MPU Meeting Thursday 3rd October 2019


Nothing happened

Profile Security

Nothing happened

Alternate Desktop Platform

The apt component has been reworked to greatly improve its manual mode, in which it drives the apt tool directly via the shell. It can now be used in much the same way as the unattended-upgrades tool.

Stephen has been working on the new package manager, named apteryx, which is written in Python and uses the apt_pkg module. As with updaterpms, it is designed so that it can also be run manually in a standalone fashion. So far it can install packages by name and architecture; there is currently no support for selecting a precise package version, and it cannot yet remove packages. Stephen has also added support to the apt component for configuring the tool via the standard apt.conf.d configuration directory.

The mailcap component has had some attention to make it work correctly on Debian/Ubuntu platforms. We still need some way of triggering the update-mime tool from the file component after a file changes; this would be a popular new feature with many LCFG users.

Stephen has packaged the Tartarus clientreport for Ubuntu. It mostly works after some tweaks to the paths of a few tools. The df output parser isn't quite working yet; it looks like it gets confused by all the loopback-mounted snap filesystems.

Miscellaneous Development

LCFG server file permissions
Neil noticed that the file permissions on the LCFG slave servers were upsetting one of his scripts. On checking, Stephen found that many of the directories containing profiles, headers and generated data files (e.g. DBs and XML profiles) had looser permissions than they should. The server component has been modified to set a tight umask before launching mkxprof, and the rsync command has gained --chmod=D750,F640 so that mirrored directories end up 750 and files 640, with no access for other users. On the LCFG master, access to the rfe directory has been tightened. Some of the changes broke rsync mirroring to the DR server; the rsyncd module options were tweaked to allow access again. This has all been tested on the LCFG test slave. As it needs a full profile rebuild, Stephen will do the main slaves out-of-hours to avoid disruption.
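As an added example (not LCFG's own code), the Python below models the fix described above. It uses 027 as the illustrative tight umask: that value makes newly created directories 750 and files 640, which is exactly the policy that --chmod=D750,F640 imposes on the rsync side, while the old default of 022 leaves 755/644 readable by every local user. The audit walks a tree and reports anything still accessible to "other" or writable by the group, which is the check you would run over the profile and header directories after the rebuild. The directory and file names are constructed for illustration and it assumes a POSIX filesystem.

```python
"""Added example (not LCFG's own code): model the permission fix.

umask 027 -> directories 750, files 640, matching rsync --chmod=D750,F640.
The audit reports every path that would violate that policy.  Directory and
file names below are constructed for illustration; assumes a POSIX filesystem.
"""
import os
import stat
import tempfile

# Bits that D750/F640 never permit: any access for "other", write for group.
FORBIDDEN_BITS = stat.S_IRWXO | stat.S_IWGRP


def make_tree(root, umask):
    """Create a small profile/header tree under root with the given umask.

    Mimics what a build step (mkxprof) does when run under a tight umask:
    os.mkdir starts from 0777 and open() from 0666, so the umask alone
    decides whether the result is 750/640 or 755/644.
    """
    old = os.umask(umask)
    try:
        for sub in ("profiles", "headers"):
            os.mkdir(os.path.join(root, sub))
        for rel in ("profiles/host.xml", "headers/site.h"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample content\n")
    finally:
        os.umask(old)


def audit_tree(root):
    """Return sorted paths (relative to root) whose mode violates D750/F640."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # lstat: judge the entry itself, do not follow symlinks out of the tree
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & FORBIDDEN_BITS:
                bad.append(os.path.relpath(path, root))
    return sorted(bad)


def demo(umask):
    """Build a tree in a fresh temp dir under `umask` and return its audit list.

    demo(0o027) -> []  (policy met)
    demo(0o022) -> every directory and file, because 755/644 expose them.
    """
    with tempfile.TemporaryDirectory() as root:
        make_tree(root, umask)
        return audit_tree(root)
```

The audit is deliberately stricter than "is it 750/640": it flags any entry with other-access or group-write bits, so a directory left at 770 or a file at 660 would also be caught, which is what you want when the goal is that only the owner and the serving group can read profiles.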

LCFG component scripts
After some discussion in the COs chatroom, Stephen has added support for a new per-component scripts directory. On Redhat this is /usr/lib/lcfg/scripts/<compname>/. Previously some components have been shipping static scripts in /usr/lib/lcfg/conf/<compname>/scripts/, which doesn't really seem the right place for executable scripts. There is a new build tools CMake macro, lcfg_add_script(), which can be used to install scripts into the new directory.


dban and UEFI
The dban disk wipe tool does not boot in UEFI mode so, to avoid confusion, it has been removed from that version of the PXE menu.

DL XRDP service
This is ready other than needing a decision on which roles/capabilities to use to control access.

IF KVM servers
Chris has reorganised the network cabling to improve resilience.
User KVM service
The KVM server amarela is now available for user guests.
The noht kernel command-line option does not work. There are ways to work around that, but they are not portable between different machines and so could be fragile. We will stick with disabling hyperthreading in the BIOS.
pkgforge builder
Stephen has reinstalled shrew so that it has more disk space, more memory and another CPU. He will do badger next.

This Week

  • Alastair
    • Inventory project
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Produce a Legitimate Interest Declaration and Privacy Statement
        • contains a list of every user and their status
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • records which informatics location a machine is observed (could track who is using which room, for wire-connected laptops)
        • consider what can be removed once a user has left the University
          • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      • Decommission ordershost
        • 01/10/19 - power off old ordershost 'nerano' (i.e. once KVM servers have stopped submitting kvmreport data to the database)
        • Xmas 2019 - delete old ordershost 'nerano'
    • Additional Tartarus work - non project
      • Create an entry in the new Services register once that is in service
      • client report to flag whether hyperthreading is disabled (in CPU report)
      • client report to take 'ipfilter.export'
      • modularise kvmreport so that it can both be used to report by mail and be used as a clientreport module
    • Take a look at RT #78875
      • WON'T LOOK UNLESS A BIG ISSUE (Ask Tom) - Tom asked 16/09/19
    • Look at Stephen's 'Thoughts on shell components'
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • Periodically run user expiry script every month until December 2019 and, if no problems, configure it to run automatically
      • Run 16/09/19
    • Meet Tim with Chris to review RAT involvement
    • Look at using php-5.6 on
    • Have a look at how APT / DPKG works, particularly wrt API
    • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
    • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
    • Upgrade girassol (remembering hyperthreading)
    • Check file permissions on tartarus and (can non-privileged users access stuff (including backups))
    • Go through non MPU RT tickets

  • Chris
    • User training materials project #403
    • Meet Tim with Alastair to review RAT involvement
    • Delete SL7RT tracker VM
    • Test cross-site KVM cold migration
    • Go through non MPU RT tickets

  • Stephen
    • Take the issue of disabling per-user journald logs on certain servers to OPS
    • Look at where we're using ALL in access.conf
    • Read George's mail of 8th November wrt DPIA
    • clientreport
      • Complete module errors report
      • Add an 'old locks' report
      • 'Old kernels' report
      • Report on core files in / directory
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Write SL7.6 final report
    • Security week page
    • Upgrade banjo and mandolin (remembering hyperthreading)
    • Decommission hare
    • 'vermelha' -> Distance Learning XRDP server
    • Look at whether 'inv' profile and 'inv' resources are still required
    • Go through non MPU RT tickets
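As an added example (not Tartarus's own code), the following models the periodic purge sketched under Alastair's inventory actions above: delete 'person' rows where 'upstream' is false and no 'item' row has a matching 'allocated_to', and, as the minutes suggest, clear 'category' for anyone who is no longer upstream but has to be kept. It runs against an in-memory SQLite copy of the two tables. The table and column names come from the minutes; the uun primary key, the item serial column and the sample rows are assumptions constructed for illustration.

```python
"""Added example (not Tartarus's own code): person-table purge for departed users.

Table/column names from the minutes: person(upstream, category),
item(allocated_to).  The 'uun' key, the 'serial' column and the sample rows
are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE person (
    uun      TEXT PRIMARY KEY,
    upstream INTEGER NOT NULL,   -- 1 while the user is still in the upstream feed
    category TEXT
);
CREATE TABLE item (
    serial       TEXT PRIMARY KEY,
    allocated_to TEXT REFERENCES person(uun)   -- NULL when unallocated
);
"""

# Constructed sample data: alice is current; bob has left but still holds a
# machine; carol has left and holds nothing; one item is unallocated (NULL).
SAMPLE_PEOPLE = [
    ("alice", 1, "staff"),
    ("bob",   0, "staff"),
    ("carol", 0, "student"),
]
SAMPLE_ITEMS = [
    ("SN001", "alice"),
    ("SN002", "bob"),
    ("SN003", None),
]


def open_db():
    """Build the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", SAMPLE_PEOPLE)
    conn.executemany("INSERT INTO item VALUES (?, ?)", SAMPLE_ITEMS)
    conn.commit()
    return conn


def purge_departed(conn):
    """Delete people who are no longer upstream and are allocated no items.

    Returns the deleted uuns so the periodic job can log what it removed.
    NOT EXISTS is used rather than NOT IN: with an unallocated item
    (allocated_to IS NULL) a NOT IN subquery evaluates to NULL for every
    row and silently deletes nothing, which would leave the data in place.
    """
    rows = conn.execute(
        """
        SELECT uun FROM person p
        WHERE p.upstream = 0
          AND NOT EXISTS (SELECT 1 FROM item i WHERE i.allocated_to = p.uun)
        ORDER BY uun
        """
    ).fetchall()
    departed = [r[0] for r in rows]
    conn.executemany("DELETE FROM person WHERE uun = ?", [(u,) for u in departed])
    # Minimisation for those who have left but must stay because they still
    # hold an item: drop the category, as the minutes propose.
    conn.execute("UPDATE person SET category = NULL WHERE upstream = 0")
    conn.commit()
    return departed


def remaining(conn):
    """(uun, category) for everyone left, for inspection after a purge."""
    return conn.execute("SELECT uun, category FROM person ORDER BY uun").fetchall()
```

Running the purge a second time is a no-op, which is the property a monthly job needs; the NULL-safe NOT EXISTS form is the part worth carrying over to the real database, since a single unallocated item would otherwise defeat the whole deletion.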

-- AlastairScobie - 03 Oct 2019

Topic revision: r9 - 17 Oct 2019 - 10:32:54 - StephenQuinney