MPU Meeting Wednesday 28th March 2018


Alastair has added cosign authentication for the HTML view and has dropped unauthenticated access to the REST API. He has also been tidying the LCFG headers by moving the config from live into the core headers.

User Security Training

Virtual Desktop

There are still issues with clients not accepting the SSL certificates on first connection. Stephen wonders whether the .pem file he generated is missing part of the certificate chain. We are currently waiting on George to offer some advice on how to add RDP connection rate limiting to the standard DICE iptables config (or whether we should ignore that and have something simpler). Stephen has decided to document the Vinagre Gnome RDP client instead of Remmina, since it works better on his Debian machine at home.
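A quick way to test the "incomplete chain" theory before touching the RDP clients is to inspect the served bundle the way a client would build the chain. The script below is an added example, not part of the meeting notes or the DICE config; it assumes a bundle that holds certificates only (leaf first, then intermediates, key in a separate file), openssl on PATH, and a root CA file to trust (the system store is used when none is given).

```shell
#!/bin/sh
# Added example (not from the MPU notes): sanity-check a server .pem bundle for the
# missing-intermediate problem that makes clients reject a certificate on first
# connection. Assumes: bundle holds certificates only, leaf first; openssl on PATH.

# Split a PEM bundle into one file per certificate, in file order:
# $2/cert1.pem, $2/cert2.pem, ... (cert1 is the leaf if the bundle is ordered correctly).
pem_split() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# Number of CERTIFICATE blocks in the bundle. Exactly one means the leaf is served
# without its intermediates, which is the classic first-connection failure.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject and issuer of every block, in order. In a correct bundle the issuer of
# block N is the subject of block N+1, so a break in that sequence is visible at a glance.
pem_chain_summary() {
    tmp=$(mktemp -d) || return 1
    pem_split "$1" "$tmp"
    i=1
    while [ -f "$tmp/cert$i.pem" ]; do
        printf '[%d] %s\n' "$i" "$(openssl x509 -in "$tmp/cert$i.pem" -noout -subject -issuer | tr '\n' ' ')"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Build the chain the way a client does: trust only the root in $2 (or the system
# store when $2 is empty), treat every block after the first as an untrusted
# intermediate, and verify the leaf. Returns openssl's status: 0 only if the chain builds.
pem_chain_verify() {
    tmp=$(mktemp -d) || return 1
    pem_split "$1" "$tmp"
    : > "$tmp/intermediates.pem"
    i=2
    while [ -f "$tmp/cert$i.pem" ]; do
        cat "$tmp/cert$i.pem" >> "$tmp/intermediates.pem"
        i=$((i + 1))
    done
    extra=""
    if [ -s "$tmp/intermediates.pem" ]; then
        extra="$tmp/intermediates.pem"
    fi
    openssl verify ${2:+-CAfile "$2"} ${extra:+-untrusted "$extra"} "$tmp/cert1.pem"
    status=$?
    rm -rf "$tmp"
    return $status
}

# Usage: pem_chain_summary /path/to/server.pem; pem_chain_verify /path/to/server.pem /path/to/root.pem
```

If `pem_cert_count` reports 1, or `pem_chain_verify` fails with "unable to get local issuer certificate" while the same leaf verifies once the intermediate is appended, the bundle is the problem rather than the client.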

LCFG Profile Security

Stephen has been blogging regularly on progress: 13/03/18, 21/03/18, and 28/03/18.

Miscellaneous Development


  • New disks : We have new disks for the Forum KVM servers, girassol and gaivota. This will allow us to retire the IBM SAN storage pools.
  • SL7.4 : We need to finish the SL7.4 upgrade for servers. Stephen will announce a final date to COs. Only the staff NX server (jubilee) and some KVM servers remain; Stephen will do jubilee next week.
  • Dead disks : Disks have recently been replaced in circle (out of warranty) and amarela. We should look at what spare disks we have sitting in the KVM servers at KB that could be used to cover for out-of-warranty disks in other machines.
  • AT servers and printing : There was an ACL that prevented printing from servers based in AT; this has been fixed by Neil.
  • drupal update : We decided to turn off our drupal servers overnight and apply the update the following morning.
  • Server room power outages : We need to plan for power outages at both KB and the Forum. Stephen will make a start.
  • journalctl vacuum : Stephen will add a cron job to vacuum all old logs with journalctl.

This Week

  • Alastair
    • Inventory project
      • continue working through TartarusWorkFlow
      • Document clientreport (eg how to add modules)
      • Document order sync code
      • Document hpreport processing script
      • Start work on final report!
      • Consider what else needs done other than docs and tidying and backups
      • Blog something....take dev meeting talks
      • and give details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Look at postgresql replication (do after shipping)
      • Add tartarus info to SwitchToSelfManaged
      • Complete removal of non authenticated access to API and web
      • Need tests for API /orders and need new tests to check for correct authorisation
    • Schedule MPU meeting to discuss systemd ordering
    • Take a look at RT #78875
    • Look at /etc/hosts - dns issue (IPV6?)
      • work out what we need to fix current problem
    • Circulate info on RH7.3 systemd changes we may wish to consider
    • RT actions (as agreed)
    • Implement change to kvmtool to allow KVMs to be marked as disabled
      • looked at this - looks like the metadata tag isn't passed through libvirt (prior to 4.0.0), so can't be read/written by kvmtool
      • put on activities list to do once upgrade to libvirt-4.0.0
    • Look at Stephen's 'Thoughts on shell components'
    • Look at MPUActivitiesList
    • Start looking at https and (remove assumption that https means want cosign login)
      • wait on Neil's efforts with EdWeb
    • Chase Alison about LCFG check monitoring ( start doing again )
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • Report on this at next ops meeting that have changed journald configuration (MPU report)
    • Discuss with Neil - drupal username collection re GDPR
    • Inventory stuff re GDPR
    • Check with Tim / George about capability for login to student machines - where are we
    • Add %slaac to hulp and lagun after 21/02/18
    • Useful? - a script which checks how fast a machine's console log is growing (eg huge number of dbus problems on hammersmith)
      • suggest to Ian D
    • Blog on projects
    • KVM pcid
      • Created MPUSpectreMeltdown
      • Put detection script somewhere for people to use
      • Which CPU is needed for each group..
        Following config worked on 'brent' (hosted on vermelha). We might need to consider whether we want "match='exact'" wrt migrations.
        <cpu mode='host-model' match='exact'>
          <model fallback='allow'>IvyBridge</model>
          <feature policy='require' name='pcid'/>
        </cpu>
    • Look at why kvmtool doesn't work on circle (running libvirt 4.0.0)
    • Read and comment on Stephen's notes on the LCFG security project
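For the "put detection script somewhere" item under KVM pcid above, here is an added example (not from the meeting notes or the MPUSpectreMeltdown page) of the check a guest or host owner can run: it reads a /proc/cpuinfo-style file and reports whether pcid and invpcid are present (the features that keep KPTI cheap) and whether the kernel reports pti as active. In a guest, pcid being absent from the flags line while the host has it means the domain XML is not requiring the feature. The file path argument exists only so the check can be run against a saved copy; it defaults to /proc/cpuinfo.

```shell
#!/bin/sh
# Added example (not from the MPU notes): report the CPU flags relevant to the
# Meltdown/KPTI performance question. Assumes a Linux /proc/cpuinfo layout where
# the first "flags" line lists space-separated feature names.

# pcid_report [cpuinfo-file]
# Prints one line per flag of interest and returns 0 only when pcid is present.
pcid_report() {
    cpuinfo=${1:-/proc/cpuinfo}
    # Take the flags line of the first CPU; all CPUs in a box or guest report the same set.
    flags=$(awk -F': ' '/^flags/ { print $2; exit }' "$cpuinfo")
    rc=1
    for f in pcid invpcid pti; do
        if printf '%s\n' "$flags" | grep -qw "$f"; then
            printf '%-8s present\n' "$f"
            if [ "$f" = pcid ]; then rc=0; fi
        else
            printf '%-8s absent\n' "$f"
        fi
    done
    return $rc
}

# Usage: pcid_report            # live machine
#        pcid_report saved.txt  # a copy of /proc/cpuinfo taken from another host
```

The pti flag is informational: on a host it shows the kernel is isolating page tables, and on such a host a guest without pcid will pay the full KPTI cost on every syscall, which is why the XML above requires the feature.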

  • Chris
    • Inventory project
      • Continue work on clientreport modules for replacing firmwarereport
    • Look at MPUActivitiesList
    • Look at RT
    • Continue work on SL7 coordination final project report (currently pending other units completing)
    • libvirt - test for memory leaks (wrt console servers). Ian will test it for memory leaks after the 17 January stable release.
    • User training materials project #403
      • complete and then publish ThoughtsOn403 - and ask for comments
      • Blog
    • Complete deployment of new disks in girassol and gaivota
    • Check that disks on KB KVM servers that aren't under warranty aren't available for others to use (they're there just for our internal use when shifting VMs around)
    • Read and comment on Stephen's notes on the LCFG security project

  • Stephen
    • LCFG client refactor stage 2
      • Bring LCFG v4 client project to closure
    • RT actions (as agreed)
    • submit polkit bug to redhat - with Alastair (still exists under 7.3)
    • Produce some text for systemd mount bug (to submit to RH)
    • Take issue of disable per user journald logs on certain servers to OPS
    • Consider PD work for after LCFG client ...
      • looking at Ceph
    • Look at MPUActivitiesList
    • On metropolitan, find the fastest baud rate at which we can drive the real physical consoles (so we can decide whether to use physical consoles for KVM servers).
    • Look at where we're using ALL in access.conf
    • Agree with RAT how software package requests are handled - waiting on Graham documenting
    • Start off NX replacement project (#389)
      • Complete Documentation
      • Introduce test service for staff users on metropolitan
    • Upgrading MPU servers to 7.4
      • NX servers - jubilee (and move to SOL)
    • Check whether websites are still using Allow/Deny configuration
      • Check individual .htaccess files
    • Summarise power down plan (for Friday 30th)
    • Add cron job to journalctl vacuum

-- AlastairScobie - 28 Mar 2018

Topic revision: r6 - 23 Sep 2019 - 13:33:41 - AlastairScobie