UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Univention Product Roundtrip Highlights 2016 and look-out 2017 Dr. Alexander Kläser, Ingo Steuwer Univention GmbH [email protected] / [email protected]

Transcript of UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Page 1: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Univention Product Roundtrip

Highlights 2016 and look-out 2017

Dr. Alexander Kläser, Ingo Steuwer

Univention GmbH

[email protected] / [email protected]

Page 2: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

About us

Dr. Alexander Kläser

Since 2010 @Univention

Product Development

Web, UX, App platform, ...

Ingo Steuwer

Since 2003 @Univention

Head of Professional Services

Page 3: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Agenda

(5) Ideas & Vision for 2017+

(4) What else to expect in 2017 ?

(3) What to expect in UCS 4.2 ?

(2) App & feature highlights in UCS 4.1

(1) What happened in 2016 ?

Page 4: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Agenda

(1) What happened in 2016 ?

Page 5: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UCS 4.1 retrospection – Overview

UCS 4.1-0 Release: 2015/11/17, Highlights:

Docker integrated

SAML as a default

(Password) Self Service

Since then:

Fixes, improvements and extensions in >350 Errata Updates

Upgrades and new features in dedicated Apps

Page 6: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

New features without new releases? – Challenge: Release cycles

“Classic” Linux distribution release policy:

upstream upgrades only in feature releases

“Upstream”:

Debian, Kernel, Samba, Firefox, …

→ Various release cycles

Various maintenance durations, version numbering, ...

One release cycle can’t match all upstream cycles

→ Univention decided to deliver “needed” updates

Page 7: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

New features without new releases? – Goals

UCS Errata Updates are the result of agile development to

Address security issues

Fix bugs

Improve the usability of the product

„Apps“ deliver dedicated features

Separated environment where possible (Docker)

Individual release process

But: stable APIs

Page 8: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

New features without new releases? – Content

Ease-of-use is a major focus of UCS:

Usability and user experience of graphical user interfaces

Improvements to make existing functionality better (example: App Center)

Updates of upstream packages that are no longer maintained or that improve stability or compatibility (example: Samba)

Enhancements in Errata updates introduce a risk

Errata must not break existing functionality!

Page 9: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Release process – Automated tests (I)

Automated tests to ensure stability

Each release undergoes tests

Single instances and full environments in IAAS

[Chart: instance usage (hours) per month, August to January (estimation), for UCS-3.2, UCS-3.3, UCS-4.0, UCS-4.1 and UCS-4.2]

Page 10: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Release process – Automated tests (II)

~50 scenarios

~1.500 test cases

~190.000 lines of code

Run for

Errata

Releases

Apps

Page 11: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Release process – Docker & Apps

Docker allows individual environments for Apps

No conflicts between App dependencies or UCS

Example: different PHP versions

→ App releases are independent

… of each other

… of UCS

Page 12: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Release process – Results

Shorter test periods / quicker releases

Incidents per customer (Support requests) reduced

Growing number of „combinations“ tested

Scenarios (server roles, number of instances)

Releases (Upgrades and mixed environments)

Apps (single Apps and combinations)

Page 13: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Agenda

(2) App & feature highlights in UCS 4.1

(1) What happened in 2016 ?

Page 14: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – SAML

SAML = Security Assertion Markup Language

Allows Single Sign-on (SSO) for web services

Identity Provider (IdP) = Server for authentication (e.g., UCS)

Service Provider (SP) = Web service (Office 365, GSuite, Salesforce, ...)

IdP's certificate has been registered at the SP

Via browser redirects → Works with IdP accessible only via intranet

Passwords remain at the IdP + can be managed centrally (via UCS)

Page 15: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

SAML integration in UCS

UCS provides an IdP by default

Access via: ucs-sso.<mydomain>

IdP service runs on DC master + DC backup roles

High availability: SAML sessions are synchronized (via memcache)

Implementation via simpleSAMLphp

Note: DNS needs to be configured for clients

Fallback login without SAML for UCS test instances

Page 16: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UMC login with UCS 4.1

Page 17: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

SAML login with UCS 4.1

Page 18: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – Office 365 / GSuite with UCS

Apps for providing:

Wizard to guide the setup process of establishing a secure connection

Connector = listener module for synchronizing user accounts

What is the connector doing?

