What is Fleet Commander?

Fleet Commander is a tool that helps with large network deployments. It gives sysadmins control over user profiles. With Fleet Commander, you can define the desktop settings for every user in your network and make them available on any machine they log into. This makes sysadmins' lives much easier, especially because they don't need to prepare every user's laptop with a specific configuration based on the user. The sysadmin just dumps the disk image onto that laptop, configures it for the enterprise identity system and that's it. The next time the user logs into that laptop, Fleet Commander will apply the user-specific desktop settings without any sysadmin intervention.

In addition, Fleet Commander has been designed to make selecting the settings to apply a very user-friendly task. Using a live session in a template virtual machine with the same configuration as your enterprise workstations, it shows you a list of the configuration changes you made during the session so you can select the ones you want to include in the profile.

How does it work?

Fleet Commander is divided into 3 pieces of software that have different functions in the whole process.

First, there is Fleet Commander Admin. This is the main interface you will use to create and manage profiles. From here you can define every profile, which users/groups/hosts/host groups each one applies to, and the settings that need to be applied to them. Fleet Commander Admin is a Cockpit plugin, so you can reach it with a browser from any machine. It works closely with the FreeIPA identity management system to store profile data so it can be made available to the enterprise network.

Also, the Fleet Commander client needs to be installed on every machine in your network.
As every machine in the enterprise network is connected to FreeIPA, SSSD manages the client-side identity operations and gets the profile data that applies to the user when he/she logs in. Then the Fleet Commander client applies that configuration for the user and you are done.

The third piece of software is called the Fleet Commander logger. This is a helper that runs on the template machine so it can log the changes you make to the configuration during the live session. It only needs to be installed on the template machine, and it is only activated when you open a live session from Fleet Commander Admin.

Now you have my attention. How can I test it?

Fleet Commander packages are included in Fedora, so you can install them using gnome-software or via dnf. However, since Fleet Commander is intended for large network environments, it needs a minimal infrastructure to test it. The easiest way to prepare this environment is to install some virtual machines that replicate the services we need, but thanks to Fabiano Fidêncio and a fork of Christian Heimes' pki-vagans FreeIPA environment, we have a ready-to-use environment called fc-vagans where you can test Fleet Commander.

Preparing the test environment

To test Fleet Commander you will need to clone the fc-vagans project:

    git clone https://github.com/fleet-commander/fc-vagans.git

Once the repository has been cloned, you just need to run:

    ./setup.sh

This takes care of installing the packages you need to bring up the virtual machines and sets them up to work as a Fleet Commander environment. When the command finishes, it will ask for your password in order to update your hosts file, which makes it easier for you to access the VMs in the environment.

Let us explain the requirements of each part so you know what fc-vagans is setting up under the hood.

Fleet Commander Admin

Fleet Commander Admin has some requirements in order to work properly:

* You will need a FreeIPA server to store profile information. That information can be stored thanks to a plugin called freeipa-desktop-profile, developed specifically for desktop profile storage by Alexander Bokovoy.
* The machine on which you run Fleet Commander Admin needs to be part of the enterprise network.
* To log in to Cockpit on that machine, the user needs administrator rights in order to be able to store profile data in FreeIPA.

Fleet Commander client

A client machine must be part of the enterprise network and have the Fleet Commander client installed so that the profile configuration is applied at login time.

The template machine

This is the only thing fc-vagans does not set up for you. You will need a virtual machine (a Fedora one for the sake of simplicity) on which you install the Fleet Commander Logger package. This virtual machine will be used during the live session to configure the settings we want for a desktop profile. To install the logger package just run:

    sudo dnf install fleet-commander-logger

If you install Fleet Commander Logger on a normal machine, it will not be executed, because it checks whether it is running in a Fleet Commander live session and, if not, it just bails out.

Enable SSH in the host machine

If you want to use the live session feature (believe me, you want to!) you will need to enable the SSH service on your host machine, so Fleet Commander can use libvirt to access the template machine we created previously. To enable it, just execute the following commands:

    sudo systemctl enable sshd
    sudo systemctl start sshd

And now we are ready to go ahead and test Fleet Commander. Fasten your seatbelts!

Connecting to Fleet Commander

The first step is to log in to Cockpit. As we said before, you will need to open a browser and head to http://master.ipa.example:9090 where we will be asked for a user and a password.
We will need to use the following credentials:

    Username: admin
    Password: Secret123

Once we have logged in, we can click the Fleet Commander link on the left sidebar (it is a paper plane icon).

The first time you open Fleet Commander you will see a dialog where you need to set up the virtual environment host. We will be using our own host machine so we can use the template virtual machine we created in the previous steps. Configure the dialog with the following data:

Make sure you replace MY_USER with your own username.

Then click the “Install public key” button. That will ask for our user's password in order to install the SSH public key that allows Fleet Commander to connect to your libvirt system through SSH. Then save the configuration.

Creating your first desktop profile

To create our first profile, click the “Add profile” button. It will show a form where you can name the profile and specify the users/groups/hosts/hostgroups the profile will apply to. Name it “Test Profile” and type “admin” in the Users field. Then click the “Save” button.

You will now see our newly created profile in the profile list, but we still need to add the settings we want to the profile. To do that, click the “Edit” button, and you will see several buttons at the bottom of the form. Click the “Live session” button. Once you click it, you will get a dialog with the list of virtual machines you have configured. Select the client machine we created in the previous steps and it will boot until it reaches the desktop.

Using the live session to configure profile settings

Now that you have booted the template machine, you can start configuring any application that uses GSettings to save its preferences. Fleet Commander also supports saving preferences for LibreOffice, NetworkManager (so you can configure WiFi and VPNs), Firefox and Chromium/Chrome. We are working every day to add support for other applications and configurations.
Then, if you press the Review button in Fleet Commander, you should see the changes you have made in the review list. Just select the changes you want to add to the profile and press the Deploy button. That will store the settings in your profile, ready to be applied on your client machine at login time.

Getting the configuration applied

We have created a test profile that applies to the “admin” user and we have set some configuration settings we want to be applied to that user at login time. So, we will log in as the admin user on our client machine. On the login screen select the option “not listed here?” and use the admin user credentials:

    Username: admin
    Password: Secret123

The login process will start and, when you get into the GNOME desktop, you can check that your settings have been applied to the applications.

What happened here?

Taking a more in-depth look at the process, we can summarize what has happened with the following graphic:

These are the things happening under the hood:

1. Fleet Commander initiates an SSH session with the machine that contains the libvirt virtual environment with our template machine.
2. The template machine is cloned into a temporary VM and we start a SPICE session to that temporary copy. All the changes we make during the session are logged by Fleet Commander Logger and transmitted to Fleet Commander Admin through a special SPICE channel.
3. Once we have reviewed all the changes, we save the profile with all the settings into the FreeIPA server. The profile is formatted by Fleet Commander Admin and then stored using the FreeIPA desktop profiles plugin.
4. When a client logs in on our large network, SSSD asks, using LDAP, for the profiles that apply to the user who is logging in.
5. SSSD downloads the applicable profiles to a special directory.
6. SSSD fires Fleet Commander Client using D-Bus to tell it the profiles are ready to be applied.
7. Fleet Commander Client compiles the profiles, resolving basic conflicts in configuration, and generates and places the files that services like dconf need in order to read the profile configuration for the user.

Conclusion

Fleet Commander is a powerful tool for sysadmins that will surely help in large desktop deployments. In this article, most of what we had to do was set up a base infrastructure to work with, but in real-life scenarios that infrastructure usually already exists, so if we focus on the Fleet Commander installation and workflow itself, it is really easy to install and use.

On the other hand, Fleet Commander is a very new project that needs your help to grow. We want to hear your thoughts, feedback and contributions to make it a better tool.

Project urls

Fleet Commander: http://fleet-commander.org
Cockpit: http://cockpit-project.org/
LibVirt: https://en.wikipedia.org/wiki/Libvirt
SPICE: https://www.spice-space.org/
FreeIPA: https://www.freeipa.org/page/Main_Page
FreeIPA desktop profile plugin: https://github.com/abbra/freeipa-desktop-profile
SSSD: https://pagure.io/SSSD/sssd/
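
A check to go with the "Enable SSH in the host machine" step, added here as an example that is not part of the original article or of Fleet Commander: it reads the effective sshd configuration in the format printed by `sshd -T` and lists the settings worth reviewing on a workstation that now accepts SSH logins. The function name `audit_sshd`, the account `alice` and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or from Fleet Commander).
# Reads the effective sshd configuration, in the format printed by `sshd -T`
# (lowercase keyword followed by its value), and prints one REVIEW line per
# setting worth a second look on the host that was opened up for libvirt.
# On the real host:  sudo sshd -T | audit_sshd "$USER"

audit_sshd() {
    # $1 = account Fleet Commander connects as (MY_USER in the setup dialog).
    # AllowUsers entries are compared literally; patterns are not expanded.
    awk -v user="$1" '
        $1 == "passwordauthentication" && $2 == "yes" {
            print "REVIEW passwordauthentication=yes (Fleet Commander connects with the installed public key)" }
        $1 == "permitemptypasswords" && $2 == "yes" {
            print "REVIEW permitemptypasswords=yes" }
        $1 == "permitrootlogin" && $2 == "yes" {
            print "REVIEW permitrootlogin=yes" }
        $1 == "allowusers" {
            restricted = 1
            for (i = 2; i <= NF; i++) if ($i == user) listed = 1 }
        END {
            if (!restricted)
                print "REVIEW no allowusers line: every local account may log in"
            else if (!listed)
                print "REVIEW allowusers does not include " user
        }'
}

sample_default() {      # constructed sample: sshd just enabled, nothing tuned
    cat <<'EOF'
port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no
EOF
}

sample_restricted() {   # constructed sample: key-only login for one account
    cat <<'EOF'
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
allowusers alice
EOF
}

sample_default | audit_sshd alice   # demo run on the constructed sample
```

Run it after the "Install public key" step, since that step asks for the user's password to copy the key into place.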