Idea for a spec
etienne.goyer at outlands.ca
Sun May 21 17:09:35 UTC 2006
I am relatively new on this list, so maybe the subject has already been
discussed and acted upon. If it is the case, sorry for bothering you
with my blabbers.
I have an idea for a spec. Reading the recent post about the spec for
etc-in-svn prompted me to discuss it. Hopefully, it will bring
something new to the table. For lack of better terminology, I would
call this spec "Ubuntu domain".
First, a little prologue. I personally believe the next great obstacle
Linux in general and Ubuntu in particular will face toward adoption in
large IT infrastructure is manageability. I define "large IT
infrastructure" loosely as a network of more than 20 servers and a
thousand users, and manageability as the possibility to define and apply
policies in a uniform fashion with as little work as possible. I think
all the tools to achieve good manageability already exist in Ubuntu, but
they suffer from not being pre-integrated out of the box. A good
sysadmin in a large IT infrastructure would set up LDAP for
authentication, Nagios for monitoring, write a set of scripts to
automate common sysadmin tasks and delegate work to juniors securely
using sudo. However, he has to roll out most of these tools himself.
This is something that might be over the head of junior or average
sysadmins, or those coming from another platform.
The idea for my spec is to provide an integrated set of network
infrastructure services in a standardized and predictable fashion. This
would simplify the life of sysadmins, especially the juniors and those
not experienced in Linux. It would also simplify the writing of
administration tools, as it would be easier to make assumptions about how
things are set up.
Setting up an "Ubuntu domain" would involve running a configuration
script, a wizard, on what will become the reference server (hereafter
called the "master"). This would configure the infrastructure services
according to the spec. Another setup tool is to be run on machines that
want to make use of these infrastructure services (hereafter called the
"clients"). Ideally, you only have to provide the name or address of
the master server to the clients to have them auto-configured to make
use of pre-defined infrastructure services.
Here are some standard services an Ubuntu "domain" might be able to
- Centralized authentication and user/group database using LDAP
- DHCP (possibly with dynamic DNS update, where applicable)
- PKI (in-house CA and x509 certificates)
- monitoring (Nagios, Hobbit, or whatever)
Here are some guidelines we might want to consider :
- Only standard services and protocols that can be used independently of
this framework should be used
- All on-the-wire communication should be encrypted (or signed, at the
- All services that have the capability to authenticate using x509
certificates should be configured for doing so (i.e. LDAP)
- As many services as possible should be replicated (LDAP, DNS) for
robustness and reliability
I have not thought out all the details yet, but I already have some
ideas about how most of these could be implemented. If people feel this
is worthy of discussing, I could start fleshing it out on the Wiki. I
have some pretty wild ideas about what might get integrated into such an
initiative eventually, but I think it should start modestly with
objectives that could get implemented relatively easily.
In any case, I would love to hear what people have to say about it.
Among other things, such a spec would really need a better name than "Ubuntu
domain", so as not to be confused with what is being done by That Other
Operating System (TM).