Weekly Changes – 25/01/2021
The changes for this week include various fixes to make our services more robust. Here’s the summary…
rpcbind and rdxprof
Since the starting of the rdxprof daemon was split out from the LCFG client component, we have experienced problems with rpcbind stealing the UDP port that rdxprof uses to receive notifications from the LCFG server. To solve this problem we are now trialling a solution which changes the systemd configuration for rpcbind so that it waits for rdxprof to be started (and thus has to select a different port). Full details are in bug#1265. Note that this only applies to SL7; on Ubuntu, rpcbind is started with different options, which completely avoids the potential for the issue to occur.
Support for disabling the PAM afs_session module
To avoid a dependency on AFS, many of our servers are configured to use local home directories. During the recent OpenAFS crisis we discovered that this wasn’t sufficient: we still experienced slow logins on those servers due to the inclusion of the afs_session module in the standard PAM login stack. The advantage of including the module is that users can still access AFS as normal when necessary without running the aklog command first. To test removing the module there is now support for a DICE_NO_AFS_SESSION macro which can be specified at the top of an LCFG profile. We still need to discuss whether the standard configuration for machines using local home directories should have this enabled or disabled. It might be that we invert the macro and specify it when pam_afs_session is needed on those machines.
x509 component
Following on from the introduction of the version 9 schema last week, it is now the default schema and the component code has been updated to 0.1.15. This adds a lefullchain_$ boolean resource (default: true) so that we can configure whether Let’s Encrypt certs use the fullchain, containing chain certs and the domain cert (as they always have until now), or the shorter chain file which just contains the chain certs. The latter is more correct for, e.g., web serving, but we still require the fullchain file for, e.g., xrdp.
Routing and systemd-networkd
It looks like restarting the systemd-networkd service on Ubuntu machines kills the default route which is managed by the LCFG routing component (which uses the rdisc daemon). A simple solution has been implemented in the lcfg-routing.service config by making it “part of” the systemd-networkd.service config. This means that the routing component will now be restarted whenever the systemd-networkd service is restarted.
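As an illustration of this kind of dependency (an added example, not the actual lcfg-routing.service config): systemd’s PartOf= directive propagates stop and restart actions from the named unit to the unit that declares it. The drop-in path and the After= ordering line are assumptions.

```ini
# Hypothetical drop-in: /etc/systemd/system/lcfg-routing.service.d/networkd.conf
[Unit]
# A stop or restart of systemd-networkd.service is propagated to this unit.
# PartOf= is one-way: restarting lcfg-routing does not touch systemd-networkd.
PartOf=systemd-networkd.service
# Assumption: order after networkd so the routing component comes back
# only once networkd itself has been restarted.
After=systemd-networkd.service
```

PartOf= does not propagate starts, so the unit still needs its own enablement to come up at boot. After a daemon-reload, `systemctl show -p PartOf lcfg-routing.service` shows whether the relation is in effect.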
Lab machines in the Forum
Occasionally there is a need for a machine in the Forum to be configured as a standard student lab machine. To make this easier there are now live/studentlabs-forum.h and dice/options/studentlabs-forum.h headers. In particular, this configures machines to be excluded from the lab.inf pool.
LCFG paths
There are still lots of references to LCFG paths in the dice headers which are wrong for Ubuntu (e.g. logs are now in /var/log/lcfg). The sysinfo component has resources which can be used to handle these in a platform-independent way (e.g. sysinfo.path_lcfglog). A few of them have been fixed this week; at some point soon we will be applying a bulk change to fix the majority of those remaining.
New Software
Along with the weekly security updates, the following packages were newly installed on DICE Ubuntu. Note that not all machines will carry all these packages:
- zbar-tools / qrencode – Tools for working with QR codes
- recoll – desktop full-text search tool
- SageMath – free open-source mathematics software system