MPU Meeting Wednesday 11th September 2019

Inventory

Alastair fixed a bug whereby the system hadn't alerted anyone that the supplier reports (from Dell, HP, etc.) had not been processed properly for some time, due to a change in the format of the input. If this happens again, the module will fail, triggering a notification.

A bug meant that some MAC addresses were being set as blank. This has been fixed. CSOs now have earlier access to MAC addresses.

Profile security

There's now Nagios and monitoring code for using GSSAPI authentication.

SL 7.6 upgrade

Nothing this week.

Alternative DICE desktop

Lots of components have now been ported. The hardware component has been updated.

The pam component and resources now support an alternative root directory, for testing configurations. In order to make it possible to compare pam configurations - for instance to compare the Debian or Ubuntu standard configuration with the DICE one - Stephen has written a tool which tidies a pam configuration into a standard order.

The LCFG level headers will now create a default Debian/Ubuntu configuration.

There's support for Kerberos authentication and AFS at the LCFG level.

You can log in using the Informatics KDC. You also need to configure sssd.

Stephen has sanitised our authentication and authorisation headers. One big header has been split out into logical units.

There's no DICE level pam configuration yet.

Polkit is the same as on EL7, so that's easy to do.

auditd and a few others have been done too. The aim is to get LCFG to recreate a standard install.

Stephen has been learning how to package perl modules, and he can now package (for example) buzzsaw and package forge and other things which use (for example) Catalyst, Moose and DBIx::Class. Mostly this is very straightforward because most of it is already there.

One obvious packaging difference is that Debian has static dependency lists rather than automated dependency discovery, so Stephen has written a tool to discover dependencies.

The components which haven't been done are the ones we'll need to replace or improve, or which are big and mostly used on the DICE level, such as the kerberos component.

Stephen will organise a meeting of interested parties for a status report. We can then make decisions about what needs porting, what won't be ported, what'll need work, what'll be difficult, what'll need replacing, and so on.

Miscellaneous development

The Virtual DICE images are almost ready. A thought: we could offer to distribute the images via a memory stick from the Support desk? Maybe with e.g. a 5 deposit? Support could reimage them after each use, for example with dd. Chris will look into this idea.

Last week Chris got a sample GPU desktop working with GNOME and KDE. However it was found this week that CUDA didn't work with that configuration, so Stephen has changed things further. They'll all be fine for the start of labs on Monday.

The latest version 435 nvidia driver is needed by and installed on the Novatech CDT machines, and seems to be working there.

Operational

The backported 7.7 -> 7.6 security updates are now in the stable release, along with a new kernel, version 1062.1.1.

Stephen has reviewed the MPU's nograce capabilities, specifically those associated with ordershost, lcfg and om, and didn't find any big problems. There was an old capability which conferred the ability to log in to lcfgsvn. It's out of auth.users. This capability will be removed. The lcfgsvn group is no longer needed but is still associated with some files on local disk. It no longer has any members but the group will be kept until the files can be reviewed and tidied.

We should delay the rest of the KVM server upgrades until after the first few weeks of the session.

We'll get the rest of the KB-based VMs onto the new servers, then move the old KVM servers there to their new duties: amarela will become a KVM server for user VMs, and vermelha will become a remote desktop server for distance learning students.

In clientreport, sync_kvm_guest now times out after 30 seconds. (It uses the handy timeout command.)

Almost all of the MPU's computing.help page reviews are now done.

This Week

  • Alastair
    • Inventory project
      • Documentation - end user
      • Documentation - code
        • clientreport (eg how to add modules)
        • order sync code
        • HPreport processing script
        • link in from MPU top page
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Add requirement to computing.help project stuff to reimplement new computing help form using REST API
      • Produce a Legitimate Interest Declaration and Privacy Statement
        • contains a list of every user and their status
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • records which informatics location a machine is observed in (could track who is using which room, for wire-connected laptops)
        • consider what can be removed once a user has left the University
          • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      • Decommission ordershost
        • need to replicate kvmreport mechanism on Tartarus (or somewhere)
          • submit data via clientreport mechanism
        • take snapshot of files (no need to take snapshot of SQL as this is automatically recreated from orders files)
        • power off for 3 months prior to deleting to see if anything breaks
      • Document Tim's theon old inv snapshot and what its purpose now is. Also modify invquery to remark that data is historical only.
      • client report to take 'sysinfo.manager' and populate item.manager from this
        • should change go 'Modify /usr/lib/tartarus/bin/load_make_model to set item.manager to sysinfo.manager where item.managed_type=dice
      • client report to flag when hyperthreading disabled or not (in CPU report)
      • client report to take 'ipfilter.export'
    • Take a look at RT #78875
      • WON'T LOOK UNLESS A BIG ISSUE (Ask Tom) - Tom asked 16/09/19
    • Look at Stephen's 'Thoughts on shell components'
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • Periodically run user expiry script every month until December 2019 and if no problems configure to run automatically
      • Run 16/09/19
    • Meet Tim with Chris to review RAT involvement
    • Look at using php-5.6 on computing.help
    • Check with Tim whether we still need service catalogue entry (eg for XRDP service) as part of project deliverables
      • We don't need to create an entry in the old service catalogue entry, but we do need to create an entry in the Register of Services, when it is produced. Particularly important for services with data.
    • Read SL7 coordination project final report
      • Need a project home snapshot
    • Have a look at how APT / DPKG works, particularly wrt API
    • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
    • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
    • Upgrade girassol (remembering hyperthreading)
    • Continue with RT ticket tidy up as per 04/09/19
      • 96250,90028

  • Chris
    • User training materials project #403
    • Meet Tim with Alastair to review RAT involvement
    • Package up Virtual DICE images and update help pages
    • Computing.help - virtual dice
    • Upgrade gaivota (remembering hyperthreading)
    • Final migration of VMs to new KVM servers
    • 'amarela' -> user KVM
    • Continue with RT ticket tidy up as per 04/09/19

  • Stephen
    • Take the issue of disabling per-user journald logs on certain servers to OPS
    • Look at where we're using ALL in access.conf
    • Read George's mail of 8th November wrt DPIA
    • clientreport
      • Complete module errors report
      • Add an 'old locks' report
      • 'Old kernels' report
      • Report on core files in / directory
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Write SL7.6 final report
    • Security week page
    • Upgrade banjo and mandolin (remembering hyperthreading)
    • Decommission hare
    • Force 'noht' on KVM servers in relevant header
    • 'vermelha' -> Distance Learning XRDP server
    • Continue with RT ticket tidy up as per 04/09/19

-- AlastairScobie - 11 Sep 2019

Topic revision: r7 - 23 Sep 2019 - 13:33:42 - AlastairScobie