Contents

UDS Intrepid Server Report
Plans for 8.10
Sessions

UDS Intrepid Server Report

back to the reports index page

Plans for 8.10

Place in this section bullet points of specific intended outcomes for the 8.10 development cycle.

Testing Outcome

Get community feedback about the level of testing they're willing to provide.
Identify what to test.
Select a testing framework.
Work on creating tests for common server scenarios.

J2EE Outcome

Make a decision on which Servlet Container to place in Main, in the next two weeks.

Groupware Outcome

Find a Calendaring solution for Intrepid.
Chuck Short will follow up by weighing the pros and cons of several solutions.

Swap File Outcome

Swap File needs to be in installer for at least a release.

Auto Update Outcome

Document setting up multiple repositories based on package type.
Find a way to move/copy packages from one repo to another.

Identity Management Outcome

Package OpenLDAP for cn=config.
- Directory configuration configured through LDAP objects.

Software RAID Outcomes

1. fix the grub issue 2. improve the logic in intiramfs 3. add the toggle

PIE Hardening Outcomes

Make default for amd64.
It's time for beer

ClamAV/SpamAssassin Outcome

Will contact Upstream and try to build a relationship to stabilize the API.
SpamAssassin will be MIRed.

Polish Outcome

vim will be installed by default.
Further discuss ACLs.
Install screen by default.
Talk to Colin about installing updates after installation.

Colin Discussion Outcome

acl by default
Keep Root ssh options as they are.
No full upgrade during post install.

Management Integration Outcome

Test ipmi and wbem with existing Enterprise Management Systems.
- http://www.supermicro.com/products/accessories/addon/sim.cfm
- http://www.intel.com/design/servers/ipmi/
Rick has access to systems using those management systems. Dmtf
- http://www.dmtf.org/standards/wbem/ http://en.wikipedia.org/wiki/Diet_Coke_and_Mentos_eruption

Landscape Outcome

Talk to Landscape devs and figure out which features are available.
Ask the questions listed in the notes below.
Create a Wiki page for the Landscape questions.

Documentation Outcome

See Doc section below.

Sessions

19 May Round Table

Introductions
Discussed items that didn't get into Hardy for various reasons.
- Rails -- expertise was lacking to complete the packages.
- Mail + Spam -- a wrong direction was taken, which wasn't realized in time to meet the freeze.
- iSCSI some use cases are covered, but others are not. So parts did make it into Hardy and parts didn't.
Improve QA test cases.

Encrypted Sub-directory in Home

What are we trying to Achieve? What are the Use Cases?
- Incremental encrypted backups.
- Secure location for a user on a shared server.
- Encrypt information saved to a remote server.
Probably more beneficial to Desktop rather than Server at this point in time.
Server is more familiar with the topic
Dustin recommend it, and he's on the server team
Enabling this is low hanging fruit, making the pain of implementation relatively low.
- Can be integrated with the Desktop Edition as well.

Implications

Performance issue with encrypting everything
non-encrypted /boot is a good idea.
Encrypted Swap is probably needed regardless.
- may consider .cache as well
If the encrypted directory is mounted and backed up the backup will include unencrypted files.
- Also, once a directory is mounted any user with access rights can also see the files in the clear.
File-system names are not currently encrypted.
- Obfuscated directory structure and file names will be coming in the next few months.

Technology

Ecryptfs -- sits on top of other file systems (universe: ecryptfs-utils)
- Uses in kernel encryption.
Tied into PAM -- only need to enter password once.
Can encrypt remote shares.
Another technology is ZFS inode level encryption.

Objections

Private home directories by default is not a good idea.
0700 /home/username/Desktop to make it private from other users on the system.
The implementation may be more work than it's worth.
The fact that other users can see unencrypted files is an issue.
- May be able to supplement the Discretionary Access Controls to prevent access.

OpenChange

What's missing
What we can provide in the short term
What can we do for Intrepid
- Implemented in client form
- Recommended to be released with Intrepid.
- libmapi -- headed toward 1.0. Set of libraries to open a connection to Exchange, using Exchange protocols (MAPI).
- Libraries have been integrated with Evolution.
- Proxy should be available.
- Will have further discussion about Intrepid OpenChange commitment.
Enable the same functionality in Free/OSS.
Started 5 years ago, as of 12 months ago project has taken off. With big help from Documentation from MS.
Novell accepted GPLv3 for Evolution portion. (I think this was they've said they will, but they haven't yet.)
- Novell customers have been providing pressure for GPLv3.
Akonadi -- KDE4.1+ groupware infrastructure (http://pim.kde.org/akonadi).
- Will integrate with OpenChange.
OpenChange backup utility can backup per user mailbox.
- Preserves Exchange meta-data.
Poor document management through Exchange Public folders. OpenChange allows access to these.
Will need to run Windows 2008 server for testing.

