Linux Servers for Infrastructure

Daniel Mons daniel.mons at iinet.net.au
Fri Jul 4 03:04:29 BST 2008



Null Ack wrote:
| I'm not sure about the software distribution aspects and group policy?
|
| I'm curious about this. What I see happening is Linux being used for
| app / web / DB servers but not a lot in infrastructure for desktops -
| maybe it's just the places I've worked at.
|
| Thoughts?

I contract sysadmin to a number of all-Linux or majority-Linux studios,
primarily dealing with visual effects, film, TV, etc.

I've built a number of LDAP-based systems that deal with all of the
things you describe there.  Indeed, scripting these sorts of things is
far easier than you'd expect.

Single sign on is handled by LDAP.  You can tie SASL and Samba in to
this as well if you want to authenticate MacOSX and Windows from the
same system.  Kerberos sits over the top nicely as well if you need that
too.  Tools are available in APT to configure your LDAP server for
Samba, and Apple have the necessary LDAP schemas on their developer
website for free download (licensed under the APSL, which allows use in
your network).  Network level services can be pushed by DHCP (even NTP
servers and whatnot can be taken from DHCP).  LDAP plugs into almost
anything with ease - it doubles as authentication services for Wikis,
OpenVPN, database access, websites, mail, etc, etc.

SSH public/private key pairs gives you all the remote control you could
want.  From here you can set up deployment of anything (scripts,
applications, config files, whatever) via whatever means you like.  From
as trivial as a simple BASH script that reads in a list of workstations
(or reads in workstation names from DNS/DHCP config files to ensure
sanity), to as complex as using any of the free dispatch management
systems out there (DrQueue, Sun Grid Engine, etc).  Many of my clients
already use the latter for render farm management and job dispatching on
their clusters, so leveraging the setup and extending it for software
rollouts is easy.

As others have mentioned, machines are installed easily by etherboot net
installs.  A single script then gets them set up for LDAP auth, mounts
NFS home and production directories, installs the current working set of
production software, and runs all available system updates via APT.

Laid over the top, I install GOsa for onsite junior admins or helpdesk
staff to easily deal with user management for all available operating
systems (UNIX, Linux, MacOSX, Windows):
https://oss.gonicus.de/labs/gosa/

It provides a simple web interface that talks to the backend LDAP servers.

Customisability is near infinite.  You can build your own wrapper
scripts that extract configs stored in GOsa/LDAP and build your DNS
zones, DHCP config files, IMAP/SMTP config and authentication, OpenVPN
authn and authz, Asterisk/VOIP configs and routing, application-level
configs, .profile and .bash_profile settings, etc, etc.  The flexibility
to tailor it all to your own network and workflow is huge.

One thing that bugs me enormously about Windows (and no, I'm not some
raving Windows hater - I was a senior Windows sysadmin for many years)
is the total lack of flexibility.  You need to do things the Microsoft
way, or not at all.  All of the tools above allow you to either go with
a simple/generic setup, or customise the system from head to toe for
your business.  The level of complexity is entirely up to you.

Linux/UNIX has a long history of being far more easily automated than
Windows.  Terms like "group policy" and whatnot are fairly redundant
under Linux, where multi-user setups and per-user/group access is
assumed from the ground up, rather than as an afterthought addon.
Windows has come from a history of single user setups, and is now
playing in the multi-user space.  Linux is the opposite, and as such is
far easier to deal with on the desktop on an enterprise scale than most
people realise.

One mistake I see most people make is that they try to treat Linux like
Windows.  If they can't control it with AD via Group Policy Manager,
they immediately write it off as "not enterprise desktop ready".
However few seem to realise that setting up ssh keys and some simple
BASH scripts gives you near unlimited remote control and config of any
scale of network you can imagine.  The biggest I've set up to date is
2000 users covering 30 separate locations across the whole of Australia.
And when you consider all 2000 users cost $0 in software (both client
and server side), and only required 2 system administrators to manage
all security, network config, system config and application level
support, you can see just how ready for large scale managed networks the
Linux desktop is.

-Dan
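A concrete shape for the LDAP-driven wrapper scripts and the ssh-key deployment loop Dan describes, as an added example that is not part of the original post. It assumes host entries in LDAP carry the standard ipHost/ieee802Device attributes (ipHostNumber, macAddress), that the emitted host names resolve, and that root logins by key are permitted; the LDIF below is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the post): turn host entries exported from LDAP
# into dhcpd host stanzas and BIND A records, then push one command to every
# host over key-based ssh. Assumes ipHost/ieee802Device attributes in LDAP.

# Constructed sample LDIF; a real run would pipe in something like
#   ldapsearch -x -LLL -b ou=hosts,dc=example,dc=com '(objectClass=ipHost)'
# ws03 deliberately lacks macAddress to show incomplete entries are skipped.
SAMPLE_LDIF='dn: cn=ws01,ou=hosts,dc=example,dc=com
cn: ws01
macAddress: 00:11:22:33:44:55
ipHostNumber: 10.0.0.11

dn: cn=ws02,ou=hosts,dc=example,dc=com
cn: ws02
macAddress: 00:11:22:33:44:66
ipHostNumber: 10.0.0.12

dn: cn=ws03,ou=hosts,dc=example,dc=com
cn: ws03
ipHostNumber: 10.0.0.13
'

# Parse LDIF on stdin into one "cn mac ip" line per complete entry
# (paragraph mode: a blank line ends a record).
ldif_hosts() {
    awk -v RS='' '{
        cn = ""; mac = ""; ip = ""
        n = split($0, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], kv, ": ")
            if (kv[1] == "cn") cn = kv[2]
            else if (kv[1] == "macAddress") mac = kv[2]
            else if (kv[1] == "ipHostNumber") ip = kv[2]
        }
        if (cn != "" && mac != "" && ip != "") print cn, mac, ip
    }'
}

# dhcpd.conf host stanzas: fixed addresses keyed on the MAC stored in LDAP.
dhcp_stanzas() {
    ldif_hosts | while read -r cn mac ip; do
        printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' "$cn" "$mac" "$ip"
    done
}

# BIND zone fragment: one A record per host.
zone_records() {
    ldif_hosts | while read -r cn mac ip; do printf '%s\tIN\tA\t%s\n' "$cn" "$ip"; done
}

# Run a command on every host from the same data over key-based ssh.
# $SSH is overridable (SSH=echo) so the loop can be dry-run first.
deploy() {
    ldif_hosts | while read -r cn mac ip; do
        ${SSH:-ssh} -o BatchMode=yes "root@$cn" "$1"
    done
}
```

Feed the same LDIF to all three functions so DHCP, DNS and the deployment target list never drift apart; the dry run (SSH=echo) prints exactly what would be executed.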



More information about the ubuntu-au mailing list