Create accounts at Azure/Google when activating access for user

Sync selected attributes of user accounts (configurable via UCR)

Disable/delete accounts at Azure/Google

Page 19: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – Office 365 / GSuite setup process

Common setup steps:

Configure client access to Azure/Google API for connector

Download config data + credentials and pass them to connector

Only Office 365: Upload Manifest file from connector to Azure

Upload IdP certificate:

Office 365: Can only be done via a Windows system

GSuite: Can be done via the browser

Page 20: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Setup wizard for Office 365

Page 21: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Setup wizard for GSuite

Page 22: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Enabling GSuite access for a user

Page 23: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – (Password) Self Service

Goal: Save time as users can reset passwords on their own

App allows resetting a user's password via SMS / email address

Custom password recovery channels can be configured

"Forgot password?" link can be included by other Apps

Among the top 10 Apps

Page 24: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Access via the UCS startsite

Page 25: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Resetting a password (1)

Page 26: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Resetting a password (2)

Page 27: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Resetting a password (3)

Page 28: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

User can set alternative contacts

Page 29: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Contacts are saved at user object

Page 30: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – French translation

Since UCS 4.1-4

Translations for installation wizards + web interface

UCS translation tools have been greatly improved

Installed automatically if French is chosen in Installer

… or package univention-l10n-fr

Page 31: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – Active Directory Connection password sync (I)

Active Directory Connection: Sync Users, Groups and other objects between MS Active Directory and UCS

Until mid-2016: dedicated service for Windows DC needed to synchronize passwords:

Introduced in 2007 with first UCS AD Connector

Based on old NT “debugging” API

Needed wide permissions, had its own TCP port and authentication

→ Installation complicated & security concerns

Page 32: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – Active Directory Connection password sync (II)

App Upgrade in May 2016

Password Hashes are now synced based on standard RPC calls

→ No dedicated service on Windows DCs needed!

→ Standard Windows rights management

Compatible with all maintained Windows versions

Easy configuration

Details: https://www.univention.com/2016/05/bye-bye-active-directory-password-service/

Page 33: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – Univention Corporate Client 3 (I)

Easy deployment and integration of Thin and Fat Clients

Image based, including UCS LDAP & Kerberos integration

Core Changes:

Based on Ubuntu 16.04 LTS

Official support for mixed architectures (32bit / 64bit)

Improved tools and integration:

Central reporting of image version

Easier “move” of UCC LDAP objects

Page 34: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – Univention Corporate Client 3 (II)

Major changes Fat Clients:

64bit image

Default Desktop: Unity

Major changes Thin Clients:

Update of RDP and Citrix clients

Improved management & offline capability for read only clients

Still “Citrix Ready” certified!

Page 35: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – UCS@school 4.1

Feature Release: 2016/06/16

Improved import tool with generation of attributes:

login, mail address, …

API in “classroom” UMC module for 3rd party integrations

Real “multischool” accounts for teachers and pupils

Page 36: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – UCS@school 4.1 – “multischool” accounts – Old

Creation of one account for each assigned school

School A

School B

User 1

User 1*User 1*

User 2

DC school A

DC school B

Page 37: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – UCS@school 4.1 – “multischool” accounts – New

One account, replicated to each assigned school

School A

School B

User 1

User 2

DC school A

DC school B

Page 38: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – UCS@school 4.1 – Behind the scenes

iTalc improvements

example: better handling of temporary (dis-)connected clients

Large environment improvements

more consistency checks during setup

better conflict handling for sync between schools

Streamline LDAP ACLs (security & performance)

Page 39: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – App Center market place relaunch in Q4/2016

One place for licenses/maintenance and support for Apps and UCS

Reachable by App Catalog (web page) and App Center (UMC)

Buying + selling Apps much easier

Supports Reseller accounts

Register now!

Page 40: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Highlights – App Center Provider Portal

Allows App providers to easily manage their Apps

All meta information is edited via form fields

Translations are entered separately

Packages are uploaded / docker images are registered

Logos, screenshots, videos are uploaded and previewed

Changes are synchronized directly to the test App Center

Univention publishes final version to the App Center

Page 41: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Overview of all available Apps

Page 42: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

App details – Description

Page 43: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

App details – Logos

Page 44: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

App details – Screenshots and videos

Page 45: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

App details – Software packages

Page 46: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

App details – Docker settings

Page 47: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Agenda

(3) What to expect in UCS 4.2 ?

