MPU Meeting Tuesday 11th September 2012

Server Upgrades

Chris got Bugzilla 4.2.2 up and running on DICE (at testzilla.inf.ed.ac.uk). Once that was done it turned out to be easy to upgrade to 4.2.3, just a matter of getting the latest SRPM from koji.fedoraproject.org, converting the RPM 4.9 format dependency filters in the spec file to RPM 4.8 format (both documented here), rebuilding and installing. These points should be noted:

  • The LCFG bugzilla component didn't quite manage to automatically create the bugzilla instance; if we want to continue to have the ability to drive Bugzilla configs from LCFG we'll need to update the component.
  • We'll need an LCFG theme for Bugzilla 4. This is the first priority.
  • We'll need to port the data from the current Bugzilla. This should just be a matter of applying the successive changes to the database schema (documented in successive Bugzilla release notes) to a copy of the existing database, then moving the data.
  • Bugzilla can now support multiple separate instances, with separate authentication/databases/configuration, running from the same code base on the same host, so:
    • We may easily be able to host both the LCFG and the DICE Bugzillas on the same host.
    • It could be possible in the future to offer automatically generated bugzilla instances to Informatics people.
    • The final installation should be compatible with the notion of future multiple instances.

Server Hardware

All physical servers are now reporting their firmware and BIOS versions daily to the orders database. Chris will next implement a web query page for this data and a web report page which compares versions against known good versions. The known good versions will be held separately, probably in an rfe-editable file. Stephen pointed out the need to allow for multiple good versions rather than just one.

Security Enhancements

  • Stephen has finished the rkhunter LCFG component. It's been running on the test/offsite ssh server for about a week now, and will go on the main ssh servers in this week's stable release. It's in a testing phase and will probably take a few weeks to settle down to giving predictable, usable reports.
  • He's now looking at AIDE, a filesystem intrusion detection tool. It has simple but very powerful configuration rules so it may take a while to refine our configuration. The idea is to do as wide a filesystem scan as possible and take regular snapshots. It should prove to be a useful source of evidence.

Inventory Improvement

This is a CEG project rather than an MPU one but we'll track its progress here. Alastair has begun by analysing the current inventory system. He's logging progress on the InventoryImprovements146 page. It's expected that discussions on the current system's shortcomings, and on what should replace it, will continue for the rest of this year. A project to develop a replacement will then be proposed for T1 2013.

Miscellaneous Development

syslog
It was pointed out at the September LCFG Deployers meeting that the LCFG level still uses the syslog component rather than rsyslog, and that it no longer works with the latest rsyslog software. Alastair has fixed the syslog component. We will look at moving the LCFG level to the rsyslog component.
SL 6.3
SL 6.3 has been rolled out. It's available at the LCFG level and is the default at the DICE level. The installroot and PXE images are now based on 6.3. It's still possible to install 6.2 machines with them though. Kenny has made it possible to test 6.3 on MDP machines but the LCFG level will stay at 6.2 until they're ready to upgrade. The support unit is upgrading the AT student lab machines to 6.3 this week.
Sleep on SL 6.3
Chris will check that it's OK.
Catalyst
Stephen has set up the student lab machines to safely move from the catalyst driver to the default driver at the same time as the 6.3 upgrade. A safe upgrade involves deleting /etc/X11/xorg.conf provided the xfree component is no longer present; this is done at boot time with a @reboot cron job.
LCFG::Component
Shell components can find out the method they were called with, but Perl components have lacked this capability until now. Stephen has added it by modifying the LCFG::Component module.
Juice and auditd
The spare HP juice is now acting as a temporary log host for auditd data. A large change such as a 6.3 upgrade generates so much auditd data that not all of it could be recorded (there's an auditd event for every file change), but most of it was still logged and the remote logging should still be useful.
KVM consoles
Alastair discussed the KVM console issue with Ian, who is going to look into ways of accessing KVM consoles with conserver.
Postgres
It turned out that Alastair was restricting access to the default database rather than the orders database. He's put this right now.

Operational

metropolitan
It has only two VMware guests left on it and with luck these should be gone within a day.
IBM array warranty
Alastair has put the warranty information for the IBM array into the MPU's AFS group space for safety.
Package refresh
Alastair has successfully refreshed our package mirrors and updated our OS package lists using Stephen's instructions. He has minor changes to make to the instructions but basically it went well.
Nelson / not-a-service
It now lives in the server room on the Dexian shelving.
LCFG slaves
Chris has made two virtual LCFG slaves, metsu and bol. He's been monitoring their profile processing speed and they're not too dissimilar, despite metsu being hosted on a faster machine. He will move us to them.

This Week

  • Alastair
    • Work through LCFG bugs
    • Document ssh keys mgmt - home page and windows
    • Personal development topics
    • Have a look at "nelson" to scope problem
      • git and gerrit both being used for prometheus and teaching - services unit installing a new service
      • wordpress - services unit imminently producing an official service
      • openid - possibly Dave Aspinall using?
    • Meet with Chris
    • Systems blog article on the KVM Service
    • Look at KVM for use by normal user
      • Doesn't look possible. The easiest solution is to add individual users to a libvirt managing group, but there is nothing to stop individuals meddling with other guests. OpenStack etc. better?
    • Report libvirt empty LVM group issue to Red Hat, unless fixed in 6.3

  • Chris
    • Continue working on bugzilla
    • Server hardware project - create rfe-editable "current versions" table and a report to compare with subunit table reports
    • Make new KVM based LCFG servers live
    • Document ssh keys mgmt - macos
    • Personal development topics
    • Fixup kvm documentation wrt rvirsh
    • Meet with Alastair

  • Stephen
    • Security project - keep working on aide
    • Document ssh keys mgmt - linux

-- AlastairScobie - 11 Sep 2012

Topic revision: r4 - 27 Sep 2012 - 13:51:54 - AlastairScobie
 