MPU Meeting Wednesday 6th November 2019


No activity.

Profile Security

From Monday 18th November, machines will use GSSAPI to authenticate when fetching their LCFG profiles. This has been tested on the develop release for some weeks.

Alternate Desktop Platform

Stephen has been working on apteryx (source repository), his equivalent of updaterpms for apt-based systems.
  • It can now downgrade packages to lower versions.
  • Full logging support has been added. (Python has good logging frameworks.) It logs to console and to file as appropriate, and also to syslog if enabled. However, it's not yet logging everything that it should. Stephen's going to look into the logging facilities provided by the apt libraries.
  • It remembers whether or not each package was installed at boot time, so that it can remove it at boot time.
  • It remembers or detects packages which were installed but which have dropped out of the LCFG profile packages list.
  • Look for forthcoming blog posts.
He's also been working on the (complementary) lcfg-apt component (source repository):
  • It's been getting its finishing touches - for example, it can now send mail if there's an error.
  • It can run in upgrades only mode (like running the apt command line tool) or it can impose full scale control of a machine's packages.
  • It needs a timeout added.
  • It needs lots of testing.
  • There's now support for user verification.
He's also been looking into Package Forge and whether it can build packages for Ubuntu.
  • How can you submit a job to it, given that apt doesn't have an equivalent of the source RPM? Stephen has added Package Forge support for a subsidiary job with a list of extra files - a source control file has a list of the extra files, with checksums, so all can be checked.
  • Build daemon support has to be added. To start with this will be a no-op.
  • Currently the startup scripts for Package Forge build daemons are still in System V form. This won't work on Ubuntu, so they'll need to be converted to systemd form. (And having said that, there's an added complication: systemd has moved on a lot from the version used in RHEL 7.)
  • There's a problem with its use of pagsh. The Kerberos support has been separated out. The credentials cache code also needs to be pulled out.

Miscellaneous Development

  • Virtual DICE has been updated to use VirtualBox 6.0.14. This fixes problems with the guest additions in the previous Virtual DICE images.
  • Stephen has improved the installroot so that it looks up the Kerberos realm in the approved manner. It was always fine for us but this fixes it for several other Schools whose Kerberos realm doesn't match their default domain as ours does.
  • There's a new utils script, tiny but useful, called leash. Give it a process ID as an argument and it'll limit that process's entire user session to a maximum of 50% of one CPU. It's useful for quickly reining in disruptive processes on xrdp servers, for instance.


  • Chris has upgraded VirtualBox (on the develop release only) to 6.0.14. (VirtualBox is not upgraded on stable machines during teaching periods.)
  • PHP has been upgraded.
  • Flash has been upgraded.
  • Stephen culled his reminders.
  • Chris has checked the latest Dell firmware and BIOS updates. This month's batch has quite a few Urgent updates; he's mailed a list round MPU. We decided to concentrate on those machines needing BIOS and iDRAC updates.
    • Chris: maia, regulus
    • Stephen: vega, altair, salamanca.
  • AMT: we could do with:
    • clientreport saying whether or not AMT is enabled.
    • labcheck to flag up that AMT is enabled.

This Week

  • Alastair
    • Inventory project
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Produce a Legitimate Interest Declaration and Privacy Statement
        • contains a list of every user and their status
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • records which informatics location a machine is observed (could track who is using which room, for wire-connected laptops)
        • consider what can be removed once a user has left the University
          • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      • Decommission ordershost
        • Xmas 2019 - delete old ordershost 'nerano'
    • Additional Tartarus work - non project
      • Create an entry in the new Services register once that is in service
      • client report to flag when hyperthreading disabled or not (in CPU report)
      • client report to take 'ipfilter.export'
      • modularise kvmreport so that it can both be used to report by mail and be used as a clientreport module
    • Take a look at RT #78875
      • WON'T LOOK UNLESS A BIG ISSUE (Ask Tom) - Tom asked 16/09/19
    • Look at Stephen's 'Thoughts on shell components'
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • Periodically run user expiry script every month until December 2019 and if no problems configure to run automatically
      • Run 16/09/19
    • Meet Tim with Chris to review RAT involvement
    • Look at using php-5.6 on
    • Have a look at how APT / DPKG works, particularly wrt API
    • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
    • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
    • Upgrade girassol (remembering hyperthreading)
    • Check file permissions on tartarus (can non-privileged users access stuff, including backups?)
    • Go through non MPU RT tickets
    • Purge REMINDERS
    • Firmware - deneb (need to do during day and announce that no installs during process)

  • Chris
    • User training materials project #403
    • Meet Tim with Alastair to review RAT involvement
    • Purge REMINDERS
    • Firmware - regulus and maia

  • Stephen
    • Take issue of disable per user journald logs on certain servers to OPS
    • Look at where we're using ALL in access.conf
    • Read George's mail of 8th November wrt DPIA
    • clientreport
      • Complete module errors report
      • Add an 'old locks' report
      • 'Old kernels' report
      • Report on core files in / directory
      • Report on AMT being enabled/disabled
    • Labcheck - add report on which machines have AMT enabled
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Security week page
    • Upgrade banjo and mandolin (remembering hyperthreading)
    • Announce Distance Learning XRDP server (first check ACLs all correct)
    • firmware - salamanca, vega, altair
    • Produce final report for LCFG profile security
    • xscreensaver upgrade
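
The retention rule from Alastair's inventory item above (delete 'person' rows where 'upstream' is false and no 'item' row has a matching 'allocated_to', and arguably set 'category' to NULL for the rest), as an added example that is not the inventory project's own periodic script. It runs against a constructed in-memory SQLite copy of the two tables; the column names 'uun' and 'item_id' and the row data are assumptions for the example.

```python
import sqlite3

# Constructed schema approximating the inventory tables named in the minutes:
# 'person' has 'upstream' and 'category', 'item' has 'allocated_to'.
# The 'uun' and 'item_id' columns are assumptions for this example.
SCHEMA = """
CREATE TABLE person (uun TEXT PRIMARY KEY, upstream INTEGER NOT NULL, category TEXT);
CREATE TABLE item (item_id INTEGER PRIMARY KEY, allocated_to TEXT REFERENCES person(uun));
"""

# Constructed sample data: alice is still upstream (current user);
# bob has left (upstream false) but still has a machine allocated to him;
# carol has left and holds nothing, so hers is the only row the rule purges.
SAMPLE_PEOPLE = [("alice", 1, "staff"), ("bob", 0, "staff"), ("carol", 0, "student")]
SAMPLE_ITEMS = [(1, "alice"), (2, "bob")]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", SAMPLE_PEOPLE)
    conn.executemany("INSERT INTO item VALUES (?, ?)", SAMPLE_ITEMS)
    return conn


def purge_departed_users(conn, null_category=True):
    """Apply the retention rule: delete non-upstream people no item is allocated
    to; optionally clear 'category' for the non-upstream people who remain
    (those still holding kit). Returns (rows_deleted, rows_nulled)."""
    with conn:  # one transaction: both steps commit together or not at all
        deleted = conn.execute(
            """DELETE FROM person
               WHERE upstream = 0
                 AND NOT EXISTS (SELECT 1 FROM item
                                 WHERE item.allocated_to = person.uun)"""
        ).rowcount
        nulled = 0
        if null_category:
            nulled = conn.execute(
                "UPDATE person SET category = NULL "
                "WHERE upstream = 0 AND category IS NOT NULL"
            ).rowcount
    return deleted, nulled


def remaining_people(conn):
    """List what is left, so the effect of the purge can be checked."""
    return conn.execute(
        "SELECT uun, upstream, category FROM person ORDER BY uun").fetchall()
```

Running the purge a second time deletes nothing, which is what a monthly cron job should rely on.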

-- AlastairScobie - 06 Nov 2019

Topic revision: r7 - 14 Nov 2019 - 11:49:10 - ChrisCooke