
LCFG Project


Recent Activity for the LCFG project

Weekly Changes – 03/04/2023

There were fewer changes this week for the Ubuntu Jammy platform as the focus moves on to hardware testing. Nevertheless this was a busy week, solving some interesting and challenging problems with Systemd and Apparmor. Here are all the notable details…

Ubuntu Jammy

Details of recent progress on the Ubuntu Jammy platform are now recorded separately, see the latest report.

pam_nologin and systemd-user-sessions.service

On DICE we use the PAM nologin module to deny login access while doing maintenance on multi-user systems. Recently we noticed that after a reboot users were able to log in because the /etc/nologin file, which had been created by the LCFG auth component, had been deleted. Investigation revealed that it was being deleted on every boot by the systemd-user-sessions service. The intention of that service is to create /run/nologin on shutdown and then delete it on the next boot once the system is “ready” for user access. For historical reasons it also deletes /etc/nologin (which isn’t documented anywhere), and that breaks our assumption that the file will persist for as long as necessary. To work around this problem on DICE we have introduced a replacement systemd-user-sessions service which only touches the run file:

[Unit]
Description=Permit User Sessions (LCFG)
After=remote-fs.target nss-user-lookup.target sshd.service

[Service]
Type=oneshot
# Boot: the system is ready for users, so allow logins again.
ExecStart=/usr/bin/rm -f /run/nologin
# Shutdown: systemd executes Exec lines directly rather than through a shell,
# so the redirection has to be wrapped in sh -c for the file to be written.
ExecStop=/bin/sh -c 'echo "This system is currently down for maintenance." > /run/nologin'
RemainAfterExit=yes

# Same install target as the stock systemd-user-sessions unit.
[Install]
WantedBy=multi-user.target

So that everyone benefits from the improved version, we will move this to the LCFG level once we’re happy it’s working as expected.

This has been reported to the Systemd project – issue 26965 – so at some point in the future we should see an upstream fix.
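The replacement unit above writes /run/nologin on shutdown with a shell redirection, and systemd does not run Exec*= lines through a shell: unless the command is wrapped in /bin/sh -c, the > and the path arrive as literal arguments and no file is written, so logins are not blocked while the box goes down. The following is an added example (not LCFG code) of a small lint that reads a unit file on stdin and flags Exec*= lines that use shell syntax without such a wrapper. The sample unit in demo() is constructed for illustration; the pattern list is a deliberate, assumed subset of what a shell would interpret.

```shell
#!/bin/sh
# Added example (not LCFG code). systemd executes Exec*= commands directly,
# so redirections, pipes, ';', '&&' and command substitution inside them are
# passed to the program as plain arguments instead of being interpreted.
# scan_exec_lines reads a unit file on stdin and echoes, as its last line,
# the number of Exec*= lines that contain such syntax without being wrapped
# in "/bin/sh -c" or "/bin/bash -c". With mode "report" it also prints them.
scan_exec_lines() {
  mode="$1"
  bad=0
  while IFS= read -r line; do
    case "$line" in
      Exec*=*) ;;            # ExecStart=, ExecStop=, ExecReload=, ...
      *) continue ;;
    esac
    cmd="${line#*=}"         # everything after the first '='
    case "$cmd" in
      *"/sh -c"*|*"/bash -c"*) continue ;;   # explicitly wrapped in a shell
    esac
    # Assumed subset of shell metacharacters worth flagging; plain $VAR is
    # allowed because systemd expands Environment= variables itself.
    case "$cmd" in
      *'>'*|*'<'*|*'|'*|*';'*|*'&&'*|*'$('*|*'`'*)
        if [ "$mode" = report ]; then
          printf 'shell syntax in: %s\n' "$line"
        fi
        bad=$((bad + 1)) ;;
    esac
  done
  echo "$bad"
}

# Count only (for scripts and tests).
count_shell_syntax_in_exec_lines() { scan_exec_lines count; }

# Print each offending line, then the count.
report_shell_syntax_in_exec_lines() { scan_exec_lines report; }

# Demo on a constructed unit: the redirection form is flagged, the sh -c
# form is not, so the last line printed is "1".
demo() {
  report_shell_syntax_in_exec_lines <<'EOF'
[Service]
Type=oneshot
ExecStart=/usr/bin/rm -f /run/nologin
ExecStop=/usr/bin/echo "This system is currently down for maintenance." > /run/nologin
ExecStop=/bin/sh -c 'echo "This system is currently down for maintenance." > /run/nologin'
RemainAfterExit=yes
EOF
}
```

Run it as `report_shell_syntax_in_exec_lines < /etc/systemd/system/systemd-user-sessions.service` after sourcing the script; a non-zero final line means at least one Exec line needs a shell wrapper (or a rewrite to a command that takes the file as an argument).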

apparmor

There is a new header which can be used to completely disable the apparmor Linux security module. We had previously assumed that to disable apparmor it was sufficient to just disable the Systemd service. It turns out that the only way to fully disable it is to pass the apparmor=0 option on the kernel command line.

Having apparmor enabled spectacularly broke the LCFG dns component on DICE Ubuntu last week when the bind9 packages were upgraded, and it is likely to cause problems for other components whose behaviour does not exactly match what the upstream apparmor profiles expect.
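The point above is easy to get wrong when auditing a host: a disabled apparmor.service only means no profiles are loaded at boot, while the LSM itself remains enabled in the kernel unless apparmor=0 is on the command line. The following is an added example (not LCFG code) of a check that separates the two. The classification function takes its three inputs as arguments so it can be exercised on constructed values; apparmor_state_live feeds it the real /proc/cmdline, the module's enabled parameter and the unit's enablement state. The state names are assumed labels, not anything systemd or AppArmor reports.

```shell
#!/bin/sh
# Added example (not LCFG code): classify the AppArmor state of a host.
#
# apparmor_state CMDLINE ENABLED SERVICE
#   CMDLINE : contents of /proc/cmdline
#   ENABLED : contents of /sys/module/apparmor/parameters/enabled ("Y"/"N",
#             empty if the module is not present)
#   SERVICE : output of "systemctl is-enabled apparmor.service"
#
# Only "kernel-disabled" means the LSM is actually off; a disabled service
# with ENABLED=Y still enforces any profiles already loaded in the kernel.
apparmor_state() {
  cmdline="$1"
  enabled="$2"
  service="$3"
  # Pad with spaces so "apparmor=0" is matched as a whole parameter.
  case " $cmdline " in
    *" apparmor=0 "*) echo "kernel-disabled"; return 0 ;;
  esac
  case "$enabled" in
    Y)
      if [ "$service" = "enabled" ]; then
        echo "lsm-active-service-enabled"
      else
        echo "lsm-active-service-disabled"
      fi ;;
    N) echo "lsm-disabled-by-module-param" ;;
    *) echo "lsm-not-present" ;;
  esac
}

# Read the live system (meaningful only on a Linux host with systemd).
apparmor_state_live() {
  cmdline=$(cat /proc/cmdline 2>/dev/null)
  enabled=$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)
  service=$(systemctl is-enabled apparmor.service 2>/dev/null)
  apparmor_state "$cmdline" "$enabled" "$service"
}

# Number of profiles currently loaded in the kernel (0 if securityfs is not
# mounted or AppArmor is absent); useful alongside the state above.
apparmor_loaded_profiles() {
  if [ -r /sys/kernel/security/apparmor/profiles ]; then
    wc -l < /sys/kernel/security/apparmor/profiles
  else
    echo 0
  fi
}
```

On a DICE Ubuntu host that uses the new header, apparmor_state_live should print kernel-disabled; lsm-active-service-disabled is the state the earlier assumption (just disable the service) leaves you in.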

Ubuntu Installer

The new installer copies all logs from the install process into the /var/log/install directory on the target host. A new install method has been added to tighten the permissions on that directory so it is not publicly readable.

aptly

The aptly package repository management software has been updated to 1.5.0 for Ubuntu. Several Go libraries required for building the package are not available on Focal, so this package provides the pre-built binaries from the project website rather than being built from source.

The LCFG header also now ensures that gnupg is installed.

rsyslog

The Systemd configuration for rsyslog on Ubuntu now sets LimitNOFILE=16384 to match SL7. This is the upstream default on Ubuntu, so it doesn’t change anything, but having the option exposed through a resource allows it to be changed easily when necessary.

hardware component

The LCFG hardware component has been modified to deal with changes to localectl behaviour on Ubuntu Jammy.

DNS component

The LCFG dns component has been modified as some utilities are now found in different locations on Ubuntu Jammy.

truecrypt/veracrypt

The veracrypt disk encryption software is now available on DICE Ubuntu systems. This is using the pre-built packages provided on the upstream website. By default only the allocated user for a system will have permission to run the software using sudo.

Changes to headers and package lists

Members of the Informatics Computing team can browse all the changes to the headers and package lists.
