LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

SafeDesk Puts Bounties on STS Open-Source Development

SafeDesk Puts Bounties on STS Open-Source Development

Posted May 27, 2006 11:29 UTC (Sat) by ledow (guest, #11753)
Parent article: SafeDesk Puts Bounties on STS Open-Source Development

To be honest, I'm surprised how LITTLE interest this is generating and I assume it's down to some technical reason. The forums are almost empty and there's no comments on LWN.net about it despite it appearing twice on the frontpage.

This project is a good way to get a PC-independent PXE-booting Linux system up and running quickly but it has some flaws. It uses Samba instead of NFS (the initrd's etc. have been edited to load the cifs modules rather than nfs) which gives it quick access and boot times comparable if not better than NFS. However, this involves running Samba on the server machine as root (albeit read-only shares), a hideous hack that I assume is the main cause people are not using this software.

I have set this up on a spare network and the configuration instructions hold your hand all the way, but because of the Samba issue (guest logins are mapped to root), it's unnerving to use the server for any other task (you can't really have read-write shares on the same machine, for example). However, it does boot any PXE-based PC into a full linux desktop over the network without using the local hard disk but taking full advantage of local hardware (USB drives, video cards, sound cards etc.)

It works by incorporating the CIFS modules into a kernel delivered by PXE. This then mounts a read-only samba share over which it then lays a RAM read-write unionfs - that read-only share is basically an ordinary directory containing Debian with all the correct permissions (which is why I assume it needs root on Samba, because it has to read files with any permission), so effectively it's using the Samba share as a liveCD over which it lays any changes.

Any changes to the setup are simply a matter of chroot'ing to that directory on the server and making changes as root. This includes adding users, software etc. in the standard ways. When the clients next access the share, the underlying filesystem to their unionfs reflects the changes.

From a users point of view, any PXE boot results in a fully accelerated Linux desktop with whatever logins are available in the chroot environment's passwd file. Default permissions are all in place and they can't change anything on the server because it's a read-only share. Therefore, changes made by the clients (which are restricted by the permissions anyway) do not affect other clients or survive a reboot. It's as if they just booted from a liveCD containing the Debian folder. They are able to use all their local hardware (which is autodetected of course), it uses X and Gnome by default but that can easily be changed.

It comes with OpenOffice.org installed and programs load quickly once the desktop is showing. You can save to local USB disks (which I assume is supposed to be the primary method) but with a little work, you could set up a secondary Samba server and have the chroot environment modified to mount that from all the clients for saving work.

Properly seperated, this is a good project for, say, a small office or home LAN. However, the security issue prevents it being immediately used for "major" tasks. For instance, with the server running with the guest account as root and the chroot directory shared out to any SMB client that wishes to connect, it's trivial to find a way to read critical information even if you couldn't compromise the server itself or change the contents of the chroot directory shared out to client.

However, for administrators, the ease of changing the chroot environment means that you could authenticate against a different server which could store passwords and other critical information and treat the PXE-chroot environment as a quicker way of using a virtual "LiveCD" to boot the clients into a known configuration, from where you could authenticate against trusted servers and retrieve and store user files etc.

(Log in to post comments)

proprietary? anti-free? hmmm...

Posted May 28, 2006 20:34 UTC (Sun) by jabby (guest, #2648) [Link]

My guess as to why the STS "products" haven't captured a wave of interest is that they are commercialized versions of Free and Open Source Software. Of course, I know that there's nothing inherently anti-commercial about FOSS. The problem is that there's something inherently anti-free about commercialism, particularly the way it's being practiced here...

Allow me to quote from an article in eWEEK from May 30, 2005 (http://www.eweek.com/article2/0,1759,1822061,00.asp):

"SafeDesk Solutions' updated SafeDesk Server is a thin-client software package that has modest system requirements, low licensing costs and lightweight architecture."

"SafeDesk Server Standard supports as many as 30 users and can be downloaded for free... Sites that must support more than 30 users or companies that need to integrate SafeDesk with existing domain controllers can purchase the $99-per-user SafeDesk Server Enterprise edition, which runs on SuSE Linux Enterprise Server 9 and comes with the same client application package as the Standard version."

