Difference between revisions of "URT:Agenda-2018-09-24"
(→Globus) |
m (→Globus) |
||
(16 intermediate revisions by 6 users not shown) | |||
Line 10: | Line 10: | ||
* preparing CMD-OS/CMD-ONE update | * preparing CMD-OS/CMD-ONE update | ||
* asked security contact for each product, please fill it in https://wiki.egi.eu/wiki/UMD_products_ID_cards | * asked security contact for each product, please fill it in https://wiki.egi.eu/wiki/UMD_products_ID_cards | ||
* open issues with 4.7.1 | |||
** Maarten asking for fixing https://ggus.eu/index.php?mode=ticket_info&ticket_id=136074#update#51 | |||
** issue with bouncycastle requiring bouncycastle1.58-pkix https://ggus.eu/index.php?mode=ticket_info&ticket_id=136364 | |||
Line 16: | Line 19: | ||
=== In Verification === | === In Verification === | ||
* apel ssm 2.3.0 | |||
* storm 1.11.14 | |||
* dpm 1.10.2 | |||
* xroot 4.8.4 | |||
=== Under Staged Rollout === | === Under Staged Rollout === | ||
Line 68: | Line 73: | ||
== dCache == | == dCache == | ||
NTR | |||
== DPM/LFC == | == DPM/LFC == | ||
NTR | |||
== Data management clients == | == Data management clients == | ||
New gfal release ( 2.16) | |||
http://dmc.web.cern.ch/release/gfal2-2160 | |||
will notify when it will be pushed to EPEL | |||
== FTS == | == FTS == | ||
FTS 3.8.0 has been tagged | |||
https://gitlab.cern.ch/fts/fts3/tags/v3.8.0 | |||
will notify when it will be pushed to EPEL | |||
== ARC == | |||
There will be an ARC 5 update involving how ARC counts held jobs in Condor. Expected to be released this week or next. | |||
ARC 6 - we are aiming at an alpha release | ARC 6 - we are aiming at an alpha release expected this week. Is a very early test-release. Bugs are expected. Testers are welcome. | ||
== CREAM == | == CREAM == | ||
Line 129: | Line 137: | ||
* In versions of globus-gssapi-gsi before 11.26 (January 2016) there was a bug that meant that using the FORCE_TLS option meant forcing TLS 1.0, i.e. it also disabled TLS 1.1 and 1.2, and not only SSLv3. So sites that have such old versions installed and also have set the FORCE_TLS option (which was not the default) could not be contacted by clients that requested TLS version 1.2 as the minimum. The number of sites affected by this issue is expected to be small, and they can be fixed by upgrading and/or configuration. | * In versions of globus-gssapi-gsi before 11.26 (January 2016) there was a bug that meant that using the FORCE_TLS option meant forcing TLS 1.0, i.e. it also disabled TLS 1.1 and 1.2, and not only SSLv3. So sites that have such old versions installed and also have set the FORCE_TLS option (which was not the default) could not be contacted by clients that requested TLS version 1.2 as the minimum. The number of sites affected by this issue is expected to be small, and they can be fixed by upgrading and/or configuration. | ||
* The other issue is sites deploying the BeStMan SRM server. This uses a java / jetty / jglobus implementation of GSI and not the Globus Toolkit. Efforts to persuade this implementation to accept a TLS 1.2 connection has so far not been successful. The number and size of sites | * The other issue is sites deploying the BeStMan SRM server. This uses a java / jetty / jglobus implementation of GSI and not the Globus Toolkit. Efforts to persuade this implementation to accept a TLS 1.2 connection has so far not been successful. The number and size of sites affected by this issue is not insignificant and includes e.g. the CERN EOS. | ||
TLS 1.0 and 1.1 are recommended not to be used due to security concerns, so long term it makes sense to set the default minimum TLS version to 1.2. However, in order to limit the disruption, the configuration file in the globus-gssapi-gsi version currently in EPEL testing (14.7-2) have been patched to set the default minimum TLS version to 1.0. | TLS 1.0 and 1.1 are recommended not to be used due to security concerns, so long term it makes sense to set the default minimum TLS version to 1.2. However, in order to limit the disruption, the configuration file in the globus-gssapi-gsi version currently in EPEL testing (14.7-2) have been patched to set the default minimum TLS version to 1.0. | ||
