HEPiX Autumn 2003 Triumf, Vancouver Mainly Windows issues. Gareth Smith. RAL PPD.


  1. HEPiX Autumn 2003 Triumf, Vancouver Mainly Windows issues. Gareth Smith. RAL PPD.

  2. Overview
  • HEPiX/HEPNT web pages at http://wwwhepix.web.cern.ch/wwwhepix/ contain links to this and recent meetings.
  • Summary by Alan Silverman.
  • Videos of presentations as well as slides.
  • 73 attendees.
  • Vendor talks/exhibits (RedHat, Microsoft, Parnasus, Ibrix).

  3. Timetable
  • HEPiX-HEPNT first three days (first day largely site reports).
  • ‘Large Systems SIG’ / Security Workshop Thursday/Friday.
  • Parallel sessions Friday morning.

  4. Windows in Site reports (1)
  • Oxford University
    • WTS (2000, 2003), Exchange (to 2003)
    • 200 PCs Win 2000 / XP
  • SLAC
    • XP migration about complete (total 1700 systems)
    • Exchange from 5.5 to 2003
  • TRIUMF
    • Use of SAMBA, WTS 2003 starting, Docushare

  5. Windows in Site reports (2)
  • LAL
    • IN2P3 forest across multiple sites (7 labs so far, 4 to join)
    • SMS for upgrades
  • CERN
    • New PCs with WXP (and/or Linux)
    • Mail migration from Solaris servers to Exchange
    • Pilot WTS 2003; WebDAV
    • CPU cycles from Windows screen saver for simulation

  6. Windows in Site reports (3)
  • GSI
    • Windows 2000 AD. Testing W2003.
  • DESY
    • Test migration to Windows XP, summer 2003
    • Install via RIS
  • JLAB
    • Windows 2000 domain upgrade done
  • NIKHEF
    • SUS used to update
    • Install via RIS or GHOST

  7. First Experiences using Windows Terminal Services on Server 2003. Alberto Pace for the IS group.

  8. Terminal Service Pilot at CERN
  • Approved by CERN Management in June 2003
  • 3 standard computers
    • desktop 2.4 GHz, 1 GB RAM, 40 GB mirrored disk
    • Usual scale-out architecture
    • Built-in load balancing
  • Supported freeware clients
    • Linux RedHat; Solaris being tested
    • Mac OS X
    • All recent Windows versions (98, Me, 2000, XP)
  • Thin clients simple to install & use
    • Internet Explorer 4 is enough on Windows
    • Simpler than the current ongoing effort on supporting Hummingbird Exceed

  9. Options that were dropped
  • Platform-independent clients
    • HOBLink JWT Java applet, http://www.hob.de/www_us/
      • Not freeware, license cost prohibitive
    • Citrix ICA (http://www.citrix.com/)
  • Uniquely X11 based
    • No additional client software required on UNIX clients
    • Performance issue
    • Complex licensing model

  10. Linux clients
  • rdesktop
    • freeware client, www.rdesktop.org
    • Source available
    • Compiled on RedHat standard IT version and Mandrake 9.0
  • tsclient
    • freeware front-end for rdesktop (XP look)
    • www.gnomepro.com/tsclient

  11. Discussion with user representatives
  • A large majority of delegates requested to continue and extend the service
  • Continue the standard service for the core applications
    • A subset of the existing one
  • Envisage the possibility of having instances of TS nodes centrally maintained where a particular service provider could install his own software
    • LHCb build service
    • AB/CO controls applications, with managed JVM
    • ST/MA Asset Tracking and Maintenance Management
    • EP/SFT for several custom applications
    • IT/PS for some engineering applications
    • TH to read mail attachments for non-Windows users

  12. The proposed “standard service”
  • Core set of applications for the standard service
    • Microsoft Office XP with FrontPage
    • Office XP Professional Multilanguage Pack (French, German, Italian)
    • Adobe Acrobat, Distiller, PDFMaker, Adobe PostScript Printer Driver
    • PuTTY 0.53b
    • CERN Client Printing Package
    • CERN Phonebook 2000
    • Zephyr
    • Symantec Antivirus Client
  • To be discussed
    • ActiveState Perl
    • Python
    • Visual Studio .NET
    • OpenAFS
      • OpenAFS has been one of the most welcome applications, but it had several technical issues
    • Microsoft MS Project 98 / MS Project 2002

  13. Conclusion
  • A step forward in Linux / Windows / Mac integration
  • Freeware clients exist for all platforms (except legacy Mac OS 8-9)
  • STOP or GO decision in November, based on manpower cost
  • LONG TERM COMMITMENT of 0.5 – 1 FTE

  14. Web-based file systems and WebDAV gateway services to CERN DFS file system. Alexandre Lossent, Alberto Pace.

  15. The “Web” is part of the solution
  • Standard extensions to the HTTP protocol allow managing files on web servers as if they were part of the local file system
  • HTTP Extensions for Distributed Authoring (WebDAV, IETF RFC 2518) have been widely adopted on all major OSes
  • Several commercial and public-domain implementations exist

  16. WebDAV
  • Web Distributed Authoring and Versioning
  • IETF RFC 2518 (February 1999), http://ietf.org/rfc/rfc2518.txt
  • An extension to the HTTP protocol
    • New verbs (PROPFIND, MKCOL, LOCK...), headers and status codes
    • Uses XML to format information
  • Initially designed as a way to author web sites
    • Redundant with FPSE in the Windows world
  • Versioning is limited to file locking (check in/out)
  • Can be used as a low-end network filesystem
  • WebDAV home page: http://webdav.org (see it also for related open-source projects)

  17. WebDAV today
  • File access:
    • Create / delete files and folders
    • Read / write files
    • Copy / move / delete / rename files and folders
  • Document locking
    • Prevents the overwrite problem, where two or more collaborators write to the same resource without first merging changes
    • Allows implementation of offline folders
  • Properties
    • XML properties provide storage for arbitrary metadata

  18. WebDAV tomorrow?
  • Access control
    • Set / view / modify access control lists using HTTP
  • Versioning and configuration management
    • The V in WebDAV means “Versioning”
    • Document check-out, check-in
    • Retrieval of the history list
  • Offline files and folders
  • Other advanced features
    • Symbolic links
    • Ordered collections
    • Aggregated operations

  19. WebDAV servers
  • Supported by all common web servers
    • Apache module mod_dav
    • WebDAV package in PHP PEAR
  • Built-in support in IIS 5 and 6
    • Need to activate the appropriate HTTP verbs: PUT (write setting), PROPFIND (directory browsing setting)
    • Permissions are managed by NTFS ACLs
    • Microsoft adds a header to the WebDAV protocol for an HTTP GET to return a script’s output or its source (source access setting)

  21. Summary
  • Use of WebDAV as an interoperable network filesystem is possible today
    • Can be applied to collaborative tools as well (Exchange)
  • Takes advantage of HTTP and XML ubiquity
    • Excellent level of interoperability for file access
    • Really reachable from any device / anywhere
    • Very simple to implement
  • But...
    • Still a few implementation glitches
    • https support is still limited
    • Not a high-performance file system
    • Not a replacement for a native file system (e.g. NTFS)
    • Permission management still requires custom implementations
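As an added illustration of the PROPFIND directory-browsing exchange that the WebDAV slides above describe (example code written for this summary, not code from the CERN DFS gateway project; the host name, the DFS paths and the 207 Multi-Status response body are constructed):

```python
import xml.etree.ElementTree as ET
DAV = "{DAV:}"   # the WebDAV XML namespace used by RFC 2518 elements

# Request body asking only for the properties a client needs to render a directory listing.
PROPFIND_BODY = """<?xml version="1.0" encoding="utf-8"?>
<D:propfind xmlns:D="DAV:"><D:prop>
<D:displayname/><D:resourcetype/><D:getcontentlength/><D:getlastmodified/>
</D:prop></D:propfind>"""

def propfind_request(path, depth=1):
    """Raw HTTP text of a PROPFIND for `path`; Depth 1 lists the collection and its direct members."""
    body = PROPFIND_BODY.encode("utf-8")
    head = [f"PROPFIND {path} HTTP/1.1", "Host: dav.example.org",  # assumed host name
            f"Depth: {depth}", "Content-Type: application/xml; charset=utf-8",
            f"Content-Length: {len(body)}"]
    return "\r\n".join(head) + "\r\n\r\n" + PROPFIND_BODY

# Constructed 207 Multi-Status response: one collection and one file; the file's
# getlastmodified property is reported as 404 inside its own propstat element.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/dfs/users/gsmith/</D:href>
  <D:propstat><D:prop><D:displayname>gsmith</D:displayname>
   <D:resourcetype><D:collection/></D:resourcetype></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/dfs/users/gsmith/notes.txt</D:href>
  <D:propstat><D:prop><D:displayname>notes.txt</D:displayname>
   <D:resourcetype/><D:getcontentlength>1234</D:getcontentlength></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status></D:propstat>
  <D:propstat><D:prop><D:getlastmodified/></D:prop>
   <D:status>HTTP/1.1 404 Not Found</D:status></D:propstat></D:response>
</D:multistatus>"""

def parse_multistatus(xml_bytes):
    """Turn a Multi-Status body into a listing; a 404 for one property must not hide the resource."""
    entries = []
    for resp in ET.fromstring(xml_bytes).iter(DAV + "response"):
        entry = {"href": resp.findtext(DAV + "href"), "name": None,
                 "is_collection": False, "size": None}
        for ps in resp.findall(DAV + "propstat"):
            if " 200 " not in ps.findtext(DAV + "status", ""):
                continue                      # properties in this propstat were not found
            prop = ps.find(DAV + "prop")
            entry["name"] = prop.findtext(DAV + "displayname")
            rt = prop.find(DAV + "resourcetype")
            entry["is_collection"] = rt is not None and rt.find(DAV + "collection") is not None
            size = prop.findtext(DAV + "getcontentlength")
            entry["size"] = int(size) if size else None
        entries.append(entry)
    return entries
```

Depth 1 is what a file browser sends per folder; a server that honours Depth: infinity walks the whole tree for one request, which is why most deployments refuse it.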

  22. CERN Print Manager. Michel Jouvin, LAL / IN2P3, jouvin@lal.in2p3.fr

  23. CERN Print Manager Approach
  • 1 central database describing all printers
    • Printer server (in a dedicated DNS zone)
    • Driver to be used for each printer, per OS version (currently W95, WNT, W2K)
    • Printer default settings
  • 1 client with 3 main components
    • PrntTray: Printing Control Center (main application)
    • LPRServ: LPR client (ability to show LPR transactions)
    • PrinterWizard: add/remove printers, change defaults

  24. Client: PrntTray GUI

  25. Multi-site Configuration
  • Allows switching between different sets of parameters
    • Central database locations, LPR parameters, …
  • No conflict between sites
    • Different directories for data files
    • Different registry paths
  • Site definition in an INI file
    • Client can be distributed with several sites preconfigured
    • Easy addition of a new site

  26. More information
  • Ivan.Deloose@cern.ch
  • http://printpackage.web.cern.ch/PrintPackage

  27. Installation of W2K/WXP using the unattended.sourceforge.net project. Rosario Esposito (1), Francesco Maria Taurino (1,2), Gennaro Tortone (1). (1) INFN - Napoli, (2) INFM - UDR Napoli. HEPiX/HEPNT 2003 – Vancouver

  28. Unattended installation systems [2/3]
  Unattended.sourceforge.net is an open-source project to manage unattended installations of Windows 2K/XP workstations.
  • Advantages:
    • No need for Windows and Active Directory on the server side
    • Supports a large number of network adapters
    • Customizable partition scheme
    • No need for .msi format to deploy applications

  29. Unattended installation systems [3/3]
  • Disadvantages:
    • No user-friendly interfaces
    • Tuning of some Perl scripts and batch files is required on the server side to obtain a good site-dependent installation system
    • No support for disk-imaging-based installations

  30. Conclusion
  • Unattended.sourceforge.net is a valid alternative to Remote Installation Service (~OpenRIS!), primarily in a Unix-oriented server environment
  • It is completely FREE and presents all of the advantages (and flaws) of an open-source project
  • It has interesting features, like the extreme flexibility of installation scripts
  • It is not the optimal choice in the case of homogeneous hardware
  • No support for application deployment after the installation

  31. Windows and UNIX Interoperability: tips, tricks, and secrets. Peter Skjøtt Larsen, Lead PM, Microsoft Corporation

  32. Client Options for UNIX code
  • A number of alternatives exist today:
    • Improved UNIX clients with better applications
      • Better desktop apps for Linux, etc.
    • UNIX-like environments on the Win32 API
      • Cygwin, uwin, mks
    • UNIX emulation on the Windows kernel
      • Microsoft Services for Unix
    • Virtual machines
      • Microsoft Virtual Server
    • Windows-like environment on UNIX
      • Wine

  33. All the comforts of home …
  • Replaces the POSIX subsystem (in Windows)
  • C shell and Korn shell
  • Single-rooted file system
  • Symbolic links
  • Win32® programs
  • Terminals and other devices
  • Services and daemons
  • Man pages
  • X Windows

  34. [Architecture diagram: Windows and SFU. The Windows kernel (win32k.sys, NFS client/server/gateway, other device drivers, CDFS/FAT/NTFS, Hardware Abstraction Layer) hosts both the Win32 subsystem and the Interix subsystem. Windows applications use the Windows GUI, the Windows command shell, Windows system admin commands and networking, Winsock and the Windows APIs; UNIX applications use the UNIX SDK (gcc), open-source tools (Apache, Tcl/Tk, bash, etc.), an X11 R6 server and Motif, UNIX/XPG/POSIX.2 commands and utilities, UNIX shells, SFU/Interix telnetd, BSD sockets and the UNIX/POSIX APIs.]

  35. Managed Co-Existence with Virtual Server [architecture diagram: Windows, NT 4.0 and UNIX applications, each with their own shells, commands and utilities, and GUI or X11, run on their own API and kernel (Windows 2003, NT 4.0, UNIX) on top of Virtual Server and the Hardware Abstraction Layer.]

  36. Virtualization Results
  • Linux app runs in the Windows environment with integrated …
    • User file store
    • Security context
    • Command execution environment
  • Access Linux transparently from Windows
  • Linux / UNIX apps run out of the box
  • Performance acceptable for many classes of apps

  37. More info …
  • http://www.microsoft.com/windows2000/migrate/unix
  • Email: migrate@microsoft.com, petela@microsoft.com

  38. Windows Discussion (1)
  • Software Update Services
    • Good results reported.
    • Take care if using more than one way to update (SUS, SMS etc.): they use different internal mechanisms to decide whether a patch has been applied.
    • Need to reboot when required by SUS; otherwise SUS may block and not cache further updates.
    • Synchronize with Microsoft’s updates (Tuesdays).
    • Maybe issues in handling Windows 2000 and XP clients at the same time.

  39. Windows Discussion (2)
  • Suggestion of putting personal firewalls on all systems (felt to be too complicated).
  • SLAC have contracted Microsoft to write a DLL that will synchronize passwords between Active Directory and Kerberos.
  • Hepnt-2000@fnal.gov – mailing list; Hepnt-2000-request@listserv.fnal.gov – to join.

  40. Computer Security Update. Bob Cowles, SLAC, bob.cowles@stanford.edu. Presented at HEPiX - TRIUMF, 23 Oct 2003. Work supported by U.S. Department of Energy contract DE-AC03-76SF00515.

  41. SLAC Computer Security: thinking evil thoughts, protecting from evil deeds

  42. Slammer Impact

  43. MSBlaster Released; MSBlaster at SLAC

  44. Microsoft @ Stanford
  • Universities tend to be a worst case
    • Diverse, unmanaged population, hardware and software
    • Unlikely to fit into the AD model
  • Stanford had 8000 machines compromised by Blaster BEFORE students returned for classes

  45. Conclusions [unchanged from last year]
  • Poor administration is still a major problem
  • Firewalls cannot substitute for patches
  • Multiple levels of virus/worm protection are necessary
  • Clue is more important than open source

  46. CERN’s Computer Security Challenge Denise Heagerty, CERN Computer Security Officer

  47. Incident Summary, 2001-2003

  48. Site Security: actions in progress
  • Hardware address registration enforced for computers using DHCP (wireless, portables)
    • Allows the user to be informed of problems
    • Started for some buildings, rest of site before Xmas
  • Off-site FTP closure
    • Firewall block planned for 20 Jan 2004
  • AFS password expiry enforcement
    • Forced annual password changes + email warnings
    • Already enforced for Windows/Mail passwords
  • Network connection rules
    • Define acceptable network and security practice
    • System admins must agree before connecting systems

  49. Worrying Trends
  • Break-ins are devious and difficult to detect
    • E.g. SucKIT rootkit
  • Worms are spreading within seconds
    • Welchia infected new PCs during the installation sequence
  • Poorly secured systems are being targeted
    • Home and privately managed computers are a huge risk
  • Break-ins occur before the fix is out
    • SPAM relays used a new hole before a patch and anti-virus were available
  • People are often the weakest link
    • Infected laptops are physically carried on site
    • Users continue to download malware and open tricked attachments
  • Intruders and worms can do more damage
    • When?
