Let's see, again, I'm going to skip some facts, so if you've got any questions, ask me afterwards. We've got a short window of about 15 minutes for questions, or you just catch Jan and me; we will be at DebConf until tomorrow afternoon. How LiMux got started. There may be differences in what you already know. There are press reviews or reports all the time: Munich does this, Munich does that. I want to show you what the Munich IT is like, what the client's components are, the infrastructure we have, some other projects, not included in our project, but I'll just show you because it somewhat depends on each other. When you do an office migration, for example, that's not part of our Linux migration, actually. I want to tell you something about the current state of the project and upcoming milestones. And then the demo stuff. Short history: project approval in 2003, real lift-off in 2005. That's exactly the first of January 2005, when I started to work for the city of Munich, and yeah, then the project started, so it's mainly my duty. Re-open source for desktop operating systems, that's a very important point. We're not touching the servers. We have to live with the server infrastructure. We got everything, you'll see later, and the recommendation was that new applications should be developed at least platform-independent; better would be web interfaces or something like that. Yes, okay, that's the heterogeneous part of our network infrastructure. We got 14,000 PCs, 16,000 users, some Windows NT4, Office 97, 2000; others needed to switch to Y2K, W2K and Office2K. We also bought some used licenses, where some press agency reported that we're migrating to W2K, I don't know why, that's some strange thing. We got about 170 special applications that we have to take care of. We got 300 common software products which are available through the whole city of Munich. We got almost every file service imaginable and yeah, the Windows 2 of course.
Many different products for system and config management and installation. Hitch-based installation by Shoes: the administrator goes to the worker and installs, and just puts the CD in the CD-ROM. And various MS Office-based solutions for template and boilerplate management. That's it. Nifty solutions everybody has to do because he doesn't get his favorite program, so he does it by Word macro or something. Yeah, what's very important is that we are not the ones who say you got to set up this client; we're just developing. We're supporting and developing, we're doing second and third-level support, but the departments, for example the KVR, which is giving the passports out, have their own IT department and they're installing and administrating their clients and service. We have nothing to do with that, we're just supporting if they run into problems or something. Seventeen organizational units with their own IT, 350 overall IT staff; that's not us, that's the whole IT staff from the city of Munich. 120 LiMux project members; that's not the development team, of course, we're just... actually, we're only two, that's us. We got external support from Gonicus, of course, but if we run an accident, the project will run into problems for sure. We got a centralized IT strategy management, which gives mostly recommendations and hardware procurement recommendations, because you can force the other IT departments to do what does not fit in the daily workflow, and the first premise has to be that the work can be done. Yes, and it's a decentralized, independent IT operation with their own support concepts. I think that's it for the complexity part, this has to be enough.
That's a short overview of the components the LiMux client consists of. It's mostly Debian Sarge with some back-ported components like KDE 3.5, newer X.Org, OpenOffice, Thunderbird, Firefox. It's not ISFU or something, it's still Thunderbird, because we have to, of course, give the user some stable names for the applications or they will be confused; it's not that we can just simply rename that. We got a new kernel, of course, but not the Etch kernel, and newer udev, the FAI 2.10, but it's not a real FAI version because we got some own patches in it, which we're working with Thomas to get into official FAI releases, but we'll see, we got a little fight. And the upcoming release will be based on Etch, we're working hard on that, and of course there will be some back-ported packages from Lenny. That's just a short overview of some of the components we had to integrate, for example the LDAP, for central system config management, for user information, addresses, telephone numbers; all is in LDAP at the City of Munich, that's the only central component we can trust, if you want to. There are file services, SMB, NCP, business applications, Windows terminal services. The software distribution servers are mostly only our servers, we did the separate, there's a client and an FAI distribution server for that, which also runs GOsa, and that's a picture of how it all works from infrastructure view.
That's an interesting side note about the other THAP projects. Actually it's parallel projects, but simply spoken it's the office migration, which is running. At about 13 templates, macros and forms are in use at the moment, or were in use, in active use, which had to be consolidated, which had to be viewed manually; you can do that automatically, we had some students do that. And the WollMux, which is an own development of our office team, that's a team of separate three people. That's a Java-based document creation system which does its work over the OpenOffice UNO interface. The main features are: if a secretary wants to write a letter for their officer, then he just selects in a drop-down, okay, I write the letter for my officer, and then the values are filled from LDAP and the letter is generated and she can only press print and it all works. There's a form designer and, yeah, I am leading the WollMux so it's German for it: you have to do everything and it has to do everything and everything must work, and to work perfect. Then we have the important application migrations. We do that mostly with either terminal server based solutions, web images or Wine, it depends, but for future developments, I already said it, web-based or at least platform-independent solutions are preferred. And of course the training for the client and for the servers, for the administrators who have to work with the new Linux desktops. Okay, some numbers. We've got people using Linux in three departments, mostly voluntary based. We've got two ways of migration in general. That means open source applications like OpenOffice, Firefox and Thunderbird are used on Windows, though the people who get used to it and don't recognize the difference when they get Linux installed, when they're in the weekend or something, or switching directly to Linux. Uncritical users first: if some user cannot switch because of some applications, we just ignore it, we won't lose any time. The first release was completed
in September 2006, and that's also where the e-learning platform went online. And up to date 330 workstation computers are already fully converted to Linux, migrated to Linux; 200 additional test workstations in the upcoming departments are installed and administrated, of course; 1,300 employees are trained; 1,000 workstations with open source software under Windows are running; 80 administrators trained for Linux. And notably the client usability was confirmed by the German TÜV for usability. The TÜV is a German institution for, yeah, I don't know, yes, it does some tests and certifies, it puts a stamp on it. It costs money for a stamp, okay, but it's definitely important for marketing, for internal marketing also. And we received the European e-learning award earlier in 2007 for the e-learning platform, and we want to have migrated 2,000 workstations to Linux in 2007. Okay, that's for the boring part, and now we're gonna demo it, real installation. Jan has prepared some VMware images to show you, so I hope it all works out, have fun.

