LCFG Annual Review 2015

On Thursday 3rd December 2015 instead of our normal monthly Deployers Meeting we will be holding an Annual Review session.

All users of LCFG are encouraged to attend this meeting to hear about what has been happening over the last year and what developments they can look forwards to in the next year. This is also an excellent opportunity to raise issues that are important to you, put forward ideas for future developments you would like to see and chat about all things LCFG!

If you have any topics you are particularly keen to have discussed then please edit this page and add them to the General Discussion section below with a brief summary.

This will start at 2pm and we aim to be finished by 5pm. It will be held in room 2.33 of the Informatics Forum (note that this is NOT the usual room).

The rough outline agenda is:

After the meeting there will be an informal gathering in a local pub (some IS folk might wish to go to Teviot for the second half of the IS Festive Celebration), followed by some food, everyone is welcome to come along.

Upstream

Component Changes

New components:

lcfg-sssd

sub-class of inifile component for managing the System Security Services Daemon

lcfg-runner

replaces boot.run facility in SL7 for running daily jobs. See TaskRunner for full details.

lcfg-baseinstall

Supports calling install methods from within the newly installed system immediately prior to the first reboot. This is used in Informatics for running kdcregister and restoring ssh keys from our wallet server. See BaseInstall for full details.

Notable changes:

ngeneric environment plugins

The ngeneric framework now provides an environment initialisation system for component methods with support for plugins which mean it is fully extensible. The default plugins support setting environment variables and acquiring Kerberos credentials. See EnvInit for details.

sysinfo features

The sysinfo component now supports a features list which can be used to associate arbitrary labels with a profile. This is useful for describing particular aspects of a system. See SysInfoDevel for details on how to query this information.

Component sub-classing

It is now possible to sub-class a component written in Perl (e.g. sssd sub-classes inifile) to allow code reuse.

fstab disk encryption support

The fstab component now supports the encryption of tmp and swap partitions.

kernel component

The kernel component has improved support for rebuilding initramfs files.

SL7

We finally got the SL7 desktop platform ready for deployment. Informatics have now deployed approx 580 SL7 machines. We have also upgraded to SL7.1. Work is progressing on the server platform.

So far have verified support for:

• Networking - Old-style scripts still work for bonding (issues with anything other than NIC1/NIC2 pairs), bridging and VLANs. Still need to begin looking at native networkmanager support.
• IPMI
• Monitoring with nagios
• LVM

Ongoing:

• RAID - common hardware controllers done
• apacheconf - fairly high priority, needs overhaul and support for 2.4
• DNS server - gets killed at startup, further investigation required
• Multipath support

LCFG Client Update

Work to improve the long-term maintainability is still ongoing. We are working on creating a new set of platform-independent libraries, written in C, which can be used to handle the processing of resources, contexts and package specifications along with the reading of XML profiles. Built on top of this will be a set of Perl libraries which represent the profile, components, resources and packages as objects. This will provide a new API which can be used in the client, individual components and other utilities such as qxprof and qxpack.

General Discussion

• Thoughts on how the apacheconf component can be improved, and cosign client. See ApacheConfIdeas for current ideas.
• Standard paths, now that osx11 has denied us our current ones.
• Release management - use of git?
• Priorities in package specs and updaterpms - getting OS security fixes out quickly. Cron job running high priority updaterpms frequently. There's a bug with more details.
• Managing cgroups. In particular, restricting the amount of memory individual users can use on shared compute systems.
• Lightweight client
• Improving security.
• Enhancing the client status feedback process.

Notes

kenny didn't like including every file in lcfg.sites.d. shane agreed. squinney says don't use the file component for writing files in that dir because it can't delete them. use the apacheconf component instead! gdutton suggested not using the default of Include conf.d/* and having apacheconf write appropriate include statements instead.

it's worth having the apacheconf automatically output the include directive with an easy mechanism to turn off a virtualhost.

kenny suggested it would be handy to put a comment in config files to make it clear that they are disabled.

each vhost has an ssl flag which should feed back to the top level for turning on ssl globally.

there was a long discussion about using \n in verbatim lines, but the solution is to solve the problem at a higher level in lcfg rather than separately in each component

matthew suggested pulling vhost macros into the lcfg layer, squinney agreed. not so much luck with bringing x509 into the mix, though!

geoff's favourite bug was running multiple ssl instances in one virtualhost.

on the topic of cgroups: graeme mentioned that the syntax is quite horrible, consensus was that the simple, common things should be made easy and the rest hidden in a template.

it's worth keeping lcfg running on other distributions, made easier with systemd, and saves a lot of development time by keeping lcfg up to date with changes being made in fedora. it's worth checking whether lcfg works on debian/ubuntu/others.

security: k5login paths are in users home directories by default which is bad. krb5.conf can specify a central path.

squinney: we need to get away from the old single-template method and move to using a directory with a set of templates per component.

matthew suggested looking at things like puppet to see what we should be doing in lcfg. squinney said that looking at ansible would be more instructive since redhat has recently bought ansible and it's much closer to what lcfg already does.

back to security: need to improve client/server relationship security. client doesn't verify ssl certificate at all. would be nice to have encryption and integrity. would also be nice to have secrets passed around properly using e.g. wallet.

kenny is keen to shorten the release latency between RH security updates being released and appearing on machines. there are problems with just using the distro provided packages but there's also a lot of human effort required in filtering the package updates. kenny is happy to patch updaterpms to do security updates on a threshold on a regular basis.

-- Main.squinney - 2015-11-13