- On freenode join #ubuntu-server summit
Enable PIE by default on 64bit architectures
- A gobby document was created for the spec, jaunty-server-pie
- Schedule changed: Likewise-open instead of lvm-crypt.
- Disable pie by default on 32 bit arch, noticeable slow-down
- PIE on 64-bit has no problems
- What works right now in Ubuntu? Running and backtracing core
- Fix gdb PIE and existing compiler tests that do not work and move on
- Do we need benchmarks? Compare bootspeed (python boot benchmarks)
- Phoronix does distro compare boot benchmarks
- Getting a backtrace from a running PIE process must work
- Phoronix for testing, perhaps? - phoronix-test-suite
- Are .a files shipping with -dev packages still? Has Debian Policy changed?
- More of a goal for jaunty +1
- Work on rebuilding the archive over Christmas
- For server team pie roadmap
- Build a package with my ppa cflags + pie
- debian.org/hardening for more hardening information
- There is no impact on desktops
- Get benchmarks from every time? How does pie affect your part of the ubuntu stack?
- Fix multiarch spec for 64bit compiler building 32bit targets
- Benchmark for open-jdk with pie enabled
- The best benchmark for the dev stuff would be to run a test suite
- What about third parties? shouldn't affect kernel drivers and shipped third party apps
- How much additional security does PIE give you?
- Time for spec ending for PIE by Default
- Why shouldn't Ubuntu Server be the first distro to have PIE by default... we should!
- For Jaunty determine a list of things needed for default PIE.
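A check that could feed the list of things needed for default PIE, as an added example (not from the summit notes): it reads the ELF header to tell a position-independent executable from a fixed-address one and reports the 32/64-bit class the notes treat differently. The PT_INTERP test is a heuristic, and the sample images and their names are constructed.

```python
import struct

ET_EXEC, ET_DYN = 2, 3      # e_type values from the ELF specification
PT_LOAD, PT_INTERP = 1, 3   # p_type values


def classify_elf(data: bytes) -> dict:
    """Return {'bits': 32|64, 'kind': ...} for an ELF image held in memory."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    bits = 32 if ei_class == 1 else 64
    end = "<" if ei_data == 1 else ">"
    if len(data) < (52 if bits == 32 else 64):
        raise ValueError("truncated ELF header")
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if bits == 64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    # p_type is the first 32-bit field of a program header in both classes.
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            has_interp = True

    if e_type == ET_EXEC:
        kind = "non-PIE executable"      # linked at a fixed load address
    elif e_type == ET_DYN:
        # Heuristic: a dynamically linked PIE requests an interpreter,
        # an ordinary shared library normally does not.
        kind = "PIE executable" if has_interp else "shared object"
    else:
        kind = "other"                   # relocatable object, core file, ...
    return {"bits": bits, "kind": kind}


def non_pie_executables(images: dict) -> list:
    """Names of executables still built without PIE, sorted for stable reports."""
    return sorted(n for n, d in images.items()
                  if classify_elf(d)["kind"] == "non-PIE executable")


def make_sample(bits: int, e_type: int, with_interp: bool) -> bytes:
    """Constructed little-endian ELF header plus one program header (no code)."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1]) + bytes(9)
    p_type = PT_INTERP if with_interp else PT_LOAD
    if bits == 64:
        hdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                          64, 56, 1, 0, 0, 0)
        ph = struct.pack("<IIQQQQQQ", p_type, 0, 0, 0, 0, 0, 0, 0)
    else:
        hdr = struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0,
                          52, 32, 1, 0, 0, 0)
        ph = struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, 0, 0)
    return ident + hdr + ph


# Constructed inputs standing in for files from a rebuilt package.
SAMPLES = {
    "daemon-amd64-pie": make_sample(64, ET_DYN, True),
    "daemon-amd64-fixed": make_sample(64, ET_EXEC, True),
    "tool-i386-fixed": make_sample(32, ET_EXEC, True),
    "libexample.so": make_sample(64, ET_DYN, False),
}

if __name__ == "__main__":
    for name, image in sorted(SAMPLES.items()):
        print(name, classify_elf(image))
    print("still non-PIE:", non_pie_executables(SAMPLES))
```

A statically linked PIE carries no PT_INTERP and would be reported as a shared object by this heuristic.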
Jaunty Security Defaults
sha512 by default is done
- Jaunty tries to reduce the number of places it needs to be set; /etc/login.defs is the One True Place for it
- What about LDAP migrations from sha512 to LDAP?
- Caller of crypt() needs to be able to use the right salt for sha512
- LDAP clients with glibc that doesn't know about sha512 may have issues (pre Hardy?)
- TODO: a migration PAM module that updates existing hashes to sha512 (jaunty+1)
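An audit that a migration like the TODO above would start from, as an added example (not from the summit notes): it reads the `$id$` salt prefix that tells crypt() which scheme to use and lists accounts whose stored hash is not sha512. `ENCRYPT_METHOD` is the shadow suite's login.defs key; the shadow and login.defs contents below are constructed samples with filler in place of real hashes.

```python
# crypt(3) scheme identifiers as used in the "$id$..." salt prefix.
SCHEMES = {"1": "md5", "2a": "bcrypt", "2y": "bcrypt", "5": "sha256", "6": "sha512"}


def parse_crypt(field: str) -> dict:
    """Describe the password field of one shadow entry."""
    locked = field.startswith("!")        # passwd -l prefixes the hash with "!"
    body = field.lstrip("!")
    info = {"scheme": "none", "rounds": None, "salt": None, "locked": locked}
    if body in ("", "*"):
        return info                       # no usable hash stored
    if not body.startswith("$"):
        # Traditional DES crypt: 2 salt characters + 11 hash characters.
        if len(body) == 13:
            info["scheme"], info["salt"] = "des", body[:2]
        else:
            info["scheme"] = "unknown"
        return info
    parts = body.split("$")               # ['', id, (rounds=N,) salt, hash]
    info["scheme"] = SCHEMES.get(parts[1], "unknown")
    if info["scheme"] in ("md5", "sha256", "sha512"):
        rest = parts[2:]
        if rest and rest[0].startswith("rounds=") and rest[0][7:].isdigit():
            info["rounds"] = int(rest[0][7:])
            rest = rest[1:]
        if rest:
            info["salt"] = rest[0]
    return info


def configured_method(login_defs: str):
    """Value of ENCRYPT_METHOD in login.defs text, or None if unset."""
    method = None
    for line in login_defs.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "ENCRYPT_METHOD":
            method = words[1].upper()
    return method


def migration_candidates(shadow: str) -> list:
    """(user, scheme) for every stored hash that is not sha512-crypt."""
    found = []
    for line in shadow.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        scheme = parse_crypt(fields[1])["scheme"]
        if scheme not in ("none", "sha512"):
            found.append((fields[0], scheme))
    return found


# Constructed samples: the hash bodies are filler characters, not real hashes.
SAMPLE_LOGIN_DEFS = "# constructed sample\nENCRYPT_METHOD SHA512\n"
SAMPLE_SHADOW = "\n".join([
    "root:$6$rounds=10000$c0nstruct3dsalt$" + "A" * 86 + ":14200:0:99999:7:::",
    "alice:$1$oldsalt1$" + "B" * 22 + ":14100:0:99999:7:::",
    "bob:ab" + "C" * 11 + ":13900:0:99999:7:::",
    "carol:!$5$lockedsalt$" + "D" * 43 + ":14150:0:99999:7:::",
    "www-data:*:14000:0:99999:7:::",
])

if __name__ == "__main__":
    print("login.defs method:", configured_method(SAMPLE_LOGIN_DEFS))
    for user, scheme in migration_candidates(SAMPLE_SHADOW):
        print(f"{user}: stored as {scheme}, rehash on next successful login")
```

Old hashes cannot be converted offline; they can only be replaced when the user next supplies the cleartext password, which is why the notes place the work in a PAM module.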
syn flood protection
- Very conflicting data on this and should probably wait for some form of "sign off"
- Elmo says Fedora enabled it and Dave Miller went bananas and he has never seen this attack in use - not providing any protection for additional risk
- Add UFW option to installer. Can have the question, but not high priority to allow preseeding.
- Need a GUI for ufw before it is enabled by default on Desktops.
- Install a service and the service starts, install apache and then apache starts
- Default to open ports by default (with debconf option to not enable this)
- UFW dynamic listening detection is on the todo list.
- Firewall on by default on server?
- Make sure that upgrades don't re-enable the port
- Need to cover all of main services before the default is active?
- New Profiles
- apparmor for dhclient and for squid: lots of things, pretty scary, hard pressed to do a config that wouldn't break people
- Get notification daemon working by default
Default LDAP DIT for user and group management
- Determine Directory Information Tree for LDAP:
- users -- uidNumber
- groups -- gidNumber
- Service Node: Apache, Mail
- MIT is the default Kerberos implementation in main
- Question: Make it FreeIPA compatible?
Mandriva proposed tree: http://ur1.ca/030n
- A directory should start with a sane DIT.
- DIT should be as shallow as possible.
Base the DIT on rfc2307: http://ur1.ca/030r.
May follow rfc2307 http://ur1.ca/030r
- The success of your directory hinges on the management tools.
- Which is the best schema to load by default?
- qmail is perhaps the best mail schema
- default scheme: cosine, inetOrgPerson, Samba, qmail, core
Likewise 5 (AD authentication)
- Likewise-open and jaunty... likewise-open is now at version 5 and its development process is now more open, using git.
- winbindd replaced by a modular architecture:
- netlogond (Does DNS queries, to find DC location).
- New CLI utilities
- Is it possible to use likewise-open's sandboxed libraries? Support issue in Ubuntu.
- There are only a few open bugs in likewise-open-5.0
- Discussing if the AD domain admin should have sudo access on the Ubuntu machine that joined the domain. Gerry will determine if it's possible to ask a question during the Domain Join process to enable domain admins to have privileges on the box.
Suspend and Hibernate Support for the Ubuntu Server (Green Computing)
- Server Suspend: it's about creating an "elastic cloud"
- Help the Green Computing initiative by lowering server power consumption in the datacenter.
- Hardware maintenance.
- Hibernate a machine, fix hardware, then resume to the past state.
- Use case of using hibernate to save the state of a machine while booting into another OS.
- At some point powering down systems can save a large amount of $$ for some businesses.
- Use case for suspend: adjust resources based on work load, suspend allows adding more resources quickly.
- Can use wakeonlan to resume systems from suspend or hibernate.
- Green Cloud, move virtual machines between larger systems to dynamically support demand.
- There may not be any gain in using suspend/hibernate in a VM, because most virtual solutions already contain a snapshot feature.
- Hibernate/suspend won't be a solution for all servers.
- There's no way to determine by looking at a machine if it has the ability to respond to wakeonlan
- Develop initramfs, udev rules, etc in order for the resume to work properly.
- Getting server hardware support for suspend/resume may not be as large a job as it was for laptop hardware
- Ultimate Goal: fill the suspend/resume gap between laptop, server hardware, and virtual machines.
- Use case is that the cache is hot, so there's a perceived benefit by suspending that primed cache, rather than rebooting with a cold cache
- Make current tools ipmi, wakeonlan, etc work out of the box.
Growing the server community
- How to improve coverage of the Ubuntu Server community.
- Change from one big block post to multiple smaller posts
- use the post in future in wordpress
- blog post is summary of ubuntu server team meeting, more of a minutes section for those that cannot attend
- New categories for the server blog
- Blog outreach: outside the Ubuntu community (ex: most popular post: ruby).
- Create trackbacks from the server blog to the persons blog who is blogging about new development
- Use/goal of the team report. how-to get more information from the community members for the report
- 'Server community' is a wide description; we should, maybe, split into groups, where each group would be doing some oriented task; ..
- New packages to the archive announced to the archive
- Create an archive report based on server team member activity
- That way new people would know where to start when they want to approach ubuntu server community
- After uds blog about the specs that were discussed
- Close to release there are fewer things to blog about
- QA tracker/iso tracking -- is this being tracked?
- Call for testing category.
- Jorge to find a Bridge Person between Ubuntu Server and the Ubuntu Forums.
- Good example of forums use is vm builder
- Need some type of identifier for the forums.
- Flag people in ubuntu forums as a member of core-dev, Canonical employee, etc
- Create a special ubuntu server team rank
- Not to create a ubuntu developer rank
- Contact technoviking on the forums
- Find ways to reach out beyond the Ubuntu community to other developer communities.
- Push blog posts to upstream blog planets
- Goals for team report, Jorge to track this down
- Is openweek/developer week helping out?
- Running a session but not seeing a spike after that in membership of the team
- Ubuntu server team is the only team that doesn't have a separate -devel channel
- -devel discussion moving to ubuntu-devel
- Building a community is not about building an irc channel but building a community
- irc has exclusivity
- Developers will follow the users.
- The Ubuntu Server community may not be known to a large number of users.
- Don't have a good way of showing consumers to contrib, nothing shows up in ubuntu weekly news on ubuntu server team
- Use technical information to make blog posts more attractive.
- Age demographic is important to determine the Ubuntu Server audience.
- What is being replaced by ubuntu server: ie is windows being replaced by ubuntu server or is solaris being replaced by ubuntu, etc
- LISA '09 November 16, 2009 Baltimore, MD
- Full lsb needs some graphical libraries
- A profile for systems with no X may be created.
- LSB is important for end users and ISVs.
- LSB may allow ISVs to build applications on bleeding edge distros and they will work with older distro versions as well.
- Will LSB support non-rpm based distros?
- LSB no longer requires rpm. It actually requires alien that requires rpm
- Registering files outside the package manager probably won't work with Ubuntu due to the dist-upgrade process.
- Package namespace is an issue between distros, LSB has a mechanism to handle it, but isn't being followed by distros.
- Need help writing LSB tests.
- Past Ubuntu versions have been tested for LSB compliance.
- There's an error found by LSB due to relro compile flag.
- Question: has LSB thought about having a standard for Web configuration applications?
- Current LSB team doesn't have the expertise to develop a Web interface standard.
- LSB looks at what distros are doing and decides on a standard.
- Are there any issues using LP in the work flow?
- Is there a way to "rate" bug comments, to only view relevant comments?
- Have the ability to create a bug from a comment that is a different bug from the original.
- New feature will be able to mute bug mail, but will still allow subscription.
- Use the API to find bugs that a team is subscribed to.
- Have documentation available to help setup environment available when mentoring someone on a bug.
- Can set bug filing guide lines per package.
- Guidelines are better from a user perspective than templates may be.
- If a specific set of data is needed for a bug, a script or instructions can be included with the package and recommended in the guidelines.
- In LP 3.0 the ability to close a bug for multiple Ubuntu releases will be available.
- Make it easier to file bugs upstream when upstream doesn't use LP.
- It would be good to be able to see a LP bug list and an upstream bug list side by side.
- A good feature would be to see a list of bugs assigned to a team.
- Sort on generic columns.
- Link a bug to a PPA, would be a great feature. The feature is also on the LP todo list.
Improved Power Management
- Nut has power management ability, through communicating to UPSs.
- May be room to add Nut functionality to Landscape.
- Would be nice to be able to limit a server's power usage based on load.
- Power management can improve HA functionality, by allowing one machine to power off another so that the state of the machine can be known.
- Augeas discussion: a project done by Red Hat that is an API for extracting configuration files
- Focus has been to work on integration into ubuntu, creation of lenses, etc
- website: augeas.net
- How do I manage centrally ubuntu server: currently we have to manage each application individually plus each server application
- Community would like a small to medium business server with a nice gui/web front end.
- Goal is standardize on a community application that doesn't exist
- Two different types of customers when you get involved with it, hundreds of boxes for the enterprise and small community size server
- Programmatic access to configuration is necessary before any gui is placed on top.
- Need to solve both programmatic configuration issue and remote management issue with the same tools.
Ubuntu cloud strategy
Blueprint for cloud computing: http://ur1.ca/04rf
- Soren defining what cloud computing is and how it is implemented
- Amazon's service is what most people think of when they think of cloud computing
- Cloud Computing: An outsourcing of computational resources to the Internet.
- Cloud in the box: a local cloud, inside the data center
- Cloud computing is a very "cloudy" term
- Cloud computing at the hardware layer is hypervisor plus os
- Framework is the service provided on top of the hardware layer
- Taking existing applications and moving them to the cloud layer without having to rewrite them
- Azure and google app engine are frameworks
More information on Azure: http://ur1.ca/04rp which is the windows cloud framework
- Managing virtual machine problems: need to easily deploy similar virtual machines and also need the ability to scale
- Need management interface to Live Migrate virtual machines to other physical machines in the cloud.
- Linux high availability is a framework that can manage this
- We need a management interface to control the Live Migration of virtual machines between nodes in the cloud.
- Eucalyptus provides an EC2 like experience.
- Linux ha has some scalability issues, when you get into the hundreds of servers
- Q: is Linux ha integrated into libvirt? A: no, works at a higher level than libvirt
- Q: Is Linux HA what was in mind A: not really, more trying to figure out what we would like to do and then look into solutions
- Q: Could Eucalyptus be integrated from unstructured clouds to more structured clouds a: don't think mutually exclusive
- HA has a policy based framework to determine where virtual machines can be placed based on load, state, etc.
- Real push to have an ec2 system in place
- sabdfl does not want to introduce another framework; pick something that is consolidating efforts on what will be the de facto standard
- sabdfl: 5 commands for 9.04: create a cloud controller, create a group, create a node, associate a group with a cloud controller, associate a node with a group
- For amazon ec2 need official support and official backing
- Some run hardy some run intrepid
- People prototype on ec2; they are not in a hardware business
- Place an apt mirror in S3 for updates to systems on EC2.
- Create an apt mirror on S3 for updating EC2 systems.
Identity management and network authentication in Hardy
- Need a solution to provide logon if the directory is unavailable.
- A long running daemon needs to know the state of the directory.
- nss-ldap should know the state of the directory.
- If the directory is unavailable it should fail quickly and allow local logon.
- Use the lsass module from likewise-open to cache nss information.
- lsass makes assumptions about AD, and may not work well with slapd.
- May be able to use lsass from likewise-open to cache nss information, but lsass is primarily for AD not slapd.
- One solution may be to use a local slapd containing information from the network directory.
Local caching slapd
- only listens on unix socket
- keeps an updated cache with syncrepl overlay
- /etc/ldap/ldap.conf reconfigured to connect to that via ldapi://
- (possibly ?) magic to determine if master is reachable
- pam_ccreds can cache tickets even when server not available
- How can you stay connected to a samba server ?
- The Kerberos model depends on KDC being available.
- Some users may be hesitant to run a slapd service on each client.
VMbuilder should support the creation of iso and usb as well
- Use vmbuilder to create ISOs and USB installs.
- Dropped ubuntu name off vm-builder to allow for other distributions to use
- The old version of ubuntu-vm-builder was a shell script, now written in python and designed to be used as a library
- Vmbuilder to run on bare metal and create isos
Spec of what is being discussed: http://ur1.ca/04w3
- Other use cases for vmbuilder? possibility to use vm builder to create ec2 images in the box lab (local cloud)
- Add an encrypted file system inside a virtual machine.
- Create a VM that includes a package list from a server currently running on metal.
vm Live migration policy
- Four dimensions to determine a move is needed: disk usage, network, memory, and processor.
- There's a libvirt function to migrate VMs.
- Need a framework to implement the policy to move a VM.
- libvirt also provides an API to gather information on the metrics.
- Need an outside service that VMs report to that determines when to migrate a VM.
- Determining a list of things to gather information on, then will determine what to do with them.
- For Jaunty getting linux-ha in main is a goal.
- Also integrating linux-ha with KVM.
Converting physical machines to virtual machines
- Two approaches: take the system offline then boot to another media, and using some type of agent to migrate the system.
- Current question is how to migrate disk layout from a physical machine to a virtual one.
- System won't worry about the OS, and the assumption is that it will support the drivers in the VM.
- Develop a tool to create a "live hypervisor" that will test the migration from physical to virtual.
- New motd may be more than 25 lines.
- Might be possible to use screen to allow for more lines.
- The problem with using screen is that it changes key bindings that users may not be used to.
- Will need to have a great section in the Server Guide for screen.
- Need a prototype of what the screen session will contain, and how to access it.
- Screen idea may be more of a job for a community member, but design should be reviewed by a UI expert.
- Next topic is using puppet for system configuration.
- Puppet can help install certain packages on a server depending on different configurable options such as hardware, role, etc.
- Need an easy way to create Puppet profiles, which configure services on the system.
- Puppet may be more work to configure than the advantages it offers.
- If Ubuntu can ship with multiple "generic" profiles it may be worth using, because it will decrease work for sites with large deployments.
- Puppet can also help with the configuration and management of sites with a large number of virtual machines.
- There is still time and effort involved when using any configuration management engine.
Configure RAID by default in Ubuntu
- RAID is not very user friendly to setup during the install process.
- LVM may be a better option to setup by default than RAID.
- There's an interest in automatically adding new drives to an LVM volume.
- Better to do an fsck periodically than doing one at mount or boot time.
- mdadm can now do a weekly consistency check.
- Use LVM by default: one for / and one for swap.
- If there is sufficient disk space don't fill the entire disk with the LV.
- Haven't created a separate /home because there's no good way to determine how big to make it, but LVM changes that.
- Current question is how to name the VG to be unique, which allows the disk to be moved to another system and still work.
- The RAID+LVM question requires input from foundations and desktop teams.
- Getting back to the RAID by default discussion.
- RAID question needs to be further explored and some additional testing is required.
Encrypted Home Directory
- Encrypted home is based on the work done for the encrypted Private directory.
- The next step is to add encryption options to the installer for both server and desktop.
- ecryptfs is not designed to protect data from root user access.
- Graphical add users and groups utility still needs to be patched to offer encrypted home.
- Install questions should be geared to non-power users.
- The idea behind implementing encrypted /home is to make it very easy to use once setup.
- Migrating from encrypted Private to encrypted home is not really an option due to the issue of possible data loss.
- A possible issue with adding options to the installer is that users may not fully understand what they are getting into.
Encrypted Swap By Default
- If you are going to encrypt private or /home you need to also encrypt swap.
- Possible implementation would be to generate a random key on boot.
- Some non-scientific performance testing has been done, and no significant issues were found.
- With new hardware there should be no issues with performance.
- There have been no reported instances of data corruption in Intrepid using ecryptfs.
- May be possible to use some type of unionfs stack to migrate from encrypted Private to encrypted home.
- How do you retrieve data in a corporate environment from an employee who leaves the company?
- An upcoming patch will encrypt both data and file names.
- How does encrypted home work with samba, nfs, automount, etc?
- ecryptfs will mount on top of a network mount, and encrypt all data saved to the remote file system.
Use PAE kernel when hardware supports it
- Not all current hardware supports PAE.
- We may need a new kernel flavor to enable PAE.
- Kees will gather more information to find out the feasibility of adding PAE.
- Adding PAE changes the kernel binary a lot.
- Quick discussion on EC2 security and How to do updates on a VM in EC2.
- Augeas is pronounced Og-ee-as
- Augeas was created to change a configuration file in a programmatic way.
- Augeas is designed to handle configuration data in its current place.
- Written in C to deal with files in the lowest level possible.
- Augeas "lenses" are part of a tree which consists of a label and value system.
- There are API bindings for most popular languages.
- Lenses need to be written for each configuration file that Augeas is intended to manipulate.
- There is a list in the Ubuntu Wiki of needed lenses.
- May be a Mac port of Augeas in the future.
- The augeas tree is system dependent, due to the fact that the tree is based on the file system which varies between distros.
- Eucalyptus implements EC2's API, allowing you to have your own infrastructure as a service, or cloud environment.
- Need assistance packaging eucalyptus.
- Currently eucalyptus requires xen, but Ubuntu will need to use KVM.
- Originally distributed as a tarball in order to be distribution agnostic.
- Eucalyptus can be built with OpenJDK.
- Needs root access to access network, hypervisor, etc. Currently runs Apache as root, but that will change in the future.
- Eucalyptus and Amazon naming scheme is different, so no conflict will arise.
- No VM resource accounting system in place at the moment, but is on the road map for the future.
- The development team is working very hard on regression testing.
- Eucalyptus developers are not interested in answering the question of whether or not cloud computing is the same as grid computing.
- Should have a release candidate in a matter of days.
- We'll be getting access to the VCS soon as well.
- Can be used to prototype virtual machines for EC2, in some instances.
Kerberize Main (Clients)
- Default directory:
- create-srv-prc script:
- $ create-srv-prc SRV_TMPL [SRV_TMPL2 ...]
- create the service principals.
- copy them to the local machine.
- set the service to use the local keytab.
- check if the PTR and A dns entries are set correctly.
- support for the case where the user doesn't have necessary privileges.
- called from postinst to enable kerberos support.
- $ create-srv-prc HTTP/fqdn HTTP/short_hostname
- openssh-server: uses the host principal. check that the default config comes with kerberos support.
- dovecot: lookup the service principals names.
- Default directory:
- case of end user logging in.
- join-domain command:
- auto-discover the env.
- plugins to setup the system to integrate in the env:
- setup pam for auth.
- setup nss for uid,gid resolution.
- Supported environments:
- ldap for nss + krb for auth
- ldap for nss + ldap for auth
- AD for nss + AD for auth
- local for nss + krb for auth
- krb discovery: _kerberos_udp dns lookup
- ldap discovery: _ldap_tcp dns lookup + anonymous lookup on the root DSE
- Discussing easing the configuration of serial console.
- May be able to add a commented line in the /boot/grub/menu.lst file.
- The current eBox version is broken in Intrepid due to not being properly packaged.
- How to get community members involved with small tasks to get them familiar and comfortable with the people and tools.
- Create a list of triaged bugs/tasks that new community members can help with.
- Need to clean up the list of Server Team blueprints.
- The Community Team will need to be involved with the blueprint cleanup.
Integrated Mail Stack
- Implement an integrated spam, virus, etc scanning system with normal SMTP email server (Postfix).
- The current issue is with configuring Dovecot from another package, or in a programmatic way.
- Should configure Dovecot to use maildir by default.
- Should Postfix be changed to use Dovecot as a MDA by default.
- Get sieve scripts when using Dovecot, which can be a replacement for procmail.
- Performance boost due to the fact that Dovecot will automatically update its indexes.
- There are performance and reduced complexity advantages of using Dovecot's LDA.
- By default postfix authentication will be tied to Dovecot, but this can be reconfigured easily by an admin.
- Some filtering features such as greylisting and rbl won't be on by default.
- But there are some options postfix offers to filter spam, and they may be configured if it's determined that they won't drop legit messages.
- Could configure a quarantine "folder" for spam by default.
- Can implement a Greet Delay with postfix.
- Policy should be that protocol violations should cause a message to be rejected, but content violations will still allow the message through
/etc under revision control
- etckeeper is an application that will handle most of the version control aspects.
- One drawback of using etckeeper is that it doesn't expose all the nice features of bzr.
- Another option is to just use bzr natively to enable version control of /etc.
- The choice is between etckeeper, captainslog, or native bzr.
- Could integrate three way merge for dpkg using bzr... which would handle upgrading packages whose config has been changed.
- The goal for Jaunty will be to have /etc under version control, then other three-way merge, etc features can be added.
- Currently etckeeper with bzr has been working fine.
- etckeeper won't restore permissions to restored files.
- Forgetting to commit a change may be an issue, but can be solved by doing an auto-commit.
- etckeeper does preserve permission, it's when the bzr is used outside of etckeeper that permissions are not maintained.
- No one thinks version control of /etc is a bad idea, but there are still some implementation details.
EcryptFS graphical user interface for Jaunty desktop
- Some good work done with Python GTK for a GUI front end to the encrypted Private directory, but didn't get into Intrepid.
Jaunty Server Guide Updates
Doc section was short and the list can be found here: https://wiki.ubuntu.com/JauntyServerGuide
- Surprisingly few objections to the way Landscape client has been integrated into Ubuntu Server.
- Ubuntu system management service... implemented following the software as a service model.
- Landscape team is open to help with documenting the landscape protocol, and integrating with other tools.
- Working on supporting the EC2 API in Landscape.