Change Freeze during strike action from 23rd February 2018 to 21st March 2018

In order to minimize the risk to computing facilities during the strike action there will be a ‘change freeze’ for those computing systems managed by the School’s computing staff. This will be effective from Friday 23rd February to Wednesday 21st March (or the end of the industrial action).

Obviously there may be some business critical changes required – these will be referred to CEG (Computing Executive Group) for approval. Should all CEG members be on strike (or otherwise unavailable), Martin Wright will be consulted to determine the business criticality of any proposed change. He may chose to confer with others.

I hope that you understand and support my reasoning behind introducing this freeze.

Alastair Scobie (Head of Computing)

Posted in Uncategorized | Leave a comment

Cloud Printing in Informatics – an Update.

Last year I wrote an article extolling the virtues of cloud based printing and announcing the intention to extend the use of cloud printing to those parts of Informatics where it was not already available. With one or two exceptions, this proposal was greeted with some enthusiasm and so over the next few weeks, the Xerox Multi Function Devices in the North East corners of the Forum and the Wilkie Building kitchen area will become cloud enabled. One part of the proposal that caused some dismay was the prospect of only having one printer on each floor of the Forum and so it’s been decided to locate A4 mono cloud devices in the South West corners of each Forum floor and in the ground floor reception area. These devices can also act as mono photocopiers and colour scanners.

For the moment the existing print queue names will continue to work but the intention is to disable these queues on the 1st of March and only have cloud queues within Informatics.

The one exception to this is for printers in admin offices. Though the introduction of cloud printing removes the need for these devices, the intention is for them to remain, at least until they irretrievably break down! These printers will continue to use their existing queue names since they can’t be cloud enabled.

Since the cloud print queues need to associate print jobs with your University UUN, the printing setup on non-DICE machines may need some adjustment. Full instructions on how to do this will be provided on before the switch over. Arrangements to provide Informatics staff and research students with a suitable amount of free print quota will also be in place by then.

If you have any questions, please leave a comment.

UPDATE: We’ve agreed to delay turning off the existing print queues until after the end of the current semester. This will afford you all an opportunity to compare both printing methods side by side, though you may of course find yourself waiting for your cloud print job while a job sent straight to the printer prints out!

Posted in Uncategorized | 12 Comments

Forum network switch upgrade

We will soon be replacing all existing 100 Mb/s network switches in all of the Informatics Forum IT closets with new 1Gb/s switches.

There are 17 IT closets in the Forum, each of which provides networking connectivity to its nearby offices. Typically, each closet contains three or four 100 Mb/s switches – so there is a lot of work to be done, and the entire programme will take some time.

We will be doing this upgrade one closet at a time, and we will make announcements via email to let you know when any particular closet is being worked on.

The switch replacement means that network connectivity will be temporarily lost for machines which are served by 100 Mb/s switches in the closet being upgraded. Typically, this means that network connectivity will be temporarily lost for machines attached to either the blue or red network cables which appear on desks in the Forum. Network connectivity should never be lost for machines attached to the grey cables on desks: those are already connected to 1Gb/s switches.

The end result of this work will be that all wired network connections in the Forum will run at 1Gb/s – the only remaining 100 Mb/s connections will be those used for the VoIP telephones.

The new switches also give other advantages: amongst other things, they allow us to implement better network security, and they allow us to implement IPv6 on all Forum subnets.

We apologise in advance for any disruption this work will cause, and thank you for your patience.

Posted in Service Update | Leave a comment

Forum UPS work on Saturday 3rd

The Forum server rooms are covered by a pair of Uninterruptible Power Supplies (UPSes), one of which has developed a fault in its interface to the outside world.  As a result we can neither query its status, nor expect it to signal machines to shut down when the power goes off.

UPS Repair Man came on schedule on Saturday 3rd. He turned the faulty unit off, took it apart, and put some new cards in it. Unfortunately he then struggled for the rest of the day trying to get one of those new cards to recognise the specific model of UPS we have. As a result, he couldn’t start the unit up with those new cards, so he eventually stripped them all back out again, replaced the old ones, and brought the faulty unit back up in the same (faulty) state as before. He’s off to consult his base now.

On the minus side, we’ll have to go through some of this again once they get an idea of what to do next. On the plus side, turning the faulty unit off didn’t appear to cause any problem for the working one (other than to have it flash a fault light, which is apparently a firmware bug!), so we may be able to do the process on a normal day next time assuming we can find enough load to shed.

Posted in Uncategorized | Leave a comment

Virtual DICE updated

There’s a new version of Virtual DICE, our lightweight DICE-like virtual machine. Here’s how to install it on your own computer.

We release a new version of Virtual DICE twice a year. This version has the hostname sensa. It runs Scientific Linux 7.4, as DICE machines do. This version works better with Windows 10.

To move from an earlier version of Virtual DICE, please export whatever files you want to keep (for example, copy them to your AFS home directory) then delete it and install the new sensa version instead.

To find out more read the Virtual DICE help pages.

Posted in Uncategorized | Tagged | Leave a comment

Suspension of inactive DICE accounts

As a measure to increase the overall security of our systems, we will shortly be introducing a policy where DICE accounts are suspended if they are inactive for 180 days. Please see here for details:

If you have any questions concerning this, please contact support in the usual way.

Posted in Uncategorized | Leave a comment

Keep Safe

Recently we’ve been patching the DICE and Windows managed desktop computers to mitigate the Meltdown and Spectre attacks. We’ll continue to apply patches and fixes as they become available.

If you use any other sort of computer in Informatics, it’s up to you to keep it updated with the latest fixes. See for a comprehensive list of links to security advisories from affected companies.

It’s usually a good idea to configure the operating system to automatically install the latest recommended fixes. This Microsoft page explains how to configure automatic updates for Windows 10 and for Windows 7, and this Apple page explains how to do it for Macs. Linux distros have their own arrangements, but for example this Ubuntu page explains how to configure automatic updates. Phones should also be kept up to date.

Posted in Uncategorized | Leave a comment

groups.inf web server upgrade

The web server that hosts the web site (and various others) is one of the last to be upgraded to SL7. I had hoped to squeeze it in before the end of the year, but it will now happen on Friday January 12th 2018.

The groups.inf web server actually hosts multiple sites, the main ones being (groups|conferences|workshops), but see the complete list at the end of this post.

The upgrade will change the version of Apache from 2.2 to 2.4 and, as with the homepages upgrade, this may require some changes to .htaccess files if you use them. As these files will be accessed (at least for a short time) by both the SL6 Apache 2.2 and then SL7 Apache 2.4 servers, then you need make the changes conditional on which server is
parsing the file or you will get errors.

I’ve already searched for .htaccess files that could be affected, and edited them to use the new directives, eg if you had an .htaccess file that had:

Order allow,deny
Deny from all

Then it will now look like:

<IfVersion < 2.4>
Order allow,deny
Deny from all

<IfVersion >= 2.4>
require all denied

# neilbSL7

The # neilbSL7 is just a marker I used to record that I’d updated the file. For a list of changes when upgrading from Apache 2.2 to 2.4, see

Other Changes

SSI expressions have also changed, but the old behaviour can be enabled with SSILegacyExprParser on in a suitable .htaccess file. I’ve actually made this the default for groups.inf to aid transition, but would like to turn it off at some point in the future.

The PHP version will also change from 5.3.3 to 5.4.16. Again, at some point in the future, I’d like to update that further to 5.6.

For anyone using Cosign access control, then simply turning on Cosign with “CosignProtected on” is not enough to force authentication with Apache 2.4. You need the full:

  CosignProtected On
  AuthType Cosign
  Require user AAA BBB CCC

Also “CosignAllowPublicAccess on”, does not work as it did before. If you have it set on and then try to do a “require valid-user” (or similar) you will get a server error because of the conflicting instructions. So sections that were “Allow public access on”, you’ll just have to not enable authentication at all, or be happy to turn off public access, and force authentication.