Why Exchange Matters

Killer App.
People stay with Microsoft because of it.
No equivalent with OSS.

Use Case

Linux clients connecting to Exchange server. (Linux clients on MS environments)
MS clients connecting through Outlook to Linux servers. (Windows clients on Linux Environments)

Features

Address book provider -- working.
Message store.
Proxy for MAPI -- Handles requests from Outlook.
Client libraries will be integrated into Samba 3.
Connects SQL data-store with Samba and OpenLDAP.
Comes with Scripting Language to automate administration tasks.
Small plain-text file format used to represent MAPI objects (libocpf) http://apidocs.openchange.org/libocpf/index.html

Test Setup

W2k8 Server + AD + DNS + Exchange -- Server
Vista + Office/Outlook -- Windows Client
Evolution + OpenChange -- Linux Client
Mocabox -- Messaging OpenChange Applications Box -- embedded development platform -- virtual images soon available from the repository

Proposed Security Changes

Review: https://wiki.ubuntu.com/SecurityTeam/Roadmap

Investigate script or something to check for setuid binaries.
- checksecurity
Changes to default settings
- /etc/ssh/sshd_config: "PermitRootLogin no"
Private directories
- /root to 0700
- /home/*/Desktop to 0700
- /home/*/Private to 0700
Encrypt Swap by default
- Performance issues
- Use case:
  - Laptop/Desktop more important than encrypted Swap on a Server.
- Discuss with Desktop Team
/etc/shadow SHA passwords
- supported by glibc, perhaps not by shadow
- http://www.redhatmagazine.com/2008/03/18/tips-and-tricks-choosing-the-password-hashing-algorithm-for-etcshadow-during-installation/

MySQL ad-hoc

Patch question, will there be any changes in VCS?
- Currently using Bitkeeper
- Looking for new VCS.
Which patch fixes what?
- Commit notes relate to bug numbers.
- Want to create bug fix patches from release diff?
- Some bugs are fixed by multiple commits, making it hard to create a patch for Ubuntu shipped version.
MySQL 5.0 received some community features post release.
Working on making MySQL run faster on Solaris, but not dropping support for other platforms.
- In the future there may be features in MySQL enterprise that aren't in the community release, but for now that isn't on the roadmap.
- Changes will be available to the community.

Admin GUI

Most commonly requested feature on Brain Storm, IRC, etc.

Requirements

Define Target Audience
- Not senior Linux/Unix sysadmin.
- New admin, possibly coming from Windows background.
Consider managing more than 1 machine from the same UI, possibly for the future
Multiple machines is one of the several cases where potentially a GUI can be more powerful than a commandline
Note that upstreams like OpenLDAP, Samba and OpenChange have GUI admin needs, and have some code out there and that they really don't want to maintain GUIs. So adopting a framework where these projects can just maintain some kind of plugin/parser/something is more attractive to these upstreams. --> This could be done by upstream providing a CLI that allows to modify the configuration without acting directly on the conf files. (see postfix configuration tool as an example) --> This reduces the admin load, but the tool that talks to the CLI still has to be maintained --> This could be done by upstream providing system-tools-backends -- Freedesktop.org project (allows specifying a GUI)

Possible approaches

Web-based GUI
Build on Free desktop system tools backends
- http://system-tools-backends.freedesktop.org/
- Use remote dbus
- use tubes via IM
- Backends: /usr/share/system-tools-backends-2.0
- Allows separation between GUI and policy engine
- Uses same backend as is shipped and used by Desktop
- Allows fine-grained access control using PolicyKit
SMIT type system. (AIX management interface) which is based on command line config commands : nice learning curve, curses+GUI client. Every GUI action can display the commandline that it will eventually run on your behalf.
Port YaST

eBox

Advantages
- Universal client
- Already in universe
- Configuration Templates, available in the future.
- Configure multiple eBox servers from one eBox installation.
Disadvantages
- Can clash with an administrator making changes on the commandline simultaneously
- Has its own configuration database
- eBox authenticates using a non-system user. (eBox has own accounts system -- independent of system)
- Want a consistent authentication mechanism for system configuration changes.
- relies on somewhat-privileged web server

Modules to target for Intrepid

[imported from Boston eBox gobby session - needs updating...]

