Updating Free Software in the Enterprise?

wallykeyster asks: "I'm an IT Director for a small private university in the U.S., and we are largely a Microsoft shop. We pay over $15,000 each year for our Campus Agreement so that we can upgrade the desktop OS to our version of choice, run Office, and have some Client Access Licenses. I would like to move to FOSS solutions, but I'm having trouble finding support for Enterprise management. For example, OpenOffice and Firefox (both of which I use personally) would be easy first steps, but IE is updated automatically via our SUS server (and settings pushed to clients via group policies) and Office updates will be included soon. How are other larger organizations (i.e. more than 200 desktops) dealing with software deployment and updates? Is anyone using Zen with Novell Desktop Linux?"

Easy...

[ivan256]

Run a local Debian package repository, only put updates you want in it, point your system's sources.list at the local repository, and add the following to the crontab for every system you deploy:

0 3 * * * /usr/bin/apt-get update; /usr/bin/apt-get upgrade -yq

Re:Easy...

[bill_mcgonigle]

Exactly, or chkconfig --levels 345 yum on if that's your distro's bent.

You handle user settings with networked home directories and dot-files, which you can script modifications to if you so desire.

Re:Easy...

0 3 * * * /usr/bin/apt-get update; /usr/bin/apt-get upgrade -yq

You might want to add a day of the week. Do you really want to have hundreds of computers hitting the servers every night? Do you even need to do it that frequently? I'd mix it up a bit.

Re:Easy...

[pdbogen]

Yeah, this is pretty much the Proper Debian Way for handling this. I think there's actually a sub-package to do this more specifically, but all in all this is a good solution.

Re:Easy...

[LiquidCoooled]

I believe his intention is to keep with Windows as the OS.
He does mention starting with the easy ones.

How do you perform a Windows based rollout, and make sure your settings are updated.

Is there possibly a portion of the group policy which would run an msi/executable update?

Re:Easy...

[El+Cubano]

Run a local Debian package repository, only put updates you want in it, point your system's sources.list at the local repository, and add the following to the crontab for every system you deploy:

That's good for professor and permanent student workstations. But for lab machines, what you want is systemimager. I used to admin a lab as an undergrad and it was great. I had two "golden clients" from which came the two images I used. Then if a machine got messed up or if I did an update of some kind, I just told all the machines to reboot and grab their new omages from the server. It also supports letting you specify certain parts of the directory to not send and/or receive. All in all, a very powerful piece of software.

Re:Easy...

[RangerRick98]

You may be thinking of cron-apt. I use it on my system at home, and it does a pretty good job.

Re:Easy...

[DaGoodBoy]

No No NO! Just say 'no' to imaging... Debian supports preseeded configured values to be passed to a blank system during its install and a very easy method to run a script before and after the second stage installer. Do yourself a favor and actually track the tweaks you perform on a client when you build a system. Document them and put them in the install scripts. Then you can rely on the hardware detection method built into the Debian installer to allow you a diverse hardware ecology, consistent packages and a sliding target going forward as the repository ages.

Just my $0.02 from a fellow sysadmin who has left imaging and never looked back!

DaGoodBoy

Re:Easy...

[swv3752]

Couple of ways to handle this:

Thin Clients. Search Newsforge for how Largo, FL setup a the whole town's IT on Linux thin clients.

Lock down. edit permissions and or wipe the home directory on logout and rebuild from /etc/skel directory. Set apt/urpmi/yum/red carpet as a cron job to update the computer.

Build a Knoppix disk. but more of pain to make it so that say remote printers work, but on modern machines that only need limited functionality like saw web and a Office Suite, Knoppix will run acceptabley. As a bonus, you no longer need Hard Drives and users can not cause permament* software problems.

*Permament inso far as needing to format the drive.

PXE Boot/ network boot, and download an image. there are a number of utils available for Linux that can build ghost images. A little creative work in scripting with tar can do the same thing.

I consider the PXE option to be the least graceful. It is wasteful on bandwith and would seem to have the highest risk of failure.

Re:Easy...

[wallykeyster]

Exactly. I am running Ubuntu on a machine on my desk, but moving the entire campus to a Debian distro doesn't seem feasible right now. We have programming classes that use Visutal Studio, psychology classes that use SPSS, and other similar issues. Our student information system uses a Windows client provided by the vendor (we've made it limp along under wine but it is not stable). Our Web site runs on a CMS that requires IE for the management side.

I'm looking for help doing this in smaller steps without losing enterprise-level management I have with SUS, group policies, etc.

Re:Easy...

[Tim+C]

Is there possibly a portion of the group policy which would run an msi/executable update?

I'd imagine that you can set a script/batch file to run at logon, and just put whatever you need in that.

(That is, I *know* you can specify a logon batch script, just not whether or not that can be enforced or pushed out via group policy)

Re:Easy...

[wallykeyster]

You certainly can, but forcing the "click-through and select the appropriate options" install of Firefox 1.0.4 would be a step backwards for us because updates to Windows, IE, or Office are transparent to our end users. With a tiny help desk, we cannot afford to put more work back on poor Nathan.

Re:Easy...

[LiquidCoooled]

at the college where I started, stubborn programs were forced through by installing software on a clean machine and creating a diff image from it.

This diff was fed into an msi packager and pushed out in the overnight update (win 2000 boxes).

it seemed to work well enough.

i'll dig out some specifics if required later once I have both arms back (3yr old demanding beebies).

Re:Easy...

[ThePiMan2003]

I would sugesst using this then:

http://forums.mozillazine.org/viewtopic.php?t=1380 33

Its a MSI package for firefox and is able to do silent installs and upgrades (you can even deploy it via AD).

Re:Easy...

[Ciderx]

I think you are looking at it the wrong way round. Use deploying Firefox to give people a choice and also give yourselves in the IT Department a choice.

For example if you deploy an MSI for Firefox (www.frontmotion.com is a great package), lock down and configure as needed (http://sourceforge.net/projects/firefoxadm - disclaimer: that's my project!), and you give both your customers (ie. academic staff and students) a choice of browser and yourselves a back-up plan if you suddenly need to lock down one of the browsers in case of security issues, etc.

Re:Easy...

[iabervon]

So you're looking for a solution for automatically updating non-Microsoft software on Windows? I wouldn't be too surprised if it was impossible, and you're unlikely to get much good advise from Slashdot on the subject.

Except, perhaps, if you have a sufficiently fast network, you could possibly have everyone run the software in question off of a central fileserver, which you could then update easily by hand. Having just upgraded my Linux Firefox using tar accidentally ("I'll just untar this, then change my symlinks to point to the new version, then restart Firefox. Oops, all of the different versions have the same directory names in their tarballs. Hmm, Firefox crashes if you overwrite all its files. Oh well, the new version starts up fine..."), it seems like it's not necessary to run programs to upgrade if you can change what people run directly.

Re:Easy...

[spencerogden]

As a side note, there is a version of SPSS that runs on unix, in fact I've never used it on windows.

Re:Easy...

[GIL_Dude]

So... What are you doing to keep Office patched? Whatever you are doing there is what you would do to keep OpenOffice or Firefox patched (well, updated anyway since you can't actually patch firefox, you just have to install new one).

Larger organizations use something like SMS or Tivolli or something to send out patches for Office, etc. Yes, you'll be able to patch MS Office using WSUS (the SUS 2.0) that will ship in a month or so (it's in RC now). However, that really doesn't give you a full flegded patching solution either as it leaves out anything else you want to patch (your student information system, etc.). So look into a distribution system like an SMS, Tivolli, Altiris, etc. - you need one.

Re:Easy...

[swv3752]

Novell Zen for Windows software updating, but any Admin of a large windows network should be aware of such solutions.

Re:Easy...

Why not? Sounds like the grandparent was netbooting his images which is reasonable (like an invisible live CD). If you're not running thin clients, sure your solution is fine, but if you are, you can combine documenting your tweaks with creating system images for the best effect.

Re:Easy...

[Nailer]

Or Mandrake package repository, or yum server, or a dir full or packages (which up2date can use) or so on. I've done that before, and it works pretty well.

Problem is, the logic about what's going to be installed happens on the clients (fine, you'll have a meta package opn the server descriving client config). And if a change pisses you off, you've got to have a rollback method (okay, you'll code that yourself). A profiling (you'll do that yourself too). And a auto deployment system to create custom kickstart files so you can deploy new machines quickly (yeah, this is starting to look like serious work).

Management Satellite is a centralized web based config and deployment system. Add a few hundred machines to a group, work with a set of groups (ANDed and ORed and so on), create a config profile (perhaps from an existing machine), then change what's in that package/config profile and watch from the web based GUI as the couple of hundred machines make the change happen (using the Jabber protocol). Revert the change.

Boot a clean machine from the network and watch as the distro, all third party software, your custom configuration, and attaching to the Management Satellite server for future config/package changes happen for you. See a new machine on the server added to the group, with it's IBM or Dell or HP asset tag and a bunch of hardware info included so you can use it for asset tracking (there's room for arbitrary notes about each box).

Works with Red Hat Enterprise Linux and Solaris clients.

http://www.redhat.com/software/rhn/provisioning/

Re:Easy...

[shokk]

Rolling out Mozilla 1.7.8 to a few hundred Windows clients tonight. We're using Symantec CCM (actually still labeled ON Technology CCM) for doing package rollouts. The thing basically scripts the whole install process and blasts the installs out to all the target clients. Very cool.

Re:Easy...

[smartfart]

This is enteprise, right? I'd set up my own apt repository, and point the flock of boxen at that. Otherwise, you're killing your bandwidth, etc.. Plus, you'd have control over exactly what patches are being rolled out.

Re:Easy...

[Lodragandraoidh]

Then you can rely on the hardware detection method built into the Debian installer to allow you a diverse hardware ecology...

This is a key point for some applications - particularly in the nonprofit arena, but also in corporate entities.

For example, we have various machines that are hand-me-downs from our 'production' customer systems as time passes and we do upgrades for new capabilities. Instead of trashing these systems, we put them to use to bolster our support infrastructure. Imaging all of these systems is not useful in that context.

Re:Easy...

[ferlatte]

The nice thing about imaging is that you can easily "reset" machines back to baseline. Speaking as someone who using imaging to manage about 800 machines, it's not very hard to make an image that runs on a wide variety of hardware.

Re:Easy...

[sharkey]

Is there possibly a portion of the group policy which would run an msi/executable update?

Yes. It's the "Software Settings" section under both Computer and User in Group Policy. It requires (AFAIK) an actual MSI, not one packed into a "setup.exe". It allows publication to Add/Remove Programs by user, and assignment for users or computers. You can also set upgrades there, as well as transforms.

Check these guys out as well. Their Firefox MSI works fine through GPO.

Re:Easy...

[orin]

Any MSI package can be deployed either to users or computers via Active Directory. There would be a bit of mucking about involved in creating new MSI packages for each update to software - but this is easier than manually patching a significant number of machines. I'm surprised that very few open source projects aiming to dominate the Windows desktop release their binaries in .msi format as this would simplify their distribution in AD environments.

Re:Easy...

[ehvoy]

firefox now supports silent installs:

firefox setup 1.0.4.exe -ms -cleanOnUpgrade

it will silently install or upgrade currently installed versions. The only drawback I think is it will not automatically configure profiles.

Just create a "computer" (not user) policy, add a "startup" script, and add a batch file that copies the firefox setup executable somewhere on the user's local drive, runs it with switches, then deletes the setup executable. Very easy, and a compelling reason to switch to firefox in windows-only shops.

Re:Easy...

[luvirini]

indeed, I would randowmly generate the update time and weekday for each machine to balance the load. Well atleast the time of day.. as with that they would all hit the server at exactly same time.

Re:Easy...

[StyXman]

I've been in this position, but is not always that simple. Unluckly, I'm not in that job anymore, and in that time I didn't have the need to, but to update a local repository is not that simple.

See, most enterprises that embrace Debian as its base distribution, ends up tweaking the packages here and there, specially with deployment in mind (this means, each new computer needs to be configured only the minimum, being it automatically or by hand).

The problem arises when you need to update this packages. You can maintain a set of patches, but it seems to get trickier with each new package version. Again, I didn't have the oportunity to test all this theory. So I would twist a little more this question: has anyone been in this position? what did you do? how well it went, in all these days/months/years?

Re:Easy...

[Shawarma]

By "preseeded configured values" do you mean you can put stuff into the debconf database and skip the questions?
Do you have a reference to a HOWTO describing that? And also some documentation on how to run a script between the first and second stage installer?
This all sounds very interesting..

Re:Easy...

[richlv]

crap. don't know why it's so hard to find with google/freshmeat (and sf search does not work right now) - but maybe you should check out
http://wpkg.sourceforge.net/

Re:Easy...

[Daengbo]

I was seriously going to suggest this option, because OO.o runs very well from a server. combine this with a login script to update the local installation (a couple of MBs), and you're probably good. I don't know about FF's ability to run from the network and save user settings locally, though.

Re:Easy...

[Shulai]

Besides the installer, FF is provided as a zip file, and you can uncompress it anywere. So it should work too.

rpm upgrade

[unk1911]

just use an RPM upgrade utility and crontab...?

Re:rpm upgrade

[pegr]

Guys, he said he was an IT Director. Please don't go confusing him with crontab this or apt-get that...

At least tell him to find his favorite geek to explain it to him...

Re:rpm upgrade

[unk1911]

oh wait debian doesn't have rpm's. nevermind. just use whatever the debian equivalent of an rpm is

Re:rpm upgrade

[wallykeyster]

Believe it or not, some IT management rises from within, some have undergrad degrees in Comp Sci, and some run FreeBSD, OS 10.3, Windows 2000, and Windows XP on boxes at home.

Re:rpm upgrade

[The+Spoonman]

Believe it or not, there are a lot of techs and admins that fit that description, too....but I wouldn't let them administer my calculator, let alone a corporate network.

Re:rpm upgrade

Look at me! I can run the installer on a few boxes at home! Sigh.

Re:rpm upgrade

I bet he couldn't even get his Airport card to work on his "OS 10.3" box.

Re:rpm upgrade

[oliphaunt]

Yeah, but do you have pointy hair? Well, do you?

/just kidding...

Re:rpm upgrade

[Jsutton1027w]

that would be a deb. And, apt-get works wonderfully on debian for updating packages.

Re:rpm upgrade

[pegr]

Sorry, I was poking fun at IT management in general, not you in particular. Please forgive my snickering that your response now sits at +4 funny.

Actually, I think the best IT management comes from those with a solid understanding of the business processes they are there to support. IT knowledge in general is secondary.

Often, IT forgets that they are the means, not the end. Unless you sell software, of course...

Re:rpm upgrade

[wallykeyster]

Apology accepted. I come from within but still preach that we are but a means to an end.

Re:rpm upgrade

I've seen your lame site. Wouldn't be putting down anybody's talent level you pathetic whiney bitch.

Give up already!

They cancelled the show people. Enterprise is not getting an update. Let's stop kicking the dead horse already!

Re:Give up already!

[rob_squared]

I'm guessing you didn't hear about the parity error the transporters kept reporting. The men were pleased when they got double their package, though.

small colleges

[guildsolutions]

Unfortunatly I work for a small college in Maryland, our updates are all still done manually by hand. We still use norton ghost to do all of our mass deployments. Moving forward to something like this, that would ease my own burdon would definitly be a step in the right direction, however we have neither the budget or willingness to pay for such services. We make do with what we have, it works for us to this point, but things definitly could be better.

We have aproximatly 550 PC's on two completely differnt networks (facualty and students)

Re:small colleges

wow that is insanely inefficient, even at my school with 250-500 computers they make better use of their time than that.

Re:small colleges

[team99parody]

however we have neither the budget or willingness to pay for such services. We make do with what we have, it works for us to this point, but things definitly could be better.

Do you have classes (in either IT, CS, MIS, or similar) that claim to teach real-world skills? If so, a project to automate such an effort would be a wonderful class project for you guys to undertake.

Even if the class isn't about IT, this project can be used as a case study - for example, a class about software methodologies and software lifecycle mangement - or even a business class evaluating build-vs-buy tradeffs.

Re:small colleges

You obviously have a big budget, if you can spend thousands on Microsoft every year, so just pay someone to do the updates...

If your budget shrinks some day, you can start automating then :)

Re:small colleges

[EvilMonkeySlayer]

By hand?

I'm the IT Manager (nice job title for the only computer guy at the company) at a small print company (less than 50 PC's) and I simply use SUS on an old (OLD server 200MHz Pentium 1 MMX machine) to select updates that I think are needed and apply them to the windows machines.

SUS is a free download from Microsoft. The downside to it at the moment is that it's Windows 2000/XP/2003 only at the moment. I hear MS is adding the ability to apply Office updates through it too in v2.

