[tech] Wheel/Tech Meeting Minutes 9/06/16

David Adam zanchey at ucc.gu.uwa.edu.au
Sun Jun 19 21:22:29 AWST 2016


Sorry I missed the meeting at short notice.

On Thu, 9 Jun 2016, Frames wrote:
> Wheel/Tech Meeting Minutes
> ===============
> 
> **Date: 2016/06/09**
> 
> Molmol and ZFS
> -------
> NTU: It is going down so often no one will notice if we take it down
> BG3: How often
> TPG: Once a weekish
> TPG: Windows will fall back to cache if we turn it off.
> MSH: We can test it for example with Debian
> BOB: It causes a particular problem with VMs, especially ones that don't come
> up cleanly like Koha.
> BOB: We should be jumping on this problem it is the biggest impact on users
> BOB: DAA said that we might need to check some flags.
> MSH: DAA, I think, has now checked those and they are fine.
> BOB: Suggests that TBB solves this, as a current student who is wheel member.
> TBB: Will look at after exam.
> 
> General conclusion is to test it on a LiveCD/USB.
> With existing ZFS volumes.

The basic answer is yes, it should be fine with Debian - [JCF] checked the 
feature flag support and there is nothing stopping us using it with a 
current version of ZFS on Linux.

It's worth having a copy of the ZFS on Linux administration guide[1] 
handy. 

The biggest difference is that the Linux implementation imports the pool 
on startup and exports it on shutdown, which means it cleanly transfers 
between systems, but FreeBSD does not. Before starting, I suggest 
rebooting Molmol into single-user mode in FreeBSD, running `zpool export 
space`, and then rebooting into Linux. If you want to boot FreeBSD again, 
boot into single-user, run `zpool import -a` and then reboot into 
multi-user.

If you are going to take it down for any extended period of time, could 
you let tech@ know?

> LDAP/Samba4.
> --------
> 
> MSH: have a look at FreeIPA, it is open source being used commercially
> NTU: I don't think this has changed: if you want modern windows either use
> Microsoft ActiveDirectory, or use Samba4 -- which has to use its own LDAP.
> *OX: If we did ActiveDirectory we would need to use its LDAP
> TPG: Nah you can move it to another domain
> BOB: I talked to DAA on the way he has a test set up that is working with the
> windows, but not the linux.
> NTU/TPG/BOB: we would need to sync samba and LDAP
> BOB: This is going to be a lot easier now we have a clubroom SOE, so it is
> just mint and debian.
> *OX: Surely that [syncing] is the wrong way, samba brand name purpose is
> networking windows and linux
> BOB: Well no, we should be able to do it correctly, with linux binding to
> SAMBA
> NTU: or with linux connecting to LDAP connecting the Samba
> AJT: I'm interested not sure I have the know-how.
> *OX: Really it is mostly about talking to DAA
> MSH: and IRC.
> BOB: I, and I think also DAA, would rather be teaching people than solving
> them.
> *OX: So project for during the holidays. Shall we set a date to have a group
> come and have a hack at it.
> BOB: Start of July -- before camp.
> SJH: Please don't break mail
> MSH: Turn off postfix before breaking things, so mail bounces.

At present, the following works:
- Migrating our OpenLDAP directory to Samba 4 AD with minimal data loss
- Binding new machines to the new AD domain

The following does not:
- Linux NSS and PAM
- ucc-adduser, etc.

There are a few options but a working day sounds good. Sunday 10th July? 
We could do a general tech working day and take some things down for new 
kernels etc. if needed.

> Passwords
> --------------
> BOB: we now have UCCPASS, no more sharing passwords
> General discussion that pass seems to be dumping to the main screen buffer --
> so shows in scrollback

See the manual page for pass(1) - you can use `uccpass show -c ucc/foo` to 
copy it to the clipboard (assumes Xforwarding and xclip installed). 
I use a new tmux window and close it immediately after copying or typing 
the password.
 
> General discussion that 2FA for sudo etc would be cool.
> *OX: that would be cool, if anyone wants to set it up
> MSH: Too hard except sudo, which is easy

pam_googleauthenticator and sudo are not friends - it is trivial to bypass 
if you control your home directory.

> IPv6 issues?
> --------
> BOB: What IPv6 issues?
> TPG: idk Just wrote that down. Comssa seems to be having trouble idk.

IPv6 at UWA is bad.

traceroute to google.com (2404:6800:4006:806::200e) from 2405:3c00:10:4::2, port 80, from port 54860, 30 hops max, 60 bytes packets
 1  2405:3c00:10:4::1 (2405:3c00:10:4::1)  0.518 ms  0.343 ms  0.335 ms
 2  ::ffff:10.10.1.1 (::ffff:10.10.1.1)  1.017 ms  0.617 ms  0.555 ms
 3  syd15s01-in-x0e.1e100.net (2404:6800:4006:806::200e)  0.914 ms [closed]  0.616 ms  0.629 ms

Hey look, Google is our upstream!

David Adam
zanchey at ucc.gu.uwa.edu.au

