You no longer have to be an uber-geek to run a Linux server. With the release of SUSE Linux Enterprise Server 10, Novell has at last put out a product that's as easy to install, administer and use as a Windows server--in some cases, even easier. And if you're looking for more reasons to make the move, consider the OS' wide range of free development tools, applications for everything from mail to office software, a wide choice of distributions and source code that's freely available. Most important, the OS provides a solid foundation for a vast array of enterprise-level systems--app servers, database servers and file servers, to name a few.
Linux has come in a neat package for years, but only Red Hat and Novell provide enterprise-level support. With this distribution, Novell emphasized SUSE's superior security, thanks to its AppArmor application-level security service, virtualization with Xen 3.0 and improved software and system management, using the YaST management tool.
YaST Eases Setup
If you can install Windows, you can install SLES 10. Linux first-timers will find only a few unfamiliar tasks, such as configuring swap space and having to choose between file systems such as ReiserFS and ext3. In most cases, using the default values is enough. But if you want to change the defaults--say, to tweak performance based on the types and sizes of files a machine serves--help is available during installation. Novell also made sure SLES 10 integrates well with Windows; the server can be set up to authenticate against Microsoft Active Directory (and OpenLDAP and eDirectory), and it supports Samba file shares.
SLES 10 vs. Windows
We encountered only two minor disappointments during setup. First, the installer took nearly two minutes to boot and presented an empty blue screen rather than an indication of what was loading. Second, after the installer found a conflict between packages selected (a plus), the error message was longer than the window in which it appeared.
As with earlier SLES versions, YaST (Yet another Setup Tool) is SUSE's system administration tool, and it has no Red Hat equivalent. YaST's behavior is similar to Microsoft's Control Panel and the Microsoft Management Console combined: a graphical tool with many administration tools, such as Novell's ZENWorks (sold separately), that can be plugged into it. There's also a command-line version of YaST, an Ncurses-based app that has all of the same categories and tools as the GUI version, though not all of the same options for each tool.
Virtually every aspect of system administration can be done through the YaST GUI. All the main administration items found in Windows' Control Panel, such as user management, installing and configuring hardware, and service management, have YaST plug-ins that any Windows admin could understand intuitively.
The Quirkiness of Xen
SLES 10's server applications include mail server software, the popular Apache HTTP server and Xen virtualization software. Novell provides all these applications on the installation CD, and supports them in the enterprise--a major convenience that Windows doesn't provide.
The open-source Apache HTTP server is part of the Web and Linux, Apache, MySQL, PHP (LAMP) package we selected during installation. SLES 10 makes setting up and using Apache very easy--since Apache was installed during the OS installation, we went into YaST and simply turned Apache on. With a few clicks, we changed the setting for Port 80 from blocked (the default) to open on the firewall; Apache was running and we could hit our Web site's default page.
Though Novell is serious about its intent to simplify virtualization, the mere inclusion of Xen is not enough to make it ready for prime time. True, there's no free counterpart in the Windows world--you'll have to shell out extra money for programs such as VMware and their support. However, we noticed several quirks when we tested Xen. Besides some minor installation problems (such as Xen's failure to initialize a sound card and a network card), we found that when we ran the Xen-enabled kernel, the host system could not see the full 1 GB of RAM that's installed. The system reported 962 MB, whereas the non-Xen kernel reported 1,035 MB. In addition, virtual machines take their allotted memory when started: The host system no longer sees the RAM used by the virtual machine. Worse, after stopping the virtual machine, the host system did not get back the memory taken by the virtual machine until the host was rebooted.
Despite these kinks, we were able to set up Apache on our virtual machine and it worked as expected.
AppArmor Secures SuSE
Novell secures SLES 10 with AppArmor, a brilliantly easy-to-use application-level intrusion-prevention system. AppArmor has many features found in Security Enhanced Linux, but is far simpler to use. Unlike SELinux, AppArmor in Novell's distribution lets you create profiles with a few clicks. Windows has no comparable built-in protection; you'd need to buy, install and administer a separate host IPS to get this level of security.
AppArmor protects the server by giving specific programs access to designated resources only. Programs can be granted access to files and directories, and they can be given specific capabilities such as "chroot" (to change the root directory) and "reboot." Programs also can inherit permissions from other programs. Even if an exploited program is running as root, the attacker gains access to only those resources assigned to the exploited program, rather than the whole system.
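The confinement model described above, sketched as an added example (not Novell's code and not part of the original review): a constructed profile for a hypothetical daemon, /usr/sbin/exampled, is parsed and queried the way a deny-by-default policy would be. The glob matching is a simplified model of AppArmor's rules, and all paths and function names are assumptions.

```python
import re

# Constructed sample profile for a hypothetical daemon (not from the review).
PROFILE = """
/usr/sbin/exampled {
  capability sys_chroot,
  /etc/exampled.conf r,
  /var/lib/exampled/** rw,
  /var/log/exampled.log w,
  /usr/lib/exampled/helper ix,
}
"""

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', a single '*' does not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def parse_profile(text):
    """Return (capabilities, [(path_regex, permission_letters)])."""
    caps, rules = set(), []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line.startswith("capability "):
            caps.add(line.split()[1])
        elif line.startswith("/") and not line.endswith("{"):
            path, perms = line.rsplit(None, 1)
            rules.append((glob_to_regex(path), set(perms)))
    return caps, rules

def file_allowed(rules, path, perm):
    """Deny by default. No uid is consulted: root gets the same answer."""
    return any(rx.match(path) and perm in perms for rx, perms in rules)

def capability_allowed(caps, cap):
    """A capability is usable only if the profile lists it."""
    return cap in caps

if __name__ == "__main__":
    caps, rules = parse_profile(PROFILE)
    for path, perm in [("/var/lib/exampled/cache/a.db", "w"), ("/etc/shadow", "r")]:
        print(path, perm, file_allowed(rules, path, perm))
    print("sys_boot", capability_allowed(caps, "sys_boot"))
```

The `ix` rule on the helper corresponds to the inheritance mentioned above: the helper runs under the same profile as the daemon that launched it.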
SLES 10 also comes with a firewall and a System Update feature much like Windows' AutoUpdate--and it's just as easy to run. The program can be configured to automatically check for, download and install updates and patches. Unfortunately, Novell only allows updates to be downloaded for as long as your license is valid--and, in fact, Novell would not let us test the feature on our review copy. Microsoft allows all systems to be patched (albeit grudgingly). To be secure, everyone must be secure.
Though SUSE does not allow users with expired licenses to use this feature, users can patch their systems through other means, like downloading patches from Apache's Web site or kernel patches from kernel.org, for example.
SLES 10's firewall has everything blocked by default. Some 28 preconfigured services can be enabled, including HTTP, HTTPS, LDAP and IMAP. Though the firewall is only slightly more useful than port blocking in Windows, it's enough, considering the rest of the security provided. Besides, a full-featured firewall on a basic server inside the network would be overkill.
Ben DuPont is a systems engineer for WPS Resources in Green Bay, Wis. He specializes in software development.