Glockenspiel
"Hot GNOME love for Admins"
Glockenspiel is GNOME's Lockdown Spiel. Get it?
Right now this is a bunch of semi-structured notes. We'll massage it to get to a good spec for working on the GNOME administration tools for deployments.
World Domination as an Optimization Hack (Report from the GNOME Deployments, July 2006)
GOALS
- Productize Sabayon/Pessulus. FIXME: this is vague.
Hint: Don't use "Sabayon" or "Pessulus" as brand names.
- Write high-level APIs for GNOME lockdown.
- Modify GNOME apps which are doing lockdown by hand to use the APIs.
- Have a basic, useful set of lockdown keys.
- FIXME: what is useful? Printing, saving, plugging hardware, running programs, logout, screen saver, reconfiguring the panel, reconfiguring nautilus, what else?
Everything in the Preferences menu. Mouse, Keyboard, and Accessibility settings may be more lenient but easily revertible. [MatthewPaulThomas]
- Key for "this is an old PC" aka "thin client mode" that does performance enhancing stuff (like, pick a fast theme that doesn't suck, disable thumbnails if I'm on NFS, etc.)
- Admins want more hardware control (Vista is going to do this)
- I want to be able to deny certain classes of hardware.
- Disallow mounting completely
- Be able to mount in a noexecute, read only mode.
- The ability to override any key with a password. (like you do with gksudo)
- Logout Customization. Log out on idle, or enforce login times. aka "Labs are open from 9-5, no one can log in outside those times."
- Make this pluggable so that Novell's admin/deployment tools make sense as the "driver".
- Flexible enough to get buy-in from every GNOME-shipping distro
- Have a way to deploy settings (i.e. no copying Sabayon zip files by hand).
- It would be nice to have a place to put a URL or something that exposes the zip to admins.
- Make it so I can version control my profiles! So I can roll back stuff, or merge from other people.
- For large enterprises, having settings in a directory server (LDAP) seems the right thing. Think Windows Group Policies.
- See what Windows does
- Notes on the GUI
TBD - I have screenshots and stuff, I'm going to do a full rollup of this soon. (JorgeCastro)
- Notes on Window APIs for lockdown
- Go to an Internet Café, and see how their Windows is locked down.
- Notes on the GUI
- High-level modes:
- Public terminal, no file access
- Thin client
- Etc.
- Tie to Sabayon profiles?
- About Me Integration
- Tie the e-d-s About Me dialog to an LDAP server so users can update their information and then that becomes available to everyone on the network.
- Study Sabayon
- See gnome-deployment-list (nearly defunct):
- We need to resurrect this
- Study Pessulus
- How to integrate Sabayon/Pessulus with things like Zenworks?
- Does Zenworks propagate the config changes to clients?
- Userful modified RHN to have their desktops check in with a server to deploy stuff.
- Is Sabayon pluggable that way? LDAP / scp'ed tarballs / etc?
- Where does the "GNOME" part end and the "distribution" part begin?
- Paper mockups and usability tests on actual sysadmins.
Going to try to do this at Ubuntu Mountain View conference (JorgeCastro)
- We'll audit some basic/core apps for accessibility
- that's also the list of apps we want to audit for basic lockdown.
- ZMD has a lockdown module, and it uses GConf. See what's up with that.
- Lockdown:
- How do you plug in modules to control Firefox's and OOo's own lockdown infrastructure? How do you deploy those? Hard problem.
- Need "only visit certain directories" in Nautilus and the file chooser? See Windows and the DeepFreeze product.
- Upon logout, clean my ~
- Look at Windows Public Computing Toolkit
- Windows: "resource control".
- YES. Quotas and limits. "No user can use more than Foo of this resource."
- Useful for thin clients
To-do list, at the end of http://live.gnome.org/TheseAreNotTheDroidsYouAreLookingFor
- STATELESS LINUX: What's up with that? Can we reuse it?
- Side hackery:
- Systemwide .desktop files to be shown on users' desktops (like KDE's).
- Menu editor? Alacarte? How are the changes propagated?
- Autostart is solved now (/etc/xdg/autostart)
- Strategy:
- Sysadmins are not programmers. If they need to extend Sabayon, they'll prefer a "simple" language like Python instead of C#.
- Will they actually want to extend this?
- I think so, the Microsoft Management Console has a "snapin" functionality that people extend to do all sorts of things
JerryHaltom: Windows admins don't "extend" this using the "snapin" functionality. ISVs provide MMC plugins for their own products. Admins simply attach those into their UI consoles. The ISVs either write those in C++ or C#.
- API / documentation:
- Lockdown APIs
- Documentation
- How to add lockdown support to your application
- Checklist
- Can your program spawn other programs? Make sure you follow the "disallow_running_other_programs" thingy.
- File/Save, File/Print
- GConf and preferences.
- Which menu items to disable based on which settings.
- Audit the core desktop apps
- If you disable File/Save, then the menu item must be disabled, *and* Control-S should not work. The toolbar, too.
- Checklist
- Stock LDTP tests for this?
- How to add lockdown support to your application
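Added illustration of the checklist above (not code from the page, Sabayon or Pessulus): one Action object backs the menu item, the toolbar button and the accelerator, so a lockdown key switches all three off together and Control-S cannot sneak past a greyed-out File/Save. The settings dict is a constructed stand-in for GConf; the key names follow the /desktop/gnome/lockdown/ namespace.

```python
LOCKDOWN_NS = "/desktop/gnome/lockdown/"


class Action:
    """Single entry point shared by every widget that triggers it."""
    def __init__(self, name, lockdown_key, callback):
        self.name = name
        self.lockdown_key = lockdown_key
        self.callback = callback
        self.sensitive = True  # mirrors the GtkAction "sensitive" property

    def activate(self):
        # Menu item, toolbar button and key press all land here, so a
        # locked-down action is unreachable by any route; None when blocked.
        if not self.sensitive:
            return None
        return self.callback()


class LockdownApp:
    def __init__(self, settings):
        self.settings = settings  # constructed stand-in for GConf
        self.log = []  # side effects that actually happened
        self.actions = {
            "save": Action("save", LOCKDOWN_NS + "disable_save_to_disk",
                           lambda: self.log.append("saved") or "saved"),
            "print": Action("print", LOCKDOWN_NS + "disable_printing",
                            lambda: self.log.append("printed") or "printed"),
        }
        # accelerator -> action name, as a GtkAccelGroup would map them
        self.accelerators = {"<Control>s": "save", "<Control>p": "print"}
        self.apply_lockdown()

    def apply_lockdown(self):
        # Run at startup and from the GConf notify handler, so a key the
        # admin pushes out takes effect without restarting the app.
        for action in self.actions.values():
            action.sensitive = not self.settings.get(action.lockdown_key, False)

    def widget_sensitivity(self):
        # What menu items and toolbar buttons show: greyed out exactly
        # when the backing action is insensitive.
        return {name: a.sensitive for name, a in self.actions.items()}

    def press_key(self, accel):
        # Control-S cannot bypass lockdown: it hits the same Action.
        name = self.accelerators.get(accel)
        return self.actions[name].activate() if name else None

    def click_menu(self, name):
        return self.actions[name].activate()
```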
- Communication with other teams/projects.
- Need to talk to distro LDAP people (FDS?)
- Transparent planning so we don't reinvent the wheel, do this right here upstream to encourage collaboration between projects
- Need an eDirectory hero to explain all the cool things that eDir does to those of us who don't know jack about it.
- Add support for coiners
- create a daemon for communicating with coiners
- add dbus interface for getting amount of current money and decreasing it
- create a client
- enhance gdm so that a program can trigger a logout
- use libnotify for displaying amount of money
- decrease money based on gconf options and send it to the daemon
NEW QUESTIONS FOR DEPLOYMENTS
- First, how do you use lockdown?
- What kinds of things would you like to prevent your users from doing?
- Is the current user interface in Sabayon/Pessulus enough for your needs, or do you need something different?
- How do you send that configuration data to your machines?
- Do you change your users' configurations often, or do you set them up just once at installation time?
- Have you used lockdown tools in other systems (Windows, KDE, etc.)? If so, what do you like / not like about them?
- Do you have any other comments?
- Finally, would you mind it if I made your answers available to the public?
- Remind them to join gnome-deployment!
NOTES
- Kiosk:
- http://websvn.kde.org/trunk/KDE/kdelibs/kdecore/README.kiosk?view=markup
- http://developer.kde.org/documentation/tutorials/kiosk/index.html
- Figure 5, "lack of handles in locked-down kicker", i.e. applets with handles cannot be moved, so they don't display the handles.
- http://lists.kde.org/?l=kde-kiosk&r=1&w=2
- http://enterprise.kde.org/articles/
- Aaron Seigo: http://enterprise.kde.org/articles/korporatedesktop.php
- Novell document: http://enterprise.kde.org/articles/Kiosk_customization.pdf
- Sabayon:
- http://www.gnome.org/projects/sabayon/
- High-level description: http://www.gnome.org/~seth/blog/sabayon
- http://mail.gnome.org/archives/sabayon-list/
- Revision history for profiles:
- Does Sabayon display a revision history for profiles?
- MarkMC mentioned it at some point on the mailing list.
- User stories: http://www.gnome.org/projects/sabayon/ldap.html
- Stateless Linux:
- Windows Group Policy Objects:
- http://en.wikipedia.org/wiki/Group_Policy
- http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx
- Spreadsheet with list of Windows Vista policies: http://go.microsoft.com/fwlink/?LinkId=54020
- Best practices:
- Windows supports "Organizational Units" and "Sites" and stuff. This is so that you can delegate administration to your subdivisions. You can say at the top level which things they *must* inherit from the base config, and which ones they are allowed to change. It is meta: you can say who has permission to define policies.
- Actually you can't, policies are directories on the 'Netlogon' share on the domain controllers. You need write permission there to create (or change) a policy and normal file access permissions apply. Once the policy is defined though, there's a permission on the OU that indeed says who can attach policies to it.
- Jorge Castro on admin tools:
- Jerry Haltom (wasabi) - knows about directories, LDAP. Ask him about reviewing some directory-ish stuff.
GDM lockdown: http://bugzilla.gnome.org/show_bug.cgi?id=361000
Dave Richards on plugging USB sticks into thin clients: http://davelargo.blogspot.com/2006/10/usb-access-to-thin-clients-via-server.html
Alberto Ruiz on Unidistro (common distro for Spanish universities): http://aruiz.typepad.com/siliconisland/2006/10/unidistro_guada.html
- student-control-panel in Ubuntu
BUGS
- Turn on "Panel/Lock down the panels" in Sabayon's lockdown dialog. Open a right-click menu in a panel applet or in the panel; you get extra separators.
- Turn on "Panel/Disable lock screen". Main-menu still has that option enabled.
- Turn on "Panel/Disable logout". Main-menu still has that option enabled.
- Lots of console spew from Sabayon.
- Suse bug? Missing /var/sabayon? Is it needed?
- Manu Cornet started doing the "disable logout fade-to-dark" thing.