MPU Meeting Wednesday 5th February 2020
Inventory
Alastair has produced the final report.
Any items remaining on the todo list which won't be done soon will be converted into bug entries so they don't get forgotten.
Need to finish the DPIA statement. Also need to regularly run a script (from cron?) to clean out old users in the database.
Profile Security
Nothing happened.
Alternative Desktop Platform
- installer
- Lots of work has been done on the installer, which is driven by the LCFG install component. A new lcfg/defaults/install-debian.h header has been added to hold all the Debian/Ubuntu-specific configuration.
- hostname
- It seems that there is a difference of opinion between Red Hat and Debian over whether the /etc/hostname file contains the short or fully-qualified name for the host. This changes what the hostname command returns by default. All shell scripts should be explicit and use --short or --long, but most just assume the long form will be returned. More annoyingly, the Sys::Hostname Perl module doesn't provide functions to explicitly request the two different forms; we probably need to add some helper functions into LCFG::Utils for this purpose. For now the installer updates the contents of the /etc/hostname file to be the FQDN so that we get the same behaviour as Red Hat.
- rsyslog
- The rsyslog component now works, the resources have been configured to match the Ubuntu default configuration as closely as is sensible.
- kerberos
- The kerberos component has been ported.
- kernel component
- This has been ported. Some functionality is not supported, in particular the management of symlinks to kernel and initrd files, which isn't required for Debian. There are now separate LCFG::Component::Kernel::Redhat and LCFG::Component::Kernel::Debian modules which inherit common functionality from LCFG::Component::Kernel.
- openafs
- The component has been ported. The systemd configuration required some heavy modification to make it use the openafs component rather than the debconf-managed files.
- Local software
- Various local software has been ported, notably the Tartarus clientreport modules now work.
- Package lists
- A start has been made on the package lists.
User Security Training Materials
Chris has been working out his plan of attack and prioritising the work which needs to be done. Alastair and Chris will discuss separately and produce some milestones for the project.
There was a discussion on how much we care about making the advice generic or whether it can just be specific to Informatics.
Misc Development
- Tartarus DB
- Alastair has enabled statement logging in the postgres DB to help with debugging any issues.
- File access
- Non-privileged user file access has been checked on the computing.help and tartarus servers. There was a question about the best way to control access to the postgres DB from CGI scripts.
- lvm2
- The packages needed for LVM support have been added to the SL7 installroot and installbase.
- rsyslog
- The limit on the number of open file descriptors for rsyslog has been increased to 16384. This matches the setting on Ubuntu. Hopefully this will help with journald-related problems.
- remctl and xinetd
- It is now possible to enable/disable xinetd support for remctld. For details see bug#1192.
- lcfgscripts directory
- The new LCFG scripts directory path is now accessible via the sysinfo.path_lcfgscripts resource (on SL7 that is /usr/lib/lcfg/scripts).
Operational
- computing.help pages
- MPU pages have been reviewed.
- SSL certificates
- The wake.inf service and computing.help now have SSL certificates from Let's Encrypt.
- SL6 schemas
- Lots of old schemas that were only required for SL6 profiles have been removed.
- SL7.5
- Some tidying has been done to clear out old SL7.5 package lists.
- log cabin
- The SSL certificate has been corrected (was meant to have switched to Let's Encrypt).
- postgres
- Some DBs were reconfigured to use peer rather than trust for local users.
--
StephenQuinney - 06 Apr 2020