MPU Meeting Wednesday 23rd August 2019


Nothing this week.

LCFG Profile Security

Next week, LCFG client GSSAPI will be enabled for machines on the develop release.

SL 7.6 Upgrade

More package conflicts have surfaced and been fixed:
  • A missing dependency in kvm-rhev.h (Bug:1151)
  • An issue with Libre Office which upset a few RAT machines.

Alternative Desktop Platform

  • Non-Red Hat machines now get a YAML configuration file containing a list of packages to be installed. The file can be read and handled properly by qxpack.
  • GPG signing of metadata has been added to the package repository. This is needed because apt wants packages to be signed by a key which it trusts. However, it's also fussy about how files are signed, and when it objects to a signed package, it doesn't provide an adequate explanation. The moral is don't sign packages with SHA1.
  • As a result it's now possible to simply download a GPG key onto a running machine; install the key; then install LCFG packages using apt.
  • To start with, packages have been built for Ubuntu 19.04.
  • The current prototype systemd config mirrors SL7 DICE behaviour as far as possible.
  • Next:
    • Stephen will put together a tool to manage what software is installed on a machine.
    • and a VM image for the folks at the next LCFG Deployers Meeting to play with.
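The signing point above (apt only trusts metadata signed by a key it knows, it rejects a SHA1 signature, and it does not say why) can be checked before a repository is published rather than discovered on a client. The following is an added example, not LCFG or project tooling: a small OpenPGP packet reader that reports the hash algorithm recorded in each signature packet of a Release.gpg or InRelease file, so a SHA1 signature is caught before apt sees it. Packet layout follows RFC 4880; the sample signature packet the block builds for itself is constructed purely to exercise the parser and would not verify against any key.

```python
import base64

# OpenPGP hash-algorithm IDs (RFC 4880, section 9.4). apt refuses Release
# signatures made with the weak ones.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1"}
BEGIN, END = b"-----BEGIN PGP SIGNATURE-----", b"-----END PGP SIGNATURE-----"

def dearmor(data: bytes) -> bytes:
    """Return the raw packets from an armored signature (Release.gpg or the
    signature block of InRelease); binary input is returned unchanged."""
    start = data.find(BEGIN)
    if start < 0:
        return data
    body = data[start + len(BEGIN):]
    end = body.find(END)
    if end < 0:
        raise ValueError("unterminated armor")
    # Drop the tail of the BEGIN line; armor headers end at the first blank line.
    lines = body[:end].replace(b"\r\n", b"\n").split(b"\n")[1:]
    b64, in_body = [], False
    for line in lines:
        if not in_body:
            in_body = line.strip() == b""
        elif line.startswith(b"="):      # CRC-24 line terminates the data
            break
        else:
            b64.append(line.strip())
    return base64.b64decode(b"".join(b64))

def packet_header(buf: bytes, pos: int):
    """Decode one packet header (RFC 4880, section 4.2): (tag, body_start, body_len)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                        # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = 1 << ltype                   # 1, 2 or 4 length octets
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")

def signature_digests(data: bytes) -> list:
    """Name the hash algorithm of every signature packet (tag 2) in data."""
    buf, pos, found = dearmor(data), 0, []
    while pos < len(buf):
        tag, start, length = packet_header(buf, pos)
        body = buf[start:start + length]
        if tag == 2:
            version = body[0]
            if version in (4, 5):         # version, sig type, pubkey alg, hash alg
                algo = body[3]
            elif version == 3:            # v3 puts the hash alg after time + key id
                algo = body[16]
            else:
                raise ValueError(f"unsupported signature version {version}")
            found.append(HASH_ALGOS.get(algo, f"unknown({algo})"))
        pos = start + length
    return found

def weak_signatures(data: bytes) -> list:
    """The subset of signature digests apt will reject."""
    return [h for h in signature_digests(data) if h in WEAK_HASHES]

# --- constructed test data: a minimal, unverifiable v4 signature packet ---
def make_sig_packet(hash_algo: int) -> bytes:
    body = bytes([4, 0x00, 1, hash_algo])   # v4, binary-document sig, RSA, hash alg
    body += b"\x00\x00" + b"\x00\x00"       # no hashed / unhashed subpackets
    body += b"\xab\xcd" + b"\x00\x08\xff"   # left 16 bits of hash, one dummy MPI
    return bytes([0x80 | (2 << 2), len(body)]) + body

def crc24(data: bytes) -> int:
    crc = 0xB704CE                           # RFC 4880, section 6.1
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packet: bytes) -> bytes:
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big"))
    return BEGIN + b"\n\n" + base64.b64encode(packet) + b"\n=" + crc + b"\n" + END + b"\n"

if __name__ == "__main__":
    for algo in (2, 8):
        print(algo, signature_digests(armor(make_sig_packet(algo))), weak_signatures(make_sig_packet(algo)))
```

On a real repository `gpg --list-packets Release.gpg` prints the same fact as a "digest algo N" line, and signing with `gpg --digest-algo SHA256` (or an equivalent `digest-algo` line in gpg.conf) keeps SHA1 out of the metadata in the first place.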

Miscellaneous Development

Chris has been working on Virtual DICE.
  • A VM which lacks the large RAT packages will probably be sufficient for first and second year undergrads.
  • By far the easiest way to make the large RAT packages available to Virtual DICE users is to also offer a VM with those packages, so Chris has now made two test VMs, little and large, which are identical except for the absence or presence of these packages.
  • He's spent some time trying to enable autologin but hasn't yet cracked it.


  • dice/options/ksm.h has been added to live/mpu-kvm-server.h so all of them should have KSM enabled after their next reboot.
  • The new KVM servers at KB, with system disks on RAIDed SSDs, are already using the most appropriate IO scheduler ("deadline"). This happens by default. However, either because of the SSDs themselves or because of the RAID controller, the kernel does not know that they are not rotational devices. Chris has set the "rotational" kernel parameter for their system disks to 0; this eliminates some seek-reducing logic from the IO scheduler, for a possible minor performance increase.
  • Stephen has scheduled an intrusion debrief session for after the next Operational meeting.
  • Stephen has reviewed and updated pretty much all of our pages which needed it, except for the Virtual DICE ones, which Chris will do.
  • staff.ssh has now moved to steen. Its old host hare will be powered off soon.
  • It's KVM Server Upgrade season once again. Stephen will tackle banjo and mandolin, Chris azul and gaivota and Alastair will do girassol. The idea is to:
    • Upgrade to SL 7.6
    • Disable hyperthreading, where this hasn't already been done
    • Start KSM (this should now happen automatically at the reboot).
  • Stephen is testing Toby's latest fail2ban, the one which handles IPv6, on steen. Stephen needed to rebuild it for python 3.6 rather than 3.4. If all is well it'll go onto the other ssh server soon.
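The KVM server item above turns on two sysfs attributes: queue/scheduler (where the bracketed entry is the active scheduler) and queue/rotational, which the kernel may get wrong for SSDs behind a RAID controller. The following is an added example, not part of the notes or of any LCFG component: it reads both attributes for a named disk, reports whether the "rotational" flag and scheduler look right for an SSD, and applies the same change as `echo 0 > /sys/block/<dev>/queue/rotational`. It runs against a constructed sysfs tree in a temporary directory; on a live server pass `/sys` as the root and run it as root.

```python
from pathlib import Path
import tempfile

# Schedulers that do not try to minimise head movement; "deadline" is what the
# notes above report the KB servers already using by default.
SSD_FRIENDLY = {"deadline", "mq-deadline", "none", "noop"}

def active_scheduler(text: str) -> str:
    """queue/scheduler lists every scheduler and brackets the active one,
    e.g. "noop [deadline] cfq" on an SL7 kernel."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    raise ValueError(f"no active scheduler in {text!r}")

def inspect_disk(sysfs_root, dev: str) -> dict:
    """Read the two queue attributes that matter for an SSD-backed system disk."""
    queue = Path(sysfs_root) / "block" / dev / "queue"
    rotational = (queue / "rotational").read_text().strip() == "1"
    sched = active_scheduler((queue / "scheduler").read_text())
    findings = []
    if rotational:
        findings.append("flagged rotational: set queue/rotational to 0 if this is really an SSD")
    if sched not in SSD_FRIENDLY:
        findings.append(f"scheduler '{sched}' is tuned for spinning disks")
    return {"device": dev, "rotational": rotational, "scheduler": sched, "findings": findings}

def mark_non_rotational(sysfs_root, dev: str) -> None:
    """Same effect as 'echo 0 > /sys/block/<dev>/queue/rotational' (root needed on a live system)."""
    (Path(sysfs_root) / "block" / dev / "queue" / "rotational").write_text("0\n")

def make_fake_sysfs(root, dev: str, rotational: str, scheduler: str) -> None:
    """Constructed sysfs tree so the checks can run without a real block device."""
    queue = Path(root) / "block" / dev / "queue"
    queue.mkdir(parents=True, exist_ok=True)
    (queue / "rotational").write_text(rotational + "\n")
    (queue / "scheduler").write_text(scheduler + "\n")

def demo() -> list:
    """Before/after reports for a constructed SSD that the kernel wrongly calls rotational."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_sysfs(tmp, "sda", "1", "noop [deadline] cfq")
        before = inspect_disk(tmp, "sda")
        mark_non_rotational(tmp, "sda")
        after = inspect_disk(tmp, "sda")
    return [before, after]

if __name__ == "__main__":
    for report in demo():
        print(report)
```

A write to /sys does not survive a reboot; if the flag is to stay at 0 on the KB servers it has to be set again at boot, typically from a udev rule or a boot-time script, which is worth checking after the upcoming upgrades.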

This Week

  • Alastair
    • Inventory project
      • Documentation - end user
      • Documentation - code
        • clientreport (eg how to add modules)
        • order sync code
        • HPreport processing script
        • link in from MPU top page
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Add requirement to project stuff to reimplement new computing help form using REST API
      • Produce a Legitimate Interest Declaration and Privacy Statement
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • consider what can be removed once a user has left the University
          • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      • Decommission ordershost
        • need to replicate kvmreport mechanism on Tartarus (or somewhere)
          • submit data via clientreport mechanism
        • take snapshot of files (no need to take snapshot of SQL as this is automatically recreated from orders files)
        • power off for 3 months prior to deleting to see if anything breaks
      • Document Tim's theon old inv snapshot and what its purpose now is. Also modify invquery to remark that data is historical only.
      • client report to take 'sysinfo.manager' and populate item.manager from this
      • client report to flag when hyperthreading disabled or not (in CPU report)
      • client report to take 'ipfilter.export'
      • Apply Stephen's code cleanup patches
    • Take a look at RT #78875
    • Look at Stephen's 'Thoughts on shell components'
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • Periodically run user expiry script every month until August 2019 and if no problems configure to run automatically
    • Check with Tim / George about capability for login to student machines - where are we
      • Tim says that we should create a capability that is given to the base cohort and set that capability to no-grace
    • Meet Tim with Chris to review RAT involvement
    • Look at using php-5.6 on
    • Check with Tim whether we still need service catalogue entry (eg for XRDP service) as part of project deliverables
    • Read SL7 coordination project final report
    • Have a look at how APT / DPKG works, particularly wrt API
    • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
    • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
    • Look at low hanging fruit re pages that need refreshed
    • Check spending plan
    • Upgrade girassol (remembering hyperthreading)

  • Chris
    • Look at RT
    • User training materials project #403
    • Meet Tim with Alastair to review RAT involvement
    • Package up Virtual DICE images and update help pages
      • virtual dice, remote wipe, ssh on ios
    • Upgrade azul and gaivota (remembering hyperthreading)

  • Stephen
    • Take issue of disable per user journald logs on certain servers to OPS
    • Look at where we're using ALL in access.conf
    • Continue with RT ticket clearout as discussed in October
    • Read George's mail of 8th November wrt DPIA
    • clientreport
      • Complete module errors report
      • Add an 'old locks' report
      • 'Old kernels' report
      • Report on core files in / directory
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Write SL7.6 final report
    • Security week page
    • Check spending plan
    • Upgrade banjo and mandolin (remembering hyperthreading)
    • Decommission hare
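The inventory cleanup rule in Alastair's list above (a periodic script deletes 'person' rows where 'upstream' is false and no 'item' row has a matching 'allocated_to'; arguably 'category' should also be NULL where 'upstream' is false) written out as an added example against an in-memory SQLite database. This is not the inventory project's code or schema: the two table definitions and the sample rows are constructed and carry only the columns the note names. The delete runs as a dry run by default so the script can be watched for a few cycles before it is trusted.

```python
import sqlite3

# Constructed schema: only the columns the cleanup rule refers to.
SCHEMA = """
CREATE TABLE person (uun TEXT PRIMARY KEY, upstream INTEGER NOT NULL, category TEXT);
CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT, allocated_to TEXT REFERENCES person(uun));
"""

# A person row is stale when it was created locally (upstream = 0) and no
# item is still allocated to it. Upstream rows are never touched here.
STALE_SQL = """
SELECT p.uun FROM person p
WHERE p.upstream = 0
  AND NOT EXISTS (SELECT 1 FROM item i WHERE i.allocated_to = p.uun)
ORDER BY p.uun
"""

def stale_persons(conn) -> list:
    return [row[0] for row in conn.execute(STALE_SQL)]

def purge_stale_persons(conn, dry_run: bool = True) -> list:
    """Delete stale rows; with dry_run (the default) only report what would go."""
    stale = stale_persons(conn)
    if not dry_run and stale:
        conn.executemany("DELETE FROM person WHERE uun = ?", [(u,) for u in stale])
        conn.commit()
    return stale

def null_local_categories(conn) -> int:
    """The optional step mooted in the note: category is only meaningful on upstream rows."""
    cur = conn.execute("UPDATE person SET category = NULL WHERE upstream = 0")
    conn.commit()
    return cur.rowcount

def remaining_persons(conn) -> list:
    return list(conn.execute("SELECT uun, upstream, category FROM person ORDER BY uun"))

def build_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed rows covering each case."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", [
        ("s1234567", 1, "student"),   # upstream, allocated: keep
        ("alice", 0, "staff"),        # local, still allocated: keep
        ("bob", 0, "visitor"),        # local, nothing allocated: stale
        ("carol", 1, "staff"),        # upstream, nothing allocated: not ours to delete
    ])
    conn.executemany("INSERT INTO item (name, allocated_to) VALUES (?, ?)", [
        ("lab-pc-01", "alice"), ("server-01", "s1234567"), ("spare-01", None),
    ])
    conn.commit()
    return conn

def run_cleanup() -> dict:
    """One full cycle: plan, confirm nothing changed, delete, then the optional NULLing."""
    conn = build_sample_db()
    return {
        "planned": purge_stale_persons(conn),                 # dry run
        "count_after_dry_run": len(remaining_persons(conn)),
        "deleted": purge_stale_persons(conn, dry_run=False),
        "remaining": [row[0] for row in remaining_persons(conn)],
        "categories_nulled": null_local_categories(conn),
    }

if __name__ == "__main__":
    for key, value in run_cleanup().items():
        print(f"{key}: {value}")
```

The NOT EXISTS form also copes with unallocated items (allocated_to NULL) without a special case, and because the delete is keyed on the list the dry run produced, what the script logs is exactly what it removes.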

-- AlastairScobie - 21 Aug 2019
