Scalable SOE deployments

Who am I?

Matthew Cengia <mattcen@gmail.com>, @mattcen on Twitter and elsewhere
Primary PrisonPC (http://www.prisonpc.com) Engineer at Cyber IT Solutions (http://www.cyber.com.au)

SLIDE NOTES:
Timing: 00:30

Matthew Cengia, from Cyber IT Solutions (Melbourne), where I'm one of their primary PrisonPC engineers.
Here to talk about building Scalable SOE Deployments

What is PrisonPC?

A server appliance designed to allow inmates limited and monitored access to PCs and the Internet.

PrisonPC's only relevance here is that it is built on Trimclient (similar to thin client).
Trimclient is a solution to build network-bootable SOEs which run all apps on the local desktop to:

Reduce server load
Improve desktop application performance (by taking advantage of commodity desktop hardware)
Increase security

SLIDE NOTES:
Timing: 01:30

Trimclient use-cases

Any medium-to-large desktop deployment:

Correctional Facilities (prisons etc.)
Schools
Offices
Call centres
Any centrally managed and distributed desktop environment

SLIDE NOTES:
Timing: 03:30

Homogeneous environments with large groups of PCs with similar or identical configurations

How does network booting work?

BIOS attempts to boot off network card's PXE (Pre-installation Execution Environment) ROM
PXE ROM requests DHCP
DHCP server sends IP, netmask, TFTP server, and TFTP boot file path (pxelinux.0, in our case)
PXE ROM retrieves and runs boot file

SLIDE NOTES:
Timing: 4:30

Possibly skip this slide

How does network booting work?

pxelinux.0 attempts to retrieve boot config file

pxelinux.cfg/00020003-0004-0005-0006-0007-0008-0009
pxelinux.cfg/01-88-99-aa-bb-cc-dd
pxelinux.cfg/C000025B
pxelinux.cfg/C000025
pxelinux.cfg/C00002
pxelinux.cfg/C0000
pxelinux.cfg/C000
pxelinux.cfg/C00
pxelinux.cfg/C0
pxelinux.cfg/C
pxelinux.cfg/default

pxelinux.0 uses retrieved config file to possibly display a menu and ultimately retrieve a kernel and initial RAM disk via TFTP, which it then loads
Kernel loads initrd, which then takes over and hands off to live-boot

SLIDE NOTES:
Timing: 5:30

Possibly skip this slide

pxelinux.0 attempts to retrieve boot config file based on this desktop's GUID, MAC address, and then its IP, split into individual nibbles (4 bits, or 1 hex digit), and repeatedly stripped off until a matching file is found.

Building SOEs

Bootstrap

Relatively short Bash script
Performs base installation via debootstrap
Installs other required packages and performs scripted configuration
Boots via live-boot (Debian's live boot solution)

SLIDE NOTES:
Timing: 06:30
Trimclient has been through several iterations. This is current state.

What does live-boot do?

Find and mount root file-system, in our case exposed as a squashfs or standard directory over NFS
Set up a COW (copy-on-write) file-system on top so temporary changes can be made. Currently uses AUFS
Pivot root and start /sbin/init from new root
Other stuff (out of scope)

SLIDE NOTES:
Timing: 7:30

Possibly skip this slide

Trimclient Admin (TCA)

In-house set of scripts
Keeps 3 tables:
- Images (SOEs): A list of SOEs available for booting
- Realms: Logical groups of PCs (E.g: "classroom 1", "cells") to which SOEs are assigned
- Hosts: Individual desktop PCs, with its MAC, IP/netmask, and realm
Allows for trivial grouping of hosts in realms and immediate re-assignment of entire realms to new SOEs. Upgrades then only require a reboot of each desktop, and can be tested thoroughly beforehand.

SLIDE NOTES:
Timing: 8:30
Instant rollback of realm SOEs if necessary
Realms can also be associated with timeslots (to correspond with school periods for example): switching SOE during recess/lunch

Conclusion

Matthew Cengia <mattcen@gmail.com>, @mattcen on Twitter and elsewhere
Medium-to-large desktop deployments
Live netboot SOE (built with bootstrap and live-boot)
Hosts grouped into realms
Realms each assigned an SOE
SOEs can be reconfigured instantly, applied on desktop reboot
Questions?

SLIDE NOTES:
Timing: 9:30