German Foreign Ministry Migrates Desktops To OSS

ruphus13 writes "Here's another example of 'German Engineering' — The Foreign Ministry in Germany is migrating all of its 11,000 desktops to GNU/Linux and other open source applications. According to the article, 'this has drastically reduced maintenance costs in comparison with other ministries. "The Foreign Ministry is running desktops in many far away and some very difficult locations. Yet we spend only one thousand euro per desktop per year. That is far lower than other ministries, that on average spend more than 3000 euro per desktop per year ... Open Source desktops are far cheaper to maintain than proprietary desktop configurations," says Rolf Schuster, a diplomat at the German Embassy in Madrid and the former head of IT at the Foreign Ministry ... "The embassies in Japan and Korea have completely switched over, the embassy in Madrid has been exclusively using GNU/Linux since October last year", Schuster added, calling the migration a success.' The Guardian has additional coverage of the move."

Rather outdated

The 'additional coverage' is from Sunday June 22 2003...

Re:Rather outdated

The 'additional coverage' is from Sunday June 22 2003...

They're still waiting on those Gentoo desktops to compile. They'll be ready for deployment "any day now!"

OSS is not cheaper

Just now Microsoft made a statement to the press...

"OSS is not cheaper to maintain for the following reasons"

1. Employees will waste that extra time they get not waiting for reboots instead of using it for texting & other 'social' activities.
2. We pay people to stick their fingers in their ears and say "La La LA MS is cheaper La La Laaaaa".
3. Any money left will encourage your employees to steal it.
4. Steve Balmer needs it to develop sweat-proof chairs.
5. Windows 7 wont have any of the existing lock-in as previous versions of Windows. It'll all be new kinds of lock-in.
6. ???
7. Profit (for us not you)

Some more interesting tidbits from the article

According to the article, the migration is already well underway. From the 11.000 desktops, 4.000 already are migrated to Open Source and about half of the embassies are on Open Source Software now. That explains where they get their maintenance cost numbers from, good to see that the cost savings seem to be real and backed by their own data instead of being estimates :)

They also started the switch a long time ago, according to article, the infrastructure switch started in 2001 and the decision for the destop migration was done in 2004, so I think they have some solid experience with handling Open Source now, which I think is good.

Good for them

Well, at least Germany had the balls to stand up to Microsoft and actually go with the GNU/Linux solutions vs most other countries and corporations that just do this to get a discount from Microsoft. Here's a good quote from the article:

The conversation between Ude and Ballmer was confidential, but anyone who knows the Microsoft CEO can guess how it went. Let us say negotiation is not his forte. Ballmer is no more designed for the art of persuasion than the Abrams tank is for delivering meals on wheels.

Common sense to become common again

Interesting. Does that mean that there are still reasonable people in the world? Even in politics?

Why this will never happen in other countries

From the Guardian article:

Another interesting aspect of the Munich decision is that it was not driven simply by cost savings, because industry gossip has it that Ballmer offered heavy discounts on Microsoft software to stave off the threat. This was also the case in the Ministry decision to plump for open source. According to a BBC report, Interior Minister Otto Schily said the move was motivated by a desire to improve security in the nation's computer networks as well as to save public money. 'We are raising computer security by avoiding a monoculture,' he said, 'and we are lowering dependence on a single supplier. And so we are a leader in creating more diversity in the computer field.'

(emphasis mine)

And this is why, ladies and gentlemen, we won't be seeing this in many countries outside Germany. They have a politician who knows what he's talking about, and doesn't pander to the whims of industrial lobbyists.

Never underestimate foreign ministries

In Europe, these have traditionally been where the most intelligent graduates went. They wrote the book on security. They are bright enough to realise that if they open a branch office in Obscuristan it is going to be easier to get a version of OO customised for the Obscuristani dialect than persuade MS to do it, and know their successors in 100 years time will still be able to read the files. And perhaps they have the smallest concern that the CIA might be able to get information via Windows backdoors.

The real story would be if they got the Interior Ministry to convert. In Europe, that (and the Agriculture Ministry) is usually where the deadbeats end up.

2008

Das Jahr des Linux Desktop-Computer.

Has this anything to do with the Green Party?

I wonder if this has anything to do with the (then, 2001, when this started) german Foreign Minister (Secretary of State) Joschka Fischer being a member of the Green Party.

The german Green Party has a tradition of rather sane maxims regarding IT. In late 1998 Germany elected a Social Democrat / Green Party coalition and 2001 seems like a reasonable date for the implementation of descisions made shortly after 1998.

This, of course, is pure conjecture, i'd be grateful if anyone from Germany had any background information on the reasons for the switch.

Re:Yes.

Dear Sir,

The chronometer in your time machine appears to be off by a few decades.

You apparently landed in the early 21st century, instead of the mid 20th.

I'm afraid a time machine repair shop won't be available for another 200 years. But hey, we have cable TV!

Re:

Yeah. Did you read The Guardian article (actually The Observer)? It's dated June 22nd. Of 2003. Two Thousand And THREE.

