UCS 4.1 – Status and Roadmap

I already reported on the status of UCS and the roadmap back at the Univention Summit in January. Since then, however, there have been a number of developments. After we recently reported on UCS 4.1-1, the first point release of Univention Corporate Server 4.1, it is high time that we provide an overview of what will be happening in the near future.

The fourth generation of UCS performs three functions at the same time: It serves as a runtime environment for apps, as an app management system, and, finally, as a solution to simply set up servers in on-premise and cloud environments.

The most important element are the apps. Our App Center opened its virtual doors three years ago, and we now have 81 applications in the catalog. Our dream of making the App Center available to third parties has come true in an impressive fashion: There are already 56 apps from external developers available, and it’s growing. More on growth coming up.

81 Apps – Focus on Enterprise Applications

The focus is – and will remain – on enterprise applications. For example: the App Suite from Open-Xchange and Zarafa web meetings. However, the catalog also features a range of infrastructure apps such as the client management system opsi and Kaspersky Security for Mail Server. 25 of the apps are Univention developments or applications that we maintain and which function as components of UCS, including Virtual Machine Manager and the Active Directory-compatible, Samba 4-based domain controller.

The latter is implemented in UCS 4.1 in its latest version (Version 4). In this context, we currently examine how Microsoft Exchange 2013 can be integrated into a UCS 4.1 domain. More on this topic will follow in this blog soon. Virtual Machine Manager can already be used to administrate virtual machines in the local domain (based on KVM), in Open Stack and in Amazon Web Services (AWS) – all that with a single solution, scalable from a few virtual machines right up to multi-server environments with several hundred virtual machines. We intend to update the KVM packages with the update to UCS 4.2.

In Addition: Mail Servers and Monitoring

More on apps: 2015 saw the adoption of the mail server Dovecot in UCS. We are now developing a simple configuration wizard for mail server setup, improving the Fetchmail integration, and implementing safety features such as SPF, DKIM, and DANE.

Action is required in the field of monitoring: We integrated Nagios in UCS  a long time ago and Icinga 1, a fork of Nagios, is also available in the App Center.  Both packages are outdated, so we need to do something here. Which of the two solutions we will be choosing in the future is largely dependent on additional investigations into compatibility and sustainability. More as it comes…

There are 81 apps in total today and this number is set to grow further and further, as a large selection of innovative applications represents a lot of value for enterprise customers. However, this is a challenge for Univention which must not be underestimated. After all, not all apps are running in the same environment. As such, when creating dynamic websites, the pretty certain result is that different PHP versions need to be run. And that’s just one example: the maintenance efforts also increase incessantly with each new app and each UCS update.

App Eco System Grows With Docker

Docker is the solution. We’re sure of this, which is why we integrated Docker into UCS 4.1’s App Center. The software can be used to package applications into containers and thereby keep them isolated both from each other and from the system as a whole.

Admittedly, we were only able to choose this path because we are aware of the security challenges. When scanning Docker images in November 2015, the developers identified that, among other things, 80% of the containers were potentially vulnerable to Heartbleed attacks – a year and a half after this gap in OpenSSL had already been fixed. For this reason, we paid special attention to the ability to update Docker containers easily.

Docker allows us to prevent apps from influencing each other and triggering critical system situations during UCS updates. The concept is a step towards completely secure encapsulation – not only of the respective apps from each other, but also from the system as a whole. In this respect, we are currently involved in a joint research project with the German Research Center for Artificial Intelligence (DFKI).

We will both include new applications in the App Center as containers and transfer already installed apps to Docker. Especially for new apps, we are maintaining close contact with the developers. The first release of a Docker-based app (TecArt) was right on time for the Univention Summit at the end of January. Work is currently under way on the project management tool Jira and the  multi-platform administration tool FileWave. More to come…

Assistance with Migration to Docker for Third Parties

With regard to the conversion of already installed apps into Docker containers, we have started with smaller apps: the collaboration editor Etherpad and the scheduling solution Dudle. More complex apps will follow as soon as we have gathered sufficient experience. What we have already noticed: Conversion is no mean feat. However, we remain confident that we will make considerable progress this year.

When the time comes, software developers have the choice between developing Docker containers for the App Center themselves or providing us with Debian packages, which we then use to create containers at no extra cost. Ultimately, the openness that Docker brings with it conceptionally will put us in a position to expand our App Center beyond the UCS world and include apps which do not support UCS natively. A few days ago, we released the first native Docker app in the App Center: Jenkins. This was a very important milestone for us and will help us to reduce the efforts required of ISVs for the provision of apps.

And that’s not all: Docker opens up yet another perspective, namely that of microservices, i.e., an architecture comprising predominantly uncoupled, reusable program modules, which can be combined and recombined into complex software applications with the help of language-independent APIs. However, this involves the prerequisite that a single app can start multiple containers simultaneously. That’s what we are hard at work on right now.

That’s not the end of the app news either: We have released app appliances (combinations of a UCS runtime environment and the apps themselves) for VMware, Virtualbox, and KVM. This makes it possible to create very simple test and setup possibilities. This will really boost all apps, once we distribute the appliances across the different clouds automatically, which should be the case this year. The next step is therefore to provide the app developers with the opportunity to incorporate their own branding into their appliances.

UCS Management with SSO and Self Service

As far as apps are concerned, UCS 4.1 functions not only as a runtime environment, but also as an app management system – by the way, one project managed by our Professional Services Team includes 30 million (!) users.

From a user perspective, this offers the convenience of single sign-on for the entire company network, whether on a Windows client, groupware, or ERP system. The management system also offers admins convenience and security: If a user is erased, he is permanently prevented from logging in to any app , irrespective of whether on a local server or in a cloud environment.

The single sign-on is possible thanks to the integration of Security Assertion Markup Language (SAML) in UCS 4.1. ownCloud and Open-Xchange offer SAML support from our App Center, but it can also be used in the proprietary world, for example with Google Apps for Work and Office 365. We are currently working on connectors for both solutions. They should already be available by the end of this month. Just to calm any fears: Passwords and password hashes are of course not synchronized with the proprietary cloud services. Speaking of security: UCS 4.1 now allows two-factor authentication – with interfaces between our management interface and the solution privacyIDEA.

Further improvements in terms of management: UCS 4.1 now features a self-service module allowing users to reset their password autonomously using a stored telephone number or e-mail address. You wouldn’t think it, but that translates to considerable potential savings: The Volkswagen Group spends around one million euros on password resets annually.

Continuous Improvement and UCS 4.2

Continuous improvements in the true sense of the word: Our errata updates also contribute to this idea – for all UCS versions being maintained, not just for the latest 4.1 – and are then, in turn, released in bundles as patch level releases. Improvement of usability also remains incredibly important. There is a distinct demand for continuous improvements, for example for DNS and DHCP administration in the management system or for access via mobile devices.

What’s next after UCS 4.1? 4.2 is set to be released in fall 2016 – it will be based on Debian 8 (Jessie). This change of the distribution base in the scope of a minor release may appear unusual, but as we think there is no alternative, as the software basis would otherwise become outdated too quickly. With the help of Docker, the App Center, and our state-of-the-art update mechanisms, we  ensure that this transition is as smooth as possible.

Speaking of minor releases: With immediate effect, the time frame in which customers need to upgrade to the next one to receive security updates will be extended from 6 to 12 months for customers with a maintenance subscription. In addition, as the rules applies that security and bug fixes are provided for the current and previous release, users of 4.1 will still be safe for one year after the release of 4.2.