IPv6 and self-managed servers

We’ve had IPv6 enabled on the “self-managed server” subnets (164 and 197) for quite a while now, and mostly it has been trouble-free.  Recently, however, we’ve had reports of login slowness to some self-managed servers following a system upgrade.

What we expect to happen is that your machine will automatically set its IPv6 address based on its ether MAC address, together with the prefix that our routers multicast every few seconds (a “SLAAC address”).  We have that MAC address registered in our host-configuration system, so we can create DNS forward and reverse entries using it, with the result that you can refer to your machine by name and the IPv4 or IPv6 address will be used as appropriate.  What seems to have happened is that these upgrades have somehow enabled IPv6 “privacy” addresses instead.

Privacy addresses are a good idea for a laptop which is roaming, as they mean that you can’t be tracked based on the fixed (“IID”) part of your IPv6 address.  However, they make little sense for a server, which is not expected to move around, but is expected to be contactable by its clients.  Ideally you would fix your login slowness by turning these privacy addresses off again, but unfortunately we haven’t yet got a relable set of instructions for doing so.

As a workaround while we find out how to turn off privacy addresses cleanly, what we propose is this: we will leave IPv6 enabled on the subnets, as we know there has been a demand for it; and we will change our DNS configuration so that we generate reverse entries for the IPv6 addresses we expect you to have, but we will stop generating the forward entries by default, so that when a client asks for your machine’s address it won’t be told the IPv6 one that isn’t working in quite a few cases.

On request (send in a support ticket in the usual way) we can easily re-enable those forward entries on a per-host basis, so if you want your machine to be contactable by its clients using IPv6 then that’s no problem.  On the other hand, if you don’t want it to be, or you don’t mind either way, then you don’t need to do anything.

We propose making this change on Monday (27th) at lunch time.  Once we do have a reliable set of instructions we’ll let you know and revert to the current setup.

Posted in Uncategorized | Leave a comment

Printing changes reminder

Back in November 2020 we announced a change to the cloud printing service at Informatics. Unsurprisingly this was probably of little interest to most people as they worked from home during lockdown. Now that people are returning to the Informatics buildings, this is a quick reminder of what happened.

We are still using the University’s “cloud” based printing service, but it is now called EdPrint. The idea is the same, you send your print jobs to a virtual printer (EdPrint or EdPrintPull), but it doesn’t actually print out until you visit any EdPrint configured printer, tap/swipe your staff or student card on the reader by the printer, at which point you can “release” the print jobs you sent previously to be printed at this printer.

Similarly, if you want to scan or copy things at the printer, you need to first swipe in to access those functions.

Not all physical printers have the same capabilities, not all printers are colour, and some support A3 size paper, others are only A4.

The EdPrint system will determine if your print job is colour or mono, and you will be charged appropriately if using a colour printer. At the point you release your colour jobs on a colour printer, you can choose to print in greyscale to save toner and money.

Printing from devices

University managed Windows PCs and DICE linux machines are already configured with “EdPrintPull” and “edprint” respectively. If you are using a self-managed Mac, Windows PC, Linux, or mobile device, then the Information Services (IS) web pages have information on how to install and use EdPrint on those:

which they tend to refer to as “MobilityPrint”.

Our own computing.help.inf.ed.ac.uk/printing pages contain links to these IS pages.

Further Changes

Also mentioned in July’s Newsletter and this blog post, we are also removing the less used printers, to be redeployed elsewhere in the University. Ultimately this will mean the mono A4 printers some of which have already gone, and others will do so over time.

Neil

Posted in Information, Service Update | Leave a comment

How to avoid the remote.inf.ed.ac.uk downtime

Updated (26/08/21): this work is complete.

This is about downtime for the remote desktop service, and how you can carry on using the service while your usual server is not available.

What’s remote.inf.ed.ac.uk?

The remote desktop service gives you a remote DICE graphical session when you connect to username.remote.inf.ed.ac.uk, where username stands for your own DICE username. (For a more detailed reminder, see the remote desktop help pages.)

It’s provided by several servers, and those servers now need to be updated to keep them secure and working well. While we’re updating a server, it will not be possible to use it; and the updates may take a whole day.

When?

  • cittern, dulcimer and lute will be down on Monday 23 August.
  • cittern, guitar, theorbo and zither will be down on Thursday 26 August.

Which server do I normally use?

At a DICE command prompt, type the command: host username.remote
where username is your own DICE username. The first line of the output has the name of your usual remote desktop server. For example:
cc.remote.inf.ed.ac.uk is an alias for lute.inf.ed.ac.uk.
To get a DICE command prompt, open a terminal window.

How to avoid the downtime

On the day your usual server will be down, use the address temp.xrdp.inf.ed.ac.uk instead.
If you’ve forgotten how to configure your remote desktop software for a new host, see the remote desktop help pages.
After that day, please go back to using your usual host, because temp.xrdp.inf.ed.ac.uk is only temporary.

Comments and questions

If you have any, please send them in using the computing support form. Thanks!

Posted in Uncategorized | Leave a comment

Printer Changes in Informatics

During the recent lockdowns, new working practices have developed which place far less reliance on the printing out of materials. Recognising this, and wishing to reduce the financial and environmental impact of printing across its estate, the University has adopted a policy on sustainable printing, the implementation of which will see printers with low levels of usage in their existing locations being redeployed to areas where new printing requirements have been identified. This is being done in preference to procuring new devices for these areas.

In Informatics, the printers identified as suitable for redeployment are the small mono A4 devices located in the SW corner of each floor of the Forum and the labs on level 3 and 5 of Appleton Tower, hardly surprising since usage levels of all of these devices have been consistently low, even before lockdown. One of the Forum printers has already been moved to the Wilkie Building to accommodate Informatics students who have relocated there, and a second was recently moved to another part of the University. It’s not possible at present to say when the other devices will be removed since this will depend on when new locations are identified for them. Note that the A3 colour printers will still be available on all floors of the Forum, and that the colour printers on levels 4, 6 and 9 of Appleton tower will also remain.

Craig.

Posted in Service Update | Leave a comment

DMARC change to mailman lists

DMARC is a technology designed to combat forged email coming from
senders other than those who are entitled to send as a particular
domain.

Unfortunately there are times where you may want to legitimately “forge”
the sender address of an email. eg on mailing lists. Typically if a
poster sends a message to a list it arrives from their actual email
address, eg jbloggs@some.domain.org.

The mailing list software then sends that email to all the members of
the list, and depending on the list settings, usually as the original
sender’s email address, in this case jbloggs@some.domain.org. So if
this list is hosted at inf.ed.ac.uk, then our mailserver has to
“forge” the email to look like it has come from the @some.domain.org
domain.

Through DMARC the owners of some.domain.org say inf.ed.ac.uk is not
authorised to send mail as @some.domain.org, and anti-spam filters
will take this into account when deciding to deliver the “forged”
email.

This situation is now affecting the use of some of our lists, eg if
they contain non-inf.ed.ac.uk addresses, and those members post to the
list. The lists involved could be changed so that all posts to the list
appear to come From: listname@inf.ed.ac.uk (rather than the original
sender), but then all replies would automatically go to the list,
which is not usually what you want.

The mailing list software we use, mailman, has an option to detect if
a poster is posting from an address using DMARC, and for their posts
it changes the From: field to be listname@inf.ed.ac.uk, and sets the
Reply-To: their original address. This should then keep the anti-spam
filters happy, and still mean that replies would tend to go direct to
the poster, rather than the list.

This setting is now the default for new informatics mailing lists,
and shortly we will be retrospectively enabling this setting for
existing lists.

If you are a list owner, then you check the setting under Privacy
options -> Sender Filters -> dmarc_moderation_action

Neil
Services Unit

Posted in Information, Service Update | Leave a comment

Research Data Management

The University runs a Research Data Management Service which encompasses all aspects of Research Data Management including recording Data Management Plans, storing active data, sharing data, archiving data and providing forums and training facilities.

The main features are:


  • DMPonline
    Free and open web-based tool to help researchers write data plans
  • DataStore
    To store data in active use
  • DataSync
    ‘Dropbox-like’ file-hosting service for non-sensitive data
  • DataShare
    Edinburgh DataShare is the University’s Open Access (‘OA’) multi-disciplinary data repository run by the Research Data Service
  • DataVault
    Provides a long-term, low-cost, immutable, and safe storage solution for your research data, which is no longer active or not intended for publication.
  • PURE datasets
    Pure is the University’s Current Research System which provides a data catalogue and is used to populate Edinburgh Research Explorer

For more information on Research Data Management, please read the recently created computing.help page which gives a summary of all the options available within the University Research Data Management Service and

Research Data Management

Posted in Uncategorized | Leave a comment

Shut down of Informatics servers at KB

To improve the resilience of the services hosted in the JCMB server room, a new Uninterruptible Power Supply (UPS) is being installed to cover the whole room.

