LCFG Annual Review 2014

On Thursday 4th December 2014 instead of our normal monthly Deployers Meeting we will be holding an Annual Review session.

All users of LCFG are encouraged to attend this meeting to hear about what has been happening over the last year and what developments they can look forward to in the next year. This is also an excellent opportunity to raise issues that are important to you, put forward ideas for future developments you would like to see and chat about all things LCFG!

If you have any topics you are particularly keen to have discussed then please edit this page and add them to the General Discussion section below with a brief summary.

This will start at 2pm and we aim to be finished by 5pm. It will be held in room 2.33 of the Informatics Forum (note that this is NOT the usual room).

The rough outline agenda is:

14:00 - 14:30 Upstream review from Informatics
14:30 - 15:00 Introduction to SystemD
15:00 - 15:30 Tea break (mince pies if you're lucky!)
15:30 - 16:00 Downstream review from IS
16:00 - 17:00 General Discussion

After the meeting there will be an informal gathering in a local pub followed by some food; everyone is welcome to come along.


Component Changes

New components:

  • lcfg-alf - MacOSX application firewall
  • lcfg-dconf - (replaces lcfg-gconf in EL7)
  • lcfg-grub2 - (replaces lcfg-grub in EL7)
  • lcfg-jenkins - Continuous integration service
  • lcfg-mongodb - NoSQL document database
  • lcfg-polkit - PolicyKit authorization framework (for EL7)
  • lcfg-snort - network intrusion prevention system
  • lcfg-systemd - Systemd - (replaces lcfg-boot in EL7)
  • lcfg-uchiwa - dashboard for the Sensu monitoring framework

Particular updates:

  • lcfg-authorize - Now with support for checking membership of netgroups
  • lcfg-hardware - rewritten into Perl for EL7 along with new features for SystemD
  • lcfg-nsswitch - rewritten into Perl and templates now use TT
  • lcfg-rpmaccel - now supports proxying of multiple sites
  • lcfg-tcpwrappers - rewritten into Perl and templates now use TT

We are now down to 7 core components still using bash (client, fstab, mail, network, openssh, rsyslog and updaterpms).

LCFG Client Update

This year saw the release of the v3 client. This was a much needed update that fixed many annoying bugs; it has also been particularly useful for those with roaming machines which do not have a fixed IP address.

We have also made a lot of progress on the v4 client. This involves the use of an entirely new object-oriented Perl API (based on the Moo framework) to represent the entire LCFG profile. A new XML profile parser has been written in C which uses the libxml2 xmlreader streaming API to minimise memory usage and processing time. The aim is that this work will be completed in the first half of 2015. See ProfileAPI for a few examples of how to use the new API.

Platform Independence

As part of the project to add EL7 support we have done a considerable amount of work on the ngeneric framework (both Shell and Perl) to improve the platform-independence of our code. In particular we have focussed on:

  • Removal of hard-wired paths
    • LCFG components now either use SysInfo or query the LCFG client code directly via the LCFG::Client::FileLocator module to avoid bootstrapping issues.

  • New IsStarted method
    • It is now possible to discover whether a component is started by calling the isstarted method via om (e.g. om foo isstarted); the state is represented by an exit code of zero (true) or one (false).

  • New Service function
    • It is now possible to call any method on a daemon via a standard function. This completely hides the details of whether the system uses SysVinit, SystemD (or even launchd on MacOSX). For example: Service openssh restart. See ControllingDaemons for more details.

There is a new RPM which can be used as a build-dependency in a specfile which guarantees that everything necessary for the standard LCFG build environment will be installed. This package currently contains no files; it just depends on different sets of packages depending on whether you are building on SL6 or SL7. This should improve the efficiency of future porting to new platforms. See BuildDependencies for more details.


This is a rather epic project to port the LCFG ecosystem to RHEL7. Informatics has committed 948 hours of effort this year (135 days or 27 weeks) on the SL7 project and 139 hours (20 days or 4 weeks) separately on Systemd.

Some of the larger items of work have included:

  • Reworking of the ngeneric framework to enhance platform-independence
  • Replacement of the boot/init components with Systemd
  • Replacement of the bootloader
  • Support for the new polkit authorization system
  • Large changes to the package repository infrastructure and the way we manage package lists.
  • New graphical environment and login manager

Still need to resolve:

  • Replacement of network subsystems with networkmanager
  • Default partition layout
  • Configuration support for udev

General Discussion

  • Parallelising profile compilation --gdutton
    • it seems as if precompiling CPP - and writing XML - could be parallelised without any fundamental architectural changes and could bring big gains in LCFG slave server performance.

  • lcfg-yummy - sdlaw
    • We use lcfg-yummy a lot to produce additional package lists. I wonder if it might be possible to enhance it to produce three output lists:- the requested package(s), a list of new dependencies and a list of dependencies that are already in the existing package list file (either the same version or an older version).

  • Reboot flag - sdlaw
    • We used to use a small package that flagged up a required reboot on the user's console. I wonder if it might be possible to resurrect this for sl6?

  • updaterpms authorization for end users - "allocated" group for desktops? - kenny

  • Mozilla component - kenny
    • Rewrite ffox component as mozilla component instead?

  • Mobile Clients - kenny
    • Full Disk Encryption
    • Everything over HTTPS
    • SSSD on Linux
    • DataSync

  • Could it be made possible for 'roaming' clients to send acks back to the server? (geoff)

  • Propagating configuration upstream from the DICE layer - Bruce Duncan

-- Main.squinney - 2014-11-26

Topic attachments

  • MDP_Review_and_Preview_2014.pdf (282.6 K, 2014-12-04) - IS Devolved LCFG Service Review and Preview 2014

Topic revision: r12 - 2014-12-04 - kenny