Slashdot Mirror

← Back to Stories (view on slashdot.org)

Designing A Linux Distribution For NASA?

Posted by Cliff on from the putting-a-penguin-on-the-moon dept.

Zenker asks: "At NASA we are offering Linux as an alternative to Windows for anyone who wants it. I am working on a contract that puts a new computer on everyone's desktop and we will provide support and services for them. I need to assemble a distribution that will have all the necessary applications without flooding them with numerous option. I don't want to support every word processor and every spreadsheet out there. A good security policy is also necessary. What distribution would you use as a base for supporting a few hundred Linux desktops? Which applications would be standard for your office suite? What would your security policy be?"

22 comments

  1. Always wanted to know, myself by danpbrowning · · Score: 1

    I sure have asked myself this question a million times. Here's what I would say:
    Start with an existing distribution and modify it to your needs. Redhat has great hardware detection and stability. Further, VA Linux Distro (based off of redhat) has additional features (2.4.0 IDE backport patch included in their 2.2.18 kernel).
    Applications? That's a toughie. StarOffice seems like a good way to go because it has most the apps a user will need, and has great upgradability with future openoffice versions.
    You might look into creating cookie-cutter installations where everyone has the same exact desktop, buttons, etc. It would be easier to support, but annoying for power users.
    HTH

    --
    Daniel
  2. Why not... by Anonymous Coward · · Score: 1

    Why not have a 'master' server cluster, configured with X and all the goods, and then have every user connect via some kind of thin client?

    There won't be many software issues that the user can screw up in this configuration, an upgrade will only need to happen on the cluster (NOT on hundreds or thousands of workstations), and everything can be managed separately.

    Forcing users to store their files on the cluster (or encouraging this, by having /home on a RAID array) will allow for easy backups as well.

    At that point, you can consider giving 'power users' access to install their own software in /usr/local for themselves.

    Think ahead - what happens if there's another critical upgrade necessary (like Linux kernel
    Next, install StarOffice. Yes, I know, it's not the greatest, but it has decent support for MS document formats, and as much as I hate to say it, you need them. Your customers/partners/suppliers might send you stuff in those formats and you *have* to be able to read them.

    Next, install a decent web browser. Perhaps the latest Mozilla milestone release or something (NOT Netscape 6!) or maybe something lighter derived from Mozilla.

    Whatever you decide to do, please choose carefully. I think you have a great opportunity to make things easier on your IS department in the long run.

  3. Mandrake by sharkey · · Score: 2

    I would have to advance Mandrake. As danpbrowning pointed out, you'll probably be best off starting with a boxed distro, then modifying it to suit your needs. You have a good selection of options, including, I believe, Star Office w/Mandrake 7.2. Mandrake also supports KickStart out of the box to make scripting setups easier. Red Hat 6.x is also good. I am using RH 6.2 at home, since they support an FTP install. (Mandrake does too, but I was having trouble connecting to their mirrors that night.) You may have trouble promoting RH 7.0 due to the bad press, and may want to avoid it for the reasons it got bad press. Too cutting edge for something as staid as an employer-provided workstation. Red Hat includes Kudzu, which is supposed to check for hardware changes. On my PC at home, it did so beautifully with my NIC and modem (both on the HCL for RH 6.2).

    --

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    1. Re:Mandrake by sharkey · · Score: 1

      The thing I really liked about the Mandrake 7.1+ install is the dependency checking. Unlike Red Hat, if you remove a component that others depend on, it tells you so immediatley. That in mind, do an expert install, and pick the general categories that you think suit your needs. Make sure you choose "Select Individual Packages", or what ever Mandrake calls it (Been awhile since I've installed it). The general categories will select a large, number of packages for you. After you tell it to let you select individual packages, and tell it that whatever size it says it is installing is fine, you'll get a tree of all the packages. It is VERY daunting at first glance, and seems like it will take forever. But, forge ahead, and you'll get through it. Unselect the packages you don't want. If a package depends on the one you are unselecting, it will say something to the effect of, "Removing packages FOO, BAR, UCK, and FUP. Yes|No" This is the confirmation dialog, if you say yes it will remove the listed packages. Some packages it claims are required. Some, like RedHat it installs hether you tell it to or not. Sendmail comes to mind, Red Hat anyways. There is no doubt that you will have to go through and remove and/or add a few packages w/rpm after the install completes. Compilers and network servers spring to mind as things that are not needed on a desktop. Check the logs the install creates to find exactly what is installed, and what version it is. Look them up, find out if you really need them. Judging from your reply, you don't need a whole lot. If it weren't for the security policy you mentions, doing the "Workstation" install might fit you. You should visit http://www.openna.com and look at the docs they have to offer. In particular, look for "Securing and Optimising Linux. They have a Red Hat edition, which I have been reading and referring to. It is geared mostly towards servers, but it does outline some good concepts. Since Mandrake is a derivative of Red Hat, much of the book will carry over very well. http://www.linuxdocs.org is invaluable as well. Are there any LUGS in your area? Any computer groups of any focus? Even if they are not directly involved with Linux, there's a good chance that they know of someone or some folks who are into Linux.