Re:small colleges

[Eclipse5302]

You forgot the /sarcasm tags.

Or those are real spelling errors...in which case you should start attending some of the classes your college offers.

Re:small colleges

[malraid]

Your IT director is an idiot. How much does it cost to do updates by hand? Ask him to quantify it. Ask him to quantify ZEN Works. I was able to get a high school I used to work for to buy it. The support guys couldn't be happier when patches were done with a couple of clicks in ConsoleOne and boom...the whole directory is updated on next reboot. Mass deployments? Use multicast. Aplications assigned to users that are installed automatically on the workstation when the user logs in? Check . The cost was about one month of my salary. But then I understand you, they changed the IT Director and put an ass kisser that stopped us from using ZEN Works (and backup exec, so backups were done with "copy /s", and saddly I'm not kidding) so it all went down the drain. ZEN Works is worth it, believe me.

Re:small colleges

Determine the idiot that has you doing this by hand. Buy a copy of "The System and Practice of System Administration" (Limoncelli and Hogan ?)

Bookmark the chapter on why doing mass rollouts by had is stupid.

Leave the bookmarked book on said idiots desk.

You may want to buy a copy for yourself.

Re:small colleges

[superpulpsicle]

Shouldn't be so hard on the IT director. At least he/she is willing to change. There are some decision makers locked into M$ FOR LIFE.

rsync and ssh

nuff said..

And if you need GUI stuff..
add perl or pygtk for GUI admin (both of which work well even on Windows for this type of stuff)..
Java or .NET is an option, but I think overkill for this type of stuff.

mod_perl/mod_python and/or PHP for web admin.

Updating Free Software in the Enterprise?

[Kufat]

It's GNU/LCARS, dammit!

Re:Updating Free Software in the Enterprise?

[tverbeek]

It's GNU/LCARS, dammit!

{sigh} LCARS was the interface, which (as all seasoned techs know) replaced KNOME but still ran on top of X11. The underlying OS, of course, was GNU, and at the time of NX-01's launch, used the HURD 1.0 as its kernel.

Except in Engineering, of course, where the systems ran OS/2 Warp 5. (Y'all heard Trip mention that from time to time, right?)

Re:Updating Free Software in the Enterprise?

[wild_berry]

I don't believe HURD will be ready by then. It's a fairly tight time schedule you've set up.

We use Altiris

[nycsmart1]

Very easy. Create Rapid install package and deploy. We updated firefox to 1.0.4 the other day to 80 clients in a matter of minutes.

Re:We use Altiris

[wallykeyster]

I've heard of this but never used it. Does it create a file that requires no user intervention or must the end user still click through stuff?

Re:We use Altiris

[nycsmart1]

Alteris is a rather large and complicated client management suite (windows centric, thought there is some linux, unix & mac support). As for package creation, with the tools provided you can create a silent installation package by creating a baseline, installing the software, then track changes after the install to create the package .The it can be pushed to the client.

Is anyone repackaging FOSS for distribution?

[ddkilzer]

Is any repackaging FOSS for distribution through "standard" tools on Windows? That's the conclusion I've come to in order to support distribution of updates.

Re:Is anyone repackaging FOSS for distribution?

[Alioth]

We have some FOSS tools for Windows being packaged and pushed out through SMS/Active Directory etc. (I'm not in charge of that bit, so I'm only peripherally aware on what goes on). Generally, anything with an MSI is easy to package (for example, ActiveState Perl). We also use OpenSSH and Putty etc. which the IS department have packaged.

It's Just Another Package as far as all that stuff is concerned.

Re:Is anyone repackaging FOSS for distribution?

[quantum+bit]

I repackage Firefox into an msi for group policy deployment. I used to use Winstall LE that came with Win2k server, but eventually I learned enough about how msi works to be dissatisfied with that (it often gets lots of unrelated registry changes since so much background crap always happens in windows). Now I just build them by hand.

MakeMSI is a good tool for rolling your own, though it's best if you have some knowledge of how the tables work. Often I'll use Orca to tweak/double check things.

Firefox was a bit of a pain to package the first time because of all the subdirs, but it's really light on the registry keys and for updates it's mostly a matter of just dropping in the new files.

Re:Is anyone repackaging FOSS for distribution?

[quantum+bit]

Oh, I almost forgot to mention, I also repackaged GIMP (I did GTK separately as a merge module but so far nothing else uses it), TightVNC, VLC, and PDFCreator.

PDFCreator was the worst of the bunch since I'm morally opposed to just wrapping installers and want a real MSI. I ended up having to write a custom DLL to install the printer driver as the MSI format doesn't include any provisions for that.

Re:Is anyone repackaging FOSS for distribution?

[ugo]

Check this out, it looks like a really good solution.

http://msi-repository.sourceforge.net/

Re:Is anyone repackaging FOSS for distribution?

This may be useful for building custom install packages, then running them through domain login scripts,

Nullsoft Scriptable Install System
http://nsis.sourceforge.net/

Re:Is anyone repackaging FOSS for distribution?

[mr_tap]

The standard package format on Windows is a windows installer (MSI) package. This is used by Office 2000/XP/2003 etc. Think of it as functionally equivalent to an RPM.

The windows installer package can be deployed with the built-in software installation via group policy (aka intellimirror) or the more feature rich (and expensive) options like SMS, ZenWorks, Altiris etc

Increasingly more FOSS projects are distributing the installations for Windows as windows installer packages - for example Apache

For FOSS projects that use legacy installers, the installation can be repackaged into windows installer format using a variety of tools.

[Blatant self promotion]Building windows installer packages is one of my companies core skills, we actually have our Firefox and Thunderbird packages available for free download[/Blatant self promotion]

$15,000 a year...

[duh_lime]

would pay for a lot of students to do the work by hand.. And they'd learn something.

OK.. there are better ways, but at least the money is not going to the Evil Empire.

Re:$15,000 a year...

[capt.Hij]

I actually tried this *once*. It seemed like a great idea on paper. I would train people to do something useful, and they could go to potential employers and pretend to have some sort of useful experience.

It was awful, and I will never do it again. I ended up spending all my time fixing stupid mistakes, and it was more work than just doing it myself. Especially since the ultiumate solution was to convert to linux, and set up a server to dish out rpm's and schedule updates via crontabs.

Re:$15,000 a year...

[fembots]

...unless these students get paid and buy a XBox 360 straight away.

Re:$15,000 a year...

Mod the parent up. I'm amazed that universities spend a lot of money on software to prevent their students from learning stuff.

IMHO every university would be better off making class projects to build rather than buy infrastructure. Having such projects is useful in zillions of areas outside of CS - the Business guys can use it as a practical case for analyzing build-vs-buy efforts; the CS guys can study the theory of whatever is being done; the MIS/IT guys can get practical hand-on experience... and as people graduate they can create spinnoff companies that turn into large donations back to the universities.

Re:$15,000 a year...

[tekiegreg]

Not really, assuming: 1) You're paying students $8/hour 2) You work students 15 hours/week (they gotta study sometime) = $6240 I can do 2 students with room left over for a trained chimp (we'll assume $2,500 worth of bannanas and computer repair bill from feces thrown at computer). With 2 students you could probably upkeep a small university ok (say 150 computers per student) after that I'd put the students to work finding an automated solution.

Re:$15,000 a year...

Let's say you pay each student $9/hour, which is less than I was making 10 years ago to do a less technical job on campus, but never mind. Let's say each student works just 10 hours per week, just 8 months each year.

That's $3096 per student per year, BEFORE any additional costs like workers insurance, workstation capital costs, and other overhead. Even without those costs, you could only afford four students, which is hardly "a lot."

Or did you have something else in mind? You could add more students for less time, say, one quarter/semester each, but that kind of turnover is probably not going to get you a great IT solution.

Re:$15,000 a year...

[dpilot]

Actually, assuming the $15000/yr maintenance system works for >200 desktops, it seems quite a reasonable cost, to me.

Re:$15,000 a year...

[wallykeyster]

I'm sure that sounds wonderful from the blissful world outside of a small private university, but it simply doesn't work that well. Even if you get the administration and faculty on board (a big if), good luck finding students who want to do it or can do it. The more time I spend in higher education, the more I worry about getting old (someone from this generation will be caring for me?!).

Re:$15,000 a year...

[SamHill]

When I started my latest academic sysadmin job, we were talking about hiring a couple of students, as that's what they'd always done in the past. I kept putting it off because the systems were so screwed up that I had to spend a huge amount of time trying to figure out what kind of crack people had been smoking when they set them up and didn't have the time or energy to train anyone.

In the end, we bought a brand-new server (we needed the disk space, anyway) that I set up from scratch. I migrated the data and built a bunch of tools to keep everything up to date, then moved on to automate handling the workstations. I never did get around to hiring anyone else, and the only time I remotely regret that is when I'm taking vacation.

Hiring students to do things is a cool idea in theory. You get some extra help and some backup, and they get some experience that they can take to their jobs. Unfortunately, their lack of experience, professionalism, and often just general understanding of how things work mean that important things get broken or never get finished because they lack the knowledge or the time to do the work.

It gets really fun when you have a couple of people who think they know what they're doing making changes without telling anyone else.

These days anyone can set up a Linux box themselves if they want to learn about the OS and how all the pieces work, and I'm happy to help out where I can. But having students work on ``mission-critical infrastructure'', such as the departmental web server or faculty workstations, just isn't worth it.

Re:$15,000 a year...

[CAIMLAS]

No, no, no, definitively NO! This is NOT funny. This is insightful. What the hell do you think institutional education is there for, anyway? It's not to shovel money into a gaping corporate mouth; it's to teach students (IE, the future leaders of society) how to think.

Computers are just a tool. They help people get work done more quickly in all manners and fashions. They are also a wonderful tool for teaching - both specifics and general concepts. One of the excellent skills which will be gained by giving students the task of installing/updating/upgrading machines - and not just CS/IT students, though I'm sure many of them could use the hands-on experience as well - is that it will help them conceptually visualize abstract structures. This is basic common sense. If people can recognize abstract structures and work within these confines, they can then apply this information applicably in the rest of their life. They'll learn how to be more organized and more systematic in their every-day approach, potentially making them better citizens and employees in their future lives.

This is very, very good advice, not "funny".

Now, granted, this would probably end up with many lab systems unfunctional for a good period of time, but that might just get them to work more diligently on getting the systems up and running. :)

Re:$15,000 a year...

[tverbeek]

I was hired a year ago to take over job responsibilities that used to be taken care of by student employees (on the principle that if you throw cheap enough labor at something it'll get done cost-effectively).

Oy.

Not pretty.

Now, as the responsible professional, I supervise a bunch of similar student employees, which is nearly a full-time job in itself. I ask them to do something, and they do something vaguely similar to what I asked, but not really. And they do it slightly different on each machine they do it to. Checking and fixing their work is still less work for me than doing it all myself... but not by a wide margin.

Re:$15,000 a year...

[Master+of+Transhuman]

The trained chimp will act as the ITS Director, correct?

Re:$15,000 a year...

[luckystuff]

This is crap. Installing/patching/upgrading stupid boxes is not a skill, and doesn't help people learn how to think abstractly--it's a simple procedural task, steps 1,2,3..n. No abstract thinking going on, simply read and click. Think car analogy, fixing cars is so helpful for abstract thinking that everybody is doing it. This is not to say that understanding, diagnosing problems, and fixing them doesn't require thinking, only that patching/installing in it's simplified form doesn't cut it for higher ed. Not after such processes have been industrialized with tools like SUS. People use SUS so they can think about harder problems that have yet to be completed efficiently by silicon chipsets. Think security policy, user training, platform management (which is what he's doing)--he could only ask this question because he's not helping 1000 students figure out how to install a patch. This whole question is going to expose problems /.ers have of relating back to real world problems and not getting stuck in cool techy solutions. First mantra: understand the client. Second mantra: understand their IT.

Re:$15,000 a year...

It's not to shovel money into a gaping corporate mouth; it's to teach students (IE, the future leaders of society) how to think.

And I'm thinking that $15k a year is money well spent -- sure you could pay for one full time student at $7.50 an hour to run around and fix the linux workstations but would that be worth it? How many support calls do you want to get that go "It works in MS Office but not in this Open Office"?

Believe it or not companies and schools have better things to do than to run around implementing the latest FOSS stuff out there.

Stand *nix tools

[rminsk]

rsync, rdist, and yum. Well yum is not to standard.

Re:Stand *nix tools

Or Mandrake and urpm. (Man-Driva now, I guess) When I used Mandrake, the pay options for auto update and all that were great and there were free urpm servers that worked well too (for DeCSS and the whatnot). Haven't tried it since the name change.

Re:Stand *nix tools

[Hackeron]

Why rdist? -- Looking at the features, rsync can fully replace rdist with the added benefit of supporting partial file transfers.

Re:Stand *nix tools

[wild_berry]

GNU/yum. As used by lions and leopards throughout Africa.

Network.

[jellomizer]

What I did for other schools was having /usr/local mounted on a file server with all the Linux applications installed so we just installed it once and they were all uptodate. But that may not work for all casses. Companies such as IBM have tools that can help keep Linux systems uptodate as well as Windows systems. Like IBM Director. Or you can find an OSS project and see if you can get a contact with a smaller consulting firm to help keep your OSS up to date and well managed.

Re:Network.

[starfishsystems]

This is a traditional approach which I've seen done successfully at a number of sites. Often, the remote filesystem contains the definitive software installation, while some alternate, possibly coarser, mechanism is used to maintain the installation locally.

It scales better if you (a) automount the remote filesystems, and (b) use in conjunction with cachefs.

If you notice performance problems, you may elect to deploy a set of workgroup servers, or you may find it worth the effort to switch to something like cfengine and install everything locally.

Re:Network.

[jkitchen]

but then you have problems if someone breaks into the 'master' system. Patch one system, patch all systems.

do what we do

run all your applications off of an NFS server..
that way, you only upgrade one copy on the server.

-Dirtbag

Re:do what we do

[fitten]

Doesn't always work when applications have dependencies that aren't a part of the standard distro.

Re:do what we do

I think he meant to nfs mount /usr. Problem solved (excepting things in /bin, /sbin and /lib).

Re:do what we do

[narsiman]

Or stick with what microsoft provides you. Use Microsoft's DFS technology. Map a DFS drive on all your desktops to say something like

C:\Program Files\Server Apps\latest\OO or
C:\Program Files\Server Apps\latest\Mozilla

and map the shortcut to the relevant location.

DFS does things similar to NFS but as usual you need to be an all M$ shop which you already are.

Re:do what we do

[fitten]

Heh heh... :)

At $15,000 a year......

[ARRRLovin]

......You're getting off EXTREMELY cheap. If you switch to a different OS, or OSS, you'll easily spend more than that (many times more) in hiring people to support the new infrastructure.

Re:At $15,000 a year......

[tisme]

I completely agree. Imagine the stress of changing and the downtime (something always goes wrong). My campus switched from Microsoft Windows/Office to Linux/OpenOffice in one faculty and the computers were down for over a week. After the change a massive education process had to be started. While everything is working now.. the transition was not easy and people are still having to adjust.

Re:At $15,000 a year......

ummm, don't you think someone is already being paid to do all the various labor-intensive things about running labs?

Re:At $15,000 a year......

[lawpoop]

On the other hand, you could hire a local linux company to create a distro that client computers would load on boot. Add a support contract with occational updates to your distro. If you have problems with a client machine, simply reboot it and it will re-image itself.

This could be cheaper than $15,000.

Re:At $15,000 a year......

[jorisumu]

I didn't know Bill Gates posted on slashdot, but thanks dear Billy for your biased opinion... and BTW, you won't get poorer letting this guys go...

Re:At $15,000 a year......

[Overzeetop]

They are, but just imagine the spike in help desk calls for the client side support. And the amount of labor to switch just the word templates over to OO.

(I've done it for a small office, and it wan't pretty. None of the corporate standards switched, so everytime wo opened an old document, the formatting was toast. Trivial, though annoying, for you and me, but "the world is coming to an end"-level crisis for older, entrenched, barely-computer-literate secrateries. And, no, you can't just fire them all - they're the ones who can walk into an office, listen to a minute and a half of drivel from a $150/hr principal, then turn it into a formatted letter saying exactly the right thing and ready for signature.

Re:At $15,000 a year......

[Kallahar]

Except that the 15k goes to MS, they still need to have administrators on hand to install the updates. It's not like MS sends out a guy to perform the upgrades.

Re:At $15,000 a year......

[ARRRLovin]

I didn't know Bill Gates posted on slashdot, but thanks dear Billy for your biased opinion... and BTW, you won't get poorer letting this guys go...

It would be at least a few years and many hours of downtime before they would see any of that money recouped. As someone who has sat down and done an actual cost analysis, I can tell you, it's not cheap to switch to something that's "free" (beer).