Re:so..

Managing software installs, at least in Red Hat, is just a matter of setting up a local Red Hat Satellite repository. In Fedora, there is also Cobbler, which lets you spin a Fedora installer with customized software packages.

As for logins, there are a variety of mechanisms. You can go with old school NIS, or even just use Samba, which can be especially useful during migration when you will probably have a heterogeneous environment (assuming the migration is away from Windows). Also, there is autofs, which can automatically mount a network mapped home directory when a user logs in...

Thus it was

Jorge was explaining how to handle my new role ...

"So when the updates come in, Karl looks at them and if they look sticky he applies them to the VM and runs the unit tests. As we update applications from our upstream providers, we test them against the same VMs. Our in-house developers write to the same VMs, and when they implement new features or use new libraries, they have to include unit tests to test the interfaces to validate that they work in the required ways. Each night the system builder builds a new VM from the latest updates. All you need to do is check the unit tests reports and make sure Karl knows right away if something goes wrong - just put the error report in the trouble ticket. The trouble ticket system will also notify the advocate teams for the specific package that fails. Usually it doesn't and we push the patch a few minutes after it comes in."

I wanted be mindful of security: "But Jorge" I said, "what if a horrid exploit happens overnight?"

"We're partnered with five other trusted NOCs that give us 24 hour coverage. We share unit tests so that if a patch has to be included any hour of the day, it's morning somewhere. We don't even come in anymore.

We used to have to come in on weekends too, but this new system doesn't have exploits as often so it's been a couple years since that happened."

Thinking to show I was interested in the long term, I asked "What do you do when you get new hardware?"

"It's weird. Once upon a time, the virtual machines were there to simulate the physical machines. Now it works out that the new hardware is just physical hardware to implement the virtual machine. We get samples, build the image from the VM and run the unit tests on them. If we can't make our software pass the tests, or we can't get our required upstream packages validated, we don't buy the hardware. If the vendor won't sell us hardware that works, we get a new vendor. If somebody wants to advocate some special hardware, they're responsible for maintaining the software for it, maintaining the fixes, and of course pushing them back upstream so that everybody can have them. The desktops sync to the user accounts on the server continuously so if they remote into their desktop from the road or from a thin client, they get the whole deal with all their preferences, email, files, desktop items and shortcuts intact.

Once a quarter we get together and compare the pots and pans of new hardware. That gets pretty lively. Wait 'til I show you my USB device collection. Did you know they made oscilloscopes?

Anyway, You wouldn't believe the system we had before. It was horrid. Applications didn't even come with the source code."

"What was it?"

"At the end, the very worst one was called Vista. They probably didn't even mention that one in school, it came and went so fast. When it was clear that this was as good as that software vendor was ever going to get, we had no choice but to change. I fought it at first but now I'm glad. The new system is, well, rational. I don't know how we survived before.

Now let me show you the cafeteria. We have our own Starbucks..."

Re:so..

puppet http://reductivelabs.com/projects/puppet/ [reductivelabs.com]

Re:so..

Self-updating is not problem, apt-cron etc will handle that.

The problem is, I have new software which I need to deploy to 4000 machines overnight.
Do I really have to reimage 4000 machines to achieve that goal?
What about user files on those desktop machines? Reimaging would wipe them clear. (ok, home directory on separate partition/on network would fix this)

Having something automatically installed/uninstalled on machines centrally deployed is the problem here.

Re:so..

At least the debian / ubuntu system easily support this, using meta packages.

you have an empty package, leys say blah-desktop-graphics that all employees working with graphics have installed. You want to install graphics program Foobar. You add Foobar to your local repository, and release a new version of the metapackage that depends on Foobar. So package manages sees "oh, new version of blah-desktop-graphics. Great, lets grab that. Hm, for that I need Foobar too, so lets grab that one, and install it."

Exactly how apt deals with new dependencies under updates can be configured, from ignore, to ask, to install automatically. Since you're deploying a default image, and have already pointed that image to your internal update server, it would just be a small additional step to set that option correctly. As a bonus you have 100% control over what gets pushed to your machines.

Re:so..

How do you centrally manage software installs and permissions on thousands of machines with oss?

This is a joke, right?

Where the fuck do you think Microsoft stole Kerberos and LDAP for their AD from?! We've been using the stuff AD is made of years before it was even a wet dream in Microsoft's diseased minds.

As to automated installs, every damn Linux distro has a package management system capable of being remotely scripted, and designed for mirroring via localized caches!

What a dork.

Re:so..

I know microsoft ripped kerberos and ldap to ad and crippled them while doing so.

Since this has been done years on unix systems, care to link a howto / etc documentation on deploying such system?
No, I don't mean guides explaining how to install kerberos and ldap.

I haven't been able to find guide on deploying active directory-like system with free software which would offer group policy features. When I already have groups deployed in LDAP, why do I need to script installers instead just defining policy to install software to that group?

