On May 9, 2008, at 12:49 PM, Aaron Rosenblum wrote:
> Let me just play devil's advocate here. I think this is an
> interesting topic to discuss and I'd like to get other people's
> opinion on it. It seems like the main advantage of what you are
> trying to accomplish with VMs in this situation is administrative.
Yes, though "administrative" here would be broadly defined. I would
consider security, especially physical security, to be lumped into the
benefits package. For example, I know of a department that has an
Xserve sitting on top of a bookshelf in the administrative assistant's
office. We really want them to move it (as does she -- it's horribly
noisy) but they haven't the space and can't afford for us (central
services) to take it over and move it into the data center.
> Why would running a different VM OS instance for each dept be better
> technically than just loading up the server with more users?
> You don't need a new OS instance to add 15 more AFP/SMB accounts; in
> fact the overhead of doing so is probably much higher than just
> assigning each dept a share on a server that isn't virtualized and
> then assigning them rights to manage it (assuming the server has
> capacity). Thoughts?
Probably because we would want the departments to delegate Workgroup
Manager privileges -- account provisioning, for example (so I don't
have to be involved when someone new is employed -- the admin could
fire up a local copy of WGM on her Mac). I don't know of a great way
to allow "Jane Doe" from Classics to add a user to a group in
LDAPv3/127.0.0.1 without her being able to also see/manage/manipulate,
say, Archeology's user groups, too. And if something went awry, the
pool of responsible parties would be uncomfortably large.
Also one VM-per-department permits more generous delegation of admin
privileges overall. And, on some VMs, we may elect only to allow VPN
connections for off-campus AFP access, while other VMs may not need
that extra level of security. We may want to allow only Kerberized
AFP connections on one VM, but not necessarily with other VMs.
Per-dept VMs just offer a higher level of granularity. I want them to be
the primary admins, with us (central services) offering more like "on
call" services if they need a hand, perhaps on a per-incident basis.
And then there's portability. With the tools now, I think we can put
an agent on their current, live server and make a VM with some ease
(though I haven't tried that out). Presumably, the same would work in
reverse, when a department outgrew their VM and wanted their own
hardware to manage in-shop.
Noah
-------------------
Noah Abrahamson
Stanford University
Macos-x-server mailing list (email@hidden)