In order to manage the 1000+ Unix/Linux hosts in SCS, we install a custom managed-computing environment on hosts that we deploy. This environment provides distributed system management capabilities, integration with SCS services, and better security. This computing environment is known as "Dragon", after the dragon in the logo of the School of Computer Science.
Philosophy

In response to the overwhelming desires of the user community expressed in the 2010 Facilities Linux Survey, Dragon differs significantly from the older Facilitized platforms. By far, the most-requested feature for a proposed new Unix environment was for Facilities to get out of the way of the vendor's mechanisms for doing things, so as not to break a user's expectations of how to interact with a specific Unix or Linux distribution with which they may already be deeply familiar. The second-most requested feature was to leave most software and configuration options up to the user of the system.
As such, the Dragon computing environment attempts to adhere as closely as possible to what a user would get from installing a stock system using the vendor's installation method. Dragon will only very rarely install additional software that is not present in a vanilla install, as there are often many different choices of software available from the vendor for a particular computing task. The only exceptions to this philosophy are when a particular piece of non-default software is required to be present and/or configured a particular way to interact with core SCS services (for example: Kerberos or Printing), or when the default absence of a particular piece of software or configuration option results in a security vulnerability (for example: Dragon Ubuntu systems come with fail2ban — a log-scanner/firewall-blacklister — installed and enabled by default to prevent brute-force password-guessing attempts via SSH).
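To make the fail2ban example concrete, here is an added illustration (not Dragon's or fail2ban's own code) of the log-scanning rule an sshd jail applies: a source address that produces maxretry failed logins within findtime seconds gets blacklisted. The log lines, the hostname and the thresholds are constructed for the example; the third source shows the edge case where slow, spaced-out attempts stay under the window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the OpenSSH "Failed password" line as written to /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts: str, year: int = 2012) -> datetime:
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, maxretry=5, findtime=600):
    """Return the set of source IPs with >= maxretry failures inside any
    findtime-second sliding window (the fail2ban sshd-jail ban condition).
    Lines are assumed to be in chronological order, as in a real log."""
    attempts = defaultdict(list)   # ip -> timestamps still inside the window
    banned = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue               # successful logins and other noise are ignored
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        window = attempts[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.pop(0)          # expire failures older than findtime
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample of auth.log lines (addresses from documentation ranges).
SAMPLE_LOG = """\
Mar  3 02:14:01 host1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 02:14:03 host1 sshd[1203]: Failed password for root from 198.51.100.7 port 40125 ssh2
Mar  3 02:14:05 host1 sshd[1205]: Failed password for root from 198.51.100.7 port 40131 ssh2
Mar  3 02:14:06 host1 sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 40140 ssh2
Mar  3 02:14:08 host1 sshd[1209]: Failed password for root from 198.51.100.7 port 40142 ssh2
Mar  3 02:20:11 host1 sshd[1300]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar  3 02:31:40 host1 sshd[1310]: Accepted publickey for alice from 203.0.113.5 port 51002 ssh2
Mar  3 03:05:00 host1 sshd[1400]: Failed password for bob from 192.0.2.9 port 60000 ssh2
Mar  3 03:20:00 host1 sshd[1401]: Failed password for bob from 192.0.2.9 port 60001 ssh2
Mar  3 03:35:00 host1 sshd[1402]: Failed password for bob from 192.0.2.9 port 60002 ssh2
Mar  3 03:50:00 host1 sshd[1403]: Failed password for bob from 192.0.2.9 port 60003 ssh2
Mar  3 04:05:00 host1 sshd[1404]: Failed password for bob from 192.0.2.9 port 60004 ssh2
""".splitlines()

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))   # only the fast burst from 198.51.100.7 is banned
```

Widening findtime to an hour also catches the slow source, which is the trade-off an administrator tunes in the jail's findtime/maxretry settings.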
Because the Dragon environment only installs the stock vendor software choices, and because there can be countless software options for a particular computing task, Dragon primarily relies on the operating system vendor for security and bugfix updates. SCS Facilities can and will provide security and bugfix updates for stock, core software if the vendor is not timely enough in releasing an update, but non-default software is left to the vendor to fix. For example, Facilities will address and fix a security or operational problem in Ubuntu 12.04's default LightDM graphical login manager, but not the KDE Display Manager, as kdm is neither installed nor enabled by default.
Modifications and additions that have been made to the stock vendor environment on Unix/Linux hosts running SCS Dragon include:
- OS and vendor-provided software updates are pulled from a local mirror of the distribution vendor's package repository. This mirror lives on the SCS network to provide reliability and conserve bandwidth.
- Hosts are configured to run the vendor's automatic software upgrade system nightly.
- An additional software repository is configured which contains locally-modified or patched versions of vendor-provided software, in order to provide timely response to security problems or bug fixes. These updates are provided in the vendor's package format, and are integrated into the standard OS package management systems.
- Configuration is installed that grants Facilities staff access to the host for system maintenance and troubleshooting.
- Many system configuration files get the majority of their defaults from the OS vendor, but Facilities provides a few tweaks that are merged into the existing system configuration. The automated configuration-merging systems also take care to preserve any user or local administrator changes away from the vendor or Facilities defaults.
- The vendor's AFS client is installed as the standard means for providing central file services.
- Kerberos support is enabled for many services by default.
- The mail system has been configured to forward all mail to the central SCS mail system.
- A daemon is installed to provide desktop backups (on machines that request them).
- SUP & Depot are installed to provide nightly updates of locally-written software (mostly cross-platform system administration utilities used by Facilities for automated management of a large number of systems).
For the most part, host-specific customizations can be done according to the OS vendor's typical mechanisms. See the SCS Dragon Unix/Linux administrators guide for information on how to perform certain system administration tasks and customize Dragon hosts in situations that deviate from the vendor's provided utilities. The SCS Dragon Unix/Linux quick reference has an overview of some common questions when using SCS Dragon on Unix/Linux hosts.