Import substitution in practice. Part 1. Options



    Due to the fact that 2020 is approaching and “hour he”, when it will be necessary to report on the implementation of the order of the Ministry of Telecommunications and Communications on the transition to domestic software (as part of import substitution), it’s not a simple task , but from the registry of the Ministry of Telecom and Mass Communications , the task of developing a plan came in fact, according to the execution of the order of the Ministry of Communications and Mass Media No. 334 of 06/29/2017. And I began to understand.

    The first article was about how Russian Helicopters did not have to . And she called so much hype, so many comments were written under her that, frankly, I was a little shocked ...

    So, as promised, the time has come to begin "a series of articles on how we executed the order and fought circumstances." I don’t know how long this cycle will be, but there is a desire to describe the whole process from beginning to end, but there is not enough time for it, because writing articles takes up a lot of time, and you need to feed your family =)

    The first article will be devoted to studying existing options and their superficial analysis to chart the study of options in practice. For before you assemble a test bench, you need to understand what to test on it.
    So, please, under cat.

    Chapter 1. As is

    In order:

    Hyper-V, ESXI as virtualization platforms. Why both? Because one is in the parent company, the other in the branch. This has historically happened (c)

    Windows Server 2012 R2 \ 2016 and CentOS 7 as server

    Windows 7 OS as client OS

    1c at the implementation stage based on MSSQLServer Standard

    TECTON on Firebird 1.5 (Don’t even ask ... But you still ask, yes ? .. Well, this is someone’s Promotion project, which was bought by our Enterprise at the turn of 2005, it seems, for reasons unknown to me. And now we are unsuccessfully trying to switch from it to 1s ..)

    OASISon the same MSSQLServer Standard as reporting software in the

    Zabbix FIU on MariaDB

    Exchange and Zambra OSE . Why both this and that? Because we have 2 network circuits. One of which is in no way connected with the outside world and the second circuit ... well, IS believes that this is necessary, and does not allow us to configure routing and do everything right, but who are we to argue with IS? In a word, it has historically happened (c) (2)

    IFS on Oracle , CompanyMedia on IBM Domino. The first one is for pre-contractual activities, the second is a “working” document flow ... Why is CompanyMedia on a file database in 2019? Do not believe me, I asked them the same question - they did not come up with an answer. Why is a monster like IFS needed for pre-contractual activities? Yes.

    Microsoft Office. Here it is necessary to clarify. In addition to the standard user set, we have from time immemorial (read before I came here) we have been drawn to a database written in Access. What is in it and why - I don’t have the slightest idea, but “we really need it sooooo, we won’t be able to work without it!”, And on Excel we have soooooo ... It’s impossible to figure out how it works, and how it works to leave is also unknown. A huge number of macros are wound there, which pull data from the darkness of files and do something with them. How this works, even the author of this creation does not know. To rewrite this is akin to redesigning the database ... In a word, we simply won’t be able to take and leave MS Office.

    Satellite as an Internet browser recently

    OpenFire + Pidgin as a chat

    Consultant +and TechExpert

    Veeam Backup & Replication and Veeam Agent for Windows in their free version.

    Well, a bunch of Windows server chips, such as AD, DNS, DHCP, WDS, CS, RDP, Remote App, KMS, WSUS and more on the little things.

    All this rose almost from scratch, then with blood, suffering and googling. And now it's time to destroy it all. There should be an offscreen homeric laughter, and in the eyes of the protagonist, read me, tears should well come up ...

    But is it all terrible? Let's watch the options.

    Chapter 2. How it should be

    You can follow the path of Russian Helicopters, that is, try to completely reject enemy Windows-based systems, and switch to 100% "domestic" (quotation marks are not random) software. The "hardcore" option is supposed to be fun to demolish all Windows, put any OS you like from the registry of the Ministry of Communications with MyOffice or LibreOffice wrapped in it, and see which user comes up. Fun? Of course. Is it productive? Not at all.

    To understand further considerations, I will give the contents of the software in Astra Linux SE 1.6, from which it follows that the entire infrastructure, which is now based on Microsoft products, can be replaced with software within Astra. It is possible - does not mean it is necessary. I have not tried all this in a test environment with at least a couple of dozens of nodes, I just deployed a test bench, and even then I looked superficially. But there are tools.