Re:so..

I haven't been able to find guide on deploying active directory-like system with free software which would offer group policy features. When I already have groups deployed in LDAP, why do I need to script installers instead just defining policy to install software to that group?

That is because of fundamental differences in the entire philosophy of Linux/FOSS vs. that of Microsoft. Microsoft aims to provide cookie-cutter, one-size-fits-all "solutions" whereby some doofus MSCE can read "AD for Dummies" and then click his way through system administration. It works, to a degree, in homogeneous environments which do not deviate in any way from "Microsoft Approved" designs.

Linux on the other hand is built around small, specialized components out of which a competent admin is supposed to construct a solution tailored to a specific environment. And the glue which links all of these components, which can be combined in a very large number of ways, is scripting.

That is why one cannot be a competent Linux admin without being also competent with a number of scripting languages. That is the price, but it is also the advantage as more demanding the deployment parameters grow, the more such approach becomes superior over the one-size-fits-all method.

So in effect you are asking for Linux to abandon all of its advantages and become "like Windows" just because you are too lazy to learn how to deploy it properly. And by this I do not mean reading some idiotic 20-step "how to" which cannot cover even a fraction of the possible configurations. By "learning" I mean understanding all the fundamentals of the system operation, learning all the involved scripting languages and being able to modify all the essential system scripts with thorough understanding of all the involved components.

And that is why such "how tos" are of a very limited use. There are "shortcuts", some of which were already pointed out to you - such as Samba, but they are intended for simplified scenarios whereby the scope of possible configurations is very narrow.

Once any serious sized Linux deployment is considered, a huge number of possible scenarios exists, beginning with basic considerations such as if to run the client systems via network mounted root file systems (in which case no home directory "roaming" exists) or if to deploy terminal servers or X-terminals etc and so on, all of which have impact on how users are authenticated and how their resources are allocated on the network, not to mention that LDAP and Kerberos are amongst many other ways of maintaining centralized user information. No "how to" guide is going to cover all of these complexities.

Re:so..

Yep. Absolutely true.

One of the main difference between the Windows admins at work, and me, the Linux/Unix admin, is that when any big changes need to be done in off-hours, is that the Windows admins run around at work pointing and clicking and re-checking settings at night or on the weekend, while I just SSH into work and fire of the script I wrote and tested during work hours.

If the script takes longer sometimes because it has to change a lot of machines or a lot of data, I just keep an eye on it while watching TV or do games, or have some friends over.

In *nix, once you have figured out how to do something, you basically know everything you need to know to script and automate it.

In Windows, it is a huge additional step to figure that out and implement it, and it's not even possible all the time.

So on *nix you need to spend a lot more time learning stuff, but you spend a lot less time doing repetitive boring stuff.

For example, one Windows admin spend about six ours on a weekend at work to change the EmployeeID in AD to a new numbering scheme. Now I'm PRETTY shure that could have been scripted some way, even in Windows, but he rather did it by hand than try to figure out how to script it. Weird people. ;-P

Re:Thats bloody beautiful

Can we get a special tag for this. I mean it's getting to where this type of headline is more abundant than anything needing the suddenoutbreakofcommonsense tag. Perhaps that is the tag that needs to be applied? Well, maybe not. We could at least start tagging them with OSSWindowsSmackDownScore or something, right?

I don't know who is keeping score between Windows and F/OSS anymore, but it seems like newsworthy events when entire government branches, or governments, or countries smack down Windows in favor of F/OSS. Funny, I've not heard any stories that amount to "throwing the baby out with the bathwater" after any of these announcements. Does anyone know of such a story where switching caused great harm or fiscal problems?

Re:Thats bloody beautiful

Well, no one suffered great harm but some of the early switchers might have. IBM for example failed in being able to switch, they couldn't get their divisions coordinated well enough. Sun (which switched to Sun desktop) had problems with customers and file formats as well as secondary software (much to their embarrassment).

The most successful switchers were companies like PitBoys and Burlington Coat Factory that were SCO / Solaris shops and weren't on Windows to bgin with. Windows lock-in seems to work.

What is unique about Munich is that they have remained focused year after year on this goal. They missed their early deadlines but they kept funding the project and kept moving forward. They were determined to make it happen, they had problems and (and possibly still have) but they addressed them. So this isn't a "just another example" test case but rather the best example we have of a very large organization with a huge range of needs and without a high level of technical expertise in their staff that was determined to make the switch.

Re:Thats bloody beautiful

Short answer: yes.
Long answer: They paid much more than they expected and got more than they originally planned. Being on the bleeding edge is expensive. On the plus side Munich's development is now plugged in to the broader community so they are able to take advantage of open source in the "if you don't like it change it" sort of way. Moreover, Munich has become a test case for lots of open source software so many other cities will end up having to do "Munich's way".

Comment: Once Munich finishes the big issue will be the rest of Germany switching over. That should take much less time and cost less per head.

Re:Only Desktops?

I don't think laptops existed when this story was new.