MPU Meeting Wednesday 13th March 2019


Alastair has been investigating using the LCFG installer patch mechanism to provide a simple solution for querying the hardware serial number. This requires adding dmidecode to the standard installroot; thankfully it doesn't pull in any dependencies. We need to change the default patch source location to something which we manage, e.g.

LCFG Profile Security

Nothing happened.

SL7.6 Update

Some of the hidden platform headers for EL/SL 7 were updated for 7.6.

Alternate Desktop Platform

Platform headers have been added for Debian and Ubuntu releases. Where possible the lcfg-level headers have been made more platform-independent by replacing hardwired paths to any lcfg resources with the equivalent sysinfo resources; this avoids the need for lots of #ifdef conditionals throughout the headers. It looks like we will need to add support for some more paths, in particular the paths to the lib directories (e.g. /usr/lib64 and /usr/lib), as there are significant differences between Red Hat and Debian distributions.

A lot of work has been done on Debian packaging of LCFG components with the aim of getting to the point where the file component can be installed and run. This is leading to lots of changes in how the components are packaged; in particular there are now separate defaults and doc sub-packages. The doc sub-package provides the files stored in /usr/share/lcfg/doc, which aren't that useful on client machines but could be used on the LCFG website to provide easy access to all the documentation.

Stephen has also installed Ubuntu on a desktop machine with the intention of making it an apt package repository where all the locally built packages can be hosted.

Miscellaneous Development

systemd component config
The REGISTER_COMPONENT_WITH_SYSTEMD macro has been tweaked to use mutations for all resources, this means it can be called multiple times. It also now sets the StandardOutput option to be journal+console in readiness for a change to the default setting.

lcfg checks
There is a new service where COs can access the daily lab check reports. Access is controlled using the lcfg/checks/read capability. Student helpers don't currently have that capability; for ease of management we probably want to add a studenthelper role which includes the capability, and User Support will get that organised. To make this all possible the standard subversion webdav header had all the cosign support removed. This was never used for that service and caused other units some difficulties, so it's good to get it simplified.


Package service and IPv6
Enabling IPv6 addresses for all servers in the Forum led to a few problems with the package service. The rpmaccel config needed ACL rules added for "edlan" IPv6 access (equivalent to what we already had for IPv4). Also the apache virtualhost configuration on deneb did not work; it's very unclear why this broke, as it seems to fit with the manual page description of how it should work. The solution was to have all virtualhosts listening on all interfaces.

xrdp service
The new servers are installed. Stephen will look at the haproxy configuration. Chris will ensure only COs can login for now, he will also check the correct certificates are in place ready for deployment.

This Week

  • Alastair
    • Inventory project
      • continue working through InvProjectWorkFlow
      • Document clientreport (eg how to add modules)
      • Document order sync code
      • Document hpreport processing script
      • Start work on final report!
      • and give details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Look at postgresql replication (do after shipping)
      • Add tartarus info to SwitchToSelfManaged
      • Need tests for API /orders and need new tests to check for correct authorisation
      • Make lcfg header generation live (need to check what will be deleted when we do this - big discrepancy between old inventory and new)
      • Look at user support form - how does that lookup hostname?
      • Look at whether there is an easy library way for Chris to grab the macaddr of a machine given the hostname
      • Add dmidecode to installroot, fixup install.patchurl and locate the serial number grabber appropriately and then document process for machines with multiple serial numbers.
    • Schedule MPU meeting to discuss systemd ordering
    • Take a look at RT #78875
    • Look at /etc/hosts - dns issue (IPV6?)
      • work out what we need to fix current problem
    • Implement change to kvmtool to allow KVMs to be marked as disabled
      • looked at this - looks like the metadata tag isn't passed through libvirt (prior to 4.0.0), so can't be read/written by kvmtool
      • put on activities list to do once upgrade to libvirt-4.0.0
    • Look at Stephen's 'Thoughts on shell components'
    • Start looking at https and (remove assumption that https means want cosign login)
      • wait on Neil's efforts with EdWeb
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • configure live server to run the user expiry script
      • Fixup email domains for existing accounts and check fix for domain setting to is in place on live service
      • need to ship fixed cosign module on live service
    • Inventory stuff re GDPR
    • Check with Tim / George about capability for login to student machines - where are we
      • Tim says that we should create a capability that is given to the base cohort and set that capability to no-grace
    • Useful? - a script which checks how fast a machine's console log is growing (eg huge number of dbus problems on hammersmith)
      • suggest to Ian D
    • Blog on projects
    • KVM pcid
      • Investigate spectre / meltdown wrt VMs
      • Which CPU is needed for each group..
      • The following config worked on 'brent' (hosted on vermelha). We might need to consider whether we want match='exact' wrt migrations:
        <cpu mode='host-model' match='exact'>
          <model fallback='allow'>IvyBridge</model>
          <feature policy='require' name='pcid'/>
        </cpu>
      • Update: looked at this. We should be safe to set the CPU model to host-model on clusters where the CPU is identical across the cluster (KB and AT). However we can't where the CPUs aren't identical (IF); here we should be able to set a base minimum machine (SandyBridge?). We'd need to check that migration works. Recent versions of virsh allow you to specify the hosts in the cluster and ask for a CPU model description which will work across all the cluster. Setting the base minimum to SandyBridge on 'oyster' fixed one of the Spectre flaws, but not all. It looks like we need a more up-to-date qemu-kvm to fix all the remaining flaws.
        • Wait until 7.6ish is settled re KVM software versions and try the above again
        • Need to disable hyperthreading on all KVM servers
    • Move IBM disk array to B.03 and mark as junk
    • Produce some notes from OSS
    • Read George's mail of 8th November wrt DPIA
    • Try latest VDICE on Windows 10 machine at home (research guest login delays)
    • Review the three encryption pages
    • Produce a Legitimate Interest Declaration and Privacy Statement for tartarus
      • consider what can be removed once a user has left the University
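The KVM pcid item above boils down to a per-guest check: does the domain XML require the pcid feature, and is host-model being used on a cluster where migration could break? The following audit script is an added example, not part of these minutes or of kvmtool; the domain XML is a constructed sample in the shape of the 'brent' config (in practice it would come from `virsh dumpxml`), and the homogeneous_cluster flag is an assumption supplied by the caller.

```python
# Added example: audit a libvirt domain's <cpu> element for the pcid
# mitigation config discussed in the minutes. Constructed sample input.
import xml.etree.ElementTree as ET

SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>brent</name>
  <cpu mode='host-model' match='exact'>
    <model fallback='allow'>IvyBridge</model>
    <feature policy='require' name='pcid'/>
  </cpu>
</domain>"""


def audit_cpu(domain_xml, homogeneous_cluster=True):
    """Summarise the guest CPU config and flag the concerns from the minutes.

    homogeneous_cluster is an assumption supplied by the caller: True for
    clusters like KB/AT where every host has the same CPU, False for mixed
    clusters like IF where host-model would hinder migration.
    """
    root = ET.fromstring(domain_xml)
    cpu = root.find('cpu')
    result = {'mode': None, 'match': None, 'model': None,
              'pcid_required': False, 'warnings': []}
    if cpu is None:
        result['warnings'].append(
            'no <cpu> element: guest gets the hypervisor default CPU, '
            'pcid is not guaranteed')
        return result
    result['mode'] = cpu.get('mode')
    result['match'] = cpu.get('match')
    model = cpu.find('model')
    result['model'] = model.text if model is not None else None
    # Only policy='require' forces the feature; 'optional' would let the
    # guest start without PCID if the host lacks it.
    for feat in cpu.findall('feature'):
        if feat.get('name') == 'pcid' and feat.get('policy') == 'require':
            result['pcid_required'] = True
    if not result['pcid_required']:
        result['warnings'].append(
            'pcid is not required: guest may run without the PCID mitigation')
    if result['mode'] == 'host-model' and not homogeneous_cluster:
        result['warnings'].append(
            'host-model on a mixed cluster: migration may fail, consider a '
            'baseline model (e.g. SandyBridge) instead')
    return result


if __name__ == '__main__':
    print(audit_cpu(SAMPLE_DOMAIN_XML))
    print(audit_cpu(SAMPLE_DOMAIN_XML, homogeneous_cluster=False))
```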

  • Chris
    • Inventory project
      • Continue work on clientreport modules for replacing firmwarereport
    • Look at MPUActivitiesList
    • Look at RT
    • Continue work on SL7 coordination final project report (currently pending other units completing)
    • User training materials project #403
    • Continue with RT ticket clearout as discussed in October
    • Produce a 'guest only' version of Virtual DICE
    • Install certificates on new XRDP servers

  • Stephen
    • submit polkit bug to redhat - with Alastair (still exists under 7.3)
    • Produce some text for systemd mount bug (to submit to RH)
    • Take issue of disable per user journald logs on certain servers to OPS
    • Consider PD work for after LCFG client ...
      • looking at Ceph
    • Look at where we're using ALL in access.conf
    • Finish off NX replacement project (#389)
    • Continue with RT ticket clearout as discussed in October
    • Read George's mail of 8th November wrt DPIA
    • Firmware update - deneb and steen
    • Reboot staff.ssh (hare)
    • clientreport
      • Complete module errors report
      • Add a 'df' module
      • Add an 'old locks' report
    • Update Pandemic pages - Security, LCFG
    • Move afsbuild server (juice) from Forum to AT
    • Discuss how to deploy two general purpose XRDP servers (with LCFG community)
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Increase standard desktop root partition to 120GB
    • Manage change to systemd.defaultstdout being journal
      • including raising at LCFG deployer meeting

-- AlastairScobie - 13 Mar 2019