SAMBA [required]
- PDC [optional]
- File
- Print
- Join Domain (front end to jerry's CLI)
OpenLDAP
User Management
- should use whatever backend has been configured (AD, LDAP, passwd) [not required but highly recommended] only if LDAP is local
- Add/Remove user/group
- Add/remove user to group
Printer [required]
- Not sure that it is working
- Printer level CUPS management
DHCP [required]
- Trivial
DNS [not required]
NTP [not required]
Mail Server [not required, users]

UI Changes

It would be nice to have eBox more ubuntu-looking.

20 May Round-table

Testing/QA

ISO tests too simple.
Package python Tests.
- Maybe bzr
- Maybe in a PPA.
- Might break normal system configuration, but a warning would be provided.
- Collect information from test over the Internet.
- Integrate into the Install Options on the ISO.
Create or use a Framework to run the tests.
- Could be run in a KVM, VMWare, chroot, etc.
- Pyre Ring -- Google Code testing framework. (http://code.google.com/p/pyrering/)
- Autotest -- Testing Framework from IBM. (http://test.kernel.org/autotest)
  - Has integrated test suites.
Run tests that come with the packages.
- Test the integration of packages. For example Apache and PHP, Kerberos and NSS, etc.
For Intrepid create the tests and place them into a PPA.

Install UI

Make the UI more flexible without adding complexity.

New Options

Add a Landscape key during install
Join a domain using Likewise-Open.
Second install experience -- could use d-i or oem-config
Use tasksel do handle server profiles (MS-server-like "roles")
- Don't want the current tasksel to grow too large >> redesign UI ?
- Give more non-technical descriptions to tasksel tasks (use long description of the seeds).
- Improved presentation of available tasks (tree like, long description).
- Provide an online source for additional task options (dynamically added when starting tasksel):
  - use cases: new ISVs packages available after release are available for installation.
  - Possibly grey out the options that aren't available due to no Internet connection. This will allow users to know that the options are there.
    - Debconf doesn't allow.
- 2-step tasksel : ask all questions at the start, then perform install ?
- Nobody uses tasksel ? -> market tasksel more aggressively as the way to handle roles (rebrand it as "add-remove-profile" ? postinstall msg ?)
Add a Partner Task to the bottom of the Task list.
- The task will then download another Tasksel package with other install Tasks.
- "partner task" that would select/enable the partner repo and run a secondary tasksel.
Use Aptitude to provide an option to install any available package.
Use another installer?
- Not really an option due to the amount of work.
- Ubiquity -- Needs X, a lot of work as well.

Likewise Join Domain Example

Are there other ways to display the domain question?
What happens when the join fails?

J2EE Server

What we need to implement.

J2EE Options

Full server stack
- Glassfish
  - Currently doesn't build from source.
  - Can be changed in the future.
  - Packaged in Multiverse.
  - Increasing market share
- JBoss
  - Questionable maintenance relationship.
- Geronimo
  - Free/OSS
  - Robust
  - Right featureset/Ubuntu-style management options
  - Needs further investigation and packaging.
  - Increasing market share
  - Apache Project.
  - Modular design. Technologically on par with JBoss and Glassfish v+1.
  - Good upstream maintenance relationship.
  - not packaged, bfs?
- JOnAS
  - Not packaged.
  - Decreasing market share
  - Not sure of upstream maintainability.
- Resin
  - Not packaged.
  - Builds from source.
  - Not sure of upstream.

Servlet Containers

Tomcat
- servlet container only
- Tomcat is downstream of Glassfish.
- Already packaged.
- Good upstream maintenance.
- Lost contributors from Sun.
Jetty
- Packaged in Universe.
- Good upstream.
Glassfish Servlet Container (v3)
- Needs Maven.
- Includes Felix
- Tomcat+
- Not packaged. Database access layer - Hibernate (JPA); Eclipse Link; Open JPA (Oracle)

Groupware

Need a solution since we currently don't offer one.

Use Cases

Shared Calendars: tracking people's schedule, check for free/busy.
Resource/meeting room scheduling
Shared Contacts.
Shared Mail Box (sales@xx etc)
Keep clients, migrate server
Keep server, migrate clients

