MPU Meeting Wednesday 8th January 2020

Inventory

The data protection documents have been produced and accepted. It only remains to finish the final report.

Profile Security

Stephen has written the final report.

A couple of actions remain: Stephen will talk to Toby about a security peer review; and while he's there, Toby will hopefully be able to assess the adequacy of the technical documentation. (The APIs are all documented.)

Alternative Desktop Platform

Stephen has spent a lot of time getting the Package Forge build service running for .deb packages.
  • There's now a utility which manages the pbuilder configuration (it's roughly equivalent to the SL mock stuff), and the build daemons are running. They can build for Ubuntu 19.10 and Ubuntu 20.04. The latter is currently just a proof of concept as we don't yet have all of the 20.04 packages to build against.
  • There's now more documentation.
  • The Package Forge web site has been improved.
  • You can now pkgforge submit to "all Ubuntu" or "all Red Hat".
The LCFG Client can now attempt to use debconf to initialise the configuration for the install process.

User Security Training Materials

Nothing this week.

Misc Development

  • Stephen has improved the file component:
    • You can now run one or more specified actions after a managed file has been changed. You can have multiple actions. Also, if multiple files have changed and they have the same action, the component knows to just run the action once.
    • The schema has been reworked to make subclassing work properly. Previously, components which subclassed the file component were getting not only the resources which they were meant to get, but also resources which were intended just for the file component itself. The subclassed components' schemas now need to be changed. Stephen has redone the mailcap schema as an example.
  • As previewed last time, Stephen has made a kernel configuration change which will hopefully stop rpcbind from stealing ports.
  • We're now taking our python3 packages from SL instead of EPEL. This means that we'll get security updates, and that package building will become simpler.
  • mock has been updated.
  • R has been updated. We'd like to thank GeoSciences, who did most of the (monumental amount of) rebuilding.

Operational

  • We discovered that removing the dracut-config-generic package switches machines to using a host-specific initramfs, and that this means that they read modprobe.conf and add extra kernel modules reliably. Until now, a machine would get its requested extra kernel modules if it used desktop packages, but it wouldn't if it didn't!
  • We've updated the firmware on some servers: banjo, girassol, vega, jubilee, canopus and archlute.
  • Lots of EPEL packages have been updated.
  • Stephen has updated the NVidia drivers.
  • The Virtual DICE images have been updated and re-released.

This Week

  • Alastair
    • Inventory project
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Produce a Legitimate Interest Declaration and Privacy Statement
        • contains a list of every user and their status
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • records the Informatics location in which a machine is observed (could track who is using which room, for wire-connected laptops)
        • consider what can be removed once a user has left the University
      • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      • Decommission ordershost
        • Xmas 2019 - delete old ordershost 'nerano'
    • Additional Tartarus work - non project
      • Create an entry in the new Services register once that is in service
      • client report to flag when hyperthreading disabled or not (in CPU report)
      • client report to take 'ipfilter.export'
      • modularise kvmreport so that it can both be used to report by mail and be used as a clientreport module
    • Take a look at RT #78875
      • WON'T LOOK UNLESS A BIG ISSUE (Ask Tom) - Tom asked 16/09/19
    • Look at Stephen's 'Thoughts on shell components'
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • Periodically run user expiry script every month until December 2019 and if no problems configure to run automatically
      • Run 16/09/19
    • Look at using php-5.6 on computing.help
    • Have a look at how APT / DPKG works, particularly wrt API
    • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
    • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
    • Upgrade girassol (remembering hyperthreading)
    • Check file permissions on tartarus and computing.help (can non privileged users access stuff (including backups))
    • Go through non MPU RT tickets
    • Purge REMINDERS
    • Inventory - fix API bug wrt editing items with no serial numbers. RT #99548

  • Chris
    • User training materials project #403
    • Look at updating 'DSU'
    • Tidy up unused LVM volumes on Forum KVM servers

  • Stephen
    • Take the issue of disabling per-user journald logs on certain servers to OPS
    • Look at where we're using ALL in access.conf
    • Read George's mail of 8th November wrt DPIA
    • clientreport
      • Complete module errors report
      • Add an 'old locks' report
      • 'Old kernels' report
      • Report on core files in / directory
      • Report on AMT being enabled/disabled
    • Labcheck - add report on which machines have AMT enabled
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Security week page
    • Re-survey our servers wrt hyperthreading status
    • Ask Toby to security review LCFG Profile security project

-- AlastairScobie - 08 Jan 2020

Topic revision: r3 - 13 Jan 2020 - 11:46:40 - ChrisCooke
 