UCS "Wrap Up": Highlights from 2018 and Prospects for 2019
•
0 likes•301 views
Erik Damrose and Arvid Requate from product development summarize the most important technical innovations from 2018 and give an outlook on 2019. The presentation focuses on the changes in the basic distribution, extensions of the UCS portal, new and improved functions of the UMC, new possibilities for developers of apps and new features for users of the self service app.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to UCS "Wrap Up": Highlights from 2018 and Prospects for 2019
Similar to UCS "Wrap Up": Highlights from 2018 and Prospects for 2019 (20)
More from Univention GmbH
More from Univention GmbH (20)
Recently uploaded
Recently uploaded (20)
UCS "Wrap Up": Highlights from 2018 and Prospects for 2019
- 1. UCS Wrap-up What happened in 2018 and what is next? Erik Damrose & Arvid Requate Univention Product Development {damrose,requate}@univention.de
- 3. UCS 4.3 Release in March 2018 ● Based on Debian 9 (stretch) ● Uses upstream packages where possible, e.g. Linux-Kernel ● Simplification of user account objects, auto conversion during update ● New features for UCS Portal, e.g. visual composer ● Supports SAML Single sign-on with Kerberos ● New installations use the memberOf extension by default
- 5. UCS Wrap-up: Samba in UCS 4.3 ● Samba 4.7.5 - shipped with UCS 4.3-0 ● Samba 4.7.8 - update in August 2018 ● Security update, finally deactivate NTLMv1 by default ● Backported security patches from Samba 4.7.12
- 6. UCS Wrap-up: Security ● Debian security updates pulled semi-automatically (started August 2018) ● Quicker delivery to customers, covering also less critical vulnerabilities ● UCS: Avoid leaking admin password from joinscripts to process list ● Debian release 9.6 imported in November
- 8. Errata Update statistics – Automation & CI-Tests Covered by Continuous Integration Tests
- 9. UCS Wrap-up: Meltdown, Spectre, Foreshadow/L1TF issues ● 2018, the year of Speculative Execution issues ... ● Fixed or mitigated: ● Meltdown ● Spectre variants 2, 3a & 4 (Kernel & Intel+AMD Firmware update) ● L1 Terminal Fault (L1TF) variant OS/SMM & VMM – Kernel update ● General industry wide issues with speculative execution – to be continued (Hard & Software: Firmware, Kernel, KVM, Apps) ● Status in UCS: https://help.univention.com/t/7678
- 10. UCS 4.3-2 – Maintenance Mode ● Simple view when installing updates, improved stability
- 11. New in August: UCS Dashboard ● Lets administrators easily assess the state of the domain and all servers ● Integrates Prometheus for metric collection ● Grafana is used to display the Dashboards
- 12. UCS Dashboard
- 13. App Center – News for ISVs ● Apps can now deploy multiple Containers ● Maintainers can use the standard docker-compose syntax ● New Listener API for dockerized apps ● App Center Documentation for App Providers is now maintained on https://docs.univention.de
- 14. UCS App News ● Office365 and G-Suite connector apps now available for DC Backups ● Let‘s Encrypt App ships separate VirtualHost configuration ● OpenID Connect ● First Multi-Container App:
- 15. UCS Wrap-up: UVMM Improvements ● Support for post-copy migration. ● Show CPU and memory usage of KVM hosts ● Target hosts for migrations can now be configured ● Add Hyper-V Enlightenments for Windows VMs ● Detect incompatible CPUs before migrating VMs
- 16. Simple UDM API ● Introduced mid November with UCS 4.3-2 ● Simplifies development of code that handles UDM objects ● Less pitfalls for everybody from univention.udm import UDM user_mod = UDM.admin().get("users/user") # load module obj = user_mod.get(dn) # get object by DN obj.props.firstname = "foo" # modify property obj.position = "ou=dev,cn=example,dc=com" # move LDAP object obj.save() # apply changes
- 17. Ongoing improvements of Documentation
- 18. UCS Wrap-up: Improvements of the UCS System Diagnostic module ● UMC Module to do a quick health check for any UCS system
- 19. UCS Wrap-up: Improvements of the UCS System Diagnostic module ● UMC Module to do a quick health check for any UCS system ● More helpful messages and links to SDB articles ● Elimination of false positives (error alerts) ● Logging of actions ● Additional checks (SAML certificates, filesystem permissions)
- 20. UCS 4.4 Feature Highlights ● Codename Blumenthal ● Release in Q1/March ● No new Debian base (Debian 10 still frozen..) ● And now… let's dive into it
- 21. UCS 4.4 Feature Highlights – Self Service ● Right now: Set recovery mail address, recover and change password
- 22. UCS 4.4 Feature Highlights – Self Service
- 23. UCS 4.4 Feature Highlights – User Invitation Workflow
- 24. UCS 4.4 Feature Highlights – Portal improvements
- 25. UCS 4.4 Feature Highlights – Portal improvements
- 26. UCS 4.4 Feature Highlights – Portal server
- 27. UCS 4.4 Feature Highlights – App Center ● Increase visibility of relevant information in the App Center UMC Module ● Vote for Apps in the UMC App Center Module ● Support for App install permissions ● New interface to simplify user activation for apps on one tab
- 28. UCS 4.4 Feature Highlights – App Center
- 29. UCS 4.4 Feature Highlights – Admin Diary ● Problem: reconstruct changes in the UCS domain across servers ● e.g. User modification, App installation, Server password change ● Solution: Admin Diary ● Backend collects high-level events accross all domain servers ● Admin Diary frontend shows the domain wide changes in a UMC module ● View, filter and annotate events
- 30. UCS 4.4 Feature Highlights – Admin Diary
- 31. UCS 4.4 Feature Highlights – Admin Diary
- 32. UCS 4.4 Feature Highlights – Improved Radius domain integration ● Merge of UCS@School and UCS Radius packages into one single app ● Simplified adding of access points to Radius via UMC computer module ● Replication of config to all Radius servers in the domain
- 33. UCS 4.4 Feature Highlights – Samba 4.10 ● Performance: New GUID Index mode in sam.ldb for the AD DC ● Hardware accelerated AES-NI crypto instructions on 64bit CPUs ● Activation of new KCC implementation – replication topology shaping ● Improved Audit support (Fileserver, AD-DB) ● Fine-Grained Password Policies (FGPP) ● Improved support for trusted domains
- 34. What‘s next after the UCS 4.4 Release ● Continuation of patchlevel releases about every 3 months ● Patch collection, new install media ● Allows to implement small API changes ● Steps to continuously improve the security of UCS: Classify all UCS-specific security vulnerabilities according to CVSS
- 35. What‘s next after the UCS 4.4 Release – REST-ful Web-API ● REST-ful Web-API for UCS ● Simplify provisioning and automation for DevOps by standard interfaces ● UCS@School project proved use case for user provisioning ● Currently we have two prototypes
- 36. Ideas for post UCS 4.4 – Improve Univention Domain Join Client ● Tool to simplify joining Ubuntu clients to the UCS domain ● Added support for Linux Mint ● Add support for Kerberos based SAML-SSO ● Check compatibility for upcoming Ubuntu releases ● Check demand for other Desktop Linux Distributions
- 37. Points of Contact: ● GitHub - https://github.com/univention/ ● Bugzilla - https://forge.univention.org/bugzilla/ ● Community - https://help.univention.com/
- 38. Vielen Dank für Ihre Aufmerksamkeit Kontakt Erik Damrose & Arvid Requate Univention Product Development {damrose,requate}@univention.de https://www.univention.com