Updating Free Software in the Enterprise?
wallykeyster asks: "I'm an IT Director for a small private university in the U.S., and we are largely a Microsoft shop. We pay over $15,000 each year for our Campus Agreement so that we can upgrade the desktop OS to our version of choice, run Office, and have some Client Access Licenses. I would like to move to FOSS solutions, but I'm having trouble finding support for Enterprise management. For example, OpenOffice and Firefox (both of which I use personally) would be easy first steps, but IE is updated automatically via our SUS server (and settings pushed to clients via group policies) and Office updates will be included soon. How are other larger organizations (i.e. more than 200 desktops) dealing with software deployment and updates? Is anyone using Zen with Novell Desktop Linux?"
Run a local Debian package repository, only put updates you want in it, point your system's sources.list at the local repository, and add the following to the crontab for every system you deploy:
0 3 * * * /usr/bin/apt-get update; /usr/bin/apt-get upgrade -yq
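A guard for the setup described in the comment above, as an added example that is not part of the original post: the nightly upgrade only installs approved packages if every APT source really points at the local repository, so this checks that before running the same two commands. The host name `apt.internal.example` and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: refuse to upgrade unless every APT source points at the
# approved internal mirror. Only the single file passed in is checked;
# files under sources.list.d would need the same check (not covered here).

# sources_only_from FILE HOST
# Succeeds (exit 0) only if FILE has at least one deb/deb-src entry and
# every entry's URI host is exactly HOST. Offending lines go to stderr.
sources_only_from() {
    file=$1
    host=$2
    awk -v host="$host" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blanks
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) {                    # skip "[arch=... key=...]"
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            seen++
            h = $i
            sub(/^[a-z+]+:\/\//, "", h)          # drop scheme://
            sub(/[\/:].*$/, "", h)               # drop :port and /path
            # Exact match only: "mirror.evil.test" style suffixes, userinfo
            # and file: URIs all fail this comparison.
            if (h != host) {
                print FILENAME ": " $0 > "/dev/stderr"
                bad++
            }
            next
        }
        {
            print FILENAME ": unrecognised line: " $0 > "/dev/stderr"
            bad++
        }
        END { exit ((bad || !seen) ? 1 : 0) }
    ' "$file"
}

# upgrade_if_pinned FILE HOST
# Runs the update/upgrade pair from the crontab entry only when the
# source list passes the check above.
upgrade_if_pinned() {
    sources_only_from "$1" "$2" || return 1
    /usr/bin/apt-get update && /usr/bin/apt-get upgrade -yq
}

# Usage from cron (host name is a placeholder):
#   upgrade_if_pinned /etc/apt/sources.list apt.internal.example
```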
just use an RPM upgrade utility and crontab...?
rsync, rdist, and yum. Well yum is not to standard.
What I did for other schools was having /usr/local mounted on a file server with all the Linux applications installed so we just installed it once and they were all up to date. But that may not work for all cases. Companies such as IBM have tools that can help keep Linux systems up to date as well as Windows systems. Like IBM Director. Or you can find an OSS project and see if you can get a contact with a smaller consulting firm to help keep your OSS up to date and well managed.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I've used GNU cfengine for automated updates at a company I used to work for. Basically, you write rules about how the system should look and cfengine enforces them.
However, we used to automate updates, apply system patches and rebuild the world if necessary. With about 5 lines changed to a single server, I could force all the workstations to re-install themselves overnight.
We also used this system to push out passwd file updates (poor-man's centralized auth).
http://www.cfengine.org/
I suggest you look at all of the package managers including Gentoo's portage which can be applied to other distributions.
Portage can handle binary packages and can be "pushed"
I completely agree. Imagine the stress of changing and the downtime (something always goes wrong). My campus switched from Microsoft Windows/Office to Linux/OpenOffice in one faculty and the computers were down for over a week. After the change a massive education process had to be started. While everything is working now.. the transition was not easy and people are still having to adjust.
We currently use Zenworks 6.6 to manage ~2000 NLD and SLES systems for system patching. It works great for that purpose. It doesn't offer more than very basic inventory management and reporting yet. I say yet because I'm on the beta for the next version and it is amazing. It makes managing Linux desktops and servers ridiculously easy. If you've used Zen for Windows, they've basically pulled all the same functionality into the Linux realm. Imaging, patching, configuration management, security policies, reporting, inventory/asset management, remote access (vnc or ssh), everything is all wrapped into one bundle. Some of the other pieces we use are at our site if you're interested in other open source and commercial packages we use. It's not much more than basic marketing material at this point but feel free to ask any questions.
FirefoxADM is a way of allowing centrally managed locked and/or default settings in Firefox via Group Policy and Administrative Templates in Active Directory. Latest news about FirefoxADM at http://spaces.msn.com/members/in-cider/
http://sourceforge.net/projects/firefoxadm
Unofficial Firefox MSI builds can be found at
http://www.frontmotion.com/Firefox/
Official Firefox MSI installers will be available in the 1.1 release. Nightly MSI builds can be found at http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/ The nightlies are not ready for general use yet, but are available for testing.
These people look deep within my soul and assign me a number based upon the order I joined. -Homer Simpson
This website has downloadable MSI packages that will integrate Firefox into AD and GPO, as well as a howto.
This thread will show you how to do the same for OO.o, but only for the 2.0 beta version.
"For every right, an equal responsibility..."
You can also use something like radmind. If you are using any sort of *nix desktops. It is much easier than having a Debian repo. Plus it would use a lot less bandwidth and is tested and used in Universities mainly.
There are also things called login scripts in the Windoze world when it comes to updating things like OpenOffice.org and Firefox. . .
I repackage Firefox into an msi for group policy deployment. I used to use Winstall LE that came with Win2k server, but eventually I learned enough about how msi works to be dissatisfied with that (it often gets lots of unrelated registry changes since so much background crap always happens in windows). Now I just build them by hand.
MakeMSI is a good tool for rolling your own, though it's best if you have some knowledge of how the tables work. Often I'll use Orca to tweak/double check things.
Firefox was a bit of a pain to package the first time because of all the subdirs, but it's really light on the registry keys and for updates it's mostly a matter of just dropping in the new files.
Your IT director is an idiot. How much does it cost to do updates by hand? Ask him to quantify it. Ask him to quantify ZEN Works. I was able to get a high school I used to work for to buy it. The support guys couldn't be happier when patches were done with a couple of clicks in ConsoleOne and boom...the whole directory is updated on next reboot. Mass deployments? Use multicast. Applications assigned to users that are installed automatically on the workstation when the user logs in? Check. The cost was about one month of my salary. But then I understand you, they changed the IT Director and put an ass kisser that stopped us from using ZEN Works (and backup exec, so backups were done with "copy /s", and sadly I'm not kidding) so it all went down the drain. ZEN Works is worth it, believe me.
please excuse my apathy
They want to answer this exact question, for you, for free. Call them.
Novell (SUSE) or RedHat.
They are both commercial vendors, and they want you to use their products. They will happily provide guidance on issues like this.
Use the resources that are out there!
http://unattended.sourceforge.net/
This is a great way to script installation of windows machines. You can put any applications you want into the system and use it to push machine upgrades out.
Since it's impossible to reason about security except with respect to a given configuration, this is a subject which deserves close attention, especially at larger sites where economies of scale are most effective.
Mark Burgess at the University of Oslo developed a mechanism called cfengine as a solution to the configuration management problem. It's multiplatform, mature, stable, comprehensive, secure, and it scales very well. I recommend it.
Parity: What to do when the weekend comes.
I just love you guys that spout off without knowing one thing about which you speak! He clearly stated that he presently uses SUS, as in System Update Server. You clearly know nothing about Microsoft systems newer than perhaps Windows 95.
The SUS server, free from Microsoft, automatically downloads all of the updates from Microsoft's Windows Update server and stores them on a local server. The administrator, one only, then reviews the downloaded patches and authorizes which ones he wants to be installed on the workstations. Using Group Policies, the administrator reconfigures the Automatic Update service on all of the Windows 2000 or greater systems on his network and points it at the SUS server, rather than the default Windows Update site. The next morning, ALL SPECIFIED systems have been updated.
It only needs ONE FRIGGING GUY to manage 10 machines or 50,000 machines and he doesn't have to leave his desk! The entire setup from start to finish can be setup and configured in an hour or less.
Now, the next level is to do this with applications beyond the Windows Operating system. But, hey, they have solutions for that too. Microsoft Operations Manager(MOM) and Microsoft Systems Management Server(SMS) provide complete management control over the Windows systems on the network. MOM is for smaller scale operations while SMS is the full on enterprise package. No, they aren't free but, organizations that require them can easily afford them.
... at least, according to some articles they do. See my post on Mozillazine:# 10
http://mozillazine.org/talkback.html?article=6602
It would be very helpful if they would release them, even in some incomplete, unsupported state.
Our company has evaluated a lot of different packages lately. The two top contenders have been Radia and Marimba. Marimba is expensive but does everything you can imagine for both Windows and Linux. Radia is much cheaper but not as mature. When you look at how many man hours Marimba saves, the price becomes far more reasonable (I would never be able to call it cheap)!
Altiris is a rather large and complicated client management suite (Windows centric, though there is some Linux, Unix & Mac support). As for package creation, with the tools provided you can create a silent installation package by creating a baseline, installing the software, then tracking changes after the install to create the package. Then it can be pushed to the client.
Hi Wally,
There are many software packages available that can repackage an install as an MSI. You can then repackage your updates to Firefox, etc and apply using Group Policy as you are used to. There are even some OS efforts (http://msi-repackaging.sourceforge.net/)
I hope that you don't let software distribution be a stickler here. The benefits to rolling out Firefox, etc are many.
Radmind is exactly what you're looking for. It makes managing lab, office and kiosk machines a snap. It works on Linux, Solaris and OS X. I've been using it for years as have many other schools that use these operating systems. It's pretty easy to use (I had no real command line experience coming to use it on OS X, but do it all via command line now), fast and actively developed. Essentially it is a filesystem manager, but works with transcripts (essentially lists) of files and there is a priority system for what can override what. It gives you lots of control and is very scriptable. I highly suggest you check it out.
Dumb ass moderators.... Yes you may spend more, but the $15,000 figure quoted is only for software licensing. We don't know what the budget for special projects and staff currently is set at.
Migrating may cost some money upfront but the software would be free, and will continue to be free. Chances are there is a budget for major projects, upgrades etc.
Also it is well known that Linux/Unix systems are much cheaper per server/per machine to administer. One study I believe quoted approx 1 admin to 30 machines for Windows while 1 admin for 200+ Unix/Linux servers. Obviously, there are a myriad of factors to consider.
Anyway, the point is this original comment most certainly is not insightful, it is misleading at best and malicious flame bait IMHO at worst.
-MS2K
Better to help fund or contribute work toward the programming of PSPP, a free software replacement for SPSS. The questioner did ask specifically about free software.
Digital Citizen
No. Put it somewhere else.
If you want to learn how to scale unix systems management a good start is infrastructures.org. You don't have to follow their ideas slavishly but it'll get you into the right mindset, and that's what matters.
Keeping Unix boxes up to date is simple once you understand how, the effort required to manage 1000 machines is only marginally more than 100 which is only marginally more than required for 10.
A lot of people have seemed to think this question was about going totally Linux (and many claiming that the MS deal was a good "value").
In case the question was about using FOSS on a Windows network (for the time being), the following might help.
This tool is fairly useful for deploying Firefox on a network:
http://firefox.dbltree.com/
As for OpenOffice, I use central network location, see the setup guide (I think you have to run setup.exe with the -net option). I'm not sure what must be done from there to automate installation, we usually do it manually because Workstation installs of OOo (from a central network location) take seconds.
As for the question of whether the MS deal was a "good value". First, let me say that there's more to "value" than cost. Also realize that $50000 per year might be cheaper than MS's $15000. Once you figure in MSCE training for an IT team and the increased labor it takes to run a Windows network you might be surprised. Believe me, once configured, Linux machines can be dead reliable and reimaged lightning fast, I do it for a living. That said, Firefox has saved me 8 hours per week at one client that only has 10 computers.
Well, ask your purchasing department how many suppliers it has for, say, light bulbs. While more than a few places say "just one", I find universities in particular tend to have four or five suppliers solely for the purpose of leveraging one against the other for good pricing.
What's the point of my story? The point is that MS as a single supplier means you will pay as much as they want you to. Of course it will always be "a little cheaper". In a software world with real competition, that will change.
Regardless, it's worth pointing out that increasingly it is the case that people are choosing FOSS for reasons other than price:
http://www.groklaw.net/article.php?story=20050426
I think Mauve has the most RAM. --PHB (Dilbert Comic)
As I mentioned, you need a silent install. For F., there's different ways to do that:
- Use FrontMotion's MSI for Firefox
- Follow the instructions and create your own MSI using MakeMSI (which is free as in beer, not speech)
- Follow the instructions on Unattended's wiki and roll a silent install from the .exe
I've tested the first and last w/o any problems.
Carousel is a lie!
SUS = Software Update Services
WSUS = Windows Server Update Services
Both free. WSUS is the follow on product to SUS. WSUS is currently available in Release Candidate form. With reporting capabilities this is a nice match for a smallish (~200) workstation environment.
If you're going to rant about M$ knowledge get the facts right.
Unfortunately, the current version of Zenworks Linux Management really is just Red Carpet Enterprise with a little more polish. The next version which is due out in a few months if I'm not mistaken is worlds apart and is almost on par with the feature set currently available for Windows. Everything you could want is built in. I don't think there will really be a desktop and server line as Linux is Linux. The remote access via VNC and application security policies (Firefox must have x as its home page, evolution can't change the smtp server, etc....) are more desktop oriented but the end result is the same. You have one tool to perform all your system management if you're a Linux shop.
It is relatively straightforward to build a Firefox .MSI package using WinINSTALL LE and push that .MSI package to domain clients using a Group Policy.
Sadly, there isn't a perfect answer - yet. The Mozilla wiki covers this problem in more detail here.
Firefox ADM partially covers this ground - here.
There's another tool similar to Firefox ADM, but I can't find info on it at the moment.
Summary: Firefox is almost there, but in most enterprise situations, there's still a few features (mostly in the lockdown, and setting default features department) that are lacking. I expect that will become a non-issue by the end of this year.
If you are on a small budget, you can just go with simple scripting. Pick a Debian based distro or an RPM based one (SuSE or RedHat only) and you can script all you need. Enable SSH for every system you deploy, desktop and server. Then you just write a few simple scripts _once_ and you can push down any update you need.
Red Hat has their own update stuff and you can pay them extra and run your own update server on your local network. However, where I work we have found Red Hat to be _way_, _way_ overpriced (I work for a multi-billion fortune 500). We are starting to look toward Novell SuSE for our Linux needs. Novell SuSE is _way_ better priced. If you look at a Red Hat Linux solution and an MS Windows Solution, MS will usually be less expensive! I personally don't know what Red Hat is thinking. However, if you go with Novell SuSE, you will see that Novell SuSE is far less expensive than MS. Also, Novell SuSE has some very nice tech that they got from Ximian. As you pointed out, Ximian, now Novell, Red Carpet, is a very nice corporate update client. That is the whole design of the product. You have one local update server and put the client on all your deployed systems and Novell Redcarpet handles the rest.
With Linux you have tons of options. If you have a really bare-bones budget, I would personally recommend a nice Debian solution. I have been using Ubuntu on my desktops at work and at home and have been very pleased with how easy it is to upgrade without dependency problems. I originally used Fedora Core, however I would run into repository conflicts often because every Fedora repository out there tried to be "The" repository for Fedora. So you would have 3 or 4 versions of every package and they would all conflict. You won't run into that with a Debian based distro.
If you have a bigger budget, look into Novell SuSE (which is still very cheap) and their Red Carpet client/server to handle updates. If your budget is even bigger, you can look into BigFix. However, I think BigFix is priced more as a bigger corporate product, though for our budget, BigFix was still priced nicely per/client.
As I said, you have _tons_ of options with a GNU/Linux deployment. Build yourself a separate subnet and spend a few days testing to see what level of support you want. Obviously, the less support you or your staff want to do, the more you will pay for your solution. You could spend 10's of thousands if not 100's of thousands (or millions like us) for a complete MS software "assurance" package or you can go very lowlevel and build your own GNU/Linux system like Linux From Scratch (which was very fun for a personal project but _way_ too much work for a professional solution for more than 5 systems).
I personally think your best bet is a hybrid system of Linux and MS Windows. As I said, get a test lab/network. Then use the right tool for the right job. Try to build a lab that is all or almost all Linux servers with mostly MS Windows XP desktops. On your MS Windows desktops try to use OSS software. For example, deploy Firefox and OOo.org. Maybe for some more tech users you could even get some Linux desktops in that mix. For your development needs, use OSS tech such as Tomcat or PHP.
Honestly, I would personally love to be in your position. It sounds like you have the ability to use the "right tool for the right job" without all the PHB crap or extreme OS bias. Where I work we have 140,000 employees and changing technology is like the changing of the North pole ; )
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
This may be useful for building custom install packages, then running them through domain login scripts,
Nullsoft Scriptable Install System
http://nsis.sourceforge.net/
The standard package format on Windows is a windows installer (MSI) package. This is used by Office 2000/XP/2003 etc. Think of it as functionally equivalent to an RPM.
The windows installer package can be deployed with the built-in software installation via group policy (aka intellimirror) or the more feature rich (and expensive) options like SMS, ZenWorks, Altiris etc
Increasingly more FOSS projects are distributing the installations for Windows as windows installer packages - for example Apache
For FOSS projects that use legacy installers, the installation can be repackaged into windows installer format using a variety of tools.
[Blatant self promotion]Building windows installer packages is one of my company's core skills, we actually have our Firefox and Thunderbird packages available for free download[/Blatant self promotion]