German Foreign Ministry Migrates Desktops To OSS 147
ruphus13 writes "Here's another example of 'German Engineering' — The Foreign Ministry in Germany is migrating all of its 11,000 desktops to GNU/Linux and other open source applications. According to the article, 'this has drastically reduced maintenance costs in comparison with other ministries. "The Foreign Ministry is running desktops in many far away and some very difficult locations. Yet we spend only one thousand euro per desktop per year. That is far lower than other ministries, that on average spend more than 3000 euro per desktop per year ... Open Source desktops are far cheaper to maintain than proprietary desktop configurations," says Rolf Schuster, a diplomat at the German Embassy in Madrid and the former head of IT at the Foreign Ministry ... "The embassies in Japan and Korea have completely switched over, the embassy in Madrid has been exclusively using GNU/Linux since October last year", Schuster added, calling the migration a success.' The Guardian has additional coverage of the move."
GNU/Linux (Score:2, Interesting)
They know what GNU is, or at least use it by name. That's really the biggest story here.
Re:Thats bloody beautiful (Score:5, Interesting)
Can we get a special tag for this. I mean it's getting to where this type of headline is more abundant than anything needing the suddenoutbreakofcommonsense tag. Perhaps that is the tag that needs to be applied? Well, maybe not. We could at least start tagging them with OSSWindowsSmackDownScore or something, right?
I don't know who is keeping score between Windows and F/OSS anymore, but it seems like newsworthy events when entire government branches, or governments, or countries smack down Windows in favor of F/OSS. Funny, I've not heard any stories that amount to "throwing the baby out with the bathwater" after any of these announcements. Does anyone know of such a story where switching caused great harm or fiscal problems?
Re:Why this will never happen in other countries (Score:1, Interesting)
> They have a politician who knows what he's
> talking about, and doesn't pander to the whims
> of industrial lobbyists.
Ehm, let's just say some are less clueless. It might seem from 'the outside' that Germany politicians are not that driven by lobbyists but in fact they are. It's just that the German government cares very little about an American Cooperation.
In fact German politics are heavily influenced by German cooperations, for example in the energy or pharmaceutic politics.
Re:so.. (Score:5, Interesting)
Self-updating is not problem, apt-cron etc will handle that.
The problem is, I have new software which I need to deploy to 4000 machines overnight.
Do I really have to reimage 4000 machines to achieve that goal?
What about user files on those desktop machines? Reimaging would wipe them clear. (ok, home directory on separate partition/on network would fix this)
Having something automatically installed/uninstalled on machines centrally deployed is the problem here.
Re:Why this will never happen in other countries (Score:2, Interesting)
Well Otto Schily is not the Interior Minister anymore, since 3 years actully.
And now he is on the board of a biometric security company. As the Minister he pushed for biometric details in passports. That should cover the lobbying part.
The open source thing is more liky to be a case of what we call in German: A blind chicken sometimes finds a grain, too.
Re:so.. (Score:3, Interesting)
Is the only alternative to write shell script to ssh into every machine and do the install?
Back in the day, I had a text file with the names of all of our machines. for name in `cat machinlist.txt`; do ssh $name yum install -y software; done
You don't even need a script.
Don't bother pointing out all the problems with that, I know. But it does work (once you fix the syntax errors).
Re:so.. (Score:5, Interesting)
I know microsoft ripped kerberos and ldap to ad and crippled them while doing so.
Since this has been done years on unix systems, care to link a howto / etc documentation on deploying such system?
No, I don't mean guides explaining how to install kerberos and ldap.
I haven't been able to find guide on deploying active directory-like system with free software which would offer group policy features. When I already have groups deployed in LDAP, why do I need to script installers instead just defining policy to install software to that group?
Has this anything to do with the Green Party? (Score:4, Interesting)
The german Green Party has a tradition of rather sane maxims regarding IT. In late 1998 Germany elected a Social Democrat / Green Party coalition and 2001 seems like a reasonable date for the implementation of descisions made shortly after 1998.
This, of course, is pure conjecture, i'd be grateful if anyone from Germany had any background information on the reasons for the switch.
Re:so.. (Score:1, Interesting)
So what you're saying is that LInux isn't viable for small/medium sized businesses.
Re:so.. (Score:3, Interesting)
Well, stick with the custom repository, add your apps to it, and make sure that your update scripts also support retrieving a list of mandatory packages that need to be installed, so that anything new gets installed at the same time as any updates.
Re:so.. (Score:3, Interesting)
Only if small and medium businesses are restricted to hiring learning-impaired boneheads for all of their IT needs. A competent Linux admin can keep a far larger number of small businesses operational because as a reward for all the effort he spent learning how to do it he gets to automate and make reliable a far larger number of diverse systems then a Windows admin can, not to mention that his task is in the long run far less labour intensive (although there is a steep learning curve and up-front investment in good configurations and scripts).