    Software Included Astra Linux Special Edition 1.6
    • Fly-wm
    • PostgreSQL
    • Libreoffice
    • Apache2
    • Firefox
    • Exim4
    • Docot
    • Thunderbird
    • Gimp
    • alsa
    • VLC
    • Cups
    • Bind9
    • Iscdhcpserver
    • SAMBA

    On the OS site in the release description there is a tale that Zabbix is ​​present in the composition. But if you rummage through the Wiki, there is an article on how to install Zabbix ... from which we can conclude that Apache, Postgre, php - all this is installed from the repository. And we said above that only what is part of the package is legitimate ... And this confusion pisses me off !!!! 11 Well, in the sense that it is not clear what is possible and necessary, and what is impossible and "it will not work". It appears that packages from the repository are also legitimate. But is it? It seems that - yes, but ...

    As a result, we have to assume that everything that is in the OS repositories can be called domestic software. We turn off the logic and just do as everyone does. We put, use and report on import substitution.In the end, we all know why all this was invented ..

    You can also upgrade the entire infrastructure based on ROSA Linux Enterprise Server . I have not tried this either. (All tests and results will be published in the next article of this series, if everything goes as planned.)

    ROSA Enterprise Linux Server bundled software
    • IPA domain implementation tools (similar to Microsoft Active Directory)
    • Nginx and Apache
    • MySQL and PostgreSQL
    • Zimbra, Exim, Postfix and Dovecot
    • pacemaker, corosync
    • DRBD
    • Bacula
    • ejabberd
    • CIFS, NFS, Bind, DHCP, NTP, FTP, SSH
    • Zabbix
    • ROSA Chattr Advanced Attribute Management Tool
    • ROSA Crypto Tool Information Encryption Tool
    • ROSA Memory Clean
    • guaranteed removal of rosa shred files

    And you can take free Calculate Linux and build the entire infrastructure on its basis. The list of Calculate Linux packages can be found here .

    It follows from the above that it is possible to raise all the necessary infrastructure, in fact, from scratch. This will require enormous resources, tons of administrators nerves, tons of coffee and a lot of time for debugging. The entry threshold will be sooooo hard to overcome. But you can. But difficult. But it will work. But difficult. But ... But ...

    Another option is to leave everything as it is, and hope that there will be no checks and they will simply forget about us. But we need to report to the ministry on the transition to domestic software for each year. So also not an option.

    Therefore, I propose to approach from the side of common sense.

    There is such a plate:


    Further, in essence, extensive reasoning follows, so who is not interested, you can immediately proceed to the resulting plate (Chapter 2.1.). And those who love mnogabukaff - welcome.

    So here. We need to bring the indicators to the established limits. In fact, this means that we must replace the existing OS with products from the registry of the Ministry of Communications and Communications and bring the number of replaced operating systems to 80%. Moreover, no distinction is made between server and client OSes. This gives us room for maneuver. Which one? We can stupidly supply users with OS-based thin clients from the registry, and drive them all into RDP. In our case, when the number of employees is about 1500 people, we get 1200 “pieces” (actually more, since we have not only user OSs, but server ones as well, but now the article is not about exact calculations), and 300 remains on those the most 20%, which can not be changed. And what, 300 servers under Windows will not be enough for us to normally build the familiar architecture? This also includes specific software, which does not know how to work on anything other than Windows, and often also on Windows XP. But 300 cars. Will not be enough? Seriously?

    Here it should also be noted that the best practice in this case will be early training for employees to work with new software. Without this, there is a huge risk of simply kneeling the entire production, and paralyzing the work of the entire enterprise for an indefinite period. For if everything is not so scary with the OS, the user often does not need anything from it except launching the Office application \ browser \ 1s, searching for the necessary file and launching the solitaire. But in Office \ 1s they work constantly (we don’t take into account design engineers yet - about CAD there is a footnote in Chapter 2.1. - production, etc.), all reporting goes through Excel filters, etc. Well, for those who, for one reason or another, cannot work in free software, welcome to RDP.

    So, we can safely leave the cluster on Hyper-V, since we have it and we like it, it's 12 nodes in our case, we will have to leave ESXI . Plus, it needs an “iron” domain controller + virtual domain controller. Total 14. Well, or leave ESXi, leaving Hyper-V, as you like, the numbers will still be the same. On domain controllers we will have AD, DNS, DHCP, CS . With a small number of screw machines WSUS can be neglected. KMS can also be screwed onto a domain controller. WDS is no longer needed. Of the Windows services, there are still RDP servers. Well, we still have in stock 286 unused potential "pieces" under Windows. The RDP farm will occupy another 8-10 Windows OS. A total of 276 units we have left for specific software for scientific departments and CAD.