I don't know, I don't know. We got a special workgroup who had looked at the client from a user view, so there were users which were viewed while they were working with the client when they saw it the first time, and yeah, what things were not so good or what is to improve, and then we implemented all changes they wanted to. For example, the focus, when you look at, Jan, the start menu, please open it: in our client, when you open here the Büroprogramme, what's called office tools, then you don't get OpenOffice.org, you get office writing tool or something. So that's a simple example of how you aid the users to the right programs even if they don't know it. Yeah, yeah, sure. The question was if we just implemented the changes and there was no additional review, did I get it right? Yeah, sure, sure, there was a special workgroup for that. It's a pretty important point; I guess from my mind it's about 60% of the whole project budget went into
e-learning and learning for administrators and users. It's not the development which is the big part. But I think we can take the questions afterwards, it would be great. Okay, then I'll give to Jan.

Okay, yeah, what do you think now is the first locking the administrator is seeing when he's logging into the, yes, what we call the depot server, which means the software depot where all the installation is running from and where all releases are lying. So I just do the login now. This is the main interface. Normally GOsa has a lot more features, but we are just using a few of them, for user management, for group management, to manage applications and get the systems running. And a very special plug-in we were developing in the last one year is the FAI integration, so you can do a Debian FAI installation from LDAP directly from a web interface. So basically I just deleted the old workstation, so it's not known any more to the system. So that's the normal stuff: you have DHCP running, you have PXE running, and now it gets the configuration file from the server, which is automatically generated. So the server knows that it doesn't have the client with its name and the MAC address in the database in LDAP, and sends some installation file, so it will check out what hardware it's found and write the initial LDAP object into the database. Takes some time. It's not internationalized, so there's just written that there's the hardware detection running, and since it's running VMs it takes a little bit more time. And now there's written "please contact your system administrator", and it will have now a new object and goes on. So there's a new device. Now you can select, basically select a target system; it means for us it's just you can install a workstation or another server object. We just stay with the workstation. Okay, the first thing, you set the installation mode, that you activate the system. Then you set up startup options; it means you select the kernel you want to install, the LDAP server you want to use, so if
you're for the whole city, we have a distributed LDAP server, so you have fallback: if the local servers in the departments are not running, they automatically go to the main one, but you can select them here. We just stay with the default server. You can select the installation server and you select a release, that's something I will show later. We just install the current default or development version, that's LiMux. You select the FAI class you want to add. Okay, then you define the devices, like keyboard and like the resolution and the driver for X. This will hopefully get better when we are switching to Etch; I think Lenny will have X 7.3, so maybe we'll get some kind of auto configuration for X there. Otherwise now you have to just enter some values. Normally you can use DDC, but it's not really supported by VMware, so we just add some, and then simply saving the object. And then you can see that, okay, the picture is not that good, configuration is running now. It's generated from the LDAP information; it generates the FAI config space, so it's basically dumping all the required LDAP objects which make this installation into plain text files. Because I have talked before with the virtual terminal; normally it's switching automatically, so the user sees just the progress bar. This is just simply parsing the FAI output and printing some numbers and calculating the phase where the current installation is running. So now it's formatting the hard disk. All the installation normally on a PC is about 12 minutes for 1.5 gigabytes of software, all the scripts are running, all the adaption of the hardware. This will take on the VM about half an hour, 20 minutes, so we'll just continue with some more stuff from the presentation while it's installing. So what you can see, what's different from the normal installation with FAI: first you have the DHCP request and PXELINUX is running. This is really normally contacting just the TFTP server, but we implemented
