(This page uses style sheets.)
There are several OSS operating systems, including OpenBSD, FreeBSD, NetBSD and various “Distributions” (explained below) of GNU/Linux, although, of these, many people have only heard of GNU/Linux, and have generally heard of it by the name Linux.
An operating system consists of a kernel which runs in supervisor mode, along with supporting programs running under the control of the kernel in user mode. Linux is a kernel but it requires supporting loaders, compilers, drivers etc. Most of these supporting programs are provided by the Free Software Foundation's GNU project and so the totality ought to be called GNU/Linux, which is the term used in this report.
The Linux kernel is provided packaged together with a set of supporting programs and applications by a number of companies such as Red Hat, SuSE and Mandrake as a Distribution. The contents of a Distribution should interwork, and the kernel may well be patched with changes not available with other Distributions. The choice of Distribution must therefore be considered, as each has its strengths and weaknesses.
There are other Distributions such as Debian and Gentoo which are not prepared by a commercial organisation and this has implications for the way in which support is provided. Support for these distributions comes either from third parties or from access to mailing lists on the Internet. Both of these can provide acceptable levels of cover.
Debian has a reputation for solidity and its stable section contains code which has been thoroughly tested by many people world wide. There are also two other sections providing increasing levels of leading edge software. The stable branch also has the reputation of being out of date. This is unfair to some extent because most commercial users are principally interested in stability and lack of bugs, and not whether the latest peripheral can be supported.
Gentoo is a source-only distribution, which means that the Administration can build its own binaries easily, tailoring the Distribution to their environment and hardware. Building such a distribution from scratch is time consuming but once the binaries have been built they are available generally. This is a new distribution and is worth considering. Because most other Distributions are supplied with full source code, it is possible to tailor any of them the same way; Gentoo, however, may be more amenable to such treatment.
The commercial Distributions come in different packages with different levels of support available. The Distribution available via the Internet is invariably only supported for about a year; users are then expected to upgrade. Most companies provide an “Enterprise” version which is guaranteed to be supported for 5 years or more and which is based on stable versions. Such versions also have a support contract associated with them which is sometimes called a licence, even though the code is licensed using GPL or LGPL and may not be licensed otherwise. It is the availability of such supported and stable distributions that many Administrators want. Indeed one reason to move to OSS is the lack of pressure to upgrade constantly and unnecessarily. The companies promise to backport bug fixes. Red Hat, for instance, have their Enterprise Range which consists of three products, two for servers and one for technical workstations, each of which appears to be based on version 7.3 of Red Hat Linux, even though the current downloadable version is labelled 9.
Our opinion is that GNU/Linux is the preferred platform for workstations as it offers better configuration tools and a variety of packaging setups that are more suitable for desktop use. Also, some popular desktop products do not work on all of the alternatives (for example the Mozilla web browser currently does not work on OpenBSD).
For servers the situation is much less clear cut. OpenBSD has by far the best security record of any OSS operating system, being able to claim only one remotely exploitable vulnerability in 6 years. It should be the preferred platform for anything that requires higher than average security (such as firewalls and De-Militarised Zone servers).
Server applications generally run well on all of the BSD platforms and GNU/Linux, although many have been written for GNU/Linux and are then ported. Proprietary software is often only available for GNU/Linux.
There are several choices, ranging from very simple, light-weight window managers like icewm to fully featured session managers like those included in Gnome and KDE. The choice should depend on the intended use.
Of the session managers KDE's is the more mature but Gnome is catching up fast. Gnome is being supported by Sun Microsystems and members of the Gnome Foundation. netproject considers that it has a better architecture and believes it has a better future.
A Gnome-based desktop has been issued recently by Ximian called XD2. This works on top of a number of different base Distributions including Red Hat and SuSE. Ximian have paid particular attention to integrating the various different applications to make sure that they work in a similar way. This means that they have included their own versions of some products like OpenOffice.org. It is too early to comment fully on this desktop but the initial impressions are promising.
The choice for any Administration is likely to be one of personal preference; both environments are very capable. Applications designed to work in one environment will work in the other but more specific features such as session management may not work properly.
