Linux Desktop Deployment Postmortems?
duffbeer703 asks: "My employer runs a lot of desktop and laptop computers -- something in the neighborhood of 40,000 PCs. Currently they are all Windows 2000 & XP managed by Active Directory and other big, complicated enterprise management tools, all of which can support Linux in one form or another. I'm looking for ways of making Linux (and maybe Unix or even Apple desktops) an option as we replace or add PCs. The problem is, most of the resources that you find online about deploying Linux focus on server environments, and the articles that I do find about desktop Linux focus on standalone developer workstations, the IBM conversion to Linux (which doesn't seem to have happened) or things like LTSP, that won't integrate well with our infrastructure. Is anyone out there successfully using Linux for regular users? How did it go, and how did your IT and user communities adapt to the new kid on the block?"
I was able, at some point a few years back, to produce a Ghost image with Red Hat, OpenOffice, and a login model that used my office's Windows infrastructure to authenticate users automatically. It worked very well. I used it on several test PCs and was able to boot them up, ghost them, and have them come up connected and ready to use.
It was fairly straightforward to set things up with simple additions to /etc/skel. The only real kneebiter was the fact that the vast majority of the office required Outlook, and for some reason (I don't recall what) Evolution wouldn't quite cut it. I seem to recall problems with lookups in the Active Directory using Evolution, but for all I know that's been fixed by now.
I ran this thing on my PC for months before my employer even noticed. I used VMware for my Windows needs (as I was a network administrator, I needed to run some troubleshooting in Windows for user support) and Samba for all of my day-to-day shares and printing. In the end, the only reason anyone knew what I was running was that I was sick one day, and someone tried to sit at my desk, with very small amounts of success.
Now if only I'd kept a copy when I was let go!
Green's Law of Debate: Anything is possible if you don't know what you're talking about.
PCs don't always make a lot of sense, especially if you need 40'000 of them :-)
I would also evaluate thin clients, especially Sun's Sun Ray technology:
http://www.sun.com/sunray/success.html/
That said, I know of a Swiss company (news agency with around 200 employees) who switched from Windows to Debian for the desktop PCs. Mostly Java applications. No serious problems were reported.
I've been trying to get Linux installed on the desktop for a few of my customers, but had problems finding a suitable model for deployment. Say what you will about Microsoft (and here most people do) but their deployment tools are pretty good. All of my new deployments utilise RIS (Remote Install Services) which greatly reduces client installation times.
Roaming Profiles and publishing applications via Active Directory also greatly reduces on site time. Workstations can be restored without anyone technical being required on site at all.
I've looked and looked and haven't been able to find any resources for doing similar tasks with Linux based desktops. The closest I've come up with is to use custom built CD Rom desktop OSes, but these are much slower than using a workstation with the OS installed on a local hard drive.
I'm sure it can be done, perhaps by remotely mounting common application and /home folders to a central server. But I've never seen any Howto's or even descriptions of anyone having done this in the enterprise before. Not to say it hasn't been done, just that no one's written how it's done (that I've been able to find).
Not much help I know, but it shows why my company is still an MS shop.
John the Kiwi
I used to work at a private high school in the Northeast. You can probably figure out what one by looking at my user name. Anyhow, we (read: I) tried a rollout of Linux on our file servers and routers. Here's what happened:
The Linux file server worked beautifully. We had a simple NT4 domain, setting up Samba with proper permissions was easy. It was easy to administer, very reliable, and fast.
The Linux router(s) worked well, too. I had a nice collection of scripts run with cron that would turn off internet access to the dorms at a specified time, and then turn it back on in the morning (remember: this was a high school).
I was even in the process of developing a grading system with the LAMP stack, since at the time, teachers did their grading manually, and often complained about it.
Everything was running beautifully for months, until politics entered the game. Some higher-ups bought software without consulting the IT department (me and one other guy) that of course only ran on Windows. They also decided that we were going to go with FileMaker for a grade database, that was maintained by some high-price consultant. In the end, they wanted everything to be Windows for some reason or another (misinformed about how Open Source works, you know, the whole deal). My wonderful little Linux environment disappeared, and eventually, so did I.
Moral of the story: technical challenges aside, your project can always be torpedoed by someone who is self-important and more powerful than you.
Although it might count as blasphemy to say as much on Slashdot, Microsoft, of all companies, understands that, and except in really extreme situations will usually work with a company to get them in compliance, for NO fine (even offering a discount to "help them out" in some cases). The BSA, on the other hand... Absolute pure evil. It amazes me that anyone would allow them on-site without a warrant and a police escort.
That would be the "good cop, bad cop" approach. You need a decent stick to beat people with (the BSA) but you also need to be able to present yourself as the "good guy" trying to help the person out...
Jedidiah.
Craft Beer Programming T-shirts
This is a server story--->
I got permission from my boss (who was not in the IT department) to build a proof of concept web based replacement for 200 users.
system:
Compaq Armada 7400 Laptop
PII 300
64 MB RAM
Slack 10
Now, everything was going well for months. All the supervisors were happy. The system was operating flawlessly. Then one overly ambitious assmonkey decided that he could curry favor with the site manager by filing a complaint against my "going against IT policy by having an unauthorised server".
The IT department was fully aware of the server being on the network. Obviously. They knew I wasn't going to break their infrastructure. They merely looked the other way, as it filled a need.
Nonetheless, the project was scrapped. Everybody who used the system got pissed at the guy who filed the complaint because it tripled their workload. That guy resigned. Ha Ha. But it still terminated the project.
Moral of the story: if you want to try to help people and "increase productivity" get top-down approval of the project.
0xB315AA8D852DCD3F3DCA578FD2E0BF88
I know this can be done. My question is how?
Where is the information? Where are the success stories with Howto's? What symbolic links should I mess with?
It's all very well to talk about AFS and ACLs and updating a bazillion desktops but you've given me nothing. Got any links to any of this? Bonus points for finding links and information that shows good ways to integrate this with Samba and CIFS to support current Windows based workstations while we integrate Linux based desktops.
So thanks for your post, but unfortunately I have to rate it -1 uninformative.
John the Kiwi
Why would a company arbitrarily cut an annual check to Microsoft?
Annual support contract, most companies have them.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
Old data. The client is now free and included with both Fedora Core 3 and 4. It doesn't work well at all; it is slow and crashes way too easily. If they turn on IMAP support the problem goes away, though. I use Exchange all day long using IMAP without any problems at all.
...A mistake was made and a disgruntled employee noticed and reported it to the BSA.
Even nicer was the fact that the same former employee was responsible for keeping the licensing info.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Well, then, maybe I can salvage my KiwiKarma a little...
A good place to start would be Linux Terminal Server Project (click 'Documentation' on the left). Even if it's not exactly what you're looking for, it'll teach you a lot about setting up thin clients, DHCP server, diskless PXE (network) boots via TFTP, mounting root NFS filesystems, etc. They tell you all of this in the context of setting up LTSP, but most of it is general knowledge, and very transferrable to whatever purpose you had in mind.
It might not be everything you need, but I bet it's enough to get you mostly there. At the very least, you'll know what to look for.
As for the symbolic links, that's a little trick I've seen in various enterprise setups, allowing transparent upgrades from the client side, but allowing multiple concurrent installs on the fileserver side.
Example is Firefox.
/path/to/apps/firefox/1.07
/path/to/apps/firefox/1.5
Until a couple of days ago, I would also have on the version level a symbolic link called 'prod' or 'current' that pointed to 1.07. Upon installing 1.5 this week, I would test it (maybe via a 'testing' symbolic link, or running from the versioned directory directly). If it works, I would swing the symbolic link 'current' to point to 1.5.
All of the desktops can run firefox via:
/path/to/apps/firefox/current/firefox
So the next time they start firefox, they're instantly upgraded -- without reboot.
This can also be applied to network boots. Since you are exporting a path via NFS, you can use the release symbolic link to upgrade whole installations (though, if I recall, there might be some options to tell NFS to follow the symbolic link, since it's a potential security risk. I don't remember, to be honest.) Overnight, once the new system release has been tested, change the 'release link' to the new system version. Things break? Change it back and reboot the workstations.
For large companies, NFS probably will not be the solution you're looking for, but the principles apply no matter what you choose -- AFS, SMB, NFS, etc.
As I noted before, AFS is nice for enterprises, because it a) can be highly redundant, and b) supports filesystem group ACLs. It's also significantly more complicated than NFS/SMB, but allows for lots of neat tricks if you're willing to learn it.
Unfortunately, what you need to read depends on what you need to know, which is dependent on what you want to set up. Fortunately, the system is modular and HOWTO's for popular components are easy to find. Once you get the system running, the rest is just system administration as you would on an individual box.
Hope this helps a little more.
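The 'current' link swing described in the post above, as an added example that is not the poster's own code. The function names, the `.current.prev` rollback file and the temp-dir layout are assumptions modelled on the post's /path/to/apps/firefox paths, and `mv -T` assumes GNU coreutils.

```shell
#!/bin/sh
# Versioned installs with an atomically swung 'current' symlink.
# A temp dir stands in for the shared application tree (constructed sample).

# swing_link APP_DIR VERSION [LINK]: point APP_DIR/LINK at VERSION and
# remember the previous target in APP_DIR/.LINK.prev for rollback.
swing_link() {
    app_dir=$1 version=$2 link=${3:-current}
    # Accept only a plain directory name, so the link cannot be aimed
    # outside the application tree or be parsed as an option.
    case $version in
        ''|.|..|-*|*/*) echo "refusing version '$version'" >&2; return 1 ;;
    esac
    # The release must be a real directory, not itself a symlink.
    if [ ! -d "$app_dir/$version" ] || [ -L "$app_dir/$version" ]; then
        echo "no such release: $app_dir/$version" >&2; return 1
    fi
    if [ -L "$app_dir/$link" ]; then
        readlink "$app_dir/$link" > "$app_dir/.$link.prev"
    fi
    # Create the new link under a temporary name, then rename it over the
    # old one. rename(2) is atomic, so clients never see a missing link.
    tmp="$app_dir/.$link.tmp.$$"
    ln -s "$version" "$tmp" && mv -T "$tmp" "$app_dir/$link"
}

# rollback_link APP_DIR [LINK]: swing back to the saved previous target.
rollback_link() {
    app_dir=$1 link=${2:-current}
    [ -f "$app_dir/.$link.prev" ] || { echo "nothing to roll back" >&2; return 1; }
    swing_link "$app_dir" "$(cat "$app_dir/.$link.prev")" "$link"
}

# current_version APP_DIR [LINK]: print the version the link points at.
current_version() { readlink "$1/${2:-current}"; }

# Demo: install 1.07, upgrade to 1.5, then roll back.
demo() {
    root=$(mktemp -d); mkdir -p "$root/firefox/1.07" "$root/firefox/1.5"
    swing_link "$root/firefox" 1.07 && swing_link "$root/firefox" 1.5
    current_version "$root/firefox"; rollback_link "$root/firefox"
    current_version "$root/firefox"; rm -rf "$root"
}
demo
```

The link stores a relative target, so it resolves the same way wherever clients mount the tree.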
I work for Ernie Ball's IT department and was here 5 years ago when the shit hit the fan. The rockin' on article describes it all very well. The truth is, we downloaded the BSA tools and they DIDN'T WORK. I had proof that I had downloaded them a couple of weeks before the armed guards came storming in. It didn't matter to them. We have been completely M$ free since then and have had no problems at all.