It’s now more than three years since we implemented IPv6 for the School’s managed Linux (DICE) desktops and servers, and in that time we have seen very few issues which were specifically related to IPv6. We were not, unfortunately, able to roll it out to the “self-managed” subnets at that time, for a few reasons, but we now believe it is time to give it a try there too.
So, on Tuesday 19th November we will be enabling IPv6 for the “DHCP” subnet. (Specifically, we will start sending out Router Advertisements, which will cause any IPv6-aware machine on the subnet to configure itself automatically with at least one IPv6 address.) If there are significant problems we can easily and quickly back the change out again. Note that no DNS entries will be added for machines on this subnet.
All being well, we would then propose turning on IPv6 for the self-managed server wires SM164 and SM197 some time in the new year. There are a couple of reasons for this: it will allow you to gain IPv6 experience with machines on the DHCP subnet in advance; and, more particularly, it will give you time to ensure that any access controls you have in place are correct for IPv6 as well as IPv4. We’ll post more details nearer the time.
Our IPv6 deployment project’s final report is here, and the project’s home page has links to sundry IPv6 resources.
In order to minimise the risk to computing facilities during the strike action there will be a ‘change freeze’ for those computing systems managed by the School’s computing staff: the University’s Information Services are implementing a similar ‘change freeze’. This ‘change freeze’ is being extended to cover the online class exams on Thursday 5th, Friday 6th and Tuesday 10th December.
The combined ‘change freeze’ will be effective from noon on Thursday 21st November to noon on Tuesday 10th December (or the end of the industrial action).
Obviously there may be some business critical changes required – these will be referred to CEG (Computing Executive Group) for approval. Should all CEG members be on strike (or otherwise unavailable), the Director of Professional Services (Joy Candlish) will be consulted to determine the business criticality of any proposed change. She may choose to confer with others.
I hope that you understand and support my reasoning behind introducing this freeze.
Alastair Scobie (Head of Computing)
For security reasons we are reviewing our use of user authored CGI scripts that are currently running on our web services.
Those CGIs that run as the author, such as those on homepages.inf.ed.ac.uk and sweb.inf.ed.ac.uk, are not under review at the moment, but other CGIs that run as the web server daemon are.
The main services this affects are CGIs on www.inf.ed.ac.uk and those on groups.inf.ed.ac.uk.
In the first instance we’ve looked at the accesses of all CGIs on www.inf.ed.ac.uk, and if a CGI has not been accessed in the last 6 months, we no longer serve it from the web server. There is also a default deny for any new CGIs added to www.inf, so those that have access to the CGI area of www.inf will need to ask computing staff to enable serving of any new CGI. At this point we’ll want to review its contents, and discuss how accessible it needs to be, e.g. do you expect only current students and staff to access it.
We’ll then start security reviewing the remaining active CGIs, and contacting authors/owners where appropriate.
This is only the beginning of a longer process, and we’ll start looking at CGIs on groups.inf.ed.ac.uk next.
If you have any old CGIs that are nolonger used, then removing them will help us with our review, and increase the security of the Informatics services.
We’ve been using OpenAFS as the School’s network file system (i.e. the thing that lets you access your DICE home directory and research group space on pretty much any machine from pretty much anywhere in the world) for the best part of 15 years. That’s a awfully long time in the fast moving world of computing and so one of the development projects I have on my plate at the moment is to look into whether OpenAFS is still the most appropriate fit to the School’s needs.
From my ivory tower, I can draw up a long list of filesystem features and capabilities which I think might be desirable but at the end of the day, what’s useful and what’s unnecessary can only be determined by you, the end user.
So please take a few moments to let me know what you think about the existing School network filesystem. Tell me about what you like about it, what you dislike about it and missing features you would like to see in a replacement. There’s no guarantee that any requests can be met but at least they can be taken into account. You can make your opinions heard by leaving a comment after this article or emailing me at
cms @ inf.ed.ac.uk
Remember, it’s the School’s network file system I’m interested in, your DICE home directory and research group space stored on the School’s file servers and accessed via a pathname beginning /afs/inf.ed.ac.uk/…. I’m not concerned at the moment with any centrally provided file space or data stored on self-managed machines.
I look forward to hearing from you!
We’ve updated Virtual DICE! Both “little” and “large” VMs have been updated.
