MPU Meeting Wednesday 28th August 2019


Alastair has applied the patches from Stephen's review of the Tartarus code. Some weird behaviour was found involving given/when and the default variable $_. The perlsyn manpage describes given as highly experimental and this is a bug which is fixed in perl 5.18 (we have 5.16.3 on SL7). The solution was to refactor the code to use a good old-fashioned if/elsif/else block. This demonstrates the benefits of having a comprehensive test suite.

LCFG Profile Security

Nothing happened.

SL 7.6 Upgrade

Nothing happened. Still need to write the final report.

Alternative Desktop Platform

All component packages now have a debian sub-directory which means it should be possible to build most of them as Debian packages. Stephen is planning to do the usual auto-build process at some point soon. This should make it easier for other schools to test components they care about and give feedback/bugs.

Stephen has been helping Barry O'Rourke from the School of Physics get an LCFG-managed Ubuntu machine up and running.

Miscellaneous Development

virtual dice
Chris is preparing the new image for Semester 1. This will be guest-login only; he's trying to get it to autologin to make it even easier to use. There are two images: small, which is 11GB, and large, which is 20GB. He has been investigating how to give the user root access; Stephen suggested looking at polkit.


7.6 backports
A large number of security updates have been backported from SL7.7. This has brought with it various Python package upgrades which have been awkward to manage. The plan is that these updates will go out in the stable release on 11th September which is (just) before the start of Semester 1.

New kernel
Along with the rest of the security updates there will also be an upgrade to the latest kernel (based on the 1062 series).

The default virtualbox series has been changed from 5.2 to 6.0; currently we're using 6.0.10.

There are updates for the 390 and 430 series of the nvidia driver.

We need to review our nograce entitlements. Alastair will check that all the orders roles are marked as nograce.

capabilities for student labs
Stephen is proposing to introduce new capabilities which can be used to control access to the lab machines. These would be something like login/studentlab/console and login/studentlab/remote. We probably also need to think about how to control access to the student compute facilities to stop them being abused.

capabilities for public machines
Currently many of the public machines in the Forum have lists of permitted users in their profiles. It would be better to introduce a new login/public/console capability which can be given to the relevant users.

This Week

  • Alastair
    • Inventory project
      • Documentation - end user
      • Documentation - code
        • clientreport (eg how to add modules)
        • order sync code
        • HPreport processing script
        • link in from MPU top page
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Add requirement to project stuff to reimplement new computing help form using REST API
      • Produce a Legitimate Interest Declaration and Privacy Statement
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • consider what can be removed once a user has left the University
          • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      • Decommission ordershost
        • need to replicate kvmreport mechanism on Tartarus (or somewhere)
          • submit data via clientreport mechanism
        • take snapshot of files (no need to take snapshot of SQL as this is automatically recreated from orders files)
        • power off for 3 months prior to deleting to see if anything breaks
      • Document Tim's theon old inv snapshot and what its purpose now is. Also modify invquery to remark that data is historical only.
      • client report to take 'sysinfo.manager' and populate item.manager from this
      • client report to flag whether hyperthreading is disabled or not (in CPU report)
      • client report to take 'ipfilter.export'
    • Take a look at RT #78875
    • Look at Stephen's 'Thoughts on shell components'
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • Periodically run user expiry script every month until August 2019 and if no problems configure to run automatically
    • Check with Tim / George about capability for login to student machines - where are we
      • Tim says that we should create a capability that is given to the base cohort and set that capability to no-grace
    • Meet Tim with Chris to review RAT involvement
    • Look at using php-5.6 on
    • Check with Tim whether we still need service catalogue entry (eg for XRDP service) as part of project deliverables
    • Read SL7 coordination project final report
    • Have a look at how APT / DPKG works, particularly wrt API
    • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
    • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
    • Look at low hanging fruit re pages that need refreshed
    • Upgrade girassol (remembering hyperthreading)
    • Re: "Review roles re nograce for ordershost/tartarus etc"

  • Chris
    • Look at RT
    • User training materials project #403
    • Meet Tim with Alastair to review RAT involvement
    • Package up Virtual DICE images and update help pages
    • - virtual dice, remote wipe, ssh on ios
    • Upgrade azul and gaivota (remembering hyperthreading)
    • Create dedicated header for the teaching GPU desktops (to pull in the relevant software/drivers/config etc)

  • Stephen
    • Take issue of disabling per-user journald logs on certain servers to OPS
    • Look at where we're using ALL in access.conf
    • Continue with RT ticket clearout as discussed in October
    • Read George's mail of 8th November wrt DPIA
    • clientreport
      • Complete module errors report
      • Add an 'old locks' report
      • 'Old kernels' report
      • Report on core files in / directory
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Write SL7.6 final report
    • Security week page
    • Upgrade banjo and mandolin (remembering hyperthreading)
    • Decommission hare
    • Check whether we have any roles which should be "nograce"

-- AlastairScobie - 28 Aug 2019

