Tags:
create new tag
view all tags

LCFG Annual Review 2016

On Thursday 1st December 2016 instead of our normal monthly Deployers Meeting we will be holding our traditional Annual Review session. This will start at 2pm and we aim to be finished by 5pm. It will be held in room 1.07 of the George Square Library (note that this is NOT the usual room).

All users of LCFG are encouraged to attend this meeting to hear about what has been happening over the last year and what developments they can look forwards to in the next year. This is also an excellent opportunity to raise issues that are important to you, put forward ideas for future developments you would like to see and chat about all things LCFG!

As is traditional the meeting will be followed by a social event and we will go for dinner somewhere. Even if you cannot attend the meeting in the afternoon you are very welcome to join us for the social event in the evening.

If you have any topics you are particularly keen to have discussed then please edit this page and add them to the General Discussion section below with a brief summary.

Upstream Report

Compiler

Various new features have been added to the LCFG compiler this year.

  • Support for mIFNULL and mIFNULLQ mutators.
  • ACL template support which controls how the .htpasswd file is generated for each host. This is controlled using the server.acltemplate resource which defaults to apache_legacy.tt for SL6 servers and apache.tt otherwise. This also allows sites to create completely different local configs. Also tightened up the file system access permissions.
  • The ΒΆ (pilcrow) character is now replaced with a newline in resource values to make it easier to generate multi-line data for any component.

Component Changes

There has been a lot of work to add support for SL7 and, in particular, to improve how the components behave in the world of Systemd. Here are a few of the highlights:

apacheconf
Updated to support apache 2.4, also many improvements as proposed at the 2015 Annual Meeting. We now have some documentation: ApacheConf and ApacheConfModules.
autofs
Now co-operates with systemd
cosign
New support for apache 2.4
dns
New 'configureserver' type which co-operates with systemd.
fstab
Support for encrypted partitions
inifile
Now fully sub-classable (e.g. by sssd and sysconfig components)
lvm
SL7 support
multipath
SL7 support
mock
Improved support for Fedora and Centos chroots including the centos 7 i686 alternate arch.
ngeneric
New try_restart method which will restart a component which is already started but otherwise is a no-op. Ideal when one component needs to restart another.
rpmaccel (squid)
Overhauled to support SL7 and squid 3.3
sysconfig
Reworked to be an inifile sub-class

SL6

We are currently putting a lot of effort into upgrading all our machines to SL7. As the number of SL6 machines in Informatics dwindles so does the level of support we are able to provide for this platform. As of 24th November we have slightly over 300 machines still running on SL6, they are nearly all servers so although we are still doing weekly testing for desktop style profiles there is a chance that problems which only affect those machines may not be spotted. Depending on progress it's possible that we will drop support for SL6 as early as Easter 2017. Unless a major issue crops up with LCFG support for SL6 we are unlikely to be doing much in the way of further development work for this platform.

The platform was updated to SL6.8 in August. We do not intend to do any further minor updates for this platform.

SL7

This is our primary platform, in Informatics there are currently slightly over 900 machines running on SL7. Looking ahead, this will continue to be our desktop platform for the academic year 2017/2018. We have now ported the majority of our services to SL7 and we expect our servers to be running on this platform for quite a while.

There was a certain amount of upheaval related to a belated decision to switch to the "modern" network interface naming style, see ConsistentNamingSchemeByModel for full details.

The platform was updated to SL7.2 in the first half of 2017. RHEL7.3 was released in November and we expect SL7.3 within the next month or so. Hopefully this will fix support for Intel Skylake based systems (e.g. the HP EliteDesk 800 G2).

RHEL8

Looking at the dates for previous Redhat releases it looks likely that RHEL8 (at least the beta) will arrive in the first half of 2017.

RHEL 4 GA 2005-02-15
RHEL 5.0 2007-03-15
RHEL 6.0 2010-11-09
RHEL 7.0 Beta 2013-12-11
RHEL 7.0 GA 2014-06-09
RHEL 8.0 beta ?? Spring 2017 ??

We hope to begin investigating LCFG support for EL8 as soon as the beta is available, hopefully the scale of the changes between 7 and 8 will be an order of magnitude smaller than that between 6 and 7...

