Tags: view all tags

LCFG Annual Review 2016

On Thursday 1st December 2016 instead of our normal monthly Deployers Meeting we will be holding our traditional Annual Review session. This will start at 2pm and we aim to be finished by 5pm. It will be held in room 1.07 of the George Square Library (note that this is NOT the usual room).

All users of LCFG are encouraged to attend this meeting to hear about what has been happening over the last year and what developments they can look forwards to in the next year. This is also an excellent opportunity to raise issues that are important to you, put forward ideas for future developments you would like to see and chat about all things LCFG!

As is traditional the meeting will be followed by a social event and we will go for dinner somewhere. Even if you cannot attend the meeting in the afternoon you are very welcome to join us for the social event in the evening.

If you have any topics you are particularly keen to have discussed then please edit this page and add them to the General Discussion section below with a brief summary.

Upstream Report

Compiler

Various new features have been added to the LCFG compiler this year.

Support for mIFNULL and mIFNULLQ mutators.
ACL template support which controls how the .htpasswd file is generated for each host. This is controlled using the server.acltemplate resource which defaults to apache_legacy.tt for SL6 servers and apache.tt otherwise. This also allows sites to create completely different local configs. Also tightened up the file system access permissions.
The ¶ (pilcrow) character is now replaced with a newline in resource values to make it easier to generate multi-line data for any component.

Component Changes

There has been a lot of work to add support for SL7 and, in particular, to improve how the components behave in the world of Systemd. Here are a few of the highlights:

apacheconf: Updated to support apache 2.4, also many improvements as proposed at the 2015 Annual Meeting. We now have some documentation: ApacheConf and ApacheConfModules.
autofs: Now co-operates with systemd
cosign: New support for apache 2.4
dns: New 'configureserver' type which co-operates with systemd.
fstab: Support for encrypted partitions
inifile: Now fully sub-classable (e.g. by sssd and sysconfig components)
lvm: SL7 support
multipath: SL7 support
mock: Improved support for Fedora and Centos chroots including the centos 7 i686 alternate arch.
ngeneric: New try_restart method which will restart a component which is already started but otherwise is a no-op. Ideal when one component needs to restart another.
rpmaccel (squid): Overhauled to support SL7 and squid 3.3
sysconfig: Reworked to be an inifile sub-class

SL6

We are currently putting a lot of effort into upgrading all our machines to SL7. As the number of SL6 machines in Informatics dwindles so does the level of support we are able to provide for this platform. As of 24th November we have slightly over 300 machines still running on SL6, they are nearly all servers so although we are still doing weekly testing for desktop style profiles there is a chance that problems which only affect those machines may not be spotted. Depending on progress it's possible that we will drop support for SL6 as early as Easter 2017. Unless a major issue crops up with LCFG support for SL6 we are unlikely to be doing much in the way of further development work for this platform.

The platform was updated to SL6.8 in August. We do not intend to do any further minor updates for this platform.

SL7

This is our primary platform, in Informatics there are currently slightly over 900 machines running on SL7. Looking ahead, this will continue to be our desktop platform for the academic year 2017/2018. We have now ported the majority of our services to SL7 and we expect our servers to be running on this platform for quite a while.

There was a certain amount of upheaval related to a belated decision to switch to the "modern" network interface naming style, see ConsistentNamingSchemeByModel for full details.

The platform was updated to SL7.2 in the first half of 2017. RHEL7.3 was released in November and we expect SL7.3 within the next month or so. Hopefully this will fix support for Intel Skylake based systems (e.g. the HP EliteDesk 800 G2).

RHEL8

Looking at the dates for previous Redhat releases it looks likely that RHEL8 (at least the beta) will arrive in the first half of 2017.

RHEL 4 GA	2005-02-15
RHEL 5.0	2007-03-15
RHEL 6.0	2010-11-09
RHEL 7.0 Beta	2013-12-11
RHEL 7.0 GA	2014-06-09
RHEL 8.0 beta	?? Spring 2017 ??

We hope to begin investigating LCFG support for EL8 as soon as the beta is available, hopefully the scale of the changes between 7 and 8 will be an order of magnitude smaller than that between 6 and 7...