    It does not matter what operating system it will be - the Astra , ROSA , of Calculate , Alteros , LOTUS , of Halo OS , Alt Linux , the QP OC . You need to choose what will satisfy users. I can’t say how to choose, these are very subtle matters. In fact, all of them are at least similar in appearance (and this is only important for the user because it looks and how convenient it is to use). I just install a couple of each OS and ask the least busy bukh for half an hour or an hour to use. They will probably dance from that.
    AlterOS and Halo OS are not on open sale. So I won’t consider them, because this “not quite business” doesn’t attract me at all.

    Regarding OS OS
    The license agreement says:

    1.4 The license agreement does not provide an exclusive right to the Software Product, but only the right to use one copy of the Software Product for non-commercial purposes in accordance with the conditions specified in Section 2 of the License Agreement.

    2.4 Licensee has the right to non-commercial use of the Software Product on an unlimited number of servers and workstations.

    Thus, we cannot use it at the Enterprise, although it is included in the register of the Ministry of Communications. This is sad for the reason that it is free. But the developers have something with the site, because for several weeks now I can’t download the distribution kit, and I didn’t receive a reply to the letters of support. What? Why? I do not know.

    Office Packages
    The situation is the following - we also need to bring the number of domestic “offices” to 80%, which also amounts to 1200 “pieces”. These 1200 pieces are already included in the Linux-based OS, which we will install for users. It doesn’t matter, all distributions have a free office suite. Most often it is LibreOffice . But on the RDP servers we can safely put the package from Microsoft, since we do not want users to get out of work for an indefinite period of time (at least before undergoing training to work with new office software), because they cannot be found in the new spreadsheet your favorite button. It also has a separate plus - backing up employees' documents, which will lie in one place, and the death of the hard drive is no longer terrible.

    Will have to be demolished. Unfortunately, there is no way around this figure of 80%, since the order states “the number of users”, and not% of the number of mail servers at the Enterprise. And since we need to replace it with something from the registry of the Ministry of Communications and Mass Media, our choice is not very large. This is either CommuniGate Pro , or MyOffice Mail , or P7 Office. Server . And you can put ROSA in both networks, which has Zimbra, and rejoice, because for my taste Zimbra is much more convenient and enjoyable than MyOffice Mail, which is a little more awful than completely, and I didn’t like CommuniGate Pro either. Plus Zimbra can easily grab all the mail with Exchange if necessary to save users the history of correspondence. Btw, on Zimbra OSE I wrote a couple of articles on Habr ( deployment and configuration , backing up and restoring and creating and updating AD-based mailing lists ) But, it tastes and color, as they say.

    Legal reference systems
    If they were, then most likely this is some kind of Guarantor , Consultant + , TechExpert and others like them. That is, they are Russian-made. If not, there is a choice =)

    Antivirus software
    Also, 100% should be domestic. Well, they can’t entrust the defense of the national defense to bourgeois programs ... Kaspersky , Dr.Web , Nano can choose .

    Veeam BackUp and Replication . The situation with him is strange. It has a version certified by the FSTEC, but there are no products from Veeam in the register of the Ministry of Communications. On the other hand, the order of the Ministry does not include the column “Software for backup”. So the situation is twofold. In case we leave Windows-based services, and especially Hyper-V, Veeam greatly simplifies the backup of virtual machines, it is very convenient and unpretentious, and Veeam agent for WindowsIt allows you to backup file garbage, it has a very simple setup and convenient interface, there is an automatic detection of data duplication and their clipping, etc. In a word, if we leave the Microsoft hypervisor, we can try to write a piece of paper stating that Veeam has no analogues and that we really need it. The attempt is not torture, but I won’t say what comes of it.

    Here the questions begin, as they seem to have a version for Linux. And it seems that even it works. But in reality no one uses it. Therefore, we will have to send another Windows machine for server 1s. And even two. Total 274 left. DBMS - PostgreSQL , of course. Despite the fact that he is not domestic, but he is in the register of the Ministry of Commerce and Industry. 1s knows how to work with it, and the DBMS itself is very good. It’s not easy to set up, but it’s not bad at all. In addition, it easily gets up on any Linux distribution, and as part of the same Astra is generally supplied.

    Well, with IFS it’s clear that you will have to leave 100%. Company Media - questions remain. Domestic software, is in the register of the Ministry of Communications, all matters. But. IBM Domino is licensed and purchased separately, and therefore cannot be used. Company Media , on the other hand, has a version for PostgreSQL . But we implemented exactly IBM Domino . Yes, I have a persistent negative to this “product” of the Intertrust company with the name Company Media, it starts to bomb me from just mentioning it. But this is not the case. So either we are moving CM to PostgreSQL, or we are looking for another workflow system. In the registry there is somethingselect. But at this stage I will not dwell on this issue, since a lot of money has been spent on Company Media, and its further fate is not yet clear, but I want to believe in common sense and just transfer the system to PostgreSQL. So just leave the list of software from the registry.

