Duke ITAC - May 31, 2018 Minutes
ITAC Meeting Minutes – May 31, 2018
4:00 - 4:05 – Announcements
Ken Rogerson welcomed all and there were no announcements.
4:05 - 4:30 – OIT Labs Update, Michael Faber, Mark-Everett McGill
What it is: Duke provides the facilities, equipment, and services to support the community’s ever-changing technology needs. OIT’s Labs group will offer insight into their busy year, including what’s new on campus and how it supports Duke’s academic mission.
Why it’s relevant: As IT trends continually evolve, Duke must stay at the forefront to meet the needs of students, faculty, and staff. We will discuss how new labs strategies and initiatives encourage learning and innovation, as well as how they can contribute to projects across the Duke community.
99% of students arrive on campus with a modern laptop, so a lab where they can use a computer to do their homework is no longer necessary. Also, site licenses for critical software (Adobe, Microsoft, Matlab, Autodesk, GIS, etc.) that used to be available only on OIT-supported lab machines can now be downloaded onto individual computers. This has resulted in a dramatic decrease in the number of machines and equipment on campus, from 300+ in 2008 to 150 at present. The usage trends in labs show the same logins per workstation despite fewer workstations, which indicates that we're still meeting the needs of lab computing on campus.
Some recent changes in labs include transitioning away from the Teer lab, which had 45 Linux machines and 32 iMacs, as well as a shift in the Lilly Lab from general computing needs to imaging and scanning. We no longer provide hardware for Athletics and Hudson but still provide "soft" support for images, and we continue to evaluate low-usage labs.
The philosophical change in the last couple of years is a shift in focus from Computer Labs to Technology Spaces: meeting the technology needs of a student that are not readily accessible in a backpack, laptop, or dorm room. These are not necessarily computer needs any more, but they align directly with the technology needs on campus.
The Multimedia Project Studio, a lab opened specifically for audio/video production and graphic design that has been around for a while, is a model of this kind of service. About 3½ years ago, we developed a Proof of Concept for another exploration facility known as the Co-Lab, which eventually became the Technology Engagement Center: a modern computer lab without computers, but a technology flagship including a classroom and a 3D printing lab.
The Rubinstein Art Center, opened in 2017, offers great architecture and with an infrastructure that’s intentionally exposed, technology steps into the art space to combine art with technology.
Several new services have been added on campus out of these spaces, including the Bluesmith Studio and the DesignHub platform repository. The launch of Duke's VCM allowed use of apps without having to install them, along with convenient reservations and once-a-day snapshots, and made a big impact on the reduction of computers. Another initiative has been the launch of Tech VR labs set up in residential spaces and focused on entertainment, offering free video games; Mixed VR now embeds real-world elements in VR, including the visuals as seen by the user along with their body. VR is also being used to look at a proposed space from an architect's Computer Aided Design file before the building is actually built.
Esports, electronic multiplayer video games played by teams across the world on the internet with live-streaming audiences in the millions, may become a popular offering to meet technology and community needs.
In conclusion, the OIT labs have been evolving to meet the computing and technology needs of campus and will continue to offer the latest. This approach both keeps labs on campus relevant and helps create infrastructure and expertise available outside of OIT, using many standardized tools and services.
Q1: Since the physical Teer lab retired and the virtual Teer lives on, what is the trajectory of the virtualized Teer cluster on VCM going forward, and of managing the virtual Teer lab image? Are they two parallel paths?
A: We are planning to continue to update the OS and the software.
Q2: How do you share the whiteboard?
A: The Cisco Spark board may be the closest to your needs.
4:30 - 4:50 – ZeroTier Overlay Network, Mark McCahill
What it is: ZeroTier is a centrally managed overlay network that connects distributed computers to make it appear as if the whole world is a single data center. This simplifies providing secured services that span Duke’s datacenter and cloud services (such as Amazon and Azure) to campus and home users. OIT has begun using ZeroTier to provide access to the web dashboards for Apache Spark clusters used for Big Data analysis, and to securely connect RStudio and Jupyter notebooks front ends hosted in Azure to the Spark clusters run in Duke’s campus datacenter. OIT is also using ZeroTier to provide an encrypted virtual management network for distributed devices such as Raspberry Pis.
Why it's relevant: ZeroTier is a simpler, more flexible solution that provides the functionality of VPN (virtual private network) and SDN (software defined network) technologies while running over existing TCP/IP networks. We will review ZeroTier's capabilities and how it can help Duke users construct virtual datacenters that span multiple networks and devices.
ZeroTier is a software defined overlay network that provides virtual ethernet interfaces to network nodes, running over existing network paths, to provide centrally managed virtual network access. We are using ZeroTier to build hybrid cloud/on-prem systems. The software is available for Linux, macOS, Windows, iOS, and Android, and as a hardware appliance; see https://zerotier.com/
The first problem: Apache Spark users need access to the web-based dashboards for Spark cluster services, but Spark typically runs in a private enclave, and running an https proxy for a dozen services is a pain.
To solve this, ZeroTier provides an easy-to-manage network spanning the Duke datacenter, the MS Azure cloud, and the specific users' devices authorized for the network.
The following steps set up ZeroTier:
- Install ZeroTier client software on users’ computers.
- Clients will request access to ZeroTier network(s) with their ZeroTier nodeID.
- ZeroTier network admin grants access and assigns private IP address.
- Clients discover other clients on the network(s) they joined from ZeroTier Central and then can communicate directly (peer-to-peer).
The second problem: we need a private sysadmin management network for Raspberry Pi devices, and we also need to securely connect them to a central server; but since the Raspberry Pi devices move around, the management network needs to be able to handle devices that change IP addresses.
The solution is to restrict VNC and ssh access on the Raspberry Pis to a private ZeroTier network, by joining the Raspberry Pis, the server, and my laptop to that network.
In conclusion, ZeroTier is a distributed network hypervisor built atop a cryptographically secure global peer-to-peer network, providing advanced network virtualization and management capabilities on par with an enterprise SDN switch, but across both local and wide area networks and connecting almost any kind of app or device. Network virtualization with ZeroTier is very useful for spanning clouds and creating private virtual networks. OIT is running ZeroTier software defined overlay networks for device management and to provide enhanced access to teaching/research tools. An early pilot test of a Duke-hosted ZeroTier Central instance is now running at https://zerotier-central.oit.duke.edu. The commercial site is free for up to 100 machines.
Q1: Is all the underlying software open source?
A: Yes, but if you want a license for over 100 devices the cost is about $29 a month.
Q2: Does this have any relevance for Duke Health firewalls?
A: If Duke Health's firewall weren't blocking port 9993, you'd be able to set up an overlay network between the campus and the Health system.
Q3: How robust is the software?
A: I've been using it for 6 months and it's robust enough to connect me to dad's computer, and robust for the Spark Cluster. It's a little unstable for the Raspberry Pis since they need to be awakened every so often. I use this for my media center, which is on its own server, and I stream my music over to my phone using ZeroTier, but the iOS client times out after 12 hours and has to be reconnected.
Q4: How can the Spark Cluster benefit from using ZeroTier?
A: We could easily extend the Spark Cluster to make it look like one big data center.
4:50 - 5:10 – Vanity URLs for Sites@Duke, Ryn Nasser
What it is: Sites@Duke, Duke’s centrally-managed WordPress service, provides an easy way for faculty, staff, and students to set up a website or blog using predefined design themes and plugins, at no charge to the user. Historically, Sites@Duke sites have been required to follow a set URL convention that provided little flexibility or originality in selecting a domain name. Now, a new feature allows users to implement vanity URLs through domain-mapping.
Why it’s relevant: Despite its ease of use and affordability, the lack of flexibility in choosing a URL has been a deterrent for many considering using Duke’s WordPress network to meet their website needs. This presentation outlines how the Sites@Duke team responded to this user feedback, and how the solution will open the service to new audiences. We will also discuss plans for future enhancements.
Domain Mapping on sites.duke.edu is a new offering from OIT to support enterprise services and integration plug-ins and to centrally manage security updates. The types of sites include blogs, personal or CV sites, course sites, research study informational sites, conference or event sites, or a small website for department, initiative, etc.
The implementation involved getting all the pieces in place, with the biggest challenge being not taking down sites.duke.edu:
- Use of a set of templates to configure Apache
- Error-checking steps for valid YAML
- A Python script writes the configuration by parsing the template files
- Error-checking steps for correct config and certificate
- Python script copies config and certificate into place
The following steps are used for mapping domains:
- Generate a certificate signing request (CSR)
- Domain owner signs certificate in Locksmith
- Add the signed certificate and domain to the configuration file
- Rebuild the sites.duke.edu containers one at a time so not all are down at the same time.
- Update the domain mapping section for the specific site
- Point DNS for domain to sites.duke.edu which can happen at the very end for existing sites or any time for a new site.
The demo site is https://test4.webservices.duke.edu.
The caveats: this process still requires manual intervention for DNS, since someone must determine who owns the domain, send a ticket to repoint the domain to sites.duke.edu, and update the domain mapping for the specific sites.duke.edu site. Also, at present this process only applies to internal domains (SSL).
Third-level sites are of the form website.duke.edu and require approval to create; fourth-level sites are of the form related.website.duke.edu and require approval from the owner of the third-level domain to map; external sites are anything NOT under duke.edu.
The challenges are proving Duke ownership of the domain (needed for SSL certificates) and not being able to automate DNS changes if sites.duke.edu moves. Also, mapped internal domains are pointed at the sites.duke.edu IPs; if this were done with external domains, they would all need to be tracked down.
In conclusion, the potential path forward is to require that Duke DNS be authoritative for any domain mapped to sites.duke.edu, which demonstrates Duke ownership and mitigates issues if sites.duke.edu moves, and to require that OIT manage external domains through its preferred registrar instead of several external entities.
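As an added example (not OIT's own script, which the minutes only describe), here is how the "error-checking steps for correct config" in the implementation above could be expressed in Python: it applies the domain-level rules (third-level duke.edu names need approval to create, fourth-level names need the third-level owner's approval, external domains are not mapped) and renders an Apache vhost from a template. The vhost template, the `owners` lookup table and the entry field names are assumptions, and the YAML mapping file is taken as already loaded into dicts.

```python
import re
from string import Template

PARENT = "duke.edu"
TARGET = "sites.duke.edu"  # host that every mapped domain is pointed at
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
# Hypothetical Apache vhost template; OIT's real template files are not on the page.
VHOST = Template("""<VirtualHost *:443>
    ServerName $domain
    SSLEngine on
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
    ProxyPreserveHost On
    ProxyPass / http://$target/
    ProxyPassReverse / http://$target/
</VirtualHost>
""")

def classify(domain):
    """Return 'third', 'fourth', 'external', 'malformed' or 'unsupported'."""
    labels = domain.lower().rstrip(".").split(".")
    if not all(LABEL.match(label) for label in labels):
        return "malformed"
    if ".".join(labels[-2:]) != PARENT:
        return "external"
    depth = len(labels)
    return "third" if depth == 3 else "fourth" if depth == 4 else "unsupported"

def problems(entry, owners):
    """List why one mapping entry (a dict loaded from the YAML file) cannot be mapped.
    `owners` is a constructed third-level-domain -> owning-NetID table standing in
    for the manual 'who owns the domain' check; an empty list means the entry is OK."""
    domain = entry["domain"].lower()
    found = []
    level = classify(domain)
    if level not in ("third", "fourth"):
        found.append(f"{domain}: {level}; only third- or fourth-level duke.edu names are mapped")
    elif level == "fourth":
        parent = domain.split(".", 1)[1]
        if entry.get("approved_by") != owners.get(parent):
            found.append(f"{domain}: needs approval from the owner of {parent}")
    elif not entry.get("approved_by"):
        found.append(f"{domain}: third-level name needs approval to be created")
    for field in ("cert", "key"):
        if not str(entry.get(field, "")).endswith(".pem"):
            found.append(f"{domain}: {field} must be a path to a PEM file")
    return found

def render(entries, owners):
    """Check every entry before rendering any, so a bad entry never reaches Apache."""
    errors = [p for entry in entries for p in problems(entry, owners)]
    if errors:
        raise ValueError("; ".join(errors))
    return [VHOST.substitute(domain=e["domain"].lower(), cert=e["cert"],
                             key=e["key"], target=TARGET) for e in entries]
```

Rendering all-or-nothing mirrors the page's concern about not taking sites.duke.edu down: a single bad entry stops the config copy rather than producing a partially broken Apache configuration.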
Q1: What is the process to transfer an external domain to Duke DNS?
A: We are in the midst of establishing a process for this, including security.
Q2: How long is the turnaround time for a site URL to become active?
A: It's about 30 minutes for my team.
Q3: How many such sites are there on sites.duke.edu?
Q4: What about posting a page on someone else’s domain?
A: You could request a third level redirect from that page but once you got to that page you would see the URL of that site.
5:10 - 5:20 – Ivy+ Update, Ryn Nasser
What it is: Representatives from top-tier schools meet annually to discuss and share information in various areas. Topics include overall university directions, budgets, projects, online learning tools, and daily operations.
Why it’s relevant: Sharing experiences and discussing challenges with our peers helps provide a collaborative environment where ideas are formed and problems are solved. Ryn will share her experience at the 2018 conference on web communications.
The Ivy+ Web Roundtable, held this year at the University of Chicago on April 19-20, 2018, is a joint effort between Communications and Information Technology, consisting of two members from each of the universities, one of whom participates in the roundtable discussions. This year Ryn Nasser and Blythe Morrel attended from Duke.
The following schools attended this year:
- California Institute of Technology
- Carnegie Mellon University
- Columbia University
- Cornell University
- Dartmouth College
- Duke University
- Harvard University
- Massachusetts Institute of Technology
- Princeton University
- Stanford University
- University of Chicago
- Yale University
Topics of great interest and discussion were:
- Accessibility: 10 of the 12 schools have one or more accessibility specialists and a policy/guideline to address and prioritize compliance for high-level sites. The general focus was on moving forward rather than retrofitting existing sites, for both development and content needs assessment, especially making PDF files accessible.
- Partnerships and structure: Most of the schools have central web services groups, and half have cost recovery models, where the percentage of cost recovery ranges from 40% to 70% for a shared platform vs. custom development.
- Site building innovations and trends: Teams are starting to rely more on "one size fits most" solutions for the majority of websites, as well as moving away from a-la-carte websites that require a lot of maintenance. Schools are steering customers toward centrally-provided content services over building separate websites.
- Content Management Systems Snapshot: 9 of the 12 schools primarily use Drupal for high-level mission-critical websites, and at least 4 schools use Drupal as a "one size fits all" solution. Duke is currently not in this set of schools. Also, some schools support additional content management systems, such as WordPress, at the central level, whereas some schools are still in a legacy support mode and not in a rush to change.
Questions and Comments:
Q1: Was there a sense of departmental push-back against site changes?
A: Several groups discussed this and none of them mentioned any push-back, as the schools seemed to be more accepting of a centrally-provided content service over building separate websites.
Q2: Was there something in particular that you learned or heard?
A: One of the schools has a very robust Drupal platform that can easily be provisioned at a low cost.
5:20 - 5:30 – CSG Update, John Board, Tracy Futhey, Charley Kneifel, Mark McCahill
What it is: The Common Solutions Group works by inviting a small set of research universities to participate regularly in meetings and project work. These universities are the CSG members; they are characterized by strategic technical vision, strong leadership, and the ability and willingness to adopt common solutions on their campuses.
Why it’s relevant: CSG meetings comprise leading technical and senior administrative staff from its members, and they are organized to encourage detailed, interactive discussions of strategic technical and policy issues affecting research-university IT across time. We would like to share our experiences from the recent spring 2018 meeting.
The CSG attendees found the following topics to be of interest:
- One approach to identity proofing, used alongside Multi Factor Authentication, was a selfie: a person in Africa who needed a password reset could write the case number generated by the analyst on a big piece of paper and take their picture holding the number, similar to a mug shot, which the analyst would then compare to the picture in the database to ensure the pictures match. It was also noted that we are constrained to the Duke Card system; however, we could implement a similar approach more broadly.
- One of the schools has been using certificate-based authentication to websites, without the need for usernames/passwords, for decades, but it was observed that 80% of the users continued to type a username and password because they are so accustomed to doing so. The need for education was therefore acknowledged, as was automating the generation and installation of certificates.
- Another school has developed a tool for automating tokens and certificates and building a cache so that revoked or expired certificates can be handled efficiently.
- Schools agreed on using an interpreter or analyst who fully understands the business needs and is able to determine if a viable use-case solution that is being communicated by a company salesperson is in the best interest of the university.
- None of the schools are using cloud billing services to analyze billing systems.