This applies to all self-managed computers (servers, workstations and laptops) on which the product "Sophos Anti-Virus" from the IT store is installed.

"Sophos Anti-Virus" will become End of Life by the end of June 2023 and will be no longer supported by the vendor or ETH Zurich. After this date, there will be no updates and your machine will not be sufficiently protected any longer.

ETH Zurich recommends using the built-in antivirus solution of the respective operating system.

Detailed instructions for uninstalling Sophos Antivirus and activating the antivirus solutions of your operating system can be found in the following link in the IT Knowledgebase: Anti-Virus: Replacement of Sophos for Self-Managed Devices.

Users of managed Windows Computers by ISG can ignore this information because we will manage the transition from Sophos to MS Defender automatically.

This post is meant to give you a short overview of what has been accomplished in D-PHYS IT by ISG this year. We’ve been hard at work to further improve and extend our services for you, our customers. Since it took us almost exactly one year to fill our vacant Linux System Engineer position (once again: welcome Sascha!), we didn't have as much capacity for innovation as in previous years and had to focus more on system maintenance.

Some highlights of 2022:

• Mail server: the D-PHYS mail server got an OS upgrade in spring and was migrated to our general hypervisor setup, which adds redundancy and facilitates maintenance. In addition, work is in progress to support DKIM and further tighten our SPF and DMARC settings.
• Web server setup: the main D-PHYS web server got an OS upgrade in spring, test and staging environments and optional ssh access for power users.
• Infrastructure work: our Ansible deployment setup was further extended and refined and the first Windows servers have been added.
  Work has started to replace the Sophos virus scanner on managed Windows workstations.
  We migrated our floating licenses from three servers to a single high availability server.
  Within the next year, we'll migrate all eGroupware users to the new SOGo calendar.
• Storage: in 2022 the disk space occupied by data and backup grew from 3.7 PiB to 4.8 PiB, marking a significant annual growth in storage volume. A major storage migration is due in early 2023.
• Matrix/Element: This year we counted 737 active users, who sent 1'019'205 messages in 5'259 rooms that were created on our server. Our users also participated in 423 other rooms where 1'190'446 messages were sent. Two additional research groups migrated from Slack to Matrix.
• ISG lecture series: our Basics of Computing Environments for Scientists lecture series was held twice in 2022 with surprisingly low attendance.
• Outages: apart from some short-term network interruptions, our systems were pretty stable in 2022, with the notable exception of a localized "3 dead disks in a RAID6" disaster in September.
• OS upgrades: most managed Linux workstations were upgraded to Ubuntu 22.04 and the majority of servers are now running Debian bullseye. The Windows team prepared a new LTSC release and a Windows 11 setup. The managed Macs were all upgraded to macOS Monterey.
• Software upgrades: mostly incremental upgrades in our Windows and Linux software list this year.
• IT security: with the world being what it is, IT security plays an ever increasing role in our work and permeates all our plans and projects. We also take part in the current rewrite of ETH's IT security regulations.

I would like to take this opportunity to thank my whole team for their hard and dedicated work all year long.

Happy Holidays and see you in 2023!

It is my pleasure to welcome Sascha Giger into our group. He joins us to complete the Linux team.

Welcome Sascha!

This Thursday 2022-02-10 starting at 07:00 we will upgrade the server hosting most of our websites.

Affected websites

The following websites are unavailable during the downtime:

• Most ISG websites (news, readme, wiki)
• All customer webshares (dedicated websites and webapps)
• D-PHYS shop and Experimente

Important changes for website owners

All website owners: If you are a website owner/admin, please join our new Matrix room #web:phys.ethz.ch, to get support and news. After the upgrade, please check your websites for problems.

Python WSGI app owners: All WSGI apps have been switched to use a virtual environment to pin the currently used Python package versions. We encourage you to review and upgrade your dependency versions (via requirements.txt) after the server upgrade. Please read our new WSGI documentation for details.

Versions

• OS: Debian 10 -> 11
• Python: 3.7 -> 3.9
• PHP: 7.3 -> 7.4

The central Informatikdienste will have a scheduled downtime of all networking (cable and wireless) in the buildings HPK, HEZ, HPM, HPL and HPW on Monday 6th Dec 2021 in the evening between 19h00 and 23h00.

This is the second of three downtimes for the ongoing project to split the current networks into smaller chunks. This major undertaking will also induce a short downtime for some computers in the dynamic DHCP pool in other buildings (as some of our IP ranges are being moved to the listed buildings).

Users don’t need to do anything and their computers should come back online automatically. Otherwise try to reboot or get in touch with us.

In order to prepare for the migration, Informatikdienste will forbid all changes to their DHCP servers between Friday 3th Dec 13:00 and Tuesday morning. As a consequence we will not be able to register new devices or hostnames during this period.

Between yesterday Tue 23rd Nov 07:27 and tonight Wed 24th Nov 01:48 several hundred emails have erroneously been flagged as spam by our mail server. Please check your SpamBox folder for potential false positives during that period.