an own TFTP FAI daemon, an LDAP kind of daemon, which is just delivering all the stuff directly from the LDAP. So the PXELINUX requests the config for the MAC address, the daemon looks that up in the LDAP directory, generates on the fly the configuration file and delivers it to the client, so you can just manage your whole clients in the LDAP directory. This is really running on the fly. And after that we have a special hook, it's the only hook we are really using from FAI, which is just, it's called the config hook, which normally gets your configuration from an SVN or from an external server. So what we are doing is simply we are running a tool, ldap2fai, which dumps the configuration based on the client classes and releases. And while the installation is running, it's normally sending status updates to the FAI monitoring daemon; we also catch that and write those status into LDAP, so you can see if the installation is running fine or if there are errors or what's going on. What are the main changes we made to FAI and all this stuff is that we switched from normal IP status configuration to MAC-based, because that for us is much easier, and in the LDAP we use the MAC as the main information and identifier for our system. We added initramfs support, so we do not use the normal FAI kernels which are distributed in Sarge, but we use one kernel for everything. So the kernel is running the client, the kernel is running the servers and the kernel is running the installation, so you do not get problems with different kernels where the installation and the configuration doesn't match. Next is NFS version 4 support, which was required by our security people in the city, which means you just have one port, you do not need to open all firewalls, you just can use, I think, 2049 port for NFS4 and everything is going over that port, so that hopefully a little, for them it's much more secure. Yeah, then there's the enhanced faimond, you can say, which does TFTP and PXE and the status updates in LDAP, and yeah,
the dumping tool to really dump our release informations and FAI informations on the local disk, and this little tool which just parses the FAI output and prints some progress bar. So basically for us we have developed five main FAI classes. First class is really the client, which means the basic system which is normally installed for all the people in the city. Then there's a little enhanced version of the basis client which just has some more administrative tools, we call it admin PC. Then there's a special functionality, because first we thought, okay, everything is in LDAP, what is the best way we get an installation which can run without an LDAP server? Obviously there you could just create all the files locally from the LDAP information, but that would be a lot more work because now the user management and everything is connected to the LDAP. So the idea was simply create a caching feature which just, when the user logs in, creates a cache for the machine and the user, and so after the first login you can simply switch off the net and the user login will run fine even without the network. That's basically used for telecommuters which are just not working most of the time in the city, and outside of the city with notebooks. The most other interesting class is really the depot server, which means it's a complete server running GOsa, running FAI and having all the release repositories. So with this you can replicate the releases into the city, so you do not have a local server where everybody is installing from, but every time you can say, okay, for this department there's not a good connection, do a new installation, and then you just enter something like a parent server where it's synchronized to, and the local installation is running from this server and this server gets the updates from the parent server. And so you have a distributed installation mechanism in the whole city, especially because there are some outer departments which are just
going by ISDN, so it's a very, very slow line and you cannot install, okay, you could install clients over that, but I think it takes days to get an installation. What you can also do in GOsa generally is just create a CD from a FAI configuration. It means you go to the counter, to the workstation, say, okay, I want this installation in a department which does not have a network connection probably, and you get a CD and it puts the CD or DVD, okay, for us it's a DVD because of a lot of software, and you get a running system. Okay, we've talked a lot. I mentioned a few times the GOsa system. For everybody who hasn't heard of it, it's basically just an LDAP management tool. So what you can do, you can really manage a lot of stuff, like users, groups, you can manage applications, you can manage your systems, the FAI, what we did, and you can combine systems to so-called object groups. There are a lot more plugins available in vignette; just check out their homepage, there's a lot of, okay, maybe not a lot, but there's quite some documentation there and how to set up GOsa running on your own PCs. Okay, let's see how much the installation is running. It will take some time, some more, but every second there's a pre-installed client. So if now it's 30%, I think it at least would take an hour, 20 minutes, I don't know, so I will just simply kill it and use the pre-installed version. Okay, oh yeah, while we are waiting for the VMware startup, are there already some questions to answer?

