
Once again, harsh open source for state-owned companies and big business, with examples of solutions. I believe in it, just so you know


I (on the right) am trying to explain to big business what open source is, and my colleague on the left gives open-ended decisions to sincerity.

After I talked about the myths of open source, we have been asked less often whether this area is really only for “garage” system administrators. Plus, the economic situation has made many not only plan for vendor replacement, but seriously consider open source software. In general, joy and glee.

But there are still many things to explain. Therefore, I will go through a bunch of questions about mail servers, virtualization, office pitfalls and other products that I am asked most often.

But I will not start with that. To begin with, let me remind you that on December 17, 2010, by order No. 2299-p, V. Putin signed a plan for the federal authorities and budget institutions to use free software. Now I will tell you how we are already planning to live in the world of Russian open source.

- What was in the old order?
In December 2010, a plan was established for the transition of a number of state-owned companies to open source software. The points are as follows: in 2012, exact qualification requirements from the Ministry of Communications and the Ministry of Social Development and Social Development of the Russian Federation, plus changes in the program for schools and universities (+ the Ministry of Education and Science); from 2013 to 2015, specific recommendations on software requirements are rolled out to state-owned companies. In parallel there is the technical part: in 2011, the formation of a package for solving typical tasks and the beginning of support work; in mid-2012, the creation of a single repository for federal agencies; at the end of 2012, the first test implementation; in 2014, the main launch. Here you can see the entire plan.

- And did it really get rolled out?
Not quite: many points were only recommendations, and there were certainly difficulties in communication between departments, and so on. In general, I do not see ubiquitous Russian open source, but there has indeed been some progress. Now another important thing is happening: on January 27, 2015 there was an order of the Government on “creating favorable conditions for the development of domestic competitive software”. This is a plan for import substitution and for directly setting up an independent open source software development center for state-owned companies. It sounds optimistic, but exactly what it is and how it will work will become clear in a couple of months.

- What is the problem with doing everything now?
The problem is that the import substitution plan involves the development of Russian software, and what falls under this definition is hard to say. For example, it is unclear whether Parallels software counts, and it is even unclear whether the creation of Bolgen does. As soon as the wording appears, almost all commercial players will obviously try to fit it.

I hope that is the boring part done. Let's have a FAQ!

Mail server


- What should I replace it with so that it resembles MS in interface and support?
Usually we need tasks, calendars, meetings, and so on: in general, everything required for full-fledged office work. Plus, this is usually a migration, that is, you also need to carry over all user data and keep the existing mail. Especially popular are:
• Zimbra Collaboration, whose functionality is extended with zimlets
• Zarafa

- What will it be like for users afterwards?
After migration, most users will most likely continue to work in Microsoft Outlook (synchronization via MAPI). In this case users do not actually notice that the mail server has been replaced.

- And those who worked through the browser?
Those who worked through Outlook Web Access will have to learn a new interface. They will only need to get used to the Zimbra Web Client or Zarafa WebApp. Here is an example:


Zimbra Web Client Interface


Zarafa WebApp interface

- What is the architecture?
At the user level, the solution architecture is very similar to Exchange, but the backend is different. To make the solution fault-tolerant, it also includes servers with different roles, but database duplication and replication are organized differently. For example, you can use the same storage virtualization, GlusterFS, or Ceph.

In general, the topic has been studied quite well, and there are fewer questions on it.

Office software


Office software was and remains one of the main items of IT costs.

- What is the difficulty of the transition?
The main difficulty in the transition to OpenSoftis (and others like it) lies in the difference between the MS document formats (docx) and ODF: open solutions have to be set up to work correctly with proprietary formats. MS implemented some functions in its own way, and they are absent from the standard. The wrong way to migrate is to change the office suite and then start fixing the bugs that arise. The right way is to first work out the transition to ODF, that is, to change the format for saving documents while you still have the MS solution. By and large, you need to identify the functions that ODF lacks and exclude them from use (as a rule, they are implemented differently). There are several ways to do this, from simple additional user training to developing templates that carry the necessary parameters and customizing the office suite itself.

- What's up with macros?
Macros will have to be redone.

- What's next?
Once users have worked in this mode for some time, the office suite itself can be replaced without too much difficulty. For old documents, you will have to come up with an approach case by case. You can keep a few MS Office installations to convert particularly complex documents, or we can organize a mass conversion of the archive to PDF. The question is what the old document is needed for (and God forbid it is some complicated engineering document that has to be edited often).

Virtualization and terminal access


- What should an average company use for virtualization in its infrastructure?
The easiest to implement are oVirt and Proxmox. Architecturally, these products do not differ much from typical commercial ones, but there are differences in scaling. Proxmox, for example, is not intended for large installations. Monitoring is done via Zabbix or Nagios. For reporting, load graphs and so on, you can use, for example, Jasper: oVirt has an adapter for integrating with it, and a set of predefined reports already exists. Naturally, we are always ready to extend and customize it for a specific customer. Proxmox is very good up to 16 physical servers, and oVirt up to a hundred.

- What can replace terminal services in principle?
Many companies have terminal solutions in one form or another. Often these are solutions from the well-known company whose name starts with the letter C. But lately they have become extremely expensive, and everyone is looking for an alternative. A solution can be found for practically every requirement, although we must honestly admit that for now it is hard to match the leading commercial solutions. But then again, these products are often not used to 100% of their capabilities. Of those we can recommend, Ulteo is open source software with paid and free versions. There is also a paid commercial product, ThinLinc.

- What else do you need to know about switching to *nix after Win?
Architecturally, the products have role-separation and resiliency mechanisms similar to the rest. By the way, they can use Windows servers as terminal servers, that is, the broker itself runs on Linux and manages both the Linux terminal farm and the Windows terminal farm. In terms of the bandwidth used per user, a protocol similar to RDP is used, so the requirements are similar.

- What to do with Win-applications?
Many customers still have applications that they cannot yet port to the Linux platform, so there are a lot of questions about what to do with them when migrating terminal services. There is the option of using a paid Wine: colleagues support a fairly large number of office and accounting applications. Running a Windows application on Wine often requires debugging and configuration, but as a rule there are native counterparts. If we have the source code of the customer's in-house software, we can port it in a relatively short time.

- Can I leave Win-machines and change only the main solution?
Yes. A common transition scenario is to spend the first year on Windows terminals while replacing only the terminal solution itself. At the very least, this significantly reduces the investment in it.

- What about certification?
It is important to clarify whether a special type of protected information is involved: Alt Linux, Rosa Linux or Astra Linux are sometimes required because of certification by the FSTEC, the FSB or the Ministry of Defense. If certification is not needed, you can use CentOS, openSUSE, or their paid options, Red Hat Desktop Linux and SUSE Enterprise Desktop Linux. We recommend what we have already seen in practice, so the actual list of options is probably broader. The interface of most of these systems is close to the Windows environment, so it is hard to get lost.

Directory Service


Almost everyone wants to change directory services, but since this part of the infrastructure is quite critical, the customer usually touches it last.

- How to replace it without losing the functionality of group policies?
The main approach to this problem is LDAP plus a management system, Puppet or Chef.
The management system lets you replace group policies in terms of the scripts, settings, and other things that they handle.

- What do you need to know about Samba and OpenLDAP?
Probably everyone has heard of Samba 4.x for Linux, which can work as a domain controller, supporting the domain and forest level schemas of Windows 2003, 2003 R2, 2008, 2008 R2. OpenLDAP, working in conjunction with a Samba file server, can replace Microsoft Active Directory and Windows file servers. OpenLDAP is an open, cross-platform implementation of the LDAP protocol distributed under its own free license, the OpenLDAP Public License.

- What about group policies?
Win-admins have difficulties with group policies, so we recommend FreeIPA + Puppet or Chef (an LDAP directory plus management systems).

- Is it possible to log in to an AD domain from a Linux machine?
Authenticating and authorizing Linux machines in an Active Directory domain does not require additional tools. The necessary functionality is implemented by standard means.

- Well, all the same, what is most like AD?
Most likely FreeIPA: an open source project that provides centralized authentication and stores the data of users, groups, hosts, and other objects necessary to manage a computer network. Through the web interface and/or the command line, FreeIPA lets you centrally manage the secure infrastructure of the enterprise and the available resources. Starting with version 3.0.0, FreeIPA also uses Samba to integrate with AD using the trust method. It can manage such things as 389 Directory Server, MIT Kerberos, DogTag, DHCP, DNS, NTP.

Load balancing


The thing is, a big-name hardware balancer can cost as much as a cast-iron bridge. But in open source it is not that simple either: solutions differ in the OSI layer at which they can balance load: data link, network, transport or application. The existing fleet of equipment imposes a lot of restrictions. In general, the qualification of whoever implements it is very important.

