MESSAGE
DATE | 2004-05-24
FROM | Ruben I Safir
SUBJECT | [hangout] Free Software Desktops in the news for Business: Fedora Core evaluation
State of Play: Linux on the Desktop for an ordinary Business
Posted 23 May 2004 by lkcl (Master)
Recently I began a process to convert a small office of ten staff over to Linux, after implementing two servers and a shop floor machine for over a year. Three desktop machines are in use already, one is ready to swap over, and two Windows machines remain to be done.
This article describes my experiences, decisions so far, the issues the users faced, and how and why I chose the default Window Manager (KDE 3.2.2) and Display Manager (wdm). Also described is why I have removed OpenOffice in favour of Crossover Office (Wine) and Microsoft Office.
The article may be of use to people considering converting a company to Linux, and also to those people who believe Linux to be "ready for the desktop".
How I got Involved, and What They Had
When I knocked on this company's door two years ago looking for a metal-working shop a few doors down, they had Windows 95 machines and a Windows NT File Server that nobody had the password to, files everywhere, no Internet Access, no web site: basically they were living in the Dark Ages of the early 1990s, where the computers were glorified calculators.
The users' attitude was, and to some extent still is, that each machine was (is) "owned" by the person using it, and therefore in order to access the machine you have to give your username and password to your colleague in order for them to use your machine. They were (are) afraid of the server, and, incredibly, despite having a network and a file server, still pass files around between members of staff on floppy disks (!!).
Migrating to Linux
The decision to install Linux on the Desktop stemmed from a "Because I Can" attitude and also because I had heard of CrossOver Office from a friend. Without the possibility to migrate the users via Microsoft Office I simply could not take the risk of making two distinct and radical operational changes. With CrossOver Office I can at least say "hey, you're running Word and Excel, what more do you want?" but more on that later.
I have had two servers plus a shop floor machine running at this company for eighteen months now. One server is the email (Exim4, Cyrus21, SpamAssassin, SA-Exim) server, firewall (hand-built rules), Internet Proxy (Squid, Frox); the other is the File Server (Samba, NFS), Login Server (Samba, NIS), Sales/Ordering and Web Server (Custom), and Print Server (lprng). Other than a complete reinstall on both these machines due to them both being rootkitted last year - by a rootkit that ISN'T on the detected list (chkrootkit) - these two machines, both approximately Pentium III 400s with 128mb RAM and 20gb drives - have been very reliable.
So why am I putting an office full of incredibly stupid and bigoted users onto Linux? Why am I putting up with the hate phone calls and having to hunt the warehouse for a machine that I was taking away for the weekend for a Linux install, which one of the users had hidden so that when I left he could put it back on the network?
There are several reasons. The first is because it is convenient to me. The second is cost of licensing. The third is easy roll-out. The fourth is policy enforcement.
Administrative Convenience
By introducing NIS and Samba onto the File and Print Server, I can remotely log in, add a new user account, then I can ssh tunnel X-windows back over to my machine at home (edit my x-windows config to allow TCP connections; ssh -v -R 6001:127.0.0.1:6000 gavinpc; set DISPLAY=localhost:1.0), run an xterm and from in that xterm, then run any programs that need configuring, such as kmail and mozilla. Over an ADSL connection, it's a little slow - but I can live with it, especially as the site is 90 minutes drive away.
This is compared to having to maintain several different machines: some Windows 95, some Windows 2000 where the Administrator Password has been forgotten. Each time a new member of staff joins, or even if someone wants to use someone else's computer, it's a nightmare. I have to configure the Mozilla settings PER COMPUTER, PER PERSON, and on some of the machines, that's not even an option without a reinstall of Windows (yes I know about the Linux boot floppy which can edit the SAM database). Yes, I also know about how to set up Samba as an NT Domain Controller and then have the machines join the domain, and No, Windows 95 and Windows 2000 profiles are NOT compatible, so it still wouldn't solve the problem.
Plus, I would have to ask them to pay for Terminal Server Licenses in order for me to Remote Desktop login. Plus, I would have to work out how to ssh tunnel that because I wouldn't trust it. Plus, I would have to deal with my own psychological sickness of remotely managing a Windows Machine on my Linux laptop, and that's NOT a prospect I fancy greatly.
In other words, I know full well what the options are for Windows Setup and Administration, and I'd rather learn how to replace that same functionality with Linux Software and tools rather than face dealing with my own resentment and guilt at having forced a company to fork out money and then STILL have to learn how to work the Microsoft tools, knowing FULL well that if it didn't work, the chances of fixing it myself are ZERO, and the chances of _microsoft_ fixing it are very very slim.
By contrast, problems reported with Debian's "reportbug" actually stand a chance of being fixed within a couple of months, as long as you ask politely and provide the Debian Maintainer with a really useful report.
As an aside which may be of interest, I did investigate using WinBind instead of NIS. WinBind provides pam_winbind and libnss_winbind which give you, amazingly, a much better "Unified Login" than anything else that is available for Unix. The trouble is that since its initial development in 2000, it hasn't progressed or been properly integrated into Samba. What should have been a trivial setup (especially for someone who used to work on Samba for nearly 10 to 12 hours a day for four years) turned into a really frustrating two-day reminder of why I gave up working on Samba - not least because Winbind (in Samba 3.0) is actually incompatible with the implementation of the NT Domain protocol in Samba 3.0!
In the end, I made one final search on the Internet for NIS and one more apt-cache search nis, and found, after about my tenth attempt to locate it over the past two years, that yes, you CAN do apt-get install nis (duh). Two hours later, I had an operational remote login and, despite the security risks (which, frustratingly, Winbind would alleviate) I have a working and centrally manageable login system.
Cost of Ownership
Every desktop I roll out is one less license fee to worry about. The cost of desktop machines is being kept artificially high by Windows being pre-installed, and I object very strongly to that. Also, Microsoft Office costs a staggering FIVE HUNDRED POUNDS in PC-World. I can buy three NEW machines for the same cost of two Microsoft Office Licenses.
Easy Roll-out
Roll-out is easy. What I've done is to partition the drive into five: hda2 is /, hda1 is /boot, hda3 is swap, hda4 is an extended partition containing hda5 which is /usr and hda6 which is /var. The root partition I make 512mbyte; the boot partition 40mbyte; the /usr partition is 1400mbyte; the /var partition is 512mbytes... and if you add that all up there's approx 200 mbyte left on a 4.3gbyte drive for a small emergency /home partition or extra swap partition, if needed. Ridiculously, I can't even get less than 40gbyte drives these days, so literally 90% of the drive is wasted. MS-Office and CrossOver Office (see later) ended up on the Server, via NFS - an Install Once, Access Many implementation.
Then, on one of the machines on which I performed the first install, I tar'd up each of the partitions (uncompressed), and then booted from David Kimdon's excellent 2.4.18-bf2.4 Debian Network Install, repartitioned each new machine and then untarred the partitions. The two things that got me - several times - was that /dev doesn't tar up: I have to do a cp -a /dev/* into the new root partition. This Is Really Annoying To Forget About :)
Other things to remember, if you too are going to recreate this path, is to remember to do an apt-get clean to remove as much from the /var partition as you can. The size of boot.tar is about 10mbytes; root.tar is 80mbytes; usr.tar is 1gbyte; var.tar is 100mbytes. Compressed, these are definitely small enough to fit onto a CD but I cannot be bothered: the number of machines doesn't fully justify the effort.
On reboot, I then run lilo, edit /etc/hostname, edit /etc/network/interfaces (no, I haven't set up DHCP), edit /etc/hosts (no, I'm not using the full capabilities of NIS or DNS :) to change the name of the machine and its IP address, and then take it down to the customer's site for some test logins and for installation of the user's local DeskJet Printer (CUPS foomatic-gui: the only thing to remember is to make the queue name the same on all machines for all users even if the printer manufacturer or model is different, otherwise users move from machine to machine and find that the printer doesn't work because the queue name is different).
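The per-machine edits described above (hostname, /etc/hosts, /etc/network/interfaces, and the /dev that did not come across), scripted as an added example that is not part of the original article: it personalises an untarred clone under a target root and then checks that nothing of the master image's identity is left behind. The function names, the host names and the 192.168.1.x addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Function names and all sample
# host names and addresses are hypothetical.

# Accept only plain hostnames and dotted quads, so the values are safe to
# splice into the regular expressions below.
valid_host() { printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9-]*$'; }
valid_ip()   { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Build an ERE matching $1 only as a whole token; $2 is the set of characters
# that would make it part of a longer name or address.
token_re() {
    printf '(^|[^%s])%s([^%s]|$)' "$2" "$(printf '%s' "$1" | sed 's/\./\\./g')" "$2"
}

# personalise_clone ROOT OLD_HOST OLD_IP NEW_HOST NEW_IP
# Rewrites the three files the article edits by hand after untarring.
personalise_clone() {
    root=$1; old_host=$2; old_ip=$3; new_host=$4; new_ip=$5
    valid_host "$old_host" && valid_host "$new_host" || return 2
    valid_ip "$old_ip" && valid_ip "$new_ip" || return 2
    host_re=$(token_re "$old_host" 'a-z0-9-')
    ip_re=$(token_re "$old_ip" '0-9.')
    printf '%s\n' "$new_host" > "$root/etc/hostname" || return 1
    for f in etc/hosts etc/network/interfaces; do
        # Each expression runs twice: adjacent tokens share a separator
        # character that the first pass consumes.
        sed -E -e "s/$ip_re/\\1$new_ip\\2/g" -e "s/$ip_re/\\1$new_ip\\2/g" \
               -e "s/$host_re/\\1$new_host\\2/g" -e "s/$host_re/\\1$new_host\\2/g" \
            "$root/$f" > "$root/$f.new" || return 1
        # Write back through the original file so its mode and owner are kept.
        cat "$root/$f.new" > "$root/$f" && rm -f "$root/$f.new"
    done
}

# verify_clone ROOT OLD_HOST OLD_IP: print one line per problem found.
verify_clone() {
    root=$1
    host_re=$(token_re "$2" 'a-z0-9-'); ip_re=$(token_re "$3" '0-9.')
    # The article reports that /dev did not come across in the tar copy.
    [ -n "$(ls -A "$root/dev" 2>/dev/null)" ] || echo "dev: empty or missing"
    for f in etc/hostname etc/hosts etc/network/interfaces; do
        if grep -Eq "$host_re|$ip_re" "$root/$f"; then
            echo "$f: still carries the master's name or address"
        fi
    done
}

# Constructed sample: the files as they might look straight after untarring
# a master image called "master" at 192.168.1.10.
make_sample_root() {
    r=$(mktemp -d) && mkdir -p "$r/etc/network" "$r/dev" || return 1
    echo master > "$r/etc/hostname"
    printf '127.0.0.1 localhost\n192.168.1.10 master.example.lan master\n192.168.1.2 server\n' > "$r/etc/hosts"
    printf 'auto eth0\niface eth0 inet static\n  address 192.168.1.10\n  netmask 255.255.255.0\n  gateway 192.168.1.1\n' > "$r/etc/network/interfaces"
    echo "$r"
}

demo_root=$(make_sample_root)
verify_clone "$demo_root" master 192.168.1.10    # reports four problems
personalise_clone "$demo_root" master 192.168.1.10 desk3 192.168.1.23
: > "$demo_root/dev/null"                        # stand-in for cp -a /dev/*
verify_clone "$demo_root" master 192.168.1.10    # prints nothing
rm -rf "$demo_root"
```

Run against the mounted target root before the first boot, the check catches a clone that would otherwise come up on the network under the master's name and address.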
Now, yes I have heard of FAI (Fully Automatic Install) and yes I have heard of Knoppix and Morphix (Live CD Linux) - but only recently. If this was an Office of twenty members of staff, I'd seriously investigate setting up an FAI server (which the company could likely pay for) and I would seriously investigate setting up a Module for Morphix to do CrossOver Office, and to do various other customisations. I would then be able to order machines with more memory and NO HARD DRIVE. But, I am stuck with 128mb RAM, 4.3gbyte drives in most cases, and to be honest, only seven machines? Not worth the extra effort.
Policy Enforcement
The final reason for installing Linux on the Desktop is easy policy enforcement. These users are genuinely... well... stupid. I tell them till I am blue in the face not to give out their passwords. I tell them to ring me when a new member of staff joins. The Reception PC nobody knows the Administrator password so what do they do? In order for the new receptionist to do some work, they give her someone else's username and password.
They put files on the local drive when I tell them that I am going to be wiping the machine over the next few months. So they put files on floppy disk instead, rather than put them on the server. I tell them that floppy disks and Windows 95 machines I am in no way going to back up, and this makes no difference (well, they get two floppies instead of one).
Now that is all fine and dandy, and quite amusing from a techie point of view, but in light of the UK Data Protection Act, it's not in the least bit funny. If one of those Windows 95 machines with no password protection gets pinched from Reception by either a thief walking in off the street, or by one of the minimum wage part-time members of staff (some of whom cannot read or write), then any customers whose details get made public can result in the Directors - and Managers - being PERSONALLY prosecuted.
In all, this helps determine my strategy for setup and machine purchasing. Firstly, the servers are locked in the Director's office. Secondly, the Linux Desktop machines have an NFS mounted home directory, so that EVEN if they save files on the "Desktop", they are in fact plonking them on the server. Thirdly, I have started ordering machines without a floppy drive. I don't know of a way to get Windows to do the equivalent of an NFS mounted home directory, and I have heard of nightmare management issues by Lehman Brothers in enforcing a ban, by NT Security Descriptors, on write access to the C drive (the problem they then ran into was that Stupid-Applications required write access to C:\windows\system...)
OpenOffice vs CrossOver Office
... which brings me neatly onto installing CrossOver Office and Microsoft Office. Stupidly, I installed MS-Office over an NFS partition, which is something to behold: at a write speed of 20 KILOBYTES per second, you can expect the install to take overnight. But, once achieved, I have banned write access by ordinary users to the entire fake_windows directory. This did initially cause some problems with the Normal.dot template (which didn't exist) on Word, so I reactivated access to that file, created one, and then deactivated write access again: problem solved.
As mentioned once before, the reason why I have kept the users on MS-Office is to make my task of convincing them to use Linux a lot easier. Plus, they use Mail-Merge and I sure as hell ain't gonna get involved in 1) OpenOffice "oh you have to do file save-as and save it as a word document" 2) explaining or supporting OpenOffice mail-merge 3) explaining to some users why the document looks different and why they can't do black backgrounds and borders and boxes.
Not least of all is that on a 128 mbyte of RAM and only a Pentium III 300 machine it takes five seconds to load a Word Document on CrossOver Office, and a full MINUTE to load OpenOffice. Now, I know full well that OO QuickStart cuts that time down to a couple of seconds, but it's at the expense of boot-up time.
All of these reasons lead me to believe that I would be genuinely stupid to make these people swallow two bitter pills at once, especially when one of them would permanently disrupt the day-to-day operation of the company (OpenOffice).
Which Desktop?
The decision on which desktop to use was quite tricky. I have put 60 and 70-year-olds on Fvwm2 only to find that they were perfectly capable of finding the Games menu all by themselves. I have put Fvwm2 onto Compaq Armadas with only 16mbyte of RAM (it takes well over 5 minutes from switch on to actual typing on "ted" - the only editor small enough to fit onto a 1Gbyte hard drive and still leave the machine operational). So my first experiment was to place one particularly low IQ member of staff (don't laugh: she is a GREAT telesales worker, is a genuine and friendly but not very bright individual) on Fvwm2. The other reason for doing this was because KDE and Gnome came up on the screen with Fonts reduced to single pixels! (I still, to this day, have not managed to track that one down but I have a vague suspicion that it was to do with there being only 128mb of RAM and me forgetting to add any swap space).
I also placed Wings Display Manager (wdm) on the machine in a desperate attempt to get rid of this font problem (xdm is _too_ basic). Plus, KDM and GDM are too complicated, and they also force a dependency on their respective environments. Both KDM and GDM suffered from this weird font issue: wdm didn't. Issue sorted.
When it came to cloning the machine for another member of staff, they complained bitterly about the lack of desktop. I enabled KDE for them and that complaint stopped (and the fonts were okay, bizarrely enough). I don't know why I picked KDE 3.2.2, but Gnome just didn't seem to cut it. KDE I find painful and over-busy, and it is very difficult to find configuration tools and then even more difficult to use them. I keep looking on the menus for "Email Settings", only to find that it's actually called "Configure Kmail". Only recently did I actually find out how to add a printer - not for lack of looking. I use foomatic-gui instead, even though it depends on Gnome for some bizarre reason, simply because it's REALLY straightforward. Big Stupid Buttons With Really Obvious Words like "Add Printer".
Under KDE, it took ages to work out how to put CD-ROM and Server links onto the desktop: you have to left-click drag-and-drop (I was expecting right) and then a little menu comes up "copy or link". Under Gnome's Oroborus Desktop, you just right-click and select "Drives" from the context menu, or select "Link" to create a shortcut.
I should have installed them on Gnome, because Gnome, by being slightly behind in functionality, is actually easier to use. But KDE 3.2.2 is a lot faster (snappier) than Gnome 2.6, and on these older machines, mostly Pentium 300s, it makes a difference.
I can't really explain it, but I have put my dad's machine on Gnome, and his 55-year-old former business partner on Gnome, but I wouldn't put an Office full of people on Gnome.
So...
Let's recap. I have a bunch of windows-users who think they each own the company machines they use. I have nightmares about how much it would cost this little company to have Windows do all of the things I am doing for them, and how much they would have to pay an MCSE certified person to do it for them. I can sit at home and wait for phone calls. I can remotely log in and sort things out. I have hand-held some of the members of staff through the process of clicking on their desktop in order to access the Server and to work with Excel and Word. I have shown them that printing works. I've stopped them from saving stuff on machines that aren't locked away.
There are things that I could have done differently: there are things that I could have done better. If I had thought in advance about what I wanted to achieve, and had the hindsight of some of my own experiences, I would have done things differently. But instead, I have experimented, and found what works reasonably well - for me - having got there in a roundabout route.
Wish List
What would make my life easier?
Well, Winbind working correctly, for a start. Samba being as easy to configure and set up as a Windows NT Domain Controller is, and a Winbind-enabled system being as easy to configure as a Windows NT Workstation (on installation of Winbind I was never asked to type in the Domain name nor asked for the Administrator username and password, which is all that is required for an NT workstation to join an NT domain).
I must investigate OpenOffice alternatives, or at least it would be great if OpenOffice could actually be a viable alternative. An 80 mbyte download, and all the implications for developers thereof, and it still isn't good enough (makes you wonder why we have commercial software products, doesn't it?) I must try my CorelOffice stuff out on them, and also that port of Office to Linux by a German company, plus there's also a Chinese company that's done an Office Suite written in Java...
Debian running SE/Linux would alleviate some of my fears about the servers, and then consequently the entire network, being rootkitted. Yes I know Redhat do Fedora Core (by way of employing Russell), but I don't like Redhat (the management, the funding, the IPO nor the Package Manager). Yes I know about Gentoo (Hardened by default), but the prospect of downloading everything as source code I can't entirely justify _quite_ just yet :)
KDE having easier-to-look-at configuration options, and having more intuitive use of the Right Mouse Button (it's the one on the right :) for context-sensitive options such as, on the Desktop, pulling up a menu that includes "Mount Drive e.g. CD or Floppy on Desktop" and "Create Link" rather than having to run the file manager.
Gnome and KDE having cross-application support so I can expect to install Evolution or any other application under any desktop, or I can build myself my own Desktop Manager from the BEST of both environments. I expect to be able to install a Gnome Desktop running Oroborus and to have KDE's Kmail and its better applications, and to have KAddressBook... or vice-versa. I expect to replace Kmail and KAddressBook with Evolution, or vice-versa, and for the configuration setup involved to be ZERO WORK, a confident no-brainer exercise.
In short...
Linux on its own isn't quite ready for the Desktop for Businesses: in key areas, it simply doesn't stack up. That won't stop me from throwing this company in at the deep end and seeing if the staff don't quit in disgust, but I'm definitely NOT prepared to cut the dependency on commercial software completely.
I can't tell you what the best direction to go from here is: all I can really say is that the "Not Invented Here" syndrome of stubborn developers that keeps Linux away from the ordinary Business User has got to go.
Mozilla or Konqueror, posted 23 May 2004 by lkcl (Master)
Despite being less functional (and not coping with frames that satisfy both IE and Mozilla properly), Konqueror is very snappy. Mozilla takes almost as long as OpenOffice to load on these machines, and I must remember to replace it with Mozilla-Firefox sooner rather than later, because the proxy settings and bookmarks and passwords don't get transferred from Mozilla to Mozilla, which is genuinely stupid.
-- __________________________ Brooklyn Linux Solutions
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://fairuse.nylxs.com
http://www.mrbrklyn.com - Consulting http://www.inns.net <-- Happy Clients http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive or stories and articles from around the net http://www2.mrbrklyn.com/downtown.html - See the New Downtown Brooklyn....
1-718-382-0585 ____________________________ NYLXS: New Yorker Free Software Users Scene Fair Use - because it's either fair use or useless.... NYLXS is a trademark of NYLXS, Inc