Slashdot Mirror


Designing A Linux Distribution For NASA?

Zenker asks: "At NASA we are offering Linux as an alternative to Windows for anyone who wants it. I am working on a contract that puts a new computer on everyone's desktop and we will provide support and services for them. I need to assemble a distribution that will have all the necessary applications without flooding them with numerous options. I don't want to support every word processor and every spreadsheet out there. A good security policy is also necessary. What distribution would you use as a base for supporting a few hundred Linux desktops? Which applications would be standard for your office suite? What would your security policy be?"


  1. Mandrake by sharkey · · Score: 2

    I would have to advance Mandrake. As danpbrowning pointed out, you'll probably be best off starting with a boxed distro, then modifying it to suit your needs. You have a good selection of options, including, I believe, Star Office w/Mandrake 7.2. Mandrake also supports KickStart out of the box to make scripting setups easier. Red Hat 6.x is also good. I am using RH 6.2 at home, since they support an FTP install. (Mandrake does too, but I was having trouble connecting to their mirrors that night.) You may have trouble promoting RH 7.0 due to the bad press, and may want to avoid it for the reasons it got bad press. Too cutting edge for something as staid as an employer-provided workstation. Red Hat includes Kudzu, which is supposed to check for hardware changes. On my PC at home, it did so beautifully with my NIC and modem (both on the HCL for RH 6.2).

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    1. Re:Mandrake by TheTomcat · · Score: 2

      Mandrake also installs Kudzu (sp?) by default. In fact, it told me last night that my CDRom has been removed from my computer.. either it's flaky (it's always worked for me before), or my CDRom's in some serious trouble (-:

      I'm incredibly happy with Mandrake, coming from Redhat.

  2. Ahh, OK, my .02 USD from marginal similar exp. by StandardDeviant · · Score: 4

    I have admin'd in a few middling-large environments (one, at a math dept with ~450 desktops, the other, at a chip designer firm with ~300 (and ~150 nodes in a sim farm); these numbers are subject to my bad memory). There are a few tips I have arrived at and have observed others say that may help:

    One: NFS mount /home. Preferably not off of a linux NFS server, apparently Linux still isn't as good as, say, Solaris WRT NFS serving. Also note that, in the linux distros I've used in NFS/NIS environments, if the NFS/NIS server goes down and comes back up, the Linux clients can exhibit "odd" behavior. odd == {not coming back up, etc}. Both the client and server NFS funkiness may not be an issue with the new kernel, btw. This allows for _much easier_ centralized backup (tape library, raid, whatever). I imagine you already have your own network-centric user authentication system like NIS(+), ldap, kerberos, whatever. A second benefit to this is that if a user's machine dies, and you have a stock of "premade" workstations, you can just plug it in and they're back up. This requires a minimal bit of education WRT "keep all your shit in /home" but it's worth it.

    Two: (this from an article written by the head admin @ RH). Use a source control system for your config files. That way you can track versions, changes, retrieve old versions, etc. CVS was the referenced system. This makes mucho sense when you think about it, as config file nightmares are enough to give the sturdiest admin pause.

    Three: security is of course a combination of many things. network security is outside of the question's space, and I assume you already have that aspect covered anyway (NB: openbsd makes a kickass firewall router if you are looking for a cisco/lucent/whatever alternative). WRT host-based security, just turn off all the services you don't need. That's step #1. Axe inetd. Use shadow/MD5 passwords, or customize the distro to use something else secure (OTPIE, kerberos, isn't there encrypted NIS+ transmission?, et al. (the places I've worked at haven't been more paranoid than shadow/MD5 for the workstations)). Have a centralized loghost that you spend a LOT of time securing. (OTPIE == one time passwords in everything. a google search will pull it up; I think it's discussed in the ORA Practical Unix and Internet Security book). There are other tweaks that can be done but I think what I've described will take you a long way. There is a book on the LDP (Linux Documentation Project) called Securing and Optimizing Linux that was IIRC pretty good.

    The previous posters were all pretty much dead on that a pre-extant distro is probably what you want to start with. Either debian or Mandrake/RH would do fine. Debian's package management system is pretty neat once you get used to it. Mandrake has an interesting install-time option that lets you affect system security on a wholesale level (file and dir permissions, su-ability, blah blah) via a selection box ranging from "Hello, Crackers!" to "Insane" or some such. Of course you may also have the resources to build a distro effectively from scratch to exactly fit your needs. Whatever works. I will say the one-step installs like KickStart (RH/?Mandrake?) or a Big Ass (tm) shell script launched from a boot/root floppy combined with a central media mount point (e.g. an NFS'd cdrom or a FTP dir) are _nice_ when you have 100s of machines to install. There was an article in the most recent LJ (maybe it was the one before that) about this.

    WRT apps, StarOffice is OK. It gets the job done but you'll probably want 128+ MB of ram and a 400+ MHz processor. Browsing with Netscape is tolerable as long as you don't expect much. Groupware is a whole other thread in the making, and has shown up at least three times here on /. in the past week. That's probably the common subset of functionality the users will need (i.e. programmers and secretaries both check mail). After that, well, it depends on the users. If they're programmers, well, linux is a programmer's _dream operating system_ IMNSHO. As far as desktops go, I know that gdm (gtk-using-update of xdm) can launch different sessions selectively. So give them kde, gnome+(E/fvwm2/Afterstep/Whatever), or any other combo of things your black sysadmin heart desires and let the users choose what they like the best. StarOffice, Netscape, and xterm/rxvt/et al. work the same in pretty much any desktop environment. KDE is particularly easy for most win32 users to adapt to.

    Sorry if it seems like I have babble mode on, but I'm up late. ;-) Good luck! I'd offer to help in person (I'm in Texas, so is JSC, so there's a chance we're in the same area code) but I somehow doubt a national agency is going to be thrilled to have a 22-year-old goth punk who is probably utterly incapable of getting a security clearance (for pretty much all the reasons you could think of except being a spy for a foreign power) poking about their network...

    Last tangential thought: ask the fellows over in the NSA about how they did it. Since they just released NSALinux v.01 or some such they have probably tested its use internally and in a similar environment (.gov, $security++). Maybe you could collaborate to produce some guidelines for other .gov agencies looking to make the switch (USDOC-STD-1234-ABCD-LMNOP no doubt ;-) )...


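The host-level checks from the comment above (inetd services left enabled, password hashes not shadowed or still on traditional crypt, no central loghost) can be scripted as a baseline audit. This is an added example, not part of the thread; the function names, the sample files and `loghost.example.internal` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Files written by make_sample_etc are constructed, not real.

# Services still enabled in inetd.conf (lines neither commented out nor blank).
inetd_enabled() { awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"; }

# passwd entries whose field 2 is not "x" or a lock marker: the hash (or an
# empty password) sits in the world-readable file instead of the shadow file.
unshadowed_accounts() { awk -F: '$2 != "x" && $2 !~ /^[*!]/ { print $1 }' "$1"; }

# shadow entries whose hash has no "$id$" prefix, i.e. traditional DES crypt.
# MD5-crypt, the scheme the comment names, is stored as "$1$salt$hash".
des_crypt_accounts() { awk -F: '$2 != "" && $2 !~ /^[$*!]/ { print $1 }' "$1"; }

# Remote loghost targets in syslog.conf: an action field of the form "@host".
remote_loghosts() { awk '!/^[ \t]*#/ && $NF ~ /^@/ { print substr($NF, 2) }' "$1"; }

# Run every check against a directory laid out like /etc; one finding per line.
audit_etc() {
  local etc=$1 name
  for name in $(inetd_enabled "$etc/inetd.conf"); do echo "inetd service enabled: $name"; done
  for name in $(unshadowed_accounts "$etc/passwd"); do echo "password not shadowed: $name"; done
  for name in $(des_crypt_accounts "$etc/shadow"); do echo "DES crypt hash: $name"; done
  [ -n "$(remote_loghosts "$etc/syslog.conf")" ] || echo "no remote loghost configured"
}

make_sample_etc() {
  mkdir -p "$1"
  cat > "$1/inetd.conf" <<'EOF'
#ftp    stream tcp nowait root   /usr/sbin/tcpd in.ftpd
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
EOF
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
legacy:abXXXXXXXXXXX:500:500::/home/legacy:/bin/bash
EOF
  cat > "$1/shadow" <<'EOF'
root:$1$saltsalt$XXXXXXXXXXXXXXXXXXXXXX:11300:0:99999:7:::
olduser:abXXXXXXXXXXX:11300:0:99999:7:::
daemon:*:11300:0:99999:7:::
EOF
  cat > "$1/syslog.conf" <<'EOF'
*.info;mail.none    /var/log/messages
authpriv.*          @loghost.example.internal
EOF
}

demo_dir=$(mktemp -d) && make_sample_etc "$demo_dir" && audit_etc "$demo_dir"
```

On a real workstation, point `audit_etc` at a read-only copy of `/etc` and run it as a user allowed to read the shadow file.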
  3. Debian is nearly ideal for this by Lupulack · · Score: 2

    For supporting large numbers of clients, you can't go wrong with Debian.

    After all, you can keep a central store of the software that you need, update it as necessary and have a cron job of apt-get running on each machine. Keep the software synchronized on every machine to a set standard ( with optional bits and pieces of course ). An install would be an easy matter of booting a floppy on the target machine.


    Of course, this from someone who is for the first time getting a real handle on Debian ... *so* different from OpenBSD, but nice all the same :)

    --
    The fact that no one understands you doesn't mean you're an artist.
    1. Re:Debian is nearly ideal for this by webmaven · · Score: 2

      You might look into Progeny Linux, a new Debian distribution, with a focus on improving the installation process and user friendliness. It is also intended as a base for Progeny's Linux NOW, (Network of Workstations), an open source technology intended to create loosely coupled resource sharing networks, making all extra CPU cycles, memory, and storage available on-demand to any application running on any of the participating workstations.

      Think that could come in handy?
      --
      The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.