(2) App & feature highlights in UCS 4.1

(1) What happened in 2016 ?

Page 48: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Annual UCS Minor releases….?

For more than 5 years there was an annual feature release – why not 2016?

Focus: new Apps & migration to Docker

Prepares a smooth upgrade to UCS 4.2

Features have been delivered in Apps (and Errata)

No urgent needs

Page 49: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Release schedule UCS 4.2

UCS 4.2

Milestones in February

Release Candidates in March

Release in April

3 Patchlevel Releases in 2017

Page 50: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UCS 4.2 – Main features: based on Debian 8

Based on current Debian stable “Jessie”

New: no full rebuild but direct use of Debian upstream packages

Fewer differences between UCS and Debian

Security updates for "unmaintained" repository (following Debian updates)

Univention builds for selected packages, examples:

Kernel, OpenLDAP, Samba

Page 51: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Debian major release vs. UCS minor release

Including a major upstream release in a minor UCS release…

… a conflict with release policy expectations?

Expectation: stable environment (for Apps)

→ Is given using Docker: Containers can stay with UCS 4.1

→ Most Apps will be directly available with the release of UCS 4.2

Expectation: stable APIs

→ Our processes (like automated testing) ensure the needed stability and compatibility

Page 52: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UCS 4.2 – Debian upstream features

Goal: use Debian packages where possible

But newer packages if needed

Changes introduced by Debian upgrade:

Upgrade of core libs (like libc)

systemd to replace “old” init and runsv

KVM upgrade (including challenges like migration of snapshots…)

...

Page 53: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UCS 4.2 – Samba upgrade

Goal: Samba 4.6

Improved NETLOGON Performance

Improved Replication Performance and Impact on Receiver

Improved Performance: Add and Delete of Accounts

Fix uploading Point-and-Print printer drivers from Windows 10

Page 54: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Samba 4.x upcoming features

Samba 4.7 Roadmap

Improved Samba/AD LDAP performance (multi-process)

Implementation of print server protocol MS-PAR replacing MS-RPRN

Inter-Domain trust

Windows Search Protocol (MS-WSP)

Page 55: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UCS 4.2 – Usability changes

Portal page as central view on the full UCS domain

Overview of all Apps in the whole domain

Entries can be managed and modified / added

Favorites visible after login

Corporate branding: Custom logo / background can be configured

Page 56: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UCS 4.2 – Usability changes (2)

Central login page for portal page + UMC

SAML as default authentication process when possible

Fallback to normal login otherwise

More prominent side menu

Mark modules that are not installed yet (DHCP, Printing, Mail etc.)

Usability adjustments for (Password) Self Service

Also better integration (e.g., into side menu)

Page 57: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Mockups 4.2 – Portal view

Page 58: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Mockups 4.2 – Portal view logged in

Page 59: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Mockups 4.2 – Portal view with menu

Page 60: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Mockups 4.2 – UMC overview

Page 61: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Mockups 4.2 – User list

Page 62: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Mockups 4.2 – User list

Page 63: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Mockups 4.2 – User grid

Page 64: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Mockups 4.2 – User details

Page 65: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Mockups 4.2 – UMC overview

Page 66: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Agenda

(4) What else to expect in 2017 ?

(3) What to expect in UCS 4.2 ?

(2) App & feature highlights in UCS 4.1

(1) What happened in 2016 ?

Page 67: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Planned for 2017 – Connector upgrades

Sync more attributes between OpenLDAP and Samba 4

RFC 2307 attributes: uidNumber + gidNumber

Merge improvements implemented in S4 connector to AD connector, examples:

Improved caching

Differential updates

Error handling, logging

Page 68: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Planned for 2017 – Transparent Maintenance

Difference between UCS Core Edition and Subscription:

Core Edition may need to update to the latest release to get all Errata

Maintenance will be more transparent:

Improved "end of maintenance" messages

Guide updating to releases available for current maintenance contract

Same for Apps

Transparent status: free Apps, test periods, usage / updates that require a charge, ...

Page 69: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Planned for 2017 – Simplified App integration

Option for App activation checkbox in user module [UCS 4.1]

Easy way to specify LDAP schema extension [2017]

Extended configuration settings for docker Apps [2017 Q3?]