I don't know, how you're doing updates and migrations and that sort of thing? Are we doing the update? Yeah, you're doing like apt-get upgrade on the machines and things they're installed? Normally FAI has a mechanism, it's FAI software update, and basically that's what we are using. Okay, so the software update is just the normal FAI without, almost, just partitioning, so you do not do real partitioning, but otherwise it's just running FAI; it's apt-get update, it gets the scripts running again, so they have to be idempotent then, so you can run them more than once without installing the whole system. That's a little bit complicated, but I don't know about that. So you can trigger that inside of GOsa. You just go there to the workstation; as you can see, there's now the client is starting up. You go simply to workstation, okay, too much stuff for a little notebook.

And you're going to do migrations to the next version, you know, from Sarge to Etch, using the same upgrade tool? To Etch, I'm not sure if that will work; we're just checking that out. Currently we are just first porting our stuff. But normally the installation is 12 minutes, so if you have really an incompatible version where you cannot do the simple software update, you just say, okay, install it with pc. Because what we are doing, we have kind of a mechanism for roaming profiles, so when the user logs out the whole home directory is copied to the server, because since we cannot change the server systems running, we just have SMB and NCPFS, and so you cannot use that as a real home directory. So what we are doing is saving, yeah, saving all the flags and copy all the stuff, and we should normally just put most of his stuff into a network drive which is mounted when you are logging in. So what you have in the first page, there's some actions. Okay, now the client is not running. Now if the client is running you can directly trigger a new installation, where the user gets a pop-up and it says, hey, the administrator wants to do a new installation, please close all your stuff, or wants to reboot, or whatever you can imagine. And for this, okay, I have just killed it, so there's just reinstall or the scheduled update which is running on the next boot-up. And by this, it's basically doing via SSH, and there's a user with a certificate, with a key there, and it can run, I think, three or four commands, and so the security is quite high because nobody really could use it to do something on the client, it's just for those commands. So yeah, now there's the login
screen. Since it's just 800x600 pixels it's a little bit compressed, but that's basically it. It's from the test laboratory, so there are no secure passwords; obviously that's not the same password I'm using for my normal. So now the login is running. This is the pre-configuration which is running before KDE is really starting up, so it's setting printers, it's setting USB devices, it's setting or changing the resolution, it's creating the KDE menu, it's creating the desktop icons, it's creating the panel and a few more stuff. I have some feet in the demonstration. And now the real basis client is, and KDE is running, and that's it. So obviously everything was configured the way that it looks like Microsoft. We have to say that because the most people in the city never have seen a Linux system before and we want to keep the training low, and actually we have also already spent, or we wanted to spend, already half of the money for the training, and while due this configuration we even could just keep the cost quite low. So there's not really something you wouldn't expect from anything, it's just plain KDE. The only difference is that the menu is just generated when they log in from the applications configured in GOsa. So okay, so it was about the client startup, then the login screen, then the pre-configuration, then KDE splash and the desktop. So what's really happening, and where all this configuration is got from LDAP, is two points. First is the boot process. In the boot process, yeah, you generate an instant first LDAP configuration, then X is configured to start up correctly, you get correct up installation and sys logging and time servers. All the rest is configured when the user logs in. So we create the LDAP cache if required, we configure printers, so CUPS is configured, and special user rules are generated, because in the city it's normally not allowed to use any external storage devices, so people do not bring