Potential candidates

zimbra: licensing issues (Yahoo Public license: http://www.zimbra.com/community/downloads.html)- requires logo display
open-Xchange (Community Edition) (http://www.open-xchange.com/wiki/index.php?title=Main_Page):
- - slow release cycle issues. - very bad packaging (requires modified Tomcat server)
Zarafa - (oops, not Open Source)
Axigen - not open
darwin calendar (Apache 2.0 license) http://calendarserver.org - work is already under way (https://wiki.ubuntu.com/CalendarServer) and (https://bugs.launchpad.net/ubuntu/+bug/182591) -- note that is has already been packaged for Intrepid (see note in same bug report)
obm - php, in universe
bongo project (was netmail) temp example: http://dev.mythbuntu.org:8080/ admin:aaaa
- svn checkout http://svn.gna.org/svn/bongo/trunk bongo nice web interface
Horde (http://www.horde.org)
egroupware (http://www.egroupware.org/Home?lang=en) ( In universe, php )
phproject (http://www.phproject.de/index.php?&newlang=eng)
phpgroupware ( http://www.phpgroupware.org/ ) also in Universe
kolab http://www.kolab.org/
Chandlerproject http://chandlerproject.org/(Java based)
scalix http://www.scalix.com/ , http://www.scalix.com/community/licensing/Scalix_Public_License_1.1.txt (probably DSFG-ok; GPL-incompatible)
OpenGroupware - http://www.opengroupware.org/en/applications/index.html source at http://www.opengroupware.org/en/devs/source/index.html - java not a real open source project, development done by one company
Citadel http://www.citadel.org/doku.php - GPL and have Ubuntu packages. Build your own at http://www.citadel.org/doku.php/faq:installation:compile_debs
- Nice groupware approach
Bedework http://www.bedework.org/bedework/ - BSD type license. Java based. Nice web interface.
SoGO http://sogo.opengroupware.org/ - Open Source Licence. Use Ldap for authentication and PostgreSQL for data management. The web interface is equal to Thunderbird plus Lightning. There is a plugin for syncronization with Funambol.

Discarded (and why)

* Zimbra (due to license):

Zimbra alleged to be a very good solution: likely to be in partner repos.

all copies of the Original Code in Executable and Source Code form must, as a form of attribution of the original author, include on each user interface screen (i) the original Zimbra logo, and once for each user session (ii) the copyright notice as it appears in the Original Code;

http://www.zimbra.com/license/zimbra_public_license_1.2.html

* open-Xchange --> release cycle

Supported protocols

IMAP
syncml
caldav
ical over webdav

Limitations

Scalability

Interaction with existing desktop clients

outlook, firebird|thunderbird, evolution, web.

Current open source landscape on those techs aren't entreprise-ready applications.

Swap File

Advantages

Resizable
Place anywhere

Disadvantages

Current kernel doesn't support using a swap file and using hibernation. ("Unlike swsusp, suspend2 can write to any swap partition!", x)
- Display a warning that hibernation won't work.

Implementation

Add option to d-i if no swap partition is selected.
- Not the best way.

Encryption

If you're going to encrypt Swap why not encrypt everything?
May be possible to encrypt Swap with minimal impact and maximum gain.

21 May Round-table

Automatic Upgrades
- Unattended Upgrade, some things won't install without human interaction.
Change unattended-upgrades to allow for selected updates.
Need a way to provision updates.
Rollbacks -- too much work to implement.
Need a supported way to build a mirror.
- Multiple repositories support (incoming/testing/production1...)
- Need good documentation on setting up the mirror.
unattended-upgrades package
- Allows you to white list packages
- Can white list repositories.
- Package Blacklists.
Need to authorize updates before deployment.
Apply updates based on system configuration type (web, mail, etc).
Ask about private update mirror during install.
- Do you have a private mirror? If so supply url.
- Matter of wording the question correctly to avoid confusion.

Identity Management

Use Cases

Identity Management for enterprise deployments
a tool for users that don't understand ldap and can edit the directory:
- adding, removing and editing ldap entries.
- requires a consistent, simple installation / layout

Ways to manage identities

Servers
- OpenLDAP
  - Management tools -- No single Great tool.
    - http://www.lbtechservices.com/projects/lat/ - LAT
      - nice-looking task-oriented tool
      - also features low-level LDAP object view
    - http://www.web2ldap.de/ - web2ldap - WWW gateway to LDAP server
      - low-level LDAP object browser
- FDS
  - not packaged for Ubuntu/Debian
  - insignificant market share compared to AD & openldap
  - includes java-based management tools - not clear how widely used they are
- Mandriva DS
  - not packaged
- Work with OpenLDAP in developing a GUI admin tool.
  - http://directory.apache.org/studio/ - Apache Directory Studio
    - LDAP object browser
  - New OpenLDAP <-> Active Directory Proxy
    - Syncrepl-style consumer to pull changes from AD
      - with password sync agent
  - eBox
  - the schema is available in the tree
    - clients can be agnostic about schema
    - too low level - solves all problems sub-optimally
    - appropriate for an admin tool
  - ubuntu directory services package:
    - depends on slapd
    - default tree:
      - user & group management
      - application configuration in the tree - per package.
- Active Directory
  - most OpenLDAP-aware client tools support AD management (see LAT)
- Kerberos
- SQL database
Clients
- Likewise-open
- PADL tools (nss-ldap, pam-ldap)
- FreeIPA - http://freeipa.org