Re:At $15,000 a year......

[Creepy+Crawler]

---I completely agree. Imagine the stress of changing and the downtime (something always goes wrong). My campus switched from Microsoft Windows/Office to Linux/OpenOffice in one faculty and the computers were down for over a week. After the change a massive education process had to be started. While everything is working now.. the transition was not easy and people are still having to adjust.

How in the hell could that happen? If you change slow, and with those users who WANT the change, it could go smooth.

You start out with a testbed, say a base of Debian or Red Hat. Then you add the init scripts (not /etc/init.d but local fileserver configs and setup as needed for locale) to set up the particulars. You then go to the users who want Linux or FreeBSD (or windows users whose machines are bogged down with crapware) and get a few pilot users started.

Once you have them up and running, then you can get the people who 'see how much better they run' and then want the "Upgrade". Yu can iron down the bugs with more users and more picky configs like 'Ive done that all the time and I want it done like that NOW'.

Then near the end of the user adoption, you force the stalwarts to succumb. There will ALWAYS be stalwarts, but prepare for some give because that person will bring in a Windows laptop. Just provide a publically accessable Windows=>Linux tools to help with migration and communication.

Its really NOT that difficult.

Re:At $15,000 a year......

[jilles]

Agreed, for that kind of money you basically already have the best solution. Assuming your goal is to cut on the 15000 dollars and not push some idealist OSS agenda, you are not going to make any substantial cuts this way. Plus, your 'clients' (the students & staff) will probably complain loudly if you take away the software packages they are used to. At 15000$ the cost argument is ridiculous so you'll have a real hard time explaining why they have to use open office instead of ms office. Unless you remove IE from the system (which boils down to replacing the OS), people are going to click that blue IE icon.

What you'll end up with is a complicated mix of operating systems, offices suits and browsers that you will need to support. You will increase cost rather than cut cost. Forget about eliminating MS from your systems, you'll end up doing all the work you do now + the additional work for maintaining your home built linux enterprise management kit (I'm assuming you are not interested in commercial linux support with per seat licensing).

Re:At $15,000 a year......

"...the transition was not easy and people are still having to adjust..."

Well, when you do adjust, your long-term benifits will be realized. If you keep thinking short-term, you'll never go anywhere but staying technically challenged, dependant and wallet-drained.

Re:At $15,000 a year......

it took me roughly 1 hour to get a SUS server up a running in a QA lab with ~300 clients and other than checking it every few weeks to make sure it is still running ok (which is not something that HAS to be done) it just does its thing without me needing to do anything. With 2000/XP clients a SUS server is all you need.

Also the new version of SUS that is currently in beta adds a lot more power to administrators with update groups.

I also think that $15k a year is a really good deal. Obviously it depends on the number of clients/servers but if he is talking like 300+ then £15k is cheap. The training and development costs to migrate to Linux would be many times that much.

If I was this person I would look into setting up a small network of Linux systems (30 or so) and get everything working then if they still want to move to FOSS they have a better idea of what to do and how to do it.

Re:At $15,000 a year......

[madstork2000]

Dumb ass moderators.... Yes you may spend more, but the $15,000 figure quoted is only for software licensing. We don't know what the budget for special projects and staff currently is set at.

Migrating may cost some money upfront but the software would be free, and will continu to be free. Chances are there is a budget for major projects, upgrades etc.

Also it is wel know that Linux/Unix systems are much cheaper per server/per machine to administer. One study I believe quoted aprox 1 admin to 30 machines for Windows while 1 admin for 200+ Unix/Linux srvers. Obviously, there are a myriad of factors to consider.

Anyway, the point is this original comment most certainly is not insightful, it is misleading at best and malicious flaim bait IMHO at worst.

-MS2K

Re:At $15,000 a year......

Keep doing what you're doing. Add an upgrade to WSUS and Office 2003 and you get automated installation of all patches for IE, OS and Office on the desktop. Additionally you get reporting on the progress of patching throughout the Enterprise. At the price you're paying it makes the most sense. Now if you're really paying $150,000 you should do something different.

Re:At $15,000 a year......

[killjoe]

Wow, you let computers be down for a week because you were installing a new OS? Now that's what I call crappy change management.

Re:At $15,000 a year......

flaim bait for pointing out cost savings?

this is not a religous war; he is simply pointing out the cost savings that this guy is getting at $15K

if you want to talk seriously, you need to take off your idiotic linux zealot cap and deal with things the way they are

Re:At $15,000 a year......

[farble1670]

E is updated automatically via our SUS server (and settings pushed to clients via group policies) and Office updates will be included soon.

the $15k is for licensing + the auto update service. you can try to read between the lines that there is some vast amount of manual intervention involved to push updates, but the artical did not state that at all ... even if there is, it is clearly insignificant to the writer or they would have mentioned it.

Re:At $15,000 a year......

[duffbeer703]

The thing is, he won't be able to instantly dump his volume license agreement. SQL Server based apps and Exchange won't vanish overnight and some people will demand and end up retaining Windows workstations -- regardless of what the IT honcho says.

When you reduce the number of licenses, the volume discount in the volume license agreement drops.

So you aren't looking at a $15,000/yr savings... probaly more like $4,000 with $10-20k retraining requirements for your staff.

Re:At $15,000 a year......

[madstork2000]

What savings? My point is we have know idea what budget is in place, simply one line item - $15K per year for software. Would using free software cost the institution MORE than $15K per year? I doubt it.

Re:At $15,000 a year......

[madstork2000]

How many of those staff will have to be retrained every couple years with the planned obsolense of MS software?

Training is a weak argument. It is likely already incorporated in their budget. Most endusers familiar with Office will do just fine with OO.

I know from my time working for a large University that there was training for every iteration of Windows, Office, and all the specialty apps. If you ask me the training was a complete racket, but we (as IT staff) were required to go through the training.

As for legacy apps, yes there will be a need to ween people off them. There will likely be hold outs, but the sooner the process starts the sooner the true savings can be realized.

Re:At $15,000 a year......

[Master+of+Transhuman]

Rip and burn is not a good idea for organizations with more than 5 or 10 computers...

And having systems down for a week means you had absolutely no plan (and probably no clue).

I mean, EDS screwed up 80,000 machines in the UK a few months ago and AFAIK they got back in operation in a week or so.

Re:At $15,000 a year......

[Master+of+Transhuman]

Exactly - training is always done incompetently.

There are plenty of case studies where Linux migration was done with almost NO training, and the end users picked up OpenOffice and the distro with not much trouble. And I don't call a month or so of lessened productivity "much trouble" against the benefits.

I don't recommend migrating without training but it has to be done intelligently.

And the bottom line is STILL - whatever you're paying now, you'll pay FOREVER if you don't STOP!

Re:At $15,000 a year......

[duffbeer703]

I'm not even talking about the end-users -- I'm talking about the IT staff!

You don't snap your fingers and turn Windows admins into Linux admins -- you need to retrain, and even layoff and replace existing staff.

Universities always have the option of hiring cheap student labor -- but you still need the continuity of a real staff.

Re:At $15,000 a year......

[Daengbo]

A couple of years ago, I had a Thai national use OO.o for a week or two before asking me if it was the new version of MS Office. On the other hand, I now work with a Canadian who would rather use MS Word with Korean menus than use an English version of OO.o ... who knows what would happen?

apt-get update....

[cyber_rigger]

Or you can just use synaptic.

zen is good

I have used Zen in its various forms since it was managewise. i once tried the m$ offering (SMS ?) and realised at once there was no competition.

Its a shame that Novell solutions that work are overlooked by people in favour of m$ offerings that dont deliver....
I would like a FOSS solution tho !

cfengine

[ALecs]

I've used GNU cfengine for automated updates at a company I used to work for. Basically, you write rules about how the system shoudl look and cfengine enforces them.

However, we used to automate updates, apply system patches and rebuild the world if necessary. With about 5 lines changed to a single server, I could force all the workstations to re-install themselves overnight.

We also used this system to push out passwd file updates (poor-man's centralized auth).

http://www.cfengine.org/

Re:I have your solution

I suggest you look at all of the package managers including Gentoo's portage which can be applied to other distributions.

Portage can handle binary packages and can be "pushed"

Zenworks for Linux/RedCarpet

[KingDaveRa]

Zenworks for Desktops (ie Windows) is now a pretty advanced and mature product. It works pretty damn well. Zenworks for Linux is pretty immature by comparison. I've seen Novell making LOTS of noise about it, but then again, they would. From what I've seen though, its the only enterprise-grade software from a major vendor to offer a central control system. Most others are very fragmented.

Re:Zenworks for Linux/RedCarpet

[G+Money]

Unfortunately, the current version of Zenworks Linux Management really is just Red Carpet Enterprise with a little more polish. The next version which is due out in a few months if I'm not mistaken is worlds appart and is almost on par with the feature set currently available for Windows. Everything you could want is built in. I don't think there will really be a desktop and server line as Linux is Linux. The remote access via VNC and application security policies (Firefox must have x as it's home page, evolution can't change the smtp server, etc....) are more desktop oriented but the end result is the same. You have one tool to perform all your system management if you're a Linux shop.

Re:Zenworks for Linux/RedCarpet

[fferreres]

Ok, but if you want people to use certain smtp server, force it at the network level, not app level. And why cant people change the homepage? If you have user accounts why not allow them to change it? If it's a public terminal you can make the config file read only to users. Windows does not help much to harden machines, Zen may work, but it's a work arround at best.

Re:Zenworks for Linux/RedCarpet

[massimiliano]

I cannot fully understand what you mean by "Netware client".

In any case, Evolution for mail and Gaim for IM work perfectly with Groupwise, iFolder works, I can see printers... and the whole company (just most of it for now) is using Linux internally.

So it is working in their operating environment!

Re:Zenworks for Linux/RedCarpet

The Netware client is needed to authenticate the user, access the files and print.
Most places running Netware rely on Novell Client to do that, perhaps using NDPS printing. They don't run i-this and i-that.

Re:Zenworks for Linux/RedCarpet

[G+Money]

Forcing the smtp server at the network level would work great if all your workstations are on a local network, but if you're managing users worldwide roaming around with laptops it's not really an option. Anyway, with the security policies for application/desktop configuration, you can choose whether you're setting defaults for a user that are locked (they can't change them) or unlocked (they can). A read only config file would also work but it's not that convenient to have to manage several dozen config files in /etc/skel and then have to script out changes to every user's account anytime you want to force a change on everyone. With Zen you can have as many different groups of users as you want and each group (or even machine if you want) can have a separate set of policies applied to it, minimum list of software packages to have installed, etc.... All policy is group based so if I have a group of office workers who only need OpenOffice and Firefox and shouldn't be able to make changes to their preferences I can put them in a separate group from my power users who I can trust not to set their incoming imap server to something non-existant and then complain to the helpdesk. You would never use Zenworks to harden a single machine, you would use is to manage at least several hundred out to several hundred thousand. You're absolutely right about it being overkill for just a few machines.

Re:Zenworks for Linux/RedCarpet

[fferreres]

Thanks for the reply. I understand your points, and agree: the "concept" is great, with Windows some are solved at the wrong place. With Linux it's better able at controling "the user", it's never straight forward. But anything that allows with to better control the infrastructure is great.

W0t?

[diegocgteleline.es]

What about apt? apt-proxy? apt torrent, if you don't want to hammer your servers?

Seriously, why would anyone *doubt* that delivering software is much better than linux? If there's something wrong in windows, is software packaging and delivery. Did you realized how you 3rd party programs don't have methods to update automatically? (hell, lots of programs even need to be uninstalled by hand before installing the new version, no "upgrade" support)

In Linux, you have things like APT. With APT, you can update ALL your software, not just the a few Microsoft apps. You can configure it like tou want, adding several lines from different servers in your sources.list, setting priorities in apt.conf, use P2P to automate it with a cron job. We are years ahead of Microsoft in this are, IMNSHO.

Re:W0t?

[dublin]

Did you realized how you 3rd party programs don't have methods to update automatically?

That's funny, I've got several third party programs (including complex apps such as CorelDraw) on my primary windows desktop that automatically update themselves through either InstallShield Update Manager or BigFix. Granted, there's no universal updater, but that's true in any environment - heck, even the Macs don't have hooks for updating third party-apps, and it's *way* easier for them than anyone else...

Same boat

[Jett]

I'm in the same boat where I work. I'm trying to get Firefox officially supported, the biggest sticking point is the lack of an easy method to push updates. I think this is one of the biggest reasons Firefox isn't widely deployed in the corporate environment yet, sure it's easy to install it yourself and update it yourself - but that's not a solution in a controlled environment.

Re:Same boat

How about.. www.frontmotion.com/Firefox

Re:Same boat

[whoppers]

I'm not that much of a techie anymore, especially on the latest *nix, but couldn't you just deny internet access to configurations that aren't up to date with the latest "approved" configuration. This way you could force folks to install the updates themselves and maybe *gasp* take responsibility for their actions and learn a little about computers.

Fix their computer once, you'll be fixing it for life. Teach them to fix it themselves and they'll either quit using computers or never talk to you again.

Re:Same boat

[wireloose]

Sounds good in theory. Seldom in practice does the CEO support the idea of making all his/her users responsible for their computers. Has something to do with doing the job they're paid to do. Usually, they're doing something else that's needed. And that's why we have jobs. :)

Re:Same boat

[killjoe]

I haven't tried this but I can't think of a reason why it would not work.

Unzip firefox to some network drive.
Create shortcuts on desktops to f:\apps\firefox ...
That's it right? Firefox keeps profile information on the users profile so no problem there. When the time comes to upgrade just unzip the new firefox on top of the old one and you are done.

Can anybody think of why this would not work?

Re:Same boat

[PetyrRahl]

In a smaller network situation yes I can see this working without a whole lot of difficulty. In the larger network case, as the original poster was talking about, you have to worry about the amount of network traffic that this would generate.

Regards,
Petyr Rahl

Re:Same boat

It is relatively straightforward to build a Firefox .MSI package using WinINSTALL LE and push that .MSI package to domain clients using a Group Policy.

Re:Same boat

[Verteiron]

That gets it on the client systems, sure. But how do you keep a user from (for example) changing their proxy setting? With IE you can lock the user out via Group Policies. With Firefox, well.. I'm not aware of a way to implement similar restrictions.

It sounds like a Windows Server Administrator Template Policy would go a long way towards Firefox acceptance in corporate environments. You'd need some kind of plugin for Firefox that makes it read values from the Windows registry, as well.

Alternatively, a Firefox plugin could read the Group Policy restrictions targeted at IE, and "translate" them internally to the Firefox equivalents, but such a solution would be a sloppy hack at best.

Re:Same boat

[JonToycrafter]

Mod parent up! Many people answering the question the original submitter asked haven't tried to tackle this themselves, or they'd know the problems they'd run into, which the parent post nailed down.

Sadly, there isn't a perfect answer - yet. The Mozilla wiki covers this problem in more detail here.

Firefox ADM partially covers this ground - here.

There's another tool similar to Firefox ADM, but I can't find info on it at the moment.

Summary: Firefox is almost there, but in most enterprise situations, there's still a few features (mostly in the lockdown, and setting default features department) that are lacking. I expect that will become a non-issue by the end of this year.

Re:Same boat

[ehvoy]

firefox setup 1.0.4.exe -ms -cleanOnUpgrade

silent installation or silent upgrade, newly implemented in 1.0.4.

Re:Same boat

[whoppers]

I wouldn't dare say the end users should reinstall their OS, but having them install a patch now and then might make them understand how their computers work. Maybe for some it's hopeless, but I'd much rather update my machine than wait for IT to shut me down for hours while they update things.

My boss keeps getting new laptops, but can't understand how to turn off pop-up notifications about his wireless card and every night he locks his laptop in a file cabinet in the office, while I'm on a PIII with windows98. It's a strange world out here.

Re:Same boat

[vmfedor]

A majority of people don't care about computers, they just want to get their work done and are sick of the PC crashing. This is the reason trying to "teach" them doesn't work. They simply don't care, and don't want to learn how to update Firefox when all they want to do is finish writing their word document, send that e-mail using Outlook, and go home. People don't want to know how the insides work, they just want to use it. It's akin to me using a microwave. I really don't care how it works, and though I may find it interesting I wouldn't want the microwave repair guy to sit there and tell me how to fix it.

Re:Same boat

[dbIII]

But how do you keep a user from (for example) changing their proxy setting?

In that case it isn't worth bothering, you use a transparent proxy so they don't have any choice - however I'm sure thats just one example and there are plenty of other settings - perhaps make everything read-only on the file level apart from the bookmarks and history?

Re:Same boat

In that case it isn't worth bothering, you use a transparent proxy so they don't have any choice

There are some applications that won't work through a transparent web proxy.

