Archive for the ‘Announcements’ Category

Web server upgrade – step 1

Tuesday, July 9th, 2019

After 11(!) years of loyal service, the current D-PHYS web server hardware will be retired in 2019 and all web sites hosted by ISG will migrate to new hardware. We will take the opportunity to reorganize the way we host web sites and improve the general setup of the web server.

In a first step, we will migrate the ‘personal’ web sites (those residing in public_html/ in a home directory or group share) on Wednesday, 17.7.2019. We have extensively tested the new setup, and unless you’re using dynamic content in your public_html folder (like PHP or other CGI scripts), you should not notice anything. With CGIs, there’s a slight chance we might have overlooked something, so please test your dynamic content after that date and get in touch if you see a problem.

The regular web sites hosted by us will be successively moved to the new hardware at a later time and we will get in touch with their owners should it be necessary.

Note that this will not affect the department website in any way as that one is hosted on the CMS of Informatikdienste.

Home server maintenance on Tue, July 9, 17:00

Wednesday, July 3rd, 2019

Update 20:10 Migration finished! Everything should work as normal.

In order to guarantee sustained performance and availability of our storage system, we schedule a maintenance downtime of our home directory server on

Tuesday, July 09, starting at 17:00

This only affects the home shares (technically: smb:\\home.phys.ethz.ch & /home/USERNAME). Email and group shares will have no interruption.

Since the server also needs a file system check, the downtime will take several hours.

For emergency cases, there will be read-only access to last night’s backup as described here .

We will update this posting once the home server is back online.

The end of Windows 7 is coming…

Wednesday, January 16th, 2019

The time has come to upgrade your Windows 7 computer to Windows 10
since extended support for Windows 7 ends on January 14, 2020 (Windows lifecycle).

Why can I no longer use Windows 7 on the ETH network after the end of 2019?

Only operating systems with security support by the vendor are allowed to connect to the ETH network.

Unsupported operating systems that no longer receive security updates render the computer vulnerable to threats like viruses, malware or hacker attacks and also pose a threat to other computers on the network.

What should I do now?

  • If you are using an OEM computer with preinstalled Windows 7 for your daily work, please update it to Windows 10 by the end of this year, at the latest. The easiest way is to use the “Microsoft Media Creation Tool” available here.
    This process is called “inplace upgrade”. All applications and configuration settings should be kept.
  • If your computer is installed with the Windows 7 Enterprise license from ETH IDES, order Windows 10 Enterprise from the IT-Shop and use it for the upgrade.
  • If your computer is located in a lab and needs to be highly available to collect measurement data, there is the possibility to use a Windows 10 LTSC version instead of the Enterprise version. Please contact your IT administrator within your group. He should be able to help you or can get in touch with us if he needs additional help. More details about the LTSC version are described on our readme page.
  • If you think that you cannot upgrade your computer, please refer to our readme for possible solutions or contact us.

Note that at some point the network security group of Informatikdienste will start scanning for remaining Windows 7 computers at which point we will be forced to disconnect them from the network.

Storage migration

Monday, December 3rd, 2018

Update 21:00 – IGP shares are back. Welcome to igp-data!
Update 19:30 – the D-PHYS shares are back. IGP will take a little more time.

In order to guarantee sustained performance and availability of our storage system, we need to schedule a few storage maintenance windows. The first one will take place on Wednesday, 12.12.2018 at 16:00 and affect all D-PHYS and IGP group shares, but not IPA or galaxy (technically: windata/macdata, but not astrogate or ipa-data). The relevant shares will be offline for at least 3 hours.

For emergency cases, there will be read-only access to last night’s backup as described here.

Please note that these migrations will bring some overall changes to the D-PHYS storage setup:

  • the SMBv1 protocol will be disabled on all file servers. It has a long history of security issues and we’ve migrated all clients to newer versions, so this should not affect anyone. However, there’s a small chance that we didn’t catch all connections, so please contact us if you experience any issues after the migration.
  • all SMB protocol versions will be restricted to ETH-internal access. This step has been long overdue and since most ISPs block the necessary ports anyway, it shouldn’t affect too many users. What it means however: in the future, file server access from outside ETH requires VPN.
  • IGP/D-BAUG will get their own front-end server igp-data. If you’re with IGP and have already switched your file server mounts from windata to igp-data, you’re good and don’t have to do anything. If you haven’t, you should do so before Dec 12 in order to get a seamless migration experience.

We’ll update this post as the migration progresses and as soon as the systems are back.

Groupware migration

Thursday, September 27th, 2018

On Tuesday, October 2, starting at 07:00, we will migrate our groupware instance to another server. For about 1 hour you won’t have access to your calendar. If you’re one of the few people who also sync their email via groupware, mail will be offline too (you can always use webmail). After the migration your clients should just reconnect and resume syncing. If you notice any issues after we’re done, please get in touch.

Update Wed 07:45: migration completed, please let us know if you experience any problems.

