Keep Safe

Recently we’ve been patching the DICE and Windows managed desktop computers to mitigate the Meltdown and Spectre attacks. We’ll continue to apply patches and fixes as they become available.

If you use any other sort of computer in Informatics, it’s up to you to keep it updated with the latest fixes. See meltdownattack.com for a comprehensive list of links to security advisories from affected companies.

It’s usually a good idea to configure the operating system to automatically install the latest recommended fixes. This Microsoft page explains how to configure automatic updates for Windows 10 and for Windows 7, and this Apple page explains how to do it for Macs. Linux distros have their own arrangements, but for example this Ubuntu page explains how to configure automatic updates. Phones should also be kept up to date.


groups.inf web server upgrade

The web server that hosts the groups.inf.ed.ac.uk web site (and various others) is one of the last to be upgraded to SL7. I had hoped to squeeze it in before the end of the year, but it will now happen on Friday January 12th 2018.

The groups.inf web server actually hosts multiple sites, the main ones being (groups|conferences|workshops).inf.ed.ac.uk, but see the complete list at the end of this post.

The upgrade will change the version of Apache from 2.2 to 2.4 and, as with the homepages upgrade, this may require some changes to .htaccess files if you use them. As these files will be accessed (at least for a short time) by both the SL6 Apache 2.2 and then the SL7 Apache 2.4 servers, you need to make the changes conditional on which server is parsing the file or you will get errors.

I’ve already searched for .htaccess files that could be affected, and edited them to use the new directives, e.g. if you had an .htaccess file that had:

  Order allow,deny
  Deny from all

Then it will now look like:

  <IfVersion < 2.4>
  Order allow,deny
  Deny from all
  </IfVersion>

  <IfVersion >= 2.4>
  require all denied
  </IfVersion>

  # neilbSL7

The # neilbSL7 is just a marker I used to record that I’d updated the file. For a list of changes when upgrading from Apache 2.2 to 2.4, see https://httpd.apache.org/docs/2.4/upgrading.html.

Other Changes

SSI expressions have also changed, but the old behaviour can be enabled with SSILegacyExprParser on in a suitable .htaccess file. I’ve actually made this the default for groups.inf to aid transition, but would like to turn it off at some point in the future.

The PHP version will also change from 5.3.3 to 5.4.16. Again, at some point in the future, I’d like to update that further to 5.6.

For anyone using Cosign access control, simply turning on Cosign with “CosignProtected on” is not enough to force authentication with Apache 2.4. You need the full:

  CosignProtected On
  AuthType Cosign
  Require user AAA BBB CCC

Also, “CosignAllowPublicAccess on” does not work as it did before. If you have it set on and then try to do a “require valid-user” (or similar) you will get a server error because of the conflicting instructions. So for sections that were “Allow public access on”, you’ll either have to not enable authentication at all, or be happy to turn off public access and force authentication.
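An added example, not part of the original post or the server's own tooling: a Python check for the .htaccess problems described above, namely 2.2 access directives left outside a "< 2.4" version guard and the two Cosign cases. The function name, the messages and the sample files are constructed for illustration.

```python
import re

# Apache 2.2 access-control directives that Require replaces in 2.4.
LEGACY = re.compile(r"(order|allow\s+from|deny\s+from|satisfy)\b", re.I)

def audit_htaccess(text):
    """Return [(line_number, message)] for one .htaccess file's contents."""
    findings, guards, seen = [], [], {}
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<IfVersion\s+(.+?)\s*>$", line, re.I)
        if opened:
            guards.append(opened.group(1))      # e.g. "< 2.4" or ">= 2.4"
            continue
        if re.match(r"</IfVersion\s*>$", line, re.I):
            del guards[-1:]                     # tolerate a stray closing tag
            continue
        # A 2.2 directive is safe only inside a "less than" version guard.
        if LEGACY.match(line) and not (guards and guards[-1].startswith("<")):
            findings.append((num, "2.2 access directive not guarded by <IfVersion < 2.4>"))
        name, arg = (line.lower().split(None, 1) + [""])[:2]
        if name == "require" and arg.startswith("all "):
            continue                            # "Require all ..." names no user
        seen[name] = (num, arg)
    cosign = seen.get("cosignprotected", (0, ""))
    if cosign[1] == "on":
        if seen.get("authtype", (0, ""))[1] != "cosign" or "require" not in seen:
            findings.append((cosign[0], "CosignProtected On without AuthType Cosign and Require"))
    public = seen.get("cosignallowpublicaccess", (0, ""))
    if public[1] == "on" and "require" in seen:
        findings.append((public[0], "CosignAllowPublicAccess on conflicts with Require"))
    return findings

# Constructed sample files, not taken from the groups.inf server.
UNCONVERTED = "Order allow,deny\nDeny from all\nCosignProtected On\n"
CONVERTED = """<IfVersion < 2.4>
Order allow,deny
Deny from all
</IfVersion>
<IfVersion >= 2.4>
require all denied
</IfVersion>
CosignProtected On
AuthType Cosign
Require user AAA BBB CCC
"""
```

Calling audit_htaccess(UNCONVERTED) reports lines 1 to 3, while the converted file comes back with no findings.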

Testing

Where I can, I’ve created temporary “sl7” URLs to the various .inf.ed.ac.uk sites (listed below) so you can test your site on the new server ahead of the upgrade. There is just an extra “.sl7” in front of the existing “.inf.ed.ac.uk” part of the URL, e.g. http://groups.inf.ed.ac.uk/ becomes http://groups.sl7.inf.ed.ac.uk/

For sites whose DNS is not within inf.ed.ac.uk, there are no test URLs. If the owners want to contact me ahead of the switch, I can probably arrange a temporary URL to try things on. Best to do that via the support form.

Previous upgrades of web servers from SL6 to SL7 have been fairly uneventful, so hopefully this upgrade will be equally smooth.

Neil

List of all web sites hosted on the groups.inf server

aicat.inf.ed.ac.uk
carma.inf.ed.ac.uk
www.cav2005.inf.ed.ac.uk
compucast.inf.ed.ac.uk
conferences.inf.ed.ac.uk
cybersecpriv.inf.ed.ac.uk
data.cstr.inf.ed.ac.uk data.cstr.ed.ac.uk
dbibd-05.inf.ed.ac.uk
devproj.inf.ed.ac.uk
www.etaps05.inf.ed.ac.uk
events.inf.ed.ac.uk
groups.inf.ed.ac.uk ease.groups.inf.ed.ac.uk
hoppers.inf.ed.ac.uk
www.icdt2005.inf.ed.ac.uk
www.ilsi.inf.ed.ac.uk
infcricket.inf.ed.ac.uk
isoc.inf.ed.ac.uk
media.inf.ed.ac.uk
mipc.inf.ed.ac.uk
newbuildpics.inf.ed.ac.uk
progclub.inf.ed.ac.uk
proofgeneral.inf.ed.ac.uk
rad.inf.ed.ac.uk
ref2014.inf.ed.ac.uk
ref2020.inf.ed.ac.uk
robotperception.inf.ed.ac.uk
secpriv.inf.ed.ac.uk
select.inf.ed.ac.uk
touchscreens.inf.ed.ac.uk
uitp05.inf.ed.ac.uk
valkyrie.inf.ed.ac.uk
waim-05.inf.ed.ac.uk
workshops.inf.ed.ac.uk
# There are .sl7.inf.ed.ac.uk test URLs for all the sites above here
# but not for the following
inspace.ed.ac.uk
history.dcs.ed.ac.uk
www.enhance-project.org
www.gaussianprocess.org
www.hscma2011.org
pact2013.pactconf.org
www.mgb-challenge.org
www.neurogems.org


Looking up DICE user/group information

Users of DICE machines may have noticed that system utilities such as
getent and finger are no longer returning a full list of Informatics users.

We use sssd (System Security Service Daemon) on DICE to cache LDAP
data, such as user and group information. For finger to work with
anything other than usernames, it requires the sssd “enumerate”
option. This enumerates, and caches, the entire LDAP user and group
directory locally. The man page (sssd.conf(5)) recommends against
doing this, “especially in large environments” (although it doesn’t
specify what “large” is). This has always worked for us, and so we
have enabled this option previously.

The version of sssd on Scientific Linux 7.3 has unfortunately proved
unreliable with enumerate enabled, to the extent of rendering a
machine unusable. Subsequent releases and proposed bug-fixes have not
effectively resolved the problem and so we have had to disable
enumerate across DICE machines.

We have produced some local utilities to help replace the lost
functionality caused by the system changes described above.

finger-dice is a wrapper utility around the system finger command and
can be used to find out details about users given only part of their
name (e.g. surname).

getent-dice database (where database is one of passwd, group,
netgroup) will produce a full list, although note that it does not
return information on system users or groups.

dice-user-info is a general utility for finding out contact
information for people in Informatics. It takes a single argument and
matches against name, location and telephone number.

All of these utilities have man pages.


Cloud Printing for the Forum

Cloud based printing is becoming more and more widespread across the University. Instead of needing to remember the queue name of the nearest printer, jobs are sent to a single cloud queue (to be strictly accurate, there are in fact two queues, one for mono jobs and one for colour) and can then be collected from a wide range of cloud enabled printers located in most parts of the University estate. The user simply taps their University ID card on the reader of a cloud printer and is presented with a list of the jobs in the cloud print queues belonging to the user. One or more jobs can then be selected for printing.

Cloud based printing provides benefits both for the user and for the School. As mentioned above, users can print out their jobs at (with a very few exceptions) any cloud printer in the University including those located in the libraries, in other Schools, in the School levels and concourse of Appleton Tower and in other public areas. Flexibility is a further benefit; should the user, on going to a printer to print out their job, find that it is in the middle of a multi-hundred page photocopy session, they can simply walk a little further to one of the other printers in the building and collect their printout there.

For the School, the benefit comes in cost savings. Jobs are only printed out when the user presents their University ID card to the reader on a cloud printer thus avoiding the drifts of uncollected printouts which currently gather around the School’s printers. Jobs which are not printed within 24 hours are automatically deleted from the queues.

Another advantage is that cloud printing is more secure. Since jobs are only printed when the user is present at the printer, there is no danger of sensitive material being seen by others as it sits in the out-tray awaiting collection.

Cloud queues are charged queues. Every user account in the University has a print credit balance associated with it and every time a job is printed on a cloud device, the appropriate amount is debited from the user’s balance. Charging only occurs when the job is actually printed off so jobs which are deleted after 24 hours do not incur a charge.

Informatics staff and research students are not currently charged for printing and there are no plans for this to change; a central mechanism is in place by which print credit is automatically topped up every week and it is intended to implement this for Informatics staff and research students.

After a trial deployment in Forrest Hill last year, all printers on the School’s floors in Appleton Tower are now cloud devices and this is working well. It makes sense for all the School’s printers to be cloud enabled and it is proposed to introduce cloud based printing in the Forum by the end of the year. Any comments you might have on this proposal would be welcome.


Virtual DICE – new version

We’re pleased to announce a new version of Virtual DICE for the 2017-18 session. Here’s how to download it. If you don’t know what Virtual DICE is, read on.

The managed Linux machines here in the School of Informatics run an environment which we call DICE. It’s based on Linux. We use DICE on desktop computers and on servers, but we also make a VirtualBox virtual machine version of it, intended for personal machines. This virtual version is called Virtual DICE.

Twice a year we release a new version of Virtual DICE. The latest version, released on 4 October 2017, has the hostname rezzonico and this login screen:
[Image: Virtual DICE rezzonico login screen]

If you have an earlier version of Virtual DICE, please export whatever files you want to keep (for example, copy them to your AFS home directory) then delete it and install the new rezzonico version instead.

Because Virtual DICE is a virtual machine designed to be run on personal laptops and the like, it does not by default have a large amount of memory, file space or CPU cores, so it’s not useful for big, demanding computing applications. However, since it’s a virtual machine, you can change its hardware specification as you like, up to the limits imposed by your host machine.

You also get root access, so you can reconfigure Virtual DICE as you like.

To find out more read the Virtual DICE help pages.


Lecture Recording – MediaHopper Replay

The new lecture recording facility, MediaHopper Replay, is now live (as of 5th September) and by the start of teaching, the service will be available in 114 teaching spaces.

Further details can be found on the IS page which includes a link to help and support web pages. There are still training sessions available and we would strongly recommend that you go along. Drop-in sessions for staff who would like to try out ad-hoc recording will start on 11th September.

All lectures in semester 1 where recording has been requested will be set up in Learn and set to record automatically before week 1.


Software Collections

The standard versions of various developer tools provided as part of a Scientific Linux release (e.g. SL6 or SL7) can become quite old. To gain access to newer versions, various software collections can be added to a system.

Red Hat summarises the software collections as: “For certain applications, more recent versions of some software components are often needed in order to use their latest new features. Red Hat Software Collections is a Red Hat offering that provides a set of dynamic programming languages, database servers, and various related packages that are either more recent than their equivalent versions included in the base Red Hat Enterprise Linux system, or are available for this system for the first time.”

We have recently updated the available software collections for DICE and can now provide the following:

devtoolset-6: gcc 6.2.1
rh-git29: git 2.9.3
rh-php70: PHP 7.0.10
rh-php56: PHP 5.6.25
php55: PHP 5.5.21
rh-ruby24: ruby 2.4.0
rh-python35: python 3.5.1

Note that, due to the way software collections work, the newer PHP versions cannot be used alongside the standard system version (5.4.16) in web servers; this means we do not provide them on any of the main Informatics web servers.

For further information see our Computing Help page. Currently only the devtoolset, php55 and rh-python35 are installed by default; others are available upon request. Please contact the Computing Team via our Support Form.


Self-managed server room – planned power outage

Good news! We are extending the Forum self-managed server room facility by adding three brand new racks in a nearby room.

Bad news! To arrange the necessary power feeds to the new room, we will need to completely switch off the power to the existing self-managed server room for a short period next week.

The necessary electrical work is planned to start on Monday 3rd July 2017, and should then finish on Wednesday 5th July. Sometime during this period (most likely on the Wednesday, we think), there will be a necessary power-off of around 2 to 3 hours, to allow for final connections and testing.

Users of the self-managed server room have already been notified about this via the ‘self-managed server room mailing list’ (see our Self-managed server room help page if you’re not aware of the existence of that); we’ll keep you updated via the same list.

The end result will be worth it – but we apologize for the temporary inconvenience.

As usual: if you have questions about this, please contact us via our User Support form.


Staff NX server reboot

We need to reboot the staff NX server (jubilee) to upgrade it to SL7.3. We plan to start this work at 9am on Thursday 29th June; we expect the service to be unavailable for approximately 1 hour.

During the period of downtime the alternative NX server – nx.inf.ed.ac.uk – will be available.

If you have any queries regarding this please use the User Support form.


ScientificLinux 7.3 upgrade

The 3rd minor update to ScientificLinux 7 (which is based on RHEL7) is now ready for deployment to the Informatics SL7 DICE office and student lab machines. A minor update like this provides us with the opportunity to update important software and fix any bugs which are not security issues (we apply security updates as soon as they are available) in a controlled manner.

To complete this upgrade a reboot is required. Lab machines will reboot overnight Wednesday/Thursday; for office desktops a delayed reboot will be scheduled. The delay will be 5 days. Although the reboots are delayed, it would be greatly appreciated if people could manually reboot their machines at their earliest convenience; the delayed reboot would then be cancelled. Upgrades for individual servers will be scheduled over the next few weeks and users affected will be contacted as necessary.

SL7.3 was released on January 25th 2017 and since then it has been thoroughly tested in our DICE environment so we are confident that this update will not cause any issues for users.

Full details of the package updates are available on the LCFG wiki. For further, in-depth information, there are also release notes from ScientificLinux and Red Hat.

If you have any questions or problems with the upgrade please contact our User Support team using the support form.
