MPU Meeting Thursday 24th October 2019

Inventory

Nothing happened.

Profile Security

Nothing happened.

Alternate Desktop Platform

Schema changes

Stephen has been modifying lots of LCFG component schemas to remove build-time macros which result in platform-dependent default values. In most cases they can be easily replaced with references to sysinfo resources. He will ship the new packages in batches over the next few weeks.

Ubuntu 19.10

Development has switched to the 19.10 release. Mostly this was a straightforward rebuild of the packages but a problem was found in the lcfg-core code. The context handling part of the lcfg-core libraries uses bison and flex, there is a major new version (3.4.1 replacing 3.0.4) which removes some deprecated features and also modifies the behaviour of some other features in ways which break our code (in particular the replacement of the name-prefix option with api.prefix). It has proved too tricky to come up with a solution that builds correctly on both EL7 and Ubuntu 19.10 so the code has been forked for now, if that causes issues we can revisit the problem later.

apteryx

It is now possible to install/upgrade specific versions of packages, downgrades still don't work, Stephen will try asking for advice on the python-apt project mailing list. Some work has also been done to support LCFG package flags.

Miscellaneous Development

KVM migration

Chris has been testing migrating KVM VMs between sites in preparation for moving all the student VMs to amarela.

Operational

libwbclient alternatives

The libwbclient package has a bug in the install scripts which mean that the update-alternatives script fails to set the correct symlinks (Redhat bug#1737888). This breaks, at least, gnome-control-center, see RT#98354 for details.

SL7 RT

This has been turned off.

submit command problems

There were some problems with the submit command not having the necessary setgid permissions. This turned out to be mostly due to a mistaken use of the LCFG boot context when it should have been the :B flag on the package specification. Stephen discussed the problem in more detail with Graham and it was agreed that the package should use numeric GID rather than a name given the group is specified in LDAP rather than the local file.

virtual dice

Chris will update the VM to use the 6.0.14 additions now they have been released.

This Week

• Alastair
  • Inventory project
    • Start work on final report!
    • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
    • Produce an Legitimate Interest Declaration and Privacy Statement
      • contains a list of every user and their status
      • records machine to user allocation (with their UUN, cname, sname, user category)
      • records who requests which order (usually just uun, but can be cname+sname)
      • records who makes a change in inventory (just uun)
      • records which informatics location a machine is observed (could track who is using which room, for wire-connected laptops)
      • consider what can be removed once a user has left the University
        • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
    • Decommission ordershost
      • Xmas 2019 - delete old ordershot 'nerano'
  • Additional Tartarus work - non project
    • Create an entry in the new Services register once that is in service
    • client report to flag when hyperthreading disabled or not (in CPU report)
    • client report to take 'ipfilter.export'
    • modularise kvmreport so that it can both be used to report by mail and be used as a clientreport module
  • Take a look at RT #78875
    • WON'T LOOK UNLESS A BIG ISSUE (Ask Tom) - Tom asked 16/09/19
  • Look at Stephen's 'Thoughts on shell components'
  • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
  • drupal username collection re GDPR
    • Perioidically run user expiry script every month until December 2019 and if no problems configure to run automatically
    • Run 16/09/19
  • Meet Tim with Chris to review RAT involvement
  • Look at using php-5.6 on computing.help
  • Have a look at how APT / DPKG works, particularly wrt API
  • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
  • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
  • Upgrade girassol (remembering hyperthreading)
  • Check file permissions on tartarus and computing.help (can non privileged users access stuff (including backups))
  • Go through non MPU RT tickets

• Chris
  • User training materials project #403
    • complete and then publish ThoughtsOn403 - and ask for comments
  • Meet Tim with Alastair to review RAT involvement
  • Move student VMs to 'amarela'
  • Go through non MPU RT tickets
  • Update guest additions in Virtual DICE

• Stephen
  • Take issue of disable per user journald logs on certain servers to OPS
  • Look at where we're using ALL in access.conf
  • Read George's mail of 8th November wrt DPIA
  • clientreport
    • Complete module errors report
    • Add an 'old locks' report
    • 'Old kernels' report
    • Report on core files in / directory
  • Produce an Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
  • Write SL7.6 final report
  • Security week page
  • Upgrade banjo and mandolin (remembering hyperthreading)
  • 'vermelha' -> Distance Learning XRDP server

-- AlastairScobie - 24 Oct 2019