NX service upgrade

On Thursday 26th January we plan to upgrade the NX remote desktop service.

All that will happen is that at about 09:00 we will change the DNS aliases (nx.inf and staff.nx.inf) to point to the new machines. This change can take some time to propagate, so we will not immediately remove access to the old servers; they will be left running as normal until 12:00 Friday 3rd February. This should allow sufficient time for users logged in to finish their existing sessions and move to the new server.

The general access service (nx.inf.ed.ac.uk) will move from piccadilly to hammersmith; the new IP address will be 129.215.202.146.

The staff service (staff.nx.inf.ed.ac.uk) will move from northern to jubilee; the new IP address will be 129.215.33.6.

The SSH key fingerprints will change, which will cause the NX client to request verification. See the NX help pages for the new key fingerprints and further information regarding the NX service.

If you encounter any problems accessing the NX service please contact us via the Support Form.
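When the client asks you to verify the new host key, compare the fingerprint it shows with the one published on the NX help pages before accepting. The following is an added example, not part of the original announcement: it computes the SHA256 and MD5 fingerprints of a host key line and compares them with a published value. The host name and key below are constructed samples, not the real NX host keys.

```python
import base64
import hashlib

# Constructed sample: a made-up key blob, not a real host key for any server.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_LINE = "nx.example.org ssh-ed25519 " + base64.b64encode(_BLOB).decode()


def key_blob(line):
    """Return the decoded key blob from a known_hosts or .pub style line."""
    for field in line.split():
        if field.startswith("AAAA"):  # base64 of the length-prefixed key type
            return base64.b64decode(field, validate=True)
    raise ValueError("no base64 key blob found in line")


def fingerprints(line):
    """Compute both fingerprint styles that OpenSSH displays for a key."""
    blob = key_blob(line)
    # SHA256 style: base64 of the digest with the trailing '=' padding removed.
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    # MD5 style (older clients): colon-separated lowercase hex pairs.
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    return {"sha256": "SHA256:" + sha, "md5": md5}


def matches_published(line, published):
    """True only if the offered key matches the published fingerprint."""
    got = fingerprints(line)
    want = published.strip()
    if want.startswith("SHA256:"):
        return want == got["sha256"]  # base64 is case-sensitive
    want = want.lower()  # hex fingerprints are case-insensitive
    if want.startswith("md5:"):
        want = want[4:]
    return want == got["md5"]


if __name__ == "__main__":
    print(fingerprints(SAMPLE_LINE))
```

If the comparison fails after the DNS change has propagated, do not accept the key; report it via the Support Form instead.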


macOS Sierra

The university information security office recommends keeping system software up to date as the first basic requirement to protect yourself online.

Users of self-managed machines, particularly laptops and tablets that are used outside the School, need to be particularly vigilant. Computing support rarely recommends installing the initial release of new software straight away, e.g. 10.12.0, as there are inevitably problems to be resolved. In the case of Mac OS X we now recommend that users upgrade to macOS Sierra, if possible, for reasons of security. The current release is now 10.12.3.

Some older machine models are no longer supported, so please do check the requirements online. If you believe that your hardware or application software is not compatible with Sierra and that you need to stick with an older version, then please check that the security fixes for your operating system are up to date.

Recent updates to Sierra, as well as Yosemite and El Capitan, provide important security fixes for browser vulnerabilities, noted in this security advisory.

We have put some initial information about Sierra on the computing help website at macos-releases.

Please remember there is a local mailing list, mac-users@inf.ed.ac.uk, which is a very low traffic list for self-support amongst Informatics Apple users. To subscribe visit http://lists.inf.ed.ac.uk/mailman/listinfo/mac-users.

blog.inf upgrade to SL7

We are planning to upgrade the WordPress server providing blog.inf from SL6 to SL7, and to this end a clone of blog.inf running on SL7 has been set up. If you wish to test that your blog and any associated plugins behave as you expect under SL7, then take a look at the SL7 test server, wobleg.inf.ed.ac.uk, and let us know if you find anything amiss.

WordPress itself will also be upgraded to version 4.6.1 (from 4.5.2), which addresses some security issues and fixes 15 bugs. For more information, see the release notes.

Note that this site is a clone of the live site, and a one-time copy was taken on 23/01/2017. Note also that the site is not accessible outside of the Informatics firewall, and any changes you make to the test site will be temporary, as the test site will be deleted after the live service upgrade.

Please try to do any testing within the next week, as – all other things being equal – the upgrade will take place at some point after 1st February (date to be announced).

Note that it is also intended to upgrade other managed WordPress servers within Informatics to SL7, and a similar process may apply.


Disruption to Informatics services based in Appleton Tower

Following on from the recent reminder of disruption to Informatics and central University systems on Tuesday 10th January, here is a bit more detail.

A fault was recently identified in the Appleton Tower “essential services” electrical supply, which amongst other things powers the basement server room which houses many Informatics and central University systems. Unfortunately a complete shut-down of this supply is required in order to repair the fault.

This work has been scheduled for the evening of 10th January.

The following websites will be unavailable (from 5pm) for the duration of the scheduled work:

  • Informatics Web CMS service, wcms.inf.ed.ac.uk
  • LFCS website, wcms.lfcs.inf.ed.ac.uk
  • ANC website, www.anc.ed.ac.uk
  • CISA website, www.cisa.inf.ed.ac.uk
  • HCRC website, www.hcrc.ed.ac.uk
  • ILCC website, www.ilcc.inf.ed.ac.uk
  • Peter Buneman 2013 Workshop, pbf2013.inf.ed.ac.uk
  • CLASSiC Project website, www.classic-project.org
  • EMIME project website, www.emime.org
  • Articulatory data corpus, www.mngu0.org
  • Ultrax Speech project, www.ultrax-speech.org

The CDT cluster is also affected, and will be powered down from 4.30pm on the 10th. Some additional maintenance will also be carried out, and it is unlikely that the whole cluster will be back up before 11am the following morning (although individual James nodes may be available before then).

Note that some home directories will also be unavailable from 5pm for the duration, mostly those of students and visitors. To check your home directory, use the “homedir” command on a DICE machine and look for one of the affected hosts in the output. The second field contains a host/partition pair, and if the host (the bit before “/”) is one of keto, ladon, naga, or cetus, then you will be affected. For example, an affected directory would show as:

% homedir
fred (Fred Smith) : naga/vicepa : /afs/inf.ed.ac.uk/user/f/fred : free 1320.2G (used 39%)
%

If you are affected, but would prefer not to be, contact Computing Support (who may be able to move your home directory to an unaffected server). Note that this is aimed primarily at new staff or visitors who may still have a home directory on an affected server; it is unlikely that UG student requests will be acceded to.

Note that the student.compute server will also be unavailable from 4.30pm on the 10th.

Other servers and services affected:

  • Login server (ssh.inf)
  • Student login server (student.ssh.inf)
  • Remote access server (nx.inf)
  • Projects database (projects.inf)
  • ANC server (trout.inf)

Note that connectivity to Forrest Hill & Wilkie may be lost, as might wireless and ‘phones.

Note also that it is assumed (unless otherwise stated) that all services will be unavailable from 4:30pm on the 10th, and returned to normal service at or before the end of the scheduled “At Risk” time of 12:00pm (noon) on the 11th.

Details of the work scheduled by IS can be found at http://reports.is.ed.ac.uk/alerts/index.cfm?fuseaction=view_alert&alert_id=6406


capturED replacement

The lecture capture system (capturED) that has been in place throughout the University for a number of years is now no longer supported by IS. As a result of the efforts of AHSS (in particular, the Business School), CSE has found an alternative (Panopto) which has been piloted and is now installed in the majority of lecture theatres.

A number of lectures have now been recorded successfully using Panopto. Although it does have its limitations (e.g. in the majority of lecture theatres, it is only possible to capture screen and audio), the feedback so far suggests that it has proved reliable and simple to use. There is now a page on computing.help which links to clear instructions created by PPLS on how to use Panopto.

computing.help.inf.ed.ac.uk/panopto

The pages do, however, refer to contacting PPLS support – if you do have any questions or need support, please contact Informatics support in the usual way rather than PPLS.

You may also have seen a recent news article about the University targeting an improved student digital experience by investing in a state-of-the-art lecture recording system covering 400 rooms. The process has only just started and there is an opportunity to take part in the User Consultation process. If you would like to contribute to this process, you can take a look at:

https://www.wiki.ed.ac.uk/display/LRec/Lecture+Recording+User+Consultation

and add any comments/suggestions that you may have.


Linux “Dirty COW” vulnerability

On 20th October 2016 it was announced that a serious security hole had been discovered in the Linux kernel which was already being actively exploited. This vulnerability has been dubbed "Dirty COW" because the exploit uses a race condition in the implementation of the copy-on-write mechanism. Although described as a local exploit, the bug can be exploited via web frameworks such as WordPress, so we consider this to be a critical remotely exploitable vulnerability.

DICE machines have been updated and rebooted to apply the fix. All users with self-managed machines MUST ensure their machines are running a kernel which is not exploitable via this vulnerability. All Linux distributions now have fixes available; see the "Dirty COW" website for details.

If you need advice or assistance with dealing with this issue please contact the Computing Team via our support form.


Virtual DICE

A new version of Virtual DICE is now available for download. (Here’s how to download it.) If you don’t know what Virtual DICE is, read on.

The managed Linux machines here in the School of Informatics run an environment which we call DICE. We use DICE on desktop computers and on servers, but we also make a VirtualBox virtual machine version of it, intended for personal machines. This virtual version is called Virtual DICE.

Twice a year we release a new version of Virtual DICE. The latest version, released on 2 November 2016, has the hostname priuli and this login screen:
[Image: Virtual DICE login screen]

If you have an earlier version of Virtual DICE, please export whatever files you want to keep (for example, copy them to your AFS home directory) then delete it and install the new version instead.

Because Virtual DICE is a virtual machine designed to be run on personal laptops and the like, it does not by default have a large amount of memory, file space or CPU cores, so it’s not useful for big, demanding computing applications. However, since it’s a virtual machine, you can change its hardware specification as you like, up to the limits imposed by your host machine.

To find out more read the Virtual DICE help pages.


Changes to DICE Password Policy

We have introduced a new password policy for DICE accounts:

http://computing.help.inf.ed.ac.uk/password-policy

The significant changes made to the previous policy are:

  • We now have a more flexible approach to the number of character
    classes required in any password – specifically, the longer the
    password, the fewer distinct character classes are required.

  • All password checking is now undertaken on the server-side – prior to
    these changes, we had a mixture of client and server side checks.
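As an added illustration (not the School's own code), here is a server-side check in which the number of required character classes falls as the password gets longer. The tier values in `TIERS` are hypothetical; the actual thresholds are those given on the password policy page.

```python
# Hypothetical tiers (minimum length, character classes required), longest first.
# These numbers are assumptions for illustration, not the DICE policy values.
TIERS = [(20, 1), (16, 2), (12, 3), (8, 4)]


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")  # punctuation, spaces, symbols, caseless letters
    return classes


def required_classes(length):
    """Classes required for a given length, or None if too short for any tier."""
    for min_len, needed in TIERS:
        if length >= min_len:
            return needed
    return None


def check_password(password):
    """Authoritative check run on the server; returns (accepted, reason)."""
    needed = required_classes(len(password))
    if needed is None:
        return False, "shorter than the minimum length of %d" % TIERS[-1][0]
    have = len(character_classes(password))
    if have < needed:
        return False, "length %d needs %d character classes, found %d" % (
            len(password), needed, have)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("abc", "correcthorse", "correcthorsebatterystaple"):
        print(candidate, check_password(candidate))
```

Running the check only on the server means a modified or out-of-date client cannot bypass it, and every client gets the same answer.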


IPv6

The “IPv6 investigation” project has made good progress since my previous post in January.  We have had global connectivity since February, and have been testing on a variety of subnets since then, including all of our “server” subnets, and most recently the “Appleton Tower” (including Forrest Hill and Wilkie) managed DICE desktop subnet.

We have seen few issues with these, so will be rolling IPv6 out to the Forum DICE subnet on Tuesday of next week (6th September).  All SL7 machines on that subnet will then acquire IPv6 addresses, which they will start to use, often in preference to their IPv4 addresses.  DNS entries will also be created for all of these machines.

(Servers are being given IPv6 addresses individually as their managers deem the services on them to be IPv6-ready, particularly as regards access control.)

Unfortunately we won’t be able to roll out IPv6 to self-managed machines for a while yet.  Many of our network switches are currently lacking some security features which are required before it would be safe to open these subnets to the variety of systems we have on them.  We had hoped that these switches would have been upgraded by now, but the process was blocked by IS’s ongoing EdLAN review.  We’ll post again once we’re in a position to begin IPv6 tests with self-managed machines.

Managed Windows desktops will also be IPv4-only for now.  We identified a few issues with these in testing, which we have passed back to IS for evaluation, and await their response.

The project’s working documentation, including useful links, can be found here.


SSH Server Upgrade

We need to upgrade the general access SSH server (schiff) to SL7. We plan to start this work at 9am on Tuesday 16th August. We expect the service to be unavailable for approximately 2 hours; we will send out another message when the work has been completed.

During the period of downtime an alternative SSH server – staff.ssh.inf.ed.ac.uk – will be available for those with permission to access that server (all staff and postgrad students).

If you have any queries regarding this please use the User Support form.
