MPU Meeting Wednesday 15th January 2020

Inventory

Alastair tweaked the API so that it is not possible to edit information for machines without serial numbers.

There is a need for some authorization improvements so that it is possible for HR to check any kit will be orphaned when the owner leaves. Stephen suggested using netgroups to check for user capabilities, he will send a pointer to the Perl module he uses.

The old ordershost server has been decommissioned.

Profile Security

Still need to ask Toby to do the code review.

Alternative Desktop Platform

The focus has been on getting the new preseed installer to work. This is based around a CGI script which runs on the LCFG server. This uses the XML LCFG profile and a set of templates to generate the required preseed files and shell scripts.

User Security Training Materials

Misc Development

bugzilla

Chris has done a security update.

mock changes

The recent upgrade to mock broke the createrepo_hack script which is a shell wrapper around the upstream createrepo tool that fixes up some file permissions. The way it is called by mock has changed so that there are more command-line arguments. Stephen has hacked around it some more so that it works again.

Operational

computing.help

We need to upgrade drupal. We will look into converting to Let's Encrypt for the SSL cert in early March.

SL7 build host

procyon needs a reinstall as the root partition is no longer large enough.

twiki

We need to upgrade to the latest version of Twiki for lcfg.org

Log cabin

This is now using a Let's Encrypt SSL certificate which is managed via the x509 component using DNS. This was very easy to do, we should convert any remaining quovadis certificates to this system as they come up for renewal (e.g. XRDP services).

R packages

Stephen had to split the R packages list into two files to resolve some complicated package version conflicts.

LVM volumes

Chris tidied the unused LVM volumes on the Forum KVM servers.

This Week

• Alastair
  • Inventory project
    • Continue work on final report
    • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
    • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
    • Decommission ordershost
      • Xmas 2019 - delete old ordershot 'nerano'
  • Additional Tartarus work - non project
    • Add netgroup support to API authorisation
    • Create an entry in the new Services register once that is in service
    • client report to flag when hyperthreading disabled or not (in CPU report)
    • client report to take 'ipfilter.export'
    • modularise kvmreport so that it can both be used to report by mail and be used as a clientreport module
  • Look at Stephen's 'Thoughts on shell components'
  • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
  • drupal username collection re GDPR
    • Perioidically run user expiry script every month until December 2019 and if no problems configure to run automatically
    • Run 16/09/19
  • Look at using php-5.6 on computing.help
  • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
  • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
  • Upgrade girassol (remembering hyperthreading)
  • Check file permissions on tartarus and computing.help (can non privileged users access stuff (including backups))
  • Go through non MPU RT tickets
  • Purge REMINDERS
  • Inventory - fix API bug wrt editing items with no serial numbers. RT #99548 .. but not yet live
  • Upgrade computing.help drupal
  • Create bugzilla ticket from RT#98932

• Chris
  • User training materials project #403
    • complete and then publish ThoughtsOn403 - and ask for comments
  • Look at updating 'DSU'
  • Look at bugzilla upgrade
  • Reinstall/repartition SL7 build host
  • Look at letsencrypt for computing.help

• Stephen
  • Take issue of disable per user journald logs on certain servers to OPS
  • Look at where we're using ALL in access.conf
  • Read George's mail of 8th November wrt DPIA
  • clientreport
    • Complete module errors report
    • Add an 'old locks' report
    • 'Old kernels' report
    • Report on core files in / directory
    • Report on AMT being enabled/disabled
  • Labcheck - add report on which machines have AMT enabled
  • Produce an Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
  • Security week page
  • Re-survey our servers wrt hyperthreading status
  • Ask Toby to security review LCFG Profile security project
  • Look at upgrading wiki.lcfg.org
  • Logcabin upgrade cert to LetsEncrypt

-- AlastairScobie - 15 Jan 2020