MPU Meeting Wednesday 25th September 2019


  • Alastair has been working on the documentation.
  • A few more minor features have been implemented.
  • clientreport now gets run at boot time, using a systemd timer. This should make it easier for User Support to deploy new machines.
  • When a machine stops being a DICE machine, its client report is removed.
  • The final report has been started!

Profile security

Develop machines will get their profiles via GSSAPI from Thursday. Once that's happening, Stephen will assess its impact on the LCFG servers before making the same change for other machines, as it's expected that Apache will have to do more work.

SL 7.6 upgrade

This just needs a final report and sign-off.

Alternative DICE desktop

  • Stephen has written a simple proof-of-concept package tool for Debian/Ubuntu. There will eventually be an "apt" component, equivalent to updaterpms, but for now the tool takes a YAML package list and installs the packages listed there, plus any dependencies. It doesn't have bells and whistles yet - for instance it doesn't handle version numbers; it doesn't send mail; there's no facility for the installation of a package to trigger the running of a component.
  • The pam configuration has been developed some more. Physics is using pam_sss, which supports GSSAPI, and we should probably move to using this instead of pam_krb5. The default configuration which lcfg-pam generates now more closely matches the stock Ubuntu configuration.
  • The default configuration which lcfg-openssh generates now more closely matches the stock Ubuntu configuration.
  • Stephen is now working on inf level support. He's starting this by clearing out a lot of old crap from the inf level, such as SL5 support.

SL7 server upgrade coordination project (project 362)

This just needs a snapshot of the project webpages and an SQL dump of sl7rt, then it can go to sign-off.

Miscellaneous development

  • Virtualbox is provoking newer Macs to crash (RT:97679) which isn't really ideal.
  • Following the guest additions problems which Alastair and Chris have encountered (RT:97681) Alastair has tried the guest additions from Virtualbox 6.0.13 and they compile cleanly. We are therefore hoping for great things from the next public version of Virtualbox which we expect will be 6.0.14. All being well, when that comes out Chris will re-image the current Virtual DICE VMs with the new version.
  • Student lab disk space issues: the LCFG checks page for the student labs now tells you if a machine's root partition is too small and if it's too full.
  • At the time of the meeting 100-150 student lab machines still needed a reinstall, including 20 new G4 GPU machines. As before, when a lab is being reinstalled en masse, Stephen can tweak its PXE config to make things slightly easier.


  • Stephen has had a chance to try out a new HP G5 desktop. He found that with a standard DICE install it would fail to reboot after the first pass, because of an incorrect grub configuration. This was traced to HP's Sure Recover feature - which, if it can't find a boot target on the machine's storage, helpfully tries to download and install Windows! Once this has been turned off, the machine can successfully detect and fix its broken UEFI boot menu and get past the problem (and subsequently fix it).
  • Chris has shuffled server disks at KB such that vermelha now has 1TB of scratch and tmp space for its new XRDP role, and amarela now has plenty of spare disks to help it in its new role as the KVM server for student project VMs.
  • Alastair is decommissioning ordershost.

This Week

  • Alastair
    • Inventory project
      • Documentation - end user
      • Documentation - code
        • clientreport (eg how to add modules)
        • order sync code
        • HPreport processing script
        • link in from MPU top page
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Produce an Legitimate Interest Declaration and Privacy Statement
        • contains a list of every user and their status
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • records which informatics location a machine is observed (could track who is using which room, for wire-connected laptops)
        • consider what can be removed once a user has left the University
          • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      • Decommission ordershost
        • need to replicate kvmreport mechanism on Tartarus (or somewhere) De-scoping as not used in last month
          • submit data via clientreport mechanism
        • take snapshot of files (no need to take snapshot of SQL as this is automatically recreated from orders files)Now in AFS mp-unit group space
        • 01/10/19 - poweroff old ordershost 'nerano' (ie once KVM servers have stopped submitting kvmreport data to the database)
        • Xmas 2019 - delete old ordershot 'nerano'
      • Document Tim's theon old inv snapshot and what its purpose now is. Also modify invquery to remark that data is historical only.
    • Additional Tartarus work - non project
      • Create an entry in the new Services register once that is in service
      • client report to flag when hyperthreading disabled or not (in CPU report)
      • client report to take 'ipfilter.export'
      • modularise kvmreport so that it can both be used to report by mail and be used as a clientreport module
    • Take a look at RT #78875
      • WON'T LOOK UNLESS A BIG ISSUE (Ask Tom) - Tom asked 16/09/19
    • Look at Stephen's 'Thoughts on shell components'
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • Perioidically run user expiry script every month until December 2019 and if no problems configure to run automatically
      • Run 16/09/19
    • Meet Tim with Chris to review RAT involvement
    • Look at using php-5.6 on
    • Have a look at how APT / DPKG works, particularly wrt API
    • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
    • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
    • Upgrade girassol (remembering hyperthreading)
    • Continue with RT ticket tidy up as per 04/09/19
      • 90028

  • Chris
    • User training materials project #403
    • Meet Tim with Alastair to review RAT involvement
    • 'amarela' -> user KVM
    • Produce home snapshot of SL7 project
      • including pg_dump of SL7 RT instance and then can the SL7 RT VM

  • Stephen
    • Take issue of disable per user journald logs on certain servers to OPS
    • Look at where we're using ALL in access.conf
    • Read George's mail of 8th November wrt DPIA
    • clientreport
      • Complete module errors report
      • Add an 'old locks' report
      • 'Old kernels' report
      • Report on core files in / directory
    • Produce an Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Write SL7.6 final report
    • Security week page
    • Upgrade banjo and mandolin (remembering hyperthreading)
    • Decommission hare
    • Force 'noht' on KVM servers in relevant header - hasn't been supported since SL5
    • 'vermelha' -> Distance Learning XRDP server
    • Review 'gnome logout' page

-- AlastairScobie - 25 Sep 2019

Topic revision: r5 - 02 Oct 2019 - 15:35:32 - ChrisCooke
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
This Wiki uses Cookies