stuff on their computers or back to the net, but in GOsa you can enter with bids and allow them to work. Then you have all those shares mounted, you get a special kiosk profile which configures KDE and allows the users, yeah, to have a shell or not and different stuff, you get the syncing of a roaming profile, there are special login scripts you can assign to the users, and at least you generate the KDE menu and all the applications for the system. So yeah, that's a really short overview. The administration, yeah, book, it's, all you can say, really the book for the normal administrators in the city just to get some introduction stuff, there's a few hundred pages already, so it's nothing you can just show everything in an hour. And you just have, well, I don't know how much time is left, a few minutes left, so I think we have 10 minutes to go and answer some questions. You want to bring the microphone? I think it's easier.

Again, yeah, you mentioned during your introduction that you began with uncritical users, so could you give us a more accurate definition of what are uncritical users?

The critical part is not the user, it's the application the user is using. If you corrupt the workflow, for example for getting passports out, you get a problem of course, because people have to pay for their passports and they don't want to spend five hours waiting because the Linux client has some problem with some application, so that's a critical user, if you want.

So okay, my question was more about strategy for deploying such disruptive changes. Experience shows, and I imagine you had the same experience, that it's not usually widely accepted, or there is resistance to change, and what I would define myself as uncritical users, and the first one to start with, is upper management. So my opinion, but I don't know if this is the strategy you used: the first person to use this desktop should be the mayor of the city of Munich.

He already is, but yeah, you're right, you're absolutely right,
but I think the mayor is not a critical person, not from a technical point of view; it's his secretary. I've never seen anybody typing so fast, believe me. Any further questions?

I think I have maybe a similar question. You started with 300 and you now have 330 PCs migrated to Linux, but there are, let's say, more than 10,000, 12,000 left. What is your timetable for that?

Of course we're not fixed. We wanted initially, by the end of 2008 we wanted to be finished, but you can't really plan that accurately. The departments are pretty big; there are some departments, for example for the social work, where several thousand users are one big block, and there are small departments which are only a couple of hundred or dozens of users, and we try to do one big one next and then a couple of small departments after that, and we'll see how it develops, but initially we wanted to be finished by the end of 2008.

Okay, let's say I'm from Vienna and there's another project in Vienna, the linux project, and they have, as far as I know, a different approach. Is this still the goal of linux, to migrate all, really every?

This goal is not there. The target really was to migrate 80, because there is some 3D software running, for geologically special software, which we will never be able to really migrate, they won't work. So the target was, from our 14,000 PCs, you know, migrate about 12,000. Okay, so for the end of the year I think it's really manageable to do the first 2,000, because currently in all the departments there are tests running, and if the tests are completed and the people there and the administrators say, okay, all my requirements are met and I can really do the rollout, then it's quite fast, because you just have to say, okay, 15 minutes for the first 10 PCs, then next 15 minutes for the next 10 PCs. So after that it's quite easy, but the work before really doing the rollout is quite hard, because there was one year
of planning actually to say, okay, what are your requirements, and currently we said, okay, all the crime requirements are met, and the people are coming and saying, okay, nice to have this, but I also need that and that and that and that, and I have this vendor was kind of, it doesn't get out Linux version even as it says a year ago, okay, no problem, there will be a one, and yeah, this is the main problem.

