S4E6: "Be a Rancher, Not a Vet"

Posted 2019-05-13 05:21
Modified 2019-05-13 05:35
Comments 0

Paden couldn’t join us, so myself and Jthan talk about enterprise desktop fleet management.

• Just the Tip
• Notes
• 15 Clams
• Errata
• Music

Just the Tip

• Paden’s tip was postponed to next episode (because he wasn’t able to join us), so Jthan and I talk about Nginx optimization/quick Nginx performance improvements.
  • Caching
    • Good for lots of responses.
    • Nginx was primarily and initially designed to be a caching reverse proxy, so there are a lot of resources available on it.
      • This
      • This
      • This
    • Caching technical details can be found in RFC 7234.
  • Gzip compression
    • Good for large responses.
    • The Nginx configuration details can be found here.
    • You can find more details about HTTP gzip (de)compression in RFC 2616 § 3.5.
  • It’s important to really understand location block handling.
    • And test them too! (Nginx also has a built-in configuration validation – nginx -t.)
  • There are also a lot more tricks you can do that we don’t go into.
    • Seriously, their blog is really good.

Notes

Starts at 26m48s.

I was drinking Guinness Extra Stout. Jthan was drinking Hogback rye whiskey.

• Managing enterprise desktop/workstation fleets.
  • Network performance is the most important component to managing enterprise workstations.
    • Your addressing (CIDR) suffix has to be large enough and (if using IPv6) your prefix has to be properly handled (ideally with SLAAC).
    • Cross-site bridging and routing need to be properly set up.
    • Traffic flow/throughput needs to be managed.
  • We didn’t mention it on-air, but VLANing is great for security benefits and department segregation.
  • Hardware profiling/specification.
    • Thin clients, hybrid clients, and “fat” clients.
      • Thin clients are awesome for this, assuming you can use them in their relevant roles.
    • Fat clients are almost never ideal. If anything, hybrid clients are where you’d want to go with this in the event of momentary network outage.
    • Prime takeaway of hardware decision-making is your data should be managed centrally.
  • PXE and/or especially iPXE is fantastic for hybrid and fat clients.
    • Jthan asks about thin-booting.
    • Linux has its own version of terminal services, commonly referred to as LTSP.
      • More updated documentation is on the LTSP wiki.
  • Inventory management/asset tracking is also very important.
    • Ideally this should be managed with QR codes or barcodes and a scanner for quick inventory management, but it should be tied to something in the hardware serial numbers as well so configuration management can access these and hook into your inventory management.
  • Needs/role segregation.
    • Jthan doesn’t know “cattle, not pets” is a thing.
    • It’s key to remember that sometimes you have different “livestock”, depending on the role/department that machine serves within your organization.
  • Centralized user identity management/authentication.
    • Active Directory is ideal for pure-Windows environments. Pure LDAP is ideal for Linux/*NIX-like environments (see our FreeIPA episode, S2E10 and episode S3E1 as well!). Kerberos for mixed-platform environments (though every major platform should work well enough in an AD environment, with various levels of pain and agony).

15 Clams

In this segment, Jthan shares with you a little slice of life. The title is a reference to this video. (2m16s in)

Starts at 47m25s.

Jthan revisits S4E5 thanks to a conversation he had with Nosbig.

Jthan ponders how to best manage simultaneous multi-destination backups.

Nosbig performs a local borg backup archive, and then rsyncs his borg repository to a remote location. Jthan worries about bad snapshot propagation. Borg has a verification feature, and rsync is unlikely to corrupt in transfer, but Jthan (and I) agree that ultimately it’s probably better to just have different destinations and creating fresh snapshots in each.

Errata

• Paden was at IBM Tech University and due to hotel networks being terrible was unable to join us.
• The law on home distilling is murky at best and can vary from state to state. But there is one thing clear: I was absolutely wrong and you need a license to home distill beverage alcohol, no matter what quantity (admittedly, the license is easy to get).
• Vault developers don’t like it being reverse-proxied – at least in the past (although it is perfectly possible and possible to do well, and something I do).

Music

Author r00t^2
Categories Season Four