Tuesday, April 21, 2009

What I Want the Ubuntu Server To Be

My Canonical Ubuntu Server Team colleagues, Soren Hansen and Thierry Carrez, have recently published manifestos on what they would like to see the Ubuntu Server become. Accordingly, here are my thoughts on the matter...

What I Want The Ubuntu Server To Be...

Secure

Security is the most important element of a server to me. Kees, Jamie, and Marc on the Ubuntu Security team do a fabulous job keeping the Ubuntu packages updated, and our servers safe from published CVEs and known security bugs. They have hardened the Ubuntu toolchain in a way that protects Ubuntu binaries from vast classes of vulnerabilities.

But I believe that security goes far beyond fixing bugs in code. I believe that security also consists of feature development. I believe that we've done a decent job integrating some really useful security features, such as:
  • AppArmor
  • Encrypted-Home and Encrypted-Private directories
  • ufw
I hope that we expand this list tremendously over our next releases.

I think every Ubuntu user (desktop and server) should automatically have an Encrypted Private directory where they can store their most sensitive information, with an easy option to encrypt all of $HOME.

I think we should use swap files, rather than partitions, by default, with supporting applications to resize them automatically or manually when your memory availability and requirements change. And I think you should be able to easily enable/disable swap encryption at your discretion--encrypted swap is essential for encrypted-private and encrypted-home directories, since otherwise pages holding the cleartext view of those files can be written to disk unprotected.
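
As an added example (mine, not code from the post), here is the crypttab/fstab pair for random-key encrypted swap, the pattern Ubuntu's encrypted-home setup relies on, together with a small audit of /proc/swaps that flags any active swap area not sitting on a dm-crypt mapping. The mapping name cryptswap1 is a placeholder, the backing device is passed as the first argument, and the /proc/swaps text is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the post: configure random-key encrypted swap
# and check that no active swap area bypasses dm-crypt.
# Placeholders: mapping name "cryptswap1", backing device passed as $1.

# /etc/crypttab line. The key is read from /dev/urandom at every boot, so
# nothing written to swap survives a reboot in readable form, and there is no
# key to protect. The "swap" option makes the cryptsetup init scripts run
# mkswap on the fresh mapping. Caveat: a per-boot random key rules out
# resume-from-hibernate; that needs a persistent key file instead.
cryptswap_crypttab_line() {
    # $1 = mapping name, $2 = backing block device
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# /etc/fstab line. swapon must use the mapper device; pointing it at the raw
# partition would silently put plaintext pages on disk.
cryptswap_fstab_line() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$1"
}

# Audit helper: read /proc/swaps-formatted text on stdin and print every
# active swap area that is not a device-mapper target (i.e. not encrypted).
unencrypted_swaps() {
    awk 'NR > 1 && $1 !~ "^/dev/mapper/" { print $1 }'
}

# Constructed sample of /proc/swaps: one encrypted partition, one plain file.
SAMPLE_PROC_SWAPS='Filename                Type        Size    Used    Priority
/dev/mapper/cryptswap1  partition   2097148 0       -1
/swapfile               file        1048572 0       -2'

# Number of unencrypted swap areas in the sample (expected: 1, /swapfile).
count_unencrypted_in_sample() {
    printf '%s\n' "$SAMPLE_PROC_SWAPS" | unencrypted_swaps | wc -l | tr -d ' '
}

echo "Unencrypted swap in sample: $(printf '%s\n' "$SAMPLE_PROC_SWAPS" | unencrypted_swaps)"

# Apply to a real host only when run as root with a device argument, e.g.
#   sudo sh cryptswap.sh /dev/sda5      (after swapoff on that partition)
if [ "$(id -u)" = 0 ] && [ -n "${1:-}" ]; then
    cryptswap_crypttab_line cryptswap1 "$1" >> /etc/crypttab
    cryptswap_fstab_line cryptswap1 >> /etc/fstab
    echo "cryptswap1 on $1 configured; remove the old swap line from /etc/fstab"
fi
```

On a live system the audit is simply `unencrypted_swaps < /proc/swaps`; an empty result means every active swap area is behind device-mapper. The cipher and key size in the crypttab line are the ones I would pick today; the 2009-era tooling wrote aes-cbc-essiv:sha256, which the cryptsetup scripts still accept.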

I would like to see us move toward having ufw enabled and running by default. I think this means that all services would need appropriate hooks to open the necessary ports for operation--something that needs to be implemented carefully and over time.
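
The "hook" that a package would need is an added example here (not the post's code, and not anything shipped by a specific Ubuntu package): a ufw application profile written under /etc/ufw/applications.d, validated before it is installed, and opened or closed by name from the package's install and remove scripts. The service name exampled and its port 8080/tcp are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own code: the per-service "hook" a package
# can ship so its ports are opened by name under ufw, plus a validator for
# the ports field. The service "exampled" on 8080/tcp is a placeholder.

# Application profile text, an INI file ufw reads from
# /etc/ufw/applications.d/. $1 name, $2 title, $3 description, $4 ports.
ufw_app_profile() {
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' "$1" "$2" "$3" "$4"
}

# Validate a ports spec before writing it: entries separated by "|", each a
# comma-separated list of ports or lo:hi ranges, optionally followed by
# /tcp or /udp (e.g. "137,138/udp|139,445/tcp"). Returns 0 if well-formed.
valid_ufw_ports() {
    printf '%s' "$1" | grep -Eq \
        '^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*(/(tcp|udp))?(\|[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*(/(tcp|udp))?)*$'
}

# Install-time hook: write the profile, make ufw re-read it, open its ports
# by name. A later policy change only needs the profile edited and
# "ufw app update NAME" re-run; no firewall rule has to carry raw port numbers.
install_ufw_hook() {
    valid_ufw_ports "$4" || { echo "rejecting ports spec: $4" >&2; return 1; }
    ufw_app_profile "$1" "$2" "$3" "$4" > "/etc/ufw/applications.d/$1"
    ufw app update "$1"
    ufw allow "$1"
}

# Remove-time hook: close the ports and drop the profile so nothing stays
# open for a service that is no longer installed.
remove_ufw_hook() {
    ufw delete allow "$1"
    rm -f "/etc/ufw/applications.d/$1"
}

# Show the generated profile; only touch ufw when root, ufw present, --apply.
ufw_app_profile exampled "Example daemon" "Constructed example service" "8080/tcp"
if [ "$(id -u)" = 0 ] && command -v ufw >/dev/null 2>&1 && [ "${1:-}" = "--apply" ]; then
    install_ufw_hook exampled "Example daemon" "Constructed example service" "8080/tcp"
fi
```

The validator is what makes this safe to wire into a maintainer script: a malformed ports line would otherwise be rejected by ufw at `ufw allow` time, after the profile file has already been written. `ufw app list` and `ufw app info exampled` show what the profile would open before the allow rule is added.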

I would like AppArmor and/or SELinux profiles for everything! This is a lot of very expert-level work that I don't really want to do myself ;-) I want to run my servers with fully enforcing MAC protection, but I don't even want to know it's there. Yes, this is a tough one, I agree. I was an SELinux developer working on Fedora and Red Hat when they first turned SELinux 'on'. It was painful. Maybe it still is? (I don't know.) This is a lot of work, but totally worth it in my opinion.
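
To show what "a profile for everything" costs per service, here is an added example (not from the post, and not an Ubuntu-shipped profile): a minimal AppArmor profile for a hypothetical daemon /usr/sbin/exampled, the complain-then-enforce rollout, and an audit that parses aa-status output to list profiles that are still not enforcing. The daemon, the paths it touches and the aa-status text are all constructed.

```shell
#!/bin/sh
# Added example, not from the post: a minimal AppArmor profile for a
# hypothetical daemon, the complain-then-enforce rollout, and a check that
# lists loaded profiles still in complain mode. /usr/sbin/exampled and the
# paths it touches are placeholders.

# Profile file name convention under /etc/apparmor.d: leading slash dropped,
# remaining slashes become dots (/usr/sbin/exampled -> usr.sbin.exampled).
profile_filename() {
    printf '%s' "$1" | sed 's|^/||; s|/|.|g'
}

# Profile text: the binary may map itself, read its config, write its log,
# state and pid file, bind a privileged TCP port, and nothing else. Anything
# outside these rules is denied (enforce) or only logged (complain).
apparmor_profile() {
    cat <<EOF
#include <tunables/global>

$1 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  $1 mr,
  /etc/exampled/** r,
  /var/log/exampled.log w,
  /var/lib/exampled/** rw,
  /run/exampled.pid w,

  capability net_bind_service,
  network inet stream,
}
EOF
}

# Rollout: load the profile in complain mode first, exercise the daemon,
# review the apparmor="ALLOWED" lines in the kernel log for accesses the
# profile is missing, fix the profile, then switch it to enforce.
rollout_profile() {
    f="/etc/apparmor.d/$(profile_filename "$1")"
    apparmor_profile "$1" > "$f"
    apparmor_parser -r "$f"   # load or reload into the kernel
    aa-complain "$f"          # log would-be denials, do not block
    # after review:  aa-enforce "$f"
}

# Audit: read aa-status output on stdin, print profiles in complain mode.
# Run periodically to confirm that "fully enforcing" is still true.
complain_mode_profiles() {
    awk '/profiles are in complain mode/ { on = 1; next }
         /profiles are in|processes/     { on = 0 }
         on && /^ +[^ ]/                 { sub(/^ +/, ""); print }'
}

# Constructed aa-status output: three enforced profiles, one in complain.
SAMPLE_AA_STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/sbin/exampled
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/mysqld (1234)
   /sbin/dhclient (987)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

echo "Still in complain mode: $(printf '%s\n' "$SAMPLE_AA_STATUS" | complain_mode_profiles)"
```

The complain phase is the expensive part the post alludes to: every code path the daemon takes has to be exercised, and each ALLOWED line turned into a rule or a deliberate omission, before the profile can be enforced without breaking the service. On a real host the audit is `aa-status | complain_mode_profiles`.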

Easy To Use

I would like the Ubuntu Server to be the easiest, friendliest Linux server on the market.

To some people, this means having a graphical desktop. For those people, I'd like to expose a simple option that is basically:
$ sudo apt-get install --no-install-recommends ubuntu-desktop
which would install a graphical desktop manager without some of the desktop add-ons like Evolution and OpenOffice, but continue to use the server flavor kernel. It might even be worth using Xfce rather than GNOME...

I don't think graphical desktops should be installed on the majority of servers, however. Most people don't need a graphical desktop manager; they simply need a window manager. For that, we have the command-line utility 'screen'. I've blogged several times about a new package I created with help from Nick Barcet: 'screen-profiles'. I think one of the screen-profiles configurations should be configured by default for each user on the server, and automatically launched on login. I believe that a shell running inside of a screen-profiles configuration for 'screen' should be the face of the Ubuntu server.

I would also like to see an ever-growing set of tasksel package sets, for creating Ubuntu servers with stacks of applications configured and working well together. I have been installing Tomcat on Linux servers since the Summer of 2000, and it's been a huge pain for almost 8 years. Thierry's work on Ubuntu's Tomcat packaging (and all the Java dependencies) has finally made this a one-step operation: sudo apt-get install tomcat6. Beautiful! I would like to see the same quality for other complex application stacks (e.g., Alfresco, SugarCRM).

Also, a complete "collaboration server" stack would be phenomenal, containing servers for a wiki, irc, document editing, listserv, pastebin, etc. Any small business using open tooling should be able to get all of these in a box, up and running in a matter of minutes or hours.

Stable

We added LVM-by-default for Ubuntu servers in Jaunty. And Soren had the brilliant idea of always installing Ubuntu Servers with a degraded RAID-1. This would make it really easy to add a second disk to a server sometime later. Great idea. I've done this before with my servers (actually, created a mirrored RAID on a server that was not set up for it). There was a painstaking set of very specific steps that had to be executed perfectly. We would need some additional tooling in userspace (beyond just the installer) to make the feature practical. But this is quite doable.
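
As an added example (mine, not the post's or the installer's code), here is the manual version of that idea with mdadm: a two-member mirror created with one disk and the keyword missing, the later step that attaches the second disk, and an audit of /proc/mdstat that reports any array still running short a member, which is the state a server would sit in until the second disk is fitted. Device names are placeholders and the /proc/mdstat text is a constructed sample.

```shell
#!/bin/sh
# Added example, not the post's own code: a degraded two-member RAID-1 built
# by hand with mdadm, the later attach of the second disk, and a check that
# reports arrays still missing a member. Device names are placeholders.

# Create the mirror with one real member and the keyword "missing", which
# reserves the second slot. The array is usable immediately, just unprotected.
create_degraded_mirror() {
    # $1 = md device (e.g. /dev/md0), $2 = first member (e.g. /dev/sda2)
    mdadm --create "$1" --level=1 --raid-devices=2 "$2" missing
}

# When the second disk arrives, give it a matching partition and add it;
# the kernel starts the resync on its own.
attach_second_member() {
    # $1 = md device, $2 = new member partition (e.g. /dev/sdb2)
    mdadm --add "$1" "$2"
}

# Audit: read /proc/mdstat text on stdin and print each array whose status
# block shows fewer active members than configured, i.e. "[2/1] [U_]".
degraded_arrays() {
    awk '/^md[0-9]+ :/ { name = $1; next }
         name != "" && match($0, /\[[0-9]+\/[0-9]+\]/) {
             split(substr($0, RSTART + 1, RLENGTH - 2), p, "/")
             if (p[2] + 0 < p[1] + 0) print name
             name = ""
         }'
}

# Constructed /proc/mdstat: md0 running on one disk, md1 complete.
SAMPLE_MDSTAT='Personalities : [raid1]
md0 : active raid1 sda2[0]
      488254464 blocks [2/1] [U_]

md1 : active raid1 sda1[0] sdb1[1]
      248896 blocks [2/2] [UU]

unused devices: <none>'

echo "Degraded arrays in sample: $(printf '%s\n' "$SAMPLE_MDSTAT" | degraded_arrays)"

# On a real host: degraded_arrays < /proc/mdstat, from cron or a monitoring
# agent, alongside "mdadm --monitor" for mail on member failures.
```

The "painstaking steps" the post mentions are mostly around these two calls: the new disk's partition table has to match, /etc/mdadm/mdadm.conf needs the array recorded (`mdadm --detail --scan`), and the initramfs has to be rebuilt (`update-initramfs -u`) so the root array assembles at boot. The audit matters because a degraded mirror gives no protection at all; a server could run that way for years without anyone noticing.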

I hope we take a close look at ksplice for Ubuntu servers. For non-ABI-changing kernel updates, ksplice can actually roll out kernel changes to a running kernel, merely by compiling some code and inserting a module. Scary, I know. And it needs some heavy testing and security review. But in the interest of uptime, this could be an incredible feature. I met the developers at the Linux Foundation Collaboration Summit, and it seems that they do much of their testing and development already on Ubuntu. I think this would be pretty cool.

Also, I'm a big fan of Thierry's work on putting /etc under revision control. This is a great idea, very easy to use, minimal overhead. I'm hoping we'll see this on Ubuntu servers by default very soon, and possibly on the desktop too.

Efficient

I would like the Ubuntu server to be the 'greenest' Linux server distribution on the planet. We took a couple of steps in this direction in Jaunty (ondemand cpu frequency scaling on by default, server suspend/hibernate/resume working, powerman & pwrkap packaged). But there's a lot more to do!

Cloud computing and virtualization present us with new opportunities and challenges with respect to power management. I'm hoping to keep Ubuntu on top of these, with integrated functionality for migrating and consolidating workloads to the minimum number of virtualization hosts required to do the job, placing the rest in a suspended or hibernated state, and dynamically resuming hot-spare hardware when dictated by load.

Performant

I'm quite interested in btrfs. I don't know that we're quite ready to default to btrfs (for stability reasons), but I'm quite interested in heavily testing btrfs in Karmic, as there are some tremendous performance benefits available.

:-Dustin

12 comments:

  1. Dustin, I hope you'll post your btrfs impressions. I've read the info on it and it sounds like once stable it will be an ideal default fs for Linux as a whole.

  2. What to have on an Ubuntu server?

    Look at what Red Hat is doing....don't copy them...but they _are_ doing good stuff there...stuff worth looking into...

  3. Ksplice sounds really interesting!

    But I've been thinking about kernel updates for features you either don't use or are in modules that can be unloaded - these packages should be possible to install without reboot using a much simpler approach. This would only require some changes in how the kernel module directory is named and a script to check if a reboot is required to apply updates.

    I think that this can be a half step towards Ksplice, that is much less scary, what do you think?

  4. All of your ideas sound really good and I agree that screen-profiles are totally a huge help in using Ubuntu servers. Especially the collaboration stack also sounds really good.

    Just one thing: at the top, both your links point to Soren's blog.

    / Matt

  5. If security is an important feature for you, I think you need to talk about the AppArmor support more. Especially if you want to target enterprise users. For good or ill your AppArmor support is a differentiator.

    Especially talking in more detail about what packages contain AppArmor rules and what those rules actually protect against in Ubuntu server. What's protected out of the box? What applications/services packages include their own rules? MySQL does; what else?
    What does apparmor-profiles in universe additionally protect?

    SELinux has a public track record of known vulnerabilities that it has mitigated. Look at the SELinux Mitigation News feed at:
    http://www.tresys.com/innovation.php

    I haven't found anything similar for AppArmor which makes the case that AppArmor actually protects anything in a real world usage situation. The mitigation information that is available is buried in the Ubuntu Security Notices. You should probably think about lifting that information out of the USN notices and making your own mitigation news feed to raise the level of awareness of AppArmor's successes moving forward.

    -jef

  6. If you want to encrypt swap, then you may want to encrypt /tmp too.

    Also - as a long term goal - you can constrain the write access to $HOME for every process that belongs to a user who is using an encrypted home directory, by using SELinux.

  7. Dave-

    Good suggestion. I'll try to roll up my thoughts on btrfs, and post about it.

    For one thing, we're looking at rolling ecryptfs into btrfs, and provide encryption directly into the filesystem layer (rather than as an overlay). Should be interesting...

    :-Dustin

  8. toofirme-

    Thanks.

    I do not deny that Red Hat has an excellent server product.

    What would you like to see on the Ubuntu server?

    :-Dustin

  9. matt-

    Thanks for pointing that out. It's fixed now!

    :-Dustin

  10. aladin-

    Actually, I suggest that we make /tmp a tmpfs (entirely in RAM). That's what I do on all of my real systems (i.e., not VMs).

    I've suggested that we do this by default for Karmic.

    :-Dustin

  11. Jef-

    You can find the list of AppArmor profiles here:
    * https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles

    Clearly, that pales in comparison to the profiles available for SELinux. I grant that, and I think that we should re-evaluate at every Ubuntu Developer Summit which MAC system provides the security functionality needed by Ubuntu users. Until now, AppArmor has served that purpose. I think now is a good time for Ubuntu developers to discuss the MAC model (if any) that we should use going forward.

    :-Dustin

  12. Dustin:

    Thanks for the link. As the AppArmor support grows you should probably push that information to a more visible location like in the introductory material for the Ubuntu Server releases.

    Maybe even make that a bullet point to stress as differentiator with Debian server once the out of the box AppArmor support gets to where you want it.

    Moving forward I would imagine security in the cloud is going to become more important. Red Hat's already implementing sVirt; it will be interesting to see what Canonical puts forward as an alternative to sVirt for virtualization security based on AppArmor to stay competitive for paying virtualization customers.

Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin