OBSD Admin Comments Digest



Hi

	I've received many comments. Following, a small digest.
In fact, there are two main ways: HTML or X+curses (a single
binary that can run on tty or X). (or HTML+curses+X ??)
	I prefer pure C code for the base program, to make it independent
of external tools (perl, tcl/tk, etc)

	I believe that X+curses is better, because it's self-contained and
works in the worst situations (no net/ip, no X, single user, only
root mounted, etc), but comments are welcomed. About security, the 
html problem is the WWW server admin (an external tool). Curses can
be used from console and has no IP interaction (and can be used to
install the system too). But, HTML allows multi-platform remote
administration.

	Please, if you want, submit your vote about HTML vs X+curses so
I can start to build some preliminary specification. I'll compare
and consider all the choices.

(I've worked with SCOadmin, SAM and IRIX admin, and I'm going to see 
the rest of the pointed tools)

	Or... do you prefer a remote MS-Windows based tool ? :-) :-) :-)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
	some of your comments :
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I would perhaps suggest a series of Python scripts or tcl/tk.

I think any admin tools like that should make you very aware of the
changes they are about to make _before_ committing the changes. Verbose
logging, preferably to syslog, would also be a good thing.

I believe something like webmin will be really useful. In fact we took
webmin and stripped down everything else except for its perl-based web
server, and used that to configure IPFilter and ipnat.

You might want to review the design and implementation of 'NetInfo' 
which is a distributed, redundant, hierarchical database that 
encompasses all the typical BSD /etc/* config files in NextStep
and OpenStep.  It's something that Microsoft's various registry
implementations try to be.  The UI might be more hostile than you
want but it does import and export of numerous file formats for
compatibility with classic Unix systems.  On NS and OS, many standard
libraries and utilities are modified to use this database instead
of or in addition to the old files.  Code for netinfo has been
released by Apple as part of the Darwin project.

Look at the IRIX system commands from SGI.  They do use an HTML system to 
do commands.  It's been rather nicely set up as well.

> HTML probably is more nice and easy to maintain, and text/X is solved
> by Netscape/Lynx, but I think that there are many security and configuration
> issues that turn it impractical or not safe. You must think also in
> single user scenario (comments ?)
Yes, there are problems. Some can be avoided by using your own http server
rather than trying to use CGI with an existing server. 

Some problems are:

- No IP, so http doesn't work.
  You can really only re-configure an interface using the browser solution. 
  It does mean you can configure X before it's going, which is an advantage 
  over X based configuration. X can be going without IP, but it's easier
  to configure IP 'manually' than it is to configure X.
  
  Maybe you can use lynx to http://localhost:1616 (assuming a http server
  on port 1616) to configure a machine that has no IP and no X? 
  I should try it and see what happens.
  
- No security, everything's clear text over the wire.
  Same problem for X (and telnet). No easy answer to this. Best solution
  may be to use ssh (once it's configured). Ssh works with a telnet/curses
  style solution, and allows you to tunnel X connections. It also allows
  tunnelling of arbitrary ports (e.g. port 80), but that requires a bit
  of effort to set up and is probably a bit of a stretch for a beginner.
  Could be useful for administrators who want a secure graphical interface
  though.

> The second is OBSD specific :
> 
> I'm not thinking in an OBSD specific tool, I'm thinking in a framework
> with scripts/binaries that do the job but, doing it 'for OBSD' means to
> make that scripts for the most of OBSD tasks. Also it means user extensible.
> If you make some very 'generic', it's only configured and used by the 
> people that don't need it...
Yes. A 'generic' tool that has to be set up for specific system types,
configured to work on an OpenBSD default system. If Linux/Solaris/AIX
or whatever want to use it all they need is to generate a configuration
for their system.

Have you seen webmin ? [http://www.webmin.com/webmin/] I looked at an early
version, and considerable development has taken place since the version I 
looked at. The web site appears to be down at the moment though.

SMIT has a nice feature that keeps a log of the exact actions taken by the
tool written as command line text. You could replay part of the log as a
shell script to do repetitive actions.

The user interface to SMIT sucks. The menus go too deep and by the time
you get there, you forgot what you were going to do.

Make it statically linked, usable with a curses terminal for when the
system is very ill. Maybe you can include a dumb editor like Pine's pico
or a statically linked vi for editing fstabs in single user mode.

HP's SAM looks nice but there are many places where it hides a lot of
ugliness that we need to look at. The most frustrating example is when
they turn on C2 security (US government's idea of "commercial security").
"Press this button and wait... done!". That's not likely to make the
OpenBSD crowd happy!

It needs a framework to add your own scripting. For instance I use Smail
instead of sendmail. I would want to modify any mail handling according to
my preferences.

Start simple! Do the common tasks that a newbie admin would need to do.
 - set up PPP
 - set up sendmail for the local site
 - add/remove users
 - play with fdisk, disklabel and newfs
 - Manage printing
as a start.

There is a SAM-like tool recently released for FreeBSD. Maybe you can have
a look at what they've done, and maybe maintain an OpenBSD-specific
variant. That might be easier than starting from scratch. See the excerpt
below from DaemonNews (March 99).

However, I'm not sure such a tool would be a priority in the project (I'm
just an enthusiastic user). There are many more tasks that would come in
handy, for instance, a tool to set up IP filtering and forwarding --
that's my favourite example right now. A tool to manage a VPN (photuris,
isakmp, sshd and other IPsec protocols).

There are several free sysadmin tools around, but none have matched what I want 
well enough for me to actually use them.

I'd like a tool that allowed the administrator to set up a system.

 - configure interface[s] IP address, subnet mask, etc (or use DHCP)
 - configure hostname
 - configure DNS (domain, search, server[s])
 - configure timezone
 - set system time (with rdate?)
 - configure ntp (when is ntp going to be integrated into OBSD?)
 - configure users/groups
 - configure X
 - configure printing
 
By 'configure' I don't just mean set up once. I mean able to change an existing 
configuration.

I'd also like to be able to manage some services like:

 - DNS
 - DHCP
 - File sharing with NFS
 - SAMBA (like SWAT only better)
 - inetd
 - Apache
 
I'd suggest the best/easiest way to do this is with a simple web interface. 
Something that works with lynx for the text only interface and with any 
graphical browser. SWAT (comes with SAMBA) is an example of how this can be 
done, although SWAT isn't quite there yet.

SMIT and SAM are perfect examples of how *NOT* to do sysadm tools. I've also
seen some linux "control panel" tool using tcl/tk (or looks like that); I
wasn't terribly impressed by it either.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

============================================================================
 Ministerio de Economia y Obras y Servicios Publicos
 Secretaria de Hacienda                    Tel    : +54 1 349-6110
 Pablo Luis Bucich                         Fax    : +54 1 349-6505
 Buenos Aires, Argentina                   e-mail : pbucic_(_at_)_mecon_(_dot_)_ar
----------------------------------------------------------------------------
Never attribute to malice that which is adequately explained by stupidity.
                -- Hanlon's Razor
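
The preview-before-commit behaviour, syslog logging and SMIT-style replayable action log suggested in the comments above, as an added example that is not part of the original message or of any tool it names. The function names, the `obsdadmin` syslog tag, the `ADMIN_DRYRUN` switch and the log path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical names): every action is shown before it runs,
# recorded as a shell-quoted command line that can be replayed with sh(1),
# and copied to syslog when logger(1) is available.

ADMIN_LOG="${ADMIN_LOG:-./admin-actions.sh}"   # replayable action log (assumed path)
ADMIN_DRYRUN="${ADMIN_DRYRUN:-0}"              # 1 = preview only, change nothing

# Quote one argument so sh re-reads it as the same single word.
# Embedded single quotes become '\'' ; trailing newlines are not preserved.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Render an argument vector as one replayable command line.
render_cmd() {
    line=""
    for arg in "$@"; do
        line="$line${line:+ }$(sh_quote "$arg")"
    done
    printf '%s\n' "$line"
}

# Show the action first; unless in dry-run mode, log it and then run it.
# The return status is that of the command itself.
admin_run() {
    cmdline=$(render_cmd "$@")
    printf 'about to run: %s\n' "$cmdline" >&2
    [ "$ADMIN_DRYRUN" = 1 ] && return 0
    printf '%s\n' "$cmdline" >> "$ADMIN_LOG"
    # Syslog copy; logger may be missing or unable to reach syslogd
    # in single-user mode, so a failure here must not block the action.
    if command -v logger >/dev/null 2>&1; then
        logger -t obsdadmin -- "$cmdline" 2>/dev/null || true
    fi
    "$@"
}
```

Because each log line is quoted rather than written raw, arguments containing spaces or quotes survive a later `sh "$ADMIN_LOG"` replay unchanged.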