→ See also expert talk “Make an App” tomorrow

Page 70: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Planned for 2017 – Testing UCS

We will continue to write more tests for UCS in 2017

Goal 1: Automate more product release tests

Product release tests are carried out manually before every release

Goal 2: Cover more and more complex scenarios

Goal 3: Automate GUI tests (Debian Installer + setup wizard)

Page 71: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Planned for 2017 – Automated browser tests

Working framework and proof-of-concept tests exist

Framework is based on Selenium + integrated in Univention test lib

Todo:

Integration into Jenkins

Integration into Selenium grid to test different browser types

More tests

Some aspects of UMC are already tested via scripted HTTP requests

Page 72: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Planned for 2017 – Automated GUI installation tests

Test framework using a VNC connection + optical character recognition (OCR) has been developed

Actions: Wait for text to appear + Click on text

Proof-of-concept tests exist

Allows graphical tests to be fully automated

Debian installer + UMC setup wizard

Todo: Integration into Jenkins + more tests

Page 73: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Debian Installer

Page 74: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Debian Installer – OCR output

l!‘ univention

Select a language

Choose the language to be used for the installed system. The UCS installer only supports English and German and will use English as fallback. Similar restrictions apply to other parts of the installed system which have not yet been localized.

Language.-

Chinese (Simplified) - EPYU’H‘WK) AChinese (Traditional) - CPYlSE)Croatian - HrvatskiCzech - CestinaDanish - DanskDutch - NederlandsDzongkha - E'FlEnglish - EnglishEsperanto - EsperantoEstonian - EestiFinnish - SuomiGalician - GalegoGeorgian - dafimacgmGerman - Deutsch v

Screenshot ‘ Go Back ‘

Page 75: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Debian Installer

Page 76: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Debian Installer – Button detection

Page 77: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UMC wizard

Page 78: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UMC wizard – OCR output

k(El univention

Account information

Enterthe name ofyour organization and ' 'an e-mail address to activate UCSi UnlventlonOrganization name

lE-mail address to activate UCS (more information)

Page 79: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UMC wizard

Page 80: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

UMC wizard – Button detection

Page 81: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Agenda

(5) Ideas & Vision for 2017+

(4) What else to expect in 2017 ?

(3) What to expect in UCS 4.2 ?

(2) App & feature highlights in UCS 4.1

(1) What happened in 2016 ?

… things we want to talk about

Page 82: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Discussed feature – Separate UMC modules into Apps

Idea: Everything in App Center is accessible as separated App

Goal: Clearer navigation + separation of concerns

If installed as App, it should be found on the portal

Current counter example: UCS@school, UVMM, UCC

Separated App for all UDM modules

UMC solely for system administration with fixed set of modules

Maybe as UX concept for UCS 5.0

Page 83: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Discussed features – Mail stack

Mail forwarding

Wizard for general mail settings as well as fetchmail

Enforce mail identity when sending mails

Validate incoming emails via Sender Policy Framework (SPF)

Makes sure emails arrive from an authorized mail server

Simple monitoring for mail queues

Page 84: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

More discussed features…

Further integration of the App Center marketplace (look'n'feel)

What about community Apps? Is there an interest?

Monitoring: Nagios vs. Icinga 2

Make AD domain trusts production ready

Various use cases for integrating AD services in UCS (MS Exchange, ...)

More flexibility for working with UCS and AD

Page 85: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Need: Get started easier

Some users struggle to

… decide technical questions (sizing, network, ...)

… get resources (hardware, people, …)

but want to

… start quickly

… avoid long term investments

Page 86: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Vision: “UCS as a Service”

Standardized, Cloud based UCS offering

On premise services if needed

“Pay per use”

Full service (deployment, updates, support)

Scalable Apps and services

Customer decides what to use

“UCS as a Service” delivers – technical needs included

Page 87: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Need: Deploy Apps in existing environments

Docker is expected to become the standard IAAS platform for

Private Clouds

Cloud Service Provider

but…

Deployment & Maintenance of Apps is different

Current containers often struggle with updates

Software Vendors may not have the needed knowledge

Page 88: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Vision: App Center deploys to Kubernetes

App Center brings everything to deploy and maintain Apps in Docker

Currently: if Docker runs on UCS

Vision:

Enable App Center to also deploy to non-UCS Docker

Expected “API”: Kubernetes

Page 89: UCS Product Roundtrip – Highlights 2016 and Look-Out 2017

Thank You!

Contact

Dr. Alexander Kläser Ingo Steuwer

[email protected] [email protected]

http://www.univention.com