So welcome everybody. I'm here presenting Andreas Mundt, who will be talking about Debian local area network. So welcome him.

Thank you very much. Let's have a look. We all say Debian is the universal operating system. What does universal mean? Of course you can take this word into different areas, and it's a pretty universal word. I'm taking this word and using it for the number of machines you want to manage. We know this works pretty well with individual machines: you can install different kinds of machines, you have the Debian installer, you prepare the machines, configure them, and it works fine. We all know that. Then there is another use of Debian in enterprises, big enterprises. We have several examples of this, and what you usually need for that is an office of sysadmins. So you need to have people who care about the systems, who configure them and install them. That's something that is done and something that works. And what Debian-LAN wants to do is to help you if you want to do something in between: your local area network, not in a big enterprise, but maybe in a school, or in a university workgroup where you take your part of the university network and really run it on your own. Or in a small enterprise or startup, something like that. Non-governmental organizations you want to support, or associations. Maybe in your home network for your family, just to have centralized user management, a backup system and so on. Or you want to prepare a test environment; maybe for Debian you want to test networking, authentication, NFS or whatever, where you need several machines, where it's not enough to test a single machine. And this is where Debian local area network wants to help you. Okay. So what Debian-LAN tries to do is to complement Debian and make it possible, or simplify it, to install Debian in small or middle-sized environments.

Okay, just an outline of my talk. I already showed you the introduction.
Then I continue now with the goals, challenges and status of the Debian local area network project. I will show you how it is done and how it works. We have to look a bit more into the details, because Debian-LAN uses FAI and you need to have an idea about how FAI works. And then I close with a summary and conclusion.

Okay, let's have a look at the goals and challenges as well as the status. I already said it: Debian-LAN tries to help you set up a local area network as easily as possible, only with software in Debian. And it tries to do this as flexibly as possible. So what are the challenges? You want to have a simple installation, a simple setup, and of course maintenance and upgrades should also be as simple as possible. And with maintenance, it's not only the maintenance of the network after you've set it up. It's also the maintenance of the information you used to build this Debian local area network. It has to be updated for every Debian release, of course, and this also needs to be done in a way that is maintainable. Every network is slightly different from another one, so probably you want to change something in the setup, and it should be possible to implement these modifications easily. And finally, it wants to use only the Debian stable repositories and no extra packages.

Okay, what's the status for the time being? There are two network topologies Debian-LAN supports. One is shown in the upper picture: you have a dedicated gateway and a main server, and then you have client machines. You can have a diskless client machine, a standard workstation or a roaming machine. From the user experience, all these client machines are the same. But for diskless machines you don't need to have a hard drive; you just mount the file system from the main server. And for the roaming machine you have caching of credentials, so after you've logged in with the machine in this local area network, you can remove it from the network and take it home.
For example a laptop, and you can still log in. And you have two home directories, which you might want to synchronize or something like that. Then there is the second network topology, where the main server also acts as gateway. You need two interfaces in that system, and the firewall, which is implemented in the gateway in the other setting, is included in the main server in the lower setting.

For these machines I've just written down a few attributes. The gateway has a firewall that does masquerading. Then the main server: we have only one server, and it provides all services. The most important are authentication, the Kerberos KDC; then we have a directory service, LDAP; we have Kerberized NFSv4 for the home directories, which are provided by the server; we have an internal email system, and much more. I come to that later. Then on the clients you can install every desktop environment you like, and you can of course install other packages. For example, if you're in a university mathematics workgroup, you can use the packages provided by the Debian blend for mathematics, or biology, or physics, whatever you need. Or if you're in a school, you want to provide educational software. And maybe if you're in a medical institution, you want the packages from Debian Med. And you can tune the workstations as you want. Then, as I said, the diskless workstations are the same as normal workstations, and the roaming machines, as I said, just cache the credentials.

Okay, what services have been implemented on the main server? It provides DNS and DHCP. A Kerberos KDC is configured. Then, as I already said, LDAP; home directories are distributed via Kerberized NFSv4. We use GOsa for user management. GOsa is a tool used by the city of Munich to handle their infrastructure, so it's implemented here as well. Then Kerberized local email: there is an Exim configured, and Dovecot. And every user can have his own home page for the intranet. The system is monitored by Icinga and Munin.
You just have to add the size you want to allow. Then there is a web proxy and a package cache. If you need to provide packages not in Debian, there is a pre-configured local apt repository where you just drop a package, run a little script, and from then on it will be available on all machines. The firewall is implemented. etckeeper, just to see what your configurations are and how they develop. System backup, and you can install the machines over the network; how this works I will explain soon. And a few more things that are not so important.

Okay. Now we come to the next topic: how is it done? I want to explain how the Debian-LAN installation works, and to understand that you need a rough idea about how FAI works. I will explain that, the class concept, to you, and I will just show you the installation procedure, how that works. And then I focus on the Debian-LAN system and how it is implemented there.

Okay. We start with a general question. You want to roll out this network with different machines, so in the beginning you ask yourself: what is needed to install an arbitrary machine? That's what you need to know. And well, it's more or less what the installer asks you when you run an installation. In the beginning it usually asks you how to prepare your disk: what partitions do you want to use or to create. This is the first thing you need to know. Then you choose some packages; that's what's going to be available on that machine later. And finally these packages have to be configured, or more generally the whole system has to be configured. There are two ways to do that. You can use debconf preseeding. Or, if it's not implemented, and for some configurations it probably does not make sense to implement it as a debconf configuration, you have to prepare, edit, manipulate configurations. And that's all the information you need for every machine.
This has to be provided, and the more structured and flexible this information is, the more you can make use of it. Because you have to maintain this information, you want to modify it, you have to update it, things develop. So you need to provide this information in a well-structured and flexible way. And one possible way to do that is to use FAI, short for Fully Automatic Installation. Just to get an idea, who of you has an idea about FAI? Okay, so maybe half of you. I will now just explain how it works. You don't have to know the details, but you should have an idea about the general concept.

So FAI uses classes. Just think not of complicated programming classes but of containers where you can drop actions or attributes in. And every host name is mapped onto a set of classes. This is important: every machine is a member of a set of classes, and these classes define the complete setup of the machine. We said in the slide before that we need to provide how we prepare the disks; this is defined in a class. We have to define which packages we want to use; this is also defined in a class. And then we have to run the configuration. All this is available in these classes, and these classes are defined in a so-called FAI config space. I just show you here a directory listing of such a config space, just at the top level. It's just a directory structure with some files in it, and the file name defines which class the file connects to. When we start with the directory class, this is a directory with some scripts which map the host name onto classes. There are also some variables defined there which you can use when you do the installation. Then there is the directory debconf, and there you can populate the debconf database by preseeding, and you can do this for every class you want in a different way. Then we have the disk config; that's where I started the slide before.
We have to provide some information about how we want to partition our hard disk; that's in the disk_config directory. Then we may want to drop some files on the system; we can put them in the files directory. We want to run hooks during the installation; then we can drop these hooks in the hooks directory. package_config: in this directory, for every class there is a file that lists all packages that have to be installed on a machine which is a member of this class. Then we need in some cases to run a script or scripts to configure the system in detail; that's in the scripts directory. And finally, that's more or less something we don't have to care about because FAI cares about it out of the box, tests: at the end of the installation you can run tests and check if everything worked as you wanted, or whatever.

Just an example to make that a bit clearer. I said we have a gateway host, and this gateway is associated with the following classes: the classes FAIBASE, DEBIAN, DHCP, FIREWALL and Gateway A. So what do these classes mean? FAIBASE is just a basic class which every host usually is a member of. It just does the basic stuff on the machine, what you always need. DEBIAN is a class where all the Debian-specific basic stuff is done. DHCP means you want to have this machine act as a DHCP client. Then FIREWALL, that's where we set up the firewall thing, and Gateway A, that's a class which separates the machine-specific stuff from the firewall. So you have the FIREWALL class, which is meant to be useful on every machine you want to have a firewall on, and then maybe in this specific setup there's a special configuration, which you put into the gateway class. And all packages defined in these classes will be installed and configured accordingly. We want to look a bit more into the detail of the FIREWALL class, for example. We can look in our config space and look for the file named FIREWALL, and we see there are two occurrences of FIREWALL. There is package_config/FIREWALL.
So this is where the package you want to use as firewall on that machine is defined. And then you need to configure that firewall; that's done in the scripts. If you look into these files, you will see that the firewall package will be installed, and you have to provide some configuration for that package, which is done in the script FIREWALL.

Okay, FAI allows you to install the machines. It works in the following way. You boot an FAI live system from CD, from USB stick or over the network via PXE. Then you mount the FAI config space, so just the directory structure I showed you; you mount that on the machine. You can use NFS there as the default, or even connect to a Git repository, or there's a huge number of ways; you just need to get the information to the local host. Then you map the host name to its classes, and then the machine, depending on its classes, is going to be installed. So first it starts to partition the local hard drive. Then it configures the packages, or rather it preseeds the debconf database. Then it installs all packages and it configures the target system: it runs the scripts. And after you boot from the local hard disk, your host is set up exactly as you wanted it.

You have another mode which FAI can run in. That's the softupdate mode. You can run it on an already installed machine, and it will do almost the same as above, but it will skip the partitioning of the hard drive, fortunately. Apart from that it's more or less the same. Of course you can make a decision in your scripts if you want to run parts of your script only if you're in the install mode or only if you're in the softupdate mode. So these two modes are important for Debian-LAN.

I will now focus on how we use, or I use, FAI to install the Debian-LAN system. What Debian-LAN does is it just provides this complete FAI config space for the networks I explained earlier. And to get started and roll out such a network you have two possibilities.
You can just prepare such an FAI CD yourself. This FAI CD contains the configuration space; it's like a netinstall CD. And if you prepare the CD yourself and you already want to make modifications to your setup, you can put these in your configuration space before you build the CD. After that you have a customized netinstall CD, where you can immediately install your main server exactly as you wanted it. And there's an alternative way, where we use the FAI softupdate. With this method you install a minimal Debian installation with the Debian installer, for example, with as few packages as possible, and then you run just three commands: you install FAI, you name the host main server, and you run the FAI softupdate, and it will convert this minimal installation into a Debian-LAN main server.

After you've installed the main server, you've mostly done it; all other machines you can boot over the network and install over the network. When you take an unknown machine, a machine unknown to the network, plug it in and boot it over the network, you get the following installer. It looks like the usual Debian installer; in fact it is a Debian installer which you can boot. You can boot just the standard Debian PXE installer, but additionally you can run a Debian-LAN live system. This system does not touch your hardware at all. For example, if people bring their own laptop to your network, they can just boot via PXE and they have the standard system available on their own machine. You can also install a roaming machine; you just have to choose the point in the menu, and that's all so far. If the machine is known to the network, which means that you added the MAC address to the DHCP server, then immediately after you boot from the network it will start the FAI installation. Those of you who have run an FAI installation know how that looks, and you don't have to do anything; that's what fully automatic means.
So after some minutes your machine will be set up, included in the network, and run out of the box.

Okay, I want to go a bit more into detail about these FAI classes that are prepared by Debian-LAN, because that's of course the heart of the whole system. So the main server maps onto the following classes. We already learned a bit about FAIBASE and DEBIAN, and then there is the FAISERVER class. It includes all that is needed to make the machine a server which can provide the TFTP environment to boot other machines over the network from the server, and to install from the server. Then there is the class LVM88. That's just a short name for the partitioning, so it defines the partitioning. It means something like logical volume manager, and the number of partitions is eight; if you want to have an idea, when you just read it, how exactly the setup is done, you have to look into that class. Then it's a member of the diskless server class, so anything that is needed to set up the provisioning of diskless machines is implemented in this class. The FIREWALL class, we already had it. It's a CUPS server, so printing is configured there. It collects all logs from the network. It acts as a proxy. It provides the network time protocol to the network; that's implemented in the NTP server class. It's a DNS server, a network file system server, a mail server. It's an LDAP client as well as an LDAP server to the network. It's a Kerberos client. It provides the Kerberos KDC. Then the KDC uses LDAP as a database, and this is implemented in the KDC LDAP class. And then of course these classes are not completely independent, so there needs to be a server class, the Server A class, which does all the stuff that can't be associated with one of these classes. And finally GOSA, which integrates the graphical user interface for managing the system.

We can take a look at the workstations. That's of course much simpler. What is new there?
We are a CUPS client, a log client, an LDAP client, an NFS client, a Kerberos client, NUIS, XORG, and the desktop class, which defines that I want to have XFCE or GNOME or whatever on my system.

What is the philosophy behind these FAI classes? From the class names it became clear that for every service, for every feature that has been implemented, it has been tried to implement it as a separate class, and only non-specific modifications which cannot be associated with one individual feature, which sort of connect features, have been put into the server class or client class. You can easily extend this class space. You can just add, for example, a class EDU if you want to provide the school with software. In fact, this class is already available in the Debian-LAN config space; it says: okay, on my desktop machine I want to have this educational software as well. Or if you're a developer, you need some development software; put that in the DEVEL class. Or the localization you can put in the German or French or Belgian class, or whatever. It's completely easy to modify and extend it without touching the original system. So you have added your class; if it doesn't work anymore after you've added that class, it's clear that something in your class went wrong. So you can always easily go back: just do not map your host onto your new class, and if things work again, you know that something with your class is wrong and has to be fixed. And this leads to very nice development and maintenance features. For example, if my network time protocol setup doesn't work anymore, I just have to look in this class, either on the server, where I set up the NTP server, or on the clients. It's pretty clear in this config space where you have to look for a fix. And this matters because of this complex system, in which every component is not so complicated, but all in all it gets pretty complicated.
But with this structured setup, I have made the experience that it's really easy to add features and to debug features. The FAI-internal debug features also help, because you get logs for every installation of packages, and for every script you see if it worked or if the script failed, and if you do this in a careful way you have really a very good setup, which works pretty nicely so far. Then with these classes you get sort of a modular system. You can take these modules and, for example, I will show an example later, if you want to have two machines or different setups, you can take part of the classes and get rid of others. And as I already said, it's easy to extend the system.

Okay, just an example of how you can reuse these classes. For example, if you have this gateway setup, you might want to include a proxy there. That's easy to do by just moving the proxy class to the gateway, and then you have to check if you need to adapt the Server A and the Gateway A class to make it work again. Of course it changes a bit, but you already have a rough idea what to do. Or another example is if you want to split that onto two servers. You just add the new machine to your mapping, which does the mapping from the host name to the classes, and you map all classes you want to move from one machine to the other: you remove the classes from the one machine and add them to the other machine. After that you fine-tune the setup by adapting the Server B class; you need to create a Server B class then, and you need to make it work again.

Okay, I'm coming more or less to the end now, so we have time for questions, but first I want to give you a list of resources where you find more information about the project and the system.
I used the Debian-LAN wiki. There is now a package available, and it just made it to backports, so the system is always targeted at the stable Debian release, and you can fetch the config space from this backports package. Just take a look at /usr/share/doc/debian-lan-config/README; there it's described how you set it up. It's pretty easy, just a few commands. And we have a git repository where all the work is done, and the mailing list, so if you run into problems, or if everything works great, please report to the mailing list.

So far I can sum up and conclude that Debian-LAN provides a way to install a complete Debian-based network out of the box, including Kerberized services, central user management, diskless clients and roaming machines. I use FAI to set up that system and to install the machines. In my experience this works pretty nicely: very transparent, very flexible, very clean. And you are invited to provide additional classes if you want to make it work differently from what is done right now; maybe it already works, which would be fine of course as well. And so if you plan to install a system of that kind, then I would be happy if you would consider it and give Debian-LAN a try. That's so far everything. Thank you very much for your attention, and I think we have some time for questions.

Hello, it's not exactly a question, it's about the system of classes. A few days ago Martin Krafft, alias madduck, gave a talk about a tool he calls reclass, which is about externalizing all this class system with inheritance, and it looks exactly like this. The idea of this tool is to manage your data and describe it, and in the end a specific tool such as FAI or anything else would apply that. So I feel it's a nice split, and maybe someday FAI would use it, but I wanted to tell you about it.

Thank you, I have to look at that.

I have a comment about this. I guess FAI is mostly about installing the thing and bringing up the machine, and I guess the other tool is mostly about managing an already installed machine and making changes to it. This is my point of view.

I feel more it's about describing, and some other tool would apply it.

One question: you have a lot of FAI classes, I think maybe nearly 25 classes. I think it's a very good idea to have a lot of classes, to be very flexible, but for example in a school environment I think the teacher who is also the admin of a Debian-LAN system does not like to adjust the classes, but he likes to have a tool to say: I have two new machines, I want to say this machine is a workstation, a diskless or a roaming machine. Do you also have some tools that make it very easy for a teacher admin to add new machines, or does he have to edit the DHCP config, the DNS config? Are you using GOsa for this, so that he just clicks on three buttons and then he can add new machines to his LAN?

I try to keep as much as possible out of GOsa, so I only have the user management, the things that change quite often, or more often after you've set up the network; only this is done in GOsa. If you want to add a machine, I prepared a script where you can just give the command "Debian-LAN add to DHCP", and I think then you have to switch on the machine you want to add and switch all others off; it checks the ARP cache for the MAC address, and you can choose if you want to install that machine as a diskless machine or a workstation. And if you've done that, the script adds the MAC address to the DHCP configuration, and to the DNS system it's transferred via dynamic setup, so the MAC address is only, if you want to change that, it's only in this one point. So it's not graphical, but it's pretty simple, and I hope it's, it's always a trade-off: what you implement has to be maintained.

It's great, because I was waiting for such a script for a long time and I never had the time to write it on my own, so now I know there's this script for a very simple setup, adding a new machine to an FAI configuration. Thank you very much for the script, I will look at it.

Yeah, but I have been using GOsa for a pretty long while, so it might have been much improved since then, but already at the time I used it, it made adding a machine to GOsa's database and defining what the machine should do really, really easy, without having the need to, like, turn off everything else and just turn on the machines; I have to have a clean ARP cache. So why exactly did you keep the integration with GOsa to a minimum? Because I mean it's got tools to administrate the mail server, printers, clients, everything.

Yeah, I got the impression that it's not supported that much upstream anymore, and I had problems with, for example, the Kerberized stuff, because I have to provide the keytab to the machine and things like that, and the GOsa people did it with some agent thing, but it never made it into Debian, and whenever I asked them about this service which cares about this Kerberization stuff, they said it was sometimes working, sometimes not, and it's not the quality they really want to make a package of. And so after all this happening, and if you look at the upstream repository of GOsa, there was this fork, so I don't want to depend on it too much. And you can also switch off this GOSA class. So if you say, okay, I'm managing my users myself: there is a package in Debian called ldapscripts, where you can add users to LDAP, and you can use that without GOsa. I think there's even a little script provided by Debian-LAN where you prepare a list of users, just first name, second name, and you send this list to the script, and it just takes the name and creates a user name and creates all users in one batch. So if you're a bit familiar with the command line, and I think in the end you have to be that if you really want to run a Linux network, then it should work. And maybe if there are demands or wishes for better tools, we can think about it, but it's always: someone has to do the work. So it's done now so that it works fine for me. Everybody's welcome to contribute, and well, we will see what it evolves into.

Time is over, thank you very much Andreas again, and the next talk will be in a quarter of an hour; I don't really remember about what.
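Appended as an editorial illustration, not part of the talk and not code from the Debian-LAN config space or from FAI: a small POSIX shell model of the two mechanisms the talk describes, the host-name-to-classes mapping done by a script in the class/ directory, and the convention that a file named after a class in package_config/ or scripts/ applies exactly to the hosts carrying that class. The host naming scheme, the class lists and the contents of the throwaway config space are constructed for this example; in a real installation FAI's own class scripts and the fai-class tool do the mapping, and the classes are the ones the talk lists. The point worth checking in any class mapping is the order: FAI applies classes in the order they are defined and the last class wins on conflicts, so a host that picks up an extra class late in the list silently overrides what the earlier classes configured.

```shell
#!/bin/sh
# Added example (not Debian-LAN's or FAI's code). Models FAI's
# "host name -> ordered set of classes" mapping and the
# "file name = class name" lookup in a config space.
# Host names, class names and the config space below are constructed.
set -eu

# Map a host name onto an ordered, space-separated class list, in the
# style of a script in the config space's class/ directory.
# Assumed naming scheme: mainserver, gateway, ws-*, diskless-*, roaming-*.
# Order matters: FAI applies classes in this order, the last one wins.
fai_classes() {
    h="$1"
    classes="FAIBASE DEBIAN"
    case "$h" in
        mainserver) classes="$classes FAISERVER FIREWALL SERVER_A" ;;
        gateway)    classes="$classes DHCP FIREWALL GATEWAY_A" ;;
        diskless-*) classes="$classes DHCP DISKLESS_CLIENT DESKTOP" ;;
        roaming-*)  classes="$classes DHCP ROAMING DESKTOP" ;;
        ws-*)       classes="$classes DHCP WORKSTATION DESKTOP" ;;
        *)          classes="$classes DHCP" ;;   # unknown host: bare install
    esac
    printf '%s\n' "$classes"
}

# Given a config space directory and a class list, print the files in
# package_config/ and scripts/ that would be applied, in class order.
# A class with no file in a directory simply contributes nothing there.
fai_files_for() {
    space="$1"; shift
    for c in "$@"; do
        for d in package_config scripts; do
            [ -e "$space/$d/$c" ] && printf '%s/%s\n' "$d" "$c"
        done
    done
    return 0
}

# Build a throwaway config space where the file names are the only data,
# mirroring the layout the talk walks through (class/, package_config/,
# scripts/, disk_config/). Prints the directory path.
make_demo_config_space() {
    cs=$(mktemp -d)
    mkdir -p "$cs/class" "$cs/package_config" "$cs/scripts" "$cs/disk_config"
    for c in FAIBASE DEBIAN FIREWALL DESKTOP WORKSTATION; do
        : > "$cs/package_config/$c"      # constructed package list per class
    done
    for c in FIREWALL GATEWAY_A SERVER_A DISKLESS_CLIENT; do
        : > "$cs/scripts/$c"             # constructed configuration script
    done
    printf '%s\n' "$cs"
}

# Demo: resolve the gateway host and show what the config space has for it.
demo() {
    cs=$(make_demo_config_space)
    classes=$(fai_classes gateway)
    echo "gateway -> $classes"
    fai_files_for "$cs" $classes
    rm -rf "$cs"
}
demo
```

Running the block prints the gateway's class list followed by the five constructed files that apply to it; a host such as ws-lab01 resolves to the workstation classes instead and picks up package_config/DESKTOP and package_config/WORKSTATION but none of the firewall or gateway scripts, which is the isolation property the talk relies on when it says a broken feature can be found by looking at one class.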