MPU Meeting Wednesday 5th February 2020

Inventory

Alastair has produced the final report.

Any items remaining on the todo list which won't be done soon will be converted into bug entries so they don't get forgotten.

Need to finish the DPIA statement. Also need to regularly run a script (from cron?) to clean out old users in the database.

Profile Security

Nothing happened.

Alternative Desktop Platform

installer

Lots of work has been done on the installer, this is driven by the LCFG install component. A new lcfg/defaults/install-debian.h header has been added to hold all the Debian/Ubuntu specific configuration.

hostname

It seems that there is a difference of opinion between Redhat and Debian over whether the /etc/hostname file contains the short or fully-qualified name for the host. This changes what the hostname command returns by default. All shell scripts should be explicit and use --short or --long but most just assume the long form will be returned. More annoyingly the Sys::Hostname Perl module doesn't provide functions to explicitly request the two different forms, we probably need to add some helper functions into LCFG::Utils for this purpose. For now the installer updates the contents of the /etc/hostname file to be the FQDN so that we get the same behaviour as Redhat.

rsyslog

The rsyslog component now works, the resources have been configured to match the Ubuntu default configuration as closely as is sensible.

kerberos

The kerberos component has been ported.

kernel component

This has been ported. Some functionality is not supported, in particular the management of symlinks to kernel and initrd files which isn't required for Debian. There are now separate LCFG::Component::Kernel::Redhat and LCFG::Component::Kernel::Debian modules which inherit common functionality from LCFG::Component::Kernel

openafs

The component has been ported. The systemd configuration required some heavy modification to make it use the openafs component rather than the debconf-managed files.

Local software

Various local software has been ported, notably the Tartarus clientreport modules now work.

Package lists

A start has been made on the package lists.

User Security Training Materials

Chris has been working out his plan of attack and prioritising the work which needs to be done. Alastair and Chris will discuss separately and produce some milestones for the project.

There was a discussion on how much we care about making the advice generic or whether it can just be specific to Informatics.

Misc Development

Tartarus DB

Alastair has enabled statement logging in the postgres DB to help debugging any issues.

File access

Non-privileged user file access has been checked on the computing.help and tartarus servers. There was a question about the best way to control access to the postgres DB from CGI scripts.

lvm2

The packages need for LVM support have been added to the SL7 installroot and installbase.

rsyslog

The limit on the number of open file descriptors for rsyslog has been increased to 16384. This matches with the setting on Ubuntu. Hopefully this will help with journald related problems.

remctl and xinetd

It is now possible to enable/disable xinetd support for remctld. For details see bug#1192.

lcfgscripts directory

The new LCFG scripts directory path is now accessible via the sysinfo.path_lcfgscripts resource (on SL7 that is /usr/lib/lcfg/scripts).

Operational

computing.help pages

MPU pages have been reviewed.

SSL certificates

The wake.inf service and computing.help now have SSL certificates from Let's Encrypt

SL6 schemas

Lots of old schemas that were only required for SL6 profiles have been removed.

SL7.5

Some tidying has been done to clear out old SL7.5 package lists

log cabin

The SSL certificate has been corrected (was meant to have switched to Let's Encrypt).

postgres

Some DBs were reconfigured to use peer rather than trust for local users.

-- StephenQuinney - 06 Apr 2020