[committee] Wheel meeting minutes 2019-08-25
Felix von Perger
frekk at ucc.asn.au
Mon Aug 26 18:04:49 AWST 2019
Hi all,
Attached are the minutes from the wheel meeting this Sunday.
Cheers,
Felix
Wheel meeting 2019-08-25
========================
(Sorry these are such a mess, [TPG] is bad at minutes)
## Action items from last meeting (2019-06-22)
- ACTION items: put etckeeper on everything, plus above action items - [TPG] volunteers to do murasoi
- See below for discussion
- ACTION: [FVP] to update the ActiveDirectory wiki page
- Looks like it was done.
- ACTION: [FVP] Purchase a windows server licence - unsure if this can be done individually on connectingup.org
- Unknown
- ACTION: look into having these services automatically start (not starting when dependencies are unavailable, and stopping when necessary)
- Services are: mussel: apache, freeradius, imapproxy; mooneye: mailman, postfix; samson: AD
- See below.
## General items `agenda.next`
- [FVP] http://www.csn.ul.ie/#recruit http://skynet.ie/guide/basic/introdoc.html
- [NTU] Another computer club, Onboarding documentation. People should read this
- [NTU] Samba AD familiarisation/monitoring/maintenance/updates/config-managed rebuilds
- Carry over.
- [NTU] Demo: remote console access to the major servers?
- [NTU] Demo: restore files from offsite?
- Carry over
- [NTU] Communication of changes and proposed changes
- Keep the tech/wheel group mailing lists up to date
- is https://wiki.ucc.asn.au/ChangeLog working?
- or can it be semi-automated?
- where not recorded elsewhere?
- [NTU] Password/Key rotations
## Email Agenda Items
- [FVP] Setting up a per-club VLAN, and/or a webcam/IoT VLAN - UniSFA has expressed interest in managing their network/WiFi more independently from UCC, and it would be nice to give them a technical recommendation on ways that could be done. If other clubs were given a separate VLAN and single public IP with NAT, this would be beneficial from a security/accountability perspective, and also make it easier for a possible future migration of other clubs away from UCC internet. It would also be worth discussing reasonable expectations/guidelines for admin access to devices on the network not owned by UCC - for example, UniSFA committee can enter the admin password to deepthought upon request but do not wish to share it (I think this is reasonable).
- [FVP] Installing SSDs in servers - if we have enough Proxmox machines to make a decent sized cluster, is it necessary to use two SSDs for a system RAID1 in these machines? Could we just live with the risk of disk failure and just clean-rebuild hosts when necessary? (I think it is OK to accept the risk, provided we can easily rebuild hosts without problems, especially given SSDs are expensive)
- [FVP] Regarding dual-boot machines, review the SOE and see if anything more should be added.
- [FVP] Regarding member data (specifically the membership register) and compliance with Privacy legislation, it would be worth discussing how we can be compliant and what an appropriate "privacy policy" would look like.
- [FVP] Regarding keys, I think it would be worth reviewing who currently has keys to the machine room and having a discussion about whether wheel members should, or need to have keys, if using combination locks or other locking mechanisms would be more efficient, or whether a shared set of keys in the lockbox would be sufficient.
- [FVP] I would also appreciate if wheel could review who currently holds or has access to any club-related keys generally, justify such access, and clarify under what conditions and to whom it should apply, from both a security perspective and considering current Guild/Tenancy regulations. For the record, I would like to suggest the club contracts out the secure destruction of excess keys where the existence/abundance of such keys may warrant a security concern.
- [FVP] Changing passwords following the recent wheel/group review would also be a good idea, and I am happy to assist in that process later this week.
# Meeting opened 14:45
Present: [SJH] [MSH] [AJT] [TPG] [NTU] [DAS] [333] [TEC]
Apologies: [THA] [CFE] [FVP] [MPT] [LE@] [GEE]
## Next meeting: Sun 2019-11-17 16:00
## [TEC] for wheel
- Committee have said yes (meeting 2019-08-16)
- Wheel asked him last meeting, he said no
- [TEC]: "Not opposed to the idea"
- Vote to put [TEC] on wheel:
- Passes, welcome [TEC]
## Policy ideas around accepting/providing admin memberships
- See incidents with group membership early this year.
- Minimum membership policy: 6 months minimum membership before can join groups
## Per-club/IoT VLANs
- [NTU] Other clubs should be using direct Uni uplinks?
- Possible issues with cost of such a connection.
- UniSFA should see if UWA can provide such a thing.
- UCC is responsible for its network, so should be able to control (or at least check) all machines on the network.
- If other clubs use the network, UCC needs either usernames or admin access.
- [MSH] Option: Move deepthought to wifi (or at least to the Wifi VLAN) to avoid clubroom VLAN issues (and knowing if it's deepthought that causes issues instead of some random on the cable).
- [TPG] IoT VLAN should definitely happen
## AD server on mooneye
- [MSH] Backup AD on mooneye to remove the current /etc/passwd hack
- Mooneye is still 32-bit? Yes. This should be fixed (It's an "Intel Xeon" - no suffix, Dell 2850)
- [333] Apparently 32-bit x86 testing isn't that good any more, may be buggier
- Should be rebuilt to at least fix the 32-bit issue
- Options:
- Just add an AD server to it (RODC?) - Easiest option.
- Re-design and rebuild mooneye on new hardware.
- Either way, include monitoring to spot when the user database fails (on all servers)
## Ethical guidelines review
- Random item: #8 "Environment Quality"
- Let people know when/why you've made a change that will affect users
- This has recently been referenced by members, likely incorrectly.
## ACTION: etckeeper on everything
- Already on most/all machines
- [NTU] Make sure it's up to date
- [TPG] Stores secrets, can't make it public :(
- ACTION [???]: Figure out how to filter out secrets
- [MSH] Run etckeeper as non-root?
- [TEC] Use symlinks to keep the secrets away from etckeeper.
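The "filter out secrets" action above is the one place in these minutes where a concrete check is useful, so here is an added example (written for this page, not UCC's own script or part of etckeeper). etckeeper keeps its git repository in /etc/.git and honours /etc/.gitignore, so the practical filter is a list of ignore entries. The script builds a throwaway /etc-like tree (the file names and contents are constructed, only the hostname comes from the minutes), lists the files that should never be committed, and appends them to the tree's .gitignore. Two rules are applied: files that are not world-readable (roughly what a non-root etckeeper could not read anyway), and world-readable files that still contain a private key or a `secret =` / `password =` assignment, which is the case the non-root and symlink ideas both miss.

```shell
#!/bin/sh
# Added example: find files in an /etc-like tree that etckeeper should not
# commit and record them in <tree>/.gitignore. Never touches the real /etc.

# Build a constructed fake /etc so everything below runs offline.
# Prints the directory it created.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/ssl/private" "$d/freeradius"
    printf 'mussel\n' > "$d/hostname"                 # harmless, world-readable
    chmod 644 "$d/hostname"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...constructed...' \
        '-----END PRIVATE KEY-----' > "$d/ssl/private/mussel.key"
    chmod 600 "$d/ssl/private/mussel.key"             # root-only private key
    printf 'client localhost {\n\tipaddr = 127.0.0.1\n\tsecret = testing123\n}\n' \
        > "$d/freeradius/clients.conf"                 # world-readable, but holds a shared secret
    chmod 644 "$d/freeradius/clients.conf"
    printf 'root:*:18000:0:99999:7:::\n' > "$d/shadow"
    chmod 640 "$d/shadow"                             # restricted, no secret-looking text
    printf '%s\n' "$d"
}

# Print, relative to the tree and sorted/unique, every file that is either
# not world-readable or contains secret-looking text. .git is skipped.
find_secret_files() {
    tree=$1
    (
        cd "$tree" || exit 1
        # Rule 1: the owner restricted it, so git must not publish it.
        find . -path ./.git -prune -o -type f ! -perm -004 -print
        # Rule 2: a world-readable file that still embeds a credential.
        find . -path ./.git -prune -o -type f -exec grep -l -E -i \
            -e 'BEGIN [A-Z ]*PRIVATE KEY' \
            -e '^[[:space:]]*(password|passwd|secret)[[:space:]]*=' {} + || true
    ) | sed 's|^\./||' | sort -u
}

# Append findings to <tree>/.gitignore as anchored entries, skipping any
# already present. Prints the number of entries added (0 on a re-run).
write_gitignore() {
    tree=$1
    ignore="$tree/.gitignore"
    touch "$ignore"
    before=$(wc -l < "$ignore")
    find_secret_files "$tree" | while IFS= read -r f; do
        grep -qxF "/$f" "$ignore" || printf '/%s\n' "$f" >> "$ignore"
    done
    after=$(wc -l < "$ignore")
    echo $((after - before))
}

# Demo on the constructed tree.
demo_tree=$(make_fixture)
echo "Would ignore:"
find_secret_files "$demo_tree"
echo "Added $(write_gitignore "$demo_tree") entries to $demo_tree/.gitignore"
rm -rf "$demo_tree"
```

Run it against a copy of a real /etc (not /etc itself) to get a candidate ignore list, then review it before putting it in /etc/.gitignore; the content patterns are deliberately broad and will flag e.g. an explanatory comment, and anything already committed stays in the repository history until it is rewritten. The symlink idea from the meeting still works alongside this: git records a symlink as a link, so pointing a config at a file outside /etc keeps the target out of the repository.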
## ACTION: Service resilience
- [333] autofs for home? (won't mount until needed)
- [NTU] Test on merlo + mooneye?
- [MSH] Don't test on mooneye, it's quirky.
- [TPG] Merlo shouldn't be writing to /home for logs anyway.
- [MSH] Move mail from mooneye to the /home host? (motsugo)
- [NTU] Move mail to a VM? Allows it to be updated separately.
- Items on this VM: MTA (postfix), mailman, and samba RODC - pretty simple?
- [MSH] Move DNS to murasoi.
[TEC] leaves 15:49
## Status update on new servers [333]
- mudkip and magikarp : Donated by [333] as VM hosts
- HP Proliant 360P (Gen 8) - Xeon E5 CPUs.
- 64GB (mudkip) / 192G (magikarp) of RAM
- Intended to be used as cluster members (use CEPH only?)
- Could get SSDs to add to ceph cluster.
- [MSH] Some free SSDs from IRC?
- [333] got some rails for them.
- [MSH] Are they hot? Just wondering.
- [333] says "not very hot" 150W idle, 400W under heavy load
## Password rotation
- ACTION: NTU and FVP to generate and apply new passwords.
## SSDs on servers
- See discussion about new servers
- Can add single SSDs to cluster members as ceph disks
- New servers are using SD cards as primary storage currently
- [MSH] Can we mount these RO to reduce wear?
- [NTU] Raid to the cluster? Boot from SD then set up a mirror volume on the cluster (active backup of the SD card).
## SOE Review
- DEFER
## Privacy Policy
- DEFER
## Physical key review
- Machine room keys:
- The lockbox copy (original)
- [TPG] 1st generation
- No others at the meeting
- Clubroom keys:
- There is one copy in the room, [TPG] holding a copy with a bit of a history.
- [TPG] I got it from [BOB], who got it from [STU], unknown where he got it from.
- Discussion about official policies as to key access. Tenancy has ideas about key access that may not be accurate ([DAS])
- [NTU] Expectation that the club should be able to control its own key access
## Possible new wheel members?
- No idea from [DAS] or [AJT]
Meeting closed: 16:16