General information


Middleware


UMD

  • CentOS Stream 8 now the recommended OS for new installations
  • C8->CS8 migrations recommended
  • CS9 will be supported by CERN and FNAL
  • middleware: recommended path is C7->CS9 (we will skip CS8)


Operations

ARGO/SAM

  • Integration of EOS storage element: GGUS 154335
  • Monitoring probe status:

    • We are testing the monitoring probe for the EOS Storage endpoints (GGUS 156251) which uses the XRootD interface (see https://github.com/EGI-Federation/nagios-plugins-xrootd )

    • On GOCDB the EOS endpoints are registered as XrootD service endpoints.

    • In order to allow the proper execution of the probe, we would like you to:

      • enable the ops VO on your endpoints

      • for each EOS (Xrootd) service endpoint add the following Extension Property:

      • Please do the same even if you provide an XRootD interface with a different type of storage element.

    • Test results on the devel instance

FedCloud

Feedback from DMSU

New Known Error Database (KEDB)

The KEDB has been moved to Jira+Confluence: https://confluence.egi.eu/display/EGIKEDB/EGI+Federation+KEDB+Home

  • problems are tracked with Jira tickets to better follow-up their evoulution
  • problems can be registered by DMSU staff and EGI Operations team

Monthly Availability/Reliability


Under-performed sites after 3 consecutive months, under-performed NGIs, QoS violations: (April 2022):

sites suspended: ITEP (security reasons)

New CERN Grid CA

  • IGTF 1.116 was released on April 25th introducing a new CERN Grid CA
  • The new certificate was put into production on May 2nd
  • This change affects middleware products relying on older versions of the "canl-java" library for which a service restart is needed to make use of the new CA (and the new IGTF release in general)
    • Argus
    • dCache
    • StoRM
    • VOMS-Admin
  • On May 2nd a broadcast was circulated asking to restart the NGI Argus endpoints which were failing the tests
  • the following versions of dCache do not need a restart:

myproxy-6.2.9-8 restores backward compatibility

  • Last week WLCG found out that the version of MyProxy released in EPEL (6.2.9-7) was working only with 6.2.9-7 clients
  • Issue reported to Grid CF.
  • A fix was released, and a version backward-compatible (6.2.9-8) is now in EPEL 7 and 8.

Documentation

IPv6 readiness plans

Transition from X509 to federated identities (AARC profile token)

  • WLCG is testing aai tokens (WLCG profile) as authz system for accessing the middleware, with Indigo IAM as a replacement of VOMS
  • In Feb 2022 OSG will fully move to token-based AAI, abandoning X509 certificates
  • HTCondorCE: replacement of Grid Community Toolkit
    • The long-term support series (9.0.x) from the CHTC repositories will support X509/VOMS authentication through Sep 2022 Jan 2023
    • Starting in 9.3.0 (released in October), the HTCondor feature releases does NOT contain this support
    • EGI sites are recommended to stay with the long-term support series for the time being

What we need to know in preparation of the transition:

Checking the middleware compliance with the AARC Profile token:

Circulated a survey to check the awareness and readiness of users communities:

  • which GRID services do they use
    • Compute: ARC-CE
    • Compute: HTCondorCE
    • Storage: SRM
    • Storage: webdav/http
    • Storage: GridFTP

  • do you interact directly with Compute and Storage services (e.g., through command line) or do you use a tool (e.g., DIRAC, data transfer tools, data management tools, etc.) available to your VO?

  • do you own and need a personal X509 certificate to access the services or can you use a federated identity (e.g., institutional identity, social account, etc.)
  • are they familiar with AAI identities
  • are they ready for the switch

Broadcast sent to the VO on Jan 28th (it requires login): https://operations-portal.egi.eu/broadcast/archive/2896 

  • reply so far from:
    • atlas
    • biomed
    • enea
    • eiscat.se
    • glast.org (srm, gfal-utils)
    • ildg (srm, gridftp; direct access with x509)
    • Km3Net
    • lhcb
    • project.nl
    • vo.france-grilles.fr
    • vo.grapevine.eu
    • vo.hess-experiment.eu
    • vo.complex-systems.eu
    • VOCE
  • usage of DIRAC in general, a few VOs access directly to the services
  • a training over federated identities for users (and sys-admins) could be useful
  • VOs framework based on either X509 or AAI (because the usage of DIRAC)

Migration of the VOs from VOMS to Check-in

  • transition period where both X509 and tokens can be used
    • delays in updating the GRID elements to the latest version compliant with tokens
    • not all if the middleware products can be compliant with tokens at the same time
    • the same VO has to interact with element supporting different authentications

Testing HTCondorCE and AARC Profile token

  • INFN-T1 is going to test the AARC Profile token with its HTCondorCE endpoints
  • dteam VO registered in Check-in/Comanage:
    • Entitlements:
      • urn:mace:egi.eu:group:dteam:role=member#aai.egi.eu
      • urn:mace:egi.eu:group:dteam:role=vm_operator#aai.egi.eu

New benchmark replacing HEP-SPEC06

The benchmark HEPSCORE is going to replace the old Hep-Spec06

  • preparing plans with WLCG and the EGI Accounting team for deploying the new benchmark
  • transition period where both the benchmark will be published and used to normalise the data
    • to allow comparison between the two kind of data
  • APEL is working on a version where the accounting records contains 2 benchmarks 

AOB

  • DPM migration

Next meeting

Apr

  • No labels