Line 146: | Line 154: | ||
** '''[[Preview 1.19.0]]''' [https://appdb.egi.eu/store/software/preview.repository/releases/1.0/1.19.0/ AppDB info] (sl6): ARGUS 1.7.2, CGSI-gSOAP 1.3.11, CREAM 1.16.7, davix 0.6.8, dCache 3.2.27, frontier-squid 3.5.27-5.2, STORM 1.11.14, xrootd 4.8.4 | ** '''[[Preview 1.19.0]]''' [https://appdb.egi.eu/store/software/preview.repository/releases/1.0/1.19.0/ AppDB info] (sl6): ARGUS 1.7.2, CGSI-gSOAP 1.3.11, CREAM 1.16.7, davix 0.6.8, dCache 3.2.27, frontier-squid 3.5.27-5.2, STORM 1.11.14, xrootd 4.8.4 | ||
** '''[[Preview 2.19.0]]''' [https://appdb.egi.eu/store/software/preview.repository/releases/2.0/2.19.0/ AppDB info] (CentOS 7): CGSI-gSOAP 1.3.11, CREAM 1.16.7, davix 0.6.8, dCache 3.2.27, frontier-squid 3.5.27-5.2, xrootd 4.8.4 | ** '''[[Preview 2.19.0]]''' [https://appdb.egi.eu/store/software/preview.repository/releases/2.0/2.19.0/ AppDB info] (CentOS 7): CGSI-gSOAP 1.3.11, CREAM 1.16.7, davix 0.6.8, dCache 3.2.27, frontier-squid 3.5.27-5.2, xrootd 4.8.4 | ||
*gathering information for the new update: DPM 1.10.3, ... | |||
= AOB = | = AOB = | ||
== nagios probes | == nagios probes on CentOS 7 == | ||
'''to assess''': | |||
*SRM probes (maintained by dCache PT): https://ggus.eu/index.php?mode=ticket_info&ticket_id=136736 (no reply yet) | |||
*ARGUS: nagios-plugins-argus https://ggus.eu/index.php?mode=ticket_info&ticket_id=136697 (no reply yet) | |||
*UNICORE: https://ggus.eu/index.php?mode=ticket_info&ticket_id=136705 | |||
**need to ask PL-Grid about the nagios probes, | |||
**verify and discuss offline the status about the UNICORE and EGI interactions. | |||
'''planned/in progress''': | |||
*BDII: glue-validator nagios-plugins-bdii https://ggus.eu/index.php?mode=ticket_info&ticket_id=136695 (on hold until December) | |||
*CREAMCE: glite-ce-cream-cli https://ggus.eu/index.php?mode=ticket_info&ticket_id=136700 | |||
**The package for the CREAM probe will be delivered with the next update of CREAM on UMD. At the moment there's no release date for update 1.16.8, we're collecting several bug fixes for different components; | |||
*NGI ARGUS probes (security) https://ggus.eu/index.php?mode=ticket_info&ticket_id=136737 | |||
**just one probe from secmon set: https://github.com/ARGOeu/secmon-probes/blob/master/src/probes/argus-ban | |||
**discuss internally if deploying all secmon probes on production ARGO instances or extract this probe in a new repo. | |||
'''available''': | |||
*ARC-CE: nordugrid-arc-nagios-plugins nordugrid-arc-nagios-plugins-egi https://ggus.eu/index.php?mode=ticket_info&ticket_id=136699 (SOLVED) | *ARC-CE: nordugrid-arc-nagios-plugins nordugrid-arc-nagios-plugins-egi https://ggus.eu/index.php?mode=ticket_info&ticket_id=136699 (SOLVED) | ||
**The ARC probes and associated client utilities are released for CentOS/SL 7 in the NorduGrid repository. | **The ARC probes and associated client utilities are released for CentOS/SL 7 in the NorduGrid repository. | ||
Line 158: | Line 183: | ||
*QCG: https://ggus.eu/index.php?mode=ticket_info&ticket_id=136704 | *QCG: https://ggus.eu/index.php?mode=ticket_info&ticket_id=136704 | ||
**already provided for CentOS 7; | **already provided for CentOS 7; | ||
*DPM/LFC: nagios-plugins-lfc https://ggus.eu/index.php?mode=ticket_info&ticket_id=136698 (SOLVED) | *DPM/LFC: nagios-plugins-lfc https://ggus.eu/index.php?mode=ticket_info&ticket_id=136698 (SOLVED) | ||
**there are no plans for future developments of LFC Nagios probes | **there are no plans for future developments of LFC Nagios probes | ||
Line 168: | Line 190: | ||
