Import substitution in practice. Part 1. Options

Introduction

Since 2020 is approaching, and with it “hour X”, when we will have to report on the execution of the order of the Ministry of Telecom and Mass Communications on the transition to domestic software (as part of import substitution), and not just any software but software from the register of the Ministry of Telecom and Mass Communications, I was given the task of developing a plan for actually executing the order of the Ministry of Communications and Mass Media No. 334 of 29.06.2017. And I began to dig in.

The first article was about how things should not be done, using Russian Helicopters as the example. It caused so much hype, and so many comments were written under it, that, to be honest, I was a little shocked ...

So, as promised, the time has come to start "a series of articles on how we carried out the order and struggled with the circumstances." I don’t know how long this series will be. I want to describe the whole process from beginning to end, but there is not enough time for that, because writing articles takes a mountain of time, and you have to feed your family =)

The first article will be devoted to a survey of the existing options and a superficial analysis of them, in order to plan how to study them in practice. Before assembling a test bench, you need to understand what to test on it.
So, read on below the cut.

Chapter 1

In order:

Hyper-V and ESXi as virtualization platforms. Why both? Because one is in the parent company, the other is in the branch. This is how it happened historically.

Windows Server 2012 R2, 2016 and CentOS 7 as server OSes

Windows 7 as client OS

1C, at the implementation stage, on MS SQL Server Standard

TECTON on Firebird 1.5 (Don’t even ask… But you’ll ask anyway, right?.. Well, this is someone’s graduation project, which our Enterprise bought around 2005, for reasons unknown to me. And now we are unsuccessfully trying to switch from it to 1C..)

OASIS, the PFR reporting software, on the same MS SQL Server Standard

Zabbix on MariaDB

Exchange and Zimbra OSE. Why both? Because we have 2 network circuits. One of them has nothing to do with the outside world, and the second circuit ... well, information security (IS) thinks this is necessary and does not allow us to set up routing and do everything right, but who are we to argue with IS?.. In a word, it happened historically (c) (2)

IFS on Oracle, CompanyMedia on IBM Domino. We have the first one for pre-contractual activities, the second one is a “working” document flow… Why is CompanyMedia on a file database in 2019? Believe me, I asked them the same question - they did not come up with an answer. And why is such a monster like IFS needed for pre-contractual activities? Yes.

Microsoft Office. This needs explaining. In addition to the standard user set, we have had a database written in Access since time immemorial (read: before I came here). What is in it and why, I don’t have the slightest idea, but “we really need it, we won’t be able to work without it!” And in Excel we have such a thing ... It’s impossible to figure out how it works, and how to move away from it is unknown. There are a huge number of macros that pull data out of a multitude of files and do something with it. Even the author of this creation does not know how it works. Rewriting it is akin to redesigning the database ... In a word, we can’t just up and leave MS Office.

Sputnik as the internet browser, as of recently

OpenFire + Pidgin as a chat

Consultant+ and TechExpert

Veeam Backup & Replication and Veeam Agent for Windows in their free versions

Well, and a bunch of Windows server features, like AD, DNS, DHCP, WDS, CS, RDP, Remote App, KMS, WSUS and other small things.

All this was raised almost from scratch, with sweat and blood, suffering and googling. And now it's time to destroy it all. There should be off-screen Homeric laughter, and tears should well up in the eyes of the main character (read: me) ...

But is it really that terrible? Let's look at the options.

Chapter 2

You can follow the path of "Russian Helicopters", that is, try to completely reject the enemy Windows-based systems and switch to 100% "domestic" (the quotes are not accidental) software. The “hardcore” option involves cheerfully wiping Windows for everyone, installing any OS you like from the register of the Ministry of Telecom and Mass Communications with MyOffice or LibreOffice bolted on, and watching which users stay afloat. Funny? Undoubtedly. Productive? Not at all.

To make the further reasoning clear, I will list the software included in Astra Linux SE 1.6, from which it follows that the entire infrastructure now based on Microsoft products can be replaced with software shipped as part of Astra. Possible does not mean necessary. I have not yet tried all this in a test environment with at least a couple of dozen nodes; I just deployed a test bench, and even then I only looked superficially. But the tools are there.