There is considerable uncertainty about the future of the Scientific Linux project. At the SL7 stage CERN dropped out of the project leaving only Fermilab, could we see them deciding to merge with Centos? Or become a Centos SIG? We will have to consider the possibility of being forced to switch to Centos. This could lead to some major changes in the way we manage our support for the platform. In particular, unlike SL the Centos project does NOT provide security support for earlier minor releases

Given the huge effort required to upgrade all of our servers we might focus on desktops for this release.

IS Report

macOS

There will be no further releases of the LCFG packages for Apple macOS. The last supported release was for OS X 10.11 which will be maintained until at least summer 2017.

IS has moved a member of staff into Desktop Services to run a new service based on JAMF Casper.

ITI Enterprise Services

Over the last year our focus has continued to shift from desktops to servers, with a growing number of our infrastructure servers managed by LCFG

  • EASE KDCs
  • Central Authorisation LDAP
  • Shibboleth IdPs
  • Devolved LCFG
  • IS Jabber
  • Internal Mail Relays
  • EdUni Certificate Authority

and with plans for more this academic year

  • EASE and Staffmail Databases
  • DNS
  • External and Bulk Mail Relays
  • Sympa Mailing Lists

Some of these servers are supporting services that are managed outside of LCFG but take advantage of the managed platform it provides.

Placing services behind the load balancer introduces new challenges - for example cannot rely on DNS to provide a mapping between services and servers.

Although IS have chosen Puppet for its preferred configuration management technology, the conversion of existing services to the mature, full featured and supported LCFG platform captures and codifies our local patches and configurations ready for reimplementation if required. We will likely attempt dual managed hosts in the coming year.

Linux desktop package requests are now processed the same as those for MS Windows and Apple macOS. However, there is no new effort in IS to perform the actual packaging and so continues to be a limited service.

Statistics

School Linux Macs
ace 19 198
biolsci 54 165
epcc 68 0
geos 155 72
isfm 0 75
isd 31 1102
isg 64 1
maths 142 9
phys 424 0
see 349 0

OS Count
sl 1309
sl6 518
sl66 374
sl68 144
sl7 790

OS Count
osx 1655
osx6 4
osx7 60
osx8 96
osx9 110
osx10 931
osx11 453

We now have 18002 RPMs in our devolved repositories and 821 package recipes.

Upcoming Developments

  • LCFG client v4
  • network component rewrite

General Discussion

  • Future platform support
  • Support for the latest hardware, UEFI
  • Dell System Update - interaction with updaterpms? Local mirror?
  • Multistage components - Use systemd to call different methods before and after the third party service is started, e.g. cups, mariadb
  • What small improvements would you love to see?
  • Macros documented in man pages

fstab v network component

Would it actually be better to prioritise a rewrite of the fstab component rather than the network component?

There is a need for proper support for LVM and also we would like full disk encryption. There are also more bugs filed against fstab than then network component. Several people noted that they would like to have a way of forcing the component to overwrite the /etc/fstab file when resources change.

Alastair noted that the network component needs a test suite adding first so that we can ensure that any rewritten version generates correct configurations. That should be easy enough since it's only generating text files.

SL6 timescales

Informatics is aiming to be finished with SL6 by Easter. For other schools it might be the summer, not everyone has started scheduling their upgrades yet. Informatics will support SL6 as long as it doesn't require too much work. Support is likely to disappear when we get to a point of having no way to test the weekly release on SL6 machines, particularly if a huge backported set of security updates were to suddenly appear.

Package List tools

As not all package providers have rsync support we would like to add support for mirroring package repositories over http using wget or reposync.

Kenny noted that sometimes packages have invalid RPM filenames which do not conform to the name-version-release.arch.rpm format. Stephen said that we could add a tool which generates a hardlink with the correct filename based on the values in the RPM header.

Small Improvements

  • openssh component bug - [[https://bugs.lcfg.org/show_bug.cgi?id=930][Test sshd config validity]
  • Would be nice if the server logfile showed the full path for the changed files.
  • Add docs to lcfg-systemd man page for standard macros.
  • Add an lcfg-profile man page which includes details of the mutator macros.
  • Better docs for lcfg-ngeneric and lcfg-om
  • Can lcfg-authorize support unix groups as well as netgroups?
  • Add support for cgroups to provide greater control than can be achieved through pam_limits

-- Main.squinney - 2016-10-07

Topic revision: r10 - 2017-02-03 - squinney
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback