MPU Meeting Tuesday 7th August 2012

Simple KVM Service

The monitoring script now uses the LVM tools, so the volume usage statistics are much more accurate. This produces some annoying warnings of the form "File descriptor 11 (/dev/console) leaked on vgs invocation." LVM prints these when it is started with an open descriptor above stderr inherited from the calling process, so the cause lies with the caller rather than with vgs. It would be good to work out where these descriptors are coming from and whether they can be avoided.
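As an added illustration of the warning and of the workaround (this is not kvmtool or LCFG code), the following shell functions check whether a freshly started child inherits a given descriptor, and run a command with every descriptor above stderr closed first. The function names are made up for this example, and it assumes /dev/fd is available (Linux provides it via /proc).

```shell
#!/bin/sh
# Added example, not kvmtool or LCFG code: find out which descriptors a child
# process inherits, and run a tool with everything above stderr closed, which
# is the condition under which LVM stops warning
# "File descriptor N (...) leaked on vgs invocation".
# Assumes /dev/fd exists (Linux, via /proc/self/fd).

# Exit 0 if a freshly started child inherits descriptor $1, 1 otherwise.
child_inherits_fd() {
    sh -c '[ -e "/dev/fd/$1" ]' sh "$1"
}

# Close descriptors 3 up to $1 (default 63) in the calling shell. Closing a
# descriptor that is not open is a no-op, so this is safe to call blindly.
close_fds_from_3() {
    max=${1:-63}
    fd=3
    while [ "$fd" -le "$max" ]; do
        eval "exec $fd>&-"
        fd=$((fd + 1))
    done
}

# Run "$@" in a subshell that keeps only stdin, stdout and stderr.
# This is the shell equivalent of the proper fix in the parent program:
# marking its extra descriptors close-on-exec (fcntl F_SETFD FD_CLOEXEC)
# so forked daemons and tools like vgs never see them.
run_without_extra_fds() {
    ( close_fds_from_3; exec "$@" )
}

# Usage: open a stray descriptor the way a leaky parent would, then compare.
#   exec 11>/dev/null
#   child_inherits_fd 11 && echo "fd 11 is inherited by children"
#   run_without_extra_fds vgs      # vgs no longer sees fd 11
```

Running `child_inherits_fd` for 11 and 12 from inside a suspect component (or from a shell wrapper around it) identifies whether the descriptors are being handed down; `run_without_extra_fds` is the blunt fix for a single invocation.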

When we get SL6.3 we should look at using auditd for logging libvirt events (such as domain creation); libvirtd can send these to the audit subsystem itself (the audit_level and audit_logging settings in libvirtd.conf).

It is not possible to bridge to the same VLAN multiple times with different names, since a VLAN interface can be a port of only one bridge. That's a pain as it makes standardising configurations more difficult.

CPU pinning has now been documented.

Support for automatic location of domains has been added to kvmtool and it is now available for playing with; we should get this shipped to develop machines. The rvirsh command was not changed.

The question of storing the domain console logs in files was raised; this would be useful for investigating security issues. Stephen also noted that it is not possible to have multiple users on the same console (even in read-only mode), which is a pain for debugging problems remotely. A simple workaround would be to provide read access through a file.

This project will now be submitted for closure, any further work will come under "misc devel".

Server Upgrades

Chris is looking at bugzilla, the version in epel6 is too old, there is a version 4.0 available in Fedora. Stephen suggested looking at koji.fedoraproject.org for the latest SRPM. There is a 4.2 SRPM available, it would be good to use this version if we can get the various dependencies built.

Server Hardware

The script now writes all the collected bios and firmware information into an SQL DB. It now needs to be switched to writing into the orders database.

It seems that different hardware returns rather different strings for the same queries. The script will need a bit more work to handle this variety of results and standardise it all.

Security Enhancements

The syslog event collection code is now ready for deployment and there is now an LCFG component for configuring the importer script. This will go onto the loghost after the stable release on Wednesday 8th August.

Stephen is now working on completing the documentation of the report generation code and adding support to the component for configuring the reports. This should be finished fairly soon.

Miscellaneous Development

gnome-disk-utility
This is now available again, the .desktop which causes the monitoring gnome applet to run has been removed from the package.

psacct
Process accounting has been enabled on all servers; this will reach the stable release on Wednesday 15th August. This will be very useful for quick checks of what has been run on a machine (lastcomm); the performance impact should be negligible.

auditd
This has been enabled everywhere for a while but we are not currently adding any local rules. The LCFG component has now been added for all servers, which will add various local rules (e.g. monitoring attempts to alter the kernel modules). Currently the monitoring of suid root executable files is not enabled. The list of files to be monitored is generated by scanning the local filesystem, which can be a very long process. Previously it would scan from the top-level / directory but avoid crossing file-system boundaries, so anything on a separate partition was never seen. Support has now been added for specifying a list of directories to be monitored. This means a smaller set of files can be scanned, and directories which were previously missed due to the partition layout can be checked if necessary.
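As an added example (not the LCFG auditd component's own code), the script below generates the two kinds of local rule described above: watches for kernel module changes, and a setuid watch list built from an explicit directory list, each directory scanned with -xdev in its own right rather than walking from /. The function names, the audit keys "modules" and "suid", and the SUID_OWNER override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the LCFG auditd component: build an audit rules file that
# (a) watches attempts to alter the loaded kernel modules and
# (b) watches every setuid executable found under a caller-supplied list of
#     directories, instead of scanning all of / and missing other partitions.

# Rules covering kernel module changes: the module tools themselves plus the
# init_module/delete_module syscalls, which also catch loads that bypass them.
module_rules() {
    cat <<'EOF'
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
EOF
}

# One watch rule per setuid file owned by SUID_OWNER (default root) under the
# given directories. Each directory is scanned separately with -xdev, so a
# directory that is its own partition is covered as long as it is listed.
# Missing directories are skipped; duplicates are collapsed.
suid_rules() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm -4000 -user "${SUID_OWNER:-root}" 2>/dev/null
    done | sort -u | while IFS= read -r f; do
        printf '%s %s -p wa -k suid\n' '-w' "$f"
    done
}

# Write a complete rules file to $1 covering the directories $2...; prints $1.
# Load it with: auditctl -R <file>   (or install as /etc/audit/audit.rules)
write_rules() {
    out=$1
    shift
    {
        printf '%s\n' '-D'        # drop any rules already loaded
        printf '%s\n' '-b 8192'   # kernel audit backlog
        module_rules
        suid_rules "$@"
    } > "$out"
    printf '%s\n' "$out"
}

# Usage on a real host (setuid files under the usual binary directories):
#   write_rules /tmp/audit.rules /bin /sbin /usr/bin /usr/sbin /usr/libexec
```

Scanning only the listed directories keeps the run short; the cost of the watch rules themselves is one inode watch per file, so the list should stay limited to real executables rather than whole data partitions.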

Operational

AMD catalyst driver
It's become clear that in many cases the support for the AMD/ATI graphics card in the HP DC7900 is now better with the open-source driver than with the Catalyst driver. In particular, support for dual-head configurations is much better: it allows the user to just plug in an extra monitor and do the configuration through the standard GNOME applet. When we move to SL6.3 we should consider dropping the Catalyst driver from the default configuration for these machines. This will involve some means of removing the /etc/X11/xorg.conf file which was generated by the xfree LCFG component. Possibly a cron entry for reboot time?

VMWare usage
We should nag RAT and Services units about moving their VMs off the VMWare servers.

HP DC7900 and sleep
If we don't get anymore freezes we should re-enable sleep on the HP DC7900 machines. We think the problems were related to the recent xorg security updates but sleep was disabled to help simplify tracing of the problem. The machines have all now rebooted and acquired the necessary xorg-x11-drv-ati-firmware update.

Server reboots
We need to reboot various MPU servers. Chris will send around a list of what still needs doing.

Server packages
Ian asked about having telnet and ftp in the standard server install. Neil had mentioned the rcs package. We think that having telnet and rcs available is a good idea; we're more wary of ftp since a client on the box makes it easier for an attacker who already has a foothold to pull down further software, so it should probably only be installed where necessary. Stephen will add telnet and rcs.

tobermory file component
Chris noted that there is a problem on tobermory with the LCFG file component. Alastair will fix.

This Week

  • Alastair
    • Spare moment - investigate LVM leaky descriptors problem - worked around for kvmtool, but it looks like perl components leak 11 and 12 to forked daemons
    • Ship and document new kvmtool - but also need to implement shutdown/destroy
    • Document cold migration
    • Close KVM project
    • Work through LCFG bugs
    • Fix tobermory file component problem - shipped new version of dice-orders.
    • Code review Roger's package search tool
    • Check USB key under installroot under SL6 (udev now deprecated) - USB keys work fine in installroot (even when inserted post boot). udev code is correct (in lcfginstall). rc_install is SL5 legacy.
    • Add stuff (scp, rsync, ftp, lastcomm) to the installroot
    • Investigate console logs for KVM - non-trivial, even with conserver. See http://wiki.libvirt.org/page/LibvirtConsoleManagement
    • Personal development topics

  • Chris
    • Look at shoe-horning Fedora Bugzilla 4 onto SL6 (try SRPMs from koji)
    • Complete hardware monitor data -> orders database. Propose a manual process for using this information
    • Produce list of servers to reboot
    • Chris to check for MPU documentation in docproj
    • Publish doc on investigating intrusions
    • Personal development topics

  • Stephen
    • Security project
    • Add telnet and rcs to base SL6 platform
    • Add a disable macro to the external access headers.
    • Report to EdCERT today
    • Report to rest of Ed community
    • Report to School
    • Personal development topics

-- AlastairScobie - 07 Aug 2012

Topic revision: r12 - 17 Aug 2012 - 11:17:21 - AlastairScobie