Software included with Astra Linux Special Edition 1.6

  • Fly wm
  • PostgreSQL
  • LibreOffice
  • Apache2
  • Firefox
  • exim4
  • Dovecot
  • Thunderbird
  • GIMP
  • alsa
  • VLC
  • CUPS
  • bind9
  • isc-dhcp-server
  • SAMBA

On the OS website, in the release description, there is a claim that Zabbix is included. But if you dig into the Wiki, there is an article on how to install Zabbix ... from which we can conclude that Apache, Postgre, php are all installed from the repository. And we said above that only what is included in the package is legitimate ... And this confusion drives me crazy !!!!11 Well, in the sense that it is not clear what is allowed and required, and what is not allowed and "will not work". It turns out that the packages from the repository are also legitimate. But are they? It seems that yes, but...

As a result, one has to assume that everything that is in the OS repositories can be called domestic software. Turn off the logic and just do as everyone else does. We install, use and report on import substitution. In the end, we all know why all this was invented ..

You can also build the entire infrastructure on the basis of ROSA Linux Enterprise Server. I haven't tried this yet either. (All tests and results will be published in the next article in this series if everything goes as planned.)

Software included with ROSA Enterprise Linux Server

  • means of implementing the IPA domain (similar to Microsoft Active Directory)
  • nginx and apache
  • MySQL and PostgreSQL
  • Zimbra, Exim, Postfix and Dovecot
  • pacemaker, corosync
  • DRBD
  • bacula
  • ejabberd
  • CIFS, NFS, Bind, DHCP, NTP, FTP, SSH
  • Zabbix
  • advanced attribute management tool ROSA Chattr
  • information encryption tool ROSA Crypto Tool
  • ROSA Memory Clean
  • file deletion tool ROSA Shred

You can take the free Calculate Linux and build the entire infrastructure on it. The list of Calculate Linux packages can be viewed here.

From the above, it follows that it is possible to raise all the necessary infrastructure, in fact, from scratch. This will require a huge amount of resources, tons of admin nerves, tons of coffee and a lot of debugging time. The threshold of entry will be sooooo hard to overcome. But you can. But it's difficult. But it will work. But it's difficult. But... But...

Another option is to leave everything as it is, and hope that there will be no checks, and they will simply forget about us. But we also need to report to the ministry on the transition to domestic software for each year. So that's not an option either.

Therefore, I propose to approach from the side of common sense.

There is this table:

[Image: table from the original article]

What follows is, in fact, lengthy reasoning, so those who are not interested can proceed straight to the resulting table (Chapter 2.1.). And those who love walls of text, you are welcome.

So. We need to bring the indicators to the established limits. In practice, this means that we must replace the existing operating systems with products from the register of the Ministry of Telecom and Mass Communications and bring the share of replaced operating systems to 80%. No distinction is made between server and client OSes. This gives us room for maneuver. What kind? We can simply give users thin clients running an OS from the register and move them all onto RDP. In our case, with approximately 1500 employees, we get 1200 “pieces” (actually more, since we have not only user OSes but also server ones, but this article is not about exact calculations), and 300 remain for that very 20% which need not be changed. And what, will 300 Windows servers not be enough for us to build the usual architecture properly? This also includes specific software that cannot work on anything other than Windows, and often only on Windows XP. But 300 machines. Not enough? Seriously?

Here it should also be noted that the best practice in this case is to train employees to work with the new software in advance. Without this, there is a huge risk of simply bringing the entire production to its knees and paralyzing the work of the entire Enterprise for an indefinite period. With the OS things are not so scary: the user often needs nothing from it except launching the browser / 1C / Office / an application, finding the right file and launching solitaire. But they work in Office / 1C all the time (we don’t take design engineers into account yet - there is a footnote about CAD in Chapter 2.1. - production, etc.), all reporting goes through Excel filters, etc. Well, for those who, for one reason or another, cannot work in free software, welcome to RDP.

So, we can safely keep the Hyper-V cluster, since we have it and we like it; that is 12 nodes in our case. We will have to move away from ESXi. Plus, it needs a bare-metal (“iron”) domain controller and a virtual domain controller. Total: 14. Or keep ESXi and drop Hyper-V, as you like; the numbers will still be the same. The domain controllers will host AD, DNS, DHCP and CS. With a small number of Windows machines, WSUS can be neglected. KMS can also be bolted onto a domain controller. WDS is no longer needed. Of the Windows services, the RDP servers remain. So we still have 286 unused potential Windows "pieces" in stock. The RDP farm will take another 8-10 Windows OSes. In total, we have 276 units left for specific software for the scientific departments and CAD.

OS. It doesn't matter which OS it is - Astra, ROSA, Calculate, AlterOS, LOTUS, Halo OS. You need to choose what will satisfy users. How to choose, I can’t say; these are very subtle matters. In fact, they all at least look similar (and the only thing that matters to the user is how it looks and how convenient it is to use). I'll just install a couple of copies of each OS and ask the least busy boos to use them for half an hour to an hour. Whatever they say, we will go from there, probably.
AlterOS and Halo OS are not available for public sale. So I won’t consider them, because this “not quite business” doesn’t attract me at all.

About OS OS. The license agreement says:

1.4 The License Agreement does not provide an exclusive right to the Software Product, but only the right to use one copy of the Software Product for non-commercial purposes in accordance with the conditions specified in Section 2 of the License Agreement.

2.4 The Licensee has the right to non-commercial use of the Software Product on an unlimited number of servers and workstations.

Thus, we cannot use it at the Enterprise, even though it is included in the register of the Ministry of Communications. That is sad, because it's free. But something is wrong with the developers' site: I have not been able to download the distribution kit for several weeks, and I have not received a response to my emails to support. What? Why? I don't know.

Office packages. The situation is as follows: we also need to bring the share of domestic "offices" to 80%, which again amounts to 1200 "pieces". These 1200 "pieces" are already included in the Linux-based OS that we will install for users. It doesn't matter which one, since all distributions include a free office suite. Most often it is LibreOffice. But on the RDP servers we can safely install the Microsoft package, since we do not want users to drop out of work for an indefinite period (at least until they are trained to work with the new office software) because they cannot find their favorite button in the new spreadsheet editor. This has a separate plus as well: employee documents will sit in one place and be backed up, and the death of a hard drive is no longer scary.

Exchange. It will have to be torn down. Unfortunately, there is no way to get around the 80% figure here, since the order specifies the “number of users”, not the % of mail servers in the Enterprise. And since we need to replace it with something from the register of the Ministry of Telecom and Mass Communications, we don’t have much choice. It's either CommuniGate Pro, or MyOffice Mail, or R7-Office. Server. Or you can install ROSA, which includes Zimbra, in both networks and rejoice, because for my taste Zimbra is much more convenient and pleasant than MyOffice Mail, which is a little more than completely terrible, and I did not like CommuniGate Pro either. Plus, Zimbra can easily pull all mail from Exchange if necessary, preserving users' correspondence history. By the way, I wrote a couple of articles about Zimbra OSE on Habr (deployment and configuration, backup and restore, and creating and updating mailing lists based on AD). But there's no accounting for taste, as they say.

Reference legal systems. If you have them, they are most likely Garant, Consultant+, TechExpert and the like. That is, they are Russian-made. If not, there is a choice =)

Antivirus software. It also must be 100% domestic. Well, they cannot entrust the protection of the domestic defense industry to bourgeois programs ... The choice is Kaspersky, Dr.Web, Nano.

Veeam. Veeam Backup & Replication. Its situation is strange. It has a version certified by the FSTEC, but there are no Veeam products in the register of the Ministry of Telecom and Mass Communications. On the other hand, the ministry's order does not contain a “backup software” column. So the situation is ambiguous. If we keep Windows-based services, and especially Hyper-V, Veeam greatly simplifies the backup of virtual machines; it is very convenient and undemanding. Veeam Agent for Windows lets you back up file dumps, has a very simple setup and a user-friendly interface, automatically detects duplicate data and prunes it, etc. In a word, if we keep the Microsoft hypervisor, we can try to write a paper stating that Veeam has no analogues and that we really need it. There's no harm in trying, but what will come of it, I can’t say.

1C. This is where the questions begin, since they seem to have a version for Linux. And it looks like it even works. But in reality, no one uses it. Therefore, we will have to set aside another Windows machine for the 1C server. Or even two. Total 274 left. The DBMS is PostgreSQL, of course. Even though it is not domestic, it is in the register of the Ministry of Communications. 1C knows how to work with it, and the DBMS itself is quite good. Not easy to set up, but very, very good. In addition, it installs easily on any Linux distribution, and in that same Astra it is supplied as part of the kit.

Document management. Well, with IFS it is clear: we will 100% have to move away from it. Questions remain about Company Media. The software is domestic, it is in the register of the Ministry of Telecom and Mass Communications, everything is in order. But. IBM Domino is licensed and purchased separately and therefore cannot be used. On the other hand, Company Media has a version for PostgreSQL. But we implemented exactly the IBM Domino one. Yes, I have a strongly negative attitude towards this “product” of the Intertrust company called Company Media; I start fuming at the mere mention of it. But that is not relevant to the case. So either we move CM to PostgreSQL, or we look for another workflow system. The register has plenty to choose from. But at this stage I will not dwell on this issue, since a lot of money was spent on Company Media and its further fate is not yet clear, but I want to believe in common sense and simply transfer the system to PostgreSQL. So I'll just leave the list of software from the registry.