Application Integration

schema in packages
include an integration directory in /etc/ldap/slapd.conf
Packages
- postfix
- apache
- bind? (why?)
- samba
- dovecot

Server

Kerberos server:

heimdal in universe
- not-so-great security history/support
- OpenLDAP and Samba haven't noticed the previous comment being the case
mit in main
- Not thread safe (enough).
- Doesn't work as well as a server.
- very good security incident cooperative handling

kerberos server with ldap backend: heimdal supports it for years, mit only since 2007 or 2008

Client Integration

LDAP:

nss and pam using caching slapd.
nsscache on code.google.com - replacement of nscd.
Translucent overlay in openldap.
- Needs documented in Ubuntu,
- Allow schema changes without affecting current configuration.
If you need more than authentication using LDAP an LDAP proxy is needed to handle the additional schemas.

Kerberos:

AD integration:

likewise
- main issue reported : cannot join a DNS-challenged AD
  - DNS issues needs to be documented (or worked-around inside Likewise? no...)
- id mapping.
- gdm integration.

LemonLDAP - in universe e.g. lemonldap-ng
- Supports LDAP, SAML, OpenID, etc.
- Does authorization and authentication for Apache.

Review existing package for ldap support.

Focus on integrating ubuntu services in existing ldap based infrastructure:

using openldap translucent overlay to talk to AD.

Software RAID

Won't boot if array is degraded

Three options
- Boot in degraded, but functional mode.
  - Requires code to enable.
  - Nothing programmitically to control what happens.
  - Progamatic hooks are now there.
- Don't boot when array is degraded.
- bring ssh on - you'll need loaded modules for network card and set up networking for that
Need to allow the admin the ability to choose between the three.

grub is not redundant

grub is only installed on one of the drives
-> needs to be fixed to allow booting from the second drive.

PIE Hardening

Similar to -fPIC?
Has some performance penalties on i386.
- Lose a register.
- Not really an option for i386.
A good option for amd64.

Vulnerabilities

Saves from gaining elevated access from network vulnerabilities?

22 May Round-table

Discussed intrepid-server-polish

ClamAV and SpamAssassin MIR

libclamav API changes too frequently.
Changes break rdepends.

Ubuntu Server Polish

Install by default

- acl - screen - vim - traceroute - mtr - nmap? It's time for ubuntu-server-base package which will recommend different set of packages than -standard, and which would enable us have more real server and less desktop oriented packages by default.

SSH root login

Ubuntu is proposing to disable root login in the default config

If user enables root password, than he probably wants to be able to login as root. Most of the people that enable root password will enable SSH root login, because there are reasons to have root enabled. Or give the user the option to select between activating root ssh login or not on install. Check what the openssh default is. Discuss with Colin to change in Debian also so we don't diverge.

Upgrade during the installation

Consider doing apt-get dist-upgrade at the end of installation, so that there are no updates after installation. We already pull packages from -security if network is accessible. Why not pull them all?

tar

Patch it to support seLinux and ACL Check cpio also for ACL support

motd.tail

?? At the moment it's in /etc, which sometimes can be mounted as read-only.

/etc/rc.local

?? Use /bin/bash instead of /bin/sh.

Virt Live Migration

Move a VM between two physical machines without down time.
KVM is very good at Live Migration.http://kvm.qumranet.com/kvmwiki/Migration
Need shared storage for it to work.
Information on how to use it?
Live Migration works in KVM not supported by current management tools.
- Need to detect if shared storage is being used or not.

Use Cases

Save power by shutting down virtual machines during off hours.
Move VMs around based on load.
- VMWare DRS : http://www.vmware.com/products/vi/vc/drs.html
Migrate based on problems or roles.
- VMWare "High Availability" http://www.vmware.com/products/vi/vc/ha.html
Scheduled maintenance hardware, patches, etc.
Hot Copy for backups etc.
Testing.
Deployment?
Migrating underused systems, or switching off systems during low use periods to save power
migrating systems to other servers to provide additional resources
Zen Orchestrator

Server Package Integration

We need to have a mechanism to install many different application stacks for different server uses.