While we are constantly updating our filtering rules to catch the nasty spam, we are always doing our best to avoid flagging real emails as spam. We apologize for this and are still investigating the details of the root cause. Because the bulk of the messages were being correctly delivered, it took us several hours before we noticed the problem and could fix it.

The central Informatikdienste will have a scheduled downtime of all networking (cable and wireless) in the buildings HPH, HPP, HPR, HPS, HPV and HPZ on Monday 8th Nov 2021 in the evening between 19h00 and 23h00.

This is the first of three downtimes for the ongoing project to split the current networks into smaller chunks. This major undertaking will also induce a short downtime for some computers in the dynamic DHCP pool in other buildings (as some of our IP ranges are being moved to the listed buildings).

Users don't need to do anything and their computers should come back online automatically. Otherwise try to reboot or get in touch with us.

In order to prepare for the migration, Informatikdienste will forbid all changes to their DHCP servers between Friday 5th Nov 13:00 and Tuesday morning. As a consequence we will not be able to register new devices or hostnames during this period.

In August of 2010, we introduced our groupware solution for D-PHYS. In the last 11 years the system has served the Department well, but we believe now would be a good time to think about the future of groupware at D-PHYS. Here's an incomplete list of things we noticed over the years:

• the groupware system seems to get used almost exclusively as a calendar
• for distributed calendars, the world and people's expectations have changed
• file and sync formats have come and gone
• 17 people will have 634 completely orthogonal and incompatible use cases for calendars
• the product that won our evaluation round in 2010 is not necessarily the best system for 2021

We have sampled the market and test-installed several candidates, but since our humble ISG-internal calendar only covers one very specific use case, we strongly encourage you to give us your feedback so that the next D-PHYS calendar solution will suit you well. In particular, we're interested in learning

• are you using any other egroupware module(s) aside from the calendar? If you don't tell us about it now, a potential replacement may not have this functionality!
• what's your current calendar use case? Just a personal calendar? A group calendar? In which configuration?
• what's your desired calendar use case? This might be the most interesting thing to learn...
• which sync protocols/devices are you using?
• what other software/products/services have you been/are you using?

If you would like to help make sure the next evolution in distributed D-PHYS calendars is a success, please join our Matrix room and participate! Thanks a lot.

Several network migrations will take place over the next months that will have an impact on the design and inner workings of the ethernet network at D-PHYS. Even though all hosts will be affected at a technical level, we believe that most changes will not require any involvement from your side. By the end of the year this should further increase the fault-tolerance of the cabled network infrastructure and enhance the security of the bulk of the computers at D-PHYS.

Network segmentation

The central Informatikdienste are splitting several networks into smaller chunks to increase the overall stability and fault-tolerance. Unfortunately the details are flagged as confidential, prohibiting us from exposing the precise structure of this segmentation. The main repercussion is that our D-PHYS networks will no longer be able to span across all current buildings at once. So depending on the building, we will have to introduce new subnets and assign new IP addresses to the computers inside.

NAT network

Motivated by the above-mentioned segmentation as well as security considerations, we are planning to migrate a large number of hosts to a NAT network. This means that the computer will only get an ETH-internal IP address and will no longer be directly reachable from outside of ETH. From inside ETH or VPN, all communication with that computer remains unaffected. However, while the host can still communicate with all of the internet, it will no longer be exposed to direct attacks from the outside. We believe that this is a very sensible default for most computers and laptops. Of course it will still be possible to assign a public IP to selected hosts in order to provide a specific service to the outside. The new NAT network also provides DynDNS with sentname.dhcp-int.phys.ethz.ch hostnames and full IPv6 connectivity. So if you rely on DNS entries for dynamic IP addresses, make sure to use the domain dhcp.phys.ethz.ch for public subnets and dhcp-int.phys.ethz.ch for internal subnets.

DHCP migration

Right now, some of our networks are serviced by our own D-PHYS DHCP servers, while others use the DHCP servers of central IT services. We are now consolidating all networks and migrating the remaining ones step-by-step to the DHCP servers of Informatikdienste. This change is mostly technical and should remain unnoticed by most users.

For further details and up-to-date information please refer to our readme page.

Update 07:00 All web services are back online.

Tomorrow Wednesday 2021-01-20 starting at 06:00 we will upgrade the server hardware hosting most of our web services. We expect them to be back by 08:00 at the latest.

Affected web services

The following services are unavailable during the downtime:

• Most ISG websites (news, readme, wiki)
• All customer webshares (dedicated websites and webapps)
• All groupshare and personal homepages (public_html)
• Web databases (on sqlweb.phys.ethz.ch)
• D-PHYS shop and Experimente
• D-PHYS GitLab
• Chat (Matrix, Element, Jitsi)

Our Debian, Ubuntu and Raspbian mirror as well as Grafana, InfluxDB and Webmail will not be affected.

We will not be able to send any status updates via our news blog or via our Matrix news and status rooms.