Review: Ubuntu Server Edition 6.06
Friday, September 8. 2006

The release of Ubuntu 6.06 (Dapper Drake), back in June, brought not only a new desktop system to the Linux world, but also a server system with long-term commercial support. It has one key advantage over similar offerings from Redhat and Novell: the flexibility of the Debian dpkg packaging system.

This was of particular interest to me, as a system administrator who generally installs Debian, if given a choice. One of the annoying problems with Debian has been its potentially short support lifespan; essentially as long as it takes to get two more releases out. Admittedly this hasn't been a real problem, to date, but not having firm dates has been an issue in some environments in which I've worked. Another was its perceived lack of commercial support, which often made it very difficult to bring into a corporate environment. While I've worked in situations where I had complete authority to use whatever OS I chose, I've also been in workplaces where it has been made clear that Debian simply would not be used, due to the lack of a commercial organisation providing security support. Ubuntu's server release solves both of these problems, so I installed a copy to see how it held up.

Installation

Installation of the Ubuntu Server Edition uses the standard text-based Debian installer. It's a fairly straightforward process; a few locale settings at the start, networking, partitioning and finally setting up the bootloader. The partitioning manager gives you the option of automatic partitioning - which builds you a system with a small boot partition, and a large LVM partition containing everything else; or of manually choosing your own partition scheme, which allows for complex setups involving RAID and LVM.

Organisations that need to roll out large numbers of identically configured servers can take advantage of the option to use a Debian-installer pre-seed file at boot time, however it is poorly documented and is lacking much of the functionality of more mature auto-installation systems such as Redhat's Kickstart. Most notably, it is not yet possible to use preseed installation to install a system using software RAID.

Default Install

After installation, the running set of services is limited to udevd (the user space daemon responsible for creating and deleting device files under /dev), syslog, mdadm (running in monitor mode, to watch for software RAID events), cron & atd, and a bunch of gettys. The only bound port was that of dhclient (the DHCP client) - and in most serious server installations, this would not be used anyway. So, in a situation where you install Ubuntu Server with a static IP address, there are /no/ services listening on any TCP or UDP port at all. This gives Ubuntu, in my opinion, a considerable advantage over many other Linux server distributions in the security stakes; there's nothing worse than installing a server and then spending hours shutting down all the open ports from running services that are neither desired nor needed. The set of packages installed by default is quite minimal; enough to get the server onto the network, little more.

Kernel

Ubuntu Server comes with kernel 2.6.15. There are three kernels available in the x86 world: the default server version, which has been optimised for 686-class machines; a 386 version, which is unlikely to be used in a server environment, but is provided as it will likely work with older equipment; and a BigIron version, intended for use on BIGSMP, ES7000 and Summit systems. In addition to this, Ubuntu Server has been released for AMD64, PowerPC and, new for this release, UltraSparc T1 architectures.

It has support for EXT2/3, XFS, JFS and ReiserFS, so it's already ahead of Redhat Enterprise in terms of filesystem support; RHEL supports only Ext2/3, to the chagrin of many system administrators. Furthermore, the Redhat Cluster Filesystem, GFS, is also available in Ubuntu, although the userspace programs for this aren't provided as part of the default installation, and must be installed manually.
Interestingly, the userspace utilities for the newer Reiser 4 filesystem are provided as part of the base install, but there isn't any kernel support for the filesystem. I don't see any clear reasoning for this.

Moving over to the network side of things, Ubuntu's kernel has IPv6 support available out-of-the-box, plus a number of non-IP network protocols, such as Appletalk, IPX and DECNET. For those wishing to use Ubuntu for advanced networking purposes, there is support for network load balancing with IPVS, bridging support, and firewalling capabilities with netfilter. There's no firewalling on by default, however, nor is there a system for easily turning iptables rules on and off, as there is for Redhat Enterprise. The iptables package maintainer has provided an example of the old init script, which was previously used for this purpose - but has recommended against its use. I consider this to be a fairly serious omission.

Web Servers

Possibly the most common use for Ubuntu server will be for webserving, and it is well equipped for this, primarily by way of Apache 2.0.55, which is supplied along with a number of third party modules, including mod-perl and php5. Further to this, the installer even provides a LAMP installation option, which automatically installs apache, php, perl and mysql.

Apache proved very simple to get running; apt-get install apache2 was all that was required. This installed the package and its dependencies, gave it a default configuration and started it up. It comes with a number of modules for providing various services - mod_dav, mod_ssl, mod_proxy, to name just a few. The default configuration only enables two of these: mod_cgi, which enables the use of CGI scripts, and mod_userdir, which allows users to serve webpages from their home directories.

PHP (5.1.2) was similarly easy to install; apt-get install php5. This necessitates a switch from the apache2 worker server to the prefork model, but fortunately this is all handled by apt.
The CDROM provides a number of php5 modules: gd, ldap, mysql, odbc, pgsql, snmp, sqlite, sybase, xmlrpc and xsl, amongst others.

Zope 3.2.1 is also available, which will be attractive to web developers with leanings towards python. Again, installation was simple, but it wasn't so clear how to get it going. It would have been nice to have had a note in the README.Ubuntu file explaining the need to run mkzopeinstance, or even to have a default post-install script that created an instance for the user.

Mailserving is handled with a choice of postfix or exim, on the SMTP end, and dovecot to handle POP3 and IMAP. Postfix is chrooted by default, to add some extra security, and asks a few simple questions upon installation to ensure that it works straight away. After the operating system was installed, it required all of one minute to get a working mail server using Postfix, handling mail for local Unix accounts. Beyond that, there are separate packages available to provide LDAP, MySQL and PostgreSQL maps for users and/or mail routing.

Dovecot needed a bit of work to get going; by default, none of its available services (IMAP, IMAP-SSL, POP3, POP3-SSL) are running, and must be explicitly enabled in the dovecot.conf file. Furthermore, the pop3 daemon needs to have its UIDL format set in the configuration file, without which it will automatically exit when a user connects. This isn't documented in the README.Debian file, though. Despite this minor problem, it took me only a further ten minutes to build a working SMTP and POP/IMAP server that worked perfectly with Mozilla Thunderbird and Outlook Express.

It's a shame that neither spamassassin nor clamav have been provided on the CD, as they are almost essential in today's internet environment. Both of these tools are available in the online Ubuntu repository, but unfortunately they are in the unsupported Universe section.

Databases

Most modern sites will require the use of some sort of relational database, and Ubuntu certainly does not hold back in that department. It supports the two most popular open source database systems, MySQL (5.0.21) and PostgreSQL (8.1.3), and for situations with more modest hardware requirements, sqlite libraries are available.

MySQL is compiled with big-table support (tables with more than 4G rows), raid support, InnoDB, the CSV storage engine, the federated storage engine and NDB cluster, amongst other things. Importantly, Ubuntu server has been certified for MySQL, although there's no indication if this is referring to the MySQL packages that come with Ubuntu, or if it's just the platform that is certified to work with packages built by MySQL AB.

PostgreSQL doesn't have quite the wide range of backend options that MySQL has, but nevertheless is also a good choice for a database system. Upon installation, the server is run automatically, listening only to the machine's loopback address.

Network Applications

Should you wish to use your Ubuntu system to manage an internal desktop network, there is Samba for fileserving, ISC DHCPd for network management, CUPS for printer handling and OpenLDAP to manage single sign-on.

vsftpd comes pre-configured to be an anonymous ftp server and actively rejects non-anonymous connections. At first I thought this to be strange, but it then occurred to me that no-one should be using ftp for transfer anymore. This was the first time I've encountered vsftpd, having previously been using first wu-ftpd, then proftpd and finally pureftpd. According to the documentation, vsftpd has been designed with security in mind; hopefully this continues to be true. Configuration of the server is quite straightforward, consisting of a single configuration file.

The supplied version of OpenLDAP is 2.2.26, which is from a fairly old OpenLDAP line.
It's a shame that the current supported release version of OpenLDAP (2.3) isn't included in the distribution. It has been compiled with all modules as dynamic shared libraries, syslog and IPv6 support and with a number of backends included, BDB, HDB, LDBM, LDAP, Perl, shell and SQL, just to name a few. Upon first installation of slapd, the only question asked is for an administration password. The installer automatically determines the base DN from the system's domain name, and then creates a slapd.conf file and initial database. Should the administrator want more flexibility, then running "dpkg-reconfigure slapd" will re-configure the package and ask quite a few more questions, such as the name of the administration bind DN, whether LDAPv2 is to be used, and so forth.

Anyone looking to replace their problematic Windows servers, or just wishing to serve a number of Windows client machines, will undoubtedly want to look at Samba. There's little in the way of default configuration provided with the Ubuntu server package; all it appears to do is advertise itself in the MSHOME workgroup. Fortunately, the swat web-based configuration tool is part of Ubuntu server; this tool makes Samba's smb.conf file, with its huge number of options, considerably less difficult to build. The version of Samba released with Ubuntu Server is 3.0.23, and this has support for SMB file and print sharing, domain controlling (both primary and backup), LDAP authentication, and also the winbind service, which allows Unix users and groups to be resolved to a Windows NT server.

DHCP support is provided by way of the ISC DHCPd (version 3.0.3). It needed a bit of manual intervention to get it going; for fairly obvious reasons, the server isn't going to know which interfaces the DHCP server should be run on, so the user has to specify this, amongst other things.

Ubuntu can turn your server into a site-wide print server, using CUPS 1.2.
This huge program is pretty much the swiss-army knife of print systems; it can accept print jobs from the local command line using both BSD and System V interfaces, it can accept print jobs from the network using the Internet Printing Protocol, LPR and, using Samba, via Windows networking. It can send print jobs out to remote printers via IPP, LPR and, again using Samba, Windows networking. Furthermore, it has drivers for hundreds of printers.

Most business networks will require the use of a proxy server, generally to handle outgoing requests, reducing bandwidth by caching pages where possible; or as a web-accelerator, caching static pages and passing dynamic requests onto internal servers. While Apache can do much of this, Ubuntu also provides a dedicated proxy server, Squid. Squid arrives all configured and ready to run for the localhost only, and the user must manually modify the configuration to allow local networks to access it. A few patches have been applied to the package, but none of these change the behavior of the proxy noticeably.

Ubuntu uses ISC Bind as its nameserver. The default configuration, upon installation, has it acting as a caching server only. Disappointingly, the server is wide open to the world; anyone with network access to the server's port 53 can use it to look up names. I consider this a security issue, given Bind's history of problems; it would be preferable for it to be bound only to the server's loopback address at install time, and then force the user to explicitly allow external networks to access it.

Quagga is a fork of the zebra routing protocol daemon, with implementations of a number of routing protocols, including RIP, RIP2, RIPNG, OSPF, OSPF6 and BGP. A fairly clever feature of Quagga is its configuration system; every daemon has a command-line interface which can be accessed via telnet, where commands can be entered to take effect immediately.
Furthermore, these CLIs have been designed to mimic Cisco's IOS, so anyone with a bit of Cisco experience will be quite comfortable with them.

As mentioned earlier, Ubuntu has support for load-balancing network traffic, using IPVS. Such configurations, however, tend to then turn the load balancing server into a single point of failure. To alleviate this issue, the keepalived package provides an implementation of the VRRP protocol for network redundancy. Rather than just having a single IPVS server, two or more servers are used, each with keepalived configured to ensure that one (and only one) of those servers has a network interface with a particular IP address. Should that server fail, at some point, one of the other servers will then assign the IP address to its own network interface, allowing continuity of service.

Redhat Cluster Suite

One feature of Ubuntu that isn't yet available in Debian is Redhat's Cluster Suite. The suite provides GFS, a local filesystem that can be mounted on several servers at one time; typically via a SCSI, SAS or fibrechannel disk array, but presumably using iSCSI, or ATA-over-ethernet also. Unfortunately, specific documentation for running this on Ubuntu wasn't readily available. Installing the suite resulted in a number of errors, primarily due to the lack of a configuration file. Not really knowing where to turn, I first created a test installation on a couple of servers that I had running Redhat Enterprise, and then copied the configurations across to Ubuntu. After quite a bit of messing around, I eventually got it to the stage where all the packages were installed properly, and it started up correctly, and sure enough, I had a filesystem that was mounted on both servers. I feel that this is possibly a touch too convoluted for most people, however; it would be much nicer if a default configuration could be created that would at least allow the packages to install correctly in the first place.

Conclusion

In general, I found Ubuntu 6.06 Server to provide a good range of software for use on production machines. The various packages generally seemed to be in a much more ready-to-run state than I've found for comparable Linux Enterprise distributions; there's certainly much less messing around to get the system going. All that remains to be seen now is whether companies such as Oracle will come to the table, and certify the system for use with their software. I'm sure such an event would then provide the answer to the wishes of many a system administrator; to have a homogeneous network of only Debian-based servers, without the need for one or two Redhat or SuSE servers purely to handle Oracle.
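
As an added example (not part of the original review): the two port checks made in the review, that a default install has no network listeners and that Bind answers on every interface, can be repeated by reading the kernel's socket tables. The sample tables are constructed, and the decoding assumes IPv4 sockets on a little-endian (x86) host.

```python
import ipaddress

# Constructed sample data in /proc/net/tcp and /proc/net/udp format (not taken
# from a real host; header row abbreviated): PostgreSQL on loopback, Bind on
# the wildcard address, one outgoing HTTP connection, and dhclient's UDP socket.
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
SAMPLE_TCP = HEADER + """\
   0: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 9001
   1: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 9002
   2: 0A00000A:C001 0200000A:0050 01 00000000:00000000 00:00000000 00000000     0        0 9003
"""
SAMPLE_UDP = HEADER + """\
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9004
   1: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   104        0 9005
"""

# Socket state codes used in the kernel tables: 0A is TCP LISTEN, 07 is an
# unconnected (bound) UDP socket.
WAITING_STATE = {"tcp": "0A", "udp": "07"}


def listeners(table, proto, byteorder="little"):
    """Return (proto, address, port, is_loopback) for each waiting socket."""
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != WAITING_STATE[proto]:
            continue                             # established, closing, ...
        addr_hex, port_hex = fields[1].split(":")
        raw = bytes.fromhex(addr_hex)
        if byteorder == "little":                # assumption: x86 host
            raw = raw[::-1]                      # kernel prints a host-order u32
        ip = ipaddress.IPv4Address(raw)
        found.append((proto, str(ip), int(port_hex, 16), ip.is_loopback))
    return found


def exposed(entries):
    """Sockets bound to anything other than loopback, i.e. reachable remotely."""
    return sorted((p, a, port) for p, a, port, lo in entries if not lo)


if __name__ == "__main__":
    everything = listeners(SAMPLE_TCP, "tcp") + listeners(SAMPLE_UDP, "udp")
    for proto, addr, port in exposed(everything):
        print("%s %s:%d is reachable from the network" % (proto, addr, port))
```

On a live system, pass the contents of /proc/net/tcp and /proc/net/udp in place of the samples. IPv6 sockets are listed separately in /proc/net/tcp6 and /proc/net/udp6, which this example does not parse.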