Re:Same boat

[j0217995]

I would love to hear this. We use IE throughout our company and I have forced the home page, some bookmarks, security settings and other things from Group Policy. Now I can't do that in Firefox which means no Firefox at the company. I've been looking for something that I can setup and forget it. My GPO just works.

Re:Same boat

[Chrish2]

Woulden this meen that laptops will not be able to launch FireFox when no-longer connected

Re:Same boat

[erth64net]

Like Netscape and Mozilla, nearly everything in firefox can be locked down (Google for "firefox lockpref").

Quick overview:
1) Open prefs.js
2) Where you want to lockdown something, replace user_pref() with lockPref(). Once done delete any lines which still have user_pref()
3) Byteshift (offset=13) the changed prefs.js file. This can be done via an online script. Or download a perl script to run locally. The resulting file should be called firefox.cfg
4) Put firefox.cfg in the root of the FireFox install folder, and a 1.js in prefs/default with the line:
pref("general.config.filename", "firefox.cfg");

We lock settings such as the proxy, homepage, cache, history, download locations, and weak security settings (saving passwords, SSLv2, etc...).

I believe it's also possible to point to a webserver which can feed the lockPref values dynamically (ie: based on authenticated username).

BTW: firefox.cfg can be called anything you want, just make the appropriate changes to the instructions above.

Gentoo

emerge --sync emerge -uD world

Re:Gentoo

"emerge --sync emerge -uD world"

No, I don't think that is robust enough. How are you going to automatically handle the /etc file changes? Accept them automatically? Good luck. And there is a chance you will have problems during this days-long recomplie update. It's not reliable enough.

Re:Gentoo

[Gooba42]

The /etc problem is still stickier but the "days-long recomplie update" is easily solved.

Maintain a local test machine with whatever updates you like and when the package passes your approval you push it to an internal update server in pre-compiled form to which your clients sync.

Assuming these aren't people's personal machines, i.e. student laptops, even the /etc stuff can be relatively easily handled. Most changes are going to be universal or at least nearly so, dhcpcd or ntpd configs for example. Any orphan machine that requires any significant individual tweaking is probably not one worth spending time or money on anyway.

Solutions...

[cthrall]

At a former job, we were moving to an internal RPM server that updated itself via a trusted external source...you could also run a local YUM server.

Unsure from your post...

[Saint+Aardvark]

...if you're talking about Linux desktops, Windows desktops or both.

If Linux, then follow the advice of the poster who told you to use Debian -- its package management is, IMNSHO, The Best, Ever! (tm) for Unix. If you can't go with Debian, then look at using rsync. We use that here (maybe 50 FreeBSD workstations and servers), and it's great: add stuff to The One True Machine and it shows up the next morning. We synchronize the usual suspects this way: /usr/local, /usr/X11R6.

If Windows...well, I presume you've got AD or some such. We don't (I'm trying to get away w/o a MS server in the house), and I've just come across wpkg. Looks pretty good, with two caveats:

1. You need silent installations of things. MSIs or silent .exes are good, anything with a window is bad.
2. The documentation is most charitably described as "scant". (Hoping to add to it at some point.)

Initial tests are pretty damned promising, though, and it works when run over SSH -- you don't need to be logged in, standing in front of the computer, or any of that nonsense. Almost makes me think of Windows as a real OS.

Re:Unsure from your post...

[nizo]

Thanks for the info on wpkg. It drives me nuts that I can install the new firefox on a server and rsynch it out to the linux machines, but I have to wander from machine to machine for the windows installs. I dunno if wpkg can automate this, but maybe it can automate some of our other installs.

Re:Unsure from your post...

[Saint+Aardvark]

wpkg can definitely automate Firefox installs -- just finished testing it this weekend.

As I mentioned, you need a silent install. For F., there's different ways to do that:

1. Use FrontMotion's MSI for Firefox
2. Follow the instructions and created your own MSI using MakeMSI (which is free as in beer, not speech)
3. Follow the instructions on Unattended's wiki and roll a silent install from the .exe

I've tested the first and last w/o any problems.

Totally obvious

[The+Bungi]

Pay 15K per year to have a working supported enterprise management solution, or

Pay 45K per year to hire someone to manage a homegrown house of cards "solution" based on rsync, rpm, apt-get, crontabs and other such industry stalwarts.

I think the choice is clear!

Re:Totally obvious

[geomon]

Pay 45K per year to hire someone to manage a homegrown house of cards "solution" based on rsync, rpm, apt-get, crontabs and other such industry stalwarts.

While I agree that the 3X differential in cost may be too high for this person's institution just to migrate, the "house of cards" comment is laughable. Centralized software management has been done successfully for years on *nix platforms and is done for a much lower cost than what you cite in yorur comments.

But we also manage large *nix server farms for research and maintain Solaris, AIX, HP-UNIX and other varieties of non-Microsoft OSs. The incremental cost of adding Linux administration for our workstations is a 1/4 of what you cite.

As always, YMMV.

Re:Totally obvious

You've GOT to be kidding (or inexperienced).

Managing software installs on any kind of Unix is much simpler than doing so on Windows, simply because of the enforced split between user-owned files and centrally-controlled files. For workstations, a single admin should be able to maintain thousands of Linux/Unix workstations, with the limit actually being not software-maintenance but hardware-maintenance.

Today's tools make self-updating systems robust and easy to set up. The posters above made very good, very robust suggestions - yum, apt-get, rsync. Those three separate solutions are highly reliable, very simple, and very robust. They are not a "house of cards" and the work involved in maintaining and updating a few applications certainly shouldn't keep any qualified admin busy.

In the case of Redhat/CentOS, the big ones (Open Office and Firefox) are already included in the distribution, so updates require no work at all.

The original poster, however, did not make it clear whether he's looking to use FOSS software for the OS as well, or just for the applications.

Re:Totally obvious

[The+Bungi]

the "house of cards" comment is laughable.

Well, in my experience most of the stuff that's tied together with little scripts, general purpose utilities and dependencies tends to be brittle, even on Unix. Perhaps most importantly, it tends to be mostly unmaintainable.

The incremental cost of adding Linux administration for our workstations is a 1/4 of what you cite.

Yes, but it sounds like you already have an infrastructure in place. I didn't get that from the submission.

Re:Totally obvious

[geomon]

Well, in my experience most of the stuff that's tied together with little scripts, general purpose utilities and dependencies tends to be brittle, even on Unix.

Yes, that can be problematic. That is why someone considering coverting would want to pick a distro and be consistent.

If you are honest in your assessment, though, you will concede that Microsoft updates often break apps that have been created by customers. We often experience a lag time in deploying Access when Office upgrades come out due to the updates thrashing our custom-built apps.

No one solution is without its warts.

Re:Totally obvious

[geomon]

Managing software installs on any kind of Unix is much simpler than doing so on Windows,..

While I would agree that someone managing a system based on *nix with experienced admins would probably be easier, it is not neccesarily the case that it is easier for everyone. If the person in the original article has no experience with *nix at all it will take them considerable effort and time to make the change to an open source environment.

Re:Totally obvious

[The+Bungi]

you will concede that Microsoft updates often break apps that have been created by customers.

I will be honest about it, and I'll say yes... once =)

An OS service pack (for Windows 2000) used to rollback a service pack for one of their server products (Host Integration Server).

Of course that's just my experience, but after years and years of pushed updates to thousands of desktops and servers I've seen very few problems, honestly. Not more than I'd expect by simple statistical rot. I imagine it would be no different in *nix, though really this is about the tools that exist to deploy those updates, rather than whether or not they break something when they arrive. All things being equal, the former is more critical than the latter if you consider how often something does actually break (though I don't include things that break because something in a product change, but rather an actual collision between the update(s) and the product(s))

Re:Totally obvious

[wireloose]

I haven't had a major Microsoft update yet that didn't cause some problem. I've been supporting heterogeneous networks for 22 years in a number of organizations, and I've done a lot of consulting.

You can't really claim MS's automatic updating tools are any better than the standards discussed here. Microsoft's online automatic updates blew out an entire computer center for me once. Something in the "critical fix" refused to work with the standard AMI SCSI controllers in all my Win servers (60+). Imagine having to back the update out of each of them manually. Took two days and 6 people. And I have never allowed MS auto updates to run again.

On the other hand, the Unix systems have been pretty solid. I don't consider scripts bad things. They're easy to build, easy to maintain. And good standard tools like rdist and rsynch work across lots of platforms.

But, you left out one thing in your comparison, The Bungi. If you include the "after conversion" salary, you have to include the "before conversion" salary for a MS tech that's worth his/her salt. I've never had to add a body to support *nix systems when MS systems were already in place. Often, a judicious bit of training, which costs far less than $15,000, is all that's needed.

Re:Totally obvious

[swv3752]

You forgot, fire 3 worthless MSCE's that were managing the Window's Network and save $90-$135K.

Re:Totally obvious

[The+Bungi]

fire 3 worthless MSCE's

Well that's nice and very funny, but I don't see from what in the submitter's comments you deduced there were three MCSE's - worthless or not.

Re:Totally obvious

If the person in the original article has no experience with *nix at all it will take them considerable effort and time to make the change to an open source environment.

Exactly what Microsoft likes and relies on... short-term thinkers. If you have any IT people who know point-n-click is not a skill, then you can migrate to new platforms with planning. You need to think long-term. Getting out from under Microsoft's EULA is worth it alone (for the company, that is).

Re:Totally obvious

[swv3752]

I was highballing the number of Machines that a windows Admin would manage, lowball the number Machines a Linux admin would manage, and guestimate an amount of machines based on the licensing fee. We are probably looking at 100 to 300 machines. Combine this with the low wage that a small college IT department pays and the old mixim that you get what you pay for, plus the fact that the majority of MSCE I know personally, and the average holder of an MSCE is pretty worthless. While there are some amazing Windows Admins, and some of those even have an MSCE, they are not likely to be attracted a college IT job. If I was in my mid-twenties and single, with the corresponding level of experience that indicates, I would be all over such a job for a Linux Admin.

Re:Totally obvious

[geomon]

You need to think long-term.

Works for you and I, but the learning curve to a completely open source environment is fraught with a complex operating operating system with new syntax and concepts.

As for me personally, I made the move to Linux in 1995 and have never looked back. I have been Microsoft free in my home ever since 1997.

Re:Totally obvious

It's a common misconception that a "...working supported enterprise management solution..." is really that. How much clout do you think you really have with most companies such as IBM, Microsoft, Novell, etc. In the 10 years I've been in IT, if something is broken, you're either told one of two things:
1) Yes, it's broken. Thanks for telling/reminding us. We'll be fixing this is the next version, make sure you buy it!
2) Thank you for the information, but we will not be fixing this issue. We recommend you either do this ad hoc (and usally labor intensive/failure-prone) workaround, or look at purchsing product X, or Y for the feature(s) you desire.

In the first case, vendors do this all the time, and frequently dont really implement said feature(s), or they only partialy implement them. In the second case, that's yet one more product to license, install, patch, upgrade, break, and otherwise manage.

Whereas, with OSS, when we dont find what we need, we either:
1) Write the program ourselves
2) Add/fix feature(s) ourselves
3) Hire or work through another developer whom can add/fix feature(s)

Updates

I work at a school district and we use Scriptlogic Desktop Authority for mapping drives, printers, configuring email profiles and managing windows updates. Maybe this is what you are looking for - im not sure....

www.scriptlogic.com

What a shameless plug - and i dont even get anything for it..

I would think very carefully

[Timesprout]

before venturing into the unknown with a system that currently works for the sake of saving a few thousand dollars. If the savings were greater or there was areadily accessible tried and test means then go for it. But for the sake of a few grand, if it works I would leave well enough alone.

I just updated FF on a couple hundred macs...

[mattyohe]

in about 10 minutes.

Re:I just updated FF on a couple hundred macs...

Umm...good for you. Are you expecting to get a cookie?

How does this help the poster? Or, for that matter, anyone?

Please think also "free software on WINDOWS"!!!

[Heraklit]

Befor you all start shouting about a Debian repository and mounting /usr/local/from-server, please consider:

The question is most probably about updating free software on Windows desktops!

Re:Please think also "free software on WINDOWS"!!!

The obvious answer is VB SendKeys, and one confused user wondering why his pc is jumping around on it's own.

Re:Please think also "free software on WINDOWS"!!!

[Chemicalscum]

No ! He talked about using Novell Desktop Linux.

Re:Please think also "free software on WINDOWS"!!!

[Heraklit]

ZENworks is cross-platform. So even if the server is Novell Linux...

http://www.novell.com/products/zenworks/quicklook. html

$15,000 fo 200+ Desktops

[mikejz84]

$15,000 for that many desktops seems....well...very reasonable. I can understand you wanting to move to a FOSS, but in the end most of your students and faculty are use to Microsoft crap (I mean software...) and the price seems fair as compared to headaches of users when they don't get it.

Wow! How things have changed!

[PSargent]

It used to be that Microsoft could never be considered for "enterprise" (I HATE that word) type instalations becuase there was no way that software could be centrally managed.

Now we have questions asking how you do it on a unix. You do it the same way it's been done for decades, and that's to have a central reposistory which is mounted by all workstations. You install and run your software to/from here.

Main problem is no package manager that I know of is able to cope with such a concept :rolleyes:, so you have to get your hands dirty.

Re:Wow! How things have changed!

[starfishsystems]

Main problem is no package manager that I know of is able to cope with such a concept :rolleyes:, so you have to get your hands dirty.

Actually, I've found over the years that the Solaris package manager is very good at relocatability. The same is equally true in theory of RPM, though in practice not as consistently.

When software distributed in one of these package formats doesn't relocate simply and correctly, it's not a failing of the package manager. It's because the developers have overlooked some detail required to make the software relocatable. Typically that's a simplistic installation/removal script embedded inside the package.

Developers, please don't forget that /usr/local is only the nominal installation directory. Many sites are obliged to use other conventions, in particular when filesystems are mounted remotely.

By the way, source distributions which use autoconf tend to be the best behaved of all, in the sense of correctly processing changes to prefix and exec_prefix. That's remarkable, given the size and variety of configuration spaces among source distributions.

Re:Wow! How things have changed!

That's the way I used to do things. Now I don't bother due to software like rpm and yum.

It takes no more time to package software using rpm and have yum install it every night, than maintaining an NFS software share. Having the software installed locally has several advantages over the NFS software source. Less network traffic (not insignificant for large installs), faster app startup time, less central RAID fileserving capacity required, and much easier to move machines to client sites (happens a lot for consulting types).

Can someone say...

...up2date? The RedHat tool that's been around forever and automagically updates systems to the latest version of whatever?

MS Shop

[BenTheManager]

I also run a small MS shop, servicing about 150 desktops and about 15 servers, all MS.

I too have been looking to make a migration, but there is no straight forward solution.

We also use SUS and Group Policy to push updates and security settings.

If a migration was to be feasable, a stepped approach would have to be taken.

First start changing client apps on Windows desktop, then change desktop OS. Such as Firefox for IE, Openoffice for MS Office. It would be very helpful to be able to use Group Policy and SUS for maintaining those apps!

Same on server side, port .Net apps to Mono running on Apache on Windows (yikes!) than move OSs. The other option would be to port the app and run on new server. Course, one of the apps has been done with Java, so no probs there. :)

I know I can run Samba for shares and printers and the like, but what about services like MS Exchange. Apps will have to be moved from MS SQL Server to Postgres or the likes.

Big job! Plenty of costs involved. Then there's training! Talk about vendor lockin.

Re:MS Shop

[j-cloth]

Am I missing something completely obvious? Why are you not using group policy to push out whatever software you want? Group Policies do not have to be 100% MS.

Re:MS Shop

[erth64net]

It would be very helpful to be able to use Group Policy and SUS for maintaining those apps!

Once on a Linux desktop, you will not have tools such as SUS and Group Policy - as other Linux-based options, such as apt-get and Mozilla's lockPref() will replace them. Consider that you need to learn how to use your new administration tools, just as much as your users will need to learn how to use their new tools.

apt-get upgrade <list>?

[Doc+Ruby]

Debian's apt-get lets me crontab an 'apt-get upgrade', but that upgrades every package in the system. The "Debian way" seems to be to maintain a local package repository, in the versions I want, and upgrade against that. But how do I automate the upgrade of just those packages? Is there any apt tool that lets me maintain just a local list of packages to maintain at the "latest" version (including dependencies, of course)?

downgrade?

Wasn't the Enterprise's software downgraded from "Enterprise" to "ToS"????

yeah I'm trolling today... I'll admit it.

I think everyone misunderstood what is being asked

[dyfet]

I gather what is being asked is how to manage updates of specific free software packages (firefox, openoffice) that are deployed on a microsoft windows platform. I see lots of people mentioning apt-get and such, but I don't believe that is what is being asked here.