"SafeDesk Server Standard edition LTSP models do not have built-in support for integration with other thin-client solutions. In contrast, the SafeDesk Server Enterprise edition provides built-in support for RDP (Remote Desktop Protocol) and Citrix Systems Inc.'s ICA (Independent Computing Architecture) protocol..."

"SafeDesk Solutions works with customers to provide the proprietary hooks that allow LTSP to work with Microsoft's or in-house applications that would normally be difficult to configure. For example, SafeDesk Server can be deployed with CodeWeavers Inc.'s Wine applications for Windows-centric organizations."

"SafeDesk can run on most Intel Corp. x86 hardware, but we recommend a fairly robust server with capacious memory. For a 30-user environment, the company recommends that a server have at least one Intel Xeon-based processor, 2GB of memory, three 36GB SCSI hard drives with RAID 5 and dual Gigabit Ethernet."

I've included these excerpts in the order in which they appear in the article. Note the conflict between the first excerpt and the last ("modest" requirements?!). Note that the "Standard" edition is hobbled and you have to pay more for what we are led to believe are "Enterprise" features, like RDP support.

By the way, links to this article and another paired article were posted to the LTSP-discuss mailing list by a Curt Craig of SafeDesk Solutions on 6/7/2005:

http://marc.theaimsgroup.com/?l=ltsp-discuss&m=111816...

So, to pull all of the strings together, it appears to me that for all their talk of being complementary to LTSP, SafeDesk Solutions is actually using it to support a business model that peddles hobbled versions of Free Software to the uninitiated. These people who could be freely using LTSP itself and joining the wider community are instead encouraged to pay money to SafeDesk Solutions and pay no attention to that community behind the curtain. Moreover, SafeDesk Solutions seems to have no compunction about using the tactics of "proprietary hooks" and a tiered structure to divide and conquer their user base.

SafeDesk Solutions may offer something that people want, but they do not offer freedom. Like proprietary video drivers that rub Free Software advocates the wrong way, the proprietary BitKeeper that threatened to hold Linux kernel development hostage, and all proprietary, vendor lock-in-based "solutions", they may be flashy and shiny but they are not the way to freedom.

Supposed "improvements" like CIFS instead of NFS (if they truly are improvements in the eyes of the users) will make their way into the true LTSP to benefit everyone, not just those who can afford them. Wine integration shouldn't require proprietary glue... I'm sure the community can figure it out (probably already have). Basically, SafeDesk would draw people away from the community and that's bad for everyone.

The lack of a wild response to this "gift" suggests to me that the target audience for this software is savvier and smarter than was anticipated. They have learned not to settle for "not quite free"... not to settle for an x86-only, hobbled, put-up-or-shut-up environment. I say, more power to them!

I worked with LTSP for a while in its earlier versions (over 4 years ago). I haven't been involved (on the mailing list) in a long time, but I've followed the release announcements and cheered on Jim McQuillan and his cohorts with every successful release and advance. They recently released version 4.2 with redesigned local device support, swap over NBD (instead of NFS), udev, initramfs, and multi-head X support:

http://ltsp.org/

And they're not resting on their laurels... Last I heard, the current big initiative (Project MueKow) is to make LTSP more distribution-centric. It's hard to describe, so I direct people to their wiki:

http://wiki.ltsp.org/twiki/bin/view/Ltsp/MueKow

Oh, and LTSP is now part of Ed/K/Ubuntu, the most popular distribution(s) on the planet. Good luck getting people to pay for LTSP now...

http://www.edubuntu.org/UsingEdubuntu

Maybe SafeDesk should read up on the meaning of the word "ubuntu" and re-examine their relationship with their customers and the community.

proprietary? anti-free? hmmm...

Posted May 31, 2006 2:13 UTC (Wed) by jclinton (guest, #38092) [Link]

Um, did you read the comment to which you replied?

This announcement has absolutely nothing to do with LTSP, at all. We used to sell an LTSP product based on SuSE 9.3 but it is now retired. (It had an open source and an enterprise edition -- the later with a GUI management tool that I wrote through hours of tearing my hair out in the horrid YCP YaST scripting language.)