There is considerable uncertainty about the future of the Scientific Linux project. At the SL7 stage CERN dropped out of the project leaving only Fermilab, could we see them deciding to merge with Centos? Or become a Centos SIG? We will have to consider the possibility of being forced to switch to Centos. This could lead to some major changes in the way we manage our support for the platform. In particular, unlike SL the Centos project does NOT provide security support for earlier minor releases

Given the huge effort required to upgrade all of our servers we might focus on desktops for this release.

IS Report

macOS

There will be no further releases of the LCFG packages for Apple macOS. The last supported release was for OS X 10.11 which will be maintained until at least summer 2017.

IS has moved a member of staff into Desktop Services to run a new service based on JAMF Casper.

ITI Enterprise Services

Over the last year our focus has continued to shift from desktops to servers, with a growing number of our infrastructure servers managed by LCFG

EASE KDCs
Central Authorisation LDAP
Shibboleth IdPs
Devolved LCFG
IS Jabber
Internal Mail Relays
EdUni Certificate Authority

and with plans for more this academic year

EASE and Staffmail Databases
DNS
External and Bulk Mail Relays
Sympa Mailing Lists

Some of these servers are supporting services that are managed outside of LCFG but take advantage of the managed platform it provides.

Placing services behind the load balancer introduces new challenges - for example cannot rely on DNS to provide a mapping between services and servers.

Although IS have chosen Puppet for its preferred configuration management technology, the conversion of existing services to the mature, full featured and supported LCFG platform captures and codifies our local patches and configurations ready for reimplementation if required. We will likely attempt dual managed hosts in the coming year.

Linux desktop package requests are now processed the same as those for MS Windows and Apple macOS. However, there is no new effort in IS to perform the actual packaging and so continues to be a limited service.

Statistics

School	Linux	Macs
ace	19	198
biolsci	54	165
epcc	68	0
geos	155	72
isfm	0	75
isd	31	1102
isg	64	1
maths	142	9
phys	424	0
see	349	0

OS	Count
sl	1309
sl6	518
sl66	374
sl68	144
sl7	790

OS	Count
osx	1655
osx6	4
osx7	60
osx8	96
osx9	110
osx10	931
osx11	453

We now have 18002 RPMs in our devolved repositories and 821 package recipes.

Upcoming Developments

LCFG client v4
network component rewrite

General Discussion

Future platform support
Support for the latest hardware, UEFI
Dell System Update - interaction with updaterpms? Local mirror?
Multistage components - Use systemd to call different methods before and after the third party service is started, e.g. cups, mariadb
What small improvements would you love to see?
Macros documented in man pages

fstab v network component

Would it actually be better to prioritise a rewrite of the fstab component rather than the network component?

There is a need for proper support for LVM and also we would like full disk encryption. There are also more bugs filed against fstab than then network component. Several people noted that they would like to have a way of forcing the component to overwrite the /etc/fstab file when resources change.

Alastair noted that the network component needs a test suite adding first so that we can ensure that any rewritten version generates correct configurations. That should be easy enough since it's only generating text files.

SL6 timescales

Informatics is aiming to be finished with SL6 by Easter. For other schools it might be the summer, not everyone has started scheduling their upgrades yet. Informatics will support SL6 as long as it doesn't require too much work. Support is likely to disappear when we get to a point of having no way to test the weekly release on SL6 machines, particularly if a huge backported set of security updates were to suddenly appear.

Package List tools

As not all package providers have rsync support we would like to add support for mirroring package repositories over http using wget or reposync.

Kenny noted that sometimes packages have invalid RPM filenames which do not conform to the name-version-release.arch.rpm format. Stephen said that we could add a tool which generates a hardlink with the correct filename based on the values in the RPM header.

Small Improvements

openssh component bug - [[https://bugs.lcfg.org/show_bug.cgi?id=930][Test sshd config validity]
Would be nice if the server logfile showed the full path for the changed files.
Add docs to lcfg-systemd man page for standard macros.
Add an lcfg-profile man page which includes details of the mutator macros.
Better docs for lcfg-ngeneric and lcfg-om
Can lcfg-authorize support unix groups as well as netgroups?
Add support for cgroups to provide greater control than can be achieved through pam_limits

-- Main.squinney - 2016-10-07

Topic revision: r10 - 2017-02-03 - squinney