Zenworks 7

[G+Money]

We currently use Zenworks 6.6 to manage ~2000 NLD and SLES systems for system patching. It works great for that purpose. It doesn't offer more than very basic inventory management and reporting yet. I say yet because I'm on the beta for the next version and it is amazing. It makes managing Linux dekstops and servers ridiculously easy. If you've used Wen for Windows, they've basically pulled all the same functionality into the Linux realm. Imaging, patching, configuration management, security policies, reporting, inventory/asset management, remote access (vnc or ssh), everything is all wrapped into one bundle. Some of the other pieces we use are at our site if you're interested in other open source and commercial packages we use. It's not much more than basic marketing material at this point but feel free to ask any questions.

This has got "duh" written all over it

Let's assume you have 300 PC's, that's $0.96 per desktop per week for IT infrastructure which appears to be working well. If you were having all sorts of problems I'd suggest otherwise but given the information you've supplied I'd argue that your dislike of Microsoft (or preference for FOSS) is getting in the way of your ability to think logically. Remember the first rule of engineering: it it ain't broke don't fix it

Re:This has got "duh" written all over it

Remember the first rule of engineering: i[f] it ain't broke don't fix it

Funny, it was told to me as: "If it ain't broke, add another feature."

Re:This has got "duh" written all over it

"... Remember the first rule of engineering: it it ain't broke don't fix it..."

Old school thinking. With that mentality, the competition will leave you behind. Now for software, the rules may be a little different.

Re:This has got "duh" written all over it

I thought that was the first rule for people that don't know what they are doing..

it's all free, built in, and automagic everything

we are in the process of moving all of our i.t. infrastructure to ubuntu for clients and debian for servers.

we can purchase ubuntu support services, and finding support for debian is fairly straight forward as well, although we have inhouse expertise.

all 16 000 debian applications are updated for security patches automatically, as are all 2000 - 5000 supported apps under ubuntu.

it's all built in, it's all basically click and go, and you pay for none of it.

it is highly recommended to run your own mirrors however, if you have that many machines you will want one of your own mirrors pulling in from the debian and ubuntu repositories, then distributing the patches to the rest of your desktops automatically from there.

there are also push/pull components you can install, usually those require linux profficiency, but just incase some microserf tries to tell you linux doesn't have 'push patch' capability they are wrong. it's also free.

don't forget that setting up automated backups for your linux workstations is also available, there are many backup utilitys, some like bacula are enterprise class and free as well.

obviously labour costs money, but once this stuff is setup, it require little to no maintenance.

- your friendly neighbourhood cio

Software in the Enterprise...

[slapout]

...I thought that show was cancelled...oh wait, nevermind....

Firefox & GPedit & firefox.msi

[kbrosnan]

FirefoxADM is a way of allowing centrally managed locked and/or default settings in Firefox via Group Policy and Administrative Templates in Active Directory Latest news about FirefoxADM at http://spaces.msn.com/members/in-cider/
http://sourceforge.net/projects/firefoxadm

Unoffical Firefox MSI builds can be found at
http://www.frontmotion.com/Firefox/

Official Firefox Msi installers will be avaible in the 1.1 release nightly msi builds can be found at http://ftp.mozilla.org/pub/mozilla.org/firefox/nig htly/latest-trunk/ the nighlies are not ready for general use yet, but are availbe for testing.

Google is your friend

[NewbieV]

This website has downloadable MSI packages that will integrate Firefox into AD and GPO, as well as a howto.

This thread will show you how to do the same for OO.o, but only for the 2.0 beta version.

Re:Google is your friend

[Fnkmaster]

Agreed for Firefox, some version of the MSI installer process has been around for some time and this same issue has been discussed dozens of times in the Firefox Forums on MozillaZine.

Maybe it's not super fancy, but from what little I know of AD/Windows network administration stuff (not much), I would think that the MSI installer should do the trick just fine.

Parent should be modded up, pretty much answers the entire question.

cfengine

If you manage 1,000s of Linux machines and are not using CFengine, you have not been enlightened.
CFengine wiki
Allow it to use the built-in package management utilities for your distribution, but manage it from a central location.

.zip files

[Symb]

Naive question. You might want to smack your windows admins into reading the books they use to make their shelves look informed.

Use active directory assigned installs. Use zap files and batch files if there is no MSI. Set an upgrade policy in the installation. One GPO per installation/upgrade.

Next on slashdot, CEO wants to be CIO, but there is no 'I' in team. What are other slashers doing about the missing 'I'?

More journalistic slobber from the net's finest sensationalists.

I know about Zen

[bogaboga]

> Is anyone using Zen with Novell Desktop Linux?

Yes, I am. What I can say is that Zen on Linux, is kind-of slow, not as agile and feature rich as its Windows counterpart. All in all, it provides a good first step since improvements will always be done.

I assume you're still using MSFT desktops.

[TheLinuxWarrior]

So I would say that you should either create MSI packages of OpenOffice and FireFox (and of course, whatever other FOSS apps you want to use), then deploy via GPO, or perhaps consider using SMS for app deployment.

I know that my last two assignments have been large organizations and both have used SMS.

I read "Updating Free Software on the Enterpise"

[k_stamour]

Visons of Picard beating the tar out of Data and the bridge screaming something about "Blue screen of death no more!....Compile me Kernel 18.2.3e!!!!! MAKE IT SO!"

Enterprise management

Larger corporations use Solaris in combination with Tivoli and BMC CTSA (Control-SA).

Or they use thin clients like SunRay that boot off of a central server (usually a Solaris server).

Updates

[Todd+Knarr]

This is only really a question in the Microsoft world. In the Unix world it's old hat. Possibilities:

1. Have a central fileserver with all your software on it, have all the workstations mount that central store to a known location and add the appropriate directories to the PATH (or use them as the target of desktop menus and links). Then all you have to do is update the central server and all workstations automatically see the updates. Extra points for the small scripts to insure that each workstation is logged out and the central server unmounted before the update and that everything's remounted after the update.
2. Remember that in Unix the console is just another terminal. Have a script that ssh's out to each workstation in turn and performs the update on the workstation
3. Remember that in X11 the local display is no different from a remote display. ssh out to each workstation, run the GUI installer and install the update on each workstation from the comfort of your desk. Then write a nastygram to your software vendor asking why they insist on a manual GUI for installation and why can't they provide a nice scriptable installer?
4. Set up a cron job on each workstation that will poll a central server for updates at regular intervals and update any packages found. Your workstation distribution probably includes an update utility (eg. up2date, rpm --freshen, apt-get and so on).

ZenWorks

[Azul]

I was about to suggest you use Zenworks right before I read you mention it in your question. I would advise you to give it a try: it was designed precissely to provide the functionality you seem to be looking for.

Not only it lets you automatically update software (other posts have pointed out that you can trivially do this in Debian-based distributions with a cron job) but it will also help you easily define default settings for each application and group of users.

Disclaimer: I work at Novell.

Radmind

You can also use something like radmind. If you are using any sort of *nix desktops. It is much easier than having a Debain repo. Plus it would use a lot less bandwidth and is tested and used in Universities mainly.

There are also things called login scripts in the Windoze world when it comes to updating things like OpenOffice.org and Firefox. . .

There is pyhton...

[a3217055]

We really don't know what your network, servers or desktops look like. I know that Sharp in the US has a large installtion of Slackware based servers. IBM uses Linux, and so do a lot of universities I know that the SuSe Enterprise edition is really great and you can use a local repository for all the updates or use another site etc... Let's say you ahve 20% servers and 70% dekstops and 10% laptops. The servers can be updated by using something called CSM which can run comnads and do installs etc. It uses ssh to connect to the machine and send the commnads etc.. Or you can write your own tool using perl or bash or python. Now for desktops you can have some sort of network install image and everytime you need to update them you can have them copy the image from the server to the local machine, or use scripting to set up or use some sort of cron set of jobs to check if they are updated available on an nfs mounted disk ( shared file system ) and install the packages. And laptops can be doen on a per user basis or have scripts that check if they are on the site lan and if they are run a script for updates and backups. Etc... In college I used to admin about 35 servers and 80 desktops and 40 latops and all of them ran Linux. Servers and desktops would get backed up every night and updated only when there was a critical fix using a specific perl script on an NFS moutned disk. And then there was the special / specific apps directory that was nfs mounted and was updated by hand etc. And the 40 laptops would all check when they were plugged in if they were on the site lan, needed and update and then they would update themselves. Now obviously all this was not secure, you can run any mallicious code if you code write to the common nfs server that held the repository and the scripts etc... I would say if you have a very big installation 1000+ computers I would reccomend you use a commercial software that does this sort of work. If you are small about 100 computers you can use an in house set of scripts ( get those students to write something ) or buy a commercial application. Over all there are many ways to do this sort of task the main thing is to have a good idea and knowledge of everything that is required. Then and only then do you design it. I mean you can do the whole thing for less than what you are doing now. If you have a good set of script writers you can do a lot of neat stuff. If you could give a better representation of the services and the type of computers you have things can be a lot of easier. Updating FOSS is the easy part making it all work nicely and integrating is the true essence of insanity :)

Firefox MSI

[asv108]

If you want to continue to use windows and windows deployment tools, there is an msi package for firefox.

Is it worth it?

[demon_2k]

I don't think it's worth upgrading free software in entorprise.

If it ain't broke, don't fix it.

Specially with linux, newer package versions may cause more problems to someone who wants a stable and/or secure system. Unless the new packagas have some new features you cannot live without, or has bug fixes. It's not worth touching. Entorprise value stability and security over almost all alse.

The same way it has always been done...

[HermanAB]

Unix upgrades have been centrally managed since some time before the dinosaurs, using tools like rsync and NFS shares.

Nowadays, with RPM and DEB package managers, you also have the option to put all packages on a central FTP server and then schedule an update using the native update utility eg. apt, rpm or urpmi.

So, my reaction to anyone claiming that there is 'no support' for Unix, or that Unix is 'hard to manage' or that Unix 'doesn't have enterprise tools'. Is one of incredulity - like where have you been the past 500 years, man??? Sleeping???

Re:The same way it has always been done...

[marcosdumay]

Not sleeping, they have beeing using Windows. Windows is an OS that requires administrative tools even for dumb tasks like running a script on several machines (*nix people are surprised by that every time). When win people ask about administrative tools for *nix, they really mean that, and you'll have a very hard way telling them that you just administrate your system, with no 3rd party tool.

Yes, I know you alread know that, but just beeing surproised will not give them the best impression. Most win people will think that you don't know what you're talking about, when you have to show them that they are the ones that don't know that.

haven't tried it, but have heard good things

NetOctopus
http://www.netopia.com/software/products/netoctopu s/

Does it really matter?

IE gets updated all the time and it's still broken.

Keeping Systems Updated

[kwalker]

This has been solved so many ways...

Debian uses apt-get, which can be scripted to feed off a (group of) particular server(s). I don't use Debian, so I can't speak specifically to its strengths and weaknesses, but I'm sure someone else will.

Fedora/Red Hat systems have RPM and yum, both of which are network aware (Though no one uses the network functionality in RPM that I can find). I have smaller networks (40 machines in one, and 12 machines in another) that feed off of one yum server, which is a box that would otherwise be re-purposed into a boat anchor. I've even rolled my own RPMs (and signed them; none of my machines will install any un-signed package) and had those updated on all of my servers by the next morning, and created my own repositories (They can even be on different machines if you like). You can have different repositories setup for different groups, as well as share network-wide repos. It's really easy once you (or one of your geeks) can truck through the learning curve. And if they're a Linux or UNIX geek, they're probably part-way through already.

Ximian has Red Carpet, which I believe they sell "big boy" licenses to (Or did before Novell bought them). I haven't touched this in a while, but it seems like a cross between what I've outlined above and Windows Update Services / Software Update Services.

With all of the above (And I'm sure there are more such as Mandriva's urpmi or whatever they're using now) can be customized to only have the software you need, though I would recommend keeping mirrors of the base OS (for network installs, and installs of software later), and updates. Especially with > 200 desktops, I wouldn't want to tap-dance on any of the mirrors' nerves by beating on their servers nightly running my updates.

As for the rest of the question (upgrades, CALs, Office), faggedaboudit. Once you standardize on a distro, you can upgrade as often as you want; some distros will even let you roll out whole OS upgrades through the above-mentioned software updaters. You may want to think carefully about that, since most office workers I know don't like arriving in the morning to find their OS is different. However, it is easy to walk around with (several) net boot CDs and upgrade a bunch of systems over the network. And no Free or Open Source software requires anything as asinine as CALs.

easy way

Put Apt (http://freshrpms.net/apt/) on the computers. Change settings so that the only repositories it reads off are ones on a local file server. Setup a chron job for "apt-get update" (and whatever switch you need to make it not require a user to press "y"). Then, just setup your own repository on the specified fileserver (all you need is a web/ftp server and some time messing around with directories).

Note that users will need to reset/restart any services that are running for their updates to be applied (this is a GOOD thing, as it can run completely in the background).

All comes down to money and time in the end

In the end it all comes down to money and time. I know everyone wants to fight the good fight and go with open source, but you hit the nail on the head when you said that it is very easy to use SUS and group policies to update your systems.

Running a cron job with apt-get and what not isn't feesible. And just like the other poster have brought up, have you even looked to see if you have any homegrown apps that need to be ported? MSSQL is 100 fold eaiser to use and program in then anythingout there and takes a lot less knowledge to adiministrate.

The other thing is to save 15K you'll need to hire someone who can manage all this crap, since your contract probably has onsite support in it. So if something is broken you call MS and they send tech monkey down there to fix it. A Unix administrator that knows what their doing is going to run you about 60K or more a year.

I really don't think that you thought this thing all the way through. Personally I think that because you are using OO and FireFox, you decided to jump onto the FOSS bandwagon without giving too much thought and that's not what a director is suppose to do.

nfs/ftp/http site + bash script on boot/cron

[higuita]

i would say aply the KISS to it!!!

-setup some secure place to...err... place the files... i would say a webserver with encription
-create several dirs to the several different systems you want to update (or one dir for each machine, with syn/hardlinks to the packages needed for each machine)

-place the distro packages you want to update there

-setup a bash script that connects to the https (and verify the certificate, just in case someone plug a fake network to takeover a site... better yet, sign your packages!!)
-get the file list and grep -v with a list of already installed packages
-fetch the needed packages
-install (and check the signature if it exist!!)
-send a email with the update result and update the installed package list
- optional check the email result and automaticly remove updated packages

-profit!!!

each server/computer will update the files, you have one central place to update everything, you can manage what updates you will install in each server by the synlinks/hardlinks
if you need to run a extra script, just umcompress a rc.local or a new crontab file that do what you need and revert to the old one in the end...

setting up this is simple and fast, its cheap and its hard to break

Fanboy moron!

Ummm, if that someone was at all knowledgeable in Linux, do you think that he would be asking Slashdot? Don't you think that he would already know the answer to this and be hacking happily?

He's a Windows shop manager and may or may not have Windows centric staff. He does not have an Linux people so, hiring Linux people for just the migration would probably cost him more than the $15,000. But, the cost doesn't stop there, he will need to have Linux knowledgeable support personnel for ongoing support. That means either train what he has now or hire other people. Either way, he is likely to run over the $15,000/yr. Microsoft tax.

I love Linux and use it exclusively, as I have for over four years. but, there are times when Linux is not the best solution and it sounds like this is one of them. $15,000/yr. is dirt cheap for Windows server licenses and CAL's, probably Exchange and SQL licenses, Windows Desktop licenses and Office licenses. It WILL cost him much more, at least for the short term(1-2 years) to switch. And, that all assumes that he truly can switch and that some application isn't going to force him to continue buying Microsoft anyway.

Re:Fanboy moron!

[Master+of+Transhuman]

It's not likely any of this is true.

If he is a "small private university", it's likely he's talking about a 100 to 1,000 students, and a faculty and staff of less than a couple hundred.

This is not a huge migration effort if planned properly.

If you go the usual educational organization route and hire expensive consultants, yes, it will be expensive to hire Linux migration people and Linux support contracts. You don't HAVE to do it that way, however.

There is likely plenty of professional and semi-professional Linux help in his area if he looks for it (I assume he's not in the wilds of Montana with nothing but trees around.) A lot of it can probably be drawn on for little money as long as you don't work people.

Training also does not have to be nearly as expensive as people make it. Just sitting people down for a few hours a week with someone knowledgeable about Linux would be enough in many cases. In fact, "partnering" Windows and Linux people together works well as most people learn from the guy in the next cubicle far more than they do from any "official corporate training".

Ongoing support for an organizational deployment of Linux will be minimal once the initial shakedown period is over. A lot of consultantcies will run remote system overview/management contracts for a few hundred a month.

Mission-critical Windows applications are not a show-stopper either unless they have to literally run on everybody's machine. A server with Terminal Services usually takes care of that.

There are solutions to these issues, but you have to have both imagination and some knowledge of what's out there to discern them.

It's likely his organization pays MUCH more than just the $15,000/year Windows licenses for his IT operation, even if he's a small university. He probably has consultant contracts and other detritus already in the budget. Repurposing some of that stuff probably would cover migration expenses.

The real savings in migration doesn't come from the licenses anyway - it comes from higher uptime, fewer disasters, lower personnel costs, improved productivity and other such hard-to-measure stats that never seem to show up on the Windows-vrs-Linux TCO studies.

Hire a Friggin' Vulcan

[Microsift]

They'll rock the Enterprise OSS or not!

Does no one use XCOPY anymore?

[wfberg]

I mean, really, what's the deal here? Most apps can be easily kept up to date by an easy-peasy daily xcopy command. What's up with all this "enterprise management" bullcrap? An application is a bunch of files, they change, you copy the new version over them.

Just because this won't work for spectacularly ill designed applications such as the likes of internet explorer doesn't mean you should become a drooling idiot if an app doesn't come with an MSI or a SUS server.

I mean fer cryin out loud, on most well-managed LANs you can run firefox off of a shared folder on the network and no-one'd notice..

But then I guess adding a little batch file that uses xcopy to "check for updates" to your clients' shortcuts is HARD. It doesn't come with a click-and-drool interface suitable for monkeys, does it? *sigh*

Re:Does no one use XCOPY anymore?

[borawjm]

Does no one use XCOPY anymore?

No, we use robocopy. Which is also apart of the Windows Server 2003 Resource Kit Tools.

Re:Does no one use XCOPY anymore?

[otis+wildflower]

I mean, really, what's the deal here? Most apps can be easily kept up to date by an easy-peasy daily xcopy command.

Registry.

Re:Does no one use XCOPY anymore?

[mgpeter]

Kixtart scripts to the rescue -

Kixtart will allow you to remotely write to the computer's registry (considering you are a Domain Administrator). I use scripts to remotely install just about every "custom" app our school uses.

For example - writing 2 7-zip registry keys to remote machines:
$ = WriteValue("$workstation\HKEY_LOCAL_MACHINE\SOFTWA RE\7-Zip", "Path", "C:\Program Files\OSS\7-Zip", "REG_SZ")
$ = WriteValue("$workstation\HKEY_LOCAL_MACHINE\SOFTWA RE\Classes\*\shellex\ContextMenuHandlers\7-Zip", "", "{23170F69-40C1-278A-1000-000100020000}", "REG_SZ")

Re:Does no one use XCOPY anymore?

[wfberg]

Registry.

Well-behaved apps don't abuse the registry to such an extent you need to add keys before using a newer version. Even badly behaved apps won't balk if you just use a .reg to add some entries - just use a registry compare tool to see the differences when an app is upgraded.

Hand-rolled MSIs aren't much more than a registry and filesystem diff. Usually, the former is not even needed.

Login scripts

We do it with login scripts. Very simple. Very effective. (TM)

Re:Login scripts

I read that three times before I no longer saw "Logic Scripts"... the Star trek references in here are getting to me.

Re:I think everyone misunderstood what is being as

[geomon]

Every item that comes on a Redhat workstation (Firefox, OpenOffice) is updated by RHN on my machine.

If I get something outside of the RHN update inventory, I have to update it myself.

That would be no different in a Microsoft environment.

Stick with Windows

You're getting Windows and Office on 200+ desktops for only $15,000 and you consider that too much? Are you on CRACK? That's like quibbling over whether you'll pay three peanuts here or walk 1000 miles to pay two peanuts.

Re:Stick with Windows

[geomon]

Agreed. You are talking about 1/5 of an FTE for full support of your desktops.

You are getting a great deal.

Re:Stick with Windows

As much as I would prefer an open source solution, 15,000 a year for Windows for that many desktops is just irresistible.

If the politics (and I don't mean this in a troll-y way) mean more to you then of course Debian, apt-get, cron, Firefox are going to do it for you better than Windows.

As for OpenOffice, Abiword, etc... they're catching up but still qualify as MS Office's retarded cousins if you really want to be honest.

On the other hand, every upgrade MS makes ruins Office just a little bit more, screws you up just a little bit more, gets in your way just a little bit more but without really adding any useful features. Soon there will come a time when retarded OpenOffice converges with senile MS Office in usefulness and that will be the magic hour when open source rules the desktop.

But honest, I really am a Linux booster, just disappointed with the apps!

Re:Stick with Windows

[Cyno]

Let's say those desktop cost $1000 each. That's $200,000 worth of hardware. $15,000 comes out to 7.5% MS tax.

Now let's say those desktop cost $300 each. That's $60,000 worth of hardware. That same $15,000 now comes out to 25% MS tax.

In any case I would sure love to have $15,000 in cash sitting around to replace faulty hardware or pay for extra bandwidth, etc.

The point is you do have a choice. Its up to you. If you want to spend your money instead of save it, go right ahead. Your competitors will be laughing all the way to the bank.

Re:Stick with Windows

[wallykeyster]

You are talking about 1/5 of an FTE for full support of your desktops.

Welcome to the world of higher education - $15,000 is 1/2 of an FTE on average, not 1/5. And this money does not provide full support of our desktops. It is software licensing and nothing more. We still have a desktop support person who removes spyware, Ghosts machines, troubleshoots Outlook, etc, and a systems administrator who (among other things) manages a SUS server and GPOs to push down software and updates. If we could switch to FOSS solutions without increasing the workloads of these two folks, that money would go a long ways towards other needs.

You are getting a great deal.

Compared to standard Microsoft pricing, we sure are. Yet, there are other schools and businesses providing similar functionality with significantly lower software licensing costs. So, the great deal is quite relative. While I don't see us jumping to Linux on the desktop in the near future, such a change would also save us nearly $20,000/year in antivirus, antispyware, and DeepFreeze licenses.

Re:Stick with Windows

[wallykeyster]

You're getting Windows and Office on 200+ desktops for only $15,000 and you consider that too much? Are you on CRACK?

It seems that the Mods are the ones on crack. $15,000 may be peanuts to Anonymous Cowards, Inc, but it is significant to a small university. Our department lost one of our four technical positions last year due to budget cuts and we're staring at two years of not replacing a single server. We've cycled out less than 30% of our desktops in the past two years (combined, not per year). Don't tell me about peanuts.

Re:Stick with Windows

[geomon]

Welcome to the world of higher education - $15,000 is 1/2 of an FTE on average, not 1/5.

Are you including benefits and administrative overhead?

Take the annual salary and multiply by 1.5. That covers benefits. Add in administratve overhead (departmental adders) and you have a salary of $30K pumped up to $75K.

We hire students and post-docs from universities all of the time. What we get charged by your department is different than what you see in your administrative reports.

Re:Stick with Windows

Didn't realize how small your university was! I was assuming that 15,000 is a drop in the bucket of a budget that goes to supporting 200+ desktops. And as for support staff, I expect a pretty much level playing field between supporting a Windows environment vs. supporting a Linux environment. Also you have to look at the additional end-user support costs in moving your students and admin staff off of Windows/Office into Linux/OpenOffice (and before anybody jumps on me, I would make the same point in talking about a move from Linux to Windows). You WILL get sgnificantly more desktop support calls in your first year. You will pay a lot of overtime rolling out your new setup.

How many servers or desktop systems does 15,000 buy anyway? Is it worth the hassle? It just seemed to me that 15,000 is awfully, awfully cheap - to the point that even though there is a lot to be said for switching to open source, in your case it doesn't look practical.

AnonCow Inc.

Group policy

[amcdiarmid]

This is the way MS suggests in 2K:

Step1) Use Sysdiff to create MSI files of the application to be installed/removed.
Step2) Use Group Policy to apply the template to your workstations (In active directory)

You can use sysdiff /snap and /diff to create installation packages for the applications.

You then use group policy to apply/remove the packages to your workstation-guinea-pig and workstation groups at the appropriate times.

Get a case before you start. It will be more fun that way.

Question

[Tbeehler]

Quick question. Mod me as an idiot, but why couldn't he write a script that updates the desktops software to whatever version that is current? For example, if everyone's running firefox, next time they login, couldn't a script be ran to install firefox silently? Most, if not all, software that I've seen has some sort of silent install. The SUS server could probably stay if he didn't want to totally convert. I'm just curious because just about everything in my server room is Linux based, and I do all of my stuff through scripts instead of paying for another service. Of course, he could start out small, say only replace 1 or 2 servers with Linux, such as the print server or something simple like that. That way, if something does fail horribly, he can revert to his old setup rather quickly and not have 200 people breathing down his neck.

Keep it like...

[chris_eineke]

Keep it like us programmers keep it with optimizing:
1. Don't.

For experts only:
2. Don't (yet).
3. Profile before you optimize. ;)

huh?

[Knara]

This question was very poorly phrased, as it's not easy to tell if the goal is to go entirely FOSS for OS and applications, or just for some applications and leaving the underlying MS Windows platform in place.

Red Hat Enterprise Linux

Red Hat Network

There are companies that WANT to answer this

They want to answer this exact question, for you, for free. Call them.

Novell (SUSE) or RedHat.

They are both commercial vendors, and they want you to use their products. They will happily provide guidance on issues like this.

Use the resources that are out there!

If you are only deploying firefox...

[oringo]

http://corporatefirefox.blogspot.com/

Re:If you are only deploying firefox...

[Saint+Aardvark]

Now that's a helplful link. Thanks!

Unattended

[SuperQ]

http://unattended.sourceforge.net/

This is a great way to script installation of windows machines. You can put any applications you want into the system and use it to push machine upgrades out.

Re:Unattended

[esbjerg]

I can only agree. I use it to manage software installation and upgrade for all MS machines at the company where I work.

With unattended one can install and update not only MS products but all win32 software that can be installed/patched unattended.

Re:Unattended

[WillAffleckUW]

This is a great way to script installation of windows machines. You can put any applications you want into the system and use it to push machine upgrades.

And a great way to install virii and worms too ...

Use cfengine

[starfishsystems]

Software deployment is part of a more general subject sometimes known as software configuration management.

Since it's impossible to reason about security except with respect to a given configuration, this is a subject which deserves close attention, especially at larger sites where economies of scale are most effective.

Mark Burgess at the University of Oslo developed a mechanism called cfengine as a solution to the configuration management problem. It's multiplatform, mature, stable, comprehensive, secure, and it scales very well. I recommend it.

Re:Use cfengine

[drsmithy]

It's also a freakin' nightmare to setup and configure.

(But once you get your head around the weirdness, quite capable - although I only concur with the recommendation due to a dearth of alternative options.)

PatchLink

[bcit]

I work for a small college and PatchLink is the way to go for updates. It will update Windows machines, Linux boxes, Mac OS, and several other OS platforms. The system allows you not only to push out critical updates but software updates including office. You can also create custom packages and roll out your own software applications for Windows-based machines. Yes, there is a license fee but it is one package that I believe is worth the cost if you are going multi-platform. The company's URL is http://www.patchlink.com/

ZENworks Linux Management

[ezs]

Novell showed the next version of ZENworks Linux Management at BrainShare this year - it got a /. post or three: here

Key things - this is not just software distribution anymore - it's full stack management of Linux - server and workstation; Red Hat as well as SuSE/Novell.

As for customers - yes it's in use; yes Novell use it internally to manage their desktop and server machines. Usual disclaimers.

Re:ZENworks Linux Management

[G+Money]

Yes, version 7 is quite an improvement over what is essentially Red Carpet Enterprise. If they can integrate AppArmor security policies into it there really won't be any need for any other tools. The difference in the web interface alone is enough to make an admin cry. Just out of curiousity, you're not the same gentleman from Novell whose business cards actually read "Evil Zen Scientist" are you?

Re:ZENworks Linux Management

[ezs]

Is there another?

Unis have it easier....

[otis+wildflower]

... Just pxeboot everything and run diskless. Less electricity and more security. Upgrading becomes a matter of upgrading the server's boot and root shares, then rebooting the clients.

In fact, given a given upgrade and software budget, it may be cheaper and easier on you to write off the 'legacy' PCs and build a pxebooting set of diskless thin clients off Gentoo. You could even use them as a compile farm so when it comes to upgrading/patching your boot servers, all the little clients are actually _helping_ out!

That's SUS, Goober.

I just love you guys that spout off without knowing one thing about which you speak! He clearly stated that he presently uses SUS, as in System Update Server. You clearly know nothing about Microsoft systems newer than perhaps Windows 95.

The SUS server, free from Microsoft, automatically downloads all of the updates from Microsoft's Windows Update server and stores them on a local server. The administrator, one only, then reviews the downloaded patches and authorizes which ones he wants to be installed on the workstations. Using Group Policies, the administrator reconfigures the Automatic Update service on all of the Windows 2000 or greater systems on his network and points it at the SUS server, rather than the default Windows Update site. The next morning, ALL SPECIFIED systems have been updated.

It only needs ONE FRIGGING GUY to manage 10 machines or 50,000 machines and he doesn't have to leave his desk! The entire setup from start to finish can be setup and configured in an hour or less.

Now, the next level is to do this with applications beyond the Windows Operating system. But, hey, they have solutions for that too. Microsoft Operations Manager(MOM) and Microsoft Systems Management Server(SMS) provide complete management control over the Windows systems on the network. MOM is for smaller scale operations while SMS is the full on enterprise package. No, they aren't free but, organizations that require them can easily afford them.

Re:That's SUS, Goober.

[ganhawk]

Not to be a troll, but if that one guy is competent in Linux, he could set up a similar solution on linux where one box pushes updates or set up a cron in the image for all the computers to connect to the server and download updates. Sure it might not have the fancy GUI, but there are number of tools in Linux (we run a custom up2date server).

I have also built a system in the past for pushing files (not updates but data files for custom application) in the form of a ring. Each node runs a daemon that gets the updated file from the previos node, updates it and passes on to the next node.

Tivoli Configuration Manager?

[DennisInDallas]

Not excatly open source.. not even close.
Not cheap either.
It's probably an overkill if you only have a couple thousand boxes to manage.

Hiring students - rewarding the apple polishers with jobs - maybe the most cost effective method. It might have benefits from an educational perspective too.

Mod up parent

[wallykeyster]

Finally, someone who understands "make the stupid users update their own machines" doesn't work in the real world.

Re:Mod up parent

[Gilesx]

Sorry to reply to this thread like this, but I wanted to talk to you about your submission today, and can't find an email address - any chance you can drop me one?

Thanks!

I would be ashamed

[Vile+Slime]

Personally,

If I were the IT Director somewhere and I didn't even know the basics of what is arguably the most powerful networked operating system available today I would be ashamed to say it.

Get a job in another field. The people you support will be greatly appreciative.

Mozilla Foundation has management tools

[guanxi]

... at least, according to some articles they do. See my post on Mozillazine:
http://mozillazine.org/talkback.html?article=6602# 10

It would be very helpful if they would release them, even in some incomplete, unsupported state.

Marimba or HP Radia

[Smoky+D.+Bear]

Our company has evaluated alot of different packages lately. The two top contenders have been Radia and Marimba. Marimba is expensive but does everything you can imagine for both Windows and Linux. Radia is much cheaper but not as mature. When you look at how many man hours Marimba saves, the price becomes far more resonable (I would never be able to call it cheap)!

Re:Marimba or HP Radia

Go with Marimba. It is far more flexible, intelligent and diverse. Its supported on Windows, Linux, Mac OS and Unix. The architecture is slick and smooth. HA is built in. Works well with firewalls and proxies. If the product doesn't do what you want and you have a Java developer then the sky is the limit. The product has public Java APIs that are fairly easy to utilize to accomplish everything you can imagine. Not very many products out there had developers in mind but this one did from day one! The founders (4 of the original Java team at Sun) did a great job!

Re:Marimba or HP Radia

[Smoky+D.+Bear]

Thanks! They haven't given us alot of info so we didn't know about the Java API. That will make a big difference. Gotta love sales-people,

out of context quote

"I can do 2 students with room left over for a trained chimp" - tekiegreg

best one ive read all day

Sounds like....

[Procrastin8er]

you are getting off pretty cheap, at $15K. I would careful with any move you make, you could easily burn though $15K in a couple of weeks.

Completely true - your M$ solution is good value

[firestarter]

I sympathise with what you're saying, but you're getting a fantastic deal here.

Just for the manpower to change over you'd be looking at $50k+, and that wouldn't include training, hiring etc. to get the right people to manage an open solution.

You might want to sell this to management using another reason (security?) but you definately can't make a case out of the cost saving, 'cos there isn't any.