And you also mentioned the usage of VMware. Is this an option for a larger scale? It means that more than a few users will use Linux as their first desktop, that's a primary system, and VMware for special applications, or is this only, now we call it, for few cases?

For us it's mainly for really a few cases, because normally you have to deliver the whole image and this is quite large even for installation, and you have to have another license, so it's not really an option. Most of the time we tried to use Wine, and we have some external company who's helping to adapt the specialist software to Wine and get that running, so I think that's a primary option. And after that, when it's running, we simply put the Wine version with the application in the Debian package and it gets installed, and so the users can start that. That's, I think, the main progress. Otherwise, yeah, VMware is especially nice for testing in the labs, when the people come and want to test new hardware or something like that, and on new installation it's quite good, but for real distribution I don't think it will be high demand.

Will there be a license change for WollMux? It currently only allows debugging and development of OpenOffice. There is the license, it says on the web: the city of Munich gives you a license for installation and use of the software solely for the purpose of OpenOffice debugging and development.

Yeah, there are a few, I can say, legal problems, because now what the main problem is, is that the state is not allowed to real to be concurrent to
any company, so if we release something and the next hairdryer is saying, okay, if you give me that much money I could do the same, the state would be a problem. There are people figuring out how to release the stuff, but those versions from WollMux which are distributed are mainly there because we found OpenOffice problems which were crashing OpenOffice from WollMux, and so we put that out so the developer can really test that. But well, we will see. We are asking a few times if there's some progress going, but yeah, it's not our position to release anything, so that's something, yeah, I think it's a little bit poor management, but we cannot do anything about that. And actually we have already 250 changes in our change management for the next few versions, which somebody was calculating would take us 17 years to implement, so yeah, I hope that there's going some progress, but I don't know.

Do you actually get free software developers to look at your stuff when you license it like that? Wouldn't that be like a complete blocker to get the OpenOffice developers to actually look at the files you provide when you are limiting it with that license?

We actually don't want to limit it. We're just not clear what the license could be for us. We definitely want to give it out, while we're at the moment mostly documenting, so the decision from the upper management how to give it out is not that important at the moment, because we're just documenting. You can read the source, of course, it would give it out, but you will have problems in getting it running without configuration examples and stuff like that. Well, I'm a free software, or did I get it wrong?

I don't think you understand the problem. I'm a free software developer, yeah, and I'm very careful with the license of the source I read, because if I'm not I might have a few lawyers visiting my house to do nothing to me, sure, and because of that I would not read the files you put on the web with that
kind of license, because then your lawyers might show up at my house to do nothing. So that's a real problem: if you actually want free software developers to look at your files and fix the software bugs that you have discovered, that license is not going to work.

Okay, yeah, I understand the problem, but that's the case for the WollMux, not for the client part and the FAI part, because we're already based on free software. We gotta give it out somehow and you can have a look at it for sure, we have to provide your look at it, and you won't, as far as I understand the GPL, you have to, and you won't run into any problems, that's what the GPL is for. Another thing is the WollMux. I don't know what license it will be, but I do know that the lead developer is very engaged in that, in working at the draft of the GPL version 3, and he will do everything to get the right license for the product. I don't know what it would be.

Sounds good.

Hi, so I'm doing very similar things at the institute that I work at, not nearly as sophisticated as the stuff you've got here yet, but similarly I'm using FAI to install desktops and blah blah blah. One of the issues that I have, and I'm curious to understand how you've addressed it, is, like you, I'm having to deal with a mixture of Linux desktops that I'm administering and there's the Windows desktops that the Windows guys are administering. They're all on the same network, so mixing together, and we really want a single centralized PXE and DHCP setup, I don't want to be maintaining separate things, and I'm still curious as to how you've approached that particular problem. Have you got, sort of, does everything PXE boot off the same server, and is GOsa managing whether something then actually boots off a Windows server, or?

