MPU Meeting Wednesday 20th November 2019


Nothing happened.

Profile Security

  • Profile fetching using GSSAPI became the default this week. Mostly this has been a big success ...
  • ... but it caused a problem for users of the install CD image. These users should now append lcfg.kauth=1 to their choice from the LCFG install CD menu - for example instead of just pressing Return they should now type auto lcfg.kauth=1 and instead of typing serial they should now type serial lcfg.kauth=1. Stephen will document this on the install CD boot screen, and he'll add a hidden inftest option to provide an easier-to-type way to opt for Kerberos authentication.
  • The GSSAPI change (above) made the Apache error logs on the LCFG servers rather noisy - an error was being logged at every Nagios check. This was because the Nagios request was dropping through the first "require" group into a subsequent one, and Apache thinks that this is log-worthy. However Stephen found out that multiple requires can be combined into a single statement, and that this prevents the extra warnings. He's made that change on the LCFG servers (by changing the Template Toolkit template which ships with the LCFG compiler).

Alternate Desktop Platform

  • Stephen has written a component to configure dput, a utility for uploading package files on Debian. We can now submit packages! He's added this to co-desktop.h. While he was there he restructured the header so that SL-specific things were in a separate section. He also added a Package Forge wrapper for dput to add support for submitting packages once they've been built there.
  • The support for actually building packages on Package Forge isn't yet there, though. pbuilder (Debian wiki, Ubuntu wiki) looks promising. It uses a shell script which can be configured by defining environment variables. It can support every active Debian or Ubuntu distribution. There are still lots of details to work out, and it'll need an LCFG component and a wrapper script.
  • He's made more improvements to the Debian metadata in LCFG buildtools.
  • There's a Debian-specific packages server now - capella, a VM. It's being backed up every night, to disk and to tape. Ultimately we'll need to have the same sort of continual backup to lcfg-dr that we have for SL packages, but for now this is an improvement. We might need to stop carrying SL6 packages to make room for Debian ones; this will involve archiving the SL6 packages to tape first.
  • There was a meeting with GeoSciences. We gave them some ideas, and we're hoping that they'll contribute a Debian utility akin to their very useful yummy.
  • Alastair has made progress with FAI. The main hurdle overcome this week was to find out how a Debian box can be configured to have two functioning network interfaces, and to do DHCP. If we ultimately can't make use of FAI, we can always port our own utilities instead.

User Security Training Materials

This hasn't really started yet, but Chris has been learning Learn and has enlisted the willing help of Alex, our Learn expert.

Miscellaneous Development

  • Alastair has improved updaterpms (RT:98490, Bug:994). The hash table was getting full (about 90%) so he doubled its size and added a warning which triggers when it's more than 75% full. He also added a new -p option which outputs profiling information, so that you can find out what's taking all the time. Each updaterpms run is now 3 seconds faster!
  • LCFG buildtools now supports git (Bug:1179) - thanks to Justin Kasin and Kenny MacDonald for the code! Stephen took the opportunity to refactor the code for version control systems, so that it should be easier to add another one in the future.
  • Stephen has added support for USB serial consoles (one of our awful Novatech servers needs one).
  • Engineering have maxed out the bash environment space in their use of the x509 component (Bug:1180). The ultimate solution to this is to rewrite the component in Perl, but for the moment, Stephen has created some breathing room by adding an option to qxprof to turn off resource metadata. This reduces the number of variables by about 500.


  • Stephen has updated some more Software Collections - rh-php70, rh-php71 and rh-php72 have security updates, and rh-nodejs10 is new. This latter collection includes only the core, because there are no modules with it as yet.
  • The schema for the sssd component has been updated to take advantage of last week's update of the inifile component schema.
  • Stephen updated the firmware on altair.
  • There's a new kernel which needs to be shipped to desktops before tomorrow's change freeze hits.
  • Chris and Alastair will be updating kernels, firmware and BIOS on the packages servers tomorrow morning.
  • Our attention has been drawn to a handy nvmecli utility, which spits out information about NVME disks. Stephen will add it to clientreport.

This Week

  • Alastair
    • Inventory project
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Produce a Legitimate Interest Declaration and Privacy Statement
        • contains a list of every user and their status
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • records which informatics location a machine is observed (could track who is using which room, for wire-connected laptops)
        • consider what can be removed once a user has left the University
          • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      • Decommission ordershost
        • Xmas 2019 - delete old ordershost 'nerano'
    • Additional Tartarus work - non project
      • Create an entry in the new Services register once that is in service
      • client report to flag when hyperthreading disabled or not (in CPU report)
      • client report to take 'ipfilter.export'
      • modularise kvmreport so that it can both be used to report by mail and be used as a clientreport module
    • Take a look at RT #78875
      • WON'T LOOK UNLESS A BIG ISSUE (Ask Tom) - Tom asked 16/09/19
    • Look at Stephen's 'Thoughts on shell components'
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • Periodically run user expiry script every month until December 2019 and if no problems configure to run automatically
      • Run 16/09/19
    • Look at using php-5.6 on
    • Have a look at how APT / DPKG works, particularly wrt API
    • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
    • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
    • Upgrade girassol (remembering hyperthreading)
    • Check file permissions on tartarus (can non-privileged users access stuff, including backups?)
    • Go through non MPU RT tickets
    • Purge REMINDERS
    • Firmware - deneb (need to do during day and announce that no installs during process) - sync with Chris re regulus and maia

  • Chris
    • User training materials project #403
    • Firmware - regulus and maia - sync with Alastair wrt deneb

  • Stephen
    • Take issue of disable per user journald logs on certain servers to OPS
    • Look at where we're using ALL in access.conf
    • Read George's mail of 8th November wrt DPIA
    • clientreport
      • Complete module errors report
      • Add an 'old locks' report
      • 'Old kernels' report
      • Report on core files in / directory
      • Report on AMT being enabled/disabled
    • Labcheck - add report on which machines have AMT enabled
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Security week page
    • Upgrade banjo
    • Announce Distance Learning XRDP server (first check ACLs all correct)
    • firmware - vega
    • Produce final report for LCFG profile security
    • Add an 'inftest' to CD install to enable GSSAPI profile fetch
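The leaver-expiry rule in Alastair's inventory list above (delete 'person' rows where 'upstream' is false and no 'item' row has a matching 'allocated_to', and arguably NULL the 'category' of remaining non-upstream people) as an added, runnable sketch; this is not the Tartarus script itself. It assumes a minimal person/item schema and uses an in-memory sqlite3 database with constructed rows in place of the real inventory database.

```python
"""Periodic cleanup of inventory leavers (added example, not project code).
Assumed schema: person(uun, cname, sname, category, upstream) and
item(name, allocated_to -> person.uun)."""
import sqlite3

SCHEMA = """
CREATE TABLE person (uun TEXT PRIMARY KEY, cname TEXT, sname TEXT,
                     category TEXT, upstream INTEGER NOT NULL);
CREATE TABLE item (name TEXT PRIMARY KEY,
                   allocated_to TEXT REFERENCES person(uun));
"""

# Constructed sample data: one current user and two leavers (upstream = 0),
# one of whom still has a machine allocated and so must be kept.
SAMPLE = [
    ("INSERT INTO person VALUES (?,?,?,?,?)", [
        ("s1", "Ann", "Smith", "staff", 1),
        ("s2", "Bob", "Jones", "staff", 0),     # left, no machine: delete
        ("s3", "Cat", "Lee", "visitor", 0),     # left, still allocated: keep
    ]),
    ("INSERT INTO item VALUES (?,?)", [("pc01", "s1"), ("pc02", "s3")]),
]

def expire_leavers(conn, clear_category=True):
    """Delete non-upstream people with no allocated item; optionally NULL
    the category of non-upstream people who remain. Returns a tuple
    (rows_deleted, rows_nulled) so a periodic run can log what it did."""
    cur = conn.cursor()
    cur.execute("""DELETE FROM person
                   WHERE upstream = 0
                     AND NOT EXISTS (SELECT 1 FROM item
                                     WHERE item.allocated_to = person.uun)""")
    deleted = cur.rowcount
    nulled = 0
    if clear_category:
        cur.execute("""UPDATE person SET category = NULL
                       WHERE upstream = 0 AND category IS NOT NULL""")
        nulled = cur.rowcount
    conn.commit()
    return deleted, nulled

def build_sample_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    conn.commit()
    return conn

def remaining(conn):
    """Sorted (uun, category) pairs still in the person table."""
    return sorted(conn.execute("SELECT uun, category FROM person").fetchall())
```

Running expire_leavers twice on the same database is safe: the second pass finds nothing to delete or NULL, which is the property a monthly cron job needs.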

-- AlastairScobie - 20 Nov 2019

Topic revision: r2 - 21 Nov 2019 - 14:37:28 - ChrisCooke