Weblog entry #8 for e5z8652

Locking down your neighbor
Posted by e5z8652 on Fri 29 Aug 2008 at 06:29
How do you manage workstations in an enterprise environment? I'm talking about relatively benign situations like setting MIME types across desktops as well as more restrictive scenarios like enforcing proxy settings for Debian desktops.

**CAN** you manage Debian desktops in an enterprise environment?

 

Comments on this Entry

Posted by Steve (80.68.xx.xx) on Mon 1 Sep 2008 at 12:36

Personally I use cfengine to manage my systems. That allows anything you can script to be done to machines.

I suspect you'd receive more replies if you were more specific about the kind of setup, and the type of management that you desired.

Steve


Posted by e5z8652 (206.174.xx.xx) on Mon 1 Sep 2008 at 21:00
I was really just trolling for ideas because my interests really are wide ranging.

On the small end, I've had trouble just consistently setting MIME types on my home workstation. When I set my desktop to act in a certain way, sometimes I would like that change migrated over quickly and easily. There might be an easy way to do it, but the documentation seems hard to wade through. (Of course a Linux desktop is all about choice, and developers tend to promote privacy and security of the individual user. I'll respect my eight-year-old's privacy to a point, but she's really not interested in messing around with KDE's control center just yet.) This gets into other small annoyances with how debs will set stuff I don't think they should. If I set up playing ogg files with application A, and then install application B just to take a look at it, I often find that ogg files now open with app B by default. I feel it should at least have asked me, and now I have to visit my children's desktops again to fix what would be an inexplicable change the next time they log in. I get really steamed when an apt-get --purge remove application B doesn't restore my original settings; I just get an "application not found" error when clicking on an ogg. Then I get to reset the MIME types for myself and my children again.

Previously any sort of management tool I've tried has been broken in subtle ways. For example I set up KDE's kiosktool on a machine and managed to lock everyone out. I couldn't undo the changes, so ended up re-installing. That was a few years ago (before casual virtualization) so was sort of a pain. It looks like kiosktool development is stalled. I don't like gnome so I'm not familiar with their equivalent. Maybe their design paradigm is more suited to what I'm looking for though.

On the big end, anything Linux is looked at like black magic at my work, which is a solid Microsoft Active Directory shop. The black magic aspect is not necessarily a bad thing. Every so often I see some people that find a logical click path to configure something that SHOULD work, but because they're not really conversant with what the clicks are controlling, things break in non-obvious ways. This isn't their fault really, as Microsoft cannot cover every eventuality in their help files and they don't have radio buttons for every possible option. Although I think that if you click on "advanced" enough they should. :) (In defense of my os-challenged colleagues, this doesn't happen very often, and you see from the first half of this comment that I have the exact same fuzzy knowledge problem with KDE.) The lack of a click path on my Debian servers means that if it's broke, I probably broke it and remember doing it.

But if I have any chance at all for fielding more general use machines I need at least some sort of group policy editor equivalent for enterprise kiosks or workstations. I do have a couple of requests for Linux workstations that would be shot down by management because they couldn't administer them. Webmin is a start, but it relies on knowing quite a bit about what webmin is doing. For example creating a zone file with webmin means you don't have to get the syntax exactly correct, but if you don't have at least a basic idea of what that syntax is you can't fill in the blanks appropriately. Like kiosktool, I haven't tried webmin in a few years. An "enterprise webmin" is what I'm after, with ssh connections and a central management console instead of hitting each workstation individually.

Maybe I'll just come up with scripts to copy certain files and then dust off that perl-tk book. (I've had a sort of vacation from the IT field for the last three years, so it's embarrassing that a MS fan supervisor uses Perl more often than I do anyway.) However a homebrew solution would once again have to present a familiar interface to non-Linux administrators and management while not requiring them to know the difference between linux-image-2.6.25-2 and linux-image-2.6.26-1 other than the number is bigger. With the firewire stack changes, maybe that's a bad example... :) Also, the homebrew solution would fail the "1-800" test that one of my supervisors wants to apply for any OSS solution. (Although I find that the 1-800 solution does not really work well for certain proprietary vendors, including a major one in Washington State.)

Anyway, enough rambling. If anyone gets all the way to the end of this and is still interested, please let me know what you use to manage multiple workstations, or multiple desktops on a single workstation. I'm just looking for ideas to follow up on. cfengine is a good start.

Thanks,

James


Posted by simonw (84.45.xx.xx) on Wed 3 Sep 2008 at 01:18
I think your point that debs can do this stuff points to one key method. The Enterprise desktop isn't worried that someone might install a deb and change a setting because that person is a sysadmin.

But a lot depends on the goals. If you want detailed lockdown of a GNU/Linux desktop, and commercial support for said tools, then Novell are the people with the experience and the tools, but many of them aren't free software.

Few organisations need that level of control; most do fine on controlling usernames, uid, groups, applications installed, and allowing quick and remote reinstall.

Most people who do large Unix desktop installs swear by thin client technology, which generally reduces the management issue by an order of magnitude before you get started. The largest install of Unix workstation desktops I did (singlehandedly!) should have had more smaller, lighter, identical workstations, and a couple of even bigger servers, but hey, I didn't specify it.