I know this for a fact because I make a good living doing just that, having replaced a veritable horde of MSCEs over the years.
Thus it was (Score:4, Interesting)
Jorge was explaining how to handle my new role ...
"So when the updates come in, Karl looks at them and if they look sticky he applies them to the VM and runs the unit tests. As we update applications from our upstream providers, we test them against the same VMs. Our in-house developers write to the same VMs, and when they implement new features or use new libraries, they have to include unit tests to test the interfaces to validate that they work in the required ways. Each night the system builder builds a new VM from the latest updates. All you need to do is check the unit tests reports and make sure Karl knows right away if something goes wrong - just put the error report in the trouble ticket. The trouble ticket system will also notify the advocate teams for the specific package that fails. Usually it doesn't and we push the patch a few minutes after it comes in."
I wanted be mindful of security: "But Jorge" I said, "what if a horrid exploit happens overnight?"
"We're partnered with five other trusted NOCs that give us 24 hour coverage. We share unit tests so that if a patch has to be included any hour of the day, it's morning somewhere. We don't even come in anymore.
We used to have to come in on weekends too, but this new system doesn't have exploits as often so it's been a couple years since that happened."
Thinking to show I was interested in the long term, I asked "What do you do when you get new hardware?"
"It's weird. Once upon a time, the virtual machines were there to simulate the physical machines. Now it works out that the new hardware is just physical hardware to implement the virtual machine. We get samples, build the image from the VM and run the unit tests on them. If we can't make our software pass the tests, or we can't get our required upstream packages validated, we don't buy the hardware. If the vendor won't sell us hardware that works, we get a new vendor. If somebody wants to advocate some special hardware, they're responsible for maintaining the software for it, maintaining the fixes, and of course pushing them back upstream so that everybody can have them. The desktops sync to the user accounts on the server continuously so if they remote into their desktop from the road or from a thin client, they get the whole deal with all their preferences, email, files, desktop items and shortcuts intact.
Once a quarter we get together and compare the pots and pans of new hardware. That gets pretty lively. Wait 'til I show you my USB device collection. Did you know they made oscilloscopes?
Anyway, You wouldn't believe the system we had before. It was horrid. Applications didn't even come with the source code."
"What was it?"
"At the end, the very worst one was called Vista. They probably didn't even mention that one in school, it came and went so fast. When it was clear that this was as good as that software vendor was ever going to get, we had no choice but to change. I fought it at first but now I'm glad. The new system is, well, rational. I don't know how we survived before.
Now let me show you the cafeteria. We have our own Starbucks..."
Re:Thats bloody beautiful (Score:3, Interesting)
Re:so.. (Score:4, Interesting)
Yep. Absolutely true.
One of the main difference between the Windows admins at work, and me, the Linux/Unix admin, is that when any big changes need to be done in off-hours, is that the Windows admins run around at work pointing and clicking and re-checking settings at night or on the weekend, while I just SSH into work and fire of the script I wrote and tested during work hours.
If the script takes longer sometimes because it has to change a lot of machines or a lot of data, I just keep an eye on it while watching TV or do games, or have some friends over.
In *nix, once you have figured out how to do something, you basically know everything you need to know to script and automate it.
In Windows, it is a huge additional step to figure that out and implement it, and it's not even possible all the time.
So on *nix you need to spend a lot more time learning stuff, but you spend a lot less time doing repetitive boring stuff.
For example, one Windows admin spend about six ours on a weekend at work to change the EmployeeID in AD to a new numbering scheme. Now I'm PRETTY shure that could have been scripted some way, even in Windows, but he rather did it by hand than try to figure out how to script it. Weird people. ;-P
Re:so.. (Score:3, Interesting)
Self-updating is not problem, apt-cron etc will handle that.
The problem is, I have new software which I need to deploy to 4000 machines overnight. Do I really have to reimage 4000 machines to achieve that goal?
Re-imaging is not a solution--because like you said, it would wipe all the files on the machines and remove the customization, etc...
The same would happen with windows.
In a Microsoft environment, the easiest way (and cheapest way I've found) is to get an MSI package. Deploy it with group policy.
Use a similar packaging system in debian-like distros. Create a deb. Add it to the software repository for users to download--or use something like 'cssh' to issue the command 'apt-get install mypackage' on a bazillion machines.
I suppose if you wanted it more automated, you could create a virtual package (in the same vein as ubuntu-desktop or whatever) and just update the package to include your new package. Then the nightly apt-cron jobs would update the systems.
I have yet to find a free tool, operating system, and/or packaging format that makes deploying software to a ton of machines easy.
Although since I don't have too many linux desktops to manage, it's not worth too much of my time to go searching...