From zanchey at ucc.gu.uwa.edu.au Wed Jun 3 08:55:34 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Wed, 3 Jun 2015 08:55:34 +0800 (AWST)
Subject: [tech] secure.ucc certificate expiry
Message-ID:

The TLS certificate for secure.ucc.asn.au (not *.ucc.asn.au) has expired
(on May 11, 2015). We use the wildcard cert pretty much everywhere -
HTTPS, IMAPS, SMTPS, RDP to Maaxen - but not the IPsec VPN, because
StrongSwan doesn't support wildcards. The domain used for the VPN needs to
be listed on the certificate as a subjectAltName, which on the wildcard
cert is 'ucc.asn.au' as well as '*.ucc.asn.au'.

At the moment I've changed the VPN to use 'ucc.asn.au' instead of
'secure.ucc.asn.au' (with appropriate firewall mangling), but I wonder if
we could look at getting a few defined subjectAltNames added to our
certificate. I don't think it's really worth renewing a separate
certificate just for IPsec. Who looks after the wildcard certificate?

Hopefully letsencrypt.org will get off the ground soon which will make
this sort of thing much easier.

Cheers

David Adam
zanchey@

[1]: https://wiki.strongswan.org/issues/794

From zanchey at ucc.gu.uwa.edu.au Wed Jun 3 11:31:41 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Wed, 3 Jun 2015 11:31:41 +0800 (AWST)
Subject: [tech] secure.ucc certificate expiry
In-Reply-To:
References:
Message-ID:

On Wed, 3 Jun 2015, David Adam wrote:

> The TLS certificate for secure.ucc.asn.au (not *.ucc.asn.au) has expired
> (on May 11, 2015). We use the wildcard cert pretty much everywhere -
> HTTPS, IMAPS, SMTPS, RDP to Maaxen - but not the IPsec VPN, because
> StrongSwan doesn't support wildcards. The domain used for the VPN needs to
> be listed on the certificate as a subjectAltName, which on the wildcard
> cert is 'ucc.asn.au' as well as '*.ucc.asn.au'.
>
> At the moment I've changed the VPN to use 'ucc.asn.au' instead of
> 'secure.ucc.asn.au' (with appropriate firewall mangling), but I wonder if
> we could look at getting a few defined subjectAltNames added to our
> certificate. I don't think it's really worth renewing a separate
> certificate just for IPsec. Who looks after the wildcard certificate?

I found the login details (they're in uccpass now) but getting
subjectAltNames for wildcard certificates rapidly gets crazy expensive.

I went ahead and bought a PositiveSSL certificate for 'secure.ucc.asn.au'
(login details also in uccpass).

Bring on the death of the TLS "industry".

David Adam
zanchey at ucc.gu.uwa.edu.au

From trs80 at ucc.gu.uwa.edu.au Wed Jun 10 10:27:05 2015
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Wed, 10 Jun 2015 10:27:05 +0800 (AWST)
Subject: [tech] SOGo DB fixed
Message-ID:

Someone upgraded SOGo on mussel to the latest major version (2.3.0 from
2.2.17a-1) however the Debian packages don't run the SQL upgrade scripts.
They're found in /usr/share/doc/sogo and I've run
sql-update-2.1.17_to_2.3.0.sh as sogo, after editing it to account for our
config being in ~sogo/GNUstep/Defaults/.GNUstepDefaults rather than
/etc/sogo/sogo.conf (which is the new hotness apparently).

--
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

From zanchey at ucc.gu.uwa.edu.au Thu Jun 11 20:23:31 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Thu, 11 Jun 2015 20:23:31 +0800 (AWST)
Subject: [tech] Yak shaving on Mollitz
Message-ID:

I wanted to try upgrading Mollitz (the backup server located offsite) to
the latest version of Debian (8 or Jessie), and got to spend some quality
time yak shaving[1].
The main problem is that the OCZ Vertex II SSD that is the boot drive
doesn't play nicely with kernels any newer than 2.6.32 (which is the
kernel from Debian 6, squeeze).

Along the way, I discovered that:
 - GRUB confuses IPMI Serial-over-LAN
 - The DRAC5 Virtual Media applet doesn't work in Java and requires ActiveX
 - The latest Java doesn't like self-signed SSL and requires editing
   system-wide configuration to get it to work

Most importantly, I figured upgrading the drive firmware might help, but
the PowerEdge 2950 only supports Legacy ATA mode (not AHCI) for the SATA
drives, and the OCZ upgrade utility only works with AHCI.

In any case, Mollitz is now running Jessie but with an old kernel, the old
udev and thus no systemd. As the kernel is now unsupported I think it
would be a good idea to look at either upgrading the firmware on the SSD
or replacing it with one that is less likely to lose all the data on it.
This will be complicated by the fact that it is located offsite and also:

" the top right bay (the one holding the ssd) has a screw holding the
clip closed because it's a hot-swap bay that isn't hot-swap"

David Adam
UCC Wheel Member
zanchey@

[1]: http://sethgodin.typepad.com/seths_blog/2005/03/dont_shave_that.html

From trs80 at ucc.gu.uwa.edu.au Thu Jun 11 22:35:55 2015
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Thu, 11 Jun 2015 22:35:55 +0800 (AWST)
Subject: [tech] Yak shaving on Mollitz
In-Reply-To:
References:
Message-ID:

On Thu, 11 Jun 2015, David Adam wrote:

> In any case, Mollitz is now running Jessie but with an old kernel, the old
> udev and thus no systemd. As the kernel is now unsupported I think it
> would be a good idea to look at either upgrading the firmware on the SSD
> or replacing it with one that is less likely to lose all the data on it.
> This will be complicated by the fact that it is located offsite and also:
>
> " the top right bay (the one holding the ssd) has a screw holding the
> clip closed because it's a hot-swap bay that isn't hot-swap"

As the offsite provider, what's the info on upgrading the firmware?

--
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

From zanchey at ucc.gu.uwa.edu.au Fri Jun 12 11:19:35 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Fri, 12 Jun 2015 11:19:35 +0800 (AWST)
Subject: [tech] Yak shaving on Mollitz
In-Reply-To:
References:
Message-ID:

On Thu, 11 Jun 2015, James Andrewartha wrote:

> On Thu, 11 Jun 2015, David Adam wrote:
>
> > In any case, Mollitz is now running Jessie but with an old kernel, the old
> > udev and thus no systemd. As the kernel is now unsupported I think it
> > would be a good idea to look at either upgrading the firmware on the SSD
> > or replacing it with one that is less likely to lose all the data on it.
> > This will be complicated by the fact that it is located offsite and also:
> >
> > " the top right bay (the one holding the ssd) has a screw holding the
> > clip closed because it's a hot-swap bay that isn't hot-swap"
>
> As the offsite provider, what's the info on upgrading the firmware?

You'll need to shut the machine down, pull the drive, put it into
something that supports AHCI, and then run the firmware upgrade utility.
The easiest way is the bootable image:
http://ocz.com/consumer/download/firmware/OCZ_Bootable_Tools_v4.9.0.634.iso

[DAA]

From zanchey at ucc.gu.uwa.edu.au Sat Jun 13 23:34:33 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Sat, 13 Jun 2015 23:34:33 +0800 (AWST)
Subject: [tech] Murasoi upgraded to Debian stable "jessie" 8.1
Message-ID:

With the server downtime today, I figured nobody would mind too much if
routing went away for another few minutes.

I upgraded Murasoi to Debian "jessie" 8.1. Like most of the transitions,
it was surprisingly smooth. The only problem I ran into was that our very
custom syslog-ng configuration needed updating to match the type of syslog
messages that systemd sends [1][2].

Otherwise, it looks good:

    # systemctl status
    ● murasoi
        State: running
         Jobs: 0 queued
       Failed: 0 units
        Since: Sat 2015-06-13 20:28:39 AWST; 3h 5min ago

[DAA]
zanchey@

From mjpomery at ucc.asn.au Fri Jun 19 20:40:39 2015
From: mjpomery at ucc.asn.au (Mitchell Pomery)
Date: Fri, 19 Jun 2015 20:40:39 +0800 (AWST)
Subject: [tech] Power Work Happening in Cameron Hall - Saturday 20th
Message-ID:

Hi All,

UCC will be experiencing power disruptions tomorrow as more works are done
to Cameron Hall. They should be minor and disruptions to UCC services may
occur briefly throughout the day. Please bear with us while these
interruptions occur. Interruptions should cease around 5PM and wheel
members will confirm that services are operating as expected.

If you are in Cameron Hall throughout the day, there may be no lights in
the building. Please be courteous to the electricians while they work.
Regards,
Mitchell Pomery
OCM and IPP 2015
UCC President 2014
OCM 2013

From mjpomery at ucc.asn.au Wed Jun 24 12:13:51 2015
From: mjpomery at ucc.asn.au (Mitchell Pomery)
Date: Wed, 24 Jun 2015 12:13:51 +0800 (AWST)
Subject: [tech] [ucc] Minutes of Meeting on Tuesday, 23rd June 2015
In-Reply-To: <20150623082950.A79DD20081@motsugo.ucc.gu.uwa.edu.au>
References: <20150623082950.A79DD20081@motsugo.ucc.gu.uwa.edu.au>
Message-ID:

I didn't get a chance to drop things in before the committee meeting, so
here goes. There is also information in here that tech should have, mainly
in the Machine technical Reports.

> ##Education Report
> -
> - Planning for camp in progress
> - Programming competition
> - Considering stuff for special projects grant
> - 3D printer
> - General approval
> - [AMS] to investigate

I can't see a 3D printer being a worthwhile investment. I have talked to
[HTL] and he mentioned one of the liquid 3D printers where you can easily
print overhangs. This may be worthwhile as we can sell prints off to other
clubs (unigames), but coming up with a way of making sure that the printer
doesn't cost us bucketloads should be part of the investigation.

> ##Machine Technical Reports
> ###Servers
> - Kalamari collects a lot of dust
> - It needs cleaning occasionally
> - It is still running super cool
> - [BG3] to clean Kalamari
>
> ###Network
> - WiFi
> - Haven't had any reports of issues
> - Has been working well

Nope. This isn't something that should be an individual person's
responsibility. I've cleaned it recently, but it will need cleaning about
once a month. There's a brush for removing dust on top of kalamari. This
is something anyone can do if they have access to the machine room (wheel
or not).

Also: Power upgrades happened to Cameron Hall on Saturday the 13th, which
took all UCC services offline for the day. [TPG] and [DAA] did most of the
hard work getting things back up while I supervised (watched).

On Tuesday the 16th, late at night the UPS started beeping.
Wednesday morning it was turned off. In doing this, bitumen was
accidentally rebooted. On coming back up it seems to have decided to not
load parts of its config. I had a look at it and tried to get the config
from rancid on Molmol, but was unable to log into molmol. We ended up
plugging the uplink straight into Murasoi, rather than routing it through
bitumen, and [DAA] was able to ssh in, get to mollitz (backup server) and
grab a copy off of there and get it all working within 15 minutes of
getting access. The uplink is still plugged directly into murasoi. Unless
someone has undone that and not told me (or I missed the IRC message).

We also had an issue with our mailman setup where no emails to the lists
were ending up in recipients' inboxes. I discovered this while trying to
email a list and not receiving a copy in my inbox instantly.

UWA also had an unrelated incident where emails from UWA to other
providers were being autoconsidered as spam. Unrelated to anything we do,
but it does mean that a heap of emails from UCC would have been rejected.
The issue has been resolved.

> ###Desktop
> - Clownfish
> - [BOB] had a look at it
> - Unsurprisingly, removing Mate repositories helped fix it
> - Fixed the gnome install
> - Lock screen works
> ##Drinks and Snacks
> - All hail [JDN]
> - Snack run to end all snack runs was done

Chips are on top of the machine room. I'm going to look at making the
machine room roof more solid, cause keeping snacks up there is nicer than
having a machine room full of snacks. Also we have a step ladder.

I also owe UCC a coke and a mars bar (or dispense credit for them).
Everything was broken and I needed food to help me fix it all.

> ###Guild/SOC
> - Tenancy meeting on July 4th, followed by cleanup
> - Special Projects Grants due sometime in July

I won't be here for the cleanup. I will be several hundred kilometers
away. This should not be new information.
> ###Other Entities
> - FM have finished power works in Cameron Hall
> - Will be doing data work at some point
> - Fixed leaks in the roof

See higher for my notes on Power works. There is also another issue that I
need to talk to [GOZ] about to resolve in regards to these works.

> ##Events
> - FREEDOM LAN
> - Still free
> - July 4th

People need to know how to set up for this. I can answer questions, but
the wiki should have most of the info. If there is any info that whoever
is running the event thinks needs updating, let me know.
http://wiki.ucc.asn.au/UCCLAN

> - Camp
> - Meeting tomorrow at 12pm
> - Survey went out

Meeting happened late last night over teamspeak. We are on track to run a
great event. Buy your tickets from camp.ucc.asn.au

> - Anniversary Dinner
> - [TJB] to organize

I'm willing to help out with this. I've been looking at various venues
that we can host it and would like to help with the event.

> ##Action Items
> - [BG3] to purchase POE gear, whiteboards and guidewire
> - Will happen after Exams
> - Ongoing

Will look at this tomorrow night/this weekend. Guidewire will happen next
weekend when I am in Geraldton.

> - Committee investigating additional Windows machine
> - [JDN] can buy his specced machine for $1018
> - Specs will go to tech@ again
> - [*OX] wants a copy, will buy it off us
> - [JDN] moves that we budget $2200 to purchase two of the machines he has specced, [LDA] seconds
> - Passes unanimously
> - [JDN] to purchase

I would like to see the specs sent to the lists before a purchase is made
(now that exams and assignments are over).

> ##Current Action Items
> - [AMS] to investigate 3D printer
> - [CHS] to send out an email about FREEDOM LAN and Camp
> - [BG3] to purchase POE gear, whiteboards and guidewire
> - [JDN] to purchase new computer parts

There was something I wanted to add to Action items but I forgot what it
was.
Regards,
Mitchell Pomery
OCM and IPP 2015
UCC President 2014
OCM 2013

From trs80 at ucc.gu.uwa.edu.au Wed Jun 24 14:29:15 2015
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Wed, 24 Jun 2015 14:29:15 +0800 (AWST)
Subject: [tech] Yak shaving on Mollitz
In-Reply-To:
References:
Message-ID:

On Fri, 12 Jun 2015, David Adam wrote:

> You'll need to shut the machine down, pull the drive, put it into
> something that supports AHCI, and then run the firmware upgrade utility.
> The easiest way is the bootable image:
> http://ocz.com/consumer/download/firmware/OCZ_Bootable_Tools_v4.9.0.634.iso

Right, after dicking around for a few days with making a bootable USB that
didn't work, I burnt a CD (how 1998) and have upgraded the firmware. I had
to temporarily move the actual CDROM in the server to be able to reconnect
the SATA data and power cables. Anyway, it's all up again:

Linux mollitz 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64 GNU/Linux

--
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

From kurama101 at ucc.gu.uwa.edu.au Thu Jun 25 15:59:02 2015
From: kurama101 at ucc.gu.uwa.edu.au (Jordan Meerwald)
Date: Thu, 25 Jun 2015 15:59:02 +0800 (AWST)
Subject: [tech] New Clubroom Windows Machine
Message-ID:

Hi all,

Here are the specifications for the new Windows machine. I plan to buy it
from MSY on Monday or Tuesday next week, so if you see any issues let me
know before then.
Motherboard: ASRock H97M Pro4 $109
CPU: i5 4690 3.5GHz $295
RAM: GSkill Sniper 8GB (2x4GB) Kit DDR3 1600 $87
HDD: WD Black 7200rpm 1TB $97
GPU: Gigabyte G1 Gaming 2GB GTX960 $295
PSU: Corsair CX600M 600W 80+ Bronze semi-modular $116
Case: Fractal Core 1000 mini tower $59
Total: $1058

Thanks
[JDN]
Treasurer

From trs80 at ucc.gu.uwa.edu.au Fri Jun 26 09:39:12 2015
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Fri, 26 Jun 2015 09:39:12 +0800 (AWST)
Subject: [tech] Murasoi dropouts
Message-ID:

If you've been paying close attention, you may have noticed that murasoi's
network is dropping occasionally. dmesg shows:

[Fri Jun 26 07:48:25 2015] e1000 0000:01:01.0 eth0: Detected Tx Unit Hang
  Tx Queue <0>
  TDH
  TDT <2e>
  next_to_use <2e>
  next_to_clean
buffer_info[next_to_clean]
  time_stamp <10b250914>
  next_to_watch
  jiffies <10b2513b2>
  next_to_watch.status <0>
[Fri Jun 26 07:48:25 2015] e1000 0000:01:01.0 eth0: Reset adapter
[Fri Jun 26 07:48:29 2015] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX

Some quick googling returns
http://blog.bradiceanu.net/2010/11/28/netdev-watchdog-eth0-transmit-timed-out/
which suggests building a more recent version of the e1000 driver (which
is 8.0.35 vs 3.16's 7.3.21-k8-NAPI) and setting in modprobe.d:

    options e1000 ignore_64bit_dma=1

Further discussion is happening in #ucc

--
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /
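
Added example, not part of the list post above: a small Python parser that pairs each e1000 "Detected Tx Unit Hang" line with the following "NIC Link is Up" line and reports how long the interface was down. The sample log is constructed; its first three lines follow the excerpt in the post and the rest are made up, and the function and variable names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in `dmesg -T` format. Indented register-dump lines
# (TDH, TDT, ...) carry no timestamp and are skipped by the parser.
SAMPLE = """\
[Fri Jun 26 07:48:25 2015] e1000 0000:01:01.0 eth0: Detected Tx Unit Hang
  TDT <2e>
[Fri Jun 26 07:48:25 2015] e1000 0000:01:01.0 eth0: Reset adapter
[Fri Jun 26 07:48:29 2015] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[Fri Jun 26 09:02:10 2015] e1000 0000:01:01.0 eth0: Detected Tx Unit Hang
[Fri Jun 26 09:02:11 2015] e1000 0000:01:01.0 eth0: Reset adapter
[Fri Jun 26 09:02:16 2015] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[Fri Jun 26 09:30:00 2015] e1000 0000:01:01.0 eth0: Detected Tx Unit Hang
"""

# Matches both "e1000 <pci-addr> eth0: <msg>" and "e1000: eth0 <msg>".
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+e1000[ :].*?\b(?P<iface>eth\d+):?\s+(?P<msg>.+)$"
)


def find_outages(text):
    """Return (events, unresolved).

    events: one dict per hang that was followed by a link-up, with the
    interface, the time of the first hang and the seconds until link-up.
    unresolved: interface -> time of a hang with no link-up after it.
    """
    pending = {}
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        iface, msg = m["iface"], m["msg"]
        if msg.startswith("Detected Tx Unit Hang"):
            # Keep the first hang if several are logged before recovery.
            pending.setdefault(iface, when)
        elif msg.startswith("NIC Link is Up") and iface in pending:
            start = pending.pop(iface)
            events.append({"iface": iface, "start": start,
                           "seconds": (when - start).total_seconds()})
    return events, pending


if __name__ == "__main__":
    done, stuck = find_outages(SAMPLE)
    for e in done:
        print(f"{e['iface']} down {e['seconds']:.0f}s from {e['start']}")
    for iface, when in stuck.items():
        print(f"{iface} hang at {when} with no link-up logged")
```
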
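
Added example for the secure.ucc certificate thread at the top of this archive, not code from the list or from strongSwan: it contrasts TLS-style wildcard matching with the literal subjectAltName comparison the thread says the VPN needs, and also filters out expired certificates. The wildcard certificate's expiry date and the assumption that the old certificate listed only 'secure.ucc.asn.au' are constructed for the example.

```python
from datetime import date


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing dot.
    return name.rstrip(".").lower().split(".")


def matches_exact(identity, sans):
    """Accept only an identity that is literally listed as a SAN."""
    return any(_labels(identity) == _labels(s) for s in sans)


def matches_wildcard(host, sans):
    """TLS-style matching: '*' stands for exactly one leftmost label."""
    h = _labels(host)
    for s in sans:
        p = _labels(s)
        if p == h:
            return True
        if p[0] == "*" and len(p) == len(h) and p[1:] == h[1:]:
            return True
    return False


CERTS = [
    # SAN list assumed; expiry date is the one given in the thread.
    {"label": "secure", "sans": ["secure.ucc.asn.au"],
     "not_after": date(2015, 5, 11)},
    # SANs as given in the thread; expiry date constructed.
    {"label": "wildcard", "sans": ["ucc.asn.au", "*.ucc.asn.au"],
     "not_after": date(2016, 1, 1)},
]

THREAD_DATE = date(2015, 6, 3)     # date of the first post
BEFORE_EXPIRY = date(2015, 5, 1)   # constructed, for comparison


def usable(certs, identity, today, wildcard_ok):
    """Labels of unexpired certificates that cover `identity`."""
    match = matches_wildcard if wildcard_ok else matches_exact
    return [c["label"] for c in certs
            if today <= c["not_after"] and match(identity, c["sans"])]


if __name__ == "__main__":
    for name in ("secure.ucc.asn.au", "ucc.asn.au"):
        print(name,
              "wildcard rule:", usable(CERTS, name, THREAD_DATE, True),
              "exact rule:", usable(CERTS, name, THREAD_DATE, False))
```
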