| blob | abbc67ce639ef8146c3de829f21df8fd0980af40 |
1 Ganymede Release 2.0
2 22 January 2013
3 FAQ
4 ---------------------------------------------
6 Questions Answered:
8 1. What is Ganymede?
9 2. Great! Then I can just jump right in and use it, right?
10 3. Who should be thinking of using Ganymede?
11 4. Is Ganymede secure from packet-sniffing?
12 5. What do I need to run Ganymede?
13 6. How scalable is Ganymede, with its memory-based database?
14 7. Why isn't Ganymede LDAP-based? What about replication?
15 8. What's up with DNS management? The current stuff is weak.
16 9. Where's the documentation?
17 10. How can I help?
18 11. Why is it called Ganymede?
19 12. What is Ganymede's development history like?
20 13. When I try to start the Ganymede server, I see a message complaining
21 about the system hostname resolving to the 127.0.0.1 loopback address
22 and the server quits. What's going on?
23 14. Where's the Ganymede web site?
24 15. What's the best way to report bugs? How should I ask questions?
26 --------------------------------------------------------------------------
28 1. What is Ganymede?
30 Ganymede is a system for managing network directories. A network directory
31 is something like NIS, LDAP, or DNS. Ganymede has its own built-in object
32 database that holds authoritative information and which is fed into NIS,
33 DNS, etc., when things change. Unlike stock NIS, DNS, or LDAP, Ganymede is
34 designed to be very smart about what changes are allowed to the network
35 information.
37 Customizers can write Java classes to provide very sophisticated data
38 checking and inter-object relationship maintenance. The Ganymede server
39 does a lot to keep everything sane.. if you delete a user, the user is
40 automatically removed from all groups, email lists, systems, etc., that
41 refer to the user. If any of those secondary changes would violate
42 permissions, the whole operation is refused.
44 With Ganymede's sophisticated permissions system, you can give different
45 levels of authority to different kinds of users, over distinct portions of
46 Ganymede's database, making it possible for administrators to take care of
47 their own portions of your network directories without getting in each
48 others' way. Ganymede logs all changes and has an extensive system for
49 sending email notification to various interested parties when things
50 change. Objects in the database can be set to expire or be removed at a
51 later date, making it possible to create temporary user accounts and so
52 forth.
54 Customizers/adopters can write code to take the data from Ganymede and
55 propagate it into NIS, DNS, or anything else when changes are made in the
56 Ganymede database. At ARL:UT, we take the data from Ganymede and propagate
57 it into NIS, DNS, tacacs+ for router configuration, Samba, Active
58 Directory, Sendmail, OpenLDAP, and more.
60 In addition to maintaining the directory services, Ganymede also triggers
61 external scripts to create users' home directories, handle user rename,
62 NFS volume creation, etc. Having a central point through which all network
63 information changes go through before fanning out to all of your network
64 distribution mechanisms is extremely powerful.
66 Ganymede is much more than a simple directory system like LDAP, NIS, or
67 even DNS. Ganymede is a total system for managing your directory
68 information, and is designed with the goal of making it possible to let
69 even untrained clerical staff handle things like user and DNS record
70 creation and maintenance.
72 2. Great! Then I can just jump right in and use it, right?
74 Um, no. Ganymede itself is an extensible and customizable system that can
75 do a tremendous amount for you, but right now it is not an
76 'out-of-the-box' admin package. In order to make Ganymede useful, you need
77 a schema kit, which consists of a database definition for the network
78 information you want to manage, a set of custom Java plug-in classes that
79 will make the Ganymede server smart about how your information is supposed
80 to be connected together, and a set of classes and scripts that will take
81 information from Ganymede and propagate it into your network.
83 Ganymede comes with a few demonstration schema kits, and one very complex
84 schema kit that manages the ARL laboratory environment, but if you are
85 serious about Ganymede you're going to need to do some work to design your
86 network environment management system.
88 Hopefully as time goes on, people will produce a variety of schema kits
89 that will be useful for a variety of common scenarios (like managing DNS
90 at an ISP, for instance), but whenever you get into an environment as
91 complex as Ganymede is designed to be able to handle, you're likely to get
92 a lot of details that will be different for each network.