    Multimedia tools
    I do not consider. Not only are they narrowly applicable, but at Enterprises covered by the import substitution program, if they are used, they are only used to bookmark postcards by February 23 by accounting staff. And “essential goods” are present in the OS.

    Internet browsers
    Allowed by Yandex.Browser , Sputnik . At the same time, Mozilla Firefox is present in almost all OS from the registry. I think this is just no problem. And for applications that can only in InternetExplorer, we left a loophole in the form of RDP servers.

    Naturally, we refuse. Why? Because we need to implement 1s Bitrix24 ! In fact, we do not refuse for this, but because it is not in the registry, but in general we replace the chat with a portal that has a chat service, so ... well ... this is ... you understand. Here. Yeah. Yes. Or you can use ejabberd as a jabber server as part of ROSA Linux. There is also a chat client, if not mistaken - Mirka. This is in case you do not have 1s Bitrix24.

    Of course, it is not represented in the register of the Ministry of Communications. But. The Astra Linux 1.6 release states that it includes Zabbix version 3.4. So if we want to get a “legitimate” Zabbix, then we need at least one copy of this OS.

    Mail client
    Thunderbird is introduced in the package of almost all OS from the registry. If he is not happy, then you will have to buy separately, as part of the same MyOffice , for example, or “P7-Office. Organizer . " To be honest, I no longer found individual mail clients in the registry of the Ministry of Communications. Thunderbird made me happy too. If you write in comments - I will add here.

    Bank customers
    It is necessary to test. In theory, Cryptopro can do Linux, but in fact, I have not personally tested it. It should work in theory, but if something goes wrong, then we have an option with an RDP server.

    Chapter 2.1. Mixing

    As a result, I got such a plate with options, on the basis of which conclusions will be drawn and plans will be made:

    Which is logical - if there is still a need to switch from a Windows domain to Astra or Rosa, or whatever, it makes sense to translate client machines on a product of the same manufacturer, so you can reduce the number of errors when trying to "make friends" with one another.

    In relation to PostgreSQL and PostgreSQL PRO, you need to understand that they have significant differences , including speed. The PRO version is more productive. For the “normal” operation, the same 1s free version is most likely not enough.

    Astra Linux SpecialEdition and ROSA DX "NICKEL" are protected systems certified for work with the state secret, secret, etc.

    Regarding CAD : In the comments on the previous article, these questions were raised. ROSA Linux has the following packages in the repositories :

    • Freecad
    • Kicad
    • Librecad
    • Opencascade
    • QCAD
    • QCAD3d

    Naturally, all this is free software. But, since CAD packages are not indicated in the registry of the Ministry of Communications, this type of software will most likely fall into the “indispensable” category, and it can be purchased or used under existing licenses by writing the corresponding paper to the ministry.

    The same is true with other highly specialized software, which, at our Enterprises, unfortunately, is a lot. We'll have to write papers and beg to not tear down a tear, and provide an opportunity to continue to work. Most likely they will give permission.


    I will not be original. All this "fuss" with import substitution looks extremely strange if you choose soft expressions. In fact, our software only produces Yandex , Acronis , Kaspersky , 10-Strike (with a stretch), 1s , Ascon , Abby , Dr.Web. Well, and a bunch of small companies. But all this is so narrow niche development (with the exception of Yandex, perhaps) that we can say that we almost do not have software. And all that is offered to us within the framework of the import substitution program is simply “proven” software of foreign development. That is, in fact, we are offered for money (and considerable) the same software that we could download and use for free. ROSA is based on Mandriva, Astra - Debian GNU. Astra can connect the Debian repository and upgrade. An interesting thing is the result. All packages for the same DNS, DHCP, ALD, ROSA Domain, Dovecot and everything else are nothing more than open source packages, some of which were “tinted and plastered” a little, and the rest were not touched at all, they were just “checked” on the availability of bookmarks. What kind of "domestic software" is in question is unclear.

    On the other hand, Linux admins will be accustomed to working with already familiar software, which will slightly lower the entry threshold. But be that as it may, all industry-controlled enterprises under control will have to switch to this "domestic" software. So, "see you in the next article," if they don’t put me in this one and do not fire me =)

    Further on, you can read:

    An article about choosing a domestic hypervisor.

    An article about "domestic" operating systems.

    An article about systems and services.

    And about the QP OS in addition.

    Also popular now: