MPU Meeting Wednesday 13th November 2019


Nothing happened.

Profile Security

Still planning to switch clients to GSSAPI authentication next Monday.

Alternate Desktop Platform

There are now docs on the LCFG wiki; docs for the apt component still need to be added.

Stephen has been working on adding systemd service files for the various daemons. For Informatics these need an AFS wrapper script which uses pagsh to create a new PAG and run k5start before launching the daemon. Support has been added for platform tags (e.g. ubuntu or redhat) which will make it easier to target a number of related platforms (e.g. Ubuntu 19.10 and 20.04) for users who aren't sure what versions are supported. Associated with the work on adding support for tags was a reworking of how platforms are selected for each individual build job to make the code easier to understand and maintain. The next step is to work on the code for submitting built packages using dput. After that Stephen will think about how to actually build the packages...

Alastair has been battling the "Getting Started" documentation and trying to get it to work in a VM on Ubuntu and Debian. He's been having some trouble with the networking config.

User Security Training Materials

This project will be starting soon.

Miscellaneous Development

Ian reported a cpp warning on many LCFG profiles related to a macro in the virtualbox-puel.h header being redefined (RT #98821). Chris has tweaked the header to make the warning go away.

Stephen has updated this to the latest in epel (5.43); this means we no longer get a warning on the unlock screen.

The schema and component have been updated in the lcfg-layer for Shane.


Chris moved this in the rack to help the Services Unit fit in some new kit. At the same time he upgraded the firmware and switched it to SL7.6.

Stephen has updated the firmware.

Firmware updates
Chris and Alastair will coordinate the downtime for the package service machines (deneb, maia and regulus). They are all best done during the day when it is unlikely that updaterpms will be running automatically. We will have to warn about installs not working whilst they are being upgraded.

Software Collections
Stephen has applied updates to the devtoolset 7 and 8, httpd24 and nodejs8 software collections.

This Week

  • Alastair
    • Inventory project
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Produce a Legitimate Interest Declaration and Privacy Statement
        • contains a list of every user and their status
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • records the Informatics location at which a machine is observed (could track who is using which room, for wire-connected laptops)
        • consider what can be removed once a user has left the University
          • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      • Decommission ordershost
        • Xmas 2019 - delete old ordershost 'nerano'
    • Additional Tartarus work - non project
      • Create an entry in the new Services register once that is in service
      • client report to flag when hyperthreading disabled or not (in CPU report)
      • client report to take 'ipfilter.export'
      • modularise kvmreport so that it can both be used to report by mail and be used as a clientreport module
    • Take a look at RT #78875
      • WON'T LOOK UNLESS A BIG ISSUE (Ask Tom) - Tom asked 16/09/19
    • Look at Stephen's 'Thoughts on shell components'
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • Periodically run user expiry script every month until December 2019 and if no problems configure to run automatically
      • Run 16/09/19
    • Look at using php-5.6 on
    • Have a look at how APT / DPKG works, particularly wrt API
    • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
    • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
    • Upgrade girassol (remembering hyperthreading)
    • Check file permissions on tartarus and (can non privileged users access stuff (including backups))
    • Go through non MPU RT tickets
    • Purge REMINDERS
    • Firmware - deneb (need to do during day and announce that no installs during process) - sync with Chris re regulus and maia
    • UpdateRPMs - bump up cache size, add check when cache size > some threshold, and add some monitoring
    • Box ticking for SL7.6 project

  • Chris
    • User training materials project #403
    • Firmware - regulus and maia - sync with Alastair wrt deneb

  • Stephen
    • Take issue of disabling per-user journald logs on certain servers to OPS
    • Look at where we're using ALL in access.conf
    • Read George's mail of 8th November wrt DPIA
    • clientreport
      • Complete module errors report
      • Add an 'old locks' report
      • 'Old kernels' report
      • Report on core files in / directory
      • Report on AMT being enabled/disabled
    • Labcheck - add report on which machines have AMT enabled
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Security week page
    • Upgrade banjo
    • Announce Distance Learning XRDP server (first check ACLs all correct)
    • firmware - vega, altair
    • Produce final report for LCFG profile security

-- AlastairScobie - 13 Nov 2019

Topic revision: r3 - 20 Nov 2019 - 09:24:52 - AlastairScobie