- What is worth a closer look?
• There is a kernel component, Linux Virtual Server (using IPVS), that implements packet switching at the transport layer (L4). Everything that works at this level works, one way or another, in tight conjunction with LVS. An example solution is Keepalived, software for load balancing and high availability on Linux-family operating systems. With it you can build fault-tolerant load balancing at the transport layer (L4); Fault tolerant load balancing on a bundle with, for example, On the other hand, the same HAProxy or Nginx work at the application layer (L7). Load balancing at the level of network packets requires less computation and provides better scalability.
• HAProxy - an application-level (L7) load balancer and proxy server with captivating performance;
• BalanceNG - a balancer operating at the data link layer (L2), with good functionality and ease of configuration;
• Pound - a narrowly targeted tool: a reverse proxy server and load balancer for HTTP and HTTPS (L7);
• Crossroads - provides load balancing for any TCP services and allows flexible configuration;
• Zen Load Balancer - supports balancing at the transport layer (L4) for TCP and UDP and at the application layer (L7) for HTTP/HTTPS. Its main feature is a web interface;
• Keepalived - a simple and reliable layer 4 balancer;
• We can also use nginx and Apache as layer 7 balancers if you need SSL offload;
• In general, we can do Trusted TLS with GOST encryption. This is especially interesting for portal solutions that are exposed on the Internet.

- What tasks are most often solved?
For example, building a fault-tolerant solution and providing load balancing:
◦ on any ports;
◦ support for server NAT and client NAT mechanisms;
◦ checking the status of cluster nodes;
◦ the ability to remember the session;
◦ the ability to connect to network equipment via TRUNK and organize virtual addresses in different VLANs.

There are several solutions whose algorithms and methods are already described in the article “Load Balancing: Basic Algorithms and Methods”, and we can recommend some of them as proven.

Backup


We are almost never asked about backup, although the topic is very interesting. Data protection is perhaps the last area that customers are willing to entrust to “incomprehensible” open source software. Bacula stands apart here: it is loved and appreciated by those who have tried it. The remaining products, because of their meager functionality for working with enterprise software databases, can protect only small infrastructures with file data.

General issues


- What is more dangerous for data security - open source software or a commercial product?
In general, they are the same. With closed software you cannot look inside and figure things out, while an open product is weak in its early stages. Once a serious community has formed around a product, open source software competes directly with commercial solutions in reliability and functionality.

- How to evaluate the effectiveness of the introduction of open source software?
There are no capital costs for licenses. There are costs of integration and customization, and they are almost the same as for commercial software. For infrastructure solutions everything is usually much cheaper, while for application software it sometimes (rarely) turns out more expensive because of additional development. Instead of a vendor with support, there is almost always a company that does the same for a particular project, plus you can put any other team on support. The problem is personnel: as a rule they need to be trained, and there is a shortage of competent open source specialists who can also wear a tie.

- What is the difference between open source software and commercial?
In simple terms, the estimate for commercial software goes: “So, this fits here, this doesn't fit here, and this is almost perfect but expensive, that's a million from you”. And for open source software: “So, this fits here, this doesn't fit here, and we’ll just add one module to this.” It turns out cheaper, and everything fits as it should.

- What about the rights?
Given that we do not develop infrastructure solutions, the rights to what we develop are transferred to the customer. The customer can do anything with it, even publish it openly. But not all do so.

- What is the relationship with the community?
We are an integrator, not a developer, so we give back only a little. Nevertheless, Alt Linux, for example, received almost half of its annual budget from us for supporting one of the projects. We give feedback and help large vendors and open source developers fix compatibility between their products in integrations (as a rule, both sides then update their main branch). Most importantly, we know what a big project looks like and what its problems are. Open source developers often lack an understanding of big solutions. The enterprise is scary because of the hellish hassle over a bunch of different little things. Developers do not like such projects and are deservedly afraid of them. Actually, this is normal: the developer's job is the product, not the final implementation. But putting it to use is on us, and that is where a whole sea of surprises begins.

- Where are the myths of open source?
Right here. That post covers support and much more, plus a list of solutions.

- What has changed now?
Everything. The attitude to open source software has changed: people used to turn up their noses, and now, already at the stage of the IT development concept, companies add an item about import substitution. Open source software is given priority. Some industries and industry research institutes, on the contrary, are developing their own infrastructure and application solutions based on open source software and plan to use them universally within their industry's companies. Customers understand open source software better. More often there is a request for implementation options and prices, then an IT manager appears with whom CAPEX and OPEX are discussed, and then the admin materializes with whom my colleague (see Fig. 1) solves the technical issues. But of course there are not two of us in the department, but many more.

Any questions?


If you have any questions, come to our webinar on vendor replacement on April 29th. Details and the registration form are here.
If you cannot make it, my mail AlBelyaev@croc.ru and private messages are available for questions.

Source: https://habr.com/ru/post/256473/

