MPU Meeting Wednesday 2nd December 2020

Ubuntu Focal Port of LCFG Platform

New network component

Ready for use
Stephen has been getting the new network component ready to use on Ubuntu. It's already active on develop machines, and this week's release will enable it by default in the testing and stable releases too. However it will then need to be started in order to take effect. Stephen plans to start it in a small lab as a test, then if that goes well, start it on all the other Ubuntu machines.

Note that once that's been done, Ubuntu servers will start to nag us about bonding. We intend to fix bonding on Ubuntu as soon as possible.

Package services

DR service
We now have a DR package service for Ubuntu, and a test server was able to use it as its package repository.

Cache service
The package cache service is not yet available for general use - it has been tested but more testing will be needed, not least with installs, before it can be declared safe to use. Stephen plans to use it actively for a few weeks, then make it the default on the develop release in the new year.

Move to master server
The master copies of our Ubuntu packages and mirrors are in the midst of being moved from their temporary home nessie to the main package master server deneb. This is a fiddly and repetitious job, and Stephen is taking time over it to get it right.

All package servers can now be accessed by https (instead of just http).

Installer borkage

Our Ubuntu installer mechanism broke recently, but was made to work again by preventing the installer from using IPv6. The Informatics IPv6 infrastructure has not changed in any way recently so the fault seems to lie outside of the School.

As a side-effect, newly installed machines seem to come up with IPv6 still disabled. To override this and have the necessary control over the kernel command line, we may need to re-deploy the grub2 component. This deployment would need lots of testing.

Move websites from HTTP to HTTPS

Neil has been busy on Chris's copy of He has it configured so that:

  • https gives non-authenticated access to the pages.
  • http redirects to https.
  • An https visit to a new DNS alias - with "edit." added to the front of the name - triggers Cosign authentication. This permits access to those facilities which need authenticated access: restricted pages, page editing and site configuration.
  • Attempts to access a restricted page while not authenticated lead the user to a custom 403 page. This suggests that the user try the authenticated version of the restricted page.

We like this a lot - thanks Neil! However, as Neil suggested, we'll use "auth." for the authenticated version rather than "edit.".

Chris will integrate Neil's improvements into the configuration of the computing help servers.

User Security Training Materials

Chris has sorted the material into a dozen categories, each of which should make a small web page. Next he'll write up the dozen little pages. After that the rough plan is to move these to Learn, then to tackle the quiz.

PGR computing

This project is looking at computer provision for postgraduate research students from next year, when it's expected that the new intake will have shared desks rather than their own desks.

Alastair attended the PGR staff/student liaison committee last week, and it was very helpful. The clear message seemed to be that no one solution would suit everyone, or even the majority - we'll need to provide a menu of options which (a) suit people and (b) we can afford. The options we'll look at will include such things as personal laptops, personal desktops for use at home, a custom remote desktop solution, and an extension of our existing XRDP remote desktop service. We hope to decide this in early January.

Miscellaneous Development

logind configuration added to systemd component
The recent networking snafu, and the subsequent need to reboot all of the lab desktops, exposed the fact that the desktops' power buttons trigger a shutdown when pressed briefly. We'd much rather such a press triggered a reboot. Stephen has worked out that this can be accomplished with some logind configuration, so he's added the ability to do this to the systemd component. It's just a simple tag list and literal configuration lines, rather than a blizzard of specific resources. This new support isn't yet enabled across the board, but when it is, we'll be able to configure the lab machines' power buttons to trigger a reboot. Rather astonishingly, restarting logind makes it forget all existing login sessions, so to get the new configuration into place, the configuration file is rewritten immediately the resources change, but the new configuration is applied at the next reboot.

configuring mount options
/proc mount options need to be tweaked to make SL7's single user limitation apply to Ubuntu as well. For now we're doing this by creating a proc.mount file using the file component. In the longer term we may revive the fstab component to make mount files.

access to dmesg
Stephen fixed a umask setting to prevent unauthorised access to dmesg logs.

Virtual DICE
The "teaching" and "basic" versions of Virtual DICE are ready, as are the user doc pages and the USB key distribution arrangements. All that remains are the "full" version and some sort of announcement.

KVM charges
Chris has been tinkering with a spreadsheet which works out what we might charge if we were to adopt some variant of what IS charges for hosting virtual machines. It's in the MPU sharepoint area. Our full KVM server costs turn out to be less than what would be notionally raised by charging for VMs, so our charges could be less.


dsu on Ubuntu
It's recently lost its ability to download updates - perhaps related to the IPv6 borkage that's hit the Ubuntu installer? - so it can now only be used to identify what needs updating. However that's still a big time-saver, so Chris has documented the tedious new way to update firmware and BIOS levels on Ubuntu servers. It's written up on our DSU page.

PostgresQL 12 encryption snafu
Stephen's attempt to upgrade Package Forge to PostgreSQL 12 failed because of the problem described here.

apparmor disabled
because it only causes problems.

server firmware updates
Our servers need to be updated again. We'll start with the simple ones - LCFG slaves and the like.

Holiday reduction in XRDP service
Next week we'll discuss reducing the number of XRDP servers operating over the holiday closure period, to save electricity. This would probably not start before 22 December.

Staff XRDP
Stephen will move it tomorrow from waterloo to archlute.

-- ChrisCooke - 04 Dec 2020

Topic revision: r1 - 04 Dec 2020 - 15:57:11 - ChrisCooke
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
This Wiki uses Cookies