MPU Meeting Wednesday 29th August 2012

Server Upgrades

Chris has been making good progress on getting the Fedora packages for bugzilla 4.2 (and dependencies) into an installable state for SL6. Stephen suggested pushing them all into pkgforge as a single job so that we have them built for both architectures. Chris mentioned that there are some bootstrapping issues with certain packages depending on each other at build time. These are likely to be caused by the cpanspec script adding in optional build dependencies which are only necessary for a few tests, and it might be possible to tweak the specfiles to avoid the dependency problems.

The potential difficulties of upgrading the DB schema from 3.0 through to 4.2 were also raised; it might be that we have to upgrade through each intermediate major release in turn.

Server Hardware

All the MPU servers on the develop release are now feeding the hardware information into the development version of the database. It's all looking good so the next step is to move onto the real database. If that doesn't cause any problems then it can be widened to involve all DICE servers.

Security Enhancements

The log parsing and report generation part of the project is now complete and the code is active.

Stephen has been working on a new LCFG component to configure and manage the rkhunter (rootkit hunter) tool. It's mostly complete but lacks any documentation and needs lots of testing. Getting the best configuration for the SSH servers is going to take some experimentation, currently it is just running on the test SSH server shrew. It has raised a few interesting issues with programs holding onto deleted files when they shouldn't, particularly the lcfg logserver has a weird issue with not releasing a file handle for the first temporary file it uses (subsequent files are not a problem).

Miscellaneous Development

LCFG logserver
Stephen has done a big cleanup of the code which handles temporary files. This was an attempt to fix an issue with a file handle not being released after a temporary file was deleted. This cleanup does not fix that issue; it's clearly a much deeper bug, but the cleanup should make it easier to find the real cause. This code needs revisiting at some point; for now there is an rkhunter exception in place so that it doesn't get reported as a security problem.
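The check rkhunter is tripping over here (descriptors still open on files that have been unlinked) can be reproduced directly from /proc. This is an added Perl example, not rkhunter's own code or part of the LCFG logserver; the allow-list patterns are hypothetical, since the page does not give the logserver's temporary file path.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Walk /proc/<pid>/fd and report open descriptors whose target has been
# unlinked; the kernel marks such symlinks with a trailing " (deleted)".
# Needs Linux and permission to read the fd directories (root to see other
# users' processes). Returns a list of [pid, comm, fd, path] entries.
sub deleted_open_files {
    my @found;
    opendir( my $proc, '/proc' ) or die "cannot open /proc: $!";
    for my $pid ( grep { /^\d+$/ } readdir $proc ) {
        my $fddir = "/proc/$pid/fd";
        opendir( my $dh, $fddir ) or next;    # process gone or not readable
        my $comm = '?';
        if ( open my $cf, '<', "/proc/$pid/comm" ) {
            my $line = <$cf>;
            $comm = $line if defined $line;
            chomp $comm;
            close $cf;
        }
        for my $fd ( grep { /^\d+$/ } readdir $dh ) {
            my $target = readlink "$fddir/$fd";
            next unless defined $target;
            push @found, [ $pid, $comm, $fd, $target ]
                if $target =~ /\s\(deleted\)$/;
        }
        closedir $dh;
    }
    closedir $proc;
    return @found;
}

# Known-benign cases (hypothetical logserver temp path, POSIX shared memory)
# are skipped so that only unexpected hits are printed, mirroring the
# rkhunter exception mentioned above.
my @ignore = ( qr{^/tmp/lcfg-logserver}, qr{^/dev/shm/} );
for my $hit ( deleted_open_files() ) {
    my ( $pid, $comm, $fd, $path ) = @$hit;
    next if grep { $path =~ $_ } @ignore;
    printf "%-6s %-16s fd %-4s %s\n", $pid, $comm, $fd, $path;
}
```

Run it as root on the host where the logserver is running; a line for the logserver's first temporary file is the leaked handle described above.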

SL6.3
All the preparations for SL6.3 have been done as far as MPU is concerned. It doesn't look like we will be going ahead with rolling this out before Semester 1. This gives us a window from Friday 21st December 2012 until Monday 14th January 2013 to deploy the update; otherwise it will have to wait until the end of Semester 2 on Friday 24th May 2013. This really only gives us about 1 week after Christmas in which to test things, which is going to be rather tight... We need to discuss at the next LCFG Deployers meeting in September whether we will shift the LCFG level to 6.3 before that date (we can hold DICE back as long as we like).

LCFG installroot
Alastair has removed the legacy install script from the installroot to avoid confusion.

kvmtool
Alastair has added more features to kvmtool and improved the documentation.

KVM serial consoles
It turns out that you cannot get the Linux kernel to log to multiple devices concurrently. There is however a possibility of using conserver and the socat tool to give the VMs "real" consoles instead of using virsh.

PostgreSQL authorization issue
Alastair raised the issue of users being allowed to create tables in PostgreSQL DBs which they do not own. Tim couldn't see why the ACLs were not working; we need to check with Graham when he returns from holiday.

pkgsearch
Alastair has reviewed the pkgsearch code which was developed by Roger. It needs some work to bring the Perl DBI usage up-to-date so that we can avoid the potential for SQL injection attacks.
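The DBI change needed is to stop interpolating the search term into the SQL text and bind it through a placeholder instead. The following is an added example written for these notes, not the pkgsearch code itself; it uses a constructed in-memory SQLite table (via DBD::SQLite) standing in for the package database, and the search functions are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for the pkgsearch package table.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 } );
$dbh->do('CREATE TABLE packages (name TEXT, version TEXT, arch TEXT)');
my $ins = $dbh->prepare('INSERT INTO packages VALUES (?, ?, ?)');
$ins->execute(@$_) for ( [ 'lcfg-logserver', '1.2.3', 'noarch' ],
                         [ 'rkhunter',       '1.4.0', 'x86_64' ],
                         [ 'bugzilla',       '4.2.2', 'noarch' ] );

# The pattern to retire: the user's term is spliced into the SQL string, so
# a term such as  x' OR '1'='1' --  rewrites the WHERE clause and returns
# every row (the trailing -- comments out the rest of the statement).
sub search_unsafe {
    my ( $dbh, $term ) = @_;
    return $dbh->selectall_arrayref(
        "SELECT name, version FROM packages WHERE name LIKE '%$term%'" );
}

# The replacement: the term is bound to a placeholder, so it can only ever be
# data. The ESCAPE clause additionally makes % and _ typed by the user match
# literally instead of acting as LIKE wildcards.
sub search_safe {
    my ( $dbh, $term ) = @_;
    ( my $pattern = $term ) =~ s/([\\%_])/\\$1/g;
    my $sth = $dbh->prepare(
        'SELECT name, version FROM packages WHERE name LIKE ? ESCAPE ?' );
    $sth->execute( "%$pattern%", '\\' );
    return $sth->fetchall_arrayref;
}

my $hostile = "x' OR '1'='1' --";
printf "unsafe search returned %d rows\n",
    scalar @{ search_unsafe( $dbh, $hostile ) };
printf "safe search returned %d rows\n",
    scalar @{ search_safe( $dbh, $hostile ) };
printf "safe search for 'lcfg' returned %d rows\n",
    scalar @{ search_safe( $dbh, 'lcfg' ) };
```

With the hostile term the unsafe query returns all three rows while the bound query returns none; the legitimate search for "lcfg" still finds the logserver package.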

dban PXE option
Chris has added a new "fast wipe" option for dban in the PXE menu. Stephen noted that if we wanted to support more than a couple of dban wipe modes we probably ought to investigate using PXE sub-menus to avoid the interface becoming too cluttered.

Operational

glibc update
Stephen pushed out the latest glibc security update to the SSH servers via a live header. The servers were not rebooted, so only newly launched processes pick up the fixed library. The risk level probably doesn't warrant a reboot right now. This update will reach all the other DICE machines in the stable release on Wednesday 5th September. We will need to send out an email to sys-announce explaining why all the desktops will start requesting a reboot. If Stephen isn't around then Chris will do this.

dr.pkgs
Chris has fixed the dr.pkgs virtualhost so that it works with updaterpms.

AFS & Kerberos conference
The conference registration is now open and we have had some bookings.

This Week

  • Alastair
    • Discuss kvm and conserver with Ian D - Ian D investigating
    • nag Graham about ordershost permissions issue - Found problem
    • Work through LCFG bugs
    • Personal development topics
    • Document ssh keys mgmt - home page and windows

  • Chris
    • try out bugzilla 4.2 now that rpm dependencies have been fixed - throw bugzilla pkgs at pkgforge
    • server hardware - switch to using live ordershost and bring in rest of hosts
    • Chris or Stephen - issue message to sys-announce about latest glibc reboot
    • Look at whether one LCFG at forum and one LCFG at KB is viable (speed of compilation)
    • Look at migrating metropolitan VMs to central
    • Personal development topics
    • Document ssh keys mgmt - macos

  • Stephen
    • finish off rkhunter
    • Chris or Stephen - issue message to sys-announce about latest glibc reboot
    • Personal development topics
    • Document ssh keys mgmt - linux

-- AlastairScobie - 29 Aug 2012

Topic revision: r9 - 07 Sep 2012 - 09:00:10 - StephenQuinney