      Make no mistake, you are going to have to spend a good bit of time and effort up front with this sort of thing. With Linux, you are in control, rather than a vendor, so the buck really stops with you. Doing the research up front saves a lot of, "Oh, shit!!! What did I fsck up?!?! and how in the hell do I fix it?" later. Believe me, I know.

      Even though it looks as if it has a huge amount of stuff, as do most of the major distros, you're defintitely better off starting with a full distro, installing it, testing it, and removing what you don't want. I wouldn't know where to begin "rolling your own" distro, but I wouldn't think it is an overnight project. I haven't used KickStart, but I have heard good thing about it. KickStart is used to script a RedHat/Mandrake install, to install what you need, and leave out what you don't. Other distros probably can use it as well, and I am sure there are other utils to do the same thing.

      Do you have a good internet connection? I'd recommend checking out as many distros as you can firsthand, after reading the other replies. Most of the major distros are going to have way more than you want or need, and will need to be customised for you. Find out what "goodies" people really ARE using in their everyday life. You might be surprised. Well, maybe not about music;) Finding a LUG is a really good thing to do. Find someone with more experience than me. Find someone with more experience than you.

      --

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    2. Re:Mandrake by TheTomcat · · Score: 2

      Mandrake also installs Kudzu (sp?) by default. In fact, it told me last night that my CDRom has been removed from my computer.. either it's flaky (it's always worked for me before), or my CDRom's in some serious trouble (-:

      I'm incredibly happy with Mandrake, coming from Redhat.

    3. Re:Mandrake by gzenker · · Score: 1

      I like Mandrake, but it comes with too much stuff. I really would like the machine with koffice on there, xmms, and few other "goodies" for people to use in their everyday life!

      How would I scale it back? Write a rpm -e routine?? That seems kind of cheesy :-/ Let me know if you have a better way!

  4. Linux from Scratch? by mini+me · · Score: 1

    Have you considered Linux from Scratch? Basically what it is, is building Linux from the ground up. This would allow you to add the software that you need, and only the software you need. It will also allow you to configure everything yourself in the exact way you want it which should increase security somewhat since you will know exactly what you have setup, and not what someone else has done for you.

    I think this project is well suited for tailor made copies of Linux, like you would like to have. Of course it will take more time to start from scratch but I feel in your situation it would be worth the extra effort. Good luck with your undertaking.

    1. Re:Linux from Scratch? by bdumm · · Score: 1
      What we have been working on lately has been alfs, which is Automated LFS. It works real nice as all you need at that point is the alfs backend and a profile to make the installation automagical. The profile is just a simple XML format that describes in XML objects the same process you use to build LFS. (ie. configure, make, make install, etc).

      Nice thing about alfs is that you just have to learn the XML syntax to make your own profiles.You could make a profile(ie your own distro, or specific nasa-worker) or just about anything.

      You could put this all on a cdrom and use it that way, or more preferably you could do it through your network.... For a cd you would need the source packages, probably could use up through chap 5 in LFS on your cdrom, with perl and some extra alfs perl modules, and really that should be it. Stick it in a drive, run alfs and the profile and watch it go to work. You could also chroot your cd enviroment to make sure it worked etc. before you burnt the cd...

      No more coasters..... :)

      btw alfs.linuxfromscratch.org has just went up and is being worked on, and you can find the alfs code, and chap4, chap5, chap6 from LFS at http://cvs.linuxfromscratch.org/index.cgi/ALFS/bac kend/ and you can find more info like the syntax docs in the ALFS directory.

      BTW this is all changing fast so check the mail lists, and cvs occasionally....

    2. Re:Linux from Scratch? by AlexA · · Score: 1
      You can do that with normal distributions too. It's called package management - disable/uninstall everything you don't need. And it'll let you configure software too by editing the config files. It's pretty straightforward, unless there are config options you need to change at the source-code level, then it's just a matter of recompiling the code yourself. No big deal.

      Plus, using Debian/Red Hat/Mandrake/etc. will make applying security updates way easier than doing it by hand - it's a pain to keep track of all the software yourself.

      My personal recommendation for distributions: Debian if you want a stable, secure, technically superior distribution; or Mandrake if you want something that's really easy to use and want to have all the latest software.

    3. Re:Linux from Scratch? by HIghoS · · Score: 1

      Actually, if you hop on IRC (#LFS on irc.linuxfromscratch.org) and talk to a few of us, we allready have machines running ALFS... You can download most of the code from CVS and try it out, we are getting there, i just got back from visiting family and friends (a hole whopping two weeks, i feel so disconnected :) so i have some catching up todo, but i'll be reworking the CVS archive, as we have an influcs of new developers and volunteers, it's great =)

      PS, ALFS does work right now, it doesn't have a fancy interface like what is planned but it is usable to an extent, btw there are other implementations that were started when we first were talking about using XML with ALFS, one is Richard Lightmans RALFS and Rod Roark LFSMake

    4. Re:Linux from Scratch? by gzenker · · Score: 1

      How could I use LFS to create a cd distribution for me? I have used LFS in the past just for fun and I agree with you, it is a good idea, but I don't know the first thing about making my own distribution from it. Any help would be appreciated.

    5. Re:Linux from Scratch? by bdumm · · Score: 1

      well considering the way this seems to be "moderated" I would check cvs, as I dunno if /. would post ALFS....

    6. Re:Linux from Scratch? by HIghoS · · Score: 1

      *ROFL's and patpats bdumm*

    7. Re:Linux from Scratch? by HIghoS · · Score: 1

      Hey gzenker, you got an email so we can stay in contact? it would be alot easier considering how fast things are moving forward for us =)

      (just email it to highos@highos.com, that would be great)

    8. Re:Linux from Scratch? by HIghoS · · Score: 1

      As bdumm mentioned above (i'm actual on his LAN right now, visiting from .ca ;) ALFS is doing exactly that, when i get back the four things i'm working on are, a bootable cd/floppy for "Distrobution Installations", a Qt-Embedded Front-End to make it "pretty", getting the docs up to date and optimizating CVS.

      Making a bootable CD is not hard, you could take something like Toms bootdisk, burn it as the Bootable ISO Image, stick ALFS, the source packages or binaries just in tarballs on the CD, bootup, format+partition (which can be automated too, it isn't hard once you understand the Linux Boot up system with SysVinit), mount the new partition, mount the cd, untar/start compiling.

      As for everyone saying that you should stick with a distrobution, i don't think they have any idea what it's like having 1000+ computers (that are not all in one place) running a distrobution and having to take the time to _clean up_ after the maintainers, it's plain disgusting, with LFS at least, your at the bare minimun, and it's quite complete for the average system, adding X, KDE2, XMMS, RealPlayer, Netscape, Star Office, Word Perfect, ApplixWare, etc is just easy and very clean compared to a "all-in-one-box" like most distrobutions are (don't get me wrong, you could do it that way, but for my 2 desktops and 2 servers, it's easier todo it from scratch, as i spend just _as much_ time doing it ala LFS then doing it with MDK, RH, Deb, Slack, and stripping it down then rebuilding it)

      Anyways, i'm just mumbling, keep an eye out on LFS/ALFS slashdot, we are going back to the roots of a Linux system and making it clean and KISS.

    9. Re:Linux from Scratch? by gzenker · · Score: 1

      That sounds great! The moment you think that I could make a "distrobution" on a cd, I'm there. We are looking at doing some linux desktops real soon. I might do some LFS machines by hand until ALFS is ready to go. I'll keep my eyes on slashdot for ALFS!

  5. Slackware by Anaxagoras · · Score: 1

    If you are looking for security go with Slackware, it is a distro well known for having few security holes.

  6. Ahh, OK, my .02 USD from marginal similar exp. by StandardDeviant · · Score: 4

    I have admin'd in a few middling-large environments (one, at a math dept with ~450 desktops, the other, at a chip designer firm with ~300 (and ~150 nodes in a sim farm); these numbers are subject to my bad memory). There are a few tips I have arrived at and have observed others say that may help:

    One: NFS mount /home. Preferably not off of a linux NFS server, apparently Linux still isn't as good as, say, Solaris WRT NFS serving. Also note that, in the linux distros I've used in NFS/NIS environments, if the NFS/NIS server goes down and comes back up, the Linux clients can exhibit "odd" behavior. odd == {not coming back up, etc}. Both the client and server NFS funkiness may not be an issue with the new kernel, btw. This allows for _much easier_ centralized backup {tape library, raid, whatever). I imagine you already have your own network-centric user authentication system like NIS(+), ldap, kerberos, whatever. A second benefit to this is that of a user's machine dies, and you have a stock of "premade" workstations, you can just plug it in and they're back up. This requires a minimal bit of education WRT "keep all your shit in /home" but it's worth it.

    Two: (this from an article written by the head admin @ RH). Use a source control system for your config files. That way you can track versions, changes, retrieve old versions, etc. CVS was the referenced system. This makes mucho sense when you think about it, as config file nightmares are enough to give the sturdiest admin pause.

