HEPIX - STFC

HEPIX
• May 2004 Edinburgh
• http://hepwww.rl.ac.uk/hepix/nesc/agenda.htm
• Linux/Unix highlights
SLAC OS Status
• Linux
– RedHat Enterprise 3 (RHEL3) rolling out to most servers and desktops
– Begun weekly RedHat service meetings (by phone)
– About 20 issues opened so far with them (missing function, driver issues)
– Have yum-based service to pull updates to systems.
– Working out how to update mobile/offsite systems (up2date?)
– ALDI project to automate desktop upgrades
DESY- Linux
• DL5 (SuSE 8.2) rollout in progress (25% done)
• support for base distribution ends April 2004
– 9.0 patches will help for another 6 months
• successor - better: continuation - needed early next year
• DL5 is most likely the last DESY Linux based on SuSE
– if a common HEP distribution with long lifetime is available and affordable, that's what we'll use
• started looking at Scientific Linux
– thanks to Fermilab for providing this!
– current version seems very compatible with DL5 (for users)
• purchase of licenses is an option - if price/value ratio ok
DESY- Linux/amd64
• aka ia32e aka x86_64
• first test system is a success
– IBM eServer 325, 2 x Opteron 246 (2.0 GHz), 4 GB RAM
– SuSE 9.0 Professional/amd64
• performs superior to fastest Xeon Systems (3.2 GHz)
– except FP
– ROOT applications especially fast, benefit from 64bit mode
• deployment of a small number of production systems soon
– seamless integration is relatively easy
• concern: cernlib dependency locks users into 32bit past
DESY-Security
• rules for individually maintained systems are in effect now
• regular scans from outside our firewall
– of all hosts with any port open through firewall
– for open ports and known vulnerabilities
– by commercial service provider
• access to mail servers now by imaps only
– got rid of clear text protocols pop and imap
• automated deployment of patches
– linux, old NT domain (netinstall), new XP domain (SUS)
– policies still evolving
DESY - Security continued
• due to recent Sasser threat, manually checked ALL notebooks brought on site for two days
– only a few systems got infected
• increased update frequency for virus signatures
– update server: hourly, client: every three hours
• a few users were tricked into installing Bagle.J
– lesson: treat encrypted attachments like executables, and quarantine them
• firewall now inhibits outgoing SMTP, except for approved mail servers
– imagine all sites and providers did that