ServerCandy

Differences between revisions 23 and 24
Revision 23 as of 2005-11-04 21:11:52
Size: 6478
Editor: 238_220_103_66-WIFI_HOTSPOTS
Comment:
Revision 24 as of 2005-11-05 22:44:37
Size: 6548
Editor: 209
Comment: approved
Deletions are marked like this. Additions are marked like this.
Line 10: Line 10:
The "server edition" of Dapper will be supported for 5 years. We need to make sure that we have thought of things that will be attractive for system administrators, to raise interest in Ubuntu as a server OS. This specification lists ideas for the server edition.

== Rationale ==

We would like to improve the profile of Ubuntu as a server platform, and help
system administrators to get things done quickly and efficently. 		'''The "server edition" of Dapper will be supported for 5 years. This specification lists ideas for the server edition.''' We would like to improve the profile of Ubuntu as a server platform, and help system administrators to get things done quickly and efficently.
Line 48: Line 43:
'''Third part software inclusion''' '''Third party software inclusion'''
Line 89: Line 84:
 * Implent set of simple scripts to be able to perform the following checks using the information provided by the server:  * Implement set of simple scripts to be able to perform the following checks using the information provided by the server:
Line 115: Line 110:

== Reviewer comments ==

MarkShuttleworth: approved 05 Nov 2005. Very much improved, thank you! I liked the clear separation of the proposed items, and the "future / wishlist" suggestions distinct from the Dapper commitments.

Summary

The "server edition" of Dapper will be supported for 5 years. This specification lists ideas for the server edition. We would like to improve the profile of Ubuntu as a server platform, and help system administrators to get things done quickly and efficently.

Use cases

Company foo wants to replace their servers and they want a simple install/long time supported platform. They must be able to choose Ubuntu without any fear.

  • They want to test if their hardware is compatible with Ubuntu.
  • They want to stress test the hardware to ensure that Ubuntu will not let them down.
  • They want a single CD install with the best selection of server software with great flexibility.
  • They want a method to verify that their server have not been compromised at any give time or if they suspect that the server has been compromised, be able to perform basic forensinc.
  • They want a centralized SSL management system for all their services, without overhead in managing certifactes in N different places.
  • They want to be able to use vendor proprietary monitoring/configuration tools without having to download and install manually many small bits of software.
  • They would love to see a "Vendor foo Ubuntu certified hw".
  • They want to be able to use a RCS to handle their config files, specially during deployment to verify local changes and be able (if required) to redistribute them with just a push/pull.

Implementation

Documentation of security/updates policies

  • We need to documentat the differences between -security and -updates, hilighting
    • the facts that they are separate and that stuff in -updates requires explicit approval.

Ship a Server Test Suite on the CD

  • The test suite is defined in TestingServerHardware.

  • The test suite will be integrated in the Ubuntu Installer mode

  • The test suite will need to produce reasonable short run results, along with it's full burn-in test results (all this is in the spec on TestingServerHardware).

Third party software inclusion

  • Collect and analize as many proprietary monitoring/configuration tools from vendors (HP, IBM, Sun, Dell, others?).
  • Prepare installation wrappers for them.
  • Test packaging in coordination with elmo/znarl that have hw access at the datacenter.
  • Seed Depends into main and ship them on the cd.
  • Ship tools required by 3rd part vendors to certify hw directly on CD.
  • List is unknown at this time.

Make adjustments to the seed list

  • In order to provide the best to our server admins we must have feedback from what they need and achive this by creating a vibrant server community (irc channel, mailing list, wiki docs, more if required).
    • (fabbione to collect info from the community ~ always in progress)
  • Some useful metapackages, e.g. 'system-investigation' would be nice, if we get enough feedback from the users to know what they'd like to see in them.

We need to implement a central snakeoil SSL setup This would be one package that provids SSL/TLS setup for:

  • postfix
  • apache2
  • slapd
  • exim4
  • imap/pop
  • others....

These packages will also need to be modified to look to this new central SSL cert package by default.

  • (infinity/lamont ~ 4 weeks)

Create an MD5 checker for the Ubuntu Installer rescue mode

Target is to provide the possibility to perform basic forensic analisys on offline disks/server.

The implementation requires a client and a server side and needs to be as simple as possible given the limited amount of tools we have in Rescue mode.

Server side:

  • Create a public server of good and trusted md5sum and/or sha1 checksums:
    • Layout a vhost (pkgsum.ubuntu.com) that will expose the same directory layout of a normal archive and that will expose $path/$package.deb.{md5,sha1}.
    • Write a script that will run on trusted mirror inside the Datacenter to populate the archive.
    • The $package.deb.{md5,sha1} will contain a simple uncompressed output of md5sum/sha1 calculation of dpkg -e and dpkg -x output of the .deb. The last line of the file will contain the md5/sha1 of the file itself. This will allow the client to verify that the download of the $package.deb.{md5,sha1} is correct.

Client side:

  • Implement set of simple scripts to be able to perform the following checks using the information provided by the server:
    • Single file check.
    • Single deb check.
    • Full deb installation check.
    • Provide full report of the scan.
    • We don't want to reimplement an IDS. Only a simple "warning" tool. An IDS replacement would be too expensive and out of scope from this spec. (fabbione ~ 2/3 weeks)

Provide a RCS /etc out of the box

  • Implement a simple set of scripts that can easily put /etc (by default, and possibly other dirs on request) under bzr control.
  • Implement crontab script that will take care of committing monitored directories on a configurable base (1 hour by default).
  • Implement option to mail admins if there are changes
  • Make it not do backups of sensitive files unless a config option is turned on

  • We would love a working Xen implementation (discussed in https://wiki.ubuntu.com/Xen)

  • We need more and more work on HA (discussed in UbuntuCluster)

  • Some centralized user management system that is not NIS. (discussed in NetworkAuthentication - client is ok, server will be aimed at Dapper+1)

  • Easy way to determine (e.g. look up on a web site) if Dapper will work with a prospective server (discussed in TestingServerHardware)

  • We would really love sane NetworkWideUpdates and AutomaticPackageUpdates implemetations.

  • Simple out of the box monitoring of multiple machines would be a plus.
  • A dtrace port or use/investigate/integrate/package system tap (apparently a dtrace-alike for Linux)
  • Easy integration of log analysis tools, particularly with apache and multiple vhosts.

Reviewer comments

MarkShuttleworth: approved 05 Nov 2005. Very much improved, thank you! I liked the clear separation of the proposed items, and the "future / wishlist" suggestions distinct from the Dapper commitments.

ServerCandy (last edited 2008-08-06 16:18:50 by localhost)