    Three: security is of course a combination of many things. network security is outside of the question's space, and I assume you already have that aspect covered anyway (NB: openbsd makes a kickass firewall router if you are looking for a cisco/lucent/whatever alternative). WRT host-based security, just turn off all the services you don't need. That's step #1. Axe inetd. Use shadow/MD5 passwords, or customize the distro to use something else secure (OTPIE, kerberos, isn't there encrypted NIS+ transmission?, et al. (the places I've worked at haven't been more paranoid than shadow/MD5 for the workstations)). Have a centralized loghost that you spend a LOT of time securing. (OTPIE == one time passwords in everything. a google search will pull it up; I think it's dicussed in the ORA Practical Unix and Internet Security book). There are other tweaks that can be done but I think what I've described will take you a long way. There is a book on the LDP (Linux Documentation Project) called Securing and Optimizing Linux that was IIRC pretty good.

    The previous posters were all pretty much dead on that a pre-extant distro is probably what you want to start with. Either debian or Mandrake/RH would do fine. Debians package management system is pretty neat once you get used to it. Mandrake has an interesting install-time option that lets you affect system security on a wholescale level (file and dir permissions, su-ability, blah blah) via a selection box ranging from "Hello, Crackers!" to "Insane" or some such. Of course you may also have the resources to build a distro effectively from scratch to exactly fit you needs. Whatever works. I will say the one-step installs like KickStart (RH/?Mandrake?) or a Big Ass (tm) shell script launched from a boot/root floppy combined with a central media mount point (e.g. an NFS'd cdrom or a FTP dir) are _nice_ when you have 100s of machines to install. There was an article in the most recent LJ (maybe it was the one before that) about this.

    WRT apps, StarOffice is OK. It gets the job done but you'll probably want 128+ MB of ram and a 400+ MHz processor. Browsing with Netscape is tolerable as long as you don't expect much. Groupware is a whole other thread in the making, and has shown up at least three times here on /. in the past week. That's probably the common subset of functionality the users will need (i.e. progammers and secretaries both check mail). After that, well, it depends on the users. If they're programmers, well, linux is a programmer's _dream operating system_ IMNSHO. As far as desktops go, I know that gdm (gtk-using-update of xdm) can launch different sessions selectively. So give them kde, gnome+(E/fvwm2/Afterstep/Whatever), or any other combo of things your black sysadmin heart desires and let the users choose what they like the best. StarOffice, Netscape, and xterm/rxvt/et.al. work the same in pretty much any desktop environment. KDE is particularly easy for most win32 users to adapt to.

    Sorry if it seems like I have babble mode on, but I'm up late. ;-) Good luck! I'd offer to help in person (I'm in Texas, so is JSC, so there's a chance we're in the same area code) but I somehow doubt a national agency is going to be thrilled to have a 22-year-old goth punk who is probably utterly incapable of getting a security clearance (for pretty much all the reasons you could think of except being a spy for a foreign power) poking about their network...

    Last tangental thought: ask the fellows over in the NSA about how they did it. Since they just released NSALinux v.01 or some such they have probably tested its use internally and in a similar environment (.gov, $security++). Maybe you could collaborate to produce some guidelines for other .gov agencies looking to make the switch (USDOC-STD-1234-ABCD-LMNOP no doubt ;-) )...


    --
    --

    News for Geeks in Austin, TX
  7. Debian is nearly ideal for this by Lupulack · · Score: 2

    For supporting large numbers of clients, you can't go wrong with Debian.

    After all, you can keep a central store of the software that you need, update it as necessary and have a cron job of apt-get running on each machine. Keep the software syncronized on every machine to a set standard ( with optional bits and pieces of course ). An install would be an easy matter of booting a floppy on the target machine.


    Of course, this from someone who is for the first time getting a real handle on Debian ... *so* different from OpenBSD, but nice all the same :)

    --
    The fact that no one understands you doesn't mean you're an artist.
    1. Re:Debian is nearly ideal for this by webmaven · · Score: 2

      You might look into Progeny Linux, a new debian distribution, with a focus on improving the installation process and user friendliness. It is also intended as a base for Progeny's Linux NOW, (Network of Workstations), an open source technology intended to create loosely coupled resource sharing networks, making all extra CPU cycles, memory, and storage available on-demand to any application running on any of the participating workstations.

      Think that could come in handy?
      --

      --
      The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
  8. Only if you're thinking of ASP designs by keylock · · Score: 1

    It's cool to have Linux as the workstations, running opensource stuffs from a mounted partition from somewhere. But consider the ASP model - webbased.

    --
    ~keylock
  9. Don't forget the most important utility by Time+Kills · · Score: 1

    I don't have too much useful input here, but I would have to strongly suggest that the 'units' command be installed and maybe the /etc/motd be: Don't be like Homer Simpson. Check your units.