Date post: | 22-Jan-2018 |
Category: |
Software |
Upload: | univention-gmbh |
Univention Product Roundtrip
Highlights 2016 and look-out 2017
Dr. Alexander Kläser, Ingo Steuwer
Univention GmbH
About us
Dr. Alexander Kläser
Since 2010 @Univention
Product Development
Web, UX, App platform, ...
Ingo Steuwer
Since 2003 @Univention
Head of Professional Services
Agenda
(5) Ideas & Vision for 2017+
(4) What else to expect in 2017?
(3) What to expect in UCS 4.2?
(2) App & feature highlights in UCS 4.1
(1) What happened in 2016?
(1) What happened in 2016?
UCS 4.1 retrospection – Overview
UCS 4.1-0 Release: 2015/11/17, Highlights:
Docker integrated
SAML as a default
(Password) Self Service
Since then:
Fixes, improvements and extensions in >350 Errata Updates
Upgrades and new features in dedicated Apps
New features without new releases? – Challenge: Release cycles
“Classic” Linux distribution release policy:
upstream upgrades only in feature releases
“Upstream”:
Debian, Kernel, Samba, Firefox, …
→ Various release cycles
Various maintenance durations, version numbering, ...
One release cycle can’t match all upstream cycles
→ Univention decided to deliver “needed” updates
New features without new releases? – Goals
UCS Errata Updates are the result of agile development to
Address security issues
Fix bugs
Improve the usability of the product
“Apps” deliver dedicated features
Separated environment where possible (Docker)
Individual release process
But: stable APIs
New features without new releases? – Content
Ease-of-use is a major focus of UCS:
Usability and user experience of graphical user interfaces
Improvements to make existing functionality better (example: App Center)
Updates of upstream packages that are no longer maintained, or that improve stability or compatibility (example: Samba)
Enhancements in Errata updates introduce a risk
Errata must not break existing functionality!
Release process – Automated tests (I)
Automated tests to ensure stability
Each release undergoes tests
Single instances and full environments in IaaS
[Chart: instance usage (hours) per month, August to January (estimation), for UCS-4.2, UCS-4.1, UCS-4.0, UCS-3.3 and UCS-3.2]
Release process – Automated tests (II)
~50 scenarios
~1.500 test cases
~190.000 lines of code
Run for
Errata
Releases
Apps
Release process – Docker & Apps
Docker allows individual environments for Apps
No conflicts between App dependencies or UCS
Example: different PHP versions
→ App releases are independent
… of each other
… of UCS
Release process – Results
Shorter test periods / quicker releases
Incidents per customer (Support requests) reduced
Growing number of “combinations” tested
Scenarios (server roles, number of instances)
Releases (Upgrades and mixed environments)
Apps (single Apps and combinations)
(2) App & feature highlights in UCS 4.1
Highlights – SAML
SAML = Security Assertion Markup Language
Allows Single Sign-on (SSO) for web services
Identity Provider (IdP) = Server for authentication (e.g., UCS)
Service Provider (SP) = Web service (Office 365, GSuite, Salesforce, ...)
IdP's certificate has been registered at the SP
Via browser redirects → Works with IdP accessible only via intranet
Passwords remain at the IdP + can be managed centrally (via UCS)
SAML integration in UCS
UCS provides an IdP by default
Access via: ucs-sso.<mydomain>
IdP service runs on DC master + DC backup roles
High availability: SAML sessions are synchronized (via memcache)
Implementation via simpleSAMLphp
Note: DNS needs to be configured for clients
Fallback login without SAML for UCS test instances
UMC login with UCS 4.1
SAML login with UCS 4.1
Highlights – Office 365 / GSuite with UCS
Apps for providing:
Wizard to guide the setup process of establishing a secure connection
Connector = listener module for synchronizing user accounts
What is the connector doing?