94 3. Who should be thinking of using Ganymede?
96 From reading the above, you can tell that Ganymede is probably overkill
97 for a small network. If you start getting hundreds of users and/or
98 hundreds of systems, Ganymede will make your life a lot better, but for
99 less than a couple dozen systems or users, you may find that Ganymede is a
100 bit much. Ganymede is not at all a good fit for managing things on a
101 single system.. the Ganymede server takes up a lot of memory and you just
102 wouldn't need its features for something so small.
104 4. Is Ganymede secure from packet-sniffing?
106 Yes. The Ganymede 2.0 server opens two TCP ports for communication with
107 the Ganymede client and admin console. Communications to the first port
108 (the RMI registry) is unencrypted, but the only traffic to that port is
109 the server telling the clients where to find the second port.
111 The second port is what the clients use to log in and talk to the server.
112 Communications to and from this port are protected with SSL. The Ganymede
113 client and server are cryptographically mated. The server contains a
114 private key that is generated when you build the software, along with a
115 matching public key certificate. This certificate is incorporated into the
116 client so that the client can validate the server's identity.
118 In addition to protecting the data communications with SSL, the server is
119 configured to cryptographically randomize the RMI-level object
120 identifiers, to prevent attackers from attempting to inject commands to
121 objects on the Ganymede server that are published for someone else's
122 client.
124 5. What do I need to run Ganymede?
126 Ganymede has very few prerequisites. You'll need to have Java 6 installed,
127 but otherwise everything you'll need for basic operations is included in
128 the Ganymede download.
130 We do expect that you have a Unix-like system to run the server on,
131 however. You can use Mac OS X, Linux, FreeBSD, Solaris, or any other
132 Unix-like system that has Java 6, Bourne Shell, and Perl 5. Cygwin on
133 Windows might even work, though we haven't tested that.
135 The Ganymede client and admin console require Java 6 and a GUI
136 environment. You can run the client and admin console remotely from
137 Windows, Linux, Mac, or whatever you have, if your Unix server doesn't
138 have GUI support on it.
140 The Ganymede server can be memory intensive, as all data registered in
141 Ganymede is kept in an in-memory database backed by disk. A 64 meg system
142 dedicated to Ganymede is adequate to run a lab like ours, with DNS for a
143 couple thousand systems, and user, group, and email records for around
144 1000 users. More memory is better. You'll probably want a Pentium 200 or
145 better for good performance on something like Linux. JITs are great,
146 anything with a good generational garbage collector like Sun's HotSpot VM
147 are super-great.
149 (The above paragraph is pretty old, obviously, but it's still true, so I'm
150 perfectly happy leaving it as it is. ;-)
152 The best way to launch the Ganymede clients is to use Sun's Java Web Start
153 product, which comes with Sun's Java environment. Mac OS X ships with very
154 good Java Web Start support, as well.
156 6. How scalable is Ganymede, with its memory-based database?
158 Fairly scalable. At ARL:UT, we use Ganymede to manage a rather complex NIS
159 domain containing around 800 users and our DNS domain with over 2500
160 system records defined. During execution our Ganymede server takes up only
161 about 25 megabytes of JVM heap space, or about 100 megabytes in total
162 counting shared libraries, etc., for the JVM.
164 During development of Ganymede 2.0, we test-loaded the Ganymede server to
165 250,000 users and 250,000 groups of random data, using the userKit. At
166 those crazy levels, the Ganymede server balloons up to 600 megs of RAM,
167 but it still works fine.
169 So we feel very confident in saying that the Ganymede server should be
170 able to scale up to handle just about as large a set of data as you'd ever
171 want to manage on a single server.
173 The server should degrade gracefully if the heap usage gets to be too
174 much. As the amount of data loaded into the server increases towards the
175 upper limits that can be held in the the JVM's maximum allocated heap,
176 garbage collection activity will increase significantly. If there is
177 simply too much data to fit into the set heap size, an OutOfMemoryError
178 will eventually be thrown and the server will be unable to handle new
179 logins, new object creation, and such. With the current design an
180 OutOfMemoryError would not cause precipitous data loss. At the worst, the
181 server would have to be shut down, the amount of heap dedicated to the jvm
182 increased, and the server re-started. If the heap size is bumping up
183 against the maximum available on a given machine, it would be necessary to
184 export the server's data to XML, split the data, and create separate
185 Ganymede servers for separate subdomains or separate object types.
187 The final word on scalability remains that you should be sure and test
188 with a representative dataset before committing to Ganymede, and if you
189 find that it doesn't scale adequately, report your findings to the
190 Ganymede forums.
192 7. Why isn't Ganymede LDAP-based? What about replication?
194 For a number of reasons, most having to do with the fact that development
195 on Ganymede started in early 1996, before LDAP was as prominent as it is
196 today. Ganymede provides a lot of intelligence and customizability that
197 you don't get with a stock LDAP solution, and its transaction and
198 permissions models are superior to that of LDAP.
200 The point of Ganymede is as much intelligent management of changes and
201 relationships as it is mass storage of data. Because Ganymede has a richer
202 data model in some ways (object id's, symmetrical object pointers,
203 explicit representations of IP address data types), and poorer in others
204 (Ganymede's current lack of support for an object type hierarchy),
205 reworking Ganymede on-top of LDAP would be difficult. A lot of the
206 intelligent management of Ganymede would have to be sacrificed in such a
207 move, although the resulting system would probably be more scalable and
208 would have higher performance at the high end.
210 Going to a multi-server Ganymede system, a la Active Directory and NDS and
211 LDAP servers generally might be interesting, but that would be Hard. All
212 of the namespace indices used for unique-value management and object
213 locking would have to be coordinated across servers, and in such a way
214 that a server could go down and be brought back up without losing such
215 run-time state. Also, the scripts to emit data from Ganymede server's into
216 local DNS, NIS, and the like would be complex.
218 Generally speaking, Ganymede is not intended to be the service that
219 operating system (PAM) and/or application code consults directly. Instead,
220 Ganymede is intended to feed things like NIS, DNS, and LDAP, which have
221 their own means of doing replication and redundant servers for backups.
223 In Ganymede 2.0, we have a new Synchronization system based on XML deltas
224 which we use at the laboratory to manage Active Directory and OpenLDAP
225 servers. The external code we use to do this is Deepak Giridharagopal's
226 excellent but cryptically named 'SyncUtils' package for Python.
228 8. What's up with DNS management? The current stuff is weak.
230 Yes, that's true. Our use of Ganymede to manage DNS is limited to only
231 that which we need in our environment, and it's part of the larger GASHARL
232 schema kit, which is partially shipped with Ganymede 2.0. If you want a
233 more full featured DNS management kit built on top of Ganymede, and you
234 can speak German, take a look at DoctorDNS, at
235 http://www.fg-networking.de/index.php/spektrum/forschung-a-entwicklung/doctordns.
237 9. Where's the documentation?
239 What documentation do you want? I know more and better docs are needed,
240 but feedback is pretty scarce. Are the current docs adequate at all? Where
241 does it break? Ask questions, post in the Ganymede forums. Code
242 development is like a child's brain, it needs input.
244 If you haven't seen it, look on the Ganymede web page
245 (http://www.arlut.utexas.edu/gash2/) for the 1998 LISA paper we wrote on
246 Ganymede. It provides a very good conceptual and technical overview. It's
247 not so good as an operational manual, but we're struggling to get more
248 operational documentation written.
250 10. How can I help?
252 Post in the Ganymede forums. Post about problems and please post success
253 reports. If you are having problems or see an issue, it's likely other
254 people on the forum will be interested and have something to say about it
255 as well. If you find bugs or want something enhanced, file a bug report in
256 our Bugzilla database.
258 Help is always welcome. Ganymede is designed to be a generic engine that
259 can be customized with schema kits for differing environments.. if you
260 want to work to customize Ganymede for some environment, let the forums
261 know. If you see things in the basic engine or client that you think you
262 could contribute to improving, let me know.
264 11. Why is it called Ganymede?
266 It's actually an acronym, standing for GAsh Network Manager, Deluxe
267 Edition. I wanted a name that connected this project to GASH, and I just
268 couldn't come up with any great names that involved GASH in some fashion
269 (I did come up with a lot of really bad names, though...)
271 12. What is Ganymede's development history like?
273 Ganymede is the successor to GASH, the Group Admin Shell, which was
274 developed at ARL starting in early 1993, and which was presented at the
275 USENIX LISA VIII conference in San Diego, CA in September, 1994.
276 Refinements and further development of GASH continued into mid-1995,
277 before we decided that the GASH design wouldn't carry us much further
278 without massive pain and effort.
280 Initial work on spec'ing Ganymede started in late 1995. After several
281 months of planning on pen and paper, active code development started
282 around June 1996. In March 1998, the first binary developer's pre-release
283 was put on the ftp site. In December 1998, we presented Ganymede at the
284 USENIX LISA XII conference in Boston, MA. The first full source
285 distribution, under GPL licensing, was sent out in January, 1999.
287 Work on Ganymede 2.0 began in earnest in 2004 when the release of
288 Subversion made it feasible to really move things around and start
289 breaking things in the source tree. Since then, we've made continual
290 refinements and improvements, some quite extensive.
292 We've recently moved to GIT, and that has accelerated our work even
293 further.
295 At this point, Ganymede proper has been under development for seventeen
296 years, and in 24/7 production use for thirteen.
298 13. When I try to start the Ganymede server, I see a message complaining about
299 the system hostname resolving to the 127.0.0.1 loopback address and the server
300 quits. What's going on?
302 The Ganymede server is trying to protect you from a misconfiguration of
303 your system.
305 In order for the Ganymede server to work, it needs to pass a URL to the
306 rmiregistry process describing the network name that the Ganymede server
307 wants to be known by. This will look like
308 rmi://myhost.domain.com:1099/ganymede.server. When the rmiregistry on the
309 server system receives a network call asking to talk to the Ganymede
310 server, it will return an IP address and TCP port number that the client
311 should use to talk to the server.
313 On some systems, the 'hostname' command returns a name that is associated
314 with the 127.0.0.1 loopback address in /etc/hosts. On such systems, the
315 rmiregistry will get the idea that the I.P. address that the client should
316 talk to in order to find the server is 127.0.0.1. 127.0.0.1 is a 'magic'
317 address, which is always interpreted to mean 'myself'. Remote Ganymede
318 clients obviously won't find the server on their own system, so you'll
319 experience mysterious failures when the clients try to talk to the server.
321 To prevent this problem, the Ganymede server checks the system's idea of
322 its name against the 127.0.0.1 address. If it finds that the systems'
323 hostname would cause the rmiregistry to provide the unhelpful 127.0.0.1
324 address, it tries instead to use the system name provided by the user when
325 the Ganymede server was installed. If that name also resolves to
326 127.0.0.1, the server prints the error message and exits, rather than
327 confusing you with an inability to talk to remote clients.
329 If you experience this problem, edit the server's ganymede.properties file
330 and change the ganymede.serverhost definition to something that will
331 resolve on the server to something other than 127.0.0.1. This can even be
332 the server's network accessible I.P. address, if you like.
334 Hopefully a future version of the Java rmiregistry utility will have
335 smarter behavior regarding the loopback address. If you do find that you
336 need to override this check, you can edit the server's runServer script
337 and add the -forcelocalhost option to the Java invocation line.
339 14. Where's the Ganymede web site?
341 The Ganymede web site is located at http://www.arlut.utexas.edu/gash2/.
343 15. What's the best way to report bugs? How should I ask questions?
345 We have a bugzilla database running at the Ganymede web site. You should
346 visit the bugzilla database and report bugs there.
348 If you want a more interactive experience, or if you want to ask
349 questions, you should participate in the Ganymede forums, where other
350 Ganymede users (present or future) can benefit from the discussion.
352 If you want to send mail to the developers, you can send mail to
353 ganymede_author@arlut.utexas.edu. You could also participate in the
354 GitHub copy of the Ganymede repository, if you like, at
355 https://github.com/jonabbey/Ganymede
357 We also have forums on the our web site, little used though they are.
359 Thanks!
361 --------------------------------------------------------------------------
363 Authors: ganymede_author@arlut.utexas.edu ARL