Possible 'sysadmin' additions to software installed on servers

Re the following 'topic for discussion' tabled at the Operational Meeting of 27th March 2013:

Many devices (e.g. network switches, fiber switches, disc arrays, printers, HP BMCs, etc.) offer a useful web interface - but some of those devices might also be on unrouted subnets accessible only from their associated servers. Our pared-down server installs (which are a great idea) currently omit a web browser - which means that these interfaces can be awkward to get at. Would we like to revisit this? I would like to have Firefox (or similar; as well as whatever's necessary of X etc. to support it), available on servers. Are there other tools that others might want? XEmacs ...?

If you have any suggestions regarding the above (e.g. suggestions for software that you would like added to servers; or a comment that this whole thing is a bad idea), please add them below. Thanks.


"... apart from a web browser and XEmacs, the only other thing is enough stuff to let "ksysguard" work (it's useful for load monitoring) ..."
- from Neil via email


I really don't like the idea of adding the whole KDE stack, never mind X, to a server when none of these packages are part of its normal operation. In particular I take exception to massive exploit-vectors like web browsers. That said I think it can all be very useful on a temporary basis, and have some small requests of my own. I'll flesh this out later.

edit, 2013-04-10: so, things that would be generally useful, to my mind, would be shell and management utilities. So helpful stats utilities and helpers such as tree, htop, iftop, dstat; basic functions like finger; low-risk, low-overhead web browsing via w3m or similar. It also makes no sense to exclude svn (or even git) when CVS (which we are trying to deprecate) is available everywhere. I'm sure I'll think of more...

- gdutton


There are probably a bunch of small utilities that are missing (I miss finger for one thing). Rather than have individual folk asking for individual tools, it might be better to generate a semi-definitive list of sysadmin tools, as there are bound to be tools that some people are using that others haven't come across.

I'd concur with Graham about adding whole chunks of kde just to get a kde version of top or htop.

TBH I'm not convinced that the concept of sshing onto the one routable machine on an unroutable subnet to then run a web browser is good practice, particularly if you're doing it for routing admin. I'd rather go with some kind of secured portal that was accessible from a browser on a CO machine. We could use secondary auth if we felt security was an issue.
- iainr


The thing that worries me about web browsers running on servers in particular is the possibility of someone forgetting that they are running it on a sensitive server and then browsing away across the wider web. Web browsers are probably the most common way in which users are attacked (via flash, java plugins, etc).

And which ones do we choose? Do we mandate firefox or do we also install chrome, opera, etc? Each package probably pulls in a fair chunk of libraries (I think firefox adds about 50MB). That's all going to add up when we would like to keep installs small, particularly on the KVM servers. Plus web browsers can require a fair amount of resources (cpu and memory) if left running for a while.

I am all in favour of making an admin's life easier but I don't think installing web browsers all over the place is the best strategy. I would much prefer a technical solution which provides access for whatever browser I choose to run on my desktop. Could we have a secure authenticated proxy running somewhere which has access to all the necessary subnets? It's easy enough with most browsers to configure them to access certain sites via proxies whilst doing everything else directly.
- squinney
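
The per-site proxy selection suggested above can be expressed as a proxy auto-config (PAC) file loaded by the desktop browser. This is an added example, not part of the original discussion or any contributor's configuration; the proxy address, subnets and DNS suffix are constructed placeholders.

```javascript
// Added example: proxy auto-config (PAC) file. All subnets, names and the
// proxy address are constructed placeholders, not values from this site.
var MGMT_PROXY = "PROXY mgmt-proxy.example.org:3128"; // hypothetical proxy
var MGMT_CIDRS = ["192.168.50.0/24", "10.20.0.0/16"]; // hypothetical unrouted subnets
var MGMT_SUFFIXES = [".mgmt.example.org"];            // hypothetical device names

// Strictly parse a dotted-quad IPv4 literal to an unsigned 32-bit number.
// Returns null for anything else (hostnames, "1.2.3.4.example.org", octets > 255).
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if the numeric address falls inside the CIDR block.
function inCidr(ipInt, cidr) {
  var parts = cidr.split("/");
  var base = ipv4ToInt(parts[0]);
  var bits = parseInt(parts[1], 10);
  var size = Math.pow(2, 32 - bits); // number of addresses in the block
  return Math.floor(ipInt / size) === Math.floor(base / size);
}

function isManagementHost(host) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  var ip = ipv4ToInt(host);
  if (ip !== null) {
    return MGMT_CIDRS.some(function (c) { return inCidr(ip, c); });
  }
  return MGMT_SUFFIXES.some(function (s) {
    return host.length > s.length && host.slice(-s.length) === s;
  });
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Only device interfaces go via the proxy; there is no "; DIRECT" fallback,
  // so a proxy outage fails closed instead of silently changing the path.
  return isManagementHost(host) ? MGMT_PROXY : "DIRECT";
}
```

General web traffic returns "DIRECT", so it never crosses the host that can reach the management subnets.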


For me at least, as most servers have local home dirs, it's pretty obvious if I'm running a local web browser, versus my network home dir browser, and so I know not to go off to the big bad world of the web.

One problem with the authenticated web proxy solution is that for some services, e.g. plone/zope, they only listen on localhost:8080. It's not insurmountable, I can just use a local ssh tunnel. It's just a matter of me learning a different way of working.

I'd be happy to use an alternative to ksysguard, again it was just that it "just worked" in the SL5 server world.
- neilb


wireshark
- gdmr


Presumably including wireshark-gnome and any X dependencies.
- idurkacz


-- IanDurkacz - 29 Mar 2013

Topic revision: r11 - 23 Apr 2013 - 22:16:54 - IanDurkacz
 