Linux topics

State of DESY Linux 5 discussion

Notebook support

Stephan WiesandJune 17, 2003

DL5: why and when

● DL4 is based on SuSE 7.2 Professional

● SuSE 7.2 was released July 2001

– is showing its age now

● KDE2

● glibc too old for recent gcc versions

– SuSE provides security patches for 2 years

● doing this ourselves is too much effort

● Ambitious schedule:

– June

● decision on DL5 base distribution

– August

● provide DL5 to early adopters, volunteers

– October

● DL5 default on new installations

selection criteria for DL5 base distribution

● should have a sufficient time to live

– security and bug fixes by distributor

– 2 years limit is forcing us right now

● even if we'd like to keep DL4, we couldn't

● should come with recent software

– glibc, gcc (new C++ ABI since version 3.2)

– KDE, application software

● should be supported by 3rd party vendors

– software (compilers...) & hardware (notebooks...)

● should fit well with HEP, GRID, ...

DL5 distributions considered

● Red Hat

– Professional

– Enterprise Server / WorkStation

● SuSE

– Professional

– SuSE Linux Enterprise Server / SuSE Linux Desktop

● Debian

– Stable “woody”

– Unstable “sarge” (or is it “sid”?)

debian

● PROs

– no license troubles

– no monetary cost

– long life time

● but undefined

– good patches support

● but: for Stable only

● no commitment to 100% compatibility

– very complete

● CONs

– software in Stable is old (like DL4)

– no release date for next Stable

● this year? next year?

– no commitment to timely, compatible patches for Unstable

– poor support by 3rd party vendors

Red Hat Professional

● PROs

– de facto HEP standard

● but which one?

– HEP uses 7.x today– current is 9

– no license troubles

– no monetary cost

– good 3rd party support

– fairly complete

– CERN considers going for version 10

● CONs

– life time: 10-12 months

● 6 months after next release (4-6 months)

● 1 year DL release cycle?

● start working on public beta releases?

– “... a vehicle for exposing new technology to the community” (RedHat)

Red Hat ES/WS

● targeted at professional customers, not SOHO

● no free download, but product and updates still GPL

– cost is 1k € per year for 1 ES +1 WS systems

● for “Red Hat Network” services & support

● Sales is unable to talk about site licenses (“not yet”)

● patches provided for 5 years

● reduced number of packages

– true for all Enterprise distributions

● current version 2.1 corresponds to Professional 7.x

– next release Q3-Q4, no beta yet, betas are not public

SuSE Professional

● PROs

– life time: 2 years

– very complete

– up to date

– some 3rd party support

– no monetary cost

– little license troubles

– comes with

● AFS

● globus

● CONs

– life time: 2 years

– common misconception about YaST license

● though it's ok for HEP

– considered less compatible with HEP, GRID than Red Hat

● again: which Red Hat ?

SuSE Enterprise

● no free download, but product still (mostly) GPL

– exceptions: truetype fonts, Codeweavers Wine

– cost is 1.5 k € per year for 1 SLES +5 SLD systems

● for “SuSE Maintenance Web” services & support

● Sales is able and willing to talk about site licenses

● patches provided for 5 years

● reduced number of packages

– additional ones possible for a fee

● current version 8 corresponds to Professional 8.1

– SLD has more recent KDE

DL5: summary

● 6 months ago, the decision would have been easy

– Red Hat Professional best choice

– Enterprise Desktops were not available

– SuSE Professional was not in good shape

● since then, conditions have changed

– Red Hat reduced support time from 2 years to 1

– mature SuSE Professional available

– Enterprise Desktops available

● and SuSE's is even up to date

DL5: Options

● Red Hat Professional, effective ttl ≈ 10 months

– at least some HEP institutes are heading there

– they also talk about throwing money at Red Hat for extending the support time

– can DESY wait for the outcome ?

– too late for version 9 anyway

● SuSE 8.2 Professional, effective ttl ≈ 1½ years

● SuSE SLES8/SLD8, effective ttl ≈ 4 years ≈ ∞

– buy one, install many, or

– negotiate licensing with SuSE

DL5: next steps

● Evaluation Matrix will be presented and discussed in Linux User Meeting in HH next week

● if DL5 is important to you:

– do come, and speak up

– or brief me, and I'll speak up

● continue talking to SuSE about Enterprise products

– licensing terms, additional packages, cooperation

● talk to HEP community

● hopefully, take a reasonable decision for DL5 soon

– if it's not reasonable & available today, it's DL6

Notebook Support: Outline

● centrally supported notebooks

– why linux notebooks anyway ?

– hardware issues

– support concept

– current service level, to do list

– can linux notebooks replace desktops yet ?

● unsupported / private notebooks

– what we can do for users, and what we can't

– common pitfalls

Why Linux notebooks ?

● for many physicists, Unix is still the environment

– where they feel at home

– where they work most efficiently

● Windows on notebooks is not trivial, either

– nobody's talking about not supporting that

● Pooled Linux notebooks make sense

– Windows notebooks currently work best for a single user

Hardware issues

● Linux likes slightly dated hardware

– Power management: prefer APM over ACPI

● APM allows suspend, and is still much more stable

● alas, recent notebooks no longer have it

– WLAN

● 802.11b cards (Dell TM 1150, Cisco Aironet) work

● 802.11a/g cards don't, and may not anytime soon

– Graphics

● nvidia GeForce: works, but not easily

● older ATI works fine, recent chips: unknown

● i830M works fine, recent chips: unknown

Recommended Hardware

● Linux sort of works on most notebooks today

● It works really well on very few available models

● Standardization committee recommendation now: Dell Latitude D600

– reasonably priced, powerful, good battery life

– untested under Linux yet (should basically work)

– no WLAN option for Linux (we'll try the old card...)

