---+ MPU Meeting Thursday 5th December 2019

---++ Inventory

Nothing happened.

---++ Profile Security

Just need to write up final report, planning to get that done before Christmas.

---++ Alternate Desktop Platform

Stephen has been working on adding support to !PkgForge for building Debian packages. This uses pbuilder for building packages in chroots; there is a new component which manages the configurations for all the required chroots. With a few extra packages installed it is now possible to generate a Debian source package on SL7 using the LCFG build tools and submit it to pkgforge for building without needing any direct access to a Debian/Ubuntu machine.

Another large set of component schemas has been updated to remove hardwired paths to lcfg directories; these will go through in the stable release on 11th December.

---++ User Security Training Materials

Nothing happened.

---++ Miscellaneous Development

   $ Local ports being stolen by rpcbind : Stephen has come across a Linux kernel feature which might be useful for protecting the LCFG client against rpcbind stealing the network port. There is a sysctl option - =net.ipv4.ip_local_reserved_ports= - which takes a comma-separated list of ports that are reserved for local daemons. We need to do some investigating to check this solves our problem with rpcbind.
   $ Hyperthreading : Stephen will produce a summary of MPU machines with hyperthreading enabled.

---++ Operational

   $ Kernel update : There is a new kernel - =1062.4.3= - for SL7.6; this will go out in the next stable release along with an update to openafs 1.8.4. We had planned to roll this out earlier to the student labs but it was held back to avoid disrupting the online exams.
   $ Dell hardware headers : Stephen added new headers for the Dell R640 and T640 server models.
   $ postgres 9.6 problems : There were problems with the MPU postgres DBs on tartarus, buzzsaw and pkgforge due to the introduction of a configuration option that is only supported in version 11 onwards. This prevented the DBs from restarting. Stephen modified the LCFG profiles to drop the problematic option until the proper fix reaches us in the next stable release. We really ought to look at upgrading to a newer version of Postgres when we have the time...
   $ Package service reboots : Alastair and Chris rebooted the package servers - _deneb_, _regulus_ and _maia_ - for firmware and kernel updates.
   $ KVM server upgrades : We will try to get the remaining two servers upgraded before Christmas. Stephen will do _banjo_ next week and Chris will do _girassol_ the week after.

---++ This Week

   * *Alastair*
      * Inventory project
      * Start work on final report!
      * Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      * <strike>Produce a Legitimate Interest Declaration and Privacy Statement
      * contains a list of every user and their status
      * records machine to user allocation (with their UUN, cname, sname, user category)
      * records who requests which order (usually just uun, but can be cname+sname)
      * records who makes a change in inventory (just uun)
      * records which informatics location a machine is observed (could track who is using which room, for wire-connected laptops)
      * consider what can be removed once a user has left the University</strike>
      * any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      * Decommission ordershost
      * Xmas 2019 - delete old ordershost 'nerano'
      * Additional Tartarus work - non project
      * Create an entry in the new Services register once that is in service
      * client report to flag when hyperthreading disabled or not (in CPU report)
      * client report to take 'ipfilter.export'
      * modularise kvmreport so that it can both be used to report by mail and be used as a clientreport module
      * Take a look at RT #78875
      * WON'T LOOK UNLESS A BIG ISSUE (Ask Tom) - Tom asked 16/09/19
      * Look at Stephen's 'Thoughts on shell components'
      * Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
      * drupal username collection re GDPR
      * Periodically run user expiry script every month until December 2019 and if no problems configure to run automatically
      * Run 16/09/19
      * Look at using php-5.6 on computing.help
      * Have a look at how APT / DPKG works, particularly wrt API
      * Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
      * Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
      * Upgrade girassol (remembering hyperthreading)
      * Check file permissions on tartarus and computing.help (can non privileged users access stuff (including backups))
      * Go through non MPU RT tickets
      * Purge REMINDERS
   * *Chris*
      * User training materials project #403
      * complete and then publish ThoughtsOn403 - and ask for comments
      * <strike>Upgrade girassol (remembering hyperthreading)</strike>
      * Look at updating 'DSU'
   * *Stephen*
      * Take issue of disable per user journald logs on certain servers to OPS
      * Look at where we're using ALL in access.conf
      * Read George's mail of 8th November wrt DPIA
      * clientreport
      * Complete module errors report
      * Add an 'old locks' report
      * 'Old kernels' report
      * Report on core files in =/= directory
      * Report on AMT being enabled/disabled
      * Labcheck - add report on which machines have AMT enabled
      * Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
      * Security week page
      * <strike>Upgrade banjo</strike>
      * <strike>Announce Distance Learning XRDP server (first check ACLs all correct)</strike>
      * <strike>firmware - vega</strike>
      * <strike>Produce final report for LCFG profile security</strike>
      * <strike>Add an 'inftest' to CD install to enable GSSAPI profile fetch</strike>
      * <strike>Survey our servers wrt hyperthreading status</strike>

-- Main.AlastairScobie - 05 Dec 2019
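For the =net.ipv4.ip_local_reserved_ports= item under Miscellaneous Development, a check of whether a daemon's port is covered by the reserved list could look like this. It is an added example, not part of the minutes or of LCFG; the function names and the sample list in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: is a port covered by net.ipv4.ip_local_reserved_ports?
# The sysctl value is a comma-separated list of ports and inclusive
# ranges, e.g. "732,2049,8000-8010" (constructed sample, not a site value).
# Per the kernel documentation the list only affects automatic port
# assignment (connect(), or bind() to port 0); explicit binds are unchanged.

# port_is_reserved PORT LIST
# Returns 0 if PORT is in LIST, 1 if it is not, 2 on malformed input.
port_is_reserved() {
    port=$1
    list=$(printf '%s' "$2" | tr -d ' \t\n')
    case $port in
        ''|*[!0-9]*) return 2 ;;
    esac
    # Split the list on commas, then restore the caller's IFS.
    old_ifs=$IFS
    IFS=','
    set -- $list
    IFS=$old_ifs
    for entry in "$@"; do
        [ -n "$entry" ] || continue
        case $entry in
            *[!0-9-]*|*-*-*|-*|*-) return 2 ;;        # not N or N-M
            *-*) lo=${entry%-*}; hi=${entry#*-} ;;    # range N-M
            *)   lo=$entry; hi=$entry ;;              # single port
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Current value on this host; prints nothing if the sysctl is unavailable.
reserved_ports_live() {
    cat /proc/sys/net/ipv4/ip_local_reserved_ports 2>/dev/null
}

# When run with one argument, report on that port for the live system.
if [ "$#" -eq 1 ]; then
    if port_is_reserved "$1" "$(reserved_ports_live)"; then
        echo "port $1 is in ip_local_reserved_ports"
    else
        echo "port $1 is NOT in ip_local_reserved_ports"
    fi
fi
```
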
Topic revision: r8 - 08 Jan 2020 - 14:18:37 - AlastairScobie