Server

Differences between revisions 11 and 12
Revision 11 as of 2008-05-20 10:36:12
Size: 13627
Editor: 161
Comment: small format change.
Revision 12 as of 2008-05-20 14:04:54
Size: 16509
Editor: 161
Comment: Groupware
Line 20: Line 20:
== Groupware Outcome ==

 * Find a Calendaring solution for Intrepid.
 * Chuck Short will follow up by weighing the pros and cons of several solutions.
Line 363: Line 367:


== Groupware ==
 * Need a solution since we currently don't offer one.
 
=== Use Cases ===
 * Shared Calendars: tracking people's schedule, check for free/busy.
 * Resource/meeting room scheduling
 * Shared Contacts.
 * Shared Mail Box (sales@xx etc)
 * Keep clients, migrate server
 * Keep server, migrate clients


=== Potential candidates ===
 * zimbra: licensing issues (Yahoo Public license: http://www.zimbra.com/community/downloads.html)- requires logo display
 * open-Xchange (Community Edition) (http://www.open-xchange.com/wiki/index.php?title=Main_Page):
    - slow release cycle issues.
    - very bad packaging (requires modified Tomcat server)
 * Zarafa - (oops, not Open Source)
 * Axigen - not open
 * darwin calendar (Apache 2.0 license) http://calendarserver.org
 * obm - php, in universe
 * bongo project (was netmail) temp example: http://dev.mythbuntu.org:8080/ admin:aaaa
  svn checkout http://svn.gna.org/svn/bongo/trunk bongo
  nice web interface
 * Horde (http://www.horde.org)
 * egroupware (http://www.egroupware.org/Home?lang=en) ( In universe, php )
 * phproject (http://www.phproject.de/index.php?&newlang=eng)
 * phpgroupware ( http://www.phpgroupware.org/ ) also in Universe
 * kolab http://www.kolab.org/
 * Chandlerproject http://chandlerproject.org/(Java based)
 * scalix http://www.scalix.com/ , http://www.scalix.com/community/licensing/Scalix_Public_License_1.1.txt (probably DSFG-ok; GPL-incompatible)
 * Opengroupware - http://www.opengroupware.org/en/applications/index.html source at http://www.opengroupware.org/en/devs/source/index.html - java not areal opensource project, development done by one company
 * Citadel http://www.citadel.org/doku.php - GPL and have Ubuntu packages. Build your own at http://www.citadel.org/doku.php/faq:installation:compile_debs
   Nice groupware approach

 
=== Discarded (and why) ===

* Zimbra (due to license):

Zimbra alleged to be a very good solution: likely to be in partner repos.
 
  all copies of the Original Code in Executable and Source Code form must, as a form of attribution
  of the original author, include on each user interface screen (i) the original Zimbra logo, and
  once for each user session (ii) the copyright notice as it appears in the Original Code;

http://www.zimbra.com/license/zimbra_public_license_1.2.html

* open-Xchange --> release cycle

=== Supported protocols ===
 * IMAP
 * syncml
 * caldav
 * ical over webdav
 
=== Limitations ===
 * Scalability

=== Interaction with existing desktop clients ===
 * outlook, firebird|thunderbird, evolution, web.
 
Current open source landscape on those techs aren't entreprise-ready applications.
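
Review bot: The bongo entry under "Potential candidates" publishes what appears to be a login for the temp example host ("temp example: http://dev.mythbuntu.org:8080/ admin:aaaa") on a public wiki page, and it will stay in the revision history even if a later edit removes it. Suggest dropping the credential from the page, pointing readers to whoever runs the demo instead, and changing the password on that instance if it is still reachable.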

UDS Intrepid Server Report


Plans for 8.10

Place in this section bullet points of specific intended outcomes for the 8.10 development cycle.

Testing Outcome

  • Get community feedback about the level of testing they're willing to provide.
  • Identify what to test.
  • Select a testing framework.
  • Work on creating tests for common server scenarios.

J2EE Outcome

  • Make a decision in the next two weeks.

Groupware Outcome

  • Find a Calendaring solution for Intrepid.
  • Chuck Short will follow up by weighing the pros and cons of several solutions.

Sessions

19 May Round Table

  • Introductions
  • Discussed items that didn't get into Hardy for various reasons.
    • Rails -- expertise was lacking to complete the packages.
    • Mail + Spam -- a wrong direction was taken, which wasn't realized in time to meet the freeze.
    • iSCSI -- some use cases are covered, but others are not, so parts made it into Hardy and parts didn't.
  • Improve QA test cases.

Encrypted Sub-directory in Home

  • What are we trying to achieve? What are the use cases?
    • Incremental encrypted backups.
    • Secure location for a user on a shared server.
    • Encrypt information saved to a remote server.
  • Probably more beneficial to Desktop rather than Server at this point in time.
  • Server is more familiar with the topic
  • Dustin recommends it, and he's on the server team
  • Enabling this is low-hanging fruit, making the pain of implementation relatively low.
    • Can be integrated with the Desktop Edition as well.

Implications

  • Performance issue with encrypting everything
  • non-encrypted /boot is a good idea.
  • Encrypted Swap is probably needed regardless.
    • may consider .cache as well
  • If the encrypted directory is mounted and backed up the backup will include unencrypted files.
    • Also, once a directory is mounted any user with access rights can also see the files in the clear.
  • Filesystem names are not currently encrypted.
    • Obfuscated directory structure and file names will be coming in the next few months.

Technology

  • eCryptfs -- sits on top of other file systems (universe: ecryptfs-utils)
    • Uses in-kernel encryption.
  • Tied into PAM -- only need to enter password once.
  • Can encrypt remote shares.
  • Another technology is ZFS inode level encryption.

Objections

  • Private home directories by default is not a good idea.
  • 0700 /home/username/Desktop to make it private from other users on the system.
  • The implementation may be more work than it's worth.
  • The fact that other users can see unencrypted files is an issue.
    • May be able to supplement the Discretionary Access Controls to prevent access.
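
The exposure raised under Implications and Objections (a mounted encrypted directory is readable in the clear by any user the permission bits let in) can be checked with a small audit. This is an added example, not part of the original notes: the function names are hypothetical, the mounts table is constructed sample data in /proc/mounts format, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: report eCryptfs mount points whose mode bits give group or
# other users access to the decrypted view. Mount points containing spaces
# (escaped as \040 in /proc/mounts) are not handled here.

# Print "MODE MOUNTPOINT" for each ecryptfs mount that is not owner-only.
audit_ecryptfs_mounts() {
    mounts_file="${1:-/proc/mounts}"
    # Field 2 is the mount point, field 3 the filesystem type.
    awk '$3 == "ecryptfs" { print $2 }' "$mounts_file" |
    while IFS= read -r mnt; do
        [ -d "$mnt" ] || continue
        mode=$(stat -c '%a' "$mnt") || continue   # GNU stat, octal mode
        # Mask the group and other bits; non-zero means exposure (0700 passes).
        if [ $((0$mode & 077)) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$mnt"
        fi
    done
}

# Build two stand-in mount points and a constructed mounts table, then audit.
run_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 700 "$tmp/alice_private"   # private, as the 0700 suggestion above
    mkdir -m 755 "$tmp/bob_private"     # world-readable once mounted
    cat > "$tmp/mounts" <<EOF
/dev/sda1 / ext3 rw 0 0
$tmp/.alice $tmp/alice_private ecryptfs rw 0 0
$tmp/.bob $tmp/bob_private ecryptfs rw 0 0
EOF
    audit_ecryptfs_mounts "$tmp/mounts"
    rm -rf "$tmp"
}

run_demo
```

Called with no argument, audit_ecryptfs_mounts reads the live /proc/mounts; an empty result means every mounted eCryptfs directory is owner-only.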

OpenChange

  • What's missing
  • What we can provide in the short term
  • What can we do for Intrepid
    • Implemented in client form
    • Recommended to be released with Intrepid.
    • libmapi -- headed toward 1.0. Set of libraries to open a connection to Exchange, using Exchange protocols (MAPI).
    • Libraries have been integrated with Evolution.
    • Proxy should be available.
    • Will have further discussion about Intrepid Openchange commitment.
  • Enable the same functionality in Free/OSS.
  • Started 5 years ago; as of 12 months ago the project has taken off, with big help from documentation from MS.
  • Novell accepted GPLv3 for Evolution portion. (I think this was they've said they will, but they haven't yet.)
    • Novell customers have been providing pressure for GPLv3.
  • Akonadi -- KDE4.1+ groupware infrastructure (http://pim.kde.org/akonadi).

    • Will integrate with Openchange.
  • Openchange backup utility can backup per user mailbox.
    • Preserves Exchange metadata.
  • Poor document management through Exchange Public folders. Openchange allows access to these.
  • Will need to run Windows 2008 server for testing.

Why Exchange Matters

  • Killer App.
  • People stay with Microsoft because of it.
  • No equivalent with OSS.

Use Case

  • Linux clients connecting to Exchange server. (Linux clients on MS environments)
  • MS clients connecting through Outlook to Linux servers. (Windows clients on Linux Environments)

Features

  • Address book provider -- working.
  • Message store.
  • Proxy for MAPI -- Handles requests from Outlook.
  • Client libraries will be integrated into Samba 3.
  • Connects SQL datastore with Samba and OpenLDAP.
  • Comes with Scripting Language to automate administration tasks.
  • Small plain-text file format used to represent MAPI objects (libocpf) http://apidocs.openchange.org/libocpf/index.html

Test Setup

  • W2k8 Server + AD + DNS + Exchange -- Server
  • Vista + Office/Outlook -- Windows Client
  • Evolution + Openchange -- Linux Client
  • Mocabox -- Messaging OpenChange Applications Box -- embedded development platform -- virtual images soon available from the repository

Proposed Security Changes

Review: https://wiki.ubuntu.com/SecurityTeam/Roadmap

MySQL ad-hoc

  • Patch question, will there be any changes in VCS?
    • Currently using Bitkeeper
    • Looking for new VCS.
  • Which patch fixes what?
    • Commit notes relate to bug numbers.
    • Want to create bug fix patches from release diff?
    • Some bugs are fixed by multiple commits, making it hard to create a patch for Ubuntu shipped version.
  • MySQL 5.0 received some community features post release.
  • Working on making MySQL run faster on Solaris, but not dropping support for other platforms.
    • In the future there may be features in MySQL enterprise that aren't in the community release, but for now that isn't on the roadmap.
    • Changes will be available to the community.

Admin GUI

  • Most commonly requested feature on Brain Storm, IRC, etc.

Requirements

  • Define Target Audience
    • Not senior Linux/Unix sysadmin.
    • New admin, possibly coming from Windows background.
  • Consider managing more than 1 machine from the same UI, possibly for the future
  • Multiple machines is one of the several cases where potentially a GUI can be more powerful than a commandline

    Note that upstreams like OpenLDAP, Samba and OpenChange have GUI admin needs and have some code out there, but they really don't want to maintain GUIs. So adopting a framework where these projects can just maintain some kind of plugin/parser/something is more attractive to these upstreams.

    • This could be done by upstream providing a CLI that allows modifying the configuration without acting directly on the conf files (see the postfix configuration tool as an example).
      • This reduces the admin load, but the tool that talks to the CLI still has to be maintained.
    • This could be done by upstream providing system-tools-backends -- Freedesktop.org project (allows specifying a GUI).

Possible approaches

  • Web-based GUI
  • Build on Free desktop system tools backends
    • http://system-tools-backends.freedesktop.org/

    • Use remote dbus
    • use tubes via IM
    • Backends: /usr/share/system-tools-backends-2.0
    • Allows separation between GUI and policy engine
    • Uses same backend as is shipped and used by Desktop
    • Allows fine-grained access control using PolicyKit

  • SMIT-type system (AIX management interface), which is based on command-line config commands: nice learning curve, curses + GUI client. Every GUI action can display the command line that it will eventually run on your behalf.
  • Port YaST

eBox

  • Advantages
    • Universal client
    • Already in universe
    • Configuration Templates, available in the future.
    • Configure multiple eBox servers from one eBox installation.
  • Disadvantages
    • Can clash with an administrator making changes on the commandline simultaneously
    • Has its own configuration database
    • eBox authenticates using a non-system user. (ebox has own accounts system -- independent of system)
    • Want a consistent authentication mechanism for system configuration changes.
    • relies on somewhat-privileged web server

Modules to target for Intrepid

[imported from Boston ebox gobby session - needs updating...]

  • SAMBA [required]
    • PDC [optional]
    • File
    • Print
    • Join Domain (front end to jerry's CLI)
  • OpenLDAP
  • User Management
    • should use whatever backend has been configured (AD, LDAP, passwd) [not required but highly recommended] only if LDAP is local
    • Add/Remove user/group
    • Add/remove user to group
  • Printer [required]
    • Not sure that it is working
    • Printer level CUPS management
  • DHCP [required]
    • Trivial
  • DNS [not required]
  • NTP [not required]
  • Mail Server [not required, users]

UI Changes

It would be nice to have ebox more ubuntu-looking.

20 May Roundtable

Testing/QA

  • ISO tests too simple.
  • Package python Tests.
    • Maybe bzr
    • Maybe in a PPA.
    • Might break normal system configuration, but a warning would be provided.
    • Collect information from test over the Internet.
    • Integrate into the Install Options on the ISO.
  • Create or use a Framework to run the tests.
  • Run tests that come with the packages.
    • Test the integration of packages. For example Apache and PHP, Kerberos and NSS, etc.
  • For Intrepid create the tests and place them into a PPA.

Install UI

  • Make the UI more flexible without adding complexity.

New Options

  • Add a Landscape key during install
  • Join a domain using Likewise-Open.
  • Second install experience -- could use d-i or oem-config
  • Use tasksel to handle server profiles (MS-server-like "roles")
    • Don't want the current tasksel to grow too large >> redesign UI ?

    • Give more non-technical descriptions to tasksel tasks (use long description of the seeds).
    • Improved presentation of available tasks (tree like, long description).
    • Provide an online source for additional task options (dynamically added when starting tasksel):
      • use cases: new ISVs packages available after release are available for installation.
      • Possibly grey out the options that aren't available due to no Internet connection. This will allow users to know that the options are there.
        • Debconf doesn't allow.
    • 2-step tasksel : ask all questions at the start, then perform install ?
    • Nobody uses tasksel ? -> market tasksel more aggressively as the way to handle roles (rebrand it as "add-remove-profile" ? postinstall msg ?)

  • Add a Partner Task to the bottom of the Task list.
    • The task will then download another Tasksel package with other install Tasks.
    • "partner task" that would select/enable the partner repo and run a secondary tasksel.
  • Use Aptitude to provide an option to install any available package.
  • Use another installer?
    • Not really an option due to the amount of work.
    • Ubiquity -- Needs X, a lot of work as well.

Likewise Join Domain Example

  • Are there other ways to display the domain question?
  • What happens when the join fails?

J2EE Server

  • What we need to implement.

J2EE Options

  • Full server stack
    • Glassfish
      • Currently doesn't build from source.
      • Can be changed in the future.
      • Packaged in Multiverse.
      • Increasing marketshare
    • JBoss
      • Questionable maintenance relationship.
    • Geronimo
      • Free/OSS
      • Robust
      • Right featureset/Ubuntu-style management options
      • Needs further investigation and packaging.
      • Increasing marketshare
      • Apache Project.
      • Modular design. Technologically on par with JBoss and Glassfish v+1.
      • Good upstream maintenance relationship.
      • not packaged, bfs?
    • JOnAS
      • Not packaged.
      • Decreasing marketshare
      • Not sure of upstream maintainability.
    • Resin
      • Not packaged.
      • Builds from source.
      • Not sure of upstream.

Servlet Containers

  • Tomcat
    • servlet container only
    • Tomcat is downstream of Glassfish.
    • Already packaged.
    • Good upstream maintenance.
    • Lost contributors from Sun.
  • Jetty
    • Packaged in Universe.
    • Good upstream.
  • Glassfish Servlet Container (v3)
    • Needs Maven.
    • Includes Felix
    • Tomcat+
    • Not packaged. Database access layer - Hibernate (JPA); Eclipse Link; Open JPA (Oracle)

Groupware

  • Need a solution since we currently don't offer one.

Use Cases

  • Shared Calendars: tracking people's schedule, check for free/busy.
  • Resource/meeting room scheduling
  • Shared Contacts.
  • Shared Mail Box (sales@xx etc)
  • Keep clients, migrate server
  • Keep server, migrate clients

Potential candidates

Discarded (and why)

* Zimbra (due to license):

Zimbra alleged to be a very good solution: likely to be in partner repos.

  • all copies of the Original Code in Executable and Source Code form must, as a form of attribution of the original author, include on each user interface screen (i) the original Zimbra logo, and once for each user session (ii) the copyright notice as it appears in the Original Code;

http://www.zimbra.com/license/zimbra_public_license_1.2.html

* open-Xchange --> release cycle

Supported protocols

  • IMAP
  • syncml
  • caldav
  • ical over webdav

Limitations

  • Scalability

Interaction with existing desktop clients

  • outlook, firebird|thunderbird, evolution, web.

The current open source landscape for those technologies doesn't offer enterprise-ready applications.

--- Spec: foo

UDS-Intrepid/Report/Server (last edited 2008-08-06 17:01:18 by localhost)