[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apt-get for users

Thomas Petazzoni wrote:
> [...reordered last one first...]
> I think it would be possible to have a installed package database per
> user, and allow packages to be installed in the $HOME of the
> users. The system administrator would have statistics about the
> softwares installed by the users, and if a package is installed by
> many users, he can decided to install it system-wide, and remove it
> from the $HOME of the users.

That is an interesting idea.  I like it in theory.  But I think it
would be too hard to pull off at this time.  The only way to do that
would be if each user had their own chroot area.

> to compile it by himself. My idea is to allow the user to use the
> packaging system.

What I do on my site is allow users 'sudo apt-get'.  ...Pause for
thought...  It works well for me.  YMMV.

I have a few hundred people who all have desktop workstations which
are primarily theirs alone.  [We also queue jobs on their machines
during idle times.]  As long as everything works in general then both
the users and myself are happy.  The user perodically wants to install
different new software on their machine.  They could bother an admin
or they could do it themselves.  I make 'sudo apt-get' available to
the desktop users and they can do it themself.  Life is good.  The
users love this capability.

What is the worst that can happen?  Seriously, as long as they are
using the package system they are in pretty good hands and it is
difficult to break things in really bad ways.  Remember that 'sudo
apt-get' does not allow them to edit their sources.list file.  (Well,
yes there are ways, but users who know that already have full root.)
So they can only get packages from known good repositories.  This
keeps them from pinning, pulling from sid, pulling from other
back-port areas, etc.  For that they have to talk to an admin and the
needs get evaluated on a case by case bases.  But generally the ten
thousand packages in the main repositories keep them very happy.

It is still possible that they will break their system.  But then they
have broken only their own system and not anyone else's system.  They
know they did it and so they have only them self to blame.  This means
the problem is self-correcting.

Usually problems that do arise are easy to fix by using apt again to
correct the problem.  It is one of knowledge and not really one of a
broken system.  A few minutes from an admin and the machine is back in
good shape again.  Those problems are so easy to fix.

What would we do in the extreme case where they have broken something
so bad that we can't figure it out?  Well, when that happens I will
let you know.  But my standard answer is that we would reflash their
machine back to the standard image and restore their home directory
from the daily backup and they would be back and running again in a
few minutes.  Using systemimager we can reflash a machine in around
five minutes.  Typing in the commands to restore their home directory
takes another few minutes.  But in around a half hour of wall clock
time they can have a completely restored machine.  You don't really
want to make it easier than this or they would break things just
because there was absolutely no penalty.

Note that /var/backups has the current state of the machine by cron
every night.  This can be used to know what things the user has
installed over and above your standard image.  Although it is probably
easier to install your own cron which dumps the package list directly
and then just diff between it and your standard list.


Attachment: pgpRnV0YgIjFo.pgp
Description: PGP signature

Reply to: