Weekly Changes – 21/04/2025
After a few quiet weeks due to holidays, normal service is resumed with a selection of bug fixes and new features. Here are the details of the notable changes…
fstab
On Ubuntu Noble the LCFG fstab component manages the permissions for mount points, including those added using the fstab.entries resource. For security, the mode on the directory defaults to 0700. We recently discovered that this default occasionally causes problems when you need to add an entry to the /etc/fstab file to override the mount options on an API File System (e.g. /proc). To resolve this, we now support retaining the mode for an existing mount point when the mode resource is set to retain. Note that if the mount point does not exist it will still be created with the default secure permissions. For example:
!fstab.entries mADD(proc)
!fstab.spec_proc mSET(proc)
!fstab.file_proc mSET(/proc)
!fstab.vfstype_proc mSET(proc)
!fstab.mode_proc mSET(retain)
!fstab.mntopts_proc mSETQ("defaults,hidepid=2")
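The retain behaviour described above, as an added shell illustration that is not the fstab component's own code (the component is not written in shell); ensure_mountpoint and mode_of are hypothetical helper names, and the test directories are constructed stand-ins for a real mount point such as /proc:

```shell
#!/bin/sh
# Illustration of the mount point mode rules described above (added example,
# not the LCFG fstab component's implementation).
#
# ensure_mountpoint DIR MODE
#   MODE is an octal mode such as 0700, or the word "retain".
#   - A missing mount point is always created with the secure default 0700,
#     even when MODE is "retain".
#   - An existing mount point keeps its current mode when MODE is "retain"
#     (the case of an API file system like /proc, where forcing 0700 breaks
#     things); otherwise it is set to MODE.
ensure_mountpoint() {
    dir=$1
    mode=${2:-0700}   # component default is 0700
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" && chmod 0700 "$dir"
    elif [ "$mode" != retain ]; then
        chmod "$mode" "$dir"
    fi
    # "retain" on an existing directory deliberately changes nothing
}

# Report a directory's mode as an octal string (GNU stat), for checking.
mode_of() {
    stat -c %a "$1"
}
```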
inifile component
The LCFG component for managing the contents of INI-style files has been updated. This fixes a bug in setting the group on a file, see bug#1474 for full details.
Package Mirrors
Configuration options have been added for mirroring the following package repositories:
APTLY_MIRROR_GANESHA5 – NFS fileserver (version 5)
APTLY_MIRROR_CEPH_REEF – Ceph Reef release
APTLY_MIRROR_CEPH_SQUID – Ceph Squid release
APTLY_MIRROR_QGIS – QGIS geographic information system
APTLY_MIRROR_GLOBUS – Globus data sharing software
APTLY_MIRROR_OPENNEBULA – OpenNebula cloud-computing platform
APTLY_MIRROR_GRAFANA – Grafana platform for data analytics and monitoring
For all of these except Ceph there are mirror configurations suitable for both Ubuntu Jammy and Noble. Ceph is currently only available for Jammy. There will not be any support for Focal for these repositories.
For convenience, the current key files have also been added to the aptly-keyrings package.
Package repositories
It is now possible to minimise the repositories configured for an Ubuntu system by defining ED_OPTIONS_PACKAGES_MINIMAL_REPOS at the start of an LCFG profile.
SSH server kernel modules
The LCFG header for creating a secure external-facing SSH server – ed/options/ssh-server.h – disables the loading of kernel modules after boot time. This provides protection against many rootkits. To ensure the system is actually useful there is a list of kernel modules which should always be loaded at boot time. It was recently spotted that this list includes the nfsd module, which is unlikely to be required and can cause problems; it seems likely this was a mistake, with the intention being to load the nfsv3 client module.
If the lcfg/options/iptables.h header is used in this scenario it will now ensure the nf_tables kernel module is loaded at boot time.
Simple Default Deny Incoming iptables firewall
lcfg/options/iptables-simple.h sets up a simple incoming default deny firewall using iptables and has gained a couple of convenience macros to add exceptions to the end or beginning of the rules.
IPTABLES_SIMPLE_CONCAT(rule,"comment text")
IPTABLES_SIMPLE_PRECONCAT(rule,"comment text")
inf-level files
Those with access to the Informatics headers and package lists may notice that a large number of files have been deleted. These were related to the old inf-level system that we used for platform development and testing on SL7. They have not been maintained for a long time so they have been removed for clarity.
Changes to headers and package lists
Members of the Informatics Computing team can browse all the changes to the headers and package lists.