- We are calling these scenarios. - The system must be scalable (support many different scenarios), be policy compliant, and allow installation of many different packages with unique configurations per scenario. - Mail server is the initial scenario, but there are many that can be used, so our mechanism needs to be scalable to a fairly arbitrary number of scenarios.

Need to deal with managing config files on install and upgrades

Possibly use FAI called from DI in late install

- Need to get the scenario space defined and mounted

FAI can be an installer, but as an installer is 'poor'. DI lacks a good understanding of classes of packages. Using DI to install and FAI to configure a particular scenario is using each tool to do what it does best.

Mail Integration

Mail Gateway -- Virus, Spam, Content filtering.
- - Postfix for MTA/MSA - Amavisd-new for integration of post-SMTP mail filtering (SpamAssassin/ClamAV) - Dovecot for SASL

There are many other possible mail scenarios.

Scenario Editor

[ ATTENTION: the scenario editor here is vaporware. It presents the ideal world ]

We can generalize the idea of installing a server providing a service to a scenario. A scenario basically consists of the following concepts:

- Scenario Configuration (Variables that affect the concrete parameters of
- the server used in that scenario)
- List of packages in the archive used to provide the scenario - Scripts, that implement the scenario configuration to the (freshly)
- installed system.

The scenario editor can be implemented either

- as stand-alone application (think gtk2 or webapp). - integrated into the installation part.

In the first case, the scenario editor would create an installation media on either pendrive or iso image to boot from cd. Also a pure netinst image for use with cobbler or similar is imaginable.

The second variant would support interactive installs only. since it prompts the administrator to enter the scenario configuration.

FAI - the Fully unattended installation And configuration Infrastructure

During a FAI run the following steps (or stages) are done:

classes: FAI runs shell scripts to determine the classes, in which the
- particular machine participates. Each class may define shell variables, representing the scenario configuration
disc_config: FAI sets up partitions, creates file systems, etc.
packages: FAI non-interactively installs the set of packages that belong to
- the determined classes
scripts: here arbitrary scripts are run (mostly shell scripts, but can also
- be compiled programs or any other scripting language like cfengine, python) depending on the classes defined. These scripts do have access to the (yet unconfigured) installed system, the set classes and shell variables set in stage 'classes'. With that information, they modify the system to provide the configured scenario.

Additionally, every stage can be customized by hooks, that run between the stages. Both pre-run and post-run semantics are available (hackish, but still).

Using FAI as scenario deployment facility

If using the stand alone approach scenario editor, that application has to include the scenario configuration into the CD. The scenario designer would provide scripts to verify the scenario configuration is complete, definition of the set of packages to install and scripts, that turn a system using the scenario configuration into a configured system. These steps map directly to the stages FAI is using.

If using the integrated approach, the system image would query the administrator at install time. This can also be integrated into the classes stage of FAI, which are implemented as shell scripts. The scripts would then interrupt the installation, presenting the administrator the scenario he is about to install, query the scenario configuration and then proceed with installing the system.

In both approaches, the disc_config stage would have to be disabled, because d-i is taking care of this.

Virtual Machine Guest Install

Distribute ubuntu-vm-builder instead of JeOS ISOs.
What's the value of JeOS.
- What's the value in distributing ISOs.

Use Case

JeOS Users are used to ISOs.
Create a VM to build custom Virtual Machines.

VM Guest Outcomes

No longer distribute JeOS ISO.
Only distribute the tools:
- ubuntu-vm-builder.
- a web service to produce images
  - anyone seen this http://dcgrendel.thewaffleiron.net/vmbuilder/2.02/
- a preconfigured vm with u-v-b (for vmware & kvm)
Need to make Soren's wonderful u-v-b more known (funky name ?)

Cobbler

Provisioning server. http://cobbler.et.redhat.com/
Use Case
- PXE boot install and config.
- Diskless VMs.
Point it at a repository, CD, mount point, etc.
Create a Profile that links to a kickstart file.
Assign machines to the Profile via MAC address.
- Uses DHCP templates to identify clients.
The process of using cobbler needs documented.

Server Seed

Seeds help distributions grow.
Germinate is used to add the packages and dependencies.

