Domain: dmtf.org
Stories and comments across the archive that link to dmtf.org.
Comments · 10
-
CIM is really a widely adopted open standard
It is a lot easier to embrace an "open standard" when you developed it yourself, then donated it to a consortium.
WBEM is a decades old open standard implemented by just about every major software and hardware manufacturer out there. It's shipped with just about every OS. The computer you are using right now probably has CIM implementation built in or at least available in the core OS.
The standard is managed by the Distributed Management Task Force which includes most top software firms. Here is the Java JSR-48: WBEM Services Specification and Implementation for example.
What Microsoft is giving the open-source community is a CIMON ( CIM Object Manager ) implementation. This is fully standards based and Microsoft is just donating the code. But as mentioned earlier Ubuntu and most OSes already ship with a lightweight CIMON.
-
Re:Uh huh
Yep, installed packages are available through the Windows Management Instrumentation - where you'll find rich information about everything related to system management, from system board, network adapters, performance counters, drivers over printers, volumes, disks to installed software, updates, running services etc.
Yes, this model offers much more information that you'll ever get from a Linux system unless you have dip into some serious log file archeology.
The WMI classes are not part of PowerShell, but PowerShell will seamlessly integrate with the WMI/CIM model. Consequently, the WMI classes are not documented as part of PowerShell. However, they are very well documented. To get a little feel for what type of information can be obtained for a Windows system, look at the documentation for WMI. There are also CIM classes which should work cross platform with any system that adheres to DMTFs WBEM protocol and CIM model. Yes, they are available for Unix/Linux as well.Your example is actually very interesting. You managed to figure out that Win32_Product was *probably* the WMI class you wanted. Great! here is how you will progress from there: run the command and pipe the result through the Get-Member cmdlet to get an overview of the available information (properties, methods).
Get-WmiObject win32_product | Get-Member
From the answer (cannot be shown here due to
./ junk character filter) you can see that Win32_Products has (among other properties) a caption and a version. Hence, you type (or press up-arrow and edits the prev line):Get-WmiObject win32_product | Format-Table caption,version
And voila you have your installed products with versions, nicely formatted in a table. This workflow is actually very, very common with PowerShell:
1) locate the command,
2) pipe the results through get-member (which has the standard alias gm because it is used so frequently),
3) chose properties,
4) re-run the command but pipe the results to one of the export-, out- or format- cmdlets.Yes, you can export the list as comma- or tab-separated values instead by piping the results through Export-Csv:
Get-WmiObject win32_product | select caption,version | Export-Csv myproducts.csvThe GPs point was exactly about the discoverability and consistency of PowerShell. There is no overloaded use of -e options. All options has meaningful names, but can be abbreviated as long as there is no ambiguity. Output from cmdlets are self-describing and you can discover both properties and methods.
And PowerShell works with objects. If you inspected the output from the Get-WmiObject win32_product | Get-Member, you would notice that the returned objects each expose an Uninstall method. See if you can figure out what Get-WmiObject win32_product | where name -like "*Java*" | foreach Uninstall will do.
-
Re:Don't do it...
Careful, SSH and haphazard interfaces do not play in Linux's favor.
Day 1) Walk in the door, optimistic about what can be done with this "Enterprise" platform.
You know this works exactly the same way s/Windows/Linux/ and vice-versa
I use Puppet for doing Linux configuration management, and it is an _awesome_ tool but shows just how much Linux is lacking in basic system instrumentation, configuration management, and datacenter level administration. That is an area Windows has a leg up.
Kerberos + formal APIs beats SSH + only standardized interfaces are 30 years old
Think what it takes to programmatically manage crontab entries for a minute, compared to something with an API for scheduled tasks built in.
It's not even a contest, Linux is HORRIFIC at programatic configuration, you cannot lie about this.If SSH is your idea of remote automation heaven, then I hate to tell you, but you can install that on Windows. There's a good chance you wouldn't need to if its kerberized WMI interface does what you need, and you can't just install "instrumentation" into Linux. And these are standard interfaces I'm talking about
.. http://www.dmtf.org/Once you get to the datacenter level, doing things programmatically is KEY. This SSH + messy nondeterministic CLI bullcrap doesn't cut it.
