MPU Meeting Thursday 21st March 2019

Inventory

Done:
  • You can now search logbook entries - for instance, to get a list of all the machines which have had a certain name.
  • The setting of names from the clientreport data hadn't been implemented. It has been now, so hostname entries have been added to logbooks.
  • All of the originally promised functionality has now been delivered.
Next:
  • Check for any "To Do"s not yet implemented
  • More documentation
  • clientreport will report on GPUs.

LCFG Profile Security

Stephen has altered the software which fetches LCFG XML profiles for Nagios, so that it will continue to work when we switch our XML profile fetching to GSSAPI. At the same time he took the opportunity to standardise its LCFG profile fetching and caching code. The result is still under test, but when it's pronounced OK, we'll move Nagios to it. This effort should help us to make analogous changes to other profile-fetching code, for instance in Prometheus.

SL 7.6 Update

The LCFG level is complete. The DICE level will be done later.

Alternate Desktop Platform

Stephen has been looking into the best way to configure LCFG component packages for Debian. The convention is for package install scripts to enable and start systemd services automatically - but we want them enabled but not started. We also want control over restarting after package upgrades. All of these preferences are now set.

The LCFG client perl libraries can now be installed independently of the client daemon software, so that (for instance) resource values can be queried.

Last week the LCFG file component was installed on Debian, and worked.

Miscellaneous Development

Chris is looking into how we might automatically impose cgroup-based user resource limits using systemd. So far it's looking as if most of the work done on this by systemd developers has happened after our systemd version (219 = antediluvian).

Stephen has set up haproxy for the new xrdp.inf.ed.ac.uk servers. It uses a round robin DNS entry, currently test.xrdp.inf.ed.ac.uk. It uses a cookie hashed to send you to the host you're already logged into. One peculiarity: the Mac client sends empty cookies, so all Mac users will go to the same host! Nevertheless we'll try this and see how we get on. haproxy has a lot of configuration possibilities, but the cleverer we make it, the more complex it will be to set up, and the less reliable it's likely to be.
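The stickiness mechanism described above, as an added example (constructed for these notes, not the actual xrdp.inf.ed.ac.uk configuration): haproxy in TCP mode hashes the RDP "mstshash" cookie, which the client sends in the clear in its X.224 connection request before any TLS upgrade, to pick a back end. The server names, the 192.0.2.x addresses and the haproxy system user are assumptions; the empty-cookie behaviour is the one noted in the minutes.

```haproxy
# Constructed example: sticky TCP load balancing of two xrdp back ends
# on the RDP "mstshash" cookie.  Addresses and names are placeholders.
global
    log /dev/log local0
    # assumed: an unprivileged haproxy account exists; drop to it after
    # binding port 3389 so the proxy does not keep running as root
    user haproxy
    group haproxy
    # local admin socket for inspecting per-server session counts
    stats socket /run/haproxy/admin.sock mode 600 level admin

defaults
    log global
    mode tcp
    option tcplog
    timeout connect 5s
    # RDP sessions are long-lived; do not cut idle desktops off
    timeout client 8h
    timeout server 8h

listen xrdp
    bind :3389
    # Wait up to 5s for the RDP cookie to arrive and accept the
    # connection as soon as it is present (RDP_COOKIE is a built-in ACL).
    # If no cookie arrives before the delay expires the connection is
    # still accepted and balanced without stickiness.
    tcp-request inspect-delay 5s
    tcp-request content accept if RDP_COOKIE
    # Hash the cookie value to choose the server, so a returning user
    # lands on the host that already holds their session.  A client that
    # sends an EMPTY cookie (the macOS client, as noted in the minutes)
    # still hashes to one fixed value, so all such clients share a host.
    balance rdp-cookie
    # consistent hashing keeps most users on the same server when a
    # back end is added or removed, rather than reshuffling everyone
    hash-type consistent
    server xrdp1 192.0.2.11:3389 check
    server xrdp2 192.0.2.12:3389 check
```

Because the hash only needs the cleartext cookie, the proxy never terminates the RDP TLS session and holds no server key. The imbalance caused by empty cookies shows up as a lopsided per-server session count on the stats socket (`show stat`), which is the simplest check to run once real users are on the test name.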

Stephen met with Kenny MacDonald, Magi Hagdorn and Matthew Richardson to talk about PXE booting. They came up with an improved system which should be easier to use.

  • PXE now ignores the client's boot mode and puts the configuration file in all possible places (the config file location differs with the boot mode).
  • Kenny's systems now use a client's IP address for PXE instead of its MAC address. This is supported by a new pxeclient.id resource. Its value defaults to that of pxeclient.mac but it can be set to anything, including an IP address. There's no restriction on the content of pxeclient.id.
  • PXE uses different binaries for Legacy and UEFI booting.
  • DHCP can detect boot mode. So, the DHCP configuration can point to the correct PXE binary, instead of that being hardwired for each client.

Chris has been working on a Virtual DICE VM that's free of DICE user info.

Operational

Some users are still running qemu virtual machines on the XRDP servers, using images and software from AFS. This loads the servers unfairly (and will presumably be tediously slow for the VM users, too).

Stephen has checked and updated the pandemic page on security. The LCFG page still needs attention.

In response to RAT's plea, the new standard size for DICE desktop root partitions will be 120GB.

This Week

  • Alastair
    • Inventory project
      • Documentation - end user
      • Documentation - code
        • clientreport (eg how to add modules)
        • order sync code
        • HPreport processing script
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Need tests for API /orders and need new tests to check for correct authorisation
      • Look at user support form - how does that lookup hostname?
        • Uses LCFG::Inventory so well behaved wrt. Tartarus for DICE machines
          • won't work for non DICE machines, but hasn't for ages
      • Look at whether there is an easy library way for Chris to grab the macaddr of a machine given the hostname
        • no, but could be produced if required
      • Add dmidecode to installroot, fixup install.patchurl and locate the serial number grabber appropriately and then document process for machines with multiple serial numbers.
      • Produce a Legitimate Interest Declaration and Privacy Statement
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • consider what can be removed once a user has left the University
          • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field could be deleted by a periodic script. Arguably 'category' could be set to NULL where 'upstream' is false?
    • Schedule MPU meeting to discuss systemd ordering
      • DO WE STILL NEED ?
    • Take a look at RT #78875
      • WON'T LOOK UNLESS A BIG ISSUE
    • Look at /etc/hosts - dns issue (IPV6?)
      • work out what we need to fix current problem
      • WHAT WAS THE PROBLEM?
    • Look at Stephen's 'Thoughts on shell components'
    • Start looking at https and computing.help (remove assumption that https means want cosign login)
      • wait on Neil's efforts with EdWeb
      • PROPOSE: address this problem when upgrade to Drupal 8
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • configure live server to run the user expiry script
        • PROPOSE: do this as a manual periodic operation for a few runs to check not causing problems
      • Fixup email domains for existing accounts and check fix for domain setting to inf.ed.ac.uk is in place on live service
      • need to ship fixed cosign module on live service
    • Check with Tim / George about capability for login to student machines - where are we
      • Tim says that we should create a capability that is given to the base cohort and set that capability to no-grace
    • Move IBM disk array to B.03 and mark as junk
    • Read George's mail of 8th November wrt DPIA
    • Try latest VDICE on Windows 10 machine at home (research guest login delays)
      • PROPOSE: wait until Chris has produced a guest-login only VDICE image
    • Review the three encryption computing.help pages

  • Chris
    • Inventory project
      • Continue work on clientreport modules for replacing firmwarereport
    • Look at MPUActivitiesList
    • Look at RT
    • Continue work on SL7 coordination final project report (currently pending other units completing)
    • User training materials project #403
    • Continue with RT ticket clearout as discussed in October
    • Produce a 'guest only' version of Virtual DICE
    • Continue investigating cgroups wrt XRDP

  • Stephen
    • submit polkit bug to redhat - with Alastair (still exists under 7.3)
    • Produce some text for systemd mount bug (to submit to RH)
    • Take issue of disable per user journald logs on certain servers to OPS
    • Consider PD work for after LCFG client ...
      • looking at Ceph
    • Look at where we're using ALL in access.conf
    • Finish off NX replacement project (#389)
    • Continue with RT ticket clearout as discussed in October
    • Read George's mail of 8th November wrt DPIA
    • Firmware update - deneb and steen
    • Reboot staff.ssh (hare)
    • clientreport
      • Complete module errors report
      • Add a 'df' module
      • Add an 'old locks' report
    • Update Pandemic pages - LCFG
    • Move afsbuild server (juice) from Forum to AT
    • Discuss how to deploy two general purpose XRDP servers (with LCFG community)
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Manage change to systemd.defaultstdout being journal
      • including raising at LCFG deployer meeting
    • Continue with nagios wrt LCFG profile security

-- AlastairScobie - 21 Mar 2019

Topic revision: r6 - 23 Sep 2019 - 13:33:42 - AlastairScobie