Import substitution in practice. Part 1. Options

Introduction

Due to the fact that 2020 is approaching and “hour he”, when it will be necessary to report on the implementation of the order of the Ministry of Telecommunications and Communications on the transition to domestic software (as part of import substitution), it’s not a simple task , but from the registry of the Ministry of Telecom and Mass Communications , the task of developing a plan came in fact, according to the execution of the order of the Ministry of Communications and Mass Media No. 334 of 06/29/2017. And I began to understand.

The first article was about how Russian Helicopters did not have to . And she called so much hype, so many comments were written under her that, frankly, I was a little shocked ...

So, as promised, the time has come to begin "a series of articles on how we executed the order and fought circumstances." I don’t know how long this cycle will be, but there is a desire to describe the whole process from beginning to end, but there is not enough time for it, because writing articles takes up a lot of time, and you need to feed your family =)

The first article will be devoted to studying existing options and their superficial analysis to chart the study of options in practice. For before you assemble a test bench, you need to understand what to test on it.
So, please, under cat.

Chapter 1. As is

In order:

Hyper-V, ESXI as virtualization platforms. Why both? Because one is in the parent company, the other in the branch. This has historically happened (c)

Windows Server 2012 R2 \ 2016 and CentOS 7 as server

Windows 7 OS as client OS

1c at the implementation stage based on MSSQLServer Standard

TECTON on Firebird 1.5 (Don’t even ask ... But you still ask, yes ? .. Well, this is someone’s Promotion project, which was bought by our Enterprise at the turn of 2005, it seems, for reasons unknown to me. And now we are unsuccessfully trying to switch from it to 1s ..)

OASISon the same MSSQLServer Standard as reporting software in the

Zabbix FIU on MariaDB

Exchange and Zambra OSE . Why both this and that? Because we have 2 network circuits. One of which is in no way connected with the outside world and the second circuit ... well, IS believes that this is necessary, and does not allow us to configure routing and do everything right, but who are we to argue with IS? In a word, it has historically happened (c) (2)

IFS on Oracle , CompanyMedia on IBM Domino. The first one is for pre-contractual activities, the second is a “working” document flow ... Why is CompanyMedia on a file database in 2019? Do not believe me, I asked them the same question - they did not come up with an answer. Why is a monster like IFS needed for pre-contractual activities? Yes.

Microsoft Office. Here it is necessary to clarify. In addition to the standard user set, we have from time immemorial (read before I came here) we have been drawn to a database written in Access. What is in it and why - I don’t have the slightest idea, but “we really need it sooooo, we won’t be able to work without it!”, And on Excel we have soooooo ... It’s impossible to figure out how it works, and how it works to leave is also unknown. A huge number of macros are wound there, which pull data from the darkness of files and do something with them. How this works, even the author of this creation does not know. To rewrite this is akin to redesigning the database ... In a word, we simply won’t be able to take and leave MS Office.

Satellite as an Internet browser recently

OpenFire + Pidgin as a chat

Consultant +and TechExpert

Veeam Backup & Replication and Veeam Agent for Windows in their free version.

Well, a bunch of Windows server chips, such as AD, DNS, DHCP, WDS, CS, RDP, Remote App, KMS, WSUS and more on the little things.

All this rose almost from scratch, then with blood, suffering and googling. And now it's time to destroy it all. There should be an offscreen homeric laughter, and in the eyes of the protagonist, read me, tears should well come up ...

But is it all terrible? Let's watch the options.

Chapter 2. How it should be

You can follow the path of Russian Helicopters, that is, try to completely reject enemy Windows-based systems, and switch to 100% "domestic" (quotation marks are not random) software. The "hardcore" option is supposed to be fun to demolish all Windows, put any OS you like from the registry of the Ministry of Communications with MyOffice or LibreOffice wrapped in it, and see which user comes up. Fun? Of course. Is it productive? Not at all.

To understand further considerations, I will give the contents of the software in Astra Linux SE 1.6, from which it follows that the entire infrastructure, which is now based on Microsoft products, can be replaced with software within Astra. It is possible - does not mean it is necessary. I have not tried all this in a test environment with at least a couple of dozens of nodes, I just deployed a test bench, and even then I looked superficially. But there are tools.


On the OS site in the release description there is a tale that Zabbix is ​​present in the composition. But if you rummage through the Wiki, there is an article on how to install Zabbix ... from which we can conclude that Apache, Postgre, php - all this is installed from the repository. And we said above that only what is part of the package is legitimate ... And this confusion pisses me off !!!! 11 Well, in the sense that it is not clear what is possible and necessary, and what is impossible and "it will not work". It appears that packages from the repository are also legitimate. But is it? It seems that - yes, but ...

As a result, we have to assume that everything that is in the OS repositories can be called domestic software. We turn off the logic and just do as everyone does. We put, use and report on import substitution.In the end, we all know why all this was invented ..

You can also upgrade the entire infrastructure based on ROSA Linux Enterprise Server . I have not tried this either. (All tests and results will be published in the next article of this series, if everything goes as planned.)


And you can take free Calculate Linux and build the entire infrastructure on its basis. The list of Calculate Linux packages can be found here .

