Installation on a large, specific structure

Benjamin
Messages: 8
Registration: August 25, 2016 - 6:53 PM

August 25, 2016 - 8:10 PM

Hello,

I apologize in advance for the length of the post.

Situation:
I work for the regional government in IT administration and maintenance for high schools. In order to simplify application maintenance and updates, to allow centralized management of applications available to high schools, and to replace WPKG which is limited and only works (in our case) on workstations connected to SE3, I would like to implement Wapt, but with specific constraints.

So I'm going to explain what kind of operation it would need to be and the constraints in order to know if it's feasible (if not how to get as close as possible) and to get advice on the steps to take for the most optimized operation.

What I would like to do (but is it possible?):
  • A central server (or repository, I'm not entirely sure) to host all the applications made available to all the high schools.
  • A central console for an overview of the software and to manage package groups, updates, and deployments for all the high schools.
  • A local server in each high school (or repository, I'm not sure) that retrieves all the software from the centralized application database to manage only the school's machines.
  • A console in each high school so that local administrators can manage installations on specific workstations with a simple click, without any further action required, and (if possible) automatic installation of updates without intervention from local administrators.
Constraints:
  • I don't think I can use a single centralized server with repositories at each high school because:
    Firstly, all 28,000 workstations would end up on the server, and managing deployment to individual schools would be complicated (no workstation groups).
    Secondly, access to the console must be granted to local administrators at the high schools, and they must not be able to install software at any school other than their own.
I hope my explanations are understandable.

Thank you in advance for your help.
Sincerely,

Benjamin
Floflobel
Messages: 135
Registration: Oct 15, 2015 - 5:32 p.m.

August 26, 2016 - 10:31

Hello,

For me, the simplest solution is to create a WAPT server at each high school.
I currently have 1000 workstations on a single console, and the latency is noticeable when updating the list of workstations. So, with 26,000 workstations, I can't even imagine.

Each repository would be replicated every night, for example, from a main repository.
Then, it would simply be a matter of assigning the software to the desired workstations from the console.

My console is organized by group, which greatly simplifies deployment; I simply assign the software to the group, and updates are performed automatically when the workstation is shut down using waptexit.

You could connect to each WAPT console at each high school to verify that the deployments are working correctly.
Unfortunately, I don't have a solution for a centralized console.

Do you have an Active Directory in place?
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

August 26, 2016 - 2:59 PM

Benjam wrote:Hello,

I apologize in advance for the length of this post.

Situation:
I work for the regional government in IT administration and maintenance for high schools. To simplify application maintenance and updates, enable centralized management of applications available to high schools, and replace WPKG, which is limited and only works (in our system) on machines connected to SE3, I would like to implement WAPT, but with specific constraints.

Therefore, I'm outlining the required functionality and constraints to determine if it's feasible (and if not, how to best approach it) and to get advice on the steps to optimize its operation.

What I would like to do (but is it possible?):
A central server (or a repository, I'm not entirely sure) to consolidate all the applications made available to all high schools.
A central console for an overview of the software and to manage package groups, updates, and deployments for all high schools.
Yes, it's possible
Benjam wrote: A local server in each high school (or repository, I don't know) that retrieves all the software from the centralized application database to manage the machines of the high school only.
Yes, basically a secondary repository in addition to the central repository --> Yes, it's possible
Benjam wrote: A console in each high school so that local admins can manage installations on any given workstation simply by clicking, without any further action required, and (if possible) automatic installation of updates without intervention from local admins.
Yes, it's possible!
Benjam wrote: Constraints:
I think I cannot use a single centralized server with repositories on each high school because:
All 28,000 workstations would arrive on the server and managing deployment in one establishment or another would be complicated (no workstation groups) on the one hand.
Only the wapt server of each establishment would download from the central repository, therefore the central repository would not be overloaded.
Benjam wrote: On the other hand, access to the console must be given to local administrators in high schools and they must not be able to install the software in a high school other than their own.
Since only soft access is provided, there is no risk at this level as users will not be able to modify the central repository
Benjam wrote: I hope my explanations are understandable.

Thank you in advance for your help.
Sincerely,

Benjam
Okay, so I pretty much see what you want to do, and yes, that's a feature that was designed by tranquil.it. I tested it and wrote some documentation about it:

I invite you to read here about "Remote Repositories" and "Multi-Repo Wapt":
https://wiki.lesfourmisduweb.org/index.php/Serveur_WAPT

But I think the best thing is for you to take a WAPT training course precisely to master the tool.
But having done tests, yes, it's possible
Benjamin
Messages: 8
Registration: August 25, 2016 - 6:53 PM

August 26, 2016 - 4:59 PM

Hello and thank you for your replies.

I would like Wapt (and Samba4) training, but unfortunately my employer doesn't agree :(
It reassures me to know that what I want to do seems possible

Regarding the first answer, ADs are present in rare cases, no servers in rare cases either, and in the vast majority of cases they are SE3 (therefore "basic" domains)
I came across the documentation in the previous post yesterday and indeed the solution is there (thanks to the ants)

Just a few clarifications to make sure I've understood the answers correctly; it would be something like this:
  • 1 central Wapt server that serves as a general repository for everyone;
  • 1 central console that sees all the software (and groups) but without any machines;
  • 1 local Wapt server in each high school that synchronizes its repository with the central one;
  • 1 console in each high school for deploying applications in the high schools and which references the workstations in the high school
    (this is where I don't quite understand: should we synchronize the remote repository with the local one? or declare the central repository first and the local repository second (or the other way around)?)
  • Access for local admins is only given on the Wapt server of their high school.
Does that seem consistent to you?

I'm going to read the documentation in detail and start doing tests in virtual machines.

Thank you again
Benjamin
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

August 27, 2016 - 12:41

Benjam wrote:Hello and thank you for your replies.

I would like to take Wapt (and Samba4) training, but unfortunately my employer doesn't agree. :(
It's reassuring to know that what I want to do seems possible.
:cry: :cry: evil:
Benjam wrote: Regarding the first answer, ADs are present in rare cases, no servers in rare cases either, and in the vast majority of cases they are SE3 (therefore "basic" domains)
I came across the documentation in the previous post yesterday and indeed the solution is there (thanks to the ants)
Just a few clarifications to make sure I've understood the answers correctly; it would be something like this:
  • 1 central Wapt server that serves as a general repository for everyone;
  • 1 central console that sees all the software (and groups) but without any machines;
  • 1 local Wapt server in each high school that synchronizes its repository with the central one;
  • 1 console in each high school for deploying applications in the high schools and which references the workstations in the high school
    (this is where I don't quite understand: should we synchronize the remote repository with the local one? or declare the central repository first and the local repository second (or the other way around)?)
  • Access for local admins is only given on the Wapt server of their high school.
Does that seem consistent to you?

I'm going to read the documentation in detail and start doing tests in virtual machines.

Thank you again
Benjamin
I see two solutions:

The first option is very simple. You install a WAPT server in each high school and provide a public repository so the schools can duplicate packages from it (as is currently the case with tranquil.it). However, with each update, intervention from a school staff member will be required to initiate the package duplication in the local repository.

The second solution is to set up multiple repositories in each high school:

Basically, for the WAPT client, two repositories are available: the central repository and the school's internal repository. This will allow for greater flexibility for the network administrator. For security reasons, the private key of the central repository must not be disclosed.

You can already do the test with this: https://wiki.lesfourmisduweb.org/index. ... -Repo_Wapt with tranquil.it to understand it properly

And then, once you've tested it, to avoid overloading the main repository, you'll need to replicate the central repository to the private repository. So, for the client, we can do something like this:

The client will have the repositories:

https://ipdudepotdulycee/wapt/
https://ipdudepotdulycée/repliquedudepotwapt/

So, for replication, here's a tutorial:
https://wiki.lesfourmisduweb.org/index. ...ts_distant

I know it's not clear, but I don't know how to explain it any better than that
Benjamin
Messages: 8
Registration: August 25, 2016 - 6:53 PM

August 27, 2016 - 6:28 PM

Hello,

A huge thank you for these answers which allow me to properly lay out the project in my mind before putting it into testing (I am preparing a virtual test environment; it takes a little time on my machine...lol).

The second solution corresponds to what I would like to do because, depending on the establishment, local managers sometimes have only limited knowledge of IT (and not necessarily the desire to get more involved).
sfonteneau wrote:The second solution is to use multiple repositories in each high school:

Basically, for the WAPT client, two repositories are available: the central repository and the school's internal repository. This will allow for flexibility for the network administrator. For security reasons, the private key of the central repository must not be disclosed.

You can already test it with this: https://wiki.lesfourmisduweb.org/index. ... -Repo_Wapt using tranquil.it to understand it better.

And then, once you've tested it, to avoid overloading the main repository, you'll need to replicate the central repository to the private repository. So, for the client, we can do something like this:

The client will have the repository:

https://ipdudepotdulycee/wapt/
https://ipdudepotdulycée/repliquedudepotwapt/

And for the replication, here's a tutorial:
https://wiki.lesfourmisduweb.org/index. ...ts_distant

I know it's not clear, but I don't know how to explain it better than that
Yes, it's clear, with just two or three minor exceptions:
  • If I set up a WAPT server and a console on the main repository to get a better view of the available software and to allow other authorized users to easily upload it, will that cause any problems?
  • With this method, the local repository on each school's server is empty unless a school has specific needs? Only the secondary repository (the central one, https://ipdudepotdulycée/repliquedudepotwapt/) is used in principle? Is that correct?
  • Just to be sure, both repositories are indeed on the local server? And not declared individually on the clients? So all the applications are visible on each school's local console?
Other questions:
  • I think so, but perhaps under certain conditions: are we allowed to retrieve (or even synchronize) the Fourmis and Tranquil.it repositories to our own repository to have a starting software base that we can then supplement with our own? If so, is Rsync possible without SSH access?
  • Can the end user (student or teacher) see the list of software installable on their machine and install it themselves? (I believe so)
Thanks,
Benjamin
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

August 29, 2016 - 10:30 PM

Benjam wrote: Hello,

A huge thank you for these answers which allow me to properly lay out the project in my mind before putting it into testing (I am preparing a virtual test environment; it takes a little time on my machine...lol).

The second solution corresponds to what I would like to do because, depending on the establishment, local managers sometimes have only limited knowledge of IT (and not necessarily the desire to get more involved).
sfonteneau wrote:The second solution is to use multiple repositories in each high school:

Basically, for the WAPT client, two repositories are available: the central repository and the school's internal repository. This will allow for flexibility for the network administrator. For security reasons, the private key of the central repository must not be disclosed.

You can already test it with this: https://wiki.lesfourmisduweb.org/index. ... -Repo_Wapt using tranquil.it to understand it better.

And then, once you've tested it, to avoid overloading the main repository, you'll need to replicate the central repository to the private repository. So, for the client, we can do something like this:

The client will have the repository:

https://ipdudepotdulycee/wapt/
https://ipdudepotdulycée/repliquedudepotwapt/

And for the replication, here's a tutorial:
https://wiki.lesfourmisduweb.org/index. ...ts_distant

I know it's not clear, but I don't know how to explain it better than that
Yes, it's clear, with just two or three minor exceptions:
If I put a Wapt server and a console on the main repository to have a better view of the available software and to allow other authorized people to easily upload it, will that cause any problems?
No worries
Benjam wrote: With this method, the local server repository for each institution is empty unless a particular institution has specific needs? Only the secondary repository (the central one, https://ipdudepotdulycée/repliquedudepotwapt/) is used in principle? Is that correct?
There will still be the groups and the host packages in http://wapt/wapt-host/
Benjam wrote: Just to be sure, both repositories are indeed on the local server? And not declared individually on the clients? So all the applications are visible on the local console of each high school?
Both repositories will be declared on each client and in the console's configuration file. The public key of the central repository must also be copied to each client ---> see documentation
Benjam wrote: Other questions:
I think so, but perhaps under certain conditions, are we allowed to retrieve (or even synchronize) the Fourmis and Tranquil.it repositories to our own repository to have a starting software base that we can then supplement with our own? If so, is Rsync possible without SSH access?
Regarding replication without SSH access, I created a script that doesn't require SSH or any other access, only HTTP access and a crontab command: https://github.com/sfonteneau/wapt-repo ... ion-script
Benjam wrote:
Can the end user (student or teacher) see the list of software that can be installed on their computer and install it themselves? (I think so)
Benjam
Yes, it's self-service under wapt, it can be configured.
Benjamin
Messages: 8
Registration: August 25, 2016 - 6:53 PM

August 30, 2016 - 9:52 PM

Good evening,

Thanks for your reply, that's nice of you.
sfonteneau wrote:There will still be the groups and the host package in http://wapt/wapt-host/
I hadn't thought of that, but it makes sense.
I haven't quite grasped the role of host packages compared to software packages yet, but since I haven't had much time to delve into it, that's normal :)

sfonteneau wrote:
Benjam wrote:Just to be sure, both repositories are indeed on the local server? And not declared individually on the clients? So all the applications are visible on the local console of each high school?
Both repositories will be declared on each client and in the console's configuration file. The public key of the central repository must also be copied to each client ---> see documentation
I misspoke on this point; my question is whether the second repository needs to be manually configured on the clients? Or does the custom Wapt installer do it automatically? (I think it's the second case, but I want to be sure).
And I imagine both repositories can ultimately be on the same local WAPT server of the institution?

sfonteneau wrote:Regarding replication without SSH access, I created a script that doesn't require SSH or any other access, only HTTP access and a crontab: https://github.com/sfonteneau/wapt-repo ... ion-script
Great, it's fantastic for getting the classics and only having to create the specific packages

sfonteneau wrote:
Benjam wrote:Can the end user (student or teacher) see the list of software that can be installed on their computer and install it themselves? (I think so)
Yes, it's self-service under wapt, it can be configured.
That's great.


Ultimately, in theory, it's a brilliant solution and perfectly matches what I'd like to implement.
Now I need to find some time (not easy right now with the start of the school year) to set up a demo to "sell" this system to my superiors.
I'm still going to request training to master the tool as much as possible, but it's not a sure thing.



Another small question, more on the equipment side:
What hardware configuration is needed for the WAPT server in the establishments, depending on the number of workstations, given that our networks have between 150 and 1500 PCs depending on the establishment?
What configuration is needed for the central server/repository knowing that it will be synchronized by approximately 150 establishments (not all at the same time, but necessarily several at the same time if we want availability for the next day everywhere)?
For the console, I imagine an "office" machine (W7, 2 to 4 GB RAM, Dual-core) is sufficient?


Thank you so much again for your help and advice.
I will not hesitate to come back to ask questions and keep you informed of progress as soon as I have been able to start testing.

Good evening,

Benjamin
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

August 31, 2016 - 8:36 PM

Benjam wrote:I misspoke on this point, my question is whether the second repository needs to be manually configured on the clients? Or does the custom Wapt installer do it automatically? (I think it's the second case, but I want to be sure).
You can indeed integrate it into the installer, but you can also create a package that will do it automatically. (That way, the local repository won't be empty anymore.)
Benjam wrote: And I imagine both repositories can ultimately be on the same local WAPT server of the institution?
Yes, that's how I did it:
local wapt database: http://wapt/wapt
host wapt database: http://wapt/wapt-host
additional repository: http://wapt/wapt_repocentral (replicated with my script)

Benjam wrote: Ultimately, in theory, it's a brilliant solution and perfectly matches what I'd like to implement.
Now I need to find some time (not easy right now with the start of the school year) to set up a demo to "sell" this system to my superiors.
I'm still going to ask again for training to master the tool as much as possible, but it's not a sure thing.
The best thing would be for you to contact tranquil.it to get a quote for "training/setup" (they would train you and help you set up the project)
Benjam wrote: Another small question, more on the hardware side:
What hardware configuration is needed depending on the number of workstations for the WAPT server in the establishments, knowing that our networks have between 150 and 1500 PCs depending on the establishment?

To give you an example, at my place wapt has 2 GB of RAM for 150 workstations and it runs well.
Benjam wrote: What configuration is needed for the central server/repository, given that it will be synchronized by approximately 150 establishments (not all at the same time, but necessarily several simultaneously if we want availability everywhere for the next day)?
For the console, I imagine a standard office machine (Windows 7, 2 to 4 GB RAM, dual-core) is sufficient?
It's like having 150 PCs, but it's mainly your internet connection that's going to suffer. Do you have fiber?
When setting up crontabs, try to stagger the schedules.
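
The staggering advice above, sketched as an added example that is not part of the original thread or of the replication script it links to: each school derives its own nightly cron minute from a hash of its site identifier, so roughly 150 sites spread over a window without central coordination. The site names, the 22:00 to 05:00 window, the 20-minute sync duration and the command path are assumptions.

```python
import hashlib

MINUTES_PER_DAY = 24 * 60
# Assumed values, not from the thread: a nightly window of 22:00-05:00 and a
# placeholder path standing in for whatever replication command a site runs.
WINDOW_START = 22 * 60
WINDOW_LENGTH = 7 * 60
REPLICATION_CMD = "/usr/local/bin/PLACEHOLDER-replicate-central-repo"


def stagger_slot(site_id, start=WINDOW_START, length=WINDOW_LENGTH):
    """Minute of day (0-1439) at which this site starts its sync.

    The offset comes from a hash of the site identifier, so every site can
    compute its own slot locally and gets the same slot every night.
    """
    digest = hashlib.sha256(site_id.encode("utf-8")).digest()
    offset = int.from_bytes(digest[:4], "big") % length
    return (start + offset) % MINUTES_PER_DAY


def cron_line(site_id, command=REPLICATION_CMD):
    """Crontab entry (minute hour day month weekday command) for one site."""
    hour, minute = divmod(stagger_slot(site_id), 60)
    return f"{minute} {hour} * * * {command}"


def peak_overlap(site_ids, sync_minutes, start=WINDOW_START, length=WINDOW_LENGTH):
    """Largest number of sites pulling from the central repository at once,
    assuming every sync lasts sync_minutes."""
    load = [0] * MINUTES_PER_DAY
    for site in site_ids:
        slot = stagger_slot(site, start, length)
        for m in range(sync_minutes):
            load[(slot + m) % MINUTES_PER_DAY] += 1
    return max(load)


if __name__ == "__main__":
    sites = [f"lycee-{n:03d}" for n in range(1, 151)]  # constructed names
    for site in sites[:3]:
        print(site, "->", cron_line(site))
    print("peak with staggering:", peak_overlap(sites, 20))
    print("peak if all start at 22:00:", peak_overlap(sites, 20, length=1))
```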
Benjamin
Messages: 8
Registration: August 25, 2016 - 6:53 PM

August 31, 2016 - 11:27 PM

sfonteneau wrote:You can indeed integrate it into the installer, but you can also create a package that will do it automatically. (That way, the local repository won't be empty anymore.)
Cool; the idea was just to check that there was no need to act on each client other than to deploy the service.

sfonteneau wrote:Yes, here's how I did it:
local wapt database: http://wapt/wapt
host wapt database: http://wapt/wapt-host
additional repository: http://wapt/wapt_repocentral (replicated with my script)
Re-cool :) I suspected as much, but I wanted confirmation.
sfonteneau wrote:The best thing would be for you to contact tranquil.it to get a quote for "training/setup" (they would train you and help you set up the project)
That's what I just did, and once the quotes are done, I hope to get approval from my superiors for training for myself and my colleagues
sfonteneau wrote:To give you an example, at my place wapt has 2 GB of RAM for 150 machines and it runs well.
It's like having 150 PCs, but it's mainly your internet connection that's going to suffer. Do you have fiber?
When setting up the crontabs, try staggering the times.
Okay, the required configuration seems reasonable.
There is fiber optic internet available in about half of the establishments at the moment, but they will all be connected in the coming months/years.


Thank you again for your invaluable help.
With that, I'm going to bed because I have to work very early tomorrow.

Benjamin