Lead Image © Kitsadakron Pongha, 123RF.com
 

Canonical's Landscape tool maintains Ubuntu environments

Landscape Gardening

Manually maintaining large IT infrastructures almost inevitably leads to errors. Enter Canonical's Landscape, a commercial tool that uses a web interface and an API to gather information, render it graphically, and complete maintenance work.

By Carsten Schnober

Monitoring and maintenance are important topics for anyone who needs to manage multiple machines. For Ubuntu environments, Canonical offers Landscape (Figure 1) as a useful service.

Landscape [1] manages any number of clients – provided that you have enough licenses. The client always makes the first move: It logs in to the server and proactively supplies information. The server processes whatever it gets and queues the administrator's commands for the clients to pick up.

Figure 1: Landscape manages Ubuntu machines via a web interface.

Joining In

To add an Ubuntu machine to your own Landscape account, you first need to install the landscape-client package. Among other things, it contains the landscape-config command-line program, which is used to set up Landscape. Simply input the computer name and your Landscape account information.

The landscape configuration tool also asks whether you want to let Landscape run arbitrary shell scripts (Enable script execution?). This is optionally followed by the details of the user account whose permissions the programs can use when they run; by default, these are nobody and landscape. Administrators can use scripts to perform remote queries via Landscape.

To complete the configuration, the client sends a registration request to the specified Landscape account. In the web interface, you just click to approve. Following this, the new client locally collects all the relevant system information, such as the hardware configuration and the installed packages, and sends it to Landscape. A little patience is required here, however, because it can take up to an hour and a half for all the information to upload.

Core Functions

From now on, the Landscape clients regularly tell the server about their health state. The web interface presents this information in different forms to the admin – or, optionally, to several admins in various roles with different permissions.

The reports summarize the states of the monitored computers (Figure 2). They visualize the overall condition of all or individual monitored computers; the underlying data is also available for download. If so desired, computers can be organized into groups using tags so that all monitoring functions can be applied to arbitrary subsets. In the same way, the admin can create group-specific profiles so that the servers receive, or do not receive, different packages and updates.

Figure 2: Landscape reports provide an overview of the states of the monitored computers.

Package management is one of the main benefits of the Landscape service. New installs and uninstalls are done for whole groups at the push of a button, as are updates. Updates, in turn, can be selected individually; Landscape displays and installs security updates separately. If so desired, the selection can also be made at the individual package level (Figure 3). Landscape also supports upgrades to new versions of Ubuntu. However, it does not have an option for manually configuring the package sources.

Figure 3: Landscape installs and updates packages individually or in groups.

The monitoring function provides an overview of the workload on the Landscape clients; again, they can be grouped if necessary. By default, Landscape plots graphs for the average RAM usage, disk space usage, and network load (Figure 4). You can write your own shell scripts to add arbitrary evaluations of your own to these graphs, provided you have allowed script execution in the client configuration.

Figure 4: The monitoring function displays the computer and network workload.

The main requirement for your own script is that it outputs a number when run; Landscape then collects and visualizes the number. Negative and decimal numbers are allowed, but the number must be written to standard output. Landscape checks the script's exit code: If it is not zero, Landscape reports an error. The same goes for scripts that run for too long: After 10 seconds, Landscape suspends execution, again outputting an error message. Furthermore, Landscape outputs information about the processes running on the clients and existing user accounts and keeps track of completed activities.
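The contract above can be checked locally before a script is handed to Landscape. The following is an added example, not code from Landscape or from the original article; the function names and the sample graph script are constructed for illustration, and GNU timeout (as shipped with Ubuntu) is assumed.

```sh
#!/bin/sh
# Added example: pre-flight check for a Landscape custom-graph script.
# Contract taken from the article: one number on stdout, exit code 0,
# finished within 10 seconds. Function names are hypothetical.

GRAPH_TIME_LIMIT="${GRAPH_TIME_LIMIT:-10}"   # seconds, per the article

# Constructed sample graph script: counts local accounts with a login shell.
sample_graph_script() {
    cat <<'EOF'
#!/bin/sh
awk -F: '$7 !~ /(nologin|false)$/ { n++ } END { print n + 0 }' /etc/passwd
EOF
}

# validate_graph_script FILE
# Returns 0 = ok, 1 = non-zero exit code, 2 = ran too long,
# 3 = stdout is not exactly one number.
validate_graph_script() {
    # GNU timeout exits with 124 when it had to stop the command.
    out=$(timeout "$GRAPH_TIME_LIMIT" sh "$1" 2>/dev/null) && rc=0 || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "FAIL: still running after ${GRAPH_TIME_LIMIT}s" >&2; return 2
    elif [ "$rc" -ne 0 ]; then
        echo "FAIL: exit code $rc" >&2; return 1
    fi
    # Exactly one line, holding an integer or decimal, optionally negative.
    lines=$(printf '%s\n' "$out" | wc -l)
    if [ "$lines" -ne 1 ] ||
       ! printf '%s\n' "$out" | grep -Eqx -e '-?[0-9]+(\.[0-9]+)?'; then
        echo "FAIL: stdout is not a single number: $out" >&2; return 3
    fi
    echo "OK: $out"
}
```

Run validate_graph_script with the path of each script before adding it as a graph; the return code tells you which part of the contract it breaks.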

With all of these basic functions, Canonical's Landscape lets admins perform most of their everyday maintenance regardless of location. All you need is Internet access. Admins who hoped for – or feared – the option of completing their first tasks on their way to work are in for a disappointment, however; the Landscape web interface does not offer a smartphone-optimized screen layout.

Connections

To prevent Landscape from tearing holes in your infrastructure's safety measures, only clients can initiate communication with the Landscape server. They use the typical HTTP or HTTPS ports 80 and 443, which are open for outbound connections anyway on most networks and firewalls.

Every 30 seconds, the Landscape client sends an unencrypted HTTP request to the server. On one hand, it thus signals that the computer is still running; on the other, it gives the server the opportunity to trigger an event. Any messages from the server are retrieved via the encrypted HTTPS port.

Apart from these communications with the Landscape server, Landscape clients only send queries to package repositories. This behavior helps them keep their sources up to date and provides the server with information about updatable packages. Landscape loads and installs these packages on request; it does not interfere with other tools or accounts that call the apt-get package management tool directly.

Programmable Interface

Landscape doesn't just provide a convenient web interface for managing computers. Using an API, admins also can access the information and functions offered by Landscape directly with their own programs and scripts. Ubuntu provides the landscape-api package in the Landscape repository for this purpose. The following command adds the repository:

sudo add-apt-repository \
  ppa:landscape/landscape-api

You can then install the landscape-api package, which contains the command-line client of the same name and a Python library for direct access to Landscape.

The command-line program accesses the LANDSCAPE_API_KEY, LANDSCAPE_API_SECRET, and LANDSCAPE_API_URI variables to authenticate; you need to export them in the shell before calling landscape-api. The first two are user-specific and can be looked up or generated in the API access key and API secret key fields of the web interface's user settings.

The Landscape URI is generally https://landscape.canonical.com/api, unless you take up Canonical's offer of an on-site Landscape installation. The documentation recommends storing these variables in ~/.landscape-api.rc and loading them as follows before calling landscape-api:

source ~/.landscape-api.rc
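Because ~/.landscape-api.rc holds the API secret and is executed as shell code when sourced, it is worth checking its ownership and permissions first. The following wrapper is an added example, not part of the landscape-api package or the original article; the function name load_landscape_rc is hypothetical, the https requirement is a policy choice of this example, and GNU stat (as on Ubuntu) is assumed.

```sh
#!/bin/sh
# Added example: load the Landscape API credentials only from a file that
# other local users can neither read nor modify. Function name is hypothetical.

load_landscape_rc() {
    rc_file=${1:-"$HOME/.landscape-api.rc"}
    if [ ! -f "$rc_file" ] || [ -L "$rc_file" ]; then
        echo "refusing: $rc_file is missing or a symlink" >&2; return 1
    fi
    owner=$(stat -c '%u' "$rc_file")
    mode=$(stat -c '%a' "$rc_file")
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing: $rc_file is owned by uid $owner" >&2; return 1
    fi
    # The last two octal digits are group/other permissions; both must be 0.
    case $mode in
        *00) ;;
        *) echo "refusing: mode $mode, run: chmod 600 $rc_file" >&2; return 1 ;;
    esac
    # Sourcing executes the file as shell code, hence the checks above.
    . "$rc_file"
    for var in LANDSCAPE_API_KEY LANDSCAPE_API_SECRET LANDSCAPE_API_URI; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing: $var not set by $rc_file" >&2; return 1
        fi
    done
    # Policy choice of this example: only talk to the API over HTTPS.
    case $LANDSCAPE_API_URI in
        https://*) ;;
        *) echo "refusing: LANDSCAPE_API_URI is not https" >&2; return 1 ;;
    esac
    export LANDSCAPE_API_KEY LANDSCAPE_API_SECRET LANDSCAPE_API_URI
}
```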

A complete list of available commands is output with:

landscape-api help

For the most part, the functions provided by the API correspond to those of the web interface. However, the API fills a gap in package management by allowing you to add and delete package sources – also on the basis of computer groups.

The Python library that comes with the API package offers the same functionality. After importing landscape_api, this command in the Python interpreter creates an API object:

import landscape_api.base
api = landscape_api.base.API(uri, key, secret)

The values of the uri, key, and secret variables correspond to the LANDSCAPE_API_URI, LANDSCAPE_API_KEY, and LANDSCAPE_API_SECRET shell variables. The new api object in turn handles the same queries as its shell counterpart – as in api.get_computers(), for example.

Alternatively, access can be handled directly via the HTTP interface using GET and POST. The action parameter here contains the function, for example, GetComputers. The online instructions [2] describe how to generate a valid signature for authentication.

Prices

Landscape is useful for managing servers and desktop systems alike. Especially in the latter case, it's useful for admins to be able to queue tasks, such as package updates, in advance so that the clients can process them at the earliest opportunity. This approach prevents problems if desktop computers happen to be switched off.

However, Canonical only offers Landscape as a part of its Ubuntu Advantage packages. These packages include, in all available variants, comprehensive support and a legal guarantee, which is intended to protect Ubuntu users from patent lawsuits. Optionally, Landscape can be installed on your own server (on-site), so that the communication between clients and servers can take place entirely on your own intranet.

Ubuntu Advantage for the desktop is available in two variants: Standard and Advanced. A Standard pack of five costs EUR 473 per year and Advanced EUR 1,014 per year. For servers, Canonical offers an Essential version in addition to Standard and Advanced; the three variants cost EUR 248, 542, and 930 per server, respectively, and yearly discounts are available in all cases for three- and five-year contracts. However, if you would like to familiarize yourself with Landscape first, you can do so for 30 days – with up to 50 computers and five administrators.

Homogeneous

The obvious drawback of the Landscape service is its restriction to Ubuntu machines. Although other Debian derivatives use the same package management system and thus work well with Landscape, no official support is available from Canonical, and this setup is not really acceptable for a paid service. Other distributions (e.g., Red Hat and SUSE) are completely ignored, so the offering reeks of vendor lock-in: Changing to a different operating system – even on just some of your own computers – makes Landscape worthless.

Furthermore, it is hardly worth buying an Ubuntu Advantage package just for the Landscape functionality, especially considering that free tools exist that at least partially cover the functionality, such as Puppet and Foreman [3] or Chef [4]. For Red Hat-based distributions, the free Spacewalk [5] tool, on which the commercial Satellite [6] is based, is also an option. Thus, Landscape unfortunately can only be recommended for those who want to use other Ubuntu Advantage services. It's a pity Canonical has such restrictive licensing in this case.