Web server upgrade – step 1

After 11(!) years of loyal service, the current D-PHYS web server hardware will be retired in 2019 and all web sites hosted by ISG will migrate to new hardware. We will take the opportunity to reorganize the way we host web sites and improve the general setup of the web server.

In a first step, we will migrate the ‘personal’ web sites (those residing in public_html/ in a home directory or group share) on Wednesday, 17.7.2019. We have extensively tested the new setup, and unless you’re using dynamic content in your public_html folder (like PHP or other CGI scripts), you should not notice anything. With CGIs, there’s a slight chance we might have overlooked something, so please test your dynamic content after that date and get in touch if you see a problem.

The regular web sites hosted by us will be successively moved to the new hardware at a later time and we will get in touch with their owners should it be necessary.

Note that this will not affect the department website in any way as that one is hosted on the CMS of Informatikdienste.

Home server maintenance on Tue, July 9, 17:00

Update 20:10 Migration finished! Everything should work as normal.

In order to guarantee sustained performance and availability of our storage system, we schedule a maintenance downtime of our home directory server on

Tuesday, July 09, starting at 17:00

This only affects the home shares (technically: smb:\\home.phys.ethz.ch & /home/USERNAME). Email and group shares will have no interruption.

Since the server also needs a file system check, the downtime will take several hours.

For emergency cases, there will be read-only access to last night’s backup as described here .

We will update this posting once the home server is back online.

The end of Windows 7 is coming…

The time has come to upgrade your Windows 7 computer to Windows 10
since extended support for Windows 7 ends on January 14, 2020 (Windows lifecycle).

Why can I no longer use Windows 7 on the ETH network after the end of 2019?

Only operating systems with security support by the vendor are allowed to connect to the ETH network.

Unsupported operating systems that no longer receive security updates render the computer vulnerable to threats like viruses, malware or hacker attacks and also pose a threat to other computers on the network.

What should I do now?

  • If you are using an OEM computer with preinstalled Windows 7 for your daily work, please update it to Windows 10 by the end of this year, at the latest. The easiest way is to use the “Microsoft Media Creation Tool” available here.
    This process is called “inplace upgrade”. All applications and configuration settings should be kept.
  • If your computer is installed with the Windows 7 Enterprise license from ETH IDES, order Windows 10 Enterprise from the IT-Shop and use it for the upgrade.
  • If your computer is located in a lab and needs to be highly available to collect measurement data, there is the possibility to use a Windows 10 LTSC version instead of the Enterprise version. Please contact your IT administrator within your group. He should be able to help you or can get in touch with us if he needs additional help. More details about the LTSC version are described on our readme page.
  • If you think that you cannot upgrade your computer, please refer to our readme for possible solutions or contact us.

Note that at some point the network security group of Informatikdienste will start scanning for remaining Windows 7 computers at which point we will be forced to disconnect them from the network.

2018 in review

This post is meant to give you a short overview of what has been accomplished in D-PHYS IT by ISG this year. We’ve been hard at work to further improve and extend our services for you, our customers. Some highlights of 2018:

  • New mail server: between January and March, the virtual machines that make up the D-PHYS mail server were migrated to new hardware. We’re now running on a state-of-the-art server with SSD storage that will serve the department’s needs for many years to come.
  • New LDAP servers: in late 2017 we started a big migration to a cluster of new LDAP servers. This move was completed in the spring of 2018 and the old server turned off.
  • group membership edit: one of the benefits of the LDAP migration is that group memberships can now be managed directly by dedicated owners of a group. If you feel responsible for one such group and would like to be able to perform member management yourself without having to go through us each time, please get in touch.
  • New web server: we purchased new D-PHYS web server hardware to replace the old 10-year-old system. Since we’re also planning to change the setup of your web hosting, migrating the existing web sites to the new hardware will be a long process that will extend well into 2019.
  • Network migration: while we were in an advanced planning stage of a segmentation of the D-PHYS network and had already started to implement the first changes, Informatikdienste announced that the underlying network layout of the whole Hönggerberg campus would be redesigned in 2018/19 which deeply influences and impacts our work as well. We’re now on hold until we know details of ID’s technical implementation.
  • Storage: in 2018 the disk space occupied by data and backup grew from 1.6 PiB to 2.1 PiB, which means that growth in storage has picked up steam again after two slow years.
  • Outages: apart from the above-mentioned pre-announced migration windows and some short-term network interruptions, our systems have been very stable in 2018.
  • OS upgrades: the Windows 10 rollout has been largely completed and most Linux workstations have been upgraded to Ubuntu 18.04.
  • WiFi change: we accompanied and supported ETH’s wifi change project in November.
  • UCC: the UCC rollout which will replace the existing ETH telephony system with an all-IP based solution has been put on hold by Informatikdienste since the service quality was severely lacking. We’ll know more in 2019.Q2.
  • IT security: we participate in and support the ETH-wide IT security initiative.

I would like to take this opportunity to thank my whole team for their hard and dedicated work all year long.

Happy Holidays and see you in 2019!

Storage migration

Update 21:00 – IGP shares are back. Welcome to igp-data!
Update 19:30 – the D-PHYS shares are back. IGP will take a little more time.

In order to guarantee sustained performance and availability of our storage system, we need to schedule a few storage maintenance windows. The first one will take place on Wednesday, 12.12.2018 at 16:00 and affect all D-PHYS and IGP group shares, but not IPA or galaxy (technically: windata/macdata, but not astrogate or ipa-data). The relevant shares will be offline for at least 3 hours.

