LCFG Annual Review 2015
On Thursday 3rd December 2015, instead of our normal monthly Deployers Meeting, we will be holding an Annual Review session.
All users of LCFG are encouraged to attend this meeting to hear about what has been happening over the last year and what developments they can look forward to in the next year. This is also an excellent opportunity to raise issues that are important to you, put forward ideas for future developments you would like to see and chat about all things LCFG!
If you have any topics you are particularly keen to have discussed then please edit this page and add them to the General Discussion section below with a brief summary.
This will start at 2pm and we aim to be finished by 5pm. It will be held in room 2.33 of the Informatics Forum (note that this is NOT the usual room).
The rough outline agenda is:
| 14:00 - 14:30 | Upstream review from Informatics |
| 14:30 - 14:50 | Downstream review from IS |
| 14:50 - 15:15 | The challenges of managing MacOSX using LCFG |
| 15:15 - 15:45 | Tea break (mince pies if you're lucky!) |
| 15:45 - 17:00 | General Discussion |
After the meeting there will be an informal gathering in a local pub (some IS folk might wish to go to Teviot for the second half of the IS Festive Celebration), followed by some food; everyone is welcome to come along.
Upstream
Component Changes
New components:
- lcfg-sssd
  - sub-class of the inifile component for managing the System Security Services Daemon
- lcfg-runner
  - replaces the boot.run facility in SL7 for running daily jobs. See TaskRunner for full details.
- lcfg-baseinstall
  - Supports calling install methods from within the newly installed system immediately prior to the first reboot. This is used in Informatics for running kdcregister and restoring ssh keys from our wallet server. See BaseInstall for full details.
Notable changes:
- ngeneric environment plugins
  - The ngeneric framework now provides an environment initialisation system for component methods, with support for plugins, which means it is fully extensible. The default plugins support setting environment variables and acquiring Kerberos credentials. See EnvInit for details.
- sysinfo features
  - The sysinfo component now supports a features list which can be used to associate arbitrary labels with a profile. This is useful for describing particular aspects of a system. See SysInfoDevel for details on how to query this information.
- Component sub-classing
  - It is now possible to sub-class a component written in Perl (e.g. sssd sub-classes inifile) to allow code reuse.
- fstab disk encryption support
  - The fstab component now supports the encryption of tmp and swap partitions.
- kernel component
  - The kernel component has improved support for rebuilding initramfs files.
SL7
We finally got the SL7 desktop platform ready for deployment. Informatics have now deployed approx 580 SL7 machines. We have also upgraded to SL7.1. Work is progressing on the server platform.
So far we have verified support for:
- Networking - Old-style scripts still work for bonding (issues with anything other than NIC1/NIC2 pairs), bridging and VLANs. We still need to begin looking at native NetworkManager support.
- IPMI
- Monitoring with nagios
- LVM
Ongoing:
- RAID - common hardware controllers done
- apacheconf - fairly high priority, needs an overhaul and support for Apache 2.4
- DNS server - gets killed at startup, further investigation required
- Multipath support
LCFG Client Update
Work to improve the long-term maintainability is still ongoing. We are working on creating a new set of platform-independent libraries, written in C, which can be used to handle the processing of resources, contexts and package specifications along with the reading of XML profiles. Built on top of this will be a set of Perl libraries which represent the profile, components, resources and packages as objects. This will provide a new API which can be used in the client, individual components and other utilities such as qxprof and qxpack.
General Discussion
- Thoughts on how the apacheconf component can be improved, and cosign client. See ApacheConfIdeas for current ideas.
- Standard paths, now that osx11 has denied us our current ones.
- Release management - use of git?
- Priorities in package specs and updaterpms - getting OS security fixes out quickly. Cron job running high priority updaterpms frequently. There's a bug with more details.
- Managing cgroups. In particular, restricting the amount of memory individual users can use on shared compute systems.
- Lightweight client
- Improving security.
- Enhancing the client status feedback process.
Notes
kenny didn't like including every file in lcfg.sites.d. shane agreed. squinney
says don't use the file component for writing files in that dir because it
can't delete them. use the apacheconf component instead! gdutton suggested not
using the default of Include conf.d/* and having apacheconf write appropriate
include statements instead.
it's worth having the apacheconf automatically output the include directive
with an easy mechanism to turn off a virtualhost.
kenny suggested it would be handy to put a comment in config files to make it
clear that they are disabled.
each vhost has an ssl flag which should feed back to the top level for turning
on ssl globally.
there was a long discussion about using \n in verbatim lines, but the solution
is to solve the problem at a higher level in lcfg rather than separately in
each component.
matthew suggested pulling vhost macros into the lcfg layer, squinney agreed.
not so much luck with bringing x509 into the mix, though!
geoff's favourite bug was running multiple ssl instances in one virtualhost.
on the topic of cgroups:
graeme mentioned that the syntax is quite horrible, consensus was that the
simple, common things should be made easy and the rest hidden in a template.
it's worth keeping lcfg running on other distributions, made easier with
systemd, and saves a lot of development time by keeping lcfg up to date with
changes being made in fedora. it's worth checking whether lcfg works on
debian/ubuntu/others.
security: k5login paths are in users home directories by default which is bad.
krb5.conf can specify a central path.
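As an added illustration (not from the meeting notes), the MIT krb5 setting that moves .k5login files out of home directories; the /etc/k5login.d path is an assumed example location:

```ini
[libdefaults]
    default_realm = EXAMPLE.REALM   ; placeholder realm
    ; Default behaviour: ~/.k5login is read from each user's home directory,
    ; so any user (or anything that can write to their home) controls who may
    ; log in as them.
    ;
    ; Centralise instead: look for /etc/k5login.d/<username>, a root-owned
    ; directory that LCFG can manage, with per-user files named after the
    ; local account.
    k5login_directory = /etc/k5login.d
    ; Treat a missing or empty k5login file as a definitive "no match" rather
    ; than falling back to the default principal-to-username mapping.
    k5login_authoritative = true
```

With k5login_directory set the per-user file is /etc/k5login.d/alice rather than /home/alice/.k5login, and should be root-owned and not writable by the user.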
squinney: we need to get away from the old single-template method and move to
using a directory with a set of templates per component.
matthew suggested looking at things like puppet to see what we should be doing
in lcfg. squinney said that looking at ansible would be more instructive since
redhat has recently bought ansible and it's much closer to what lcfg already
does.
back to security: need to improve client/server relationship security. client
doesn't verify ssl certificate at all. would be nice to have encryption and
integrity. would also be nice to have secrets passed around properly using
e.g. wallet.
kenny is keen to shorten the release latency between RH security updates being
released and appearing on machines. there are problems with just using the
distro provided packages but there's also a lot of human effort required in
filtering the package updates. kenny is happy to patch updaterpms to do
security updates on a threshold on a regular basis.
-- Main.squinney - 2015-11-13