MPU Meeting Tuesday 12th June 2018

Inventory

There's no need to implement ii dispose as disposals can be handled by ii edit.

The lcfg-generated inventory files now contain about 2000 fewer per-host headers than before. Alastair will check whether such headers are being generated for static self-managed hosts.

There's now a link to the client reports on the front page of the web interface and from the ii detailed view.

There's still a lot of tidying up to do.

Virtual Desktop

Stephen has used the iptables component to set up rate-limiting for new connections.

The Linux client documentation is finished. We recommend the Vinagre client.

All of the Remote Desktop pages have now been published.

Users are finding that keyboard mapping is wrong, particularly when connecting from Windows or Mac clients. Once we get that sorted we intend to ditch staff.nx and convert the host to the RDP service. This should free up metropolitan.

24 bit connections are pretty slow. 16 bit connections no longer work at all. 8 bit is fast and reliable though.

LCFG Profile Security

Stephen has moved his new profile security settings from the dice to the lcfg layer where possible, and has added support for using kdcregister in the lcfg installer. For more details see his blog at https://blog.inf.ed.ac.uk/squinney/2018/06/12/lcfg-profile-security-project-7/.

Support for the new profile security features is already there in the develop release, but they haven't yet been enabled.

At some point we'll switch from retrieving profiles via http to getting them via https, with GSSAPI authentication.

There's also the question of how to secure access to resources on the computer itself. This can be done partly by stopping the status files from being publicly readable, but mainly by controlling access to the database. It had been suggested that scripts accessing the database could use a setuid wrapper but it seems cleaner and more reliable to control database readability using Unix file permissions. However, the interaction of this with Ian's sysman permissions scheme needs to be considered.

UEFI Boot Support

Stephen has been implementing support for booting via UEFI rather than "legacy" BIOS. This is getting urgent:
  • We have a server with a 10TB RAID disk which doesn't boot via BIOS.
  • The new SelectPC model will be UEFI-only
  • We're getting more and more PCs whose storage is PCIE NVME SSDs, which don't support BIOS booting.
The support is in several parts:
  • In fstab the current grub partition is replaced by a FAT32 partition. The minimum suggested size is 256MB so that's the size we're using.
  • Our HP G2 and G3 models have the PMBR flag set on disk. This makes them invisible to UEFI! Unsetting the flag fixes this though.
  • The fstab component runs as lcfg, and with the VFAT filesystem this gives a single UID and GID for all files on the volume. In addition, no links are possible with VFAT. Stephen had to go through the grub code to check that it would still function properly with these limitations.
  • Configuration of grub turns out to be far more straightforward with UEFI than with BIOS: just install UEFI and a suitable grub config file and the machine will boot.
  • We won't use Secure Boot since that would take away our ability to boot local kernels. We don't generally do this but we'd like to keep the option available.
  • To get PXE working Stephen updated pxelinux to the most recent version. initrd can no longer be downloaded over tftp but it can now go over http instead, and this turns out to be a lot faster.
  • We don't have an EFI bootable ISO, but we won't need one since VMs use BIOS rather than EUFI.

Misc development

Stephen has disabled user switching in lightdm. MATE still has a "switch user" button but this now does nothing.

ngeneric now logs who runs a method.

Some extra sysconfig variables have been added for Graham.

You can now manage simple apache groups with apacheconf, and Stephen has improved the apacheconf nagios translator. More details of his recent apacheconf improvements are in a blog post at https://blog.inf.ed.ac.uk/squinney/2018/06/01/lcfg-apacheconf-improvements/.

The v4 lcfg client will become the default in this week's release. It's been the default on our office desktops for a while so we don't expect any problems as a result of this change.

Operational

staff.ssh has moved to hare.

brendel and wildcat have been wiped and junked.

VirtualBox 5.2 is now the default in the develop release.

When the nightly updaterpms runs moved from the boot component to the runner component with the advent of SL7, we forgot to carry over the spreading of the load through the night, so all updaterpms runs have been happening in a single hour. This recently overloaded the package servers. The load spreading has now been reintroduced.

Another way to decrease the load on the package server would be to cache the rpmlist files. This would have to be done with a very short timeout, say 20 seconds.

The replacement KVM servers for AT have been ordered.