● The committee also recommends:

– for Linux, still consider Dell Latitude C series

● available until Q3/03

What hardware to buy today

● Dell C840

– works well, but: heavy, nvidia graphics needs tweaking

● Dell C640

– untested (probably works)

● Dell C400

– well tested and now supported, works very well

– very lightweight

– reasonably priced

● get a TrueMobile 1150 internal WLAN card

● getting a US keyboard is no problem

First centrally supported notebooks

● there are now 9 identical C400s at DESY Zeuthen

– providing real support starts making sense

● basic setup:

– dual boot Linux (SuSE 8.2 Professional) / Windows XP

– hard disk shared 50-50

– 1GB FAT32 partition for exchanging data

– Linux

● programmed remote installation

● automatic / remote maintenance (first steps, anyway)

Support model

● this is not considered support:

– handing out pristine notebooks and a stack of CDs

– handing out functional notebooks and forgetting them

● this could be, but isn't feasible due to manpower:

– handing out notebooks, letting users deal with them, and helping with individual problems

● this is:

– handing out functional notebooks and caring for them

● keeping it functional and secure (remember it has a mic)

● providing configuration improvements when available

The concept

● programmed remote installation

– well defined initial state

– this is the easy part, similar to current mechanisms

● automatic configuration maintenance

– make current state converge to correct state

– this is the challenge: notebooks

● have no permanent network connection

● must work in very different environments

● must allow the user to change the current state

– easily & failsafe

– existing mechanisms for desktops simply don't work

Automatic Maintenance

● rpm package “postinstnotebook”

– cfengine scripts + archive of files

– executed on network startup, by cron, by SuSEconfig

● notebook

– pulls updates of postinstnotebook when network runs

– confirms by http request to install server

● dhcp server

– notifies install server by http request

● install server

– tries to push updates when client fails to confirm

Automatic maintenance

Notebook

DHCP server Install Server

HTTP server(client DB)

HTTP Server(updates)

request

ack

notify

confirm

check

push

pull

pull

when the notebook network starts

● the latest postinstnotebook release is downloaded

– 50 kB

– unless inhibited by user

● it sends confirmation to the install server

– if on our network

● after 30 seconds delay starts cfengine scripts

– unless inhibited by user

– these do the work

● only a very small subset is executed during boot

what the cfengine scripts do:

● some examples:

– make sure the network configuration is secure

– make USB work

– add necessary sudo entries

– correct the hardware clock configuration

– if on our network, sync the system clock

– if on our ethernet, download certain updates

– make sure important services are running (apmd,...)

– enhance the AFS client configuration

● have a look in /var/run/cfengine/features

functional today:

● LAN

– Ethernet, Wireless

– start/stop/configure/restore by user

● AFS client

– start/stop/cell change by user

● Suspend (to RAM)

● optional USB Intellimouse

● USB memory sticks work

– backup your mobile work !

● external VGA port (for beamer)

A simple GUI for some functions

● convenient access to some important settings

● make it easiest to do it right and safe

● allow without being root

● simple surface for commands

– intelligence not in GUI but in scripts it calls (maintainable)

not yet available

● will be rolled out by update mechanism when ready:

– base configuration and start/stop by user for

● ISDN (with & without callback)

● Modem (maybe even the C400's internal winmodem)

● DSL

– printing on DESY printers

● CUPS or LPRng ?

– automatic security updates & bug fixes from SuSE

● using local mirror, only on Ethernet, in background

– directory information (passwd, group)

● will (try to) avoid interfering with manual settings

About replacing desktops by notebooks

● current philosophy for notebooks:

– boot as quickly as possible, avoid timeouts

● do not start any network interface by default

● no kerberos/AFS login

– local accounts and home directories

● no backup !

● accounts created manually today

– no interface to user registry– allow ALL ifh.de accounts w/o password by default?

– avoid deviation from SuSE default setup

● no HEPiX11, no customized ssh,...

– no NFS access (read only, at best)

Private / unsupported notebooks

● what we can provide:

– an up to date installation/package repository

– a handful of installation profiles that should work for most notebooks, for programmed installation

● manual modification possible

● manual confirmation required

– postinstnotebook should work on any SuSE 8.2 system

– Linux pages in HH hold some goodies for individualists

● what we can't

– the manpower for fixing messed up installations

– a linux administration hotline / tutorials

Common pitfalls: networking

● all notebooks are confined to a certain subnet

– dynamic DHCP only available in this subnet

● this subnet is only available on certain wall sockets

– public access points in terminal rooms

– ask for using a free socket in your office

● eventually, any wall socket in lab building

– will work for any registered device

– will lock out unknown devices - have yours registered

● use only a single network interface at a time

– or you have to deal with routing

Common pitfalls: accounts & groups

● on supported notebooks, let us create the accounts

– hook it up to the Ethernet, we'll do it remotely

● if you do it yourself:

– use the same name/UID as on central systems !

● makes using AFS, ssh,.... much more convenient

– do NOT create groups with GID < 100

● they may clash (many common DESY GIDs are < 100)

● not needed

Common pitfalls: ssh access to DESY hosts

● there is no way to correctly log in to a DESY computer without giving a password

– actually there is one, but if we catch you using it, we'll assume your account has been hacked and lock it

● for this reason, ssh public key authentication does not work correctly from notebooks to ifh.de hosts

– will let you in, but

● after some timeout

● no kerberos ticket, no AFS token, no X11 forwarding

Linux Notebooks: Summary

● choose hardware carefully

– talk to us before buying

● whether or not the notebook will be supported by us

● accept our support

– please be patient, it's just evolving

– do provide feedback

– don't expect full desktop functionality

– don't expect all the familiar gimmicks & customizations