Alexander Kläser, Developer at Univention, presented UCS and its ecosystem at the Univention Summit 2017, describing how it has evolved in many ways, from small improvements in popular features to major extensions provided in new Apps. The first part of the session highlighted the most popular enhancements and Apps of UCS 4.1 with technical insight and examples from current projects. The second part gave an overview of changes and new features in the upcoming UCS 4.2 in order to prepare you for the upgrade. Finally, he concluded with topics that were being discussed in product development at the time.
UCS Product Roundtrip – Highlights 2016 and Look-Out 2017
1. Univention Product Roundtrip
Highlights 2016 and look-out 2017
Dr. Alexander Kläser, Ingo Steuwer
Univention GmbH
klaeser@univention.de / steuwer@univention.de
2. About us
Dr. Alexander Kläser
Since 2010 @Univention
Product Development
Web, UX, App platform, ...
Ingo Steuwer
Since 2003 @Univention
Head of Professional Services
3. Agenda
(5) Ideas & Vision for 2017+
(4) What else to expect in 2017 ?
(3) What to expect in UCS 4.2 ?
(2) App & feature highlights in UCS 4.1
(1) What happened in 2016 ?
5. UCS 4.1 retrospection – Overview
UCS 4.1-0 Release: 2015/11/17, Highlights:
Docker integrated
SAML as a default
(Password) Self Service
Since then:
Fixes, improvements and extensions in >350 Errata Updates
Upgrades and new features in dedicated Apps
6. New features without new releases? – Challenge: Release cycles
“Classic” Linux distribution release policy:
upstream upgrades only in feature releases
“Upstream”:
Debian, Kernel, Samba, Firefox, …
→ Various release cycles
Various maintenance durations, version numbering, ...
One release cycle can’t match all upstream cycles
→ Univention decided to deliver “needed” updates
7. New features without new releases? – Goals
UCS Errata Updates are result of an agile development to
Address security issues
Fix bugs
Improve the usability of the product
“Apps” deliver dedicated features
Separated environment where possible (Docker)
Individual release process
But: stable APIs
8. New features without new releases? – Content
Ease-of-use is a major focus of UCS:
Usability and user experience of graphical user interfaces
Improvements to make existing functionality better (example: App Center)
Updates of upstream packages that are not maintained anymore or to improve stability or compatibility (example: Samba)
Enhancements in Errata updates introduce a risk
Errata must not break existing functionality!
9. Release process – Automated tests (I)
Automated tests to ensure stability
Each release undergoes tests
Single instances and full environments in IaaS
[Chart: instance usage (hours), 0 to 35000, per month from August to January (estimation), for UCS-3.2, UCS-3.3, UCS-4.0, UCS-4.1 and UCS-4.2]
10. Release process – Automated tests (II)
~50 scenarios
~1.500 test cases
~190.000 lines of code
Run for
Errata
Releases
Apps
11. Release process – Docker & Apps
Docker allows individual environments for Apps
No conflicts between App dependencies or UCS
Example: different PHP versions
→ App releases are independent
… of each other
… of UCS
12. Release process – Results
Shorter test periods / quicker releases
Incidents per customer (Support requests) reduced
Growing number of “combinations” tested
Scenarios (server roles, number of instances)
Releases (Upgrades and mixed environments)
Apps (single Apps and combinations)
13. Agenda
(2) App & feature highlights in UCS 4.1
(1) What happened in 2016 ?
14. Highlights – SAML
SAML = Security Assertion Markup Language
Allows Single Sign-on (SSO) for web services
Identity Provider (IdP) = Server for authentication (e.g., UCS)
Service Provider (SP) = Web service (Office 365, GSuite, Salesforce, ...)
IdP's certificate has been registered at the SP
Via browser redirects → Works with IdP accessible only via intranet
Passwords remain at the IdP + can be managed centrally (via UCS)
15. SAML integration in UCS
UCS provides an IdP by default
Access via: ucs-sso.<mydomain>
IdP service runs on DC master + DC backup roles
High availability: SAML sessions are synchronized (via memcache)
Implementation via simpleSAMLphp
Note: DNS needs to be configured for clients
Fallback login without SAML for UCS test instances
18. Highlights – Office 365 / GSuite with UCS
Apps for providing:
Wizard to guide the setup process of establishing a secure connection
Connector = listener module for synchronizing user accounts
What is the connector doing?
Create accounts at Azure/Google when activating access for user
Sync selected attributes of user accounts (configurable via UCR)
Disable/delete accounts at Azure/Google
19. Highlights – Office 365 / GSuite setup process
Common setup steps:
Configure client access to Azure/Google API for connector
Download config data + credentials and pass them to connector
Only Office 365: Upload Manifest file from connector to Azure
Upload IdP certificate:
Office 365: Can only be done via a Windows system
GSuite: Can be done via the browser
23. Highlights – (Password) Self Service
Goal: Save time as users can reset passwords on their own
App that allows resetting a user's password via SMS / email address
Custom password recovery channels can be configured
"Forgot password?" link can be included by other Apps
Among the top 10 Apps
30. Highlights – French translation
Since UCS 4.1-4
Translations for installation wizards + web interface
UCS translation tools have been greatly improved
Installed automatically if French is chosen in Installer
… or package univention-l10n-fr
31. Highlights – Active Directory Connection password sync (I)
Active Directory Connection: Sync Users, Groups and other objects between MS Active Directory and UCS
Until mid-2016: dedicated service for Windows DC needed to synchronize passwords:
Introduced in 2007 with first UCS AD Connector
Based on old NT “debugging” API
Needed wide permissions, had its own TCP port and authentication
→ Installation complicated & security concerns
32. Highlights – Active Directory Connection password sync (II)
App Upgrade in May 2016
Password Hashes are now synced based on standard RPC calls
→ No dedicated service on Windows DCs needed!
→ Standard Windows rights management
Compatible with all maintained Windows versions
Easy configuration
Details: https://www.univention.com/2016/05/bye-bye-active-directory-password-service/
33. Highlights – Univention Corporate Client 3 (I)
Easy deployment and integration of Thin and Fat Clients
Image based, including UCS LDAP & Kerberos integration
Core Changes:
Based on Ubuntu 16.04 LTS
Official support for mixed architectures (32bit / 64bit)
Improved tools and integration:
Central reporting of image version
Easier “move” of UCC LDAP objects
34. Highlights – Univention Corporate Client 3 (II)
Major changes Fat Clients:
64bit image
Default Desktop: Unity
Major changes Thin Clients:
Update of RDP and Citrix clients
Improved management & offline capability for read-only clients
Still “Citrix Ready” certified!
35. Highlights – UCS@school 4.1
Feature Release: 2016/06/16
Improved import tool with generation of attributes:
login, mail address, …
API in “classroom” UMC module for 3rd party integrations
Real “multischool” accounts for teachers and pupils
36. Highlights – UCS@school 4.1 – “multischool” accounts – Old
Creation of one account for each assigned school
[Diagram: School A and School B with DC school A and DC school B; User 1, User 1* (shown twice), User 2]
37. Highlights – UCS@school 4.1 – “multischool” accounts – New
One account, replicated to each assigned school
[Diagram: School A and School B with DC school A and DC school B; User 1, User 2]
38. Highlights – UCS@school 4.1 – Behind the scenes
iTalc improvements
example: better handling of temporary (dis-)connected clients
Large environment improvements
more consistency checks during setup
better conflict handling for sync between schools
Streamline LDAP ACLs (security & performance)
39. Highlights – App Center
Marketplace relaunch in Q4/2016
One place for licenses/maintenance and support for Apps and UCS
Reachable via App Catalog (web page) and App Center (UMC)
Buying + selling Apps much easier
Supports Reseller accounts
Register now!
40. Highlights – App Center Provider Portal
Allows App providers to easily manage their Apps
All meta information is edited via form fields
Translations are entered separately
Packages are uploaded / docker images are registered
Logos, screenshots, videos are uploaded and previewed
Changes are synchronized directly to the test App Center
Univention publishes final version to the App Center
47. Agenda
(3) What to expect in UCS 4.2 ?
(2) App & feature highlights in UCS 4.1
(1) What happened in 2016 ?
48. Annual UCS Minor releases….?
For more than 5 years there was an annual feature release – why not 2016?
Focus: new Apps & migration to Docker
Prepares a smooth upgrade to UCS 4.2
Features have been delivered in Apps (and Errata)
No urgent needs
49. Release schedule UCS 4.2
UCS 4.2
Milestones in February
Release Candidates in March
Release in April
3 Patchlevel Releases in 2017
50. UCS 4.2 – Main features: based on Debian 8
Based on current Debian stable “Jessie”
New: no full rebuild but direct use of Debian upstream packages
Fewer differences between UCS and Debian
Security updates for "unmaintained" repository (following Debian updates)
Univention builds for selected packages, examples:
Kernel, OpenLDAP, Samba
51. Debian major release vs. UCS minor release
Including a major upstream release in a minor UCS release…
… a conflict with release policy expectations?
Expectation: stable environment (for Apps)
→ Is given using Docker: Container can stay with UCS 4.1
→ Most Apps will be directly available with the release of UCS 4.2
Expectation: stable APIs
→ Our processes (like automated testing) ensure the needed stability and compatibility
52. UCS 4.2 – Debian upstream features
Goal: use Debian packages where possible
But newer packages if needed
Changes introduced by Debian upgrade:
Upgrade of core libs (like libc)
systemd to replace “old” init and runsv
KVM upgrade (including challenges like migration of snapshots…)
...
53. UCS 4.2 – Samba upgrade
Goal: Samba 4.6
Improved NETLOGON Performance
Improved Replication Performance and Impact on Receiver
Improved Performance: Add and Delete of Accounts
Fix uploading Point-and-Print printer drivers from Windows 10
54. Samba 4.x upcoming features
Samba 4.7 Roadmap
Improved Samba/AD LDAP performance (multi-process)
Implementation of print server protocol MS-PAR replacing MS-RPRN
Inter-Domain trust
Windows Search Protocol (MS-WSP)
55. UCS 4.2 – Usability changes
Portal page as central view on the full UCS domain
Overview of all Apps in the whole domain
Entries can be managed and modified / added
Favorites visible after login
Corporate branding: Custom logo / background can be configured
56. UCS 4.2 – Usability changes (2)
Central login page for portal page + UMC
SAML as default authentication process when possible
Fallback to normal login otherwise
More prominent side menu
Mark modules that are not installed yet (DHCP, Printing, Mail etc.)
Usability adjustments for (Password) Self Service
Also better integration (e.g., into side menu)
66. Agenda
(4) What else to expect in 2017 ?
(3) What to expect in UCS 4.2 ?
(2) App & feature highlights in UCS 4.1
(1) What happened in 2016 ?
67. Planned for 2017 – Connector upgrades
Sync more attributes between OpenLDAP and Samba 4
RFC 2307 attributes: uidNumber + gidNumber
Merge improvements implemented in S4 connector to AD connector, examples:
Improved caching
Differential updates
Error handling, logging
68. Planned for 2017 – Transparent Maintenance
Difference between UCS Core Edition and Subscription:
Core Edition may need to update to the latest release to get all Errata
Maintenance will be more transparent:
Improved "end of maintenance" messages
Guide updating to releases available for current maintenance contract
Same for Apps
Transparent status: free Apps, test periods, usage / updates that require a charge, ...
69. Planned for 2017 – Simplified App integration
Option for App activation checkbox in user module [UCS 4.1]
Easy way to specify LDAP schema extension [2017]
Extended configuration settings for docker Apps [2017 Q3?]
→ See also expert talk “Make an App” tomorrow
70. Planned for 2017 – Testing UCS
We will continue to write more tests for UCS in 2017
Goal 1: Automate more product release tests
Product release tests are carried out manually before every release
Goal 2: Cover more and more complex scenarios
Goal 3: Automate GUI tests (Debian Installer + setup wizard)
71. Planned for 2017 – Automated browser tests
Working framework and proof-of-concept tests exist
Framework is based on Selenium + integrated in Univention test lib
Todo:
Integration into Jenkins
Integration into Selenium grid to test different browser types
More tests
Some aspects of UMC are already tested via scripted HTTP requests
72. Planned for 2017 – Automated GUI installation tests
Test framework using a VNC connection + optical character recognition (OCR) has been developed
Actions: Wait for text to appear + Click on text
Proof-of-concept tests exist
Allows fully automating graphical tests
Debian installer + UMC setup wizard
Todo: Integration into Jenkins + more tests
74. Debian Installer – OCR output
l!‘ univention
Select a language
Choose the language to be used for the installed system. The UCS installer only supports
English and German and will use English as fallback. Similar restrictions apply to other
parts of the installed system which have not yet been localized.
Language.-
Chinese (Simplified) - EPYU’H‘WK) A
Chinese (Traditional) - CPYlSE)
Croatian - Hrvatski
Czech - Cestina
Danish - Dansk
Dutch - Nederlands
Dzongkha - E'Fl
English - English
Esperanto - Esperanto
Estonian - Eesti
Finnish - Suomi
Galician - Galego
Georgian - dafimacgm
German - Deutsch v
Screenshot ‘ Go Back ‘
78. UMC wizard – OCR output
k
(El univention
Account information
Enterthe name ofyour organization and ' '
an e-mail address to activate UCSi Unlventlon
Organization name
l
E-mail address to activate UCS (more information)
81. Agenda
(5) Ideas & Vision for 2017+
(4) What else to expect in 2017 ?
(3) What to expect in UCS 4.2 ?
(2) App & feature highlights in UCS 4.1
(1) What happened in 2016 ?
… things we want to talk about
82. Discussed feature – Separate UMC modules into Apps
Idea: Everything in App Center is accessible as separated App
Goal: Clearer navigation + separation of concerns
If installed as App, it should be found on the portal
Current counter example: UCS@school, UVMM, UCC
Separated App for all UDM modules
UMC solely for system administration with fixed set of modules
Maybe as UX concept for UCS 5.0
83. Discussed features – Mail stack
Mail forwarding
Wizard for general mail settings as well as fetchmail
Enforce mail identity when sending mails
Validate incoming emails via Sender Policy Framework (SPF)
Makes sure emails arrive from an authorized mail server
Simple monitoring for mail queues
84. More discussed features…
Further integration of the App Center marketplace (look'n'feel)
What about community Apps? Is there an interest?
Monitoring: Nagios vs. Icinga 2
Make AD domain trusts production ready
Various use cases for integrating AD services in UCS (MS Exchange, ...)
More flexibility for working with UCS and AD
85. Need: Get started easier
Some users struggle to
… decide technical questions (sizing, network, ...)
… get resources (hardware, people, …)
but want to
… start quickly
… avoid long term investments
86. Vision: “UCS as a Service”
Standardized, Cloud based UCS offering
On premise services if needed
“Pay per use”
Full service (deployment, updates, support)
Scalable Apps and services
Customer decides what to use
“UCS as a Service” delivers – technical needs included
87. Need: Deploy Apps in existing environments
Docker is expected to become the standard IaaS platform for
Private Clouds
Cloud Service Provider
but…
Deployment & Maintenance of Apps is different
Current containers often struggle with updates
Software Vendors may not have the needed knowledge
88. Vision: App Center deploys to Kubernetes
App Center brings everything to deploy and maintain Apps in Docker
Currently: if Docker runs on UCS
Vision:
Enable App Center to also deploy to non-UCS Docker
Expected “API”: Kubernetes
Here:
- Package build
→ previously a rebuild was necessary to ensure consistency
→ good experiences with UCC
Next slide: Debian major upgrade in UCS minor upgrade