For emergency cases, there will be read-only access to last night’s backup as described here.

Please note that these migrations will bring some overall changes to the D-PHYS storage setup:

  • the SMBv1 protocol will be disabled on all file servers. It has a long history of security issues and we’ve migrated all clients to newer versions, so this should not affect anyone. However, there’s a small chance that we didn’t catch all connections, so please contact us if you experience any issues after the migration.
  • all SMB protocol versions will be restricted to ETH-internal access. This step has been long overdue and since most ISPs block the necessary ports anyway, it shouldn’t affect too many users. What it means however: in the future, file server access from outside ETH requires VPN.
  • IGP/D-BAUG will get their own front-end server igp-data. If you’re with IGP and have already switched your file server mounts from windata to igp-data, you’re good and don’t have to do anything. If you haven’t, you should do so before Dec 12 in order to get a seamless migration experience.

We’ll update this post as the migration progresses and as soon as the systems are back.

Groupware migration

On Tuesday, October 2, starting at 07:00, we will migrate our groupware instance to another server. For about 1 hour you won’t have access to your calendar. If you’re one of the few people who also sync their email via groupware, mail will be offline too (you can always use webmail). After the migration your clients should just reconnect and resume syncing. If you notice any issues after we’re done, please get in touch.

Update Wed 07:45: migration completed, please let us know if you experience any problems.

Advance information: network migration

After a long (11 years) phase of stability in the D-PHYS network, we are preparing a pretty extensive network reorganization for 2018. This is mainly driven by ever-increasing information security requirements mandated by ETH. The D-PHYS network has traditionally been very open and we will try to keep it that way, but we need to implement some modifications. The basic premise is to partition our current /21 network (2048 IP addressess) into smaller groups that better represent the types of machines in those networks. This will then allow us to tailor each group’s firewall rules to the services needed by those machines. The roadmap looks like this:

  • Rearrange hosts in current /21 net to align with future VLAN boundaries
  • Partition the /21 net into smaller VLANs
  • Migrate individual subnets from our DHCP server to that of ID. This will also allow us to assign IPv6 addresses
  • Migrate the subnets into different virtual private zones (VPZ)
  • Assign and fine tune firewall settings on the different VPZ

As usual, we’ll try to implement these steps as smoothly as possible. However, a migration on this scale will not go entirely without issues. Step 1 will entail an IP address change for quite a number of hosts. We’ll make sure that our dyndns host names (foobar.dhcp.phys.ethz.ch) will be in sync with the new addresses, but this only works for properly configured DHCP hosts. Here’s how you can help: if you have any hosts in the 192.33.96.0/21 D-PHYS network that are statically configured (non-DHCP), please get in touch with us ASAP. The same is true if you’re using hard-coded IP addresses from that range instead of host names. We’ll need to deal with those hosts individually.
In the course of 2018 we’ll keep you updated on project progress and announce specific dates when we implement changes.

Update: since Informatikdienste are currently drafting an even more comprehensive Hönggerberg network reorganization that will deeply impact our plans as well, this project is currently on hold until we know more. Stay tuned.

Edit group share memberships yourself

Owners of our group shares so far always had to contact us in order to have members added or removed to/from the underlying LDAP group. One of the benefits of the recent LDAP migration is that we can now offer a web interface for LDAP group member management.

group-edit
If you’re the owner of a group share and would like to be able to perform user management yourself, please get in touch with me. You can also use this interface to edit your group report settings.

Mail server maintenance on Tue, March 27

Update 07:25 The migration is complete and our mail server is back online. Please let us know if you notice anything peculiar. This concludes our multi-step migration to the new mail server hardware

In order to finalize the upgrade of the D-PHYS mail server, we schedule a maintenance downtime on

Tuesday, March 27, between 06:30 and 08:00 in the morning

During that time it will not be possible to send or receive emails. In particular, incoming external emails will not be lost, but held on the sender’s side and will be delivered after the migration. Outgoing mail will be kept in your mail client until the connection is restored.

We will update this posting once the mail server is back online.

New location for mail filtering rules, forwarding and vacation auto-replies

After the migration, all mail-related settings will be consolidated into the Roundcube Webmail interface:

  • spam filtering rules (whitelist, blacklist)
  • forwarding of your emails to a different account
  • setting a vacation or out-of-office auto-reply message
  • defining rules to automatically file incoming mails into specific folders

This will make configuring your email settings easier and also give you more options than before (for example, the out-of-office auto-reply can now be configured to automatically terminate at the end of your absence).

Please refer to our readme for details on how to customize these settings in the future. Feel free to contact us if you have any questions.

The current settings of all active users have been converted and imported.

In technical terms we are migrating from procmail to sieve. In particular the hidden text file ~/.procmailrc in the user’s home folder will be ignored after the migration.

Removal of old LDAP server

As already described in this past posting, we have recreated our LDAP server infrastructure and will now retire the old server. For the last 4 weeks we’ve been sniffing for LDAP queries that still use the old server and we’ve addressed each of those requests individually. Since we can’t guarantee to detect each and every single network packet, now is your last chance to migrate to the new servers in case you haven’t done so already. The old server will go offline on

Friday, March 16

Please let us know if you have any questions.