Unfortunately this work needs the power to be switched off for a period of time. That will mean shutting down servers and services.

The thing that will affect most users will be a delay on some machines when they try to access their files in AFS, as one of the AFS Database servers is in JCMB. If an AFS client is using that DB server, it will take a couple of minutes for it to fail over to one of the others in the Forum or Appleton Tower.

Servers will be powered down from 5pm on Friday (11th June), and restarted as soon as they can be once the work is complete. We expect this to happen on late Saturday afternoon/evening.

Other services will also be affected, including the student lab booking service lbs.inf.ed.ac.uk, but their owners have been contacted separately. However, any oddities from Friday evening until Saturday evening are likely to be related to this power work.

Thank you for your understanding.

Posted in Information, Service Update, system event | Leave a comment

Routing changes between Informatics and EdLAN

For many years we have used the OSPF routing protocol to exchange IPv4 and IPv6 routes with the rest of EdLAN as well as internally within Informatics.  As a result of the University’s network replacement project, however, that’s going to have to change as EdLAN adopts a more layered structure.  We’ll continue to use OSPF internally, as it suits our needs well, but we’re going to adopt BGP instead to exchange routes with EdLAN.

It’s a bit more fiddly to set up, as there are many more knobs that can be adjusted to allow for different users’ situations, but it does have the advantage (to both us and EdLAN) that policy decisions over which routes are accepted by either side are much more clearly set out, so in the long term there should be better stability and fewer surprises.

We’ve been trying this out on a couple of test routers for a while now, and are reaching the point where we’re ready to bring it into service.  The cutover date for the Informatics Forum EdLAN distribution router is likely to be Tuesday 15th June, though before that can happen we do need to upgrade all of our Linux Forum edge routers.  This will be happening over the next week or so, and will require each one to be rebooted in turn.  Most of this work shouldn’t be noticed, for the most part, but there will be short breaks while the Forum main router and the OpenVPN endpoint are rebooted.  We’ll try to give as much notice of these as we can, though given the time constraints of the EdLAN replacement project, the Covid restrictions, and the fact that we really want to be on-site for this work, it probably won’t be possible to delay much,

Once the Forum is bedded in, we’ll move on to convert the Appleton Tower part of our network and our (mostly-)DR site at JCMB.

In due course there will also be changes to the way our network edge is set up, but the details of that will have to be worked through nearer the time.

Posted in Uncategorized | Leave a comment

Making your website HTTPS

For a few years now, modern browsers like Chrome, Firefox and Edge
have been warning as “insecure”, web sites that are served as plain
text over HTTP (port 80).

web browser insecure HTTP screenshot

Example web browser warning when visiting an HTTP site.

Informatics are working through making all our managed websites
available over encrypted HTTPS (port 443). If you run your own website that
is only accessible over HTTP, then you probably want to be thinking
about making it accessible via HTTPS.

At some point web browsers are likely to drive home the point more
forcefully that users are visiting an HTTP only site, and
may even stop supporting HTTP only sites.

If you’ve already configured your own web server, then adding HTTPS is
relatively straightforward, the trickier part being obtaining a
suitable HTTPS SSL certificate for your site.

You will probably have the option to generate a “self-signed”
certificate, which will at least encrypt the web traffic between your
site and the browser, but will lead the web browser flagging a
different warning about a site using a self-signed certificate.

To obtain a trusted SSL certificate, you could use something like Let’s Encrypt
(https://letsencrypt.org/), or perhaps purchase one from your ISP, or a
separate commercial SSL provider.

Good luck.

Posted in Information, News | Leave a comment

Remote desktop now needs the VPN

To use our remote desktop service, or any RDP connection to a computer at Edinburgh University, you must now (edit: from 07:00 on Wednesday 28 April) use a University VPN. If you don’t, you won’t get a connection.

If you already use the University VPN or the Informatics OpenVPN, carry on – RDP should work for you. You won’t need the VPN if your computer is already on the University of Edinburgh network – for instance in a computing lab or an office on campus.

RDP without VPN has been blocked for security reasons.

See these pages for more help:

Posted in Uncategorized | Leave a comment