Re:apt-get upgrade ?

"apt-get install a b c d ..." would be the easiest way. You can also look up things like apt-pinning. But "apt-get upgrade" doesn't upgrade *every* package, only those which have newer versions in your local repository; so don't upgrade the software in your repository until you want to deploy it (you could probably set up separate unstable/testing/stable branches for a bit more control).

Another thing to look at is tasksel / virtual packages - you can define your own machine types ("software development", "hardware design", "management", etc.) and choose exactly what software (including specific versions) goes in each.

Red Hat Enterprise Linux is $25 per seat

[csoto]

This is an annual subscription. You get automatic updates via RHN (plus a lot of other crunch RHN goodness). I believe you might even be able to set up a local satellite server for updates. It's quite a good deal.

Re:Red Hat Enterprise Linux is $25 per seat

[gedhrel]

As someone with a colleague who works with a RH satellite server, I'd urge you to not just believe their press. The box turned up misconfigured; the support service was useless and my cow-orker had to figure it out himself. Not a good start for a site shelling out 25k (GBP) for apparently top-line support.

Then recently we had another support incident over an apparently "known issue". RH support give a list of instructions on the phone. "How do I back this out?" Well, you don't need to, done this a thousand times, it's a doddle. Hey presto: one f*cked satellite server. And the backout process they recommend? "Restore from backups."

We're less than impressed. If you're like us (25k users, about 10k desktops) I'd recommend rolling your own with debian. Since you wind up rolling your own with RH anyway :-/

Terminal Services / K12LTSP

A few 2 and 4 year colleges have adopted K12LTSP, and it may not be a bad way for you to go. Combinde with a few MS TS boxes, and you get both on the same box, at the same time. So instead of managing 500 boxes, you now have 20 to think about.

He's asking about Microsoft, not Linux...

[stanleypane]

The original poster of the "Ask Slashdot" article specifically stated that they are a mostly a Microsoft shop. Yet, the only +4-5 moderated posts I see all refer to easy ways of dishing out software via Linux or BSD. Am I missing something? Why give great moderation to someone answering a completely different question?

That being said, I think it's quite obvious that this is one area Linux appears to have an advantage over Microsoft. I know I'm tired of manually updating 50+ copies of the MS Office 2003 suite because it doesn't have an automated way to update itself. Unless, of course, I've missed something?

Zenworks Sucks

[mgrennan]

I work for a large car rental company with hundreds of Linux system running their e-comm systems. We started with the RedHat Network system. It worked ok and we where able to keep our servers "Up2Date". But this is a poor solution for workstations. It doesn't keep a good inventory and the licensing is a BIG hassle. You can also not add your own "packages" to the management process.

While still useing the RedHat network. I built our own YUM repository and reporting system. This was very secsessfull. Systems, including desktops where keeped updated well and I was able to keep an inventory of the RPMs and File exceptons on each system. Reporting was a bit ruff but it was in the work. This sort of hand rolled system was working well but management doesn't lile "hand rolled" work so we perchased ZenWorks as a recomendation of IBM.

I have been trying to get Zenworks 6 and 6.6 working for months now with little results. The installation was very ruff because the documenation is just brain damaged. Novel messed up the purchase and we went three months with no support.

I have support now and the support personal are trying their best but I can tell they are trying to make a silk bag out of a pigs ear. :-) System are not getting updated at all now. This system Hertz so much I've all but given up. Maybe version 7 will be better.

ZenWorks does support you creating your own channels. But like the RHN, reporting is bad. I tryed to figure out the database structure (Postgress) and write my own reports in Perl with limited sucksess.

If money is no limit. Write your own.

firefox 1.0.4 msi

[xpyr]

Found this through google:

http://frontmotion.com/Firefox/

They still haven't worked out the GPO quite yet, but it's definately promising.

Was I the only one who, for a second,

[the_rajah]

thought "Enterprise" meant NCC-1701 ?

Re:Was I the only one who, for a second,

[hansonc]

nope. you missed the joke by at least 5 other people... they weren't funny either though.

Re:apt-get upgrade ?

[Doc+Ruby]

That's Informative :). It seems that apt has the APIs to allow my common scenario. Any tool that lets me graphically maintain a structured list of just the apps I'm keeping current? With per-app rollback?

take of the blinders

fuck debian apt-get. I'm getting sick of hearing it. It is NOT a centrallly MANAGED solution for updating a large number of machines. Get it through your heads already

Repackage Updates as MSI

[sybarite]

Hi Wally,
There are many softwares available that can repackage an install as an MSI. You can than repackage your updates to Firefox, etc and apply using Group Policy as you are used to. There are even some OS efforts (http://msi-repackaging.sourceforge.net/)

I hope that you don't let software distribution be a stickler here. The benefits to rolling out Firefox, etc are many.

Radmind

[Joystickit]

Radmind is exactly what you're looking for. It makes managing lab, office and kiosk machines a snap. It works on Linux, Solaris and OS X. I've been using it for years as have many other schools that use these operating systems. It's pretty easy to use (I had no real command line experience coming to use it on OS X, but do it all via command line now), fast and actively developed. Essentially it is a filesystem manager, but works with transcripts (essentially lists) of files and there is a priority system for what can override what. It gives you lots of control and is very scriptable. I highly suggest you check it out.

I never new that....

[mestreBimba]

the Enterprise used open source..... but now that the series has been canceled isn't this whole discussion kind of moot?

And I didn't like how they killed off Trip in the last episode.

Use your current distribution system

[Colin+Smith]

You must have a distribution system for all of the existing applications you have on your machines. Just use that. Open Office and Firefox are no different from any other app.

Linux systems are simple. http://www.infrastructures.org/

Firefox/OpenOffice and SMS

Am I missing something? Why not use FireFox/OpenOffice with SMS or the like? Should be pretty simple to set up.

PSPP

[jbn-o]

Better to help fund or contribute work toward the programming of PSPP, a free software replacement for SPSS. The questioner did ask specifically about free software.

PC-Duo

[gsparrow]

We use PC-Duo for inventory and software distribution. Works fine with about 500 client PCs. I also think that it integrates with SUS. http://www.vector-networks.com/

Network filesystems, yes. NFS mount /usr/*LOCAL*?

[Colin+Smith]

No. Put it somewhere else.

If you want to learn how to scale unix systems management a good start is infrastructures.org. You don't have to follow their ideas slavishly but it'll get you into the right mindset, and that's what matters.

Keeping Unix boxes up to date is simple once you understand how, the effort required to manage 1000 machines is only marginally more than 100 which is only marginally more than required for 10.

Automated Deployment of Firefox / OO.org

[KagatoLNX]

A lot of people have seemed to think this question was about going totally Linux (and many claiming that the MS deal was a good "value").

In case the question was about using FOSS on a Windows network (for the time being), the following might help.

This tool is fairly useful for deploying Firefox on a network:

http://firefox.dbltree.com/

As for OpenOffice, I use central network location, see the setup guide (I think you have to run setup.exe with the -net option). I'm not sure what must be done from there to automate installation, we usually do it manually because Workstation installs of OOo (from a central network location) take seconds.

As for the question of whether the MS deal was a "good value". First, let me say that there's more to "value" than cost. Also realize that $50000 per year might be cheaper than MS's $15000. Once you figure in MSCE training for an IT team and the increased labor it takes to run a Windows network you might be surprised. Believe me, once configured, Linux machines can be dead reliable and reimaged lightning fast, I do it for a living. That said, Firefox has saved me 8 hours per week at one client that only has 10 computers.

Well, ask your purchasing department how many suppliers it has for, say, light bulbs. While more than a few places say "just one", I find universities in particular tend to have four or five suppliers solely for the purpose of leveraging one against the other for good pricing.

What's the point of my story? The point is that MS as a single supplier means you will pay as much as they want you to. Of course it will always be "a little cheaper". In a software world with real competition, that will change.

Regardless, it's worth pointing out that increasingly it is the case that people are choosing FOSS for reasons other than price:

http://www.groklaw.net/article.php?story=200504260 92929216

how Windows-like do you want to be?

[brre]

Windows has an advanced, highly effective software update method for the enterprise: it's called viruses. Such a bargain for only $15,000, you get all sorts of software delivered to your desktop.

Too bad SUS is crap.

SUS only pretends to be a solution. We've been trying to get it working for over half a year now. It's extremely "beta" in quality... perhaps actually "alpha" instead. It can successfully deliver minor and trivial patches and updates, but that's it. Any serious updates and it falls on its face -- still requiring a hands-on visit to each individual PC to do the familiar old "install-reboot-install-some-more-reboot-setup-reb oot-reboot-to-make-the-reboot's-reboot-take-affect " followed by another reboot just for good measure. About 1.5 to 2 man-hours per PC to get them back in working order after a SUS push-out botch-job.

Red Hat Network.

[gdek]

http://www.redhat.com/software/rhn/tour/

Two things to keep in mind:

1. Linux system management offerings across the board are a *ton* cheaper than their counterparts for other OSes -- largely because the mechanisms for installing and uninstalling software are integrated much more tightly into the OS. RPM is built into SuSE and Red Hat in a way that installshield never will be. But hey -- price it out and see.

2. This kind of service is *precisely* what an enterprise customer pays for. The ability to roll out hundreds of packages to thousands of systems, on demand, is what differentiates a large enterprise, that can pay a lot of money, from a small mom-and-pop. Small moms-and-pops? Install an apt server for your Ubuntu packages, or whatever. Growing company? You can spend a year's salary on a sysadmin who build and run your package distribution infrastructure for 200 systems, or you can pay a fraction of that for a system built to do that in 10% of a sysadmin's time. Like, say, Red Hat Network.

LANDesk Management Suite

[ErMaC]

I work at a large public university doing IT, and we use LANDesk Management Suite to do all our package management, OS patching, inventory, OS Deployment (imaging), and much more! The application is really great for people who like to get under-the-hood, because its package builder is robust and high configurable, and it supports scripting at multiple levels, can integrate with AD or run without it entirely (we ran it on our NT4 domain infrastructure for years), and the best part is if you have feature requests the company listens. They're a firm where you call up their tech support guy with a problem and he says "Yea, we've got a guy here who's been working on the problem, I'll send you the beta of our fix and you can try it out". They're smart people, and I like that.
We've gotten to the point where we can walk up to a machine, reboot it, PXE boot to Landesk's client, select an image from a menu, and the machine images itself, joins the domain, sets its static IP, reinstalls the Landesk client, patches the OS, updates applications, and reboots without us touching it again!
Version 8.5 even does Spyware detection and removal!
Highly recommended.

Re:That's SUS, Goober. Terms correction.

SUS = Software Update Services
WSUS = Windows Server Update Services

Both free. WSUS is the follow on product to SUS. WSUS is currently available in Release Candidate form. With reporting capabilities this is a nice match for a smallish (~200) workstation environment.

If you're going to rant about M$ knowledge get the facts right.

Re:I haven't had a problem

I've run both SUS and WSUS. Both have worked well for me. I have about 450 workstaions and 35 M$ servers. I patch them all without incident with WSUS now. For the last year I used SUS and my own reporting scripts. What I really like about WSUS is the reporting capabilities. Because WSUS is built on a SQL Server DB (or MSDE) you can build your own reports.

The only issues I had was getting it to run with the NSA security templates/guides. After that day of pain it's been clear sailing. Including SP4 on Windows 2000 Pro on 200 of the workstations.

Radia

[Bloody+Templar]

The company I work for uses a product called Novadigm Radia, which has apparently been bought up by HP, judging by the web site.

ts/citrix

[asciiRider]

Simple - use terminal server and use those PC's and thin clients.

If you add Citrix on top of Terminal Services, you get packaging and deployment tools as well.

This way you get a common platform that is easy to update and is accessible from any device, from any location.

zenworks

[simoncrute]

zenworks
http://www.novell.com/products/zenworks/index.html ?sourceidint=productscatmenu_zenworks

Manage windows and linux machines.

(yes, I'm biased. I work for Novell, and manage their internal ZLM server in emea)

Updating software on Mac OS 10

[Dr.Who]

Slightly off topic, but in line with the theme of non-windows system management in network environments.

What do people recommend to distribute software to a small number (say 10) of Mac OS 10 computers on a network?

It wastes time to have one person install and configure software on multiple computers. The results from having users install software themselves is extremely variable. One can try to conserve bandwith by downloading one image to a server, then installing from there, but it gets tedious (and error prone) after a few.

BTW: I suspect that most sites with 10 or so computers will not be running OS X Server on any computer, and will not have access to the Apple support resources.

Re:Updating software on Mac OS 10

[jakob_grimm]

Radmind.

check out Altiris Client Management Suite

[milobloom-ab]

This product performs the same functions (and more) than Microsoft's SMS. (different from SUS, I know.) The application packaging/deployment part of Altiris would be a way to apply updates for FOSS products, and the database tracks which application packages have been applied to which machines. It has its own client that has to be installed on each machine (though there is a client install wizard to speed that along). You might also sell this based on the ability to integrate Altiris' real-time inventory solution, using the same client software.

http://www.altiris.com/products/clientmgmt/

Comment removed

[account_deleted]

Comment removed based on user account deletion

The moral of the story... Test

One of the nice things about SUS/WSUS is you define whether it should auto-update or notify an SA there's a patch ready for install.

One of the things we are supposed to know about our environments is which patches have been tested and locally approved for install and their install deadline.

WSUS let's you define a test group of systems. After testing I auto-deploy to workstations and push the file to the servers for my SAs to install.

A few options (assuming your base platform is Win)

There are actually a few methods open up to you for either automating or managing your Windows-based applications and they aren't limited to the open-source apps alone, but pretty much are the same for all apps on the platform (Windows).

They include:
-3rd party proprietary products which are built for mananging Windows apps and/or desktops (or servers). They include products from companies such as: Altiris, HP (who remarkets Altiris solutions), Novell (ZenWorks), Microsoft (SMS), IBM/Tivoli, etc. Most of the products can end up being a bit spendy, but if your short-staffed, they can fit the bill quite well (and usually pay for themselves in time)...but please, try BEFORE you buy, because some of them just may not work as well as others or may not fit your organization as well. Make sure you identify what you really need the tool to do (as well as things you'd like it to do now or in the future) and make the vendor prove to you it'll work in your environment (set up a proof of concept and play with it).

-Scripts (via scripting languages, such as KiXstart, REXX, etc.) which can be kicked off separately or as part of the logon/logoff scripts to kick off updates or check config files. NOTE: these can call other 3rd party or open source apps, but they may not need to...I worked for a university in the past where we scripted quite a bit via logon scripts and were able to manage a number of updates for OS and apps, as well as other areas pretty effectively and very inexpensively. This used to be used more in the Netware days, but many organizations still utilize scripts to do quite a bit of work. Used to be much more reliable and flexible to use than group policies.

-Use group policies...believe you can use group policies to deploy software. I seem to recall you have to become familiar with the process of creating installer packages as well as get the software to create them (WinINSTALL?), but that it was possible.

-Open source products or components (such as cfengine, wget, etc.) which can be used with some method to kick them off on a regular basis (e.g. logon script, scheduled task, etc.). You could use these components as part of a bigger system. You could go so far as to take the work on apt and/or similar stuff and try to build a repository/package management system around MSIs, but that'd be a bit of work...could be someone has gone this far elsewhere?

Any or all of these can be used alone or in concert with each other--be sure to "right-size" the proper solution to the situation or application you need it to do.

Now this last bit is totally my opinion, but I do have to deal with folks who keep saying "nobody got fired for buying Microsoft". And before you ask, I don't hate MS or anything like it (use some of their stuff almost every day). Just feel that as an IT Director or Professional, you have to do your work and ensure that you are getting the best solution for the problem or situation you need to fix. Don't just blindly buy/use any product (proprietary or otherwise) without some investigation first!

Remember, MS is in the business of making money off of you. Because of that, it is in their best interest to lock you in to products/situations which further their cause, because they can't really afford to have folks look elsewhere. MS has never really wanted to play on a level playing field and avoid it at all costs usually (just look at their "get the facts" campaign where they compare the costs of Linux on a mainframe vs. Windows Server on an Intel box...puh-lease)...but open source software and Linux are proving to be a formidible foe, not just because of cost, but because FINALLY, there is some true competition on more of a level playing field than ever had before. Sure, IE/IIS/SUS/WSUS may be free, but that's only because they're getting money from you in other ways or already have it. And they know that once they've hooked you, you're probably never going to look around unless something pretty compelling comes and taps you on the nose.

Donald Trump is on line 2, for you.

We've been trying to get it [SUS] working for over half a year now.

Donald Trump says; "YOU'RE FUCKING FIRED!!!"