The desktop managers offer most European languages but may be patchy in their support for any given language.
All functional groups must be configured with security in mind. Security at the software level can only work if it exists in the wider framework of security management. netproject has not fully investigated all the functions given as part of this report.
Confidential data on internal LANs should be encrypted where ever possible. Sensitive data sent over the Internet should always be encrypted. This can be done by tunnelling connections over products like ssh and stunnel.
Confidential data held on mobile devices should be encrypted on disk. The ideal is that all data should be encrypted but this would impose significant overheads which will not always be acceptable. There are a number secure filing systems and the next Linux kernel provides better support for them. For instance http://koeln.ccc.de/archiv/drt/crypto/linux-disk.html has a discussion of the various methods available.
Secure methods to identify uniquely a person or machine which is part of a communication with other persons or machines. This includes signatures and PKI infrastructures. No PKI systems were tested as part of this project. All authentication was done against an LDAP database using standard password challenge.
Once authenticated, to determine what a person or machine can do and in what circumstances. This is normally part of the operating system or application code. Role Based Access Control or RBAC has been defined by the NIST in the USA and is available for Linux. (See http://csrc.nist.gov/rbac/).
Virus control is needed principally to stop onward transmission of viruses to other non-OSS sites. Although email is one of the main ways that viruses are transmitted, it is not the only one, so generalised file scanning is needed to stop transmission by other means.
Unfortunately we know of no OSS product which does such scanning. However by properly configuring the filesystems on both servers and desktops it is possible to ensure that the only executable files are those which were installed by the system administrator. It is therefore important that system administrators make sure the files they install are trustworthy, for example by checking the Distribution vendor's signature on the files.
A range of intelligent or semi-intelligent OSS proxy servers is available.
Of the web proxy servers, squid is the most popular. It has an associated product (squidguard) that prevents access to a list of banned web sites.
All current OSS operating systems have internal packet-filtering firewalls, the majority of which are stateful. Stateful firewalls are those which maintain information about ongoing connections and data streams through the firewall, and allow packets to pass which are associated with those connections while filtering out packets which are not. Firewalls which are not stateful examine each packet on its own merits, without keeping any record of previous packets. Specialised plug-ins are available for protocols such as ftp and telephony H.323 which use non-standard means of connecting.
iptables, currently included with GNU/Linux, and ipfilter, included with FreeBSD are both good firewall products. Packetfilter is now included with OpenBSD also has a good reputation. Good practice for external firewalls is to have two different ones between the public network connection and internal servers. We do not recommend a single example.
Available for most Unix flavours, this is a mature and powerful offering. Features include public key encryption, dynamic compression for bandwidth management, and the ability to work with NAT (Network Address Translation). See also http://openvpn.sourceforge.net/ for more information.
This is a GNU/Linux implementation of the IPSEC and IKE standards, meaning it will inter-operate with compliant devices, including special routers and other operating systems. Since IPv6 supports IPSEC natively, FreeSWAN might be preferred if this newer standard is used. To benefit from FreeSWAN's unique “Opportunistic Encryption” extension, which can automate security, DNS records must be updated which could be limiting. netproject understands that IPSEC may also have problems with NAT. See also http://www.freeswan.org/ for more information.
This is less mature than the other two and public-key support is still experimental. However it can work with NAT, is available for Windows, and ships with Red Hat Linux (you can even configure it with their intuitive Network Device Control tool). More information is available at http://sites.inka.de/~W1011/devel/cipe.html.
The site http://www.infrastructures.org/ provides considerable detail on how to manage a network of machines, both servers and desktops, and has a number of OSS tools for a range of system maintenance tasks. It is maintained by someone who has done these tasks for many years. netproject agrees with almost all of the content except, primarily, the section on printer management.
The site shows that Unix, and by extension GNU/Linux, management tends to be done by tools that are put together from smaller single-function units. This modular approach is extremely powerful and it is what allows Unix and GNU/Linux system administrators to be very efficient and effective. It also means that the market for toolkits is small, since system administrators each tend to build their own set of tools.
