Fedora Core 6: Beauty or Beast? (Part 2)
Part two of our look at Fedora Core 6 considers virtualization, smart cards and eyecandy before rendering judgment on whether this bleeding-edge distro belongs on a production system.
Last week I left off with installing Fedora Core 6 and actually booting it up on my test PC. It was a heroic struggle, and I persevered and triumphed. Today I'll review some of FC6's enterprise-worthy features.
"Triumphed" isn't strictly true. Selecting Xen as an installation option presents some traps for anyone who is inexperienced with using it. The first post-installation glitch was networking was all confused because of Xen. Shutting down Xen brought networking back. Then Xen borked multi-booting. So I says to myself, I says <censored>. Ah well, that's life on the bleeding edge. After spending a satisfying minute pointing the finger of blame at both of them, I took the easy way out and copied the relevant lines from the Fedora boot menu to the Debian boot menu. I love when copying a few lines into a text file fixes things.
To dodge Xen pitfalls, make the Fedora Xen Wiki
your first stop. This tells you everything you need to know to get started.
Xen can be installed with the operating system or you can add it later. FC6 makes it easy to install separately:
# yum install kernel-xen xen virt-manager
It even creates a GRUB boot menu entry. While we're on the subject of bootloaders, GRUB is required if you want to run Xen. Sorry about that, LILO fans.
Networking must be configured individually for every host and guest operating system separately. Xen uses bridged virtual interfaces, which adds to the fun.
The graphical virt-manager, or Applications -> System Tools -> Virtual Machine Manager, is impressive for a youngun. I was able to easily install a guest FC6 system, though I was lucky in one respect: It only supports network installations, and I just happened to have an installation server leftover from another project.
Pup Gets Lost
Ok, enough with Xen and boot issues already. Pup the package updater informed me there were 72 updates available. I pointy-clicked to download and install the updates. Pup failed because it couldn't find any download repositories. Yet somehow it knew I needed 72 updates. At this point I was totally not in the mood to troubleshoot and fix Yet One More Stupid Thing, so I left it broken and moved on.
Let's see what FC6 has done to make SELinux easier to administer. It's done a lot. Under System -> Administration -> Security Level and Firewall you'll find a nice gaggle of checkboxes for managing SELinux policy. It's tedious, but that comes with the territory – SELinux is designed to give more fine-grained control than the old Unix-style file permissions.
Troubleshooting SELinux denials has driven more than one user to despair. Usually all you get is something not working with no way to figure out why. To help with this, try installing the setroubleshoot utility. This is a slick little application that reports via email or desktop popup when SELinux denies access to a file. It tries to give you enough useful information to figure out what went wrong and how to fix it. This is a huge step up from turning off SELinux entirely, which requires a reboot, to see if SELinux is the problem. See Dan Walsh's Livejournal page for a nice introduction.
CoolKeys is Fedora's built-in support for smart cards and PKI (Public Key Infrastructure.) I prefer the concept of an actual physical key, whether it's the traditional metal kind that jangles on a ring, or these newfangled plastic smart cards that users swipe through card readers, rather than relying on thumbprints or retina scans. Because I'd rather give up a key to some bad guy than an eyeball or other body part.
Smart cards can be provisioned for all kinds of uses: physical access privileges, computer network privileges, and all manner of data storage. Card scanners are dirt cheap anymore – why not incorporate them into keyboards? Then you could store your personal data on a smart card, and swipe the card to authenticate yourself. It would make shopping online and all online transactions easier. I don't dare say more secure, because that's a question of implementation. But it's a lot more attractive to keep the information under the control of the individual, rather than trusting some remote central identity-management and authentication system like Passport. (Trust? Ha! As if.)
FC6 includes a graphical smart card manager, System -> Administration -> Smart Card Manager. While CoolKeys is a standalone module, it's also integrated into Fedora Directory Server, so theoretically you could provision your smart cards entirely from FDS.
Fedora has always been a good desktop Linux. With Kickstart it's easy to create and replicate a completely customized installation. While Fedora is friendliest to GNOME, you can use any desktop environment or window manager you like, just like on any other Linux.
It still has some weaknesses. Configuring video cards is still a big fat pain– you have to edit xorg.conf if the installer didn't get it right because the graphical configurators just plain don't do the job. Not GNOME's, not KDE's, not any one I have tried.
Some nice features are easy remote desktop, either for helpdesk or roaming users; the printer configuration tool finally does some server configurations; easy simple file sharing for users; a nice graphical network authentication tool that supports Kerberos, LDAP, Smart Cards, Samba, Winbind, and NIS; and bales of themes, eye candy, and the new whiz-bang Compiz desktop. While stern old network and system administrators might consider eye candy and fancy desktops to be frivolous, I think they're just as important as decorating and arranging your physical work environment. People spend way too much time at work, so they might as well customize their virtual work environment as well.
Dare you trust Fedora Core 6 to production servers or desktops? Yes. If they are not mission-critical systems and you can tolerate downtimes, if you are diligent about keeping security patches applied, and if you are willing to trade extra work in exchange for getting your hands on enterprise-worthy bleeding-edge applications. Nothing beats a production environment for testing- no test lab can possibly duplicate all the factors real users will inflict on your innocent computers. If you want something that Just Works, don't use early Fedora releases.
Be sure to read the release notes and other documentation. The Fedora project is absolutely dripping with good documentation.
Please keep in mind that you can contribute by posting good bug reports and helping other users on the mailing lists, support forums, and Wikis. You don't have to make it your life's work- a little bit from everyone adds up to a lot.