It only takes an hour to set up SUS for up to 1,000 client systems. More systems require more SUS servers so the time increases accordingly. If you've spent 6 months and still don't have it working, you really should be fired.

I know trivia is fun, but why is this news?

[ForemastJack]

Updating Free Software in the Enterprise?

I mean, I dunno; I never gave it much thought. I just always sorta figured that Mr. Scott handled it, or maybe one of his crew chiefs.

Wait -- what?

$15,000 / $500 is 300 new machines each year

In reality, you could buy off the shelf Dell or compaq machines with Office installed for $500 each and roll out 300 of them each year with no extra costs over your $15,000 maintenance.

If most users use nothing other than office, IE, and email, then you could force them to save on a network drive and use a generic desktop disk image.

It would help if this $15,000 is broken down into
a. desktop software costs
b. server software costs

If MS ever goes to the Novell Netware model with no locally writable disk, then your costs go down by an order of magnintiude.

Re:$15,000 / $500 is 300 new machines each year

[buckminster]

I don't follow you. You seem to be missing a zero somewhere. Is this new math?

300 machines at $500 each is $150,000.

Re:$15,000 / $500 is 300 new machines each year

[Dwonis]

$15,000 maintenance, not purchasing cost, I think.

Re:$15,000 / $500 is 300 new machines each year

[wallykeyster]

In reality, you could buy off the shelf Dell or compaq machines with Office installed for $500 each and roll out 300 of them each year with no extra costs over your $15,000 maintenance.

Other than the logistical impossibilities (we can't replace all 300 machines immediately so we're without licenses as soon as we cancel our Campus Agreement), this also puts us right back where we were just a few years ago. What happens when Office XL 2007+ comes out in a few years? What happens when we replace a machine? OEM licenses are not transferable and offer no upgrade protection. Also, your wonderful $500 machines usually have one year warranties, use shared video RAM, include the lowest end processors available, and generally are not built for the enterprise. What's the real cost of buying a slightly cheaper machine that has a significantly shorter lifespan? I'm sorry, but that is actually a much worse suggestion than our status quo.

Read my paper (self plug!)

[dieman]

I'm sorry I've still not put all of the extra stuff (configs) online, but this is how I do it:

Read my paper from the Asia Debian Mini-Conf 2005, Mass Debian Desktop Administration.

Marimba

[Stonent1]

Marimba makes their software management system for Windows and Linux.

On RedHat/Debin

You setup kerberos for authentication.
NFS for shared directories.

A local package reposisotry to hold your updates.
And a cron job that runs Yum/Apt.

Done/Done.

With Unix the management tools are largely built in, which is why you can't find them.

Call IBM

[The+Last+Gunslinger]

Seriously. Their Tivoli brand of software is aimed toward enterprise-class systems management...and the apps all run on Linux. Tivoli Security Compliance Manager lets you build profiles of what each system should have installed and how it should be configured (even the BIOS) and periodically scan them to make sure they match. And when any systems don't match your profile for how they should look, use Tivoli Configuration Manager to push out the changes that will bring it back into compliance. Also useful for pushing out patches, updates, etc, etc. Did I mention that it runs on Linux? http://www-306.ibm.com/software/tivoli/products/co nfig-mgr/

Re:Call IBM

Tivoli.... he only has $15,000 to spend... You couldn't get the Tivoli consultants to come in and say "HI" for $15K :)

UNIX has a long tradition of automated management

[tubaman24]

Check out http://infrastructures.org/

Blade server with vmware

[fadethepolice]

You can achieve all of your goals with the above. You will not save on the licensing fee, but who cares you've got a blade server that can launch virtual windows servers!

Re:A few options (assuming your base platform is W

Neglected to mention a few other 3rd party apps (sorry): Radia (also remarketed by HP), Marimba, Amtsoft (Prism Deploy/Pack), and there others too.

Re:That's SUS, Goober. Terms correction.

[ampmouse]

Actually, they are not free. In order to use any of Microsoft's "free" software you need their Operating System (Windows) which is NOT FREE. You are paying for both SUS and WSUS when you buy Windows.

yum (for rpm based distros)

I believe that this is exactly why yum was developed at Duke University. URL:http://linux.duke.edu/projects/yum/ It works well for fedora. I don't know about other distributions. --AC

How good is SUS?

[JimmytheGeek]

I've tried some other patch management stuff (I even was a contract tester for MS for SMS 2.0) and didn't see anything I'd be comfortable relying on.

Of course, an inactive sneaker-net is no improvement.

I'm just deeply skeptical that a registry bit saying an update is required is the same thing as getting the update installed and verified. Even Windows Update, presumably written to update Windows, absolutely SUCKS at this, with silent failure or even untruthful failure ("Update succeeded!" when update did NOT succeed)

Re:How good is SUS?

[Master+of+Transhuman]

And the nice part about Windows Update is the thing will say an install failed, but NEVER WHY. Real helpful...

Re:How good is SUS?

[JimmytheGeek]

I'm planning to push some hardware upgrades via Group Policies. All cd-r's are now cd-rw! Cool! I'll dictate that all workstations now have more memory, too.

Do It Hardcore!

[Maljin+Jolt]

Gentoo: compile your ebuilds on server then let workstation sync with binary packages only as often as you want. You will get absolute control over everything and you can have up to day security fixes.

I thought they cancelled ST:Enterprise?

[WillAffleckUW]

Is that why they need free software?

Just ask Kirk to write a check from his royalties for that travel firm - I'm sure he can afford it.

It's a little late for that...

Updating Free Software in the Enterprise?

It's a little late for this to help, but I'd go with: "Computer: Update your free software. Then take us to warp 5."

"Mod sheilds: UP!"

Re:It's a little late for that...

[Master+of+Transhuman]

Computer - Install mod spellchecker.

"Yes, Captain - mod installed"

Computer - Run spellcheck on parent post.

"Running spellcheck..."

"One error found - 'sheilds' should be spelled 'shields'"

Computer, disable parent access to the Net.

"Running...Parent disabled."

Upgrading software on the Enterprise?

[MiKM]

Re:Upgrading software on the Enterprise?

[Chris+Daniel]

I don't think you understand the idea of joke posts. You're supposed to make a joke.

simple

[killtheOSSnazis]

If you want to easily update and distrubte these updates.. you can do so with AD group policy. You will have to repackage the software with msi and do updates with mst files. The only real drawback is the machines imo, need to 100% exact for this to work properly. although it can work without it being exat it is however muych easier though.

BigFix?

[AstroDrabb]

We use BigFix. It is a _very_ nice program. We dumped SUS for it because BigFix is so much better. BigFix handles MS Windows as well as other platforms. BigFix can download SRPM files for our Linux servers, compile the source RPM and then deploy it. It handles our Solaris servers as well.

If you are on a small budget, you can just go with simple scripting. Pick a Debian based distro or an RPM based one (SuSE or RedHat only) and you can script all you need. Enable SSH for every system you deploy, desktop and server. Then you just write a few simple scripts _once_ and you can push down any update you need.

Red Hat has their own update stuff and you can pay them extra and run your own update server on your local network. However, where I work we have found Red Hat to be _way_, _way_ overpriced (I work for a multi-billion fortune 500). We are starting to look toward Novell SuSE for our Linux needs. Novell SuSE is _way_ better priced. If you look at a Red Hat Linux solution and an MS Windows Solution, MS will usually be less expensive! I personally don't know what Red Hat is thinking. However, if you go with Novell SuSE, you will see that Novell SuSE is far less expensive than MS. Also, Novell SuSE has some very nice tech that they got from Ximian. As you pointed out, Ximian, now Novell, Red Carpet, is a very nice corporate update client. That is the whole design of the product. You have one local update server and put the client on all your deployed systems and Novell Redcarpet handles the rest.

With Linux you have tons of options. If you have a really bare-bones budget, I would personally recommend a nice Debian solution. I have been using Ubuntu on my desktops at work and at home and have been very pleased with how easy it is to upgrade with out dependency problems. I originally used Fedora Core, however I would run into repository conflicts often because every Fedora repository out there tried to be "The" repository for Fedora. So you would have 3 or 4 versions of every package and they would all conflict. You won't run into that with a Debian based distro.

If you have a bigger budget, look into Novell SuSE (which is still very cheep) and their Red Carpet client/server to handle updates. If your budget is even bigger, you can look into BigFix. However, I think BigFix is priced more as a bigger corporate product, though for our budget, BigFix was still priced nicely per/client.

As I said, you have _tons_ of options with a GNU/Linux deployment. Build yourself a seperate subnet and spend a few days testing to see what level of support you want. Obviously, the less support you or your staff want to do, the more you will pay for your solution. You could spend 10's of thousands if not 100's of thousands (or millions like us) for a complete MS software "assurance" package or you can go very lowlevel and build your own GNU/Linux system like Linux From Scratch (which was very fun for a personal project but _way_ too much work for a professional solution for more than 5 systems).

I persoanlly think your best bet is a hybrid system of Linux and MS Windows. As I said, get a test lab/network. Then use the right tool for the right job. Try to build a lab that is all or almost all Linux servers with mostly MS Windows XP desktops. On your MS Windows desktops try to use OSS software. For example, deploy Firefox and OOo.org. Maybe for some more tech users you could even get some Linux desktops in that mix. For your development needs, use OSS tech such as Tomcat or PHP.

Honestly, I would personally love to be in your position. It sounds like you have the ability to use the "right tool for the right job" without all the PHB crap or extreme OS bias. Where I work we have 140,000 employees and changing technology is like the changing of the North pole ; )

The simple solution

[dtfinch]

Set up a big big squid proxy and let the systems auto-update normally, and be prepared to fix anything the moment it breaks.

Re:The simple solution

[tweek]

You might THINK that's a good idea but Windows Update for instance, changes the name of the downloaded file per host and also tells squid NOT to cache. You could get around it as we tried but it doesn't matter since the objects will do nothing more than fill up your cache beyond disk space.

SMS

SMS is a fairly simple answer. It will allow you to create pushes that you can send to all the machines in your AD domain.

Windows clients use SMS, Unix clients use cfengine

[ccktech]

On windows clients I would use SMS to push out changes. On unix clients I have set up cfengine to to the same.

Pushout of Firefox in MS environment

Create an MSI of the Firefox browser and use group policies to push it out.

Assuming you are running a MS Server there somewhere :D

wpkg a useful tool for application management

[gregoryo]

Wpkg or Windows Packager, is a tool that can be used for managing application rollout and versioning.

As long as a way to install, upgrade and uninstall a given software package silently (ie programmatically) can be found, then using this tool is a snap. It runs as a service on Win2k and XP (perhaps others) and causes the given machine to keep itself up to date with the central repository and profile status (xml files on a server). There's even a html back-end under way to manage the xml files.

http://wpkg.sourceforge.net/

Wrong option?

[zonix]

Just checked the options ... shouldn't that be:

firefox setup 1.0.4.exe -ms -cleanupOnUpgrade

z

Lesson number one: get rid of Microsoft

[Master+of+Transhuman]

Here:http://observer.guardian.co.uk/business/story /0,6903,1483969,00.html

The Networker
Lesson number one: get rid of Microsoft

John Naughton
Sunday May 15, 2005
The Observer

Drive past any secondary school in the UK and you'll see an institution that is struggling. No: this is not a column about academic standards, dumbing down, bureaucracy, Ofsted or any of the other obsessions of the Daily Mail .

In fact, many of these struggling schools are academically excellent. What they are having difficulty with is something much more mundane than teaching or learning. They are trying - and failing - to manage their IT systems.

How come? Most British schools are hooked on networks that consist of hundreds of PCs running various flavours of the Windows operating system and Microsoft Office software. Now it is perfectly possible to run an effective Windows-based network, just as it is possible to dig your garden using a teaspoon - provided you employ a hundred gardeners to do the work.

The problem is that keeping such a network up and running requires a great deal of technical support - the equivalent of three full-time trained technicians for an average secondary school. And upgrading the system to keep track of changes in Microsoft's operating systems is expensive. Basically it boils down to throwing out a third of your computers every three years and buying new machines that can run the latest version of Windows.

Nathan Myrhvold, Bill Gates's former technology guru, used to joke that 'software is like a gas - it expands to fill the space available'. The programmer Martin Reiser put it better: 'software gets slower more quickly than hardware gets faster'. (In other words: 'Intel giveth, and Microsoft taketh away.')

Although the corporate world complains about this virtual arms race, it generally pays up because it can afford to. But schools cannot - which is why when you talk to ICT co-ordinators in education you regularly hear phrases like 'running to keep still' and 'struggling to stay on top of it'.

You hear stories about how difficult it is to recruit and retain IT support staff on the salaries schools can afford, about staff spending much of their time rebuilding crashed or vandalised PCs, about teachers who are contemptuous of the level of IT support, about up to a quarter of PCs being unavailable at any given moment, and about dissatisfaction with the Microsoft-supplier compa nies, which enjoy a semi-monopolistic hold on the education market.

And you hear head teachers wondering what will happen when Longhorn - the much-delayed new version of Windows - arrives and renders most of their existing computers obsolete. The state of ICT in UK schools is a public scandal.

In part, this is due to the fact that head teachers are expected to be chief information officers without being given any training or support. As a result they are easy meat for commercial companies touting Microsoft 'solutions' to their ICT problems. They fall for upfront discounts and wind up with systems they can't afford to support or upgrade. Only later do they realise that between 50 and 60 per cent of their annual IT budgets will have to go to keeping their discounted networks running.

This last statistic comes from Becta (British Educational Communications and Technology Agency), which describes itself as 'the government's key partner in the strategic development and delivery of its information and communications technology and e-learning strategy' for schools. Until comparatively recently, Becta seemed to function mainly as a cheerleader for the proprietary status quo, effectively functioning as an agency for negotiating discounts from suppliers. But now, after a major shake-up and the installation of David Hargreaves as its chairman, Becta is finally waking up.

On Friday, for example, it released the fi

trouble finding support for Enterprise management

[dbIII]

but I'm having trouble finding support for Enterprise management

It's actually a lot easier to manage things in bulk outside of MSWindows. Look at the cluster management tools. It may be as easy as "cexec rpm -U new_package.rpm" typed on a single machine to upgrade an entire department to a new package - that example is c4 and Redhat, but there are a lot of other alternatives.

Script it

[vginders]

psexec @computerstodeploy.txt -u user -p pass firefoxsetup.exe -ms

Also check http://www.frontmotion.com/Firefox/

Keep local local, use /usr/share

[dbIII]

What I did for other schools was having /usr/local mounted on a file server

Informative? So many people miss the incredibly obvious, you use /usr/local for only the local stuff and /usr/share instead for the shared stuff. Developers rightly assume that you are going to put the local stuff in local, so for example your network UPS software designed to bring a pile of machines down when the one monitoring the UPS sees the charge dropping may not work as expected, since you'll have the one config for a pile of hosts instead of having a master and a pile of slaves.

Re:FREE Lesbian STRAPON PORNO-oh-oh-ohhhh

Cyndi Lauper is retarded or no?

Yes.

Patch Management/Deployment products...

[cowbutt]

...I'm looking at, so far, are Patchlink and Managesoft. Maybe even Symantec's ON iPatch, if they can be bothered to get back to me (I think they've renamed their product too, but they haven't bothered to tell me that either).

My current employer is a UK university with Windows PCs numbering in the thousands.

LTSP

[tmillard]

The Linux Terminal Server Project would make it "easy" to have everyone be the same.

Since you a Microsoft shop

[6502_C64]

If the software updates are MSI (Windows Installer format), you can deploy them using Active Directory group policies. If you already have SMS in your environment, you can use the software distribution feature to push out software. As for SUS, you're limited to distributing Microsoft Security and Office patches. Check the forums on myitforum.com if you want to roll your own solution.

hate admins

> and settings pushed to clients via group policies

may I kill the first admin who change my seetings?
With any luck there will be no second idiot...

Re:Network filesystems, yes. NFS mount /usr/*LOCAL

infrastructures.org? I dunno. When I see a website that is difficult to read (font, size, layout, use of HTML) and it is about technology, I figure that they don't have all their clues in place.

15,000 is nothing

[jbplou]

You pay 15,000 for office, CALS and upgrades to all your computer OS's. If that extends across your enterprize you'd be crazy to ditch that in favor of OSS. Its gonna cost you much more than to migrate to OSS and your users will not be happy if they can't use MS Office. I personnaly Open Office but non-nerds view MS Word as the only word processor anything is just a rip off to them.

Pointless

[dynamo]

Don't even bother updating the software. The show ended last Friday, so no one will see that BSOD on the science console.

Debian preseed install

[Todesmetall]

There's a very short explanation here

If Windows is the target System...

[the_archer666]

... and the workstations are uniform, may InstallWatch and InstallRite, together with an scheduled Task or logon-script would do the trick? http://www.epsilonsquared.com/