In fact, we have not addressed this at all. As I said at the beginning, we're developing and we're giving out recommendations. We helped installing the servers initially and we're looking
at the environment, what the DHCP configuration is and where we could place our installation server, but it's in fact the duty of the departments to get it running. We're supporting that, of course, but as you may have seen, we have a very, very heterogeneous network, and yeah, of course we got problems. We got problems with Novell 6.5 DHCP servers, which have a bug in broadcasting PXE TFTP boot filenames, boot image filenames, the Unicode signs in it. I don't know why, but it's definitely a bug. No one knows about it, but they of course don't do anything. Yeah, we got problems. We can't agree that, we have to look at the picture when we, with it, the department, for example.

So do you have people using LANDesk as well?

For sure, but I don't know them. We got everything, for sure, I don't doubt. But if you got a special question in that direction, you're always welcome to write them by email, either to me or Jan or the central email address.

I have a bunch of questions. You call, like, LiMux a distribution. Does that mean, like, you rebuild all the packages? Is it a Debian derivative, more?

So, we rebuilt not all packages, but yeah, the backported ones mostly. We built it for us because we wanted to be sure that it worked. So yeah, we did not build all packages, we of course just such base and then the working.

And I was gonna ask, like, productivity of people who are using these Linux desktops, is it better than Windows? I mean, is there any, like, tangible benefits besides using free software type stuff?

You mean if they work more effectively with something like that? Okay. Yes, if you give them more coffee, they will do. I don't know. But basically people are just saying, we have some information days every half a year where people which are not using Linux in their department can come and see some installations and can play with it, and normally the people are just saying it's not really different, it just feels like, yeah, like Windows. And that's what we were
really targeted for, so we do not have to train a lot of new stuff. And yeah, I don't think it's more effective or less effective, it's just mostly the same.

My question is related to that one. How much training are you giving per standard administrative-type user, and once it's been given and they've gone back to use the new desktop, what evaluation on that training are you doing?

So we get basic blocks for all users. All users get that blocks. It's, I don't know, from a couple of days to a week, I think they can choose. And then you got that optional blocks: it's just e-learning where they just sign up with the username and there can choose which lessons they want to take. For example, if I'm not sure how to create a table, you just sign up in the web interface and, okay, how to create a table, you get Flash animations without, and just do that. And this is one big part, and of course you got additional courses for users and administrators which you can sign up for. Everybody has to get the basic block and then you just have the choice.

So is the answer about two days up to about five days?

I think the minimum is three days and the maximum is about five days. That's the maximum for the initial course. You don't have any restrictions how much e-learning somebody can do, because you can always sign up and redo some lessons.

Is there any tracking of how much training, on average, the individuals are doing and how much retraining they're going back to doing?

Not yet.

Okay. How many desktops have you rolled out now, out of the 12,000 you're expecting?

Sorry, what?

Of the 12,000 desktops you're expecting to roll out, how many desktops have you rolled out?

I think you just missed it. At the moment, productive, it's 330. That's a month ago, but it will grow.

Okay. At what point in the rollout are you anticipating checking how much training people are doing and how effective the training is being? Because you've
mentioned earlier that this is by far the most expensive aspect of the whole rollout.

I don't know. Okay, I'm just, you know, I'm just a developer. That's going too deep.

I think we'll have to finish.

Please, if you have any questions, get me or write an email or get Jan. Final note: I personally and the whole team of the Linux team and the distribution want to thank you for the distribution. You did a great work, great base. Also Thomas, of course, with FAI. And we, and I personally, will be glad to give something back very soon. I don't know exactly what I can do for you, perhaps help with the security team, it's one of my main duties or something, but we want definitely to do that. And yeah, thank you.