Advance information: network migration

Thursday, July 12th, 2018

After a long (11 years) phase of stability in the D-PHYS network, we are preparing a pretty extensive network reorganization for 2018. This is mainly driven by ever-increasing information security requirements mandated by ETH. The D-PHYS network has traditionally been very open and we will try to keep it that way, but we need to implement some modifications. The basic premise is to partition our current /21 network (2048 IP addressess) into smaller groups that better represent the types of machines in those networks. This will then allow us to tailor each group’s firewall rules to the services needed by those machines. The roadmap looks like this:

  • Rearrange hosts in current /21 net to align with future VLAN boundaries
  • Partition the /21 net into smaller VLANs
  • Migrate individual subnets from our DHCP server to that of ID. This will also allow us to assign IPv6 addresses
  • Migrate the subnets into different virtual private zones (VPZ)
  • Assign and fine tune firewall settings on the different VPZ

As usual, we’ll try to implement these steps as smoothly as possible. However, a migration on this scale will not go entirely without issues. Step 1 will entail an IP address change for quite a number of hosts. We’ll make sure that our dyndns host names (foobar.dhcp.phys.ethz.ch) will be in sync with the new addresses, but this only works for properly configured DHCP hosts. Here’s how you can help: if you have any hosts in the 192.33.96.0/21 D-PHYS network that are statically configured (non-DHCP), please get in touch with us ASAP. The same is true if you’re using hard-coded IP addresses from that range instead of host names. We’ll need to deal with those hosts individually.
In the course of 2018 we’ll keep you updated on project progress and announce specific dates when we implement changes.

Update: since Informatikdienste are currently drafting an even more comprehensive Hönggerberg network reorganization that will deeply impact our plans as well, this project is currently on hold until we know more. Stay tuned.

Edit group share memberships yourself

Wednesday, April 18th, 2018

Owners of our group shares so far always had to contact us in order to have members added or removed to/from the underlying LDAP group. One of the benefits of the recent LDAP migration is that we can now offer a web interface for LDAP group member management.

group-edit
If you’re the owner of a group share and would like to be able to perform user management yourself, please get in touch with me. You can also use this interface to edit your group report settings.

Mail server maintenance on Tue, March 27

Friday, March 23rd, 2018

Update 07:25 The migration is complete and our mail server is back online. Please let us know if you notice anything peculiar. This concludes our multi-step migration to the new mail server hardware

In order to finalize the upgrade of the D-PHYS mail server, we schedule a maintenance downtime on

Tuesday, March 27, between 06:30 and 08:00 in the morning

During that time it will not be possible to send or receive emails. In particular, incoming external emails will not be lost, but held on the sender’s side and will be delivered after the migration. Outgoing mail will be kept in your mail client until the connection is restored.

We will update this posting once the mail server is back online.

New location for mail filtering rules, forwarding and vacation auto-replies

After the migration, all mail-related settings will be consolidated into the Roundcube Webmail interface:

  • spam filtering rules (whitelist, blacklist)
  • forwarding of your emails to a different account
  • setting a vacation or out-of-office auto-reply message
  • defining rules to automatically file incoming mails into specific folders

This will make configuring your email settings easier and also give you more options than before (for example, the out-of-office auto-reply can now be configured to automatically terminate at the end of your absence).

Please refer to our readme for details on how to customize these settings in the future. Feel free to contact us if you have any questions.

The current settings of all active users have been converted and imported.

In technical terms we are migrating from procmail to sieve. In particular the hidden text file ~/.procmailrc in the user’s home folder will be ignored after the migration.

Removal of old LDAP server

Tuesday, March 6th, 2018

As already described in this past posting, we have recreated our LDAP server infrastructure and will now retire the old server. For the last 4 weeks we’ve been sniffing for LDAP queries that still use the old server and we’ve addressed each of those requests individually. Since we can’t guarantee to detect each and every single network packet, now is your last chance to migrate to the new servers in case you haven’t done so already. The old server will go offline on

Friday, March 16

Please let us know if you have any questions.

Mail server maintenance on Wed, Jan 24

Friday, January 19th, 2018

Update 07:25 Migration finished, welcome on the new mail server!

We schedule a maintenance downtime for the D-PHYS mail server on

Wednesday, January 24, between 07:00 and 08:00 in the morning

During this period, sending and receiving new emails will have interruptions, thereby delaying incoming and outgoing mails. In particular, incoming external emails will not be lost, but held on the sender’s side and will be delivered after the migration. Outgoing mail will be kept in your mail client until the connection is restored. The IMAP server will not be affected, so all email clients should have continuous access to the existing mailboxes.

This maintenance window will be used to migrate the first part of our mail server infrastructure to the latest version of the operating system and new hardware with fast SSD storage.

New location for SpamAssassin user preferences

We re-designed how our mail server is parsing the user’s configuration for the spam filtering. Currently one has to edit the hidden text file ~/.spamassassin/user_prefs in the home folder. Starting from next Wednesday the spam filtering rules can be edited more conveniently through the settings in the Webmail interface. This will allow users to easily

  • accept mail from a given sender and never mark it as spam (whitelist)
  • reject mail from a given sender and always mark it as spam (blacklist)
  • set the threshold score required for any message to be considered as spam

The existing user preferences have been parsed and all of the above settings have been imported into the new setup. The contents of ~/.spamassassin/ will be ignored after the migration. Please contact us if you have questions regarding your advanced SpamAssassin rules.