Idea for a spec
etienne.goyer at outlands.ca
Mon May 22 14:55:24 UTC 2006
Whoa ! I must really have express wrong, this have absolutely nothing
to do with FAI. But the network in a box + domain controller is much
closer to what I have in mind. I'll try another shot at explaining it.
When you have a large numbers of host to manage, you usually have to
setup a number of infrastructure services to help you do so. These
usually include setting up DNS, centralizing authentification with LDAP,
setting up a monitoring system, etc. All the tools to do these task
exist already, you just have to set them up to your taste. This can be
time-consuming, and require some know-how.
However, I do not think junior admins, or those unexperienced with Linux
coming from other platforms, have the skills to do a good and efficient
job of setting up these infrastrucure services. Building an LDAP
directory is not rocket science, but it's not an afternoon project for
someone inexperienced either. So, often, it does'nt get done because
nobody have the skills and/or time to do it.
So the problem I am looking to solve is to help busy or inexperienced
admins benefit from having a good set of infrastructure services out of
the box. We would do so by auto-configuring most of these services for
the common case.
More concretely, it would involve (on the "master" side) :
- Setting up an LDAP directory, mostly for user authentication and NSS
- Setting up a DNS zone for the domain
- Generate a root CA, and a certificate for the master
- Generate a ssh authentication key pair
- Setting up a monitoring system
When a "client" is added to the "domain", it would involve :
- Adding the client in the domain's DNS zone
- Generate a certificate for this client, and send it to the client
- Make PAM and NSS on the client use the LDAP directory
- Install root's ssh public key in the client's authorized_keys file
- Install on the client any agent required by the monitoring service
... and so on
In other words, I would like to achieve a level of integration
comparable to what other platforms provide.
Recently, I have been giving a lot of Linux trainings to Windows admins.
While they struggle to configure BIND and learn its backward zone file
syntax, they never miss the opportunity to point out that this is being
taken care when using an Active Directory. It's even worse when it come
to user authentication. They are vaguely aware that Active Directory is
based on LDAP and Kerberos, but they do not care as it "just work" out
of the box. To achieve similar results on Linux, they would have to
learn a whole lot of LDAP concepts, how to build a DIT, probably some
LDIF syntax, and the intricacies of the LDAP daemon they would use.
That's just too much for most of them, and the reason why they will
continue to run their infrastructure on Windows.
I believe it's possible to lower the barrier to entry and make Ubuntu an
easier alternative. That's what I am looking forward to.
Scot McSweeney-Roberts a écrit :
> Etienne Goyer wrote:
>> Setting up an "Ubuntu domain" would involve running a configuration
>> scripts, a wizard, on what will become the reference server (hereafter
>> called the "master"). This would configure the infrastructure services
>> according to the spec. Another setup tool is to be ran on machine that
>> want to make use of these infrastructure services (hereafter called the
>> "clients"). Ideally, you only have to provide the name or address of
>> the master server to the clients to have them auto-configured to make
>> use of pre-defined infrastructure services.
> Doesn't FAI provide this sort of thing? -
> To be honest, I don't really understand what it is intended by the spec.
> It seems to be some form of cross between a "network in a box" and a
> domain controller. What problem is the spec supposed to solve?
More information about the ubuntu-server