MPU Meeting Tuesday 17th March 2015

systemd LCFG component

Port LCFG to RHEL7 and friends

• Stephen has put the grub2 password into place.
• Stephen has replaced all SL7 header references to boot.run with references to runner.
• Chris will add a reference to providing live emergency headers and package lists to the MPU DICE section of the project plan, so we remember to do that next time.
• Barry has noticed that aulast doesn't work on SL7, and Stephen discovered a reference to the problem on Red Hat's linux-audit mailing list.
• Stephen noticed another auditd problem: its configuration file has been replaced by a directory into which files can be dropped. This is unacceptable to us as LCFG must have complete control over the audit configuration; we don't want packages to drop in bits of additional configuration in the usual manner. There's a way to switch the audit system back to using a single configuration file so Stephen will implement that.
• Alastair has slightly changed the logging configuration (and has blogged about it) so that log messages will now be available to journald and in /var/lcfg/log files as before. He will produce (or link to!) some notes on how to use journalctl.
• Alastair has documented internet-online.target in the systemd cookbook (and has blogged about it).
• Chris has documented the unhelpful behaviour of virt-manager on SL7.
• Chris has built kvmtools for all DICE platforms and added it to the KVM package lists.
• Chris has started off the project's final report.

Miscellaneous Development

• Iain has asked Chris to add some simple GPU support to the toohot component.
• Alastair has found that his recent network tweaks are not needed after all if we remove the "tx off" and "rx off" network settings. These were added years ago for VirtualBox. He'll ask Tim about them. Since these network settings were added using the file component we'll have to be careful how we remove them.

Operational

• The bingbot crawler has recently been getting so stuck on wiki.lcfg.org that it's provoked the oom-killer. Chris has added lines to robots.txt to exclude irrelevant parts of the wiki site.
• We've asked for several more Comodo certificates for MPU sites. However we understand that getting the certificates is a horribly manual and time-consuming process for IS so we may have to wait, as renewals will understandably be prioritised over new certificate requests.
• Chris has added hardware headers (and toohot support) for the Dell PowerEdge R730. He'll check for any resulting rootmail messages from R730s (done: there's nothing bad there).
• Chris has documented the results of fail2ban for users, and User Support has been reminded how to unban users. Stephen will add an Operational meeting discussion topic on just how many failures people should be allowed before the banning process kicks in.

This week

• Alastair
  • EL7 project
    • Flesh out FinalProjectReport296
    • Cook book entry
      • component need to start after daemon in certain cases ..... eg ssh where component will start daemon if daemon isn't already started.. - given an example of how to do this
    • some quick notes on using journalctl (or link to somebody else's) Added to SL7 project page
    • check installroot stuff same version across SL6 and EL7
      • it isn't. The changes made for EL7 break SL6. Have added a lookup to sysinfo to get target os_base - need to make some code conditional on this. Shipped for both sl6 and el7
      • and pull out old SL5 stuff
    • Try a DIYDICE SL6_64 install
  • Ship gso/tso fix at LCFG level (with network component) - ?? gso/tso not required if tx off and rx off removed - but tx off and rx off may still be needed when running virtualbox ??
    • remember can't simply remove file component config - will have to do "delete" type first.
  • RT 65774 - try two identical monitors on my machineIainR has two identical monitors on his SL6 box and doesn't encounter the problem
  • Need to remove default bridge from kvmtool create
  • Consider more cores as default for KVM guests
  • Look at KVM server loading
  • Schedule firmware upgrade for DS3254
  • Check scans - computing.help loads of high impact/high likely. (devproj and www.lcfg.org are ok)
    • Discuss with Neil
    • Look at creating another similar computing.help server and add in extra modules to tickle the problem
  • Look at SL6 KVM guest reboot hangs - tried reboot of brent and hjaelpe (both have local homedir) with no problems, but zipvm1 (AFS homedir, virtualbox) did hang for a couple of minutes
  • Read KVM enhancement project proposal - DISCUSS

• Chris
  • EL7
    • Flesh out FinalProjectReport296
    • Add requirement for live override headers - to MPU DICE specific section of porting project
  • url shortener
  • Add GPGPU support to "toohot"

• Stephen
  • LCFG client refactor stage 1
    • schedule debrief meeting
  • EL7
    • document lcfg-runner
    • Flesh out FinalProjectReport296
    • Fixup auditd config
  • Look at 32 bit libraries mock issue (LCFG deployer)
  • Test northern's SAS disks in metropolitan
  • Junk central
  • Think about PD - Interested in ZeroMQ
  • Add extra memory to waterloo (and if those work, order up more memory for hammersmith)
  • Review last reviewed date for documentation and MPUhelpReview by 1st March
  • Read KVM enhancement project proposal
  • Check DR server spec
  • Add FailBan issue to operational meeting discussion list
  • Disable 'dmesg' on our external access servers

-- AlastairScobie - 17 Mar 2015