The announcement you are replying to is related to our Safedesk Terminal Server which is an entirely new "distribution" which runs on Debian Live; we extended Debian Live to support network booting and the patches were submitted back to the project freely. And, if you had read the announcement, you would have seen that we are PAYING the open source community to develop new features to be released BACK to the open source community: the so-called "bounty".

And yes, there are indeed two versions. As I say on the web site and in the included readme.txt file, the only differences between the open source and the enterprise versions is a GUI installer, management tool, and bundled VMWare Player (which is proprietary). Both the installer and management tool were written by me without links to ANY GPL software of any kind. They are available for purchase for the guys whom want to pay someone to do the hard work for them. If you know what you're doing, you're more than welcome to use the open source version. All the software included is EXACTLY THE SAME. The features are EXACTLY THE SAME. The only difference is that you can pay us to do the heavy lifting for you.

Also, commercial(ism) support is available for both version. But if you don't believe in commercial(ism) support, then I guess you can't take advantage of that ...

sorry! unclear PR?

Posted May 31, 2006 15:02 UTC (Wed) by jabby (guest, #2648) [Link]

I did read the comment to which I replied, and the press release above it, but apparently not closely enough. I did not follow the link in the press release to read about the product. That would have changed everything.

I had heard about SafeDesk recently somewhere else (can't recall where... probably LXer). I searched for relevant articles and found some. I made the wild leap that "SafeDesk Server", "SafeDesk Terminal Server", and "STS" were all the same thing. I didn't immediately see anything indicating that the new product was *not* based on LTSP. Being based on Debian Live does not preclude using LTSP. LTSP can do PXE booting, SMB, local USB, sound, and local apps, so none of that suggested that this was anything different from the earlier product. The "streaming video" claim made me suspicious of hype. If I had read the comment a little closer I might have realized that the whole unionfs thing implies something very different.

I concluded that these bounties were an attempt to get people to voluntarily hack on the hobbled open source version of a closed source product. I apparently made some hasty assumptions and I apologize for that.

Perhaps my misunderstanding is a better clue as to why people aren't singing and clapping over these bounties. The press release doesn't effectively distinguish this from the earlier product. (It also contains two grammatical and one spelling error which made me want to stop reading.) Including a couple of paragraphs from the website would have gone a long way to explaining what the "STS Open-Source Project" is. This might be a good way to make people more aware of your goals.

It would also be nice to employ consistent terminology. I see "STS Open-Source Project", "STS Project", "STS project", "Open Source Thin-Client Project", and "STS Open-Source Development" all in this short press release. The press release and the website also use the terms "Debian Live", "Debian Live Net", and "Debian Net Live" interchangeably. This kind of inconsistency makes it harder to follow and understand.

Now that I've reread the press release and the informative comment and skimmed your website, I think I'm starting to understand what exactly your project is. It is definitively *not* LTSP and it *does* sound like something novel and something that people would want. Since it is like booting a liveCD and runs everything locally to the client, it could indeed do fully accelerated and streaming video! Impressive...

Sorry for the unwarranted flame.

sorry! unclear PR?

Posted May 31, 2006 16:57 UTC (Wed) by jclinton (guest, #38092) [Link]

Thank you very much for your compliment. I agree that we need to be clearer about what we're doing and we'll try harder to do that in the future; thank you for that suggestion.

Much thanks,

SafeDesk Puts Bounties on STS Open-Source Development

Posted May 31, 2006 1:57 UTC (Wed) by jclinton (guest, #38092) [Link]

Thank you for your compliments, ledow, you are mostly correct on your criticisms. However, it's unfair to say that this is worse than NFS. As a point of comparison, consider the LTSP case:

clients NFS mount as root read-only with no authentication the /opt/ltsp/i386 directory as their root file system

Now consider the Safedesk STS case:

clients CIFS mount as root read-only with no authentication the /var/live/chroot directory as their root file system

As you can see, they are virtually identical.

However, I 100% agree that the need to put the "map to guest =" in the [global] section is a sad limitation of Samba and I hope that version 4 will solve this problem and allow the administrator to do such a change on a share-wise basis.

Jason Clinton
Designer/Programmer/Support for Safedesk Terminal Server

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds