LCFG Annual Review 2016
On Thursday 1st December 2016, instead of our normal monthly Deployers Meeting, we will be holding our traditional Annual Review session. This will start at 2pm and we aim to be finished by 5pm. It will be held in room 1.07 of the George Square Library (note that this is NOT the usual room).
All users of LCFG are encouraged to attend this meeting to hear about what has been happening over the last year and what developments they can look forward to in the next year. This is also an excellent opportunity to raise issues that are important to you, put forward ideas for future developments you would like to see and chat about all things LCFG!
As is traditional the meeting will be followed by a social event and we will go for dinner somewhere. Even if you cannot attend the meeting in the afternoon you are very welcome to join us for the social event in the evening.
If you have any topics you are particularly keen to have discussed then please edit this page and add them to the General Discussion section below with a brief summary.
Upstream Report
Compiler
Various new features have been added to the LCFG compiler this year.
- Support for mIFNULL and mIFNULLQ mutators.
- ACL template support which controls how the .htpasswd file is generated for each host. This is controlled using the server.acltemplate resource which defaults to apache_legacy.tt for SL6 servers and apache.tt otherwise. This also allows sites to create completely different local configs. The file system access permissions have also been tightened up.
- The ¶ (pilcrow) character is now replaced with a newline in resource values to make it easier to generate multi-line data for any component.
Component Changes
There has been a lot of work to add support for SL7 and, in particular, to improve how the components behave in the world of Systemd. Here are a few of the highlights:
- apacheconf: Updated to support apache 2.4, with many improvements as proposed at the 2015 Annual Meeting. We now have some documentation: ApacheConf and ApacheConfModules.
- autofs: Now co-operates with systemd.
- cosign: New support for apache 2.4.
- dns: New 'configureserver' type which co-operates with systemd.
- fstab: Support for encrypted partitions.
- inifile: Now fully sub-classable (e.g. by the sssd and sysconfig components).
- lvm: SL7 support.
- multipath: SL7 support.
- mock: Improved support for Fedora and CentOS chroots, including the CentOS 7 i686 alternate arch.
- ngeneric: New try_restart method which will restart a component which is already started but is otherwise a no-op. Ideal when one component needs to restart another.
- rpmaccel (squid): Overhauled to support SL7 and squid 3.3.
- sysconfig: Reworked to be an inifile sub-class.
SL6
We are currently putting a lot of effort into upgrading all our machines to SL7. As the number of SL6 machines in Informatics dwindles so does the level of support we are able to provide for this platform. As of 24th November we have slightly over 300 machines still running on SL6. They are nearly all servers, so although we are still doing weekly testing for desktop style profiles there is a chance that problems which only affect those machines may not be spotted. Depending on progress it's possible that we will drop support for SL6 as early as Easter 2017. Unless a major issue crops up with LCFG support for SL6 we are unlikely to be doing much in the way of further development work for this platform.
The platform was updated to SL6.8 in August. We do not intend to do any further minor updates for this platform.
SL7
This is our primary platform; in Informatics there are currently slightly over 900 machines running on SL7. Looking ahead, this will continue to be our desktop platform for the academic year 2017/2018. We have now ported the majority of our services to SL7 and we expect our servers to be running on this platform for quite a while.
There was a certain amount of upheaval related to a belated decision to switch to the "modern" network interface naming style, see ConsistentNamingSchemeByModel for full details.
The platform was updated to SL7.2 in the first half of 2017. RHEL7.3 was released in November and we expect SL7.3 within the next month or so. Hopefully this will fix support for Intel Skylake based systems (e.g. the HP EliteDesk 800 G2).
RHEL8
Looking at the dates for previous Redhat releases it looks likely that RHEL8 (at least the beta) will arrive in the first half of 2017.
| Release | Date |
| RHEL 4 GA | 2005-02-15 |
| RHEL 5.0 | 2007-03-15 |
| RHEL 6.0 | 2010-11-09 |
| RHEL 7.0 Beta | 2013-12-11 |
| RHEL 7.0 GA | 2014-06-09 |
| RHEL 8.0 beta | ?? Spring 2017 ?? |
We hope to begin investigating LCFG support for EL8 as soon as the beta is available; hopefully the scale of the changes between 7 and 8 will be an order of magnitude smaller than that between 6 and 7...
There is considerable uncertainty about the future of the Scientific Linux project. At the SL7 stage CERN dropped out of the project, leaving only Fermilab. Could we see them deciding to merge with CentOS, or become a CentOS SIG? We will have to consider the possibility of being forced to switch to CentOS. This could lead to some major changes in the way we manage our support for the platform. In particular, unlike SL, the CentOS project does NOT provide security support for earlier minor releases.
Given the huge effort required to upgrade all of our servers we might focus on desktops for this release.
IS Report
macOS
There will be no further releases of the LCFG packages for Apple macOS. The last supported release was for OS X 10.11 which will be maintained until at least summer 2017.
IS has moved a member of staff into Desktop Services to run a new service based on JAMF Casper.
ITI Enterprise Services
Over the last year our focus has continued to shift from desktops to servers, with a growing number of our infrastructure servers managed by LCFG:
- EASE KDCs
- Central Authorisation LDAP
- Shibboleth IdPs
- Devolved LCFG
- IS Jabber
- Internal Mail Relays
- EdUni Certificate Authority
and with plans for more this academic year:
- EASE and Staffmail Databases
- DNS
- External and Bulk Mail Relays
- Sympa Mailing Lists
Some of these servers are supporting services that are managed outside of LCFG but take advantage of the managed platform it provides.
Placing services behind the load balancer introduces new challenges; for example, we cannot rely on DNS to provide a mapping between services and servers.
Although IS has chosen Puppet as its preferred configuration management technology, the conversion of existing services to the mature, full featured and supported LCFG platform captures and codifies our local patches and configurations ready for reimplementation if required. We will likely attempt dual managed hosts in the coming year.
Linux desktop package requests are now processed in the same way as those for MS Windows and Apple macOS. However, there is no new effort in IS to perform the actual packaging and so this continues to be a limited service.
Statistics
| School | Linux | Macs |
| ace | 19 | 198 |
| biolsci | 54 | 165 |
| epcc | 68 | 0 |
| geos | 155 | 72 |
| isfm | 0 | 75 |
| isd | 31 | 1102 |
| isg | 64 | 1 |
| maths | 142 | 9 |
| phys | 424 | 0 |
| see | 349 | 0 |
| OS | Count |
| sl | 1309 |
| sl6 | 518 |
| sl66 | 374 |
| sl68 | 144 |
| sl7 | 790 |
| OS | Count |
| osx | 1655 |
| osx6 | 4 |
| osx7 | 60 |
| osx8 | 96 |
| osx9 | 110 |
| osx10 | 931 |
| osx11 | 453 |
We now have 18002 RPMs in our devolved repositories and 821 package recipes.
Upcoming Developments
- LCFG client v4
- network component rewrite
General Discussion
- Future platform support
- Support for the latest hardware, UEFI
- Dell System Update - interaction with updaterpms? Local mirror?
- Multistage components - Use systemd to call different methods before and after the third party service is started, e.g. cups, mariadb
- What small improvements would you love to see?
- Macros documented in man pages
fstab v network component
Would it actually be better to prioritise a rewrite of the fstab component rather than the network component?
There is a need for proper support for LVM and we would also like full disk encryption. There are also more bugs filed against fstab than the network component. Several people noted that they would like to have a way of forcing the component to overwrite the /etc/fstab file when resources change.
Alastair noted that the network component needs a test suite added first so that we can ensure that any rewritten version generates correct configurations. That should be easy enough since it's only generating text files.
SL6 timescales
Informatics is aiming to be finished with SL6 by Easter. For other schools it might be the summer; not everyone has started scheduling their upgrades yet. Informatics will support SL6 as long as it doesn't require too much work. Support is likely to disappear when we get to a point of having no way to test the weekly release on SL6 machines, particularly if a huge backported set of security updates were to suddenly appear.
Package List tools
As not all package providers have rsync support we would like to add support for mirroring package repositories over http using wget or reposync.
Kenny noted that sometimes packages have invalid RPM filenames which do not conform to the name-version-release.arch.rpm format. Stephen said that we could add a tool which generates a hardlink with the correct filename based on the values in the RPM header.
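As an added illustration of the hardlink tool suggested above (example code written for this page, not LCFG's own tooling), assuming Python 3 and the rpm(8) command on the host; the package names, version strings and paths used in the comments and checks are constructed:

```python
"""Added example (not LCFG's own code): link a mis-named RPM under its
canonical name-version-release.arch.rpm filename, taken from the RPM header."""
import os
import re
import subprocess

# The filename format the page says some vendor packages fail to follow.
NVRA_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)\.rpm$")
# rpm(8) query format; tab-separated so a version string can never look like a separator.
QUERY_FORMAT = "%{NAME}\t%{VERSION}\t%{RELEASE}\t%{ARCH}\n"


def canonical_filename(name, version, release, arch):
    """Build the canonical filename from header values."""
    return f"{name}-{version}-{release}.{arch}.rpm"


def parse_filename(path):
    """Return (name, version, release, arch) from a well-formed filename, else None."""
    m = NVRA_RE.match(os.path.basename(path))
    return m.group("name", "version", "release", "arch") if m else None


def header_nvra(path):
    """Read NAME/VERSION/RELEASE/ARCH from the package header with rpm -qp.
    Intended for binary RPMs; rpm still verifies the file's digests as usual."""
    out = subprocess.run(["rpm", "-qp", "--qf", QUERY_FORMAT, path],
                         check=True, capture_output=True, text=True).stdout
    return tuple(out.rstrip("\n").split("\t"))


def canonical_target(path, nvra):
    """Path the file should be linked as, or None if its name already matches
    its header (pure function, so it can be checked without any RPM files)."""
    target = os.path.join(os.path.dirname(path), canonical_filename(*nvra))
    return None if os.path.basename(path) == os.path.basename(target) else target


def link_with_canonical_name(path):
    """Create the hardlink. Refuses to clobber a different existing file,
    so a second package cannot silently take over a canonical name."""
    target = canonical_target(path, header_nvra(path))
    if target is None:
        return None                          # already correctly named
    if os.path.exists(target):
        if os.path.samefile(path, target):
            return None                      # link already created earlier
        raise FileExistsError(f"{target} exists and is not {path}")
    os.link(path, target)
    return target
```

Running link_with_canonical_name over every file in a mirrored repository directory leaves the original vendor filenames in place while giving updaterpms and the package list tools a correctly named entry for each package.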
Small Improvements
- openssh component bug - [[https://bugs.lcfg.org/show_bug.cgi?id=930][Test sshd config validity]]
- Would be nice if the server logfile showed the full path for the changed files.
- Add docs to lcfg-systemd man page for standard macros.
- Add an lcfg-profile man page which includes details of the mutator macros.
- Better docs for lcfg-ngeneric and lcfg-om
- Can lcfg-authorize support unix groups as well as netgroups?
- Add support for cgroups to provide greater control than can be achieved through pam_limits
-- Main.squinney - 2016-10-07