Multimedia tools. I do not consider them. Not only are they narrowly applicable, but at enterprises that fall under the import substitution program, if they are used at all, it is only by accountants making greeting-card collages for February 23. And the "essentials" are included in the OS.

Internet browsers. Yandex.Browser and Sputnik are allowed. At the same time, Mozilla Firefox is present in almost all operating systems from the registry. I don't think there will be any problem with this. And for applications that only work in Internet Explorer, we left a loophole in the form of RDP servers.

Openfire. Naturally, we give it up. Why? Because we need to roll out 1C-Bitrix24! In fact, we are giving it up not because of this but because it is not in the registry, and in general we are replacing the chat with a portal that has a chat service, so ... well ... that’s the most ... you understand. Here. Yeah. Yes. Or you can use ejabberd, included in ROSA Linux, as a Jabber server. There is also a chat client there, if I'm not mistaken - Mirka. This is in case you do not have 1C-Bitrix24.

Zabbix. Naturally, it is not represented in the register of the Ministry of Telecom and Mass Communications. But. The Astra Linux 1.6 release description states that Zabbix version 3.4 is included in it. So if we want to get a "legitimate" Zabbix, then at least one copy of this OS will be required.

Mail client. Represented by Thunderbird, which is included with almost all operating systems from the registry. If it does not suit you, you will have to buy one separately, as part of the same MyOffice, for example, or "R7-Office. Organizer". To be honest, I found no other standalone mail clients in the register of the Ministry of Telecom and Mass Communications. And Thunderbird worked for me anyway. If you write in the comments, I will add it here.

Bank clients. Need to be tested. In theory, CryptoPro can run on Linux; in practice, I have not checked it personally. In theory it should work, but if something goes wrong, we have the option of an RDP server.

Chapter 2.1. Mixing

As a result, I got this table of options, on the basis of which conclusions will be drawn and plans made:

[Image: table of options from the original article]

Which is logical - if there is still a need to switch from a Windows domain to Astra or Rosa, or some other, then it makes sense to transfer client machines to a product of the same manufacturer, so you can reduce the number of errors when trying to “make friends” with one another.

Regarding PostgreSQL and PostgreSQL PRO, you have to understand that they have significant differences, including in speed. The PRO version is more performant. For “normal” operation of that same 1C, the free version is most likely not enough.

Astra Linux SpecialEdition and ROSA DX "NICKEL" are secure systems certified to work with state secrets, secrets, etc.

Concerning CAD: these questions were raised in the comments to the previous article. ROSA Linux has the following packages in its repositories:

  • freecad
  • KiCAD
  • FreeCAD
  • opencascade
  • QCAD
  • QCAD3d

Naturally, all this is free software. But, since CAD packages are not indicated in the register of the Ministry of Telecom and Mass Communications, most likely this type of software will fall under the category of “indispensable”, and it can be purchased or used under existing licenses by writing to the ministry the appropriate paper.

The same is true with other highly specialized software, which, unfortunately, is quite a lot at our Enterprises. We'll have to write papers and tearfully beg not to destroy, and provide an opportunity to continue working. Most likely they will give permission.

PS:

I won't be original. All this "fuss" with import substitution looks extremely strange, to put it mildly. In fact, domestic software is produced only by Yandex, Acronis, Kaspersky, 10-Strike (at a stretch), 1C, Ascon, ABBYY, Dr.Web. Well, and a bunch of small companies. But all of these are such narrow niche developments (with the exception of Yandex, perhaps) that we can say we almost do not make software. And everything that is offered to us as part of the import substitution program is just “tested” foreign-developed software. That is, in fact, we are offered for money (and a lot of it) the same software that we could download and use for free. ROSA is based on Mandriva, Astra is based on Debian GNU. In Astra, you can connect the Debian repository and upgrade. An interesting thing turns out in the end. All packages for the same DNS, DHCP, ALD, ROSA Domain, Dovecot and everything else are nothing more than open source packages, some of which were slightly “tinted and plastered”, while the rest were not touched at all; they were simply “checked” for the presence of backdoors. What kind of "domestic software" we are talking about is unclear.

On the other hand, Linux admins will be accustomed to working with already familiar software, which will slightly lower the entry threshold. But be that as it may, all controlled industry enterprises will have to switch to this “domestic” software. So “see you in the next article”, if I don’t get jailed or fired for this one =)

Source: habr.com