***(read only) http://svn.cern.ch/guest/lcgdm/nagios-plugins | ***(read only) http://svn.cern.ch/guest/lcgdm/nagios-plugins | ||
***(r/w) https://<yourlogin>@svn.cern.ch/reps/lcgdm/nagios-plugins | ***(r/w) https://<yourlogin>@svn.cern.ch/reps/lcgdm/nagios-plugins | ||
== Next meeting == | == Next meeting == | ||
*Oct 8th, 2018 https://indico.egi.eu/indico/event/4241/ | *Oct 8th, 2018 https://indico.egi.eu/indico/event/4241/ |
Latest revision as of 16:18, 24 September 2018
Meeting
- Calendar: https://indico.egi.eu/indico/categoryDisplay.py?categId=107
- meetings are on GoToMeeting
News
- UMD 4.8.0. planned for *end of October*
- preparing CMD-OS/CMD-ONE update
- asked security contact for each product, please fill it in https://wiki.egi.eu/wiki/UMD_products_ID_cards
- open issues with 4.7.1
- Maarten asking for fixing https://ggus.eu/index.php?mode=ticket_info&ticket_id=136074#update#51
- issue with bouncycastle requiring bouncycastle1.58-pkix https://ggus.eu/index.php?mode=ticket_info&ticket_id=136364
UMD4
In Verification
- apel ssm 2.3.0
- storm 1.11.14
- dpm 1.10.2
- xroot 4.8.4
Under Staged Rollout
NA
Ready to be Released
NA
CMD-OS
In Verification
- OOI 1.2.0
- rOCCI-cli 4.10.2
In Staged Rollout
NA
Ready to be released
NA
CMD-ONE
In verification
NA
In Staged Rollout
- rocci-cli 4.10.2
- rocci-server 2.0.4
- keystorm 1.1.0
- cloudkeeper 1.6.0
- cloudkeeper-one 1.3.0
- cloud-info-provider 0.9.1
Ready to be released =
NA
Updates from Technical Providers
APEL
Frontier
Indigo-DataCloud
dCache
NTR
DPM/LFC
NTR
Data management clients
New gfal release ( 2.16)
http://dmc.web.cern.ch/release/gfal2-2160
will notify when it will be pushed to EPEL
FTS
FTS 3.8.0 has been tagged
https://gitlab.cern.ch/fts/fts3/tags/v3.8.0
will notify when it will be pushed to EPEL
ARC
There will be an ARC 5 update involving how ARC counts held jobs in Condor. Expected to be released this week or next.
ARC 6 - we are aiming at an alpha release expected this week. Is a very early test-release. Bugs are expected. Testers are welcome.
CREAM
CentOS 7 packages for "CREAM nagios probes": work in progress
QCG
Globus
The update that was listed as being in EPEL testing at the previous meeting is now in EPEL stable:
EPEL testing 2018-09-06, EPEL stable 2018-09-21:
- EPEL 7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-4f23223148
- EPEL 6: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-b81da23189
Grid Community Toolkit (GCT)
As you should be aware, the developers announced that the support of the Globus Toolkit would end on 1 Jan 2018. The development did not completely stop, and there have been updates from the original developers during 2018, which we have packaged for Fedora, EPEL and Debian. When the end of support was announced, a community effort to keep up the maintenance of the toolkit was established [1]. The Grid Community Forum's fork of the Globus Toolkit, named Grid Community Toolkit [2] has been in preparation for some time. And there is now an update in EPEL testing based on the GCT version of the toolkit:
EPEL testing 2018-09-22:
- EPEL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-8aebaba2a9
- EPEL6: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-d19f4f231e
This update is a drop in replacement, keeping the names of the libraries and binaries in the toolkit, keeping the package names in the repositories and keeping library sonames the same as in the Globus Toolkit.
Most of the changes to the code in the GCT release with respect to the latest Globus Toolkit release were already present in the packages in the repositories due to patches applied in the packaging.
globus-gssapi-gsi and TLS 1.2
As reported at the last meeting, the globus-gssapi-gsi package in the update that was then in EPEL testing (version 13.10-1) changed the default minimum TLS version to 1.2. It is possible to change it to 1.0 (the old default) or 1.1 in /etc/grid-security/gsi.conf or using environment variables.