Sorry, but you home Linux admins that think Linux is the tits needs to wake up. Microsoft is reeling right now, but Linux vendors are getting complacent. As complacent as Microsoft was...At least document fucking return codes, and do something useful with them if you can't write out something parseable! Sun got that much right for Chirst's sake, and Linux fanbois like to pretend their are working on a UNIX system. Want an example??
man yum, tell me how you would know if a package installed or not when I do "yum -y update foo"
That is the bullcrap I'm talking about. OS updates... not exactly some obscure interface huh? -
Clouds are not the whole of computing
I'd suggest that they are likely to grow to being an important part of computing, but no bigger than, for example, the large-server-and-Oracle part. (full disclosure: I'm a capacity planner, so most of my income comes from just that part).
The disadvantage is that my cost per transaction is greater than if I had a steady load and ran my own machine room. The fees I and the other customers pay a cloud service have to cover their whole machine room, whether it's it's busy or not, plus their profit.
So I see a natural evolution for a growing business. While they're small, they'll build a LAMP or Java stack on a small machine in the back room. If they grow slowly and steadily, they'll buy more, larger machines for the back room. If they grow without bound, they'll jump to LAMP-on-cloud or Java-on-a-cloud, with a few code changes as possible.
Once they have mastered that, they'll move back and forth, depending on the business growth rate. If they grow too fast, they'll do a lot in the cloud. If they grow slowly, they'll have a cloud presence, but try to process as much in their own machine room as they can, to improve the profit margins, using the cloud for overflow and to run during my machine-room upgrade.
Conclusion? common software between the cloud and the machine-room is important. Look for any standards developing in the LAMP/SAMP space, like the DMTF incubator at http://www.dmtf.org/about/cloud-incubator Look for Java offerings for business, like http://blogs.sun.com/cloud/entry/communityone_cloud_recap When you're there, specifically look for virtual machines that will run in the cloud. Finally, look for load-balancing mechanisms that will send your work to two different places, under your control, sometimes called "application distributors".
Don't assume open source is at a disadvantage: if you can run your stack on a free VM on a standard-conforming cloud, however commercial it might be, then your computing can remain free of the control of others.
--dave
-
MS Open Standards Participation
These extensions are built using a recently ratified open standard called WS-Management from the DMTF.
Microsoft and 11 vendors submitted a proposal to this standards body in 2005.
They then worked with the committee through the standards process as the spec evolved and came to its final standard status just recently.
The spec was ratified as preliminary standard in mid-2006.
Many changes were made by committee voting process. Microsoft's implementation is a core part of the OS, called "Windows Remote Management" or "winrm". As this was happening Microsoft kept its development team in sync with the committee so that changes could be made in the OS.
Vista shipped compliant with the Preliminary Standard version and MIcrosoft has shipped updates both to Vista and downlevel operating systems like windows XP to bring it into compliance with the standard.
The system center extensions make use of the winrm component to communicate with non-windows systems including Linux and embedded hardware such as Intel vPro and AMD equivalents.
you can find the specification at: http://www.dmtf.org/standards/wsman -
How Intel AMT really works. Some infoIntel's "Active Management Technology" is described by Intel here. But there's no real information there, just endless PR and management-level papers, all claiming that if you have remote control, magically your machines will all just work. (We've heard this before, from Microsoft, who called it Zero Administration.)
From what little information is available, the following appears to be the case:
- AMT is implemented by some small auxiliary processor in the network controller. It's not, apparently, firmware that runs in system management mode. But that's not entirely clear.
- AMT for clients is basically an implementation of Alert Standard Format, a remote management interface which previously required installing a special plug-in board. This probably means that it uses Remote Management Control Protocol (RCMP) to talk to the client. This uses UDP datagrams on ports 623 and 644. Sending an RCMP Presence Ping on port 623 to any machine with RCMP enabled should result in a reply. Port 644 has a reasonable security system, requiring a key exchange at the start of each session. Messages are cryptographically signed, but not encrypted. If properly configured, only harmless functions should be enabled on port 623. If improperly configured...
