MASARYK UNIVERSITY, FACULTY OF INFORMATICS
Formalisation of the Central Management Service and broadening of the Solution for Unattended Installation
MASTER'S THESIS
Matej Antol
Brno, autumn 2013
Declaration
Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.
Matej Antol
Advisor: Mgr. Kamil Malinka, Ph.D.
Acknowledgement I would like to thank my work advisor, Mgr. Kamil Malinka, Ph.D., for his scientific and professional advisement. I would also like to thank Jaro, Radim, Martin and Nika for their time, help, opinion and advice. Finally, I would like to thank Dávid, Hanka and my parents for their support during my whole studies.
Abstract This thesis is divided into two main parts. The first part consists of a description of the Central Management Service provided by the Institute of Computer Science. The purpose of the Service is to unify the working environment and support for various localities at Masaryk University. The aim of this part of the thesis is to create a formalized document describing the Service, define the terms of service and introduce its technical solutions. The second part consists of a description, analysis, design and implementation of the upgrade of the system for unattended OS installation. This system is currently used as part of the Service, and its state is no longer sufficient in terms of the requested functionalities and their scope. The aim of this part of the thesis is the implementation of the new system with all the required functionalities.
Keywords ICS, Service of Central Management, unattended installation, OPSI, terms of service, remote OS installation.
Contents
1 Introduction . . . 1
1.1 Content of chapters . . . 1
2 Central management as a part of IT . . . 3
2.1 Central management of localities at Masaryk University . . . 3
2.2 Unattended installation of operating systems . . . 4
3 Central Management Service at Masaryk University . . . 6
3.1 Description of the Central Management Service . . . 6
3.1.1 Institute of Computer Science . . . 8
3.1.2 Technical departments and their competencies . . . 9
3.1.3 Windows domain ucn.muni.cz . . . 10
3.1.4 Localities managed by the Central Management Service . . . 11
3.1.5 Lifecycle of the workstation in the Central Management Service . . . 12
3.2 Formalization of the Central Management Service . . . 15
3.2.1 Overview of the created document . . . 16
3.2.2 Additional materials . . . 19
3.3 Summary . . . 20
4 Solution for Unattended Installation . . . 21
4.1 Description of the Solution for Unattended Installation in the Central Management Service . . . 21
4.1.1 Current technical system for unattended installation . . . 22
4.1.2 Process of the OPSI netboot product installation . . . 23
4.1.3 Netboot products . . . 25
4.2 Alternative technologies and tools for unattended OS installation . . . 28
4.2.1 Microsoft System Center Configuration Manager (SCCM) . . . 29
4.2.2 Unattended with Unattended GUI . . . 30
4.2.3 Automated Network Installations (ANI) . . . 31
4.3 Analysis and design of the new Solution for Unattended Installation . . . 32
4.3.1 Analysis of the current unattended installation system . . . 32
4.3.2 Design of the new Solution . . . 33
4.4 Implementation of the designed Solution for Unattended Installation . . . 35
4.4.1 Upgrade to the OPSI version 4.0.3.2 . . . 35
4.4.2 Carrying cluster . . . 35
4.4.3 OPSI testing environment . . . 35
4.4.4 Former OPSI server in the upgraded solution . . . 36
4.4.5 Synchronization of the OPSI servers . . . 36
4.4.6 Installation process speed optimization . . . 39
4.4.7 Support of the SSD discs and two partition division . . . 40
4.4.8 Operating Systems deployment outside the UCN domain . . . 41
4.4.9 Software deployment outside the UCN domain . . . 41
4.4.10 Kill Disk netboot product . . . 42
4.5 Summary . . . 42
5 Conclusion . . . 43
6 Literature . . . 44
A Appendices . . . 47
A.1 Description of the Central Management Service . . . 48
A.2 Popis služby centrální správy (Description of the Central Management Service, in Czech) . . . 64
A.3 Information poster: Computer study rooms and classrooms on MU . . . 79
A.4 Information poster: Univerzitní počítačové studovny a učebny MU (University computer study rooms and classrooms at MU, in Czech) . . . 80
A.5 Process of addition of a new workstation . . . 81
A.6 Process of workstation removal . . . 82
A.7 Process of the OS installation via OPSI system . . . 83
1 Introduction
Information technology is the study of systems used for storing, retrieving, processing and transporting various types of data. It can be divided into two main parts: the first concerns the physical equipment, the hardware, and the second the logic and instructions run on this equipment, the software. This thesis focuses on software solutions for the remote administration of larger IT units, with emphasis on the administration of workstations. These are deployed in various localities belonging to the structures of Masaryk University and share similar technical and usage characteristics. The solutions, approaches and tools described in this thesis were developed in order to provide an easily manageable, homogeneous working and studying environment. The maintenance of such an environment requires extensive, reliable and secure tools and technologies. On the other hand, the unification of the technical environment throughout the university provides a number of benefits for both the users and the technical employees managing this environment. The thesis is divided into two main parts. The first part describes the general approach to centrally oriented management at Masaryk University. The aim of this part is to create a set of documents and materials describing this approach in both a technical and a practical way. The second part is a detailed description, analysis and upgrade of one of the core technical solutions, which ensures the remote unattended installation of operating systems via the university network. The thesis was created in cooperation with the Institute of Computer Science.
1.1 Content of chapters
The second chapter of this thesis introduces central management as a part of information technology. It describes its position and significance in today's business, which depends on modern information technologies. Central management is then further described as a necessary component of the IT infrastructure at Masaryk University. The reasons for its documentation and formalization are also given there, introducing the third chapter of the thesis. The last section introduces one of the technical solutions of the Central Management Service, which is treated in the fourth chapter. The third chapter is divided into two parts. The first part is a general description of the current Central Management Service and its environment. The Service is described in the context of the IT infrastructure of Masaryk University and its requirements. The second part consists of a description of the resulting formalized document created as a subject of this thesis and of the minor materials derived from this document. The fourth chapter of this thesis deals with one of the core solutions of the Central Management Service. The reasons for the use of unattended installation tools are presented in the context of the centralized administration approach at Masaryk University. Selected tools for unattended installation are presented and described. Based on the presented requirements and state-of-the-art technologies, an upgraded version of the Solution for Unattended Installation is designed. The fifth chapter concludes the thesis, briefly describing all the achieved results. The appendices contain the created documents concerning the Central Management Service.
2 Central management as a part of IT
Central management can be understood as both a service and a technology area of IT. Nowadays it is one of the main IT areas, concerning the administration of larger heterogeneous units serving similar purposes. With the spread of IT into everyday work in most businesses, a need for its effective administration arose. The purpose of central management systems is therefore the administration of these technologies in larger organizations such as companies, universities or state offices. Management of such scope consists of three main parts, covering the lifecycle of both HW and SW equipment:
• Deployment of IT technologies and infrastructure
• Maintenance of these technologies and infrastructure
• Removal of these technologies and infrastructure
It can also be divided by the focus given either to the HW or to the SW equipment, or by the provider of the service into self-provided and outsourced IT management.
2.1 Central management of localities at Masaryk University
Masaryk University[1] is an institution of more than 40 000 students and 5 000 employees, divided into dozens of localities such as faculties, institutes, centres, departments and offices. Its infrastructure is fully dependent on IT in the everyday operation of both work and study. This infrastructure, together with all the IT equipment in the University's possession, has to be efficiently maintained in order to provide a transparent and straightforward working environment for all students and employees. The Central Management Service has been developed as a service distributed across selected university localities[2]. Its main role is to unify the IT environment, allow access to centralized IT resources, define administration rights and rules and provide all practices and technologies to the interested localities. The problem with the currently available information concerning central management at Masaryk University is that it is incoherent and partially out of date[3]. The objective of the first part of this thesis is therefore the creation of one core document describing the Central Management Service. It should cover three main parts: a description of the service, the terms of the service (containing the roles and duties of all interested parties) and a final part describing the technical solutions forming the Service. This document is meant mainly for presentation and informative purposes. It will serve as informative material for users (students and employees) and for the other departments participating in the provision of the Service. A number of less detailed materials should consequently be created in order to provide the necessary information to localities and technical departments, using the most appropriate and effective means. The document will also serve as documentation of the provided Service, which is necessary considering its size, impact and the number of employees working in its individual sections. It should simplify the comprehension of all supported solutions for all mentioned parties. The created document must be consistent with the dean's directive concerning the management and use of the computer network[4] and with the computer study rooms' operating regulations[5]. The majority of the solutions the Service consists of can be considered tools for remote administration. One of the most important solutions provided as part of the Service is the Solution for Unattended Installation. Its description and upgrade is the subject of the second part of the thesis.
2.2 Unattended installation of operating systems
Over the last two decades, hand in hand with the development of IT, the significance and use of network infrastructure has also grown. This enabled the deployment of remote tools for administration, which brought an extreme increase in the efficiency and scope of coverage of remote IT administration. It was also boosted by the growth of Internet coverage during this time. Today's technologies enable various functionalities, means and tools such as HW and SW audits and real-time monitoring, OS and SW deployment and updating over the network, HW failure detection, grouping of users, workstations and administrators into logical organizational units, access and rights management and many more. In addition to increasing the efficiency of remote management, these tools are also crucial in areas such as the transparency of the administrated units' processes, the definition of roles and rights inside these units and the application of security policies. One of the core solutions aggregated into the Central Management Service is the Solution for Unattended Installation. Its role is the installation of operating systems on workstations through the university infrastructure, with emphasis on uniformity (in order to guarantee easy administration), security and reliability of the provided system. The problem with the current system is that it has now been in use for more than three years, and its capabilities are no longer sufficient for the current needs of the Service. It has also not been updated to the current version because of the complexity of the adjustments made to it, and the documentation of some of these adjustments is lacking. With the growing demand for administration outside the Windows domain, new options for unattended installation are required in order to guarantee a standardized and easily manageable environment. Among the requested functionalities are the installation of operating systems and software deployment outside the UCN domain. All changes need to be made with emphasis on the continued support of all present capabilities in their full range. It is also important to create a testing environment for further development of the suggested solution. This environment should be as up-to-date and maintenance-free as possible.
3 Central Management Service at Masaryk University
As indicated in the previous chapter, the centralized administration of workstations and other IT equipment of various localities of Masaryk University, provided by the Institute of Computer Science[6], is known as the Central Management Service.
3.1 Description of the Central Management Service
The purpose of the Central Management Service is the management of university workstations and the related infrastructure. The main tool of the Service is the University Computer Network domain, also known as UCN. Its benefits in comparison with various local solutions are the integrity of the working environment and the same level of security and consistency of the services offered throughout the university's offices and departments. It also allows the optimization and automation of administration and of incident handling using standardized tools. Localities integrated into the central administration allow users to sign in with unified credentials and to use a unified working environment and a standard set of up-to-date software. A major benefit is the provision of the same environment in both classrooms and study rooms. Central administration, however, offers a much larger variety of services and use cases. Remote access to the workstations allows an easily accessible re-installation of the operating system on every workstation included in the Service. Related to this is the possibility of remote access to workstations, including tools for turning them on, shutting them down and restarting them. This led to the creation of time schedules for regular software updates (including the operating systems). The schedule is created in order to minimize the interruptions of work caused by these updates. Remote access to the managed workstations also provides a better response during support and the solution of occurring crises, tasks and requests. Central management of workstations also provides more efficient and transparent management of SW licences. There is a set of tools used for monitoring workstations, granting access to their SW and HW audit results and observing the current state of the computers and logged-in users. One very important part of the Service is the provision of regular updates for the basic set of software throughout the whole UCN domain. This is done in two basic regimes: automated, for software distributed in all similar localities in order to fulfil the intention of a unified environment, and on demand, for specialized software used during lectures or any other specialized tasks. Selected applications are provided via terminal servers[7] accessible from the university network. The Service also covers a system for the management of attached printers. Users are therefore able to use all printing devices in the managed localities using their ISIC card and university credentials. Localities included in the Service are also able to use the developed solution for the examination period. Workstations in this mode do not allow selected functionalities such as access to e-mail, the Internet, student profiles or the installed software. It is also possible to allow access only to the selected examination websites of the Information System of Masaryk University (IS MU). An analysis of the Service's possibilities should consider the role of the service provider. It should also examine the roles of the different technical departments managing various parts of the Solution in order to clarify their roles and interactions. The hierarchy of the UCN domain is also examined, as it is the essential technical system of the Service. For the further purposes of describing the Service as a product, it is necessary to analyze its receiver in the form of the administrated localities, which are grouped by their administrative position into various child domains.
3.1.1 Institute of Computer Science
Institute of Computer Science (ICS) is an institute of Masaryk University (MU). Its main role is research and development of the information and communication technologies at the university with long term focus on areas of digital libraries, healthcare, distributed systems and high quality multimedia processing. The institute also plays an important role in the maintenance, development, coordination and services in application of IT technologies at Masaryk University. This includes development of the university network and its connection to the academic network infrastructure. ICS also takes part in a number of international projects, research and technology development in various fields of networking, supercomputing, internet libraries and more.
Figure 3.1: Institute of Computer Science departments organization. [Organization chart; the units shown are: ICS management; Operational and Economic Division; Communication Infrastructure Division; Computational and Storage Infrastructure Division; Information Systems Division; User Support Division; Financial and Administrative Office; Security Department; Server and Data Storage Administration Department; Library and Information Centre; Contact and Monitoring Centre; Technical and Operational Office; Collaborative Systems Department; System Administration Department; Information Systems Administration; Complex Services and Training Department; Investment and Public Tender Office; Network Infrastructure Department; Software Development Department; Information Systems Development; Technical Support Department; Personnel and Wage Office.]
The Institute of Computer Science is divided into five specialized divisions, each consisting of a number of departments or offices[8]. The organization of the ICS departments is depicted in Figure 3.1. The department responsible for the administration of the Windows UCN domain (and consequently for the majority of the university workstations covered by the Central Management Service) is the System Administration Department.
3.1.2 Technical departments and their competencies
The UCN domain is administrated by four basic working units with different competencies, rights and responsibilities. By these parameters they can be divided into three levels:
• 1st: Contact and Monitoring Centre
• 2nd: Technical Support Department, local technical offices and departments
• 3rd: System Administration Department
Contact and Monitoring Centre
The Contact and Monitoring Centre is a department of the Institute of Computer Science. Besides roles that are outside the scope of this work, the Centre provides the first contact and support to all administrated localities. It serves as the connection point between the Institute of Computer Science, mostly in the role of the provider of the Service, and the localities, which hold the role of the customer in this relation. This department has no rights to the administration tools.
Technical Support Department
Another department of the Institute; its main task is the support of students and employees in localities that are not, even partially, self-supported by local departments. Employees of this department hold the domain rights corresponding to their job description. This includes full access to the managed workstations, the Active Directory infrastructure and the other tools for remote management, restricted to the administrated localities.
Local Technical Offices and Departments
Local Technical Offices and Departments is a collective title for all departments managing localities in the Central Management Service that do not belong to the infrastructure of the Institute of Computer Science but to the administrated locality itself. Their competencies are similar to those of the Technical Support Department.
System Administration Department
This department is responsible for the high-level administration of the whole UCN domain, the development of new features, tools and solutions, and the writing of documentation and guidelines for the departments of lower competencies. It also functions as the highest support department, solving the issues of the highest importance and impact regarding the Central Management Service.
3.1.3 Windows domain ucn.muni.cz
All the current computers belonging to the Central Management Service are administrated by Active Directory, the directory service provided by Microsoft[9], as depicted in Figure 3.2. The domain is called ucn.muni.cz, and it is divided into six child domains with different purposes and different levels of centralized administration.
Child domain ups.ucn.muni.cz
A subdomain consisting of the majority of the classrooms and study rooms of Masaryk University that have no need for individual child domains. Among these is the University Computer Centre, the largest of the administrated study rooms, with a capacity of 150 workstations.
Child domains phil., law. and fss.ucn.muni.cz
These domains were created to fulfil the needs of the Faculties of Arts, Law and Social Studies. They consist of libraries, classrooms, study rooms and working departments belonging to these faculties, and they are locally administrated by their technical departments. Nevertheless, there is a strong connection, since these child domains use the technical capabilities developed in the Central Management Service.
Child domain zam.ucn.muni.cz
This subdomain holds all the offices and working departments belonging to the University Campus in Bohunice, together with the employees' workstations of the Faculty of Sports Studies.
Figure 3.2: UCN Windows domain. [Diagram of the ucn.muni.cz domain and its child domains: ups.ucn.muni.cz with the organizational units Study Rooms, Class Rooms and Restricted (University Computer Centre, Faculty of Social Studies, Faculty of Education, Faculty of Arts, Faculty of Science, University campus Bohunice; Chemistry, Geography, Geology, Faculty of Education and Uni. Centre Telč class rooms); zam.ucn.muni.cz with Working places (Faculty of Sports Studies, University campus Bohunice); phil.ucn.muni.cz with PHIL (Library, Class rooms); law.ucn.muni.cz with LAW (Library, Study rooms and Class rooms); fss.ucn.muni.cz with FSS (Library ALEPH, Employees workstations, Class rooms); staff.ucn.muni.cz with Working places (Technology Transfer Office, Rectorate of Masaryk University, Uni. Centre Telč, Institute of Computer Science, Vinařská Dormitory, University campus Bohunice).]
Child domain staff.ucn.muni.cz
The child domain staff.ucn.muni.cz is designed to carry the working departments of the Institute of Computer Science, along with selected working departments belonging to other MU structures. It is the most recently created child domain in the UCN infrastructure. It was created because of the necessity of migrating the operating systems of employees' workstations and rearranging the UCN domain.
3.1.4 Localities managed by the Central Management Service
Localities administrated by the Service can be divided into three main groups:
• Study rooms
• Classrooms
• Working departments
Both study rooms and classrooms are technically similar, using the same security policies and standardized set of software. The only difference between these two types of localities is the additional software provided on demand in the administrated classrooms. Working departments, on the other hand, are conceptually different from study rooms and classrooms. Their software is a combination of the standardized applications and the applications requested by the employee using the workstation; this organization is similar to the software equipment of a standard classroom. More importantly, with regard to unattended installation, the hard drives of these computers are divided into two partitions, which enables the redirection of the local employee profile to the second partition. This solution was designed in order to prevent data loss in the case of OS re-installation or system failure.
3.1.5 Lifecycle of the workstation in the Central Management Service
Based on experience with the administration of workstations in the UCN domain, the necessity of formalizing inter-department cooperation arose. This experience has been projected into a short list of actions occurring in the workstation's lifecycle. These can be divided into two independent processes: the addition and the removal of a workstation in the UCN domain. The analysis of these sequences of tasks should increase both the effectiveness and the speed of their completion and the transparency of their execution. It should also help prevent human mistakes in the process, such as errors in the asset records, software licence records, organization of network connections and Active Directory organizational units.
Figure 3.3: Process of addition of a new workstation. [Process diagram with lanes for the External contractor, the Employee, the F & A Office and the Technical Support Department. Steps shown: Request of the new WS; Order of new WS; New WS order acceptance; New WS preparation, WS provision; Notification of the incoming WS; Notification accepted; New WS acceptance; Request of WS registration; Registration of the WS with a DKP code and report of the licenses pre-installed on the WS; WS registration confirmation; WS registration notification acceptance; WS installation and network settings adjustment (creating DHCP, DNS and reverse DNS records, adding the WS into the OPSI server, moving the WS into the proper AD OU); WS delivery to the employee.]
Addition of a new workstation (Figure 3.3; the figure of the process is also available in the appendices):
• Placement of an order for a new workstation with an external contractor
• Notification of the new incoming workstation to the Technical Support Department (workstation installation order)
• Acceptance of the new workstation
• Registration of the workstation hardware and software in the ICS asset records
• Hardware installation of the workstation: creation of the DHCP registration and of the reverse DNS record
• Software installation and licensing of the software used on the workstation: creation of the OPSI record, management of the workstation in MS AD
• Delivery of the workstation to the employee
Figure 3.4: Process of the workstation removal. [Process diagram with lanes for the External contractor, the Employee, the F&A Office and the Technical Support Department. Steps shown: Request of the WS removal; Request acceptance; WS removal; WS data deletion and network settings adjustment (deleting DHCP, DNS and reverse DNS records, removing the WS from the OPSI server, removing the WS from AD); Request of WS registration removal; Re-registration of the WS with a DKP code and report of the licenses released from the WS; WS registration removal confirmation; WS registration removal notification acceptance; then either WS stored in stock for further use, or WS sent to liquidation and WS liquidation.]
Removal of the workstation (Figure 3.4; the figure of the process is also available in the appendices):
• Withdrawal of the workstation from the employee
• Hardware uninstallation of the workstation: deletion of the DHCP and reverse DNS records
• Deletion of the workstation's data and report of the unused licenses: removal of the workstation from OPSI and MS AD
• Report of the changes in the ICS asset records
• Transfer of the workstation either to stock or to liquidation provided by an external contractor
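The two processes above, as an added PowerShell example that is not part of the thesis or of the ICS tooling: the technical steps of Figures 3.3 and 3.4 (DHCP reservation, A and PTR records, OPSI client record, AD organizational unit) carried out by one idempotent script, with a consistency check that the forward record, the PTR record and the DHCP reservation all describe the same asset before anything is deleted. The check is the part the figures leave out: a name or address that was reassigned while a workstation sat in stock must not have its records removed by the old asset's offboarding. The RSAT modules ActiveDirectory, DnsServer and DhcpServer are assumed to be installed; the server names, DHCP scope, zones, OU and the opsi-admin invocations are assumptions, not values or tools documented on the page.

```powershell
#Requires -Modules ActiveDirectory, DnsServer, DhcpServer
# Added example, not code from the thesis or from ICS: onboarding and offboarding
# of one UCN workstation along the steps of Figures 3.3 and 3.4.
# Every server name, the DHCP scope, the zones and the target OU are assumed
# placeholders; the opsi-admin invocations are an assumed way to talk to OPSI.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$Config = @{
    AdServer    = 'zam.ucn.muni.cz'                               # assumed DC of the child domain
    DhcpServer  = 'dhcp.ucn.muni.cz'                              # assumed
    DnsServer   = 'dns.ucn.muni.cz'                               # assumed
    ScopeId     = '10.10.0.0'                                     # assumed /16 scope
    ForwardZone = 'ucn.muni.cz'
    ReverseZone = '10.10.in-addr.arpa'                            # assumed
    OpsiServer  = 'opsi.ucn.muni.cz'                              # assumed
    TargetOu    = 'OU=Working places,DC=zam,DC=ucn,DC=muni,DC=cz'  # assumed
}

# PTR owner name inside a /16 reverse zone: 10.10.c.d -> "d.c"
function Get-PtrName([string]$Ip) { ($Ip.Split('.')[3, 2]) -join '.' }

function Get-Reservation([string]$Ip) {
    Get-DhcpServerv4Reservation -ComputerName $Config.DhcpServer -ScopeId $Config.ScopeId |
        Where-Object { $_.IPAddress.ToString() -eq $Ip }
}

# Consistency check run after onboarding and again before offboarding: forward and
# reverse DNS must agree, and the reservation must carry the asset's MAC. A stale or
# mismatched record is what later lets an unrelated host inherit a trusted name or address.
function Test-WorkstationRecords([string]$Name, [string]$Ip, [string]$Mac) {
    $fqdn = "$Name.$($Config.ForwardZone)"
    $a    = Get-DnsServerResourceRecord -ComputerName $Config.DnsServer -ZoneName $Config.ForwardZone `
                -Name $Name -RRType A -ErrorAction SilentlyContinue
    $ptr  = Get-DnsServerResourceRecord -ComputerName $Config.DnsServer -ZoneName $Config.ReverseZone `
                -Name (Get-PtrName $Ip) -RRType Ptr -ErrorAction SilentlyContinue
    $res  = Get-Reservation $Ip
    [pscustomobject]@{
        ForwardOk     = [bool]($a   -and $a.RecordData.IPv4Address.ToString() -eq $Ip)
        ReverseOk     = [bool]($ptr -and $ptr.RecordData.PtrDomainName.TrimEnd('.') -eq $fqdn)
        ReservationOk = [bool]($res -and (($res.ClientId -replace '[-:]', '') -eq ($Mac -replace '[-:]', '')))
    }
}

function Add-UcnWorkstation([string]$Name, [string]$Ip, [string]$Mac) {
    $fqdn = "$Name.$($Config.ForwardZone)"
    # Network settings (Figure 3.3): reservation bound to the asset's MAC, then A record plus PTR.
    if (-not (Get-Reservation $Ip)) {
        Add-DhcpServerv4Reservation -ComputerName $Config.DhcpServer -ScopeId $Config.ScopeId `
            -IPAddress $Ip -ClientId $Mac -Name $fqdn -Description 'UCN workstation'
    }
    if (-not (Get-DnsServerResourceRecord -ComputerName $Config.DnsServer -ZoneName $Config.ForwardZone `
                  -Name $Name -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ComputerName $Config.DnsServer -ZoneName $Config.ForwardZone `
            -Name $Name -IPv4Address $Ip -CreatePtr
    }
    # OPSI client record (assumed invocation of the opsi-admin CLI over ssh).
    ssh "root@$($Config.OpsiServer)" "opsi-admin -d method host_createOpsiClient $fqdn"
    # The computer object is expected to exist (pre-staged or created on domain join);
    # move it into the OU of the locality so that the right policies apply.
    $computer = Get-ADComputer -Identity $Name -Server $Config.AdServer
    if ($computer.DistinguishedName -notlike "*,$($Config.TargetOu)") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $Config.TargetOu -Server $Config.AdServer
    }
    Test-WorkstationRecords $Name $Ip $Mac   # expected: all three $true
}

function Remove-UcnWorkstation([string]$Name, [string]$Ip, [string]$Mac) {
    $fqdn  = "$Name.$($Config.ForwardZone)"
    $state = Test-WorkstationRecords $Name $Ip $Mac
    # Refuse to touch records that no longer match the withdrawn asset: the name or
    # address may already have been reassigned to a different workstation.
    if (-not ($state.ForwardOk -and $state.ReverseOk -and $state.ReservationOk)) {
        throw "Records for $fqdn do not match the withdrawn asset; resolve by hand"
    }
    ssh "root@$($Config.OpsiServer)" "opsi-admin -d method host_delete $fqdn"
    # -Recursive also removes leaf objects stored under the computer (e.g. BitLocker recovery information).
    Get-ADComputer -Identity $Name -Server $Config.AdServer |
        Remove-ADObject -Recursive -Confirm:$false -Server $Config.AdServer
    Remove-DnsServerResourceRecord -ComputerName $Config.DnsServer -ZoneName $Config.ForwardZone `
        -Name $Name -RRType A -Force
    Remove-DnsServerResourceRecord -ComputerName $Config.DnsServer -ZoneName $Config.ReverseZone `
        -Name (Get-PtrName $Ip) -RRType Ptr -Force
    Remove-DhcpServerv4Reservation -ComputerName $Config.DhcpServer -IPAddress $Ip
    # Wiping the local disk ("WS data deletion") is a separate step on the workstation itself.
    Test-WorkstationRecords $Name $Ip $Mac   # expected: all three $false
}

# Usage (constructed values):
# Add-UcnWorkstation    -Name 'ws-bohunice-042' -Ip '10.10.7.42' -Mac '00-11-22-33-44-55'
# Remove-UcnWorkstation -Name 'ws-bohunice-042' -Ip '10.10.7.42' -Mac '00-11-22-33-44-55'
```

Both functions end by returning the result of Test-WorkstationRecords, so the caller can record it with the asset registration: three `$true` values after onboarding and three `$false` values after offboarding are the evidence that the network and directory state matches the asset records the process is meant to keep consistent.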
3. C ENTRAL M ANAGEMENT S ERVICE AT M ASARYK U NIVERSITY
3.2
Formalization of the Central Management Service
The concept of the centralized administration was announced in 2000, and it went through many changes and updates since then. Because of its wide impact and great number of technical solutions, which were in some cases significantly customized in the process, it became necessary to create a formalized description of the service with the definitions of terms and conditions of its provision. This formalized definition of the Central Management Service should be used in many adapted forms by: Users Description will be provided on the official website of the Institute of Computer Science in order to inform about the capabilities and possibilities of IT equipment integrated into the Central Management. It will also be used as a source material for selected informational posters. Local technical departments It is necessary to provide local support employees with guidelines and descriptions of administrated solutions. This document will also assist as a definition of rights and responsibilities during administration of localities, problem reporting and solution. Representatives of the newly integrated localities In this scenario, description will be used as a supporting material during negotiations on the inclusion of new localities. Representatives of the existing localities Some localities are not fully aware of all the advantages resulting from the incorporation to the Central Management Service. The created document will provide them with the basic information, which will simplify and clarify all future communication and demands. Management of the ICS Management of the ICS can use this material for the purposes of tracking progress and development concerning the Service, including feedback from localities in the form of results of demanded solutions. 15
The following section of the thesis consists of a detailed description of the created document and of the minor materials fulfilling all the requested parameters. They can be found in their full forms in the appendices of the thesis.

3.2.1 Overview of the created document
The Description of the Central Management Service is a document capturing the current aspects of its focus, usage and technical capabilities. The data contained in this document is also used as an underlay for other presentation materials such as informative posters and presentations. It is divided into three parts:
• General description of managed localities
• Terms of Service
• Technical description of the service

General description of managed localities
The general description of the Central Management Service contains information about the origin of the Service, its primary purpose and a description of its capabilities. Three target groups of localities are identified and categorized. A list of all managed localities can also be found there.

Terms of Service
The second part of the document, the Terms of the Service, consists of these parts:
• A list of actions belonging to the responsibilities of the System Administration Department
• Inclusion of a new locality
• The settings of the included segments
• Preparation of the software equipment
• The responsibilities of the local technical departments, description of routine problem solution and reporting definition
Responsibilities of the System Administration Department
All localities are managed by two levels of technical departments: the local level, which is either the Technical Support Department of the ICS or the local technical department of the administrated locality, and the centralized level, the System Administration Department. This chapter lists all the responsibilities of the System Administration Department in the context of the cooperation of these two levels of management.

Inclusion of a new locality
New localities can be included in the Central Management Service in two scenarios, distinguishing localities capable of covering their own server needs from those without this capability. In the second scenario, in which a locality does not possess the resources needed for its inclusion, all server equipment is provided by the Institute of Computer Science.

The settings of the included segment
The network settings of the administrated localities must be both compatible with the needs of all provided solutions of the Service and secure, in order to guarantee its proper functionality and safety. All the required settings and rules are included in this chapter of the document.

Preparation of the localities' software equipment
It is described later in this document that the software installed on managed localities is divided into two groups: standardized and local. Local software must be requested by lecturers and employees of the included locality, and this must be done according to the listed conditions. Compliance with these conditions minimizes the room for mistakes and misunderstandings caused by the shortage of time set aside for its preparation.

The responsibilities of the local technical department
The first part of the Terms of the Service describes the role of the System Administration Department in the management of administrated localities. This section describes the responsibilities of the local technical department, drawing the line between these two levels of management. This chapter also contains the description of the requested reactions to selected problems occurring on administrated workstations.
Technical description of the service
The last chapter consists of a description of the major Solutions which are available to the managed localities as a part of the Service. These Solutions are:
• Solution for Unattended Installation
• Solution for Software Distribution
• Solution for User Profiles Administration
• Solution for Central Data Store
• Solution for Remote Wake-up and Shutdown
• Solution for Examination Modes
• Solution for Monitoring of Localities

Solution for Unattended Installation
This section describes the system used for remote installation of products on boot, mainly operating systems. A full-scale view of this Solution is the subject of the next chapter of this thesis.

Solution for Software Distribution
This part describes the approach to software assignment and installation on the various localities of the UCN. There is also a list of the standardized set of applications installed in all administrated study rooms and classrooms.

Solution for User Profiles Administration
Homogeneity of the working environment is partly ensured by migrating student profiles. The organization of the user-accessible organizational units on workstations of the UCN domain is described in this section of the document.

Solution for Central Data Store
This part describes the solution providing data store capacities to all students and employees of Masaryk University.
Solution for Remote Wake-up and Shutdown
The technical capability to remotely wake up, shut down and restart administrated workstations is an important tool of all administration departments. It is described together with a brief sketch of the settings required for its proper function.

Solution for Examination Modes
This section of the document describes the two examination modes available in the computer study rooms and classrooms in the Central Management Service. These were developed in order to provide lecturers with the means to use the available IT infrastructure during the examination period.

Solution for Monitoring of Localities
Information concerning the monitoring technologies which are set up on all managed localities.

3.2.2 Additional materials
The document described in the previous section also serves as background material for presentations and posters. A sample of these materials can be found in the appendices of this thesis.

Posters
Generally, posters containing selected information from the document are used to provide information in selected administrated localities. The poster used as an example in the appendices is displayed in the majority of the UCN domain study rooms and classrooms.

Presentations
Regular meetings are organized in order to keep local technical support teams informed about current technologies, available solutions and changes in the Central Management Service. They are also necessary during the process of integration of a new locality into the central administration. In order to provide all the necessary information during these meetings, support materials are used, some of which are presentations concerning the current description of the Central Management Service.
3.3 Summary
The aim of the first part of the thesis was the creation of a formalized description of the Central Management Service provided by the Institute of Computer Science. After examining the relevant aspects of the service, such as the roles of the provider and the recipient of the service and the technical possibilities of the administrating departments, a document describing this service was created. Its description is introduced in the section Overview of the created document. Its full form can be found in the appendices of this thesis in both Czech and English language versions.
4 Solution for Unattended Installation
As mentioned at the beginning of this thesis, the Central Management Service is based on the administration of the majority of Masaryk University's IT infrastructure. For these purposes, a number of technical solutions have been developed, one of which is the Solution for Unattended Installation.

4.1 Description of the Solution for Unattended Installation in the Central Management Service
The present role of the Solution starts after a workstation is connected to the university network. Its role is the installation of the operating system with pre-selected parameters concerning correct driver assignment, disk partitioning and very basic security settings. During this process, every new workstation is added to the UCN domain, ensuring a fluent transition from the OS installation phase to the middle phase of a computer's lifecycle: administration by Microsoft Active Directory. The Solution is used as the exclusive tool for adding workstations to the UCN domain. It also provides a number of tools used for monitoring workstations and for erasing their hard drives. It is accessible to selected technical employees and domain administrators via a web application. This Solution therefore provides two basic functionalities:
• Unattended installation of operating systems on supported workstations
• Adding computers to the UCN domain for further automated administration

4. Solution for Unattended Installation

4.1.1 Current technical system for unattended installation
The current Solution for Unattended Installation is provided using a system called Open PC Server Integration (OPSI)[10], version 4.0.2.1. OPSI is an open source Linux-based client management system, which has until now been used as the main and only software fulfilling the scope of the Solution for Unattended Installation. It is capable of installing operating systems and software via the network, using either the TFTP LAN boot or a pre-installed OPSI client on the administrated workstation. Among its basic purposes are also functions like SW and HW audit, initiation of remote memory checks and hard drive deletion. The system is operated via the web application depicted in Figure 4.1.

Figure 4.1: OPSI web application

Unattended OS installation supported by OPSI is based on the boot of a Windows OS image[11] via the network. In the first step, the workstation boots a Unix-based operating system from the network location determined by the BIOS and DHCP configuration. This system initiates the download of the desired image and the installation of the appropriate Windows operating system (or any other supported product). The whole process is performed by a series of configuration scripts, which adjust the most important settings in the context of the Central Management Service. Once the installation of the operating system is concluded, a fluent transition to the integration into the infrastructure begins. This process sets the workstation's security settings, delegates the maintained applications and grants access to printing solutions and user profiles.

The server carrying the OPSI system in the UCN domain is alia.ucn.muni.cz. Product version 4.0.2.1 has been installed here, and it has been the only fully functioning server working as the core system of the Solution for Unattended Installation. The operating system of the alia server running the OPSI server is Debian GNU 6.0.7[12]. The basic functionalities of the applied version 4.0.2.1 of the OPSI system are:
• Automatic OS installation
• Automatic software distribution (not stable)
• Hardware inventory

As OPSI is an open source system, it can be controlled both via the provided web application and via direct access to the OPSI server. It is configured by a series of scripts and configuration files, which can be found within the application installation files in two basic directories:
• /opt/pcbin/install
• /var/lib/opsi
4.1.2 Process of the OPSI netboot product installation
There are two types of software products installed via OPSI: netboot products and local boot products. Netboot product is a general term for software installed during a workstation's boot period (namely operating systems and minor service applications). Local boot products are applications which can be installed during the workstation's runtime, and their installation is managed by the OPSI client. The installation process of every netboot product (Figure 4.2, see footnote 1) depends on proper server, network and client configuration:
• The proper name and MAC address of the installed clients need to be set on the server.
• Network configuration requires permitting TFTP, SAMBA and RPC communication between the OPSI installation server and the client workstations.
• Client configuration consists only of the proper BIOS setting (boot order with the LAN as the first device). OPSI version 4.0.2.1 also does not support UEFI mode, which has to be disabled in order to guarantee the proper function of the unattended installation.
[Figure 4.2 (flowchart): participants Web Application, OPSI Server, DHCP Server and Client (Workstation). Preparation of a netboot product installation: assign product deployment to the client. Installation process: start of the client and boot from LAN; DHCP server data request and provision of IP address, PXE boot server and image directory; provision and installation of the Unix-based OS (setup.py); execution of HW inventory, driver installation, partition division and Windows PE downloading; on success install Windows PE and reboot, on failure boot from HDD; request and provision of Windows install files; installation of the requested OS; reboot and deploy the installed Windows OS.]
Figure 4.2: Process of the OS installation
1. The Process of the OS installation figure is also available in the appendices.
After the creation of a new client in the web administration, the selection of the requested netboot product and the verification of the proper settings of the corresponding devices, the process of installation of the product is ready to commence. It starts after the reboot of the workstation. In this scenario, the workstation requests boot files from the OPSI server, which was pre-configured on the corresponding DHCP server.

4.1.3 Netboot products
As alia has always been used exclusively for the installation of operating systems within the UCN domain, neither any local boot products nor the OPSI client itself have ever been installed. Delegation and management are handled by the Windows domain, leaving OPSI only as a tool for boot software installations. For these reasons, the OPSI client is not even installed on the workstations of the UCN domain. This means that alia is used for the installation of:
• Operating systems
• Hardware inventory
• Memtest
• Disk cleanup

Netboot products - Operating systems
The Central Management Service supports the installation and management of these operating systems and bit versions in both English and Czech languages:
• Windows 7 x64
• Windows 7 x32
• Windows XP x32
An option to divide the HDD into multiple partitions is available if the installation is launched from the customized web interface. This has been implemented in order to support the working departments' installations, as was described in the first part of this thesis in the subsection Localities managed by the Central Management Service.

Other netboot products
Despite the fact that alia.ucn.muni.cz is not used for the installation of applications, a number of basic netboot products are still being used either before the OS installation process or during the troubleshooting of occurred problems. These products are:
• Disk cleanup
• Hardware Inventory
• Memtest

Disk cleanup
A netboot product designed to erase any partition division. In the current solution, division into two partitions of pre-defined size is done by a set of static scripts. OPSI is therefore designed to expect only one of three hard drive states during the installation process: a disk without partitions, a disk with one partition, or a disk divided into the two partitions defined by the OPSI scripts.

Hardware Inventory
An inventory of the equipment of an installed workstation has to be made in order for the drivers to be delegated properly. Hardware inventory is therefore included in the process of OS installation. It can also be deployed alone as a separate netboot product.

Memtest
Memtest[13] is a third-party tool used to verify the proper memory state of a selected workstation.

Deployment of drivers
Drivers of supported computers are stored in a subdirectory of the selected operating systems. This means that every operating system has its own set of workstations which it is capable of installing to. Drivers are assigned to computers by automatically created identifiers of every integrated driver. These are assigned to the appropriate workstation during the OS installation process.
OPSI server customization
Despite the fact that OPSI supports all the demanded functionalities, it had to be adjusted in many ways to fit into the Service itself. The major changes are related to the web interface and the partition division scripts.

Web interface
OPSI does not support groups of users accessing the web interface, and it assigns everyone full rights to all of its functions. As described before, the domain of Masaryk University is administrated by many departments of varying level in a number of localities. In order to provide the solution for all of these localities and local administrators, a new web interface was developed (Figure 4.3). This interface fully supports groups of accessing users, who can consequently modify only a pre-selected set of workstations. These workstations are grouped by their usage, locality and local administration department.

Figure 4.3: Developed web application
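The group-scoped access described for the new web interface, as an added example (not code from the thesis or from OPSI): users belong to groups, each group covers workstations selected by locality, department and usage, and anything not covered is denied. The rule format, the domain-administrator bypass and all sample users and workstations are assumptions of this example.

```python
"""Group-scoped, deny-by-default access control for an OPSI web front end.

Added example, not code from the thesis or from OPSI. Group rules, the
domain-administrator bypass and the sample data below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Workstation:
    name: str
    locality: str     # managed locality, e.g. a faculty
    department: str   # local technical department administering it
    usage: str        # "student" (classrooms, study rooms) or "employee"


@dataclass(frozen=True)
class Group:
    """Grants access to every workstation matching all attributes that are
    set; an attribute left as None does not restrict the selection."""
    name: str
    locality: Optional[str] = None
    department: Optional[str] = None
    usage: Optional[str] = None

    def covers(self, ws: Workstation) -> bool:
        for attr in ("locality", "department", "usage"):
            want = getattr(self, attr)
            if want is not None and want != getattr(ws, attr):
                return False
        return True


class Authorizer:
    """Every decision is recorded; unknown users and groups get nothing."""

    def __init__(self, groups: List[Group], membership: Dict[str, Set[str]],
                 domain_admins: Set[str]):
        self.groups = {g.name: g for g in groups}
        self.membership = membership      # user -> names of groups
        self.domain_admins = domain_admins
        self.audit: List[Tuple[str, str, str, str]] = []

    def groups_of(self, user: str) -> List[Group]:
        # A group name that does not exist is ignored rather than trusted.
        return [self.groups[n] for n in self.membership.get(user, set())
                if n in self.groups]

    def visible(self, user: str, inventory: List[Workstation]) -> List[str]:
        """Names of the workstations the user may see and modify."""
        if user in self.domain_admins:          # assumed full-rights role
            return [ws.name for ws in inventory]
        mine = self.groups_of(user)
        return [ws.name for ws in inventory if any(g.covers(ws) for g in mine)]

    def authorize(self, user: str, action: str, ws: Workstation,
                  inventory: List[Workstation]) -> bool:
        allowed = ws.name in self.visible(user, inventory)
        self.audit.append((user, action, ws.name, "allow" if allowed else "deny"))
        return allowed


# Constructed sample data: two localities, two departments, mixed usage.
INVENTORY = [
    Workstation("fi-lab-01", "FI", "fi-support", "student"),
    Workstation("fi-lab-02", "FI", "fi-support", "student"),
    Workstation("fi-emp-07", "FI", "fi-support", "employee"),
    Workstation("ff-lab-01", "FF", "ff-support", "student"),
]
GROUPS = [
    Group("fi-lecturers", locality="FI", usage="student"),  # classrooms only
    Group("fi-technicians", locality="FI"),                 # whole locality
    Group("ff-technicians", department="ff-support"),
]
MEMBERSHIP = {
    "lecturer.fi": {"fi-lecturers"},
    "tech.fi": {"fi-technicians"},
    "tech.ff": {"ff-technicians", "no-such-group"},
}


def demo() -> Dict[str, object]:
    """Exercise the policy on the constructed data and return the decisions."""
    auth = Authorizer(GROUPS, MEMBERSHIP, domain_admins={"domadm"})
    lab, emp, ff = INVENTORY[0], INVENTORY[2], INVENTORY[3]
    return {
        "lecturer_sees": auth.visible("lecturer.fi", INVENTORY),
        "lecturer_reinstall_lab": auth.authorize("lecturer.fi", "assign_netboot", lab, INVENTORY),
        "lecturer_wipe_employee": auth.authorize("lecturer.fi", "disk_cleanup", emp, INVENTORY),
        "tech_fi_wipe_employee": auth.authorize("tech.fi", "disk_cleanup", emp, INVENTORY),
        "tech_ff_on_fi": auth.authorize("tech.ff", "assign_netboot", lab, INVENTORY),
        "stranger": auth.authorize("nobody", "assign_netboot", ff, INVENTORY),
        "domadm": auth.authorize("domadm", "disk_cleanup", ff, INVENTORY),
        "denials_logged": sum(1 for e in auth.audit if e[3] == "deny"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```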
Two partitions option
It has been explained earlier that workstations included in the Central Management Service can be divided into two groups according to their usage: employees' and students' workstations. In order to support redirected local profiles on employees' workstations, OPSI has pre-defined alternatives in which the operating system can be installed. These are the standard mode (with one partition, used while installing computers in classrooms and study rooms) and the two-partition mode (for employees' workstations).
4.2 Alternative technologies and tools for unattended OS installation
Larger corporations now often rely on their IT infrastructure, which is directly connected with the use of various management tools. Among those are systems for unattended installation, updates, remote SW and HW audits and many more functions enabling the effective management of large infrastructures. In the context of the Solution for Unattended Installation, the former system ensuring the unattended OS installation was built on the OPSI system. One of the aims of this thesis is to upgrade this Solution, which includes consideration of all available technologies with the demanded functions. There are a number of requirements which should be covered by the system selected for further use, if it were chosen as a successor to the Solution for Unattended Installation built on OPSI. These requirements include a fluent transition from the former system to the new one, full coverage of all currently used functionalities, and preferably an open source solution with low or no costs but with the prospect of further development. In this section, the best known systems are described with a focus on fulfilling the requested properties.
4.2.1 Microsoft System Center Configuration Manager (SCCM)
Formerly known as Microsoft Systems Management Server, SCCM[14] provides remote control, software installation and updates, SW and HW auditing and operating system deployment on client devices (Figure 4.4). It supports selected Linux-based, Windows and Mac OS X versions of OS, including mobile operating systems such as Windows Mobile, Android, iOS and Symbian.

Figure 4.4: SCCM configuration console[15]

SCCM is one of the leading products in the area of remote configuration management and covers a great number of functions. The most important of these features are SW and HW inventory, software distribution and updates, advanced deployment of operating systems, a number of remote tools and more. All these functions are compatible with selected Microsoft products, making the product even more comprehensive and powerful if used with a Windows domain. However, despite all the advantages of this large and professional system, its non-negligible price makes it unsuitable as an alternative to the OPSI system in the Solution for Unattended Installation.
4.2.2 Unattended with Unattended GUI
Unattended[16] is a narrowly specialized system designed for the installation of selected versions of Microsoft Windows operating systems. It is platform independent, running on both Windows and UNIX-based servers. Separately from the original Unattended project, a user interface has been developed. This interface, known as the Unattended GUI[17] (depicted in Figure 4.5), simplifies access to the supported features. The key features of the Unattended system are web-based management, support for automatic unattended installation (including deployment of OS and software), network management, multi-location support, inventorization, image deployment, PXE network booting, client and license management and many more.

Figure 4.5: Uranos Unattended GUI interface[18]

However, despite the good technical level and the wide base of functions of this system, no additional features which would enlarge or improve the scope of the Solution have been found.
4.2.3 Automated Network Installations (ANI)
ANI[19] is another Linux-based and open source system for unattended installation, which supports the installation of selected versions of MS Windows. For reasons which will be explained at the end of this section, the analysis of this system starts with a description of the process of the OS installation. This process starts with the installation of an initial ANI client using the boot CD. The attributes of the OS installation are selected using the client's dialog interface (Figure 4.6). The data of the installed OS is consequently downloaded from the pre-configured ANI server, which delivers all the requested data. After the installation is finished, a number of post-Windows-installation scripts are run in order to join the installed workstation to the Windows domain and to notify about the installation outcome via e-mail.

Figure 4.6: ANI client dialog interface[20]

The whole process of client installation is similar to the installation process of OPSI. However, even without further analysis of this system, it is obvious that it has two major drawbacks. The first and greater one is the currently incomplete support of operating systems from the Windows Vista family (so Windows 7 is not yet supported by this system), which makes the product, as it stands, useless for the current needs of the Solution for Unattended Installation. This fact also indicates an unreliable future for the whole ANI project. The second drawback is the requirement of local administrator interaction during the whole installation process (insertion of the installation media, filling in the workstation name, resolution and client type). For these two main reasons, ANI is not suitable as an alternative to OPSI in the context of fulfilling the needs and goals of the Solution.
4.3 Analysis and design of the new Solution for Unattended Installation

4.3.1 Analysis of the current unattended installation system
The former Solution for Unattended Installation has a number of drawbacks. All changes, updates and troubleshooting are performed on a single production server, making the system vulnerable during these tasks (despite the fact that the server is regularly backed up). The whole system should be made more robust, adjusted for crisis situations and provided with a fully featured development and testing environment. This solution also does not support SSD disks, which are already included in newly ordered workstations.

The new Solution for Unattended Installation should be able to support the OS installation of workstations outside the UCN domain. Such functionality is not fully supported in the deployed system version, and support for these workstations is not implemented at all. As all workstations installed using the former system were automatically added to the Windows domain, software distribution was provided using the domain policies. The former solution therefore does not support software installation, which is one of the requested functionalities for the upgraded Solution for Unattended Installation. Software deployment using the upgraded solution will be used together with the option of workstation installation outside the UCN domain.

Considering the driver deployment, the addition of a new workstation type often results in non-deterministic behavior caused by the assignment system and the (no longer necessary) complexity of their delegation. All these factors cause occasional wrong driver assignment for already supported workstations.

After consideration of the available technologies for unattended installation in the previous section of this thesis, the functionalities which need to be preserved, the costs of migration to another system and the benefits of the current system, it was decided that the Solution will continue to use the OPSI system, in version 4.0.3.2. The new solution will support the following new functions and parameters:
• Robust application cluster
• Compatibility with the former system
• Easy maintenance and synchronization
• Support of workstations outside the UCN domain
• Support of selected new OPSI functions and netboot products (for example support of SSD disks and the Kill Disk netboot product)
4.3.2 Design of the new Solution
The new version of the Solution will be built on a newer version of this system, 4.0.3.2. It will be made more robust in comparison with the former Solution. Its core will consist of 4 servers:
• tali1 and tali2 – two identical servers in one cluster carrying the Solution after the upgrade.
• tali-test – a server similar to tali1 and tali2, which will be used as the testing environment during future upgrades and changes. It will also be used as a gateway during the routine tasks executed on the OPSI server.
• alia – the original OPSI server. It will be preserved for several months in order to guarantee a fluent transition from the current system. For this time, it will be partially synchronized with the updated version. After the full migration of all managed localities, this server will be fully removed from the Solution.

In order to fulfill the requested functionalities, three of the new functions developed as part of OPSI will be altered and used: support of installation on SSD disks, software deployment and installation of the Kill Disk netboot product. A number of new functions will be implemented, such as the synchronization of all servers participating in the Solution and the installation of operating systems outside the domain. Some of the currently used tools will also have to be altered. These are changes in the developed web interface used across the University, changes in the hard drive partitioning scripts and more. Some of the current approaches will remain, such as the use of VMware[21] virtualization and the related backup system. The current backup schedule will also be preserved. After an analysis of the existing system, the following changes, updates and functions have been proposed:
• Update of the current system for security and functional reasons
• The carrying server will be doubled in a cluster
• Creation of a compatible testing and development environment
• Full coverage of all currently supported functions
• Optimization of maintenance demands
• Optimization of the installation process speed
• Support of SSD disks on local computers
• Option of installation outside the UCN domain
• Deployment of software outside the UCN domain
• Addition of the Kill Disk netboot product
4.4 Implementation of the designed Solution for Unattended Installation

4.4.1 Upgrade to the OPSI version 4.0.3.2
The current OPSI version 4.0.3.2 was installed on the newly created virtual servers. All currently supported workstations, localities, access groups and users were manually migrated from the former OPSI server alia. After the full takeover of all relevant data, the requested netboot products were installed and configured. The tali servers will no longer support XP versions of the Windows operating system. Windows XP will only be supported by the former OPSI server; therefore only OS netboot products of various versions of Windows 7 have been prepared. These were equipped with drivers for new incoming workstations, gradually expanded by the drivers of migrated localities. A chapter describing the driver deployment of the upgraded version can be found further in this thesis. Other netboot products were implemented similarly to the products known from the previous OPSI version, namely Disk Cleanup, Memtest and HW Inventory.
4.4.2 Carrying cluster
Servers tali1 and tali2 are designed as a pair of identical servers carrying the Service for Unattended Installation. An active-passive failover cluster of these servers is built using the Pacemaker[22] cluster resource manager and the Corosync[23] cluster engine. The passive server is activated either in case of unavailability of the active server or during the failure of one of the main OPSI services. In order to increase the reliability of the Service, the physical servers running these two OPSI instances are located in different server rooms.
4.4.3 OPSI testing environment
Probably the most important demand on the upgraded Solution for Unattended Installation is the creation of a fully operational testing environment identical to the actual unattended installation system. This environment is designed to fulfill a number of tasks, the most important being the simulation of newly added drivers and operating systems, the testing of their changes and alterations, and the observation of its behavior during whole-system upgrades. A server called tali-test was created for these purposes. It is, by design, kept in exactly the same state as the pair of carrying servers, making it perfect for the execution of all the described demands. The synchronization of this server with the other servers participating in the designed solution is described in the following sections. It is important to note that the synchronization is semi-automatic and on demand. This makes the testing server easy to use during the replication of the requested changes to the cluster, as it can be added to and removed from the synchronization process using only one simple script.
4.4.4 Former OPSI server in the upgraded solution
Server alia.ucn.muni.cz fulfills only a secondary function in the prepared Solution. Its purpose is to ensure full support of all administrated localities during the transition to the updated version. This transition is expected to last approximately one year, during which the server will only be maintained, without any extension of its functions or impact. The approximate date for the shutdown of the alia server is December 2014.
4.4.5 Synchronization of the OPSI servers
One of the most important demands on the prepared solution is simplicity in further use and maintenance. The former solution was built on only one server and did not require any system for file synchronization, as all changes were simply made directly on the server alia.ucn.muni.cz. This was both unstable during routine maintenance and inflexible when reacting to occurring problems. Both of these problems are solved by the design of the upgraded Solution, but the question of handling the synchronization of all changes arose. The concept of the carrying server synchronization is depicted in Figure 4.7.
[Figure 4.7 (diagram): the carrying cluster of tali1.ics.muni.cz and tali2.ics.muni.cz, each with its tree /opt/installfiles; two-way synchronization on request with tali-test.ics.muni.cz (/opt/installfiles); periodic one-way synchronization to alia.ics.muni.cz (/opt/installfiles).]
Figure 4.7: Four application servers synchronization model Synchronization of drivers OPSI version 4.0.3.2 fully supports drivers’ assignment according to the detected Vendor and Model of the installed workstations. These data must be pre-filled in BIOS of the installed workstations (this request was successfully agreed on with the external supplier of IT equipment at MU). Assignation of drivers therefore commences in order of priority, starting with vendor and model. In case there are no folders of vendor and/or model of the installed workstation, its drivers are assigned from the folder filled with additional drivers. All the drivers which are not found in these two folders are finally assigned from the most universal folder containing most versatile driver versions. The suggested solution is built on the use of tali-test as a gateway for all executed changes. In case that new computers are requested to be added into the UCN domain, the drivers of these computers need to be filled into the directory of the appropriate operating system. This is firstly done, in contrast with the former approach (described in section named Alia customization), on server tali-test. Server talitest must first be synchronized with the carrying pair of servers (and thus be in an identical state). After a proper test of the newly added drivers, these changes can be (on demand or during scheduled automated synchronization) replicated on the old server alia.ucn.muni.cz and on the pair of new servers tali1 and tali2. As tali-test is not by design in the correct state at every moment of its use, the approach to its synchronization was designed to be on demand instead of fully automated. The synchronization is, by default, 37
4. S OLUTION FOR U NATTENDED I NSTALLATION turned on between the pair of carrying servers and server tali-test, leaving its state identical to tali1 and tali2 during its disuse. During the execution of testing operations, the synchronization with tali-test is turned off using easily manageable scripts[24]. These were created in order to provide the requested flexibility. By re-addition of talitest to the synchronization process after the testing procedures, this server is once again ready for further tasks, having its state identical to the carrying pair of servers tali1 and tali2. It was described earlier in this thesis that drivers are stored in every individual operating system. However, their characteristics allow for the use of the same drivers for operating systems with the same bit versions, regardless of their language versions. Leaving this state unaltered would lead to an undesirable redundancy of data, and also complicate the synchronization procedures. In order to evade this unwanted behavior, a common folder was created for all drivers of every server (namely folder opt/installfiles/drivers, Figure 4.8) with created symlinks to their original locations.
[Figure 4.8: OPSI server with four netboot products (Windows 7, 64 bit, CZE, in domain; Windows 7, 64 bit, CZE, NOT in domain; Windows 7, 64 bit, ENG, in domain; Windows 7, 32 bit, CZE, in domain), each with drivers and Install.wim; the drivers of all products point to the common folder installfiles/drivers (64bit, 32bit).]
Figure 4.8: Scheme of the drivers’ synchronization

It is important to emphasize that, in order to preserve full support of all workstations installed earlier using alia, the synchronization with this server is unidirectional.

Synchronization of operating systems

The Central Management Service supports workstations using two operating systems: Windows XP and Windows 7. All tali servers will currently be used only for the installation of Windows 7, which is supported in the following versions:
• Windows 7 x64 ENG (inside the domain)
• Windows 7 x64 CZE (inside the domain)
• Windows 7 x86 CZE (inside the domain)
• Windows 7 x64 CZE (outside the domain)

The Windows 7 core is stored in a single file, install.wim, stored among the other installation files. It can be easily updated using new Microsoft updates, also known as KB files. These files were redirected (similarly to the alteration executed on the drivers’ folder) into the common folder opt/installfiles/wim (Figure 4.9) using Linux hard links. Windows XP will continue to be maintained separately, directly on the alia server.
[Figure 4.9: OPSI server with the same four netboot products, each with drivers and Install.wim; the Install.wim files point to the common folder installfiles/wim (7-64-cz, 7-64-en, 7-32-cz).]
Figure 4.9: Scheme of the synchronization of operating systems’ installation files
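The consolidation of the drivers’ folders (Figure 4.8) and of the install.wim images (Figure 4.9) into the common folders can be scripted; the following Python script is an added example and not the thesis’s own tooling. The product directory names, the bitness and image tags and the sample files are assumptions, and the script builds its sample tree in a temporary directory so that it runs offline.

```python
"""Consolidate per-OS driver folders and install.wim images into the shared
opt/installfiles/drivers and opt/installfiles/wim folders (figures 4.8, 4.9).

Added example, not the thesis's own scripts. Product directory names, the
bitness and image tags and the constructed sample files are assumptions."""
import filecmp
import os
import shutil
import tempfile
from pathlib import Path

# Constructed product catalogue: netboot product dir -> (driver bitness, image tag).
# The "in domain" and "NOT in domain" variants share one Windows 7 CZE x64 image.
PRODUCTS = {
    "win7-x64-cze-domain":   ("64bit", "7-64-cz"),
    "win7-x64-cze-nodomain": ("64bit", "7-64-cz"),
    "win7-x64-eng-domain":   ("64bit", "7-64-en"),
    "win7-x86-cze-domain":   ("32bit", "7-32-cz"),
}


def consolidate(installfiles: Path, products=PRODUCTS) -> dict:
    """Move driver files into installfiles/drivers/<bitness>, replace each product's
    drivers folder with a symlink, and hard-link install.wim into
    installfiles/wim/<tag>.wim. Returns counts plus any content conflicts."""
    summary = {"symlinks": 0, "hardlinks": 0, "conflicts": []}
    for name, (bitness, tag) in products.items():
        product = installfiles / name
        drv = product / "drivers"
        shared_drv = installfiles / "drivers" / bitness
        shared_drv.mkdir(parents=True, exist_ok=True)
        if drv.is_dir() and not drv.is_symlink():
            # Merge the per-OS driver tree into the shared folder: keep the first
            # copy of each path and report duplicates whose content differs.
            for f in [p for p in drv.rglob("*") if p.is_file()]:
                dest = shared_drv / f.relative_to(drv)
                dest.parent.mkdir(parents=True, exist_ok=True)
                if not dest.exists():
                    f.replace(dest)
                elif not filecmp.cmp(f, dest, shallow=False):
                    summary["conflicts"].append(str(f))
            shutil.rmtree(drv)
            os.symlink(os.path.relpath(shared_drv, product), drv)
            summary["symlinks"] += 1
        wim = product / "install.wim"
        shared_wim = installfiles / "wim" / f"{tag}.wim"
        shared_wim.parent.mkdir(parents=True, exist_ok=True)
        if not wim.is_file() or (shared_wim.exists() and os.path.samefile(wim, shared_wim)):
            continue  # nothing to do, or already hard-linked (idempotent re-run)
        if shared_wim.exists():
            if not filecmp.cmp(wim, shared_wim, shallow=False):
                summary["conflicts"].append(str(wim))  # different image: keep both
                continue
            wim.unlink()
        else:
            wim.replace(shared_wim)
        os.link(shared_wim, wim)
        summary["hardlinks"] += 1
    return summary


def verify(installfiles: Path, products=PRODUCTS) -> bool:
    """True when every product's drivers folder is a symlink into the shared tree
    and its install.wim shares an inode with the shared image."""
    for name, (bitness, tag) in products.items():
        product = installfiles / name
        drv, wim = product / "drivers", product / "install.wim"
        shared_drv = installfiles / "drivers" / bitness
        if not (drv.is_symlink() and drv.resolve() == shared_drv.resolve()):
            return False
        if not os.path.samefile(wim, installfiles / "wim" / f"{tag}.wim"):
            return False
    return True


def build_sample_tree(installfiles: Path, products=PRODUCTS) -> None:
    """Constructed stand-in for the pre-consolidation layout: one drivers folder
    and one install.wim per product, image bytes identical per tag."""
    for name, (bitness, tag) in products.items():
        product = installfiles / name
        (product / "drivers" / "nic").mkdir(parents=True)
        (product / "drivers" / "nic" / "e1000.inf").write_text(f"; {bitness} nic driver\n")
        (product / "install.wim").write_bytes(b"WIM-" + tag.encode())


def run_demo() -> dict:
    """Build the sample tree in a temporary directory, consolidate it and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        installfiles = Path(tmp) / "opt" / "installfiles"
        build_sample_tree(installfiles)
        result = consolidate(installfiles)
        result["verified"] = verify(installfiles)
        # A second run must be a no-op: all links are already in place.
        result["second_run"] = consolidate(installfiles)
        return result


if __name__ == "__main__":
    print(run_demo())
```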
4.4.6 Installation process speed optimization

All tali servers will possess features and alterations increasing their operational speed compared to alia.ucn.muni.cz. There are two main factors making this optimization possible. The first factor is the possibility to improve the carrying hardware, specifically thanks to the full compatibility with systems of more than two processor cores introduced in version 4.0.3.2. This also makes the whole system easy to upgrade using the VMware virtualization tools running the tali servers.

The second factor is an implemented alteration of the storage of clients’ configuration data into a single SQL[25] database instead of separate files, which is the default approach in the original system. This modification greatly reduced the time needed for the simultaneous installation of a larger number of workstations.

4.4.7 Support of SSD disks and two-partition division
New workstations provided by the supplier can be divided into four basic categories according to their storage equipment, those with:

• 1 HDD
• 1 SSD
• 2 HDD
• a combination of 1 SSD and 1 HDD

Managed study rooms and classrooms are equipped only with the first two possibilities, with just one disk of either type. Installation of an operating system in all of these localities is therefore independent of disk organization, using one disk with only one partition. In the case of employees’ workstations, all four possibilities need to be handled for the correct division into a system and a data partition. The older version of OPSI did not support SSD disks at all. Although version 4.0.3.2 is able to install on SSD disks (covering the first three categories of new workstations), handling a combination of SSD and HDD disks in one configuration is not supported. The selection of the future system drive is done by automated scripts. These take into consideration only two parameters: the system is installed either on the previous system drive (detection of an installed operating system is implemented) or on the first drive on the controller. During communication with the OPSI developer team, an alteration of the configuration files was suggested which would select the future system partition during the OS installation process. The altered configuration scripts were accepted by the OPSI team for further use, and this suggested feature has already been announced to be present in the next OPSI version, 4.0.4.2.
4.4.8 Operating Systems deployment outside the UCN domain
For installation of a selected operating system outside the UCN domain, one of two approaches had to be chosen: either the use of the same system core for installation both inside and outside the domain, or the creation of a brand new netboot product. After considering flexibility and the probability of further differences being demanded of the non-domain systems, the solution with the new netboot product was selected. A number of basic alterations to the standard netboot operating system had to be made in order to enable this change for broad use. One of these was disabling the scripts responsible for computer addition and the consequent settings. This includes alterations made in order to enable installation of the OPSI client during the OS installation. The OPSI client enables an alternative form of remote administration without the use of the Windows Active Directory domain. Finally, the operating system was added to the altered web application as a new netboot product, making it available to the other technical departments.

4.4.9 Software deployment outside the UCN domain
One of the functionalities provided by OPSI is the installation of software using the OPSI client, which is pre-installed during the post-OS-installation phase. These software packages are named local boot products. Their preparation is in many ways similar to the deployment of netboot products: the software is stored on the hard drive in a specific folder and format, and a number of configuration scripts, which determine the software’s main attributes, must be altered. After proper integration of the new product, it is available for installation using the original web interface. In the case of netboot products, OPSI supports automated installation packages for all supported Windows versions, which significantly simplifies the whole process of preparing a new netboot product. However, as the OPSI team does not create these automated packages for local boot products, these packages must be created either manually or using third-party packages such as those by GeosOne Opsi Pro[26]. In order to distribute the option of software installation to all technical departments, an updated version of the developed web interface with maintained software packages will consequently be deployed.

4.4.10 Kill Disk netboot product

Kill Disk is a newly released netboot product which is able to erase a workstation’s hard disk. Configuration scripts manageable via the web interface allow for multiple iterations of the erasing process, ensuring safe data deletion. This new netboot product will be an important step during the migration of workstations between different localities or employees, providing greater security through the deletion of the former user’s data.
4.5 Summary

The aim of the second part of the thesis was an upgrade of the current system for unattended OS installation via OPSI used as part of the Service. This system was to be upgraded based on its analysis and the requests of the provider of the Service. The former solution was analyzed and described. Based on the discovered drawbacks and requested functionalities, a new system has been designed and implemented. This system is based on the up-to-date version of the OPSI system. All changes and improvements are documented in the section called Implementation of the designed Solution for Unattended Installation.
5 Conclusion

The first aim of this thesis was the creation of a formalized document containing the general description, the terms of use and the technical description of the Central Management Service. The second aim was an upgrade of the current Solution for Unattended Installation with the requested new functions and with great emphasis on the security and reliability of the newly designed system. The thesis has been created in cooperation with the System Administration Department of the Institute of Computer Science.

The beginning of this thesis described the motivations for the central management approach and the significance of tools for remote administration in the context of today’s technical trends. These trends were then projected onto the requirements of Masaryk University and the current capabilities of the Central Management Service. In order to consistently present all the available solutions, a set of materials was created. All the created materials described and enclosed with this work are the results of this thesis.

The second part of the thesis dealt with the Solution for Unattended Installation, its significance in the context of the Service, a comparison with state-of-the-art tools and finally the implementation of the upgraded version. The system carrying this Solution was adjusted to meet all the requested functionalities. The author’s contribution in this part of the thesis is the design of a new solution, its implementation and the adjustment of selected functions listed in the thesis.

The results of this thesis are a set of promotional documents and an upgrade of the Solution for Unattended Installation. The created promotional documents in their full form can be found in the appendices of the thesis.
6 Literature

[1] Masaryk University. Available on WWW:
[2] Babinec, P., Rychnovský, L., Tuček, P.: Centralized Approach to Large User and Computer Infrastructure Management. Available on WWW:
[3] Peša, R., Krajíček, O., Rychnovský, L.: Počítačové studovny MU. Zpravodaj ÚVT MU. ISSN 1212-0901, 2005, vol. XVI, no. 1, pp. 9-11. Available on WWW:
[4] Fiala, P.: Správa a užívání počítačové sítě Masarykovy univerzity. MU Directive No. 6/2011.
[5] Bek, M.: Provozní řád počítačových studoven Masarykovy univerzity. MU Directive No. 7/2012.
[6] Institute of Computer Science. Available on WWW:
[7] Rychnovský, L., Babinec, P., Tuček, P.: TServer - terminálový server UCN. Zpravodaj ÚVT MU. ISSN 1212-0901, 2008, vol. XVIII, no. 5, pp. 9-11. Available on WWW:
[8] Bek, M.: Organizační řád Ústavu výpočetní techniky Masarykovy univerzity. Available on WWW:
[9] Microsoft Active Directory. Available on WWW:
[10] OPSI - Open PC Server Integration. Available on WWW:
[11] Stanek, W. R.: Windows 7 Administrator’s Pocket Consultant. Microsoft Press, August 26, 2009.
[12] Debian operating system. Available on WWW:
[13] MemTest86. Available on WWW:
[14] System Center Configuration Manager (SCCM). Available on WWW:
[15] System Center Configuration Manager console. Available on WWW:
[16] Unattended. Available on WWW:
[17] Unattended GUI. Available on WWW: sourceforge.net/projects/uranos/>
[18] Unattended GUI console. Available on WWW:
[19] Automated Network Installations (ANI). Available on WWW:
[20] Automated Network Installations (ANI). Available on WWW:
[21] VMware. Available on WWW:
[22] Pacemaker. Available on WWW:
[23] Corosync. Available on WWW: github.io/corosync/>
[24] Hertzog, R., Mas, R.: The Debian Administrator’s Handbook. Freexian SARL, December 24, 2013.
[25] Stanek, W. R.: Microsoft SQL Server 2012 Kapesní rádce administrátora. Computer Press, February 27, 2013.
[26] GeosOne Opsi Pro. Available on WWW:
A Appendices

• A.1 Description of the Central Management Service
• A.2 Description of the Central Management Service, Czech version (Popis služby centrální správy)
• A.3 Information poster: Computer study rooms and classrooms on MU
• A.4 Information poster: University computer study rooms and classrooms of MU, Czech version (Univerzitní počítačové studovny a učebny MU)
• A.5 Process of addition of a new workstation
• A.6 Process of workstation removal
• A.7 Process of the OS installation via the OPSI system
A.1 Description of the Central Management Service

The concept of unified central management of workstations was created based on the experience with technologies used in the University Computer Centre. The University Computer Network (UCN) was established, enabling effective administration of workstations and a unified working environment for students and employees across the university. This infrastructure is currently used for three different purposes: university computer study rooms, classrooms and employees’ workstations.

Localities included in the central management provide users with an integrated working environment, higher security and uniformity of the provided services, a unified environment of the Microsoft Windows OS and a standardized set of installed software. The service supports unified logon using standardized logon information: UČO and secondary password.

There are several basic types of supported software. Standardized software is centrally maintained and available in all localities. Also available is specially licensed software covered by the university licenses. The solution also offers an option to include a wider set of software according to individual requests. The main advantage is a great reduction of the costs paid for IT administration and the provision of a unified working environment throughout the whole MU, for lectures as well as for all university study rooms.

The infrastructure itself provides administrators with the following functionalities: unattended installation of workstations (OS + SW), regular updates of centrally provided software, access to troubleshooting tools, remote access to the workstations, their monitoring and more. Workstations are regularly updated during scheduled time frames. These are generally planned during the late night hours. During the update time frames, the deployed software and operating systems are updated. Occasionally, the service tasks associated with these updates are also executed during this time. The main advantage of this approach is the provision of a constantly up-to-date environment without the need for any user interaction.

One of the functions of UCN is the mediation of the connection to the centralized printing systems. These enable uniform payment using an ISIC card (via a SUPO account) and a standardized printing environment throughout the various managed localities. Besides the localities’ standard running mode, two special modes designed for students’ examinations are also supported. These modes are adjusted in order to restrict access to undesirable applications, e-mail and the internet, or to restrict access to the profile data. Technical courses and assistance are also offered.

Currently, the central management is (on various levels of integration) composed of study rooms, classrooms and workplaces from over a half of the organization units of Masaryk University. Among these are:

• The rector’s office
• Institute of Computer Science
• Faculty of Science
  - geography classroom
  - geology classroom
  - the library
  - science club
• Faculty of Law
  - study rooms and classrooms
• Faculty of Arts
  - full administration of employees’ and students’ workstations
  - the library
• Faculty of Education
  - the library
  - one classroom
• Faculty of Social Studies
  - the library
  - two classrooms
  - selected employees’ workstations
• Technology Transfer Office
  - full administration of employees’ workstations
• University Campus Bohunice
  - UCB Library
  - chemistry classroom
  - Faculty of Medicine localities
• University Computer Centre
• University Centre Telč
• Accommodation and Catering Services of MU
Division of localities

The Service of Central Management is offered throughout Masaryk University in a number of modes according to its use:

• Study rooms – computer rooms available to students
• Classrooms – computer rooms used during lectures
• Employees’ workstations

Study rooms

A study room is a computer room intended for use by students for free-time studies and associated activities. Students are granted access to the basic set of software and to selected software related to their subject of study. A uniform user environment for both study rooms and classrooms is also provided in the form of roaming profiles, storage and access to shared drives and printing devices.

Classrooms

A classroom is a computer room dedicated to lectures and associated activities. Students are granted access to the basic set of software and to selected software related to their subject of study (this set of software is requested during the integration of the classroom into the Service and is updated every semester). A uniform user environment for both study rooms and classrooms is also provided in the form of roaming profiles, storage and access to shared drives and printing devices.

Employees’ workstations

Computers in the employee workstation mode offer functionality similar to that of study rooms. In addition to the basic set of SW, employees also have access to the SW associated with their work requirements (economic software, asset management, etc.). This set of software is agreed upon during the integration of the workplace into the central management. Employees also have local storage space, access to shared drives, printing devices, remote desktops and network backup storage at their disposal. The profile data is stored locally on the workstation.
Terms of Service

The Service of Central Management is accessible to all economic centers of Masaryk University and is free of charge. The responsible persons from ICS are listed on the contacts page. On the side of the economic centers, the head of the LVT of the associated EC is considered the responsible person. This person can delegate all technical matters further throughout the locality.

The current possibilities of the System Administration Department in terms of applied solutions enable the use of the Service of Central Management in two scenarios: localities with their own server equipment and localities without it. Since 2013, new localities have been included exclusively according to the second scenario, i.e. without the need for localities to have their own server equipment. Both scenarios are identical from the user’s perspective: profiles, software equipment and all central settings are identical in both scenarios. The difference in functionality is in the access and rights of local administration departments and in individual requirements. In this case, local server equipment can offer a wider range of local functions and services.

SAD ICS (System Administration Department of the Institute of Computer Science) provides the following activities as part of the Service of Central Management:

• management of authentication via UČO and secondary password
• management, monitoring and backup of servers
• management of workstations’ unattended installations
• management of the basic set of software
• local distribution of hotfixes and updates for Microsoft products
• local distribution of updates for Eset anti-virus products
• availability of printing devices using the Active Directory
• management of student profiles
• management of host profiles in order to grant MU visitors access to the UCN and ICS services (Eduroam, VPN, . . . )
• provision of information concerning the security state of the IT infrastructure – security audit
• troubleshooting – solution of serious and critical software problems on workstations
• general consultations concerning the area of IT
In localities included into the Central Management (with local administration not provided by the ICS), the local administration departments are responsible for:

• management of the extended set of software, which is not distributed centrally
• reaction to the UCN administrators’ requests
• reporting of occurring problems to the UCN administrators
• management of the network infrastructure of local workstations and servers
• complaints related to the locality’s hardware
Inclusion of a locality without HW equipment

The following conditions must be fulfilled in order to include an EC into the central management:

Hardware:
• In this scenario, localities use the HW equipment of the ICS.

Software:
• the appropriate number of Microsoft OS licenses for workstations included in the UCN infrastructure
• the appropriate number of CALs for workstations included in the UCN infrastructure
• the appropriate number of anti-virus licenses for workstations included in the UCN infrastructure

Inclusion of a locality with HW equipment

Hardware:
• 3 servers (service included)
• backup power supply in case of a power outage (for example a UPS)
• network switch and reserved network segments for servers and workstations

Software:
• three server licenses of Microsoft OS (by arrangement with ICS)
• the appropriate number of Microsoft OS licenses for workstations included in the UCN infrastructure
• the appropriate number of CALs for workstations included in the UCN infrastructure
• the appropriate number of anti-virus licenses for workstations included in the UCN infrastructure
Settings of the client segments

Inclusion of workstations into the central management is associated with a set of rules:

• Workstations are added into the domain exclusively using the system for unattended installation of operating systems OPSI at https://tali.ics.muni.cz/
• A subnet (WLAN) containing workstations from the domain may not contain any other device from outside the domain. Automatic assignment of IP addresses must also not be allowed in this segment.
• IP addresses are distributed exclusively via a DHCP server, which is configured according to the instructions from the UCN domain administrators.
• Correct setting of DHCP reservations on the associated servers.
• Correct setting of reverse DNS records.
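A locality can check the reservation and reverse DNS rules above before requesting the addition of workstations; the Python script below is an added example and not an ICS tool. It parses a constructed dhcpd.conf excerpt and a constructed reverse zone, with a placeholder domain and subnet, and reports duplicate MAC addresses, addresses outside the segment and missing or mismatched PTR records.

```python
"""Consistency check for a client segment before new workstations are
requested: every workstation has one DHCP reservation, MAC addresses and
fixed addresses are unique, every fixed address lies in the segment, and
every reserved address has a reverse DNS record naming that workstation.

Added example, not an ICS tool. The dhcpd.conf and reverse-zone excerpts
are constructed, and the domain, subnet and host names are placeholders."""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt in ISC dhcpd.conf host-block syntax.
DHCPD_CONF = """
host pc01 { hardware ethernet 00:11:22:33:44:01; fixed-address 10.0.5.11; }
host pc02 { hardware ethernet 00:11:22:33:44:02; fixed-address 10.0.5.12; }
host pc03 { hardware ethernet 00:11:22:33:44:02; fixed-address 10.0.5.13; }
host pc04 { hardware ethernet 00:11:22:33:44:04; fixed-address 10.0.5.14; }
host pc05 { hardware ethernet 00:11:22:33:44:05; fixed-address 10.0.6.15; }
"""

# Constructed excerpt of the reverse zone 5.0.10.in-addr.arpa (relative names).
REVERSE_ZONE = """
11  IN  PTR  pc01.example.invalid.
12  IN  PTR  pc02.example.invalid.
14  IN  PTR  printer.example.invalid.
"""

SEGMENT = ip_network("10.0.5.0/24")   # workstation segment (placeholder)
DOMAIN = "example.invalid"            # DNS suffix of the locality (placeholder)

HOST_RE = re.compile(
    r"host\s+(?P<name>[\w-]+)\s*\{[^}]*?hardware\s+ethernet\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*;[^}]*?fixed-address\s+"
    r"(?P<ip>[\d.]+)\s*;", re.I | re.S)
PTR_RE = re.compile(r"^\s*(?P<last>\d{1,3})\s+(?:\d+\s+)?IN\s+PTR\s+(?P<target>\S+)",
                    re.I | re.M)


def parse_reservations(conf: str) -> list:
    """Return [{'name', 'mac', 'ip'}] for every host block with a MAC and address."""
    return [{"name": m["name"], "mac": m["mac"].lower(), "ip": m["ip"]}
            for m in HOST_RE.finditer(conf)]


def parse_reverse_zone(zone: str, segment) -> dict:
    """Map each PTR record of a /24 reverse zone to its full IPv4 address."""
    base = int(segment.network_address)
    return {str(ip_address(base + int(m["last"]))): m["target"].rstrip(".").lower()
            for m in PTR_RE.finditer(zone)}


def check_segment(reservations, ptr_map, segment, domain) -> list:
    """Return human-readable findings; an empty list means the segment is consistent."""
    findings, seen_mac, seen_ip = [], {}, {}
    for r in reservations:
        name, mac, ip = r["name"], r["mac"], r["ip"]
        if mac in seen_mac:
            findings.append(f"{name}: MAC {mac} already reserved for {seen_mac[mac]}")
        seen_mac.setdefault(mac, name)
        if ip in seen_ip:
            findings.append(f"{name}: address {ip} already reserved for {seen_ip[ip]}")
        seen_ip.setdefault(ip, name)
        if ip_address(ip) not in segment:
            findings.append(f"{name}: address {ip} is outside segment {segment}")
            continue  # no PTR is expected in this zone for a foreign address
        expected = f"{name}.{domain}".lower()
        target = ptr_map.get(ip)
        if target is None:
            findings.append(f"{name}: no reverse DNS record for {ip}")
        elif target != expected:
            findings.append(f"{name}: PTR for {ip} is {target}, expected {expected}")
    return findings


def run_check() -> list:
    """Run the check over the constructed excerpts."""
    reservations = parse_reservations(DHCPD_CONF)
    ptr_map = parse_reverse_zone(REVERSE_ZONE, SEGMENT)
    return check_segment(reservations, ptr_map, SEGMENT, DOMAIN)


if __name__ == "__main__":
    for line in run_check() or ["segment is consistent"]:
        print(line)
```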
Preparation of SW equipment

The SW equipment of classrooms is modified before the beginning of each semester according to the instructions from the person responsible for the classroom, who also communicates with all the lecturers who are going to be using the classroom during the semester. Requests for addition/modification of SW must be reported at least three weeks before the beginning of the semester in order to ensure sufficient testing of the environment. Requests reported after this date might not be handled before the start of the semester. One week before the start of the semester, the classrooms will be ready for testing by lecturers.

Local technical departments

Local administrators may not interfere with the system in a way that would allow for the elevation of a common user’s rights. Furthermore, under no circumstances is the local administrator allowed to disclose the administrator password or their own password to another person. Violation of these two rules will be considered a severe security breach and may lead to disconnection of the locality from the central infrastructure. Local administrators are responsible for local hardware and software management, solution of routine problems and mediation of communication between users and domain administrators. This includes:

• Setting of the BIOS according to the requirements of the Central Management.
• Installation and management of locally distributed applications and printers.
• Solution of local problems that have no direct connection to the functionality of the Service of Central Management.
• Mediation of requests, questions and requirements related to the Service of Central Management to the domain administrators.
• Local assistance to the domain administrators in solving routine and crisis situations in the locality.
Troubleshooting

Problems can be divided by severity into three groups:

• Common
  - occurrence on a single workstation, solved by a reboot or reinstallation of the workstation
  - occurrence on a single user profile on multiple workstations, solved by a repair of the user’s profile
• Severe
  - occurrence on multiple workstations, solved by contacting the UCN domain administrators

Restart or reinstallation of a workstation

A restart of a workstation ensures the restoration of domain policies and the application of domain scripts. Reinstallation of a workstation provides a completely new configuration of the reinstalled workstation (operating system, device drivers, software, domain policies, security of the file system). In the case of employees’ workstations, profiles and the D: drive are left untouched by the reinstallation process. If these methods fail, the problem should be reported to the UCN domain administrators.

User profile repair

If the user profile correction tool is not available to you, contact the UCN domain administrators at [email protected] and request a profile correction. This request must contain the user’s UČO. Before contacting the administrators, verify that the user’s profile is not full – approximately half of the problems with user profiles are caused by insufficient profile space, and users are capable of solving this issue on their own.
Specification of the problem, report of the problem to the UCN domain administrators

In case of occurrence of a severe problem, please contact the UCN domain administrators by e-mail at [email protected]. The report of the occurring problem should be as detailed as possible. Every e-mail reporting a problem to the UCN domain administrators should contain:

• Locality (Classroom XY of faculty ZW).
• Problem description.
• Time of the problem occurrence (i.e. today, yesterday, last week, on Wednesday, 14.2., . . . ).
• Any changes to the workstation which could be related to the problem (power outage, change in hardware equipment, newly installed application, . . . ).
• If the contact person is not the same as the sender of the report, the name of the contact person (or equivalently their UČO or school mail address).

Provision of all the information described above during the first contact with the UCN domain administrators will help to significantly speed up the solution of the problem. Examples of serious problems can be: dysfunctional anti-virus software on the workstation, an inoperative license server of the maintained software, inability to log in to the workstation for a larger group of users, unavailability of user profiles and more.
Technical description of the service

Central management (or the infrastructure of the central management) is built on Microsoft Active Directory. Standard technologies such as group policies and scripts are used for workstation management. The central domain is the UCN domain. Located in this domain are the infrastructure’s servers ensuring the proper function of the service. A number of subdomains are included under the UCN domain (e.g. PHIL, FSS, . . . ). These are partially administrated by local administrators, allowing them to take over a significant part of the management (e.g. to develop their own policies, to add and remove workstations and more).

Solution for Unattended Installation of operating systems

Workstations included into the central management are installed exclusively by the automated tool OPSI, which is installed on the servers alia.ucn.muni.cz and tali.ics.muni.cz. The following preparations have to be made in order to enable installation into the central management:

• Configuration of the BIOS of the installed workstations according to the instructions from the UCN domain administrators.
• Insertion of the discovered MAC addresses of the installed workstations into the network according to the description in the chapter Settings of the client segments.
• Request to the UCN administrators for the new workstations to be added to the system for unattended OS installation (the names of the workstations from DHCP and their MAC addresses must be included).

The Solution for Unattended Installation of OS is based on booting the operating system via the network. In the first step, the workstation boots a Unix-based operating system from the network location according to the BIOS and DHCP configuration. This system initiates the download and installation of the desired Windows operating system. The whole process is completed by a series of scripts. These adjust the most important settings in the context of the Service of Central Management. Once the operating system has been installed, a fluent transition to the process of integration into the infrastructure is enabled. This process sets the workstation’s security settings, delegates the maintained applications and grants access to printing solutions and user profiles.
Solution for Software Distribution

One of the basic functions of the UCN domain is the distribution of SW equipment. There are two sets of software:

• Basic – identical for all localities, contains all commonly used software.
• Extended – typically SW equipment requested by specific localities for lecturing purposes.

The basic software package contains the software equipment common for all study rooms, be it on individual faculties or in the university-wide study rooms. This whole set of software is regularly updated every two or every four weeks across the whole UCN domain. This ensures a homogeneous environment by offering the same software versions across the domain. In case of the necessity to centrally deploy software specific to a selected faculty/locality, the preparation of this installation is done by the local administrators (e.g. Total Commander instead of the centrally maintained Altap Salamander). If certain parameters are met, the local software can be incorporated into the central management. The extended set of software is updated according to an agreement between the UCN domain administrators and the local administrators. Changes in software versions can cause differences in functionality or compatibility problems, which could severely affect the lectures. Adjusting the frequency of updates of the extended set of software to the needs of lecturers helps to prevent these problems.

The basic set of the maintained software consists of:

• 7-Zip
• Adobe Digital Editions
• Adobe Reader
• Altap Salamander
• ArcGIS
• CDBurnerXP
• Mozilla Firefox
• Flash
• GIMP
• Google Chrome
• Internet Explorer
• IrfanView
• Java JRE 6
• Java JRE 7
• Matlab
• NOD32
• Notepad++
• Opera
• PDF24 Creator
• PDFCreator
• PSPad
• PuTTY
• Statistica
• TeX Live
• VLC Player
• WinSCP
Solution for User Profile Administration
One of the main advantages of central management is the homogeneity of the user's working environment, independent of the classroom and workstation they currently operate on. This is guaranteed by the use of user profiles that are stored on network storage and copied to the workstation at every login. This way, the user has access to an invariant working environment, which allows for better working conditions. The following network repositories are available to the users:
• I: TEMP directory shared from a server. This directory is fully accessible to all users. For example, it can be used to transfer data between stations. The directory is not intended for long-term data storage – this capacity is not backed up and it is regularly erased.
• J: Applications shared on a server. This repository is read-only. It includes applications that do not require installation on the client side.
• K: User profile that contains all user settings (particularly the files of browsers and mail clients). This capacity can be used to store personal files – they are available in the My Documents folder on the workstation's desktop. This storage has a limited capacity, i.e. the total data size of this folder (including files from mail clients, browsers, etc.) must not exceed the given limit. After the limit is reached, the correct behavior of applications or personal settings cannot be guaranteed.
• The only folders on the local disk with full student access are:
- C:\Users\UČO (on Windows XP C:\Documents and Settings\UČO) - A copy of the roaming user profile. This includes the user's desktop and documents.
- C:\Temp - Local folder. Its size is limited by the capacity of the local disk, and it is erased as required.
Solution for Central Datastore
All students and employees of Masaryk University are provided with custom profiles, which are made available after logging onto any workstation in central administration. Individual storage capacities are also created for all university employees, intended for storage and sharing of their daily operational data. These storage capacities are available either from the MU network or via the MU VPN. They are available at \\sam.ics.muni.cz\UČO with the credentials:
• Login: UCN\UČO
• Password: secondary password
Solution for Remote Wake-up and Shutdown
Localities included in the Service of Central Management are offered an option of centrally controlled wake-up, turn-on and shut-down of workstations according to a pre-arranged schedule. This service is only provided to localities with Windows 7 in both bit versions. An early consultation about the deployment of this Solution is also necessary, usually accompanied by a technical audit of the network infrastructure and the workstations' hardware equipment. For the Solution to function correctly, the Wake on LAN option (typically referred to as WOL) must be enabled in the locality. These adjustments must be made both in the BIOS of the administrated workstations and on the active network components. The Solution also depends on the workstation's network card supporting WOL. It is also necessary to allow UDP broadcast communication.
Solution for Examination Modes
Examination modes are one of the options supported under the Service of Central Management. Lecturers can switch workstations from normal mode to examination mode in a matter of minutes. Two examination modes are currently supported:
• "Odpovědník" mode: After being switched to this mode, the workstation logs in with a special account and launches an answer sheet from IS MU. This is the only way the workstation can be used in this mode. The students have no access to the internet, their own data or the installed applications.
• "Zkouška" mode: In this mode, the stations are disconnected from the network. Students do not have access to their own data, but all the installed software is fully available.
Solution for Monitoring of Localities
For various security, informational and technical reasons, all the localities in central management are equipped with technical solutions gathering information about users and workstations. This information includes data about workstations, study rooms and the entries of students into the study rooms. It is also possible to monitor who is currently occupying a given workstation, along with their UČO and basic information. This data is displayed in real time and recorded.
A.2 Description of the Central Management Service
The concept of unified central management of computers arose from experience with the technologies used in the University-wide Computer Study Room. The University Computer Network (UCN) infrastructure was created, which enables efficient management of personal computers and a uniform environment for students and employees across the university. This infrastructure is currently used for three different purposes: university computer study rooms, faculty classrooms and employee computers. From the user's point of view, localities included in central management provide integrity of the working environment, higher security and uniformity of the provided services. The Service uses single sign-on with standard credentials (UČO and the secondary password), a uniform environment in Microsoft Windows and a standard set of basic software. The standard, centrally maintained software specified below is available, as are specially licensed programs covered by the university licence. The Solution also offers the option of including an extended set of software according to individual requirements. The main benefit is a significant overall saving in management costs and the provision of the same working environment across the whole of MU, both in teaching and in the university study rooms. From the administrators' point of view, the infrastructure provides the following functionality: unattended installation of PCs (OS + SW), regular updates of the centrally provided software, access to troubleshooting tools, remote access to workstations, monitoring of workstations and more. Updates are installed on the workstations regularly during service windows, which are usually scheduled for late night hours. During this time, updates of operating systems and deployed software, or other service tasks connected with updating the workstations' equipment, are carried out.
The advantage of this approach is that an always up-to-date environment is provided without any intervention by the user. Another function of UCN is the provision of connection to centralised printing systems. These allow uniform payment with the ISIC card through the SUPO account and a standard printing environment at various localities. In addition to the standard mode, we support special modes intended, for example, for examining students. These are characterised by protection against copying, against access to unwanted applications, mail and the internet, or by blocking access to data in student profiles. We also offer support for various training sessions etc. Currently, study rooms, classrooms and workplaces from more than half of the organisational units of MU are included in central management at various levels of integration. These include, for example:
• MU Rectorate
• Institute of Computer Science
• Faculty of Science
- Geography computer classroom
- Geology computer classroom
- Library
- Science Club (Přírodovědecký klub)
• Faculty of Law
- Study rooms and computer classrooms
• Faculty of Arts
- Full support of student and employee computers
- Library
• Faculty of Education
- Library
- Computer classroom
• Faculty of Social Studies
- Library
- Two computer classrooms
- Selected employee computers
• Technology Transfer Office
- Full support of employee computers
• University Campus Bohunice
- University Campus Bohunice Library
- Chemistry computer classroom
- Faculty of Medicine localities
• University-wide Computer Study Room
• University Centre Telč
• Accommodation and Catering Services (Správa kolejí a menz)
Classification of localities
The Central Management Service is offered at Masaryk University in several variants according to the purpose of use:
• Study rooms - computer rooms freely accessible to students.
• Classrooms - computer rooms intended for teaching.
• Employee workstations.
Study rooms
A study room is a computer room intended for students' free-time study and related activities. Students have access here to the basic set of SW and to selected SW related to their field of study. It offers a uniform user environment common to the classroom and study room modes in the form of roaming profiles, storage space and access to shared drives and printers.
Classrooms
A classroom is a computer room intended for teaching and related activities. Students have access here to the basic set of SW and to SW related to their field of study (this set is agreed on when the classroom is included in central management and renewed every semester). It offers a uniform user environment common to the classroom and study room modes in the form of roaming profiles, storage space and access to shared drives and printers.
Employee workstations
Computers in the employee workstation mode offer functionality partly similar to study rooms: besides the basic set of SW, employees also have access to SW related to their work (economic SW, asset management, etc.; this set is agreed on when the workplace is included in central management). They also have local storage space and access to shared drives, printing, remote desktops and backed-up network storage. Data are stored on the given workstation.
Terms of service
The Central Management Service is available to all economic centres (HS) of MU and is provided free of charge. The responsible persons on the ÚVT (ICS) side are listed on the contacts page. On the side of the economic centres, we consider the heads of the LVT (local IT department) of the respective HS to be the primary contact persons; they may delegate central management matters further. Within the current capabilities of the System Administration Department and in the context of the deployed solutions, we operate the Central Management Service in two scenarios: with the locality's own server equipment and without server equipment. Since 2013, new localities have been included exclusively according to the second scenario, i.e. without the need to have their own server equipment. Both scenarios are identical from the user's point of view: profiles, software equipment and all central settings are exactly the same in both versions. Different functionality may be observed with respect to the options of local management and individual requirements, where local server equipment can offer a wider range of local functions and services.
OSS ÚVT (the System Administration Department of the Institute of Computer Science) provides the following activities within the Central Management Service:
• management of authentication via UČO and the secondary password
• management, monitoring and backup of servers
• management of unattended installations of user workstations
• management of the basic software package
• local distribution of patches and updates for Microsoft products
• local distribution of updates for Eset antivirus products
• provision of printers via Active Directory
• management of student profiles
• management of guest accounts giving MU visitors access to UCN and ÚVT infrastructure services (Eduroam, VPN, ...)
• provision of information on the current security situation in the infrastructure – security audit
• troubleshooting – resolution of more serious and critical SW problems with workstations
• general consultation on IT issues
In a locality included in central management (where the end management of devices is not provided by ÚVT), the local administrators provide the following activities:
• management of the extended software package that is not deployed centrally
• response to requests from UCN administrators
• reporting of incidents to UCN administrators
• management of the network infrastructure of workstations and servers
• warranty claims related to faculty-owned hardware
Inclusion of a locality without its own HW
To connect an HS to central management, the following conditions must be met:
Hardware:
• In the scenario without their own equipment, localities use the HW equipment of ÚVT.
Software:
• the appropriate number of Microsoft OS licences for the workstations connected to the UCN infrastructure
• the appropriate number of CAL licences for the workstations to be connected to the UCN infrastructure
• the appropriate number of antivirus software licences for the workstations connected to the UCN infrastructure
Inclusion of a locality with its own HW
Hardware:
• 3 servers (with a service contract)
• backup power for the servers in case of a mains power failure (e.g. UPS)
• a network switch and dedicated network segments for servers and workstations
Software:
• 3 Microsoft server OS licences (as agreed with ÚVT)
• the appropriate number of Microsoft OS licences for the workstations connected to the UCN infrastructure
• the appropriate number of CAL licences for the workstations to be connected to the UCN infrastructure
• the appropriate number of antivirus software licences for the workstations connected to the UCN infrastructure
Configuration of client segments
Including workstations in central management is tied to a set of rules:
• Workstations are joined to the domain exclusively via the OPSI system for remote operating system installation at https://tali.ics.muni.cz/
• No device that is not in the domain will be placed in the subnet (WLAN) in which domain workstations are located. Automatic assignment of IP addresses must not be allowed on this segment either.
• IP addresses are distributed only via DHCP according to the supplied configuration.
• Configuration of DHCP reservations on the corresponding servers.
• Configuration of reverse DNS records.
Preparation of SW equipment
The SW equipment of classrooms is modified before the start of each semester according to the instructions of the responsible person, who handles communication with all lecturers who will use the classroom in the given semester. Requests for adding/modifying SW must be reported no later than 3 weeks before the start of the semester to allow sufficient testing of the environment. Requests reported after this deadline may not be processed before the start of the semester. One week before the start of the semester, the classrooms will be ready for testing by the lecturers.
Local administrators
Faculty administrators must not, by any intervention in the computer's system, enable the elevation of privileges of an ordinary user. Furthermore, under no circumstances may they hand over the administrator password for the workstations, or their own password, to another person. Violation of these two rules will be considered a serious security breach and may lead to disconnection from the infrastructure. Faculty administrators are responsible for the local hardware and software management of localities, the resolution of routine problems and mediating communication between users and administrators. This includes:
• BIOS configuration in accordance with the requirements of Central Management.
• Installation and management of locally distributed applications and printers.
• Resolution of local problems not directly related to the functionality of Central Management.
• Forwarding requests, questions and tasks related to the Central Management Service to the administrators.
• Local assistance to the administrators in resolving routine and crisis situations at the locality.
Troubleshooting
Problems can be divided into three groups by severity:
• Common
- occurring on one computer, resolved by restarting or reinstalling the computer
- occurring for one user on several computers, resolved by repairing the user profile
• Serious
- occurring on several computers, resolved by contacting the UCN administrators
Restart or reinstallation of the computer
Restarting the computer re-applies the domain policy settings and the domain scripts. Reinstalling the computer yields a completely new workstation configuration (operating system, device drivers, software, domain policies, file system security). On an employee PC, the user profile and drive D: are left untouched by the reinstallation. If the above steps do not help, report the problem to the UCN administrators.
Repair of the user profile
If you have not been provided with a tool for restoring the user profile, send a request for a user profile repair to the UCN administrators at [email protected] and state the user's UČO. Before contacting the administrators, verify that the user's profile is not full: approximately half of the profile problems are caused exactly this way, and the user is able to remedy this on their own.
Specification of the problem occurrence, reporting problems to UCN administrators
In the event of a serious problem, contact the UCN administrators directly at the e-mail address [email protected]. Try to report the problem with as precise a description as possible. Every e-mail reporting a problem to the administrators should contain:
• The locality (Classroom XY of faculty ZW).
• A description of the problem.
• The time of the problem's occurrence (i.e. today, yesterday, last week, on Wednesday 14.2., ...).
• The place of the problem's occurrence (ideally the workstation number, the UČO of the student logged in at the time, whether it is a single occurrence or repeated on several workstations / for several users, ...).
• Any changes made on the workstation that could relate to the problem (power failure, HW replacement, newly installed software, ...).
• If the contact person differs from the sender of the request, the name of the contact person (equivalently their UČO or university e-mail address).
By providing all the above information to the administrators already during the first contact, you will contribute to a faster resolution of the problem. Examples of a serious problem include non-functional antivirus software on a workstation, a non-functional software licence server, the inability of a larger group of users to log in to the computers, unavailable user profiles, etc.
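The profile-repair procedure above (and the K: quota described under user profile administration in A.1 and A.2) asks the local administrator to rule out a full profile before requesting a repair. The following is an added example, not code from the thesis: it measures a profile directory against a quota and names the largest sub-folders, so the user can see whether browser caches or mail data are what filled it. The quota value, folder names and sample files are constructed for the example.

```python
"""Check a roaming profile (K: / C:\\Users\\UCO) against its quota.

Added example, not part of the thesis. Quota, layout and sample data are
constructed; point check_profile() at a real profile folder to use it.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class ProfileReport:
    total_bytes: int
    quota_bytes: int
    over_quota: bool
    largest_dirs: list          # (relative dir, bytes directly inside it), biggest first
    recommended_action: str


def dir_sizes(root):
    """Return {relative_dir: bytes of the files directly inside it} for every directory under root."""
    sizes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        total = 0
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):        # a link could point outside the profile
                total += os.path.getsize(path)
        sizes[rel] = total
    return sizes


def check_profile(root, quota_bytes, top_n=3):
    """Sum the profile, compare with the quota and rank the heaviest folders."""
    sizes = dir_sizes(root)
    total = sum(sizes.values())
    ranked = sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)[:top_n]
    over = total > quota_bytes
    if over:
        # The text says roughly half of profile problems are a full profile the user can fix alone.
        action = "profile over quota: free space in the largest folders before requesting a repair"
    else:
        action = "profile within quota: request a profile repair from the UCN administrators"
    return ProfileReport(total, quota_bytes, over, ranked, action)


def build_sample_profile():
    """Constructed sample profile: small documents, an oversized browser cache and a mail store."""
    root = tempfile.mkdtemp(prefix="profile_")
    layout = {
        "Documents": 2_000,
        os.path.join("AppData", "Local", "Mozilla", "Cache"): 60_000,
        os.path.join("AppData", "Roaming", "Thunderbird"): 30_000,
        "Desktop": 1_000,
    }
    for rel, size in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "data.bin"), "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    report = check_profile(build_sample_profile(), quota_bytes=50_000)
    print(report.total_bytes, report.quota_bytes, report.over_quota)
    for rel, size in report.largest_dirs:
        print(f"{size:>8} {rel}")
    print(report.recommended_action)
```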
Technical description of the Service
Central management (or rather the infrastructure for central management) is built on Microsoft Active Directory technologies. It uses standard technologies such as group policies and scripts to manage computers. The central domain is the UCN domain. The infrastructure servers that operate the Service are placed in this domain. Under the UCN domain are subdomains (e.g. PHIL, FSS, ...) belonging to the faculties, which allow local administrators to take over a significant part of the management (e.g. creating their own policies, adding and removing computers, ...).
Solution for unattended installation of operating systems
Workstations included in central management are installed exclusively with the automated OPSI tool on the servers alia.ucn.muni.cz and tali.ics.muni.cz. A prerequisite for the installation is the preparation of the workstations for inclusion in central management, i.e.:
• Configuration of the workstations' BIOS according to the instructions of the central management administrators.
• After determining the MAC addresses, introduction of these workstations into the network as described in the section Configuration of client segments.
• Submission of a request to the administrators to add the workstations to the unattended OS installation system (the request must include the workstation names from DHCP and their MAC addresses).
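The rules under "Configuration of client segments" and the prerequisites above tie each workstation to a DHCP reservation, a forward and reverse DNS record, an OPSI client entry and a segment with no foreign devices. The following is an added example, not code from the thesis or the OPSI project: an audit that checks those records against each other and flags unreserved MAC addresses on the segment. All record sets, host names, MACs and addresses are constructed; in practice they would be exported from the DHCP server, the DNS zones, the OPSI server and the switch's MAC address table.

```python
"""Audit a client segment against the client-segment rules.

Added example, not from the thesis. Sample data are constructed
(example.test names, 10.0.5.0/24); replace them with real exports.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Reservation:
    hostname: str   # name used in DHCP; expected in DNS and on the OPSI server too
    mac: str
    ip: str


def normalize_mac(mac):
    """Accept 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC or 001122aabbcc; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def audit_segment(segment, reservations, forward_dns, reverse_dns, opsi_clients, seen_macs):
    """Return a sorted list of (severity, subject, message); an empty list means compliant.

    segment      - client subnet in CIDR form
    reservations - DHCP reservations for that subnet
    forward_dns  - {hostname: ip} A records
    reverse_dns  - {ip: hostname} PTR records
    opsi_clients - {hostname: mac} as registered on the OPSI server
    seen_macs    - MAC addresses observed on the segment (switch MAC table)
    """
    net = ipaddress.ip_network(segment)
    findings = []
    reserved = {}
    for r in reservations:
        mac = normalize_mac(r.mac)
        reserved[mac] = r.hostname
        if ipaddress.ip_address(r.ip) not in net:
            findings.append(("error", r.hostname, f"reservation {r.ip} lies outside {segment}"))
        if forward_dns.get(r.hostname) != r.ip:
            findings.append(("error", r.hostname, "forward DNS record missing or differs from reservation"))
        if reverse_dns.get(r.ip) != r.hostname:
            findings.append(("error", r.hostname, "reverse DNS record missing or differs from reservation"))
        opsi_mac = opsi_clients.get(r.hostname)
        if opsi_mac is None:
            findings.append(("error", r.hostname, "not registered on the OPSI server"))
        elif normalize_mac(opsi_mac) != mac:
            findings.append(("error", r.hostname, "OPSI MAC differs from DHCP reservation"))
    # Rule: no device outside the domain on the segment; anything without a reservation is suspect.
    for mac in seen_macs:
        if normalize_mac(mac) not in reserved:
            findings.append(("warning", normalize_mac(mac), "device on segment without DHCP reservation"))
    return sorted(findings)


def run_sample_audit():
    """Run the audit on constructed sample records (not real UCN data)."""
    reservations = [
        Reservation("pc01.example.test", "00:11:22:33:44:01", "10.0.5.11"),
        Reservation("pc02.example.test", "00-11-22-33-44-02", "10.0.5.12"),
        Reservation("pc03.example.test", "001122334403", "10.0.5.13"),
    ]
    forward_dns = {"pc01.example.test": "10.0.5.11",
                   "pc02.example.test": "10.0.5.12",
                   "pc03.example.test": "10.0.5.99"}          # stale A record
    reverse_dns = {"10.0.5.11": "pc01.example.test",
                   "10.0.5.12": "pc02.example.test"}          # PTR for pc03 missing
    opsi_clients = {"pc01.example.test": "00:11:22:33:44:01",
                    "pc02.example.test": "00:11:22:33:44:ff"}  # wrong MAC; pc03 absent
    seen_macs = ["00:11:22:33:44:01", "00:11:22:33:44:02",
                 "00:11:22:33:44:03", "de:ad:be:ef:00:01"]   # last one has no reservation
    return audit_segment("10.0.5.0/24", reservations, forward_dns,
                         reverse_dns, opsi_clients, seen_macs)


if __name__ == "__main__":
    for severity, subject, message in run_sample_audit():
        print(f"{severity:<8}{subject:<20}{message}")
```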
The Solution for unattended OS installation works on the basis of booting the system over the network. In the first step, the end workstation, according to the settings in DHCP and BIOS, loads a Unix-based boot operating system from a predefined network location. This then locally initiates the installation of the requested operating system from the network. The whole process is completed by a series of scripts which adjust the settings needed in the context of the Central Management Service on the workstation. After the installation of the operating system, a smooth transition to the full inclusion of the workstation is possible. This comprises the security settings of the workstation, delegation of the managed applications, and access to printing and user profiles.
Solution for software distribution
The distribution of workstation software is one of the basic functionalities of the domain. We distinguish two sets of SW:
• Basic – the same at all localities, contains all commonly used software.
• Extended – typically SW equipment requested by specific localities for teaching purposes.
The basic software package means the software equipment common to all study rooms, whether of a faculty or university-wide nature. The basic set of SW is regularly updated across the whole domain every two, or alternatively every four, weeks. This guarantees a homogeneous environment thanks to the same SW versions being offered throughout UCN. When software specific to a given faculty/locality needs to be deployed centrally, preparing the installation is the responsibility of the faculty/local administrators (e.g. Total Commander instead of the centrally deployed Altap Salamander). If selected parameters are met, local SW can be included in central management. The extended set is updated according to an agreement between the central management administrators and the locality administrators. Changes in SW versions can cause differences in functionality or compatibility problems, which can seriously disrupt teaching. Setting the update frequency of the extended set according to the needs of teaching thus helps to prevent these problems. The basic set of managed software contains:
• 7-Zip
• Adobe digital editions
• Adobe Reader
• Altap Salamander
• ArcGis
• CD Burner XP
• Mozilla Firefox
• Flash
• Gimp
• Google Chrome
• Internet Explorer
• IrfanView
• Java JRE 6
• Java JRE 7
• Matlab
• NOD 32
• Notepad ++
• Opera
• PDF 24 Creator
• PDF Creator
• PsPad
• Putty
• Statistica
• TexLive
• VLC Player
• WinSCP
Solution for user profile management
One of the main advantages of central management is the homogeneity of the user environment regardless of the classroom and workstation on which they are currently working. This is guaranteed by the use of user profiles, which are stored on network storage and propagated to the workstations at every login. The user thus obtains an unchanging working environment, which gives them better working conditions. The following network storage is made available to users as standard:
• I: the TEMP directory shared from the server. This directory is fully accessible to all users. It can be used, for example, to transfer data between workstations. The directory is not intended for long-term data storage – it is not backed up and is regularly cleared as needed.
• J: Applications shared on the server. The directory is read-only. It contains applications that do not require installation on the client side.
• K: The user profile, which contains all user settings (primarily the files of browsers and mail clients). To a certain extent, the space can be used to store personal files – it is also accessible as the Documents folder on the desktop. The space has a limited capacity, i.e. the total size of the data in this folder (including the files of mail clients, browsers and the like) must not exceed the quota. Once the quota is reached, correct behaviour of applications and personal settings is not guaranteed.
• The only folders on the local disk to which students have explicit write permission are:
- C:\Users\UČO (on Windows XP C:\Documents and Settings\UČO) - A copy of the user's roaming profile. This also includes the users' desktop and documents.
- C:\Temp - A local folder; its size is limited by the capacity of the local disk and it is cleared as needed.
Solution for central data storage
All students and employees of Masaryk University have their own profiles at their disposal, which become accessible after logging in to any workstation in central management. Individual storage is also created for all university employees, serving to store and share their ordinary working data. These storage capacities are accessible only from the MU network, or from outside the network using the MU VPN. These spaces are made available in the folder \\sam.ics.muni.cz\UČO with the credentials:
• Login: UCN\UČO
• Password: secondary password
Solution for waking and shutting down machines
At localities included in the Central Management Service, we offer the option of centrally controlled wake-up, power-on and shutdown of computers according to a pre-agreed schedule. The service is provided exclusively to localities with the Windows 7 operating system in both bit versions. An early consultation on the possibility of deploying this solution is also necessary, usually accompanied by a technical audit of the network infrastructure and the hardware equipment of the end workstations. For the solution to function, the locality's settings must be adapted for Wake on LAN (typically referred to as WOL). This must be done both in the BIOS of the end workstations and on the active elements of the locality's network infrastructure. The solution also depends on WOL support in the workstations' network cards themselves. Broadcast communication of the UDP protocol must be allowed to pass through the active network elements.
Solution for examination modes
One of the workstation modes supported within the Service is the examination modes. Lecturers have the option of switching workstations from normal mode to examination mode within a few minutes. Currently, two kinds of examination modes are available:
• Odpovědník mode: After the mode is set, the workstation logs in with a special account and launches an answer sheet (odpovědník) from IS MU. This is the only way the computer can be used in this mode. Students have no access to the internet, their own data or the workstation's applications.
• Zkouška (exam) mode: In this mode, the workstations are disconnected from the network. Students likewise have no access to their own data, but all of the workstation's software is available to them.
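The wake-up solution described in A.1 and again above depends on a Wake on LAN "magic packet" reaching the workstation as a UDP broadcast, which is why the BIOS, the NIC and the active network elements all have to permit it. The following is an added example, not code from the thesis: it builds the packet, and parses one back so that a capture on the far side of a switch can confirm the broadcast actually arrives intact. The MAC address, broadcast address and SecureOn password values are constructed; nothing is sent unless send_magic_packet() is called explicitly.

```python
"""Build, verify and (optionally) broadcast a Wake on LAN magic packet.

Added example, not code from the thesis. Sample MAC, broadcast address and
SecureOn password below are constructed values.
"""
import re
import socket

WOL_PORT = 9                  # discard port, the conventional WOL target
SYNC_STREAM = b"\xff" * 6     # the packet starts with six 0xFF bytes


def mac_to_bytes(mac):
    """Accept colon, dash or bare hex forms and return the six raw bytes."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac, password=b""):
    """Six 0xFF bytes, the target MAC repeated 16 times, then an optional 0/4/6-byte SecureOn password."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return SYNC_STREAM + mac_to_bytes(mac) * 16 + password


def parse_magic_packet(data):
    """Return the target MAC in colon form if data carries a well-formed magic packet, else None.

    The sync stream may sit anywhere in the payload, so search for it rather than
    assuming offset 0; the 16 repetitions must all match the first copy.
    """
    idx = data.find(SYNC_STREAM)
    if idx < 0 or len(data) < idx + 6 + 16 * 6:
        return None
    body = data[idx + 6: idx + 6 + 96]
    mac = body[:6]
    if body != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac, broadcast="255.255.255.255", port=WOL_PORT, password=b""):
    """Broadcast the packet on the local segment; returns the number of bytes sent.

    The locality's switches must forward UDP broadcast and the target's BIOS and
    NIC must have WOL enabled, as the text requires, or nothing will wake up.
    """
    packet = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    sample = build_magic_packet("00-11-22-AA-BB-CC")      # constructed MAC
    print(len(sample), "bytes, target", parse_magic_packet(sample))
```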
Solution for monitoring of localities
At central management localities, solutions collecting information about users and workstations are deployed for security, informational and technical reasons. This information includes information about computers, study rooms and entries into study rooms. It is also possible to display the occupancy of a machine by a user, together with their UČO and basic details. The information is displayed in real time and a history is recorded from the collected data.
A.3 Information poster: Computer study rooms and classrooms on MU
Computer study rooms and classrooms on MU
You are currently in one of many computer study rooms and classrooms of Masaryk University. The network of study rooms provides you with a uniform environment adjusted to your needs as a university student. For more information visit our website at the address below.
Software
All the study rooms included in the Service of Central Management are equipped with regularly updated software managed by the System Administration Department of the Institute of Computer Science.
List of installed software as of 6. 9. 2013: .NET Framework, Flash, Opera, 7-Zip, Gimp, PDF 24 Creator, Adobe digital edit., Google Chrome, Adobe Reader, Internet Explorer, Altap Salamander, IrfanView, Java JRE, ArcGis, PDF Creator, PsPad, Putty, Statistica, CD Burner XP, MS Office, TexLive, Eprezenčka, NOD 32, VLC Player, Notepad ++, WinSCP, Mozilla FireFox, Powershell, Matlab, Aspi
Data store capacities
All students of Masaryk University have at their disposal migrating profiles as part of the Service of Central Management. This ensures homogeneity of the workplace independent of the study room or the work machine they are currently using. In this context, the term 'profile data' means all the data stored in C:\Users\UČO. This includes all the data from the documents folder, desktop and all internet browsers.
Printing
Printers managed by the Institute of Computer Science can be found in selected buildings across the university grounds. Printing services are available by using SUPO and the university ID card ISIC or ITIC.
Reporting problems
In case of discovering any kind of problem or failure, please immediately report this state to technical support. This way, you can ensure a reliable workplace for yourself, as well as all the other students and lecturers who frequently use these study rooms during examinations. A report of the failure should contain:
• Locality (Study room XY on faculty ZW)
• A detailed description of the problem which occurred
• Time of the event (today, yesterday, last week, on Wednesday 14.2., ...)
• Location of the problem (computer number, student ID, ...)
• Possible changes made on the station that you are aware of (blackout, HW changes, newly installed software, ...)
For more information about university study rooms please visit: http://www.ups.muni.cz
In case of any requests or questions concerning the equipment of study rooms and classrooms please contact technical support: E-mail: [email protected], tel.: 549 49 7722
A.4 Information poster: Univerzitní počítačové studovny a učebny MU
University computer study rooms and classrooms of MU
You are in one of the many university computer study rooms of Masaryk University. The network of study rooms offers you a uniform environment adapted to the needs of your studies. More information can be found on the website, see below.
Software
In all study rooms of central management, students of Masaryk University have access to a set of regularly updated software managed by the System Administration Department of the Institute of Computer Science.
List of software as of 6. 9. 2013: .NET Framework, Flash, Opera, 7-Zip, Gimp, PDF 24 Creator, Adobe digital edit., Google Chrome, Adobe Reader, Internet Explorer, Altap Salamander, IrfanView, ArcGis, Aspi, Java JRE, PDF Creator, Powershell, PsPad, Putty, Matlab, Statistica, CD Burner XP, MS Office, TexLive, Eprezenčka, NOD 32, VLC Player, Notepad ++, WinSCP, Mozilla FireFox
Students' storage spaces
All students of Masaryk University have roaming profiles set up within central management, which guarantee the homogeneity of the working environment regardless of the study room and workstation on which they are currently working. Profile data is understood as the folder C:\Users\UČO, which includes, among other things, the desktop, documents and the data of the internet browsers of the individual users.
Printing
Printing devices managed by the Institute of Computer Science are located in selected buildings across the university. Printing is available using the SUPO account and the ISIC university card, or alternatively ITIC.
Reporting problems
If you discover any deficiency or problem, report it to technical support without delay. In this way you can help not only yourself but also your fellow students and colleagues who regularly use the study rooms, including during examinations. A report of a deficiency should ideally contain:
• The locality (Classroom XY of faculty ZW)
• A detailed description of the problem
• The time of the problem's occurrence (i.e. today, yesterday, last week, on Wednesday 14.2., ...)
• The place of the problem's occurrence (ideally the workstation number, the UČO of the student logged in at the time, ...)
• Any changes made on the workstation that could relate to the problem (power failure, HW replacement, newly installed software, ...)
More information about the study rooms can be found on the website: http://ups.muni.cz
In case of suggestions, questions or requests regarding the equipment of study rooms and classrooms, please contact technical support: mail: [email protected], tel.: 549 49 7722
A.5 Process of addition of a new workstation
[Figure A.5: swimlane diagram "Addition of a new workstation (WS)" with lanes Technical Support Department, F&A Office, External contractor and Employee. Steps, in order: Request of the new WS; Request acceptance; Order of new WS; New WS order acceptance; Notification of the incoming WS; Notification accepted; New WS acceptance; New WS preparation, WS provision; Request of WS registration; WS registration notification acceptance; Registration of the WS – DKP code ([email protected]) and Report of licenses pre-installed on the WS ([email protected]); WS registration confirmation; WS installation & network settings adjustment (Creating DHCP, DNS and rev. DNS records ([email protected]); Adding WS into OPSI server; Moving WS into proper AD OU); WS acceptance; WS delivery to the employee.]
A.6 Process of workstation removal
[Figure A.6: swimlane diagram "Removal of a workstation (WS)" with lanes Technical Support Department, F&A Office, External contractor and Employee. Steps, in order: Request of the WS removal; Request acceptance; WS removal; Request of WS registration removal; WS registration removal notification acceptance; Re-registration of the WS – DKP code ([email protected]) and Report of released licenses from the WS ([email protected]); WS registration removal confirmation; WS data deletion & network settings adjustment (Deleting DHCP, DNS and rev. DNS records ([email protected]); Removing WS from OPSI server; Removing WS from AD); decision: To liquidation (WS sent to liquidation; WS liquidation) or To stock (WS stored in stock for further use).]
A.7 Process of the OS installation via OPSI system
[Figure A.7: sequence diagram "Installation process of the OPSI Netboot product" with lanes Web Application, OPSI Server, Client (Workstation) and DHCP Server. Steps, in order: Assign product deployment to the client (Web Application); Start of the Client; Boot from LAN; DHCP server data request; Provision of IP address, PXE Boot server and image directory (DHCP Server); Provision of Unix-based OS, setup.py (OPSI Server); Installation of Unix-based OS; Preparation of a Netboot product installation; on Failure: Boot from HDD; on Success: Execution of HW Inventory, Drivers installation, Partition division, Windows PE downloading; Install Windows PE; Reboot; Request of Windows installfiles; Provision of Windows installfiles (OPSI Server); Installation of requested OS; Reboot; Deploy installed Windows OS.]