Unfortunately this change turned out to be more disruptive than anticipated. By the time I was made aware of the problems, the update had already been pushed to EPEL stable. Two separate issues have been reported:
- In versions of globus-gssapi-gsi before 11.26 (January 2016) there was a bug that meant that using the FORCE_TLS option meant forcing TLS 1.0, i.e. it also disabled TLS 1.1 and 1.2, and not only SSLv3. So sites that have such old versions installed and also have set the FORCE_TLS option (which was not the default) could not be contacted by clients that requested TLS version 1.2 as the minimum. The number of sites affected by this issue is expected to be small, and they can be fixed by upgrading and/or configuration.
- The other issue is sites deploying the BeStMan SRM server. This uses a java / jetty / jglobus implementation of GSI and not the Globus Toolkit. Efforts to persuade this implementation to accept a TLS 1.2 connection has so far not been successful. The number and size of sites affected by this issue is not insignificant and includes e.g. the CERN EOS.
TLS 1.0 and 1.1 are recommended not to be used due to security concerns, so long term it makes sense to set the default minimum TLS version to 1.2. However, in order to limit the disruption, the configuration file in the globus-gssapi-gsi version currently in EPEL testing (14.7-2) have been patched to set the default minimum TLS version to 1.0.
xrootd
caNl
BDII
CentOS 7 packages for "BDII nagios probes": work in progress
WN/UI
Preview
- 2018-08-06
- Preview 1.19.0 AppDB info (sl6): ARGUS 1.7.2, CGSI-gSOAP 1.3.11, CREAM 1.16.7, davix 0.6.8, dCache 3.2.27, frontier-squid 3.5.27-5.2, STORM 1.11.14, xrootd 4.8.4
- Preview 2.19.0 AppDB info (CentOS 7): CGSI-gSOAP 1.3.11, CREAM 1.16.7, davix 0.6.8, dCache 3.2.27, frontier-squid 3.5.27-5.2, xrootd 4.8.4
- gathering information for the new update: DPM 1.10.3, ...
AOB
nagios probes on CentOS 7
to assess:
- SRM probes (maintained by dCache PT): https://ggus.eu/index.php?mode=ticket_info&ticket_id=136736 (no reply yet)
- ARGUS: nagios-plugins-argus https://ggus.eu/index.php?mode=ticket_info&ticket_id=136697 (no reply yet)
- UNICORE: https://ggus.eu/index.php?mode=ticket_info&ticket_id=136705
- need to ask PL-Grid about the nagios probes,
- verify and discuss offline the status about the UNICORE and EGI interactions.
planned/in progress:
- BDII: glue-validator nagios-plugins-bdii https://ggus.eu/index.php?mode=ticket_info&ticket_id=136695 (on hold until December)
- CREAMCE: glite-ce-cream-cli https://ggus.eu/index.php?mode=ticket_info&ticket_id=136700
- The package for the CREAM probe will be delivered with the next update of CREAM on UMD. At the moment there's no release date for update 1.16.8, we're collecting several bug fixes for different components;
- NGI ARGUS probes (security) https://ggus.eu/index.php?mode=ticket_info&ticket_id=136737
- just one probe from secmon set: https://github.com/ARGOeu/secmon-probes/blob/master/src/probes/argus-ban
- discuss internally if deploying all secmon probes on production ARGO instances or extract this probe in a new repo.
available:
- ARC-CE: nordugrid-arc-nagios-plugins nordugrid-arc-nagios-plugins-egi https://ggus.eu/index.php?mode=ticket_info&ticket_id=136699 (SOLVED)
- The ARC probes and associated client utilities are released for CentOS/SL 7 in the NorduGrid repository.
- FTS probes are available falso for CentOS 7: https://gitlab.cern.ch/fts/nagios-plugins-fts/blob/master/README.md
- QCG: https://ggus.eu/index.php?mode=ticket_info&ticket_id=136704
- already provided for CentOS 7;
- DPM/LFC: nagios-plugins-lfc https://ggus.eu/index.php?mode=ticket_info&ticket_id=136698 (SOLVED)
- there are no plans for future developments of LFC Nagios probes
- Packages are provided in EPEL 6 and 7 and source code is source packages and in the lcgdm svn repository
- the official repos are here, and they are released from time to time, mainly depending on the needs of the DPM project:
- (browser) https://svnweb.cern.ch/trac/lcgdm/browser/nagios-plugins
- (read only) http://svn.cern.ch/guest/lcgdm/nagios-plugins
- (r/w) https://<yourlogin>@svn.cern.ch/reps/lcgdm/nagios-plugins
Next meeting
- Oct 8th, 2018 https://indico.egi.eu/indico/event/4241/