MPU Meeting Wednesday 5th February 2020


Alastair has produced the final report.

Any items remaining on the todo list which won't be done soon will be converted into bug entries so they don't get forgotten.

Need to finish the DPIA statement. Also need to regularly run a script (from cron?) to clean out old users in the database.

Profile Security

Nothing happened.

Alternative Desktop Platform

Lots of work has been done on the installer, which is driven by the LCFG install component. A new lcfg/defaults/install-debian.h header has been added to hold all the Debian/Ubuntu-specific configuration.

It seems that there is a difference of opinion between Red Hat and Debian over whether the /etc/hostname file contains the short or fully-qualified name for the host. This changes what the hostname command returns by default. All shell scripts should be explicit and use --short or --long, but most just assume the long form will be returned. More annoyingly, the Sys::Hostname Perl module doesn't provide functions to explicitly request the two different forms; we probably need to add some helper functions into LCFG::Utils for this purpose. For now the installer updates the contents of the /etc/hostname file to be the FQDN so that we get the same behaviour as Red Hat.

The rsyslog component now works; the resources have been configured to match the Ubuntu default configuration as closely as is sensible.

The kerberos component has been ported.

kernel component
This has been ported. Some functionality is not supported, in particular the management of symlinks to kernel and initrd files, which isn't required for Debian. There are now separate LCFG::Component::Kernel::Redhat and LCFG::Component::Kernel::Debian modules which inherit common functionality from LCFG::Component::Kernel.

The component has been ported. The systemd configuration required some heavy modification to make it use the openafs component rather than the debconf-managed files.

Local software
Various local software has been ported, notably the Tartarus clientreport modules now work.

Package lists
A start has been made on the package lists.

User Security Training Materials

Chris has been working out his plan of attack and prioritising the work which needs to be done. Alastair and Chris will discuss separately and produce some milestones for the project.

There was a discussion on how much we care about making the advice generic or whether it can just be specific to Informatics.

Misc Development

Tartarus DB
Alastair has enabled statement logging in the postgres DB to help debug any issues.

File access
Non-privileged user file access has been checked on the and tartarus servers. There was a question about the best way to control access to the postgres DB from CGI scripts.

The packages needed for LVM support have been added to the SL7 installroot and installbase.

The limit on the number of open file descriptors for rsyslog has been increased to 16384. This matches the setting on Ubuntu. Hopefully this will help with journald-related problems.

remctl and xinetd
It is now possible to enable/disable xinetd support for remctld. For details see bug#1192.

lcfgscripts directory
The new LCFG scripts directory path is now accessible via the sysinfo.path_lcfgscripts resource (on SL7 that is /usr/lib/lcfg/scripts).

Operational pages
MPU pages have been reviewed.

SSL certificates
The wake.inf service and now have SSL certificates from Let's Encrypt

SL6 schemas
Lots of old schemas that were only required for SL6 profiles have been removed.

Some tidying has been done to clear out old SL7.5 package lists.

log cabin
The SSL certificate has been corrected (was meant to have switched to Let's Encrypt).

Some DBs were reconfigured to use peer rather than trust authentication for local users.

-- StephenQuinney - 06 Apr 2020