This Week

  • Alastair
    • Inventory project
      • continue working through TartarusWorkFlow
      • Document clientreport (eg how to add modules)
      • Document order sync code
      • Document hpreport processing script
      • Start work on final report!
      • Consider what else needs done other than docs and tidying and backups
      • Blog something....take dev meeting talks
      • and give details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Look at postgresql replication (do after shipping)
      • Add tartarus info to SwitchToSelfManaged
      • Complete removal of non authenticated access to API and web
      • Need tests for API /orders and need new tests to check for correct authorisation
      • Need to check that LCFG header generation is generating stuff for static self-managed machines (as need for DHCP)
      • Make lcfg header generation live (need to check what will be deleted when we do this - big discrepancy between old inventory and new)
      • Deploy rt ticket field versoin (where RT ticket links to RT) - do for purchase as well as item view

    • Schedule MPU meeting to discuss systemd ordering
    • Take a look at RT #78875
    • Look at /etc/hosts - dns issue (IPV6?)
      • work out what we need to fix current problem
    • Circulate info on RH7.3 systemd changes we may wish to consider
    • RT actions (as agreed)
    • Implement change to kvmtool to allow KVMs to be marked as disabled
      • looked at this - looks like the metadata tag isn't passed through libvirt (prior to 4.0.0), so can't be read/written by kvmtool
      • put on activities list to do once upgrade to libvirt-4.0.0
    • Look at Stephen's 'Thoughts on shell components'
    • Look at MPUActivitiesList
    • Start looking at https and computing.help (remove assumption that https means want cosign login)
      • wait on Neil's efforts with EdWeb
    • Chase Alison about LCFG check monitoring ( start doing again )
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • Report on this at next ops meeting that have changed journald configuration (MPU report)
    • Discuss with Neil - drupal username collection re GDPR
      • write a script to remove users who haven't used computing.help in, say 30 days (except COs) - and fix the email address issue (currently defaults to umich.edu)
    • Inventory stuff re GDPR
    • Check with Tim / George about capability for login to student machines - where are we
    • Add %slaac to hulp and lagun after 21/02/18
    • Useful? - a script which checks how fast a machine's console log is growing (eg huge number of dbus problems on hammersmith)
      • suggest to Ian D
    • Blog on projects
    • KVM pcid
      • Created MPUSpectreMeltdown
      • Put detection script somewhere for people to use
      • Which CPU is needed for each group..
Following config worked on 'brent' (hosted on vermelha). We might need to consider whether we want "match='exact'" wrt migrations.
<cpu mode='host-model' match='exact'>
<model fallback='allow'>IvyBridge</model>
<vendor>Intel</vendor>
<feature policy='require' name='pcid' />
</cpu>
    • Look at why kvmtool doesn't work on circle (running libvirt 4.0.0)
    • Read and comment on Stephen's notes on the LCFG security project
    • Remove IBM disk array from stack * First ask RAT whether they might find the array useful
    • Read Chris's blog on ThoughtsOn403
    • Chase Tim about starting SL7.5 project
    • Look at moving stuff from the immediate todo back to the main Todo list and then we can prioritise that list

  • Chris
    • Inventory project
      • Continue work on clientreport modules for replacing firmwarereport
    • Look at MPUActivitiesList
    • Look at RT
    • Continue work on SL7 coordination final project report (currently pending other units completing)
    • libvirt - test for memory leaks (wrt console servers) Ian will test it for memory leaks after the 17 January stable release
    • User training materials project #403

  • Stephen
    • RT actions (as agreed)
    • submit polkit bug to redhat - with Alastair (still exists under 7.3)
    • Produce some text for systemd mount bug (to submit to RH)
    • Take issue of disable per user journald logs on certain servers to OPS
    • Consider PD work for after LCFG client ...
      • looking at Ceph
    • Look at MPUActivitiesList
    • On metropolitan, find fastest baud rate we can drive the real physical consoles. (This so we can decide whether to use physical consoles for KVM servers).
    • Look at where we're using ALL in access.conf
    • Agree with RAT how software package requests are handled - waiting on Graham documenting
    • Finish off NX replacement project (#389)
      • Fix the keyboard mapping issue
      • Roll out

-- AlastairScobie - 12 Jun 2018

Topic revision: r5 - 23 Sep 2019 - 13:33:41 - AlastairScobie
 
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
This Wiki uses Cookies