Create accounts at Azure/Google when activating access for user
Sync selected attributes of user accounts (configurable via UCR)
Disable/delete accounts at Azure/Google
Highlights – Office 365 / GSuite setup process
Common setup steps:
Configure client access to Azure/Google API for connector
Download config data + credentials and pass them to connector
Only Office 365: Upload Manifest file from connector to Azure
Upload IdP certificate:
Office 365: Can only be done via a Windows system
GSuite: Can be done via the browser
Setup wizard for Office 365
Setup wizard for GSuite
Enabling GSuite access for a user
Highlights – (Password) Self Service
Goal: Save time as users can reset passwords on their own
App that allows resetting a user's password via SMS / email address
Custom password recovery channels can be configured
"Forgot password?" link can be included by other Apps
Among the top 10 Apps
Access via the UCS start site
Resetting a password (1)
Resetting a password (2)
Resetting a password (3)
User can set alternative contacts
Contacts are saved at user object
Highlights – French translation
Since UCS 4.1-4
Translations for installation wizards + web interface
UCS translation tools have been greatly improved
Installed automatically if French is chosen in Installer
… or package univention-l10n-fr
Highlights – Active Directory Connection password sync (I)
Active Directory Connection: Sync users, groups and other objects between MS Active Directory and UCS
Until mid-2016: dedicated service for Windows DC needed to synchronize passwords:
Introduced in 2007 with first UCS AD Connector
Based on old NT “debugging” API
Needed wide permissions, had its own TCP port and authentication
→ Installation complicated & security concerns
Highlights – Active Directory Connection password sync (II)
App Upgrade in May 2016
Password Hashes are now synced based on standard RPC calls
→ No dedicated service on Windows DCs needed!
→ Standard Windows rights management
Compatible with all maintained Windows versions
Easy configuration
Details: https://www.univention.com/2016/05/bye-bye-active-directory-password-service/
Highlights – Univention Corporate Client 3 (I)
Easy deployment and integration of Thin and Fat Clients
Image based, including UCS LDAP & Kerberos integration
Core Changes:
Based on Ubuntu 16.04 LTS
Official support for mixed architectures (32bit / 64bit)
Improved tools and integration:
Central reporting of image version
Easier “move” of UCC LDAP objects
Highlights – Univention Corporate Client 3 (II)
Major changes Fat Clients:
64bit image
Default Desktop: Unity
Major changes Thin Clients:
Update of RDP and Citrix clients
Improved management & offline capability for read only clients
Still “Citrix Ready” certified!
Highlights – UCS@school 4.1
Feature Release: 2016/06/16
Improved import tool with generation of attributes:
login, mail address, …
API in “classroom” UMC module for 3rd party integrations
Real “multischool” accounts for teachers and pupils
Highlights – UCS@school 4.1 – “multischool” accounts – Old
Creation of one account for each assigned school
[Diagram: School A and School B with DC school A and DC school B; User 1, User 1*, User 1*, User 2]
Highlights – UCS@school 4.1 – “multischool” accounts – New
One account, replicated to each assigned school
[Diagram: School A and School B with DC school A and DC school B; User 1, User 2]
Highlights – UCS@school 4.1 – Behind the scenes
iTalc improvements
example: better handling of temporary (dis-)connected clients
Large environment improvements
more consistency checks during setup
better conflict handling for sync between schools
Streamline LDAP ACLs (security & performance)
Highlights – App Center market place relaunch in Q4/2016
One place for licenses/maintenance and support for Apps and UCS
Reachable by App Catalog (web page) and App Center (UMC)
Buying + selling Apps much easier
Supports Reseller accounts
Register now!
Highlights – App Center Provider Portal
Allows App providers to easily manage their Apps
All meta information is edited via form fields
Translations are entered separately
Packages are uploaded / docker images are registered
Logos, screenshots, videos are uploaded and previewed
Changes are synchronized directly to the test App Center
Univention publishes final version to the App Center
Overview of all available Apps
App details – Description
App details – Logos
App details – Screenshots and videos
App details – Software packages
App details – Docker settings
(3) What to expect in UCS 4.2?
Annual UCS minor releases…?
For more than 5 years there was an annual feature release – why not 2016?
Focus: new Apps & migration to Docker
Prepares a smooth upgrade to UCS 4.2
Features have been delivered in Apps (and Errata)
No urgent needs
Release schedule UCS 4.2
UCS 4.2
Milestones in February
Release Candidates in March
Release in April
3 Patchlevel Releases in 2017
UCS 4.2 – Main features: based on Debian 8
Based on current Debian stable “Jessie”
New: no full rebuild but direct use of Debian upstream packages
Fewer differences between UCS and Debian
Security updates for "unmaintained" repository (following Debian updates)
Univention builds for selected packages, examples:
Kernel, OpenLDAP, Samba
Debian major release vs. UCS minor release
Including a major upstream release in a minor UCS release…
… a conflict with release policy expectations?
Expectation: stable environment (for Apps)
→ Given by using Docker: containers can stay with UCS 4.1
→ Most Apps will be directly available with the release of UCS 4.2
Expectation: stable APIs
→ Our processes (like automated testing) ensure the needed stability and compatibility
UCS 4.2 – Debian upstream features
Goal: use Debian packages where possible
But newer packages if needed
Changes introduced by Debian upgrade:
Upgrade of core libs (like libc)
systemd to replace “old” init and runsv
KVM upgrade (including challenges like migration of snapshots…)
...
UCS 4.2 – Samba upgrade
Goal: Samba 4.6
Improved NETLOGON Performance
Improved Replication Performance and Impact on Receiver
Improved Performance: Add and Delete of Accounts
Fix uploading Point-and-Print printer drivers from Windows 10
Samba 4.x upcoming features
Samba 4.7 Roadmap
Improved Samba/AD LDAP performance (multi-process)
Implementation of print server protocol MS-PAR replacing MS-RPRN
Inter-Domain trust
Windows Search Protocol (MS-WSP)
UCS 4.2 – Usability changes
Portal page as central view on the full UCS domain
Overview of all Apps in the whole domain
Entries can be managed and modified / added
Favorites visible after login
Corporate branding: Custom logo / background can be configured
UCS 4.2 – Usability changes (2)
Central login page for portal page + UMC
SAML as default authentication process when possible
Fallback to normal login otherwise
More prominent side menu
Mark modules that are not installed yet (DHCP, Printing, Mail etc.)
Usability adjustments for (Password) Self Service
Also better integration (e.g., into side menu)
Mockups 4.2 – Portal view
Mockups 4.2 – Portal view logged in
Mockups 4.2 – Portal view with menu
Mockups 4.2 – UMC overview
Mockups 4.2 – User list
Mockups 4.2 – User list
Mockups 4.2 – User grid
Mockups 4.2 – User details
Mockups 4.2 – UMC overview
(4) What else to expect in 2017?
Planned for 2017 – Connector upgrades
Sync more attributes between OpenLDAP and Samba 4
RFC 2307 attributes: uidNumber + gidNumber
Merge improvements implemented in S4 connector to AD connector, examples:
Improved caching
Differential updates
Error handling, logging
Planned for 2017 – Transparent Maintenance
Difference between UCS Core Edition and Subscription:
Core Edition may need to update to the latest release to get all Errata
Maintenance will be more transparent:
Improved "end of maintenance" messages
Guide updating to releases available for current maintenance contract
Same for Apps
Transparent status: free Apps, test periods, usage / updates that require a charge, ...
Planned for 2017 – Simplified App integration
Option for App activation checkbox in user module [UCS 4.1]
Easy way to specify LDAP schema extension [2017]
Extended configuration settings for docker Apps [2017 Q3?]
→ See also expert talk “Make an App” tomorrow
Planned for 2017 – Testing UCS
We will continue to write more tests for UCS in 2017
Goal 1: Automate more product release tests
Product release tests are carried out manually before every release
Goal 2: Cover more and more complex scenarios
Goal 3: Automate GUI tests (Debian Installer + setup wizard)
Planned for 2017 – Automated browser tests
Working framework and proof-of-concept tests exist
Framework is based on Selenium + integrated into the Univention test lib
Todo:
Integration into Jenkins
Integration into Selenium grid to test different browser types
More tests
Some aspects of UMC are already tested via scripted HTTP requests
Planned for 2017 – Automated GUI installation tests
Test framework using a VNC connection + optical character recognition (OCR) has been developed
Actions: Wait for text to appear + Click on text
Proof-of-concept tests exist
Allows fully automating graphical tests
Debian installer + UMC setup wizard
Todo: Integration into Jenkins + more tests
Debian Installer
Debian Installer – OCR output
l!‘ univention
Select a language
Choose the language to be used for the installed system. The UCS installer only supports English and German and will use English as fallback. Similar restrictions apply to other parts of the installed system which have not yet been localized.
Language.-
Chinese (Simplified) - EPYU’H‘WK) AChinese (Traditional) - CPYlSE)Croatian - HrvatskiCzech - CestinaDanish - DanskDutch - NederlandsDzongkha - E'FlEnglish - EnglishEsperanto - EsperantoEstonian - EestiFinnish - SuomiGalician - GalegoGeorgian - dafimacgmGerman - Deutsch v
Screenshot ‘ Go Back ‘
Debian Installer
Debian Installer – Button detection
UMC wizard
UMC wizard – OCR output
k(El univention
Account information
Enterthe name ofyour organization and ' 'an e-mail address to activate UCSi UnlventlonOrganization name
lE-mail address to activate UCS (more information)
UMC wizard
UMC wizard – Button detection
(5) Ideas & Vision for 2017+
… things we want to talk about
Discussed feature – Separate UMC modules into Apps
Idea: Everything in App Center is accessible as separated App
Goal: Clearer navigation + separation of concerns
If installed as App, it should be found on the portal
Current counter example: UCS@school, UVMM, UCC
Separated App for all UDM modules
UMC solely for system administration with fixed set of modules
Maybe as UX concept for UCS 5.0
Discussed features – Mail stack
Mail forwarding
Wizard for general mail settings as well as fetchmail
Enforce mail identity when sending mails
Validate incoming emails via Sender Policy Framework (SPF)
Makes sure emails arrive from an authorized mail server
Simple monitoring for mail queues
More discussed features…
Further integration of the App Center marketplace (look'n'feel)
What about community Apps? Is there an interest?
Monitoring: Nagios vs. Icinga 2
Make AD domain trusts production ready
Various use cases for integrating AD services in UCS (MS Exchange, ...)
More flexibility for working with UCS and AD
Need: Get started easier
Some users struggle to
… decide technical questions (sizing, network, ...)
… get resources (hardware, people, …)
but want to
… start quickly
… avoid long term investments
Vision: “UCS as a Service”
Standardized, Cloud based UCS offering
On premise services if needed
“Pay per use”
Full service (deployment, updates, support)
Scalable Apps and services
Customer decides what to use
“UCS as a Service” delivers – technical needs included
Need: Deploy Apps in existing environments
Docker is expected to become the standard IaaS platform for
Private Clouds
Cloud Service Providers
but…
Deployment & Maintenance of Apps is different
Current containers often struggle with updates
Software Vendors may not have the needed knowledge
Vision: App Center deploys to Kubernetes
App Center brings everything to deploy and maintain Apps in Docker
Currently: if Docker runs on UCS
Vision:
Enable App Center to also deploy to non-UCS Docker
Expected “API”: Kubernetes
Thank You!
Contact
Dr. Alexander Kläser Ingo Steuwer
http://www.univention.com