It follows from the above that it is possible to raise all the necessary infrastructure, in fact, from scratch. This will require enormous resources, tons of administrators nerves, tons of coffee and a lot of time for debugging. The entry threshold will be sooooo hard to overcome. But you can. But difficult. But it will work. But difficult. But ... But ...

Another option is to leave everything as it is, and hope that there will be no checks and they will simply forget about us. But we need to report to the ministry on the transition to domestic software for each year. So also not an option.

Therefore, I propose to approach from the side of common sense.

There is such a plate:



Further, in essence, extensive reasoning follows, so who is not interested, you can immediately proceed to the resulting plate (Chapter 2.1.). And those who love mnogabukaff - welcome.

So here. We need to bring the indicators to the established limits. In fact, this means that we must replace the existing OS with products from the registry of the Ministry of Communications and Communications and bring the number of replaced operating systems to 80%. Moreover, no distinction is made between server and client OSes. This gives us room for maneuver. Which one? We can stupidly supply users with OS-based thin clients from the registry, and drive them all into RDP. In our case, when the number of employees is about 1500 people, we get 1200 “pieces” (actually more, since we have not only user OSs, but server ones as well, but now the article is not about exact calculations), and 300 remains on those the most 20%, which can not be changed. And what, 300 servers under Windows will not be enough for us to normally build the familiar architecture? This also includes specific software, which does not know how to work on anything other than Windows, and often also on Windows XP. But 300 cars. Will not be enough? Seriously?

Here it should also be noted that the best practice in this case will be early training for employees to work with new software. Without this, there is a huge risk of simply kneeling the entire production, and paralyzing the work of the entire enterprise for an indefinite period. For if everything is not so scary with the OS, the user often does not need anything from it except launching the Office application \ browser \ 1s, searching for the necessary file and launching the solitaire. But in Office \ 1s they work constantly (we don’t take into account design engineers yet - about CAD there is a footnote in Chapter 2.1. - production, etc.), all reporting goes through Excel filters, etc. Well, for those who, for one reason or another, cannot work in free software, welcome to RDP.

So, we can safely leave the cluster on Hyper-V, since we have it and we like it, it's 12 nodes in our case, we will have to leave ESXI . Plus, it needs an “iron” domain controller + virtual domain controller. Total 14. Well, or leave ESXi, leaving Hyper-V, as you like, the numbers will still be the same. On domain controllers we will have AD, DNS, DHCP, CS . With a small number of screw machines WSUS can be neglected. KMS can also be screwed onto a domain controller. WDS is no longer needed. Of the Windows services, there are still RDP servers. Well, we still have in stock 286 unused potential "pieces" under Windows. The RDP farm will occupy another 8-10 Windows OS. A total of 276 units we have left for specific software for scientific departments and CAD.

Chapter 2.1. Mixing

As a result, I got such a plate with options, on the basis of which conclusions will be drawn and plans will be made:


Which is logical - if there is still a need to switch from a Windows domain to Astra or Rosa, or whatever, it makes sense to translate client machines on a product of the same manufacturer, so you can reduce the number of errors when trying to "make friends" with one another.

In relation to PostgreSQL and PostgreSQL PRO, you need to understand that they have significant differences , including speed. The PRO version is more productive. For the “normal” operation, the same 1s free version is most likely not enough.

Astra Linux SpecialEdition and ROSA DX "NICKEL" are protected systems certified for work with the state secret, secret, etc.

Regarding CAD : In the comments on the previous article, these questions were raised. ROSA Linux has the following packages in the repositories :

• Freecad
• Kicad
• Librecad
• Opencascade
• QCAD
• QCAD3d

Naturally, all this is free software. But, since CAD packages are not indicated in the registry of the Ministry of Communications, this type of software will most likely fall into the “indispensable” category, and it can be purchased or used under existing licenses by writing the corresponding paper to the ministry.

The same is true with other highly specialized software, which, at our Enterprises, unfortunately, is a lot. We'll have to write papers and beg to not tear down a tear, and provide an opportunity to continue to work. Most likely they will give permission.

PS:

I will not be original. All this "fuss" with import substitution looks extremely strange if you choose soft expressions. In fact, our software only produces Yandex , Acronis , Kaspersky , 10-Strike (with a stretch), 1s , Ascon , Abby , Dr.Web. Well, and a bunch of small companies. But all this is so narrow niche development (with the exception of Yandex, perhaps) that we can say that we almost do not have software. And all that is offered to us within the framework of the import substitution program is simply “proven” software of foreign development. That is, in fact, we are offered for money (and considerable) the same software that we could download and use for free. ROSA is based on Mandriva, Astra - Debian GNU. Astra can connect the Debian repository and upgrade. An interesting thing is the result. All packages for the same DNS, DHCP, ALD, ROSA Domain, Dovecot and everything else are nothing more than open source packages, some of which were “tinted and plastered” a little, and the rest were not touched at all, they were just “checked” on the availability of bookmarks. What kind of "domestic software" is in question is unclear.

On the other hand, Linux admins will be accustomed to working with already familiar software, which will slightly lower the entry threshold. But be that as it may, all industry-controlled enterprises under control will have to switch to this "domestic" software. So, "see you in the next article," if they don’t put me in this one and do not fire me =)

Further on, you can read:

An article about choosing a domestic hypervisor.

An article about "domestic" operating systems.

An article about systems and services.

And about the QP OS in addition.