Current Seeds

Required                        ---            ----
  |     \                         |               |
  |      \                        |-- Base        |-- Platform
minimal   build-essential       ---               |
  |                                               |
standard                                       ----
       \
        \
        Server
          |
        Server-Ship

* Supported

Packages that aren't in main but are supported by Canonical.
Previously for packages to get into Server they first went into Standard and Desktop seeds.
mini.iso and server.iso are basically the same, basic difference is the kernel.
Any core dev can commit to seeds.
Main == Supported + build-depends

Server Management Integration

Open IPMI -- moved to main during Hardy. (Intelligent Platform Management Interface).
- Needs tested with a Enterprise Management System.
WBEM: http://en.wikipedia.org/wiki/Web-Based_Enterprise_Management
SBLIM - IBM: http://sblim.wiki.sourceforge.net/

Virtual Host Creation

Determine features for the next version.

ubuntu-vm-builder Intrepid Features (already developed)

Error Handling.
- Now running with set -e -u?
Create directly on a RAW device (such as iSCSI).
Specify first boot scripts.
- Before first login. (non-interactive)
- After first login. (interactive)
Specify an ISO file to get packages.
timezone + keymap setting
- fixed in a u-v-b SRU (copy host settings)

u-vm-b wanted Features / Bugs

running as non-root ?
- really difficult, losetup mount/unmount being really unfriendly
should modprobe loop
Default --dest: from ubuntu-vm-$SUITE-$ARCH to $HOSTNAME-$SUITE-$ARCH-vm
should allow for overwriting the dest directory
add virtualbox output format - .vbox
name used with --libvirt should be ubuntu_hostname or similar (to avoid
- ubuntu, ubtuntu_, ubuntu, ...)
Name change ?
- Why
  - u-v-b is good : says what it does
  - may discourage porting or retargeting
  - too long and boring
- UVE - Ubuntu Virtually Everywhere
- Soren Virtually Everywhere
- UBERVM UBuntu ...EverywheRe VM
- Cool abstract name for aggressive blogging
  - Juicer
  - JEOSer
  - SFGS: Soren's famous golf swing
  - Mustek Vystup (or Smer)

23 May Round-table

Management tools

http://www.ocsinventory-ng.org/ http://glpi-project.org/?lang=en

SRU new versions of OpenLDAP.
Package conmux -- Console multiplexor.
- http://test.kernel.org/autotest/Conmux?highlight=(conmux
OpenLDAP
- test-openldap.py: https://code.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master

Landscape Integration

Overview

Landscape is a client-server management system
- client, installed on each and every machine
- $server_end (currently expensive.canonical.com web-frontend)
Canonical is currently the only 'server' provider, which is a paid service
landscape-client polls 'http://expensive.canonical.com/'
- sends information
- retrieves a list of commands to run
There was been an empty "placeholder" package in expectation of the source (now available 2008-05)
http://www.ubuntu.com/news/landscape has the announcement with feature description

What would the Community like to see?

E.g. the client could be used standalone, to collect information and share it on the local machine via a text based console

Deployment options

Having the client on the CD, but not installing it.
Installing it but not running it.
Integrating it to the installer so that licensees can enter their key (and let the others ignore it)

Source code

Really hard to ship it on the CD without source-code; client source:
- https://launchpad.net/~landscape/+archive

Canonical needs to be happy if other tools start using the Landscape client/server API

 deb http://ppa.launchpad.net/landscape/ubuntu hardy main
 deb-src http://ppa.launchpad.net/landscape/ubuntu hardy main

Protocol documentation

The protocol is not currently documented
- Hasn't happened *yet*
- Will happen in due-course
Question of process for future change control of the protocol spec, if there are both open source and proprietary servers

server-console

The other half of the puzzle that allows regression testing
Existence of the "server-console" could be advertised in motd
Contents
- Landscape-collected data (load...)
- Available updates
- Current time
- MD status (integrated with mdadm)
- Other "system messages"

Big-issues

Conflict of interest
Any core-developer is going to be able modify this package in 'main'
- This could break Landscape-server and make Canonical very upset
- (reduced by having some sort of regression testing mechanism)

Example:

There are many MS Exchange servers in the world
There is only one Landscape server
People are paying a hundred-millon-dollars for that server to always work
Ubuntu dev uploads (eg. a security fix) that breaks server
Lots and lots of stressed people wanting their hundreds and millions back
There is only

Questions for the Landscape team

Overview that a DD/Ubuntu person with no Landscape knowledge can understand
Protocol documentation/examples
How does the 'dbus' interface interact with the message-broker/polling
How flexible is the protocol
Can the information gathered be saved on the local machine
Does the client currently handle/expect to talk to multiple servers with differing views/ACLs, eg.
- pushing readonly to hwdb.ubuntu.com
- pushing to (yet to be written) local management console
- pushing to http://landscape.canonical.com/ when they've bought a support contract

Wrap-up

Would like to have
Needs *some* GPL client (as a minimum for testing against)
"Console idea" is an idea of the past? (Think Netware)
Multi-machine management
A management tool should focus on decreasing the learning-curve
Menus can be explored (no need to learn obscure commands)
Avoids need to specialise/learn
In the same place as the 'sudo' message, provide a 'console' message
Are the existing ncurses solutions over the years that could be built on

Answers from `<bigkevmd>`.
< bigkevmcd> the messages are bpickled (a textual pickle representation)
< bigkevmcd> and sent over https [to https://landscape.canonical.com/]
< bigkevmcd> the source for bpickle is part of the landscape client
...
< bigkevmcd> sladen: the simple answer is "look at the source"
< bigkevmcd> but, mainly because of the tests that are in there

Web Frameworks

How to deploy different types of web application frameworks.
- PHP
- Python
- Rails
- J2EE
- perl
Create policies for packaging web application frameworks.
- Debian already has some policies.

Debian Web application Policy

http://webapps-common.alioth.debian.org/

Gentoo webapp policy

Design : http://www.gentoo.org/proj/en/glep/glep-0011.htm
webapp-config tool : http://www.gentoo.org/proj/en/webapps/webapp-config.xml

PHP Web Applications

Install multiple versions of an app.
Install multiple instances of an app.
How to upgrade an installed and packaged app.
Apps get installed into /usr/share
- 3rd party modules get installed into /usr/local
- Packages need to be modified to allow /usr/share to see /usr/local

Audiences

simple user: does not change code, does not change database
plug-in user: does not change installed code/db/templates, but *adds* 3rd party plugins without changing installed files
code customizer: changes code/db
the template-editor : adapts/localizes HTML templates

Issues

The complicated part is dealing with modifications by the user
- by adding plugins in the way that is standard for the web app
- based on instructions on a howto somewhere
- based on their own knowledge
During an upgrade, perhaps check to see if they have changed anything and just give them a diff if we don't know how to handle it?

Intrepid Server Guide

Update:

samba:
- move to a use cases:
  - file server
  - print server
  - heterogeneous env. with Windows and Macs
  - anti-virus scanning on smb
software RAID
HowTo for fail-over cluster (using RHCS)

Likewise-open
- Document why DNS is needed.
- How to setup Windows DNS with AD.
- Likewise-open Troubleshooting.
JeOS section update based on ISO availability.
Cobbler -- provisioning.
Move the official Server Guide into the Wiki?
- Some still want an installable package.
- Will still ship the package.
- Include a PDF version of the Server Guide with the package.
Any new features in Ubuntu-VM-Builder.
Server Guide bug fixes, updates, etc.
OpenLDAP cn=config documentation needed.
Review the layout of the sections and standardize them.

Discussion just before the documentation discussion....

OCS Inventory

Finds details about machines on the network.
package management and system inventory via ocs, glpi and puppet

Got a quick demo from Anthony Mercatante "tiono" and Walid Nouh et al they are writing puppet plugin to use inside glpi

ocs-inventory populates glpi system

glpi - asset management system, life cycle management (purchase, contract etc)

http://www.debianadmin.com/glpi-it-and-asset-managemet-software-configuration.html stands for “Gestionnaire libre de parc informatique”, GLPI is the Information Resource-Manager with an additional Administration-Interface

languages:

ocs server - perl and php
ocs client - multiple languages (for linux agent = Perl + small bit in C)
glpi - php
both are only only mysql now

UFW Next Steps

https://wiki.ubuntu.com/UbuntuFirewall
port ranges
ufw allow apache
- ufw register/unregister apache
port open by default
- have a policy question
zones
limits (eg max X requests in Y time)
NAT/port forwarding
TODO: split out backend to allow for making writing frontends easier

Per-Package Config Files

use port-protocol tuple
separate out the port/protocol from rest of the declaration
the port/protocol declaration needs to be able to have multiple ports/protocols
allow for zones
allow for localization in the declaration file (perhaps gettext). have the
- domain for gettext be the same as the file name. or ufw_packagename
allow for default allow/deny
make sure cli has a way to list the packages that are installed and their
- status

Other

be sure to check SUSe firewall when looking at zones
Ability to learn from ufw configs.
pfsense, fwbuilder, firestarter, fireHOL, shorewall
talk to eBox about integration

LDAP Directory

Integrated Directory Services
- Enable common user authentication using LDAP.
- Need a standard tool to add/remove users.
- adduser is the current tool and needs some code to connect to LDAP.
- Import existing users using an import tool.
- Use some of the cool overlays that are available.
- Implement the Password Policy in LDAP the same as the non-ldap policy.
Use a default KDC.

--- Spec: foo