- The general idea is that a new computer must enroll in the system by doing one good boot of the OS and talking to the remote system administration machine for an initial key exchange of 160-bit keys. Once that's been done, secure sessions are possible. It's not clear what the initial state of a new system is. One would hope that this stuff comes up disabled. But Intel isn't telling.
- Key-setting appears to be done through normal OS operation. It doesn't apparently require an external hardware device to be plugged in, which would be far more secure.
-
Some RCMP functions of interest:
- Unconditional Power Down
- Force Hard Drive Boot
- Force CD/DVD boot (may be redirected to net)
- Lock Power/Reset/Sleep buttons.
- Lock Keyboard
- Blank Screen
- User Password Bypass
- Remote Control Device Action (control peripherals)
- One very real possibility is that spyware, worms, or viruses might set the RCMP keys and enable RCMP on a machine. If it does that, the machine is 0wned. Really 0wned. If an attacker can set the keys, an attacker can not only reboot the system remotely, they can disable the keyboard, power off button, sleep button, and reset button. Of course, you could pull the plug. Maybe. Visualize this happening on a WiFi enabled laptop.
This system is not all that badly designed, provided it stays turned off except in corporate environments that really want it and understand its implications. But if implemented dumbly (with, say, the same keys on all machines, or an insecure administration machine) it opens huge security holes. For example, if all the help desk machines have the master RCMP keys to all the machines in the organization, it's almost inevitable that there will be a leak. Compare Kerberos, where there's a central machine that has to be physically secured, but all it does is key management.
Linux support for all this is possible; the interfaces are documented. And definitely, someone needs to explore RCMP messages on port 623 and find out what is enabled at by default.
And if anybody breaks into your corporate help desk machine, they 0wn the company.
-
Re:Acronym expansion anyone?
Umm, if you can't expand the acronyms on your own, are you really likely to have a good answer to the question?
- DMTF - Distributed Management Task Force. This link was in the article (and CIM and WBEM have quick links on the DMTF home) for those who read the article and were curious.
- WBEM - Web-Based Enterprise Management
- CIM - Common Information Model. This is the only one in this list that didn't pop up feeling lucking at Google
- SBLIM - Standards Based Linux Instrumentation for Manageability. This I got directly from link in the article.
-
Re:Acronym expansion anyone?
Umm, if you can't expand the acronyms on your own, are you really likely to have a good answer to the question?
- DMTF - Distributed Management Task Force. This link was in the article (and CIM and WBEM have quick links on the DMTF home) for those who read the article and were curious.
- WBEM - Web-Based Enterprise Management
- CIM - Common Information Model. This is the only one in this list that didn't pop up feeling lucking at Google
- SBLIM - Standards Based Linux Instrumentation for Manageability. This I got directly from link in the article.
-
Re:Acronym expansion anyone?
Umm, if you can't expand the acronyms on your own, are you really likely to have a good answer to the question?
- DMTF - Distributed Management Task Force. This link was in the article (and CIM and WBEM have quick links on the DMTF home) for those who read the article and were curious.
- WBEM - Web-Based Enterprise Management
- CIM - Common Information Model. This is the only one in this list that didn't pop up feeling lucking at Google
- SBLIM - Standards Based Linux Instrumentation for Manageability. This I got directly from link in the article.
-
Re:PAM is your friend here
"If you're trying to implement this, I think that PAM (pluggable authentication modules) is the way to go."
Correct.
"You would need to write a wrapper for getpwent and friends and link all the programs on your system against it..."
Not necessarily - if you are using libc6 (ie., GNU libc 2.0 or 2.1) then you already have Sun Solaris-style NSS (Name Service Switch) which already provides the necessary "wrappers" for getpwent and friends in the standard C library; all you (the admin) needs to provide is a backend lookup library/module that will query against the nominated database.
The "modern" version of NIS/NIS+ is to do all this through LDAP - have a PAM module that performs authenticated binds against an LDAP directory (for authentication) and an NSS module that does all the get*ent lookups against the LDAP directory (for ls and friends).
Works a treat - absolutely no need for any users in
/etc/passwd or /etc/shadow.Check out:
There are some other schema efforts underway (incl. The Open Group and the DMTF), though the above is the only one to so far "deliver" (for want of a better word) for UNIX and UNIX-like (POSIX) environments.