Slashdot Mirror


Role Specific Distributions?

An Anonymous Coward asks: "I'll start off by saying that I'm a Windows 2000 MCSE, but in our mostly-Windows business, I've managed to sneak a few Linux servers in here and there. For example, our primary DNS server runs Linux, but the secondary is a Windows box, to keep the boss happy. He's scared of Linux due to the massive configuration needed, not to mention the lack of checkboxes and 'Are you sure?' dialog boxes. I think something that would help him (and probably others) accept Linux more in a server role would be a custom-made distribution dependent on the role of the server. Does such an animal exist (something like 'Linux -- DNS Server edition') where all services except BIND are disabled, and BIND is already set up securely with just a few site-specific things left to configure (like the specific hostnames and zones)? How about something like this for web, email, and news too?" While we all know that any Linux distribution can be tweaked for a wide variety of services, might this make some kind of sense in an odd, PHB kinda way?

27 comments

  1. There are tons... by Deagol · · Score: 3, Informative
    My favorite is the Redhat Kickstart version. :) I have a boot disk that configures a syslog server. One for a dns server. Etc. One size fits all, really. You can make as lean or fat a server you need to.

    As a fellow MCSE (NT 4.0 + Internet), I can't see how linux is a "massive" configuration any more than NT is. Most distros give you a nice GUI interface for configuration -- if you want it.

    Personally, I've never understood the need to drive a VGA monitor for a server OS. All I need is terminal access and vi.

    Seriously, though, there are quite a few floppy-based specialized linux distros (router, firewall, etc.). I haven't come across much more.

    1. Re:There are tons... by Anonymous Coward · · Score: 0

      Personally, I've never understood the need to drive a VGA monitor for a server OS. All I need is terminal access and vi.

      This is what gets most NT admins. They can never figure out how a computer is supposed to work w/o a local monitor.

  2. Try this by Molina+the+Bofh · · Score: 3, Informative

    You can set up whatever distro you want, disable all the servers but the ones you want, and use Mindi-Linux. It uses a skeleton ramdisk and your kernel, modules, and tools to build a boot/root disk set. The first floppy boots your kernel, then loads your modules and installs your tools from additional floppies. Mindi works for almost any Linux kernel or distribution. So you set it up once, and then will be able to make your very own 'Linux -- DNS Server edition' that even your boss will be able to use!

    --

    -
    Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
  3. Freesco by Beowulf_Boy · · Score: 1

    I use Freesco as my home server. It officially runs off a floppy, but you can install it on a hard disk, and add more options to it.
    It runs a 1.8 kernel though, but it's enough to get the Job done.
    DHCP, DNS, HTTP, Router, and many many more.

    1. Re:Freesco by dead_penguin · · Score: 3, Informative

      It runs a 1.8 kernel though, but it's enough to get the Job done

      Are you *sure* about that one? Stable Linux kernel versions were 1.0, 1.2, 2.0, 2.2, 2.4. I don't know what exactly Freesco runs on (never tried it), but since it seems to use masquerading, I'd guess it's probably one of the later 2.0 series.

      --

      It's only software!
    2. Re:Freesco by vertical_98 · · Score: 1

      The latest stable version of Freesco is version 2.7. It is running kernel 2.0.36 (or 38).

      I can say from experience that it is VERY stable. Six months (at least) up time. It is a floppy distro, but it can be installed on a HD, and has a large selection of packages that it can run.

      --
      72 CD D7 52 D0 7E D8 47 44 91 D5 84 D1 59 F1 A9-This is my 128bit integer. There are many like it, but this one is mine.
  4. PHB-Linux? by zcat_NZ · · Score: 3, Informative
    Well, there are firewall-only distros (LRP, etc) but I've not heard of any DNS-only or other single-service distributions.

    I think the problem here is that MS has got a lot of people into the "one service, one server" mentality because under NT different services tend to 'leak' and interact with each other causing problems. And perhaps also because it suits them financially (one more server, one more NT license).

    Linux doesn't work that way. Most of us are quite happy to run dns+http+smtp+imap+sql all on one box and if the load average gets too high we get a faster box. The only real exception to this is firewalls; it's usually a good idea to run a separate firewall box with as little as possible installed on it, and a lot of people use an otherwise-obsolete PC for the job which is why there are one-disk-firewall distros.

    If you really want to install just one service most distributions will happily let you do it, for example with RedHat select a custom install and uncheck all but the "DNS server" option, and you'll get a very minimal GUI install with a DNS server and the tools you need to admin it, and not much else. If you want a really light install you can even select individual packages and remove the GUI too, but then you have to set up stuff in textmode which will make your PHB unhappy again..

    --
    455fe10422ca29c4933f95052b792ab2
    1. Re:PHB-Linux? by dead_penguin · · Score: 2

      I couldn't agree more. Linux seems to do very well for running several different services simultaneously, especially on low-end hardware for low-demand applications.

      I've got an "old" (was it really *that* long ago??) 486 running sendmail + apache + samba + nfs + mysql + imap, and also doing some ip masquerading for the dsl. This is using a Redhat 7.0 install (with all updates, of course!) and some fairly anal ipmasq rules. On my home network here it performs beautifully, and the price certainly is right!

      --

      It's only software!
    2. Re:PHB-Linux? by Molina+the+Bofh · · Score: 1

      Resource-wise, there usually is no problem, as Linux needs very little resources. But if you're thinking of security, then a better approach is really to distribute services.

      In case a service has a nasty buffer overflow (did somebody say WU-ftpd or sendmail ?), and there's only this service running on this machine, then only this service gets compromised.

      Especially when setting up a firewall, the golden rule is: Do not run any services.

      --

      -
      Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
    3. Re:PHB-Linux? by Jack_of_Hearts · · Score: 1

      Your one box that runs dns+http+smtp+imap+sql might be fine in a small business environment, but will never, ever fly on an enterprise level scale. Hell, SQL alone for most enterprise level operations easily chews up a speedy 4 or 8-way box. I really don't think that the one service-one box mentality is due to MS, it's simply the result of large scale IT operations needing more power for each individual task. Also, having all those services on one box makes it a very, very vulnerable point of failure. It doesn't take rocket science to see that it's a VG idea to spread things around...

    4. Re:PHB-Linux? by Anonymous Coward · · Score: 0

      True, but usually you can get away with combining a few things. For example, in most of the places I've worked, the secondary DNS server was usually running either on a way small box (think sun sparc classic) or in combination with something else. Side rant: what is it about e-mail and DNS records that is so F*&%*^%& hard to code servers for?!? I mean, Apache seems to have a waaay more intricate problem space (ok, maybe not if you count things like all the possible ways email could be addressed, but really, how many UUCP sites are still out there), and it has orders of magnitude lower vulnerabilities than Sendmail or wu-ftpd or BIND have... Jeez, I wish there was a good BIND replacement out there, because with mail I can at least use postfix or something.

    5. Re:PHB-Linux? by dlc · · Score: 2
      Jeez, I wish there was a good BIND replacement out there

      Take a look at djbdns, from the guy who wrote qmail. It's very different than BIND, but has the same security guarantee as qmail.

      --
      (darren)
    6. Re:PHB-Linux? by duffbeer703 · · Score: 2

      That doesn't work when you need to be up.

      You separate services to maximize uptime & security. DNS has no business running on a database server. A database has no business running on a webserver.

      What happens if your DNS box goes down? Whoops, everything is on that box!

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    7. Re:PHB-Linux? by matman · · Score: 2

      That's not entirely true given chroot jails and user mode Linux :)

    8. Re:PHB-Linux? by qurob · · Score: 1

      You CAN run SMTP, POP3, HTTPD, DNS etc etc all on one box, but that doesn't mean you should!

      DB server
      Mail server
      DHCP, NAT server
      Firewall
      File Server
      HTTP server

      It's a lot easier on your users when ONE machine is down, instead of all 5 or 10.

      The old consulting company had everything loaded on one box, so when one thing had to be updated, changed, or restarted, it fucked everything else up.

      Now, if the accounting software company shows up in the middle of the day, wanting to install an update, we don't have to knock mail etc offline also.

  5. Sun Cobalt by mclazarus · · Score: 1

    A possibility that you can probably sell the management on is a Sun Cobalt RaQ or Qube server http://www.cobalt.com/. The Cobalt OS is based on RedHat 6.2, and it has a web interface for configuring Mail/DNS/Web sites/File Servers, etc. They are generally well done, I have occasionally run into problems, but you can sell management on the Sun name and support and still basically have a Linux box. Just make sure you grab all the latest patches for it before you make it live, and be wary, they have been slow on the security patches by a few days in the past.

    1. Re:Sun Cobalt by Anonymous Coward · · Score: 0

      Cobalts work really well, though they may not be all that PHB friendly, my old boss was convinced that he would be able to install windows 2000 on one, and still have it work properly...

  6. SuSE by Pierre+Phaneuf · · Score: 1

    SuSE has a few distros built for specific roles (e-mail server and firewall, from memory, but I think there may be others).

    1. Re:SuSE by Trayde · · Score: 1
      Take a look at http://www.suse.com/us/products/index.html.
      • SuSE Linux Enterprise Server
      • SuSE Linux Firewall on CD
      • SuSE Linux eMail Server III
      • SuSE Linux Connectivity Server
      • SuSE Linux Database Server
      Also Redhat has options at the start as to what you want to build (eg. Workstation, Server) and later what services you want installed (eg. DNS, Mail).
  7. Not Just PHB by nathanh · · Score: 2

    It's not just for the PHB. I also like the idea of single-purpose distros. Products like Smoothwall are enticing because you know they'll do one thing and do it well. They are not polluted with the "gotta do 1,000,000 unrelated things!" mentality that plagues other distros.

    Unfortunately it seems the single-purpose distros are almost always commercial. Cobalt produces a very nice www-only distro, with easy-to-use FORMs based configuration, and so on. But you have to buy their Cobalt hardware to get their software. Similarly you can get a nicely packaged caching proxy server built upon Squid from Swelltech, but it only comes bundled with Swelltech's hardware.

    Debian was making some progress towards creating a single distribution that could be "tasked" into a single purpose. It was almost at the point where you could go "apt-get install task-mail-server" followed by "apt-get install harden" and you would have a sufficiently locked down mail server. Sadly it seems this progress has slowed. I daresay the sheer size of Debian makes it difficult to build integrated environments of comparable quality to the Cobalts of the world.

    I honestly look forward to the day when there is a good range of free single-purpose distros. I won't complain if my DNS server doesn't have a C compiler or if my SMTP server can't run X clients. I've already got access to dozens of general-purpose distros that can do 100s of tasks. What I want is a server that doesn't occupy my time to administer: I want to set it and forget it. I'm not getting that level of ease-of-use from the Gotta Do It All distros.

  8. Commercial Distributions by OctaneZ · · Score: 3, Informative

    While your post doesn't say what kind of distribution you are looking for, it may be easier to sell your boss on a commercial solution that sells specialized distributions. does just that, I have never used their products, there are some reviews out there, linux journal has a review of the web server, Linux Mag loved The Web Server, Thick Book has a review of The Firewall (run through google to avoid PDF), as does Linux World.

    Hope this helps you sell a linux solution

  9. Great business opportunity! by Eric+S+Raymond · · Score: 1

    This is a great business opportunity!
    Build your own little homemade distro with a custom kernel, strip it down to the bare minimum drivers for whatever hardware the ibm, compaq, and dell servers have, call it "DNS-OS for Dell PowerEdge 1200", FTP-OS for ... , NFS-OS for ..., WEB-OS for ....
    Your clueless PHB will no longer be frightened and confused by running ftp and http servers on the same machine! (THE SECRET IS CALL IT ANYTHING BUT LINUX BECAUSE THEY ARE SCARED OF SUPPOSEDLY UNSUPPORTED SYSTEMS)
    Also have a mini x window system running a gui for shutting down and configuring the system. (ie instead of gnomestart or kdestart run mydnsconfig or whatever on x startup) no bloat!
    or just use microwindows.
    And of course, use that graphic program that covers up the horrifying kernel boot messages that people are scared of.

    Oh yeah, and if you use my ideas, I have them Patented^TM ;]

    --
    Bypass Compulsory Web Registration -- http://bugmenot.com/
  10. Great idea by UberLame · · Score: 1

    I think it is a great idea. I've thought so for some time because I'm taking the approach 1 server-1 task at my house, and having a different distro for each task could be useful. So far I have a boot server, a router/NAT, and a file server (at the moment this is also a web server and database server, soon I will have dedicated web and database appliances), and a web cache. Soon I intend to get a pair of more recent sparc stations, one for postgres, and one for apache for personal web applications, as well as for contracting development work. With only one application per box, it makes things easier to configure than it is to run everything on one server (plus if you screw up, you only affect one thing rather than everything), but really it could and should be easier still, like by a distro having a selection of several basic configurations that will work for most people. IE, a home router distro that consists of strictly a stripped web server set to work on only one ethernet port and roaring penguin on the other port with preconfigured settings for most of the national (I don't know how much PPPoE is used overseas) cable and DSL providers. So, you turn on the machine, go to the URL for the router, enter your username and password, and what machine (if any) you want to be designated the DMZ, plus an optional section for more complex portforwarding setups.

    I don't know if general release special distros are the way to go for hardware complexity reasons. It might be better to go with custom installs that are sold only with bundled hardware, but that hardware needs to be cheap.

    Also, I'd like to see more attention paid to getting good specialty distros for SBUS based Sparcstations. These machines tend to be very cheap. A Sparc2 makes a great low volume server, and a relatively maxed out configuration will only set you back $75. A maxed out IPX is even less. A midrange Sparc10 (with dual or quad processors) is only going to cost you a little over $100. Don't be fooled by low CPU clocks, most Sparc based Suns can play MP3s (although a lot of the lowend ones also only have 8bit audio). But, old intel stuff is cheap also. What really makes old Suns appropriate for small server tasks is the fact that so much hardware is supported by firmware drivers (Intel people think bios calls, except this isn't super slow like Intel bioses), so hardware configuration consists of plugging in your new card (for SCSI and network cards at least) and having the kernel automatically notice it. That's it. No messy IRQs. No PnP that works badly. No weird addressline problems. Nothing. It just works.

    I think that PCI suns are going to be more problematic here, mainly because Sun specific PCI cards cost a fortune, and if you use PC PCI cards you start running into the same old weird hardware problems (but not as severely at least).

    --
    I'm a loser baby, so why don't you kill me.
  11. hmm duh what does Cobalt run? by linuxislandsucks · · Score: 1

    Ah hmm you want configurable..try what Cobalt runs on all their boxes..

    I believe the name is Chili by Sun of all places..

    Remember A certified MS person is like a Testing Students or Teachers with leading questions..doesn't add to the US GNP or add to our intelligence

    --
    Don't Tread on OpenSource
  12. The mkserv command by beland · · Score: 1

    Athena, MIT's academic computing environment, uses a home-brewed command called "mkserv" to handle this sort of problem. For instance, if I type "mkserv remote", my machine will automatically set itself up so I can log in over the network. Before it does so, it will ask me a series of simple questions, like whether or not I want to require encryption, etc.

    It seems like mainstream GNU/Linux could really use a command like this, the services equivalent of apt-get. This would seem to make much more sense than having a different distribution of the operating system for every service, especially since mkserv allows you to configure multiple services.
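
Whichever route the thread suggests (a stripped install, a single-purpose distro, or an mkserv-style role command), the property the submitter asks for, "all services except BIND are disabled", can be checked after the fact. The following is an added example, not code from the thread or from any project named in it: it compares a host's listening sockets against a per-role allowlist. The role names, the port sets and the sample `ss -H -tuln` output are assumptions constructed for illustration.

```python
import ipaddress

# Assumed role profiles (not from the thread): the only (protocol, port) pairs
# each role may expose to the network. tcp/22 is kept for remote administration.
ROLE_PORTS = {
    "dns": {("tcp", 53), ("udp", 53), ("tcp", 22)},
    "mail": {("tcp", 25), ("tcp", 143), ("tcp", 22)},
    "web": {("tcp", 80), ("tcp", 443), ("tcp", 22)},
}

# Constructed sample in the column layout of `ss -H -tuln`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
udp   UNCONN 0 0      0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0 10     0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 100    127.0.0.1:25      0.0.0.0:*
tcp   LISTEN 0 511    0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0 128    [::]:22           [::]:*
tcp   LISTEN 0 4096   [::1]:953         [::]:*
"""

def parse_listeners(ss_text):
    """Return (proto, address, port) for every tcp/udp socket line."""
    found = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            # Drop IPv6 brackets and any %interface suffix.
            found.append((fields[0], addr.strip("[]").split("%")[0], int(port)))
    return found

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" is the any-address wildcard, so it is exposed
        return False

def audit(role, ss_text):
    """Compare network-reachable listeners with the role's allowlist."""
    allowed = ROLE_PORTS[role]
    seen = parse_listeners(ss_text)
    exposed = {(p, port) for p, a, port in seen if not is_loopback(a)}
    local = {(p, port) for p, a, port in seen if is_loopback(a)} - exposed
    return {
        "unexpected": sorted(exposed - allowed),  # services the role should not run
        "missing": sorted(allowed - exposed),     # expected service is not listening
        "local_only": sorted(local),              # bound to loopback only
    }

if __name__ == "__main__":
    for key, found in audit("dns", SAMPLE_SS).items():
        print(f"{key}: {found}")
```

On a real host the text would come from running `ss -H -tuln` and passing its output to `audit()`.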