There are two changes compared to last month’s release:
- VirtualBox Guest Additions has been updated to a much newer version, so the Virtual DICE VM should now be better integrated with the rest of your computer environment. For example, the focus will be more likely to follow the mouse – the VM should no longer capture your mouse and keyboard by default.
- DICE changes since September are included in the latest Virtual DICE releases.
You can find out more at:
If you have any problems with the new version please contact us using the computing support form. Thanks.
We advise waiting a while before updating your Mac to the new macOS version, Catalina, for two reasons: firstly it has bugs, which Apple is steadily fixing; secondly it introduces a security system which is causing problems for software which hasn’t been adapted to deal with it. At the time of writing, VirtualBox is an example. For more details, and some helpful links, see our computing.help page on macOS releases.
A new version of Virtual DICE is out – in fact, two new versions! They have the software for the 2019-20 session. Virtual DICE is the lightweight DICE-like virtual machine which you can install and run on your own computer. Here’s how to get it.
We release a new version of Virtual DICE twice a year. This time we’ve made two versions called little and large. Software on Virtual DICE explains why.
If you have an earlier version of Virtual DICE you should upgrade to the new version. To do that, make backup copies of whatever files you want to keep (for example, copy them to your AFS home directory – and here’s how to access AFS from Virtual DICE) then shut down and delete your Virtual DICE version, then install the new version instead.
To find out more read the Virtual DICE help pages.
The new OpenVPN configuration files which we have been beta-testing for the last month or so have now gone live, and our computing.help pages have been updated.
These configuration files are intended to have essentially the same effect as the previous ones. The only difference is that some configuration statements have been updated in line with the syntax expected by newer OpenVPN versions. If the configuration files you currently use work then there is no particular reason to install the new ones immediately, other than that IPv6 is now enabled through the tunnel. However, you may want to do so anyway, in case an upgrade to your machine results in the old ones no longer being accepted and you lose OpenVPN access at an inconvenient time.
We have changed the naming of the new files, partly so that the intended behaviour is clearer, and partly so that the new ones can be installed alongside the old ones. The new structure is explained in the README that goes with the configuration files.
We have also introduced the ability to have a separate “/ovpn” secondary identity, for those users who find it uncomfortable having their mobile devices remembering their DICE password. This identity provides OpenVPN access only; it does not allow access to any other Informatics services. If you would like to make use of this feature, please contact us through the support form in the usual way.
On Monday 19th August we will replace the SSH server named “hare” which hosts staff.ssh.inf.ed.ac.uk with a machine named “steen”.
All that will happen is that at about 08:00 on Monday we will change the DNS alias to point to the new machine. This change can take some time to propagate so we will not switch off access to hare immediately. It will be left running as normal until 12:00 Thursday 22nd August. This should allow sufficient time for users logged in to finish their existing sessions and move to the new server.
The IP address for the service will change from 184.108.40.206 to 220.127.116.11, your SSH client may warn you about this change and request verification. For reference the new SHA256 host key fingerprints are:
- RSA –
- ECDSA –
- ED25519 –
More information regarding the SSH service can be found on our help pages. If you encounter any problems accessing the SSH service please contact us via the Support Form.
Several people have opened support tickets recently asking about warning messages being produced by OpenVPN when connecting to Informatics. The reason for these warnings has been that the configuration syntax has gradually changed over time to accommodate new features, and the form we have in our configuration files is now deprecated and will be removed in new versions.
We have, therefore, been revising our configuration files to take account of these changes, and the new versions are now available for beta-testing. If you would like to do so you can download them from here, or by AFS from
/afs/inf.ed.ac.uk/group/inf-unit/OpenVPN/NewConfig/. Please select the versions appropriate for the platform you are using. For iOS (and perhaps also Android) a simple alternative approach is to email the configuration files to yourself as attachments, though you may have to adjust the MIME type to have your mail client recognise them as OpenVPN configuration files.
The format of the files’ names has been changed slightly to make it clearer what each file actually does. It’s now
where “routes” is one of “EdLAN” (which sends EdLAN addresses through the tunnel), “InfNets” (which sends a selection of Informatics addresses through the tunnel) or “AllNets” (which sends everything through the tunnel), and “site” is one of “Forum” or “AT”. (There are two additional sites, “DR” or “DEV”, which are for test and development of the service only. Please just ignore these.) This also allows the new files to be installed alongside the old one, to simplify testing.
All feedback welcome. Please send your comments using the support form in the usual way.