Where I can, I’ve created temporary “sl7” URLs to the various sites (listed below) so you can test your site on the new server ahead of the upgrade. There is just an extra “.sl7” in front of the existing “” part of the URL eg becomes

For sites who’s DNS is not within, there are no test URLs. If the owners want to contact me ahead of the switch, I can probably arrange a temporary URL to try things on. Best to do that via the support form.

Previous upgrades of web servers from SL6 to SL7 have been fairly uneventful, so hopefully this upgrade will be equally smooth.


List of all web sites hosted on the groups.inf server
# There are test URLs for all the sites above here
# but not for the following

Posted in Service Update | 1 Comment

Looking up DICE user/group information

Users of DICE machines may have noticed that system utilities such as
getent and finger are no longer returning a full list of Informatics users.

We use sssd (System Security Service Daemon) on DICE to cache LDAP
data, such as user and group information. For finger to work with
anything other than usernames, it requires the sssd “enumerate”
option. This enumerates, and caches, the entire LDAP user and group
directory locally. The man page (sssd.conf(5)) recommends against
doing this, “especially in large environments” (although it doesn’t
specify what “large” is). This has always worked for us, and so we
have enabled this option previously.

The version of sssd on Scientific Linux 7.3 has unfortunately proved
unreliable with enumerate enabled, to the extent of rendering a
machine unusable. Subsequent releases and proposed bug-fixes have not
effectively resolved the problem and so we have had to disable
enumerate across DICE machines.

We have produced some local utilities to help replace the lost
functionality caused by the system changes described above.

finger-dice is a wrapper utility around the system finger command and
can be used to find out details about users given only part of their
name (e.g. surname).

getent-dice database (where database is one of passwd, group,
netgroup) will produce a full list, although note that it does not
return information on system users or groups.

dice-user-info is a general utility for finding out contact
information for people in Informatics. It takes a single argument and
matches against name, location and telephone number.

All of these utilities have man pages.

Posted in Uncategorized | 5 Comments

Cloud Printing for the Forum

Cloud based printing is becoming more and more widespread across the University. Instead of needing to remember the queue name of the nearest printer, jobs are sent to a single cloud queue (to be strictly accurate, there are in fact two queues, one for mono jobs and one for colour) and can then be collected from a wide range of cloud enabled printers located in most parts of the University estate. The user simply taps their University ID card on the reader of a cloud printer and is presented with a list of the jobs in the cloud print queues belonging to the user. One or more jobs can them be selected for printing.

Cloud based printing provides benefits both for the user and for the School. As mentioned above, users can print out their jobs at (with a very few exceptions) any cloud printer in the University including those located in the libraries, in other Schools, in the School levels and concourse of Appleton Tower and in other public areas. Flexibility is a further benefit; should the user, on going to a printer to print out their job, find that it is in the middle of a multi-hundred page photocopy session, they can simply walk a little further to one of the other printers in the building and collect their printout there.

For the School, the benefit comes in cost savings. Jobs are only printed out when the user presents their University ID card to the reader on a cloud printer thus avoiding the drifts of uncollected printouts which currently gather around the School’s printers. Jobs which are not printed within 24 hours are automatically deleted from the queues.

Another advantage is that cloud printing is more secure. Since jobs are only printed when the user is present at the printer, there is no danger of sensitive material being seen by others as it sits in the out-tray awaiting collection.

Cloud queues are charged queues. Every user account in the University has a print credit balance associated with it and every time a job is printed on a cloud device, the appropriate amount is debited from the user’s balance. Charging only occurs when the job is actually printed off so jobs which are deleted after 24 hours do not incur a charge.

Informatics staff and research students are not currently charged for printing and there are no plans for this to change; a central mechanism is in place by which print credit is automatically topped up every week and it is intended to implement this for Informatics staff and research students.

After a trial deployment in Forrest Hill last year, all printers on the School’s floors in Appleton Tower are now cloud devices and this is working well. It makes sense for all the School’s printers to be cloud enabled and it is proposed to introduce cloud based printing in the Forum by the end of the year. Any comments you might have on this proposal would be welcome.

Posted in Uncategorized | 9 Comments