MPU Meeting Wednesday 9th May 2018



User Security Training


Virtual Desktop


LCFG Profile Security

  • An updated installer has been shipped.
  • Context handling has been tightened up and made more secure in the v4 version of the LCFG client - contexts are not applied when using another machine's profile. An unwanted result was that contexts were not being applied in the installbase - specifically the install context (this is used to exclude a few packages from being installed at install time). The fix was to add a new rdxprof command line option which asks for contexts to be applied even when the machine's own profile is not the one currently in use. This version will not be deployed until the new installer has been fully deployed.

Misc development

Stephen has fixed several LCFG bugs:

  • It turned out that the LCFG client and associated programs do after all need to be restarted when the LCFG core libraries are updated. (Bug:1064)
  • Lists of client debug flags are now properly sanitised before being used in a command line. Lists can now safely be either space- or comma-delimited. (Bug:1062)
  • A couple of sysinfo resources were missing. (Bug:1063)


  • Alastair has wiped all of the disks in the IBM SAN. It's still in the rack. Alastair will ask RAT if they could use it. (6TB but lots of spindles.)
  • Chris has been able to migrate guests with single virtual disks of any size; the migration failures only seem to happen with guests with multiple virtual disks. He'll ask Matthew Richardson for help.
  • SL7.4 has had a large batch of fixes back-ported from SL7.5. They've been tested for a week so will probably go out in next week's testing release.
  • Wayland has appeared. Rumours suggest that the main supported windowing environment for RHEL8 is intended to be GNOME on Wayland (but that X will still be supported).
  • SL7.5 is due out this week. We plan to make it available on DICE in June, and perhaps deploy it to the labs in August.
  • There is no more support for SL7.2.
  • There will be no more security updates for SL7.3.
  • A kernel upgrade goes out tonight. It's the last 7.4-derived kernel, and it's been in develop for a while so should be safe to deploy.
  • A new kernel security update has been announced, but this has been back-ported from SL7.5 so we should treat it with caution as it will probably break much of the usual vulnerable software - NVidia, AMD, VirtualBox.
  • To take advantage of the reboots for the kernel update, Stephen has updated the NVidia drivers and has taken VirtualBox to 5.1.36 and 5.2.10. We'll probably move our standard VirtualBox version from 5.1 to 5.2 with our update to SL7.5.

This Week

  • Alastair
    • Inventory project
      • continue working through TartarusWorkFlow
      • Document clientreport (eg how to add modules)
      • Document order sync code
      • Document hpreport processing script
      • Start work on final report!
      • Consider what else needs done other than docs and tidying and backups
      • Blog something....take dev meeting talks
      • and give details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Look at postgresql replication (do after shipping)
      • Add tartarus info to SwitchToSelfManaged
      • Complete removal of non authenticated access to API and web
      • Need tests for API /orders and need new tests to check for correct authorisation
    • Schedule MPU meeting to discuss systemd ordering
    • Take a look at RT #78875
    • Look at /etc/hosts - dns issue (IPV6?)
      • work out what we need to fix current problem
    • Circulate info on RH7.3 systemd changes we may wish to consider
    • RT actions (as agreed)
    • Implement change to kvmtool to allow KVMs to be marked as disabled
      • looked at this - looks like the metadata tag isn't passed through libvirt (prior to 4.0.0), so can't be read/written by kvmtool
      • put on activities list to do once upgrade to libvirt-4.0.0
    • Look at Stephen's 'Thoughts on shell components'
    • Look at MPUActivitiesList
    • Start looking at https and (remove assumption that https means want cosign login)
      • wait on Neil's efforts with EdWeb
    • Chase Alison about LCFG check monitoring ( start doing again )
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • Report on this at next ops meeting that have changed journald configuration (MPU report)
    • Discuss with Neil - drupal username collection re GDPR
      • write a script to remove users who haven't used in, say 30 days (except COs) - and fix the email address issue (currently defaults to
    • Inventory stuff re GDPR
    • Check with Tim / George about capability for login to student machines - where are we
    • Add %slaac to hulp and lagun after 21/02/18
    • Useful? - a script which checks how fast a machine's console log is growing (eg huge number of dbus problems on hammersmith)
      • suggest to Ian D
    • Blog on projects
    • KVM pcid
      • Created MPUSpectreMeltdown
      • Put detection script somewhere for people to use
      • Which CPU is needed for each group..
      • The following config worked on 'brent' (hosted on vermelha). We might need to consider whether we want match='exact' wrt migrations.
        <cpu mode='host-model' match='exact'>
          <model fallback='allow'>IvyBridge</model>
          <feature policy='require' name='pcid'/>
        </cpu>
    • Look at why kvmtool doesn't work on circle (running libvirt 4.0.0)
    • Read and comment on Stephen's notes on the LCFG security project
    • Remove IBM disk array from stack
      • First ask RAT whether they might find the array useful
    • Read Chris's blog on ThoughtsOn403
    • Chase Tim about starting SL7.5 project
    • Bring forward the AT KVM server replacements

  • Chris
    • Inventory project
      • Continue work on clientreport modules for replacing firmwarereport
    • Look at MPUActivitiesList
    • Look at RT
    • Continue work on SL7 coordination final project report (currently pending other units completing)
    • libvirt - test for memory leaks (wrt console servers)
      • Ian will test it for memory leaks after the 17 January stable release
    • User training materials project #403
    • Schedule AT KVM server reboots
    • Hunt down spending plan for 2017 (and update to match reality)
      • Made a 2018-21 plan instead.

  • Stephen
    • LCFG client refactor stage 2
      • Bring LCFG v4 client project to closure
    • RT actions (as agreed)
    • submit polkit bug to redhat - with Alastair (still exists under 7.3)
    • Produce some text for systemd mount bug (to submit to RH)
    • Take issue of disable per user journald logs on certain servers to OPS
    • Consider PD work for after LCFG client ...
      • looking at Ceph
    • Look at MPUActivitiesList
    • On metropolitan, find fastest baud rate we can drive the real physical consoles. (This so we can decide whether to use physical consoles for KVM servers).
    • Look at where we're using ALL in access.conf
    • Agree with RAT how software package requests are handled - waiting on Graham documenting
    • Start off NX replacement project (#389)
      • Complete Documentation
      • Introduce test service for staff users on metropolitan
    • Check whether websites are still using Allow/Deny configuration
      • Check individual .htaccess files
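As an added example (not from these notes or the MPU's own detection script) for the KVM pcid item above, the following POSIX shell snippet checks whether a /proc/cpuinfo-style listing advertises the pcid flag, which is what the guest CPU definition above requires. The sample flag lines are constructed, not captured from a real host; the function names has_cpu_flag and pcid_status are assumptions made here.

```shell
#!/bin/sh
# Added example: check for the "pcid" CPU flag that the libvirt
# <feature policy='require' name='pcid'/> definition requires on the host.
# Takes /proc/cpuinfo-style text as an argument so it can be run against a
# constructed sample or against the real file.

# Constructed sample "flags" lines in /proc/cpuinfo format (not from a real host).
# The second one deliberately carries "invpcid" but not "pcid" to show that
# whole-word matching is needed.
SAMPLE_WITH_PCID='flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc pcid sse4_1 sse4_2 x2apic'
SAMPLE_WITHOUT_PCID='flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc invpcid sse4_1 sse4_2 x2apic'

# has_cpu_flag FLAG TEXT
# Exit 0 when any "flags" line in TEXT lists FLAG as a whole word.
# Splitting on whitespace and using grep -x means "pcid" does not match "invpcid".
has_cpu_flag() {
    printf '%s\n' "$2" | grep '^flags' | tr ' \t' '\n\n' | grep -qx -- "$1"
}

# pcid_status TEXT
# Print "pcid" when the flag is advertised, "no-pcid" otherwise.
pcid_status() {
    if has_cpu_flag pcid "$1"; then
        echo pcid
    else
        echo no-pcid
    fi
}

# When run directly on a Linux host, report on the live CPU.
if [ -r /proc/cpuinfo ]; then
    pcid_status "$(cat /proc/cpuinfo)"
fi
```

On a multi-socket host every CPU prints its own flags line, so a single matching line is enough to say the host advertises pcid; run it on each KVM server before requiring the feature in a guest definition, since a guest with policy='require' will not start or migrate to a host whose CPU lacks the flag.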

-- AlastairScobie - 09 May 2018

Topic revision: r6 - 23 Sep 2019 - 13:33:41 - AlastairScobie