There are proprietary tools available such as Tivoli from IBM and Unicenter from Computer Associates.
The maintenance of users and groups of users, including password management. Products like Directory Administrator and gq allow LDAP databases to be maintained.
Although a well designed centrally-managed client should only have minimal local state, updating its configuration without re-installing from scratch is still desirable for large networks expected to be active for some time. For example, if a core central service is changed, clients may have to be re-configured to use it.
Administrators can maintain configuration updates manually as they could software updates. However, similar synchronisation problems apply. Manual modification of configuration files, often stored in plain text files, is particularly prone to typing mistakes.
The GNU Configuration Engine (http://www.cfengine.org/) automates remote configuration of networked clients. It supports a wide variety of UNIX flavours, and its powerful class concept allows different groups of clients to be managed with minimal set up. Autonomous agents on the clients can maintain text files, network interfaces, file links and permissions, temporary storage and mounted file systems.
Some of the primitives which can be automated using cfengine are:
Check and configure the network interface.
Edit text files.
Make and maintain symbolic links, including multiple links from a single command.
Check and set the permissions and ownership of files.
Tidy (delete) junk files which clutter the system.
Systematic, automated mounting of filesystems (on Unix).
Checking for the presence of important files and filesystems.
Controlled execution of user scripts and shell commands.
Cfengine follows a class-based decision structure.
System Configurator (http://sisuite.org/systemconfig/) is part of the System Installation Suite, and is used by System Installer. It can set up and maintain many components of a GNU/Linux installation across many distributions such as networking, storage, time zone and booting.
This section covers system maintenance of clients from initial setup on new hardware to ongoing updates of software and configuration, and some technologies available to ease their management.
System installation is the initial setup of software and configuration necessary to maintain a machine. Factory built machines might have no operating system at all, or arrive pre-installed with software. Older machines with unwanted software may also be re-used by installing a fresh system instead.
The first task of a system installer is to boot the target machine. To support unbootable targets such as factory-built machines with uninitialised hard disks, the BIOS must support at least one boot method other than from hard disk. The oldest method is booting from a floppy disk, and although this is widely available it assumes a floppy drive is present. These are being phased out. Floppy disks are slow, unreliable, and offer very limited space for the system installation software by modern standards. Most machines built since 1997 support booting from CD-ROM by emulating the floppy disk boot sector. If a CD drive is present this is faster and offers more space for both the initial boot software and any further software required. The most sophisticated boot method is network booting. Not all BIOS firmware or network cards support this newer feature. The Pre Execution Environment (PXE) is part of the Wired for Management (WfM) industry standard, and enables most machines purchased since 1998 to boot from the local network.
The installer must access appropriate installation media containing the higher level software to be run after the machine has booted. Typically this will be stored on a local CD-ROM or a network file server. A single compact disc can be used to store a software snapshot, and the capacity of a CD-ROM should suffice for a basic Administration desktop using regular file compression. This static snapshot might be suitable if the software is unlikely to change, or if only a stable base installation is needed for adding additional software to. In general a network installation is more flexible, can be faster, offers greater capacity, and scales better for multiple, parallel installs than sharing install discs between clients.
The system installer transfers the software from the selected media to the target machine's local hard drive, and prepares it for booting. This will involve hardware detection, checking disk capacity and configuring network details.
Some of the possible installation methods are discussed below.
The most basic installation is by a system administrator. Typically software will be provided on compact discs, including a bootable installation disc. Some automatic hints may guide the administrator, but ultimately all customisation is manual. Since package selection, hard disk partitioning, hardware configuration and network details must all be entered manually this process is time consuming and prone to human error. Most Distributions have their own installation program, for example Red Hat's anaconda and SuSE's YAST2.
If near-identical clones are adequate, a “golden client” can be manually installed and then replicated. Live distributions such as Knoppix (which boots a full GNU/Linux environment from a single CD-ROM – see http://www.knopper.net/knoppix/) and other rescue discs can be used to copy the filesystem images of the golden client to other machines. Configuration and customisation can be added by scripts run before or after the installation. Since raw filesystems can be copied to disk rather than the files contained this can offer the fastest possible installation time. However configuring non-identical clones is less efficient and requires expert skill.
FAI (http://www.informatik.uni-koeln.de/fai/) installs the Debian distribution automatically. Software packages are accessed from a Debian site, which can be mirrored locally for speed or customisation. The installation kernel provided can be booted from the network or floppy disk, but CD-ROM booting is currently still under progress. Although FAI was designed for identical replication of clustered machines, the cfengine software described above is used for system configuration and allows extensive flexibility if required.
System Imager (http://www.systemimager.org/) provides system installation, configuration and maintenance for large networks of machines, preferably with similar hardware, across several distributions. It can boot from floppy disk, CD-ROM or PXE network servers. Both Debian and Red Hat installations have been tested, but the System Configurator software used aims to support all GNU/Linux distributions.
A golden client is manually installed and configured. Its filesystems are then mirrored to an image server, which target machines install from. If the golden client is updated, these changes are propagated to replicated clients using rsync. Although rsync sends file differences minimally over the network it can require significant memory to do so. Since modifications are relative to the golden client, System Imager is most suitable for target clients with identical or very similar hardware.
Kickstart (http://www.tldp.org/HOWTO/KickStart-HOWTO.html) is Red Hat's automated installation software. It installs Red Hat distributions from CD-ROM, hard disk or network, and boots from network, CD or floppy disk. The anaconda installer offers text or graphical interfaces, and can be interactive or fully automated by a configuration file. The hardware detection software kudzu caters for a wide range of devices automatically. General installation options can be set up in the configuration file, and extensions added with pre- and post-installation scripts.
With its intelligent configuration and detection software, kickstart can be used to automate similar installations across a variety of hardware targets. Selection of packages from the standard Red Hat distribution is straight forward, but updates or extensions can also be included by customising the kickstart process.
Software installations do not remain static during their lifetime. Software updates such as security or bug fixes will be released after the initial installation. In addition, package removal or addition will be required to manage software without re-installing an entire system.
Wherever possible, updates should be done by using “pull” rather than “push” techniques. The decision to pull updates should be made by a machine, either server or desktop, after it has verified itself against a master server. Updates should not be under the control of users. In this way, machines can be kept at the same revision level.
System administrators can maintain software updates manually. This might involve logging into the target client remotely, copying updated packages, and installing them with the distribution's native package manager. However although this offers tight control to the administrator, it is prone to errors and makes synchronising large collections of machines difficult. Some distributions offer update tools to maintain their standard packages, but typically still require manual intervention and may not provide for extensions to the basic distribution.
Red Carpet (http://www.ximian.com/products/redcarpet/) is a freely available software-updating suite from Ximian. It began as a graphical package manager for Ximian's desktop software, but now offers secure remote command line access and more software channels including distribution updates. Mandrake, SuSE and Red Hat are currently supported. It offers easy remote administration and automation, so large numbers of clients can be centrally maintained. However, some hangovers from its original design still remain. It does not support kernel or architecture-optimised updates. It can be configured to update software from customised channels. A proprietary server product Red Carpet Enterprise can be used to facilitate management of large software collections.
The graphical interface should not be used as this allows users to control updates. The command line interface should be incorporated into scripts which update the machine automatically.
Red Hat offer a range of software update services as part of their proprietary Enterprise Network (http://www.redhat.com/software/rhen/software_delivery). The most powerful is their Satellite Server, which allows full customisation of updates and errata. All servers support their standard Update Agent clients for distribution. The same comments against allowing the use of the graphical interface apply here as for Red Carpet above.
APT is a standard suite of tools supplied with the Debian GNU/Linux distribution which allows automated updates to the software installed on a machine. It is able to check dependencies between software packages installed on the machine and available from the software repositories it has been configured to check, and to retrieve and install relevant updates available from a repository. Organisations can set up and maintain their own repositories of software to be installed on their clients (Debian includes tools to set up and maintain such repositories), can use repositories provided by Debian and others, or use any combination of these sources of updated software. APT has been ported to work on rpm-based operating systems such as Red Hat Linux and Mandrake, where it provides functionality similar to, and in some ways improved by comparison to, Red Carpet.
Hardware can be monitored for faults and potential faults, for instance by making use of SMART-enabled hard disks and system health-checking hardware. Hardware and software systems should also be monitored for failures, potential failures, absence of service and lack of capacity.
MRTG (Multi-Router Traffic Grapher, http://people.ee.ethz.ch/~oetiker/webtools/mrtg/) is a monitoring tool originally designed to track and graph the usage of capacity on network links. However, it has developed into a tool capable of tracking virtually any changing quantity, and can be used to monitor such variables as processor, memory and disk space usage, usage of network services including statistics about volumes of email processed, web pages served, etc., system temperature and fan speeds, and other variables.
Snmpd (Simple Network Management Protocol Daemon, http://net-snmp.sourceforge.net/) is a system management server which can be run on each desktop machine in an organisation. It provides system management information to clients; typically to a central SNMP client which aggregates statistics from a number of machines. MRTG can act as such a client and perform this function, providing a graphical overview of the status of a large number of client machines.
Nagios (formerly known as NetSaint, http://www.nagios.org/) is a customisable host, service and network monitoring and management system. It is able to monitor network services and perform various recovery procedures if it discovers that a service is unavailable or having problems, including both invoking automatic recovery scripts and alerting system administrators to the problem. Nagios can also provide reports and overviews of the current and past status of the services it monitors.
The SmartMonTools toolset (http://smartmontools.sourceforge.net/) includes a daemon called smartd which is designed to monitor the SMART (Self-Monitoring, Analysis and Reporting Technology) function of modern hard disk drives. Since these devices are one of the most common components to fail in a modern computer, SMART is intended to monitor drive parameters and warn a system administrator of potential failures before they happen. smartd is designed to receive these warnings and take action, typically by alerting a system administrator.
LPRng (http://www.lprng.com/) is an actively developed implementation of the old BSD standard lpr/lpd system. It contains a number of enhancements which make it much more robust and easier to manage than the original products. The author is particularly keen on ensuring that LPRng is secure. Until recently this was probably the choice for printer management but recently CUPS has made progress and the choice is now less clear cut.
The Common Unix Printing System or CUPS (http://www.cups.org/) is designed to be an enterprise-ready Unix print system. It is based on the standard Internet Printing Protocol or IPP, and incorporates a browsing function which allows details of the names and characteristics of printers to be automatically distributed across the network. CUPS also incorporates a web-based user interface for administering and configuring the printers. Drivers are available for most common printers.
KDE and Gnome both incorporate their own printing subsystems which are able to interface user applications with most of the commonly used print spooling systems, including LPRng and CUPS.
All user and Administration data is assumed to be on one or more servers. It is necessary to be able to do incremental dumps, find dumps with specified files and restore individual files or whole file systems. Backup of user data tends to easier in Unix and OSS systems then with Windows because the user data files including their configuration data are usually contained in a single directory. This is another area where a proprietary product such as Legato may be necessary to obtain the features and fine control required in a large site.
These two programs are delivered as part of most distributions and are sometimes used together with tar and cpio in customised scripts to backup and recover single machines.
Amanda (See http://www.amanda.org/) is a client server product designed to backup multiple machines to a single device. It is also able to backup Windows machine through Samba.
It is essential in a highly networked environment that all machines – both servers and desktops – have the same notion of the current time. One or more servers are designated as master servers and they get their time either from an attached clock or from external time servers on the Internet. All the other machines are slaves synchronising against these masters.
Synchronising time can be done by running ntp (http://www.ntp.org/) on the machines, it can keep a network of machines to within a second of each other quite easily.
Chrony (http://go.to/chrony/) is an alternative to ntp. It has some features making it more suitable for higher-stratum NTP nodes than ntp, while ntp is better for low-stratum nodes which may have to interface directly with such things as GPS receivers and atomic clocks. There are also OSS products for Windows which are useful in a mixed environment, such as Automachron and nettime – http://go.to/chrony/ gives details of both.
These are the services necessary to run a TCP/IP based network.
Routers allow a large network to be split into smaller interconnected ones. The routers have the job of directing packets from one sub network to another to enable them to get to their eventual destination. Building routers requires a good understanding of the basic protocols and many Administrations will probably want to purchase proprietary dedicated routers.
However for those who want to build their own two products exist Bird (http://bird.network.cz/) and GNU Zebra (http://www.zebra.org/).
A TCP/IP network needs some means of translating IP addresses into human meaningful domain names and vice versa. DNS is a protocol together with a number of inter communicating servers each with data on them. DNS is basic to the working of the Internet. There are a number of programs to build DNS servers including BIND (http://www.isc.org/products/BIND/), MyDNS (http://mydns.bboy.net/), and MaraDNS (http://www.maradns.org/). BIND is the most widely used.
DHCP is a protocol described in http://www.dhcp.org/ which allows machines to obtain their network details at boot time from a central server or servers. DHCP allows the efficient use of scarce IP addresses and will reallocate addresses where possible.. It also allows central administration of many global addresses such as gateways and name servers. The main product comes from http://www.isc.org/products/DHCP/ and consists of a client and server application. The client has to run on all the participating client machines. Both these products come with most standard distributions.
Network file servers allow network attached machines to access file storage on a remote machine as though it were local.
This is the de facto standard and has been in use for many years. The commonly implemented subset does not provide strong security, though a secure variant is defined and is implemented in some commercial Unix variants.
NFS consists of a server which exports files from the machine it is running on to clients running on other network attached machines. There are controls over which other machines can attach to these files but once one is attached then traffic over the network is in the clear. There is minimal authentication of attaching users in the Linux version.
The other problem with any networked file system is that a network failure will stop file access. To overcome this a distributed file system is required (see below).
NFS is a standard part of most distributions.
Samba is a product which implements Microsoft's SMB protocol. See 14.5.1 for a more detailed description. It is critical to the integration of OSS and Windows based systems and comes with most standard distributions. Its use is described in some detail in Chapter 14.
For those who have Apple Macintosh machines netatalk provides the implementation of the AppleTalk protocol. (See http://netatalk.sourceforge.net/).
These products implement a distributed file system to varying degrees. With such a system access to files can continue when the network fails because local caching provides the appearance of being connected. This is a non trivial problem and the products solve it in different ways. This sort of filesystem is really needed with laptops or machines attached to a transient connection. The other way of providing the same functionality is to have local storage which is synchronised with a central server periodically. See http://www.openafs.org/, http://www.coda.cs.cmu.edu/, and http://www.inter-mezzo.org/ for details on each product.
http://www.inter-mezzo.org/docs/bottlenecks.pdf contains a detailed discussion of the characteristics of all the above.
The provision of rapid lookup of names and address and associated data.
The most popular standard for directory services is LDAP. This is an open protocol and is implemented in many products for instance Evolution and OpenOffice.org. LDAP works with data definitions called schemas and it is possible for Administrations to develop their own customised schemas. Unfortunately the schemas used by applications are not always compatible with one another, which means, for instance, that is difficult for OpenOffice.org to read Evolution data and vice versa.
The OSS application OpenLDAP conforms to the LDAPv3 standard, and version 2.1 and later can be configured with a range of different database back ends (such as flat file, SQL or even site defined).
Most of the groupware suites provide some form of directory service, but few will actually integrate compatibly with LDAP. Short of using cut-and-paste techniques, it is difficult to use the contact database they provide in external mail agents. Most of them offer mail agents of their own, but are not very forthcoming about the level of integration available to the inbuilt contact manager.
OpenOffice.org, Evolution and Mozilla provide integral address book functions. However, the storage formats used are not interchangeable. To allow interworking some site tailoring is needed.
The use of xterm with an appropriate TERM environment variable setting can emulate most character-based terminal types, for instance VT220 and VT100. There is a specific 3270 emulation named x3270. Page-based emulations can be found in proprietary products.
There is a discussion of this in Section 13.3 below.
There is a discussion of this in Section 13.4 below.