URT:Agenda-2018-02-05
Meeting
- Calendar: https://indico.egi.eu/indico/categoryDisplay.py?categId=107
- meetings are on GoToMeeting
News
- UMD4 regular release (4.7.0) planned for April 2018; dedicated updates are always possible
- UMD3 deprecation
- WMS dismission plan presented at OMB
- in parallel, UMD team will test upgrading the umd-release package from UMD3/SL6 to UMD4/SL6 to make usre everything works properly
- plan will be arranged and agreed with PTs in January/February
- at some point UMD3 will be "freezed" (no more updates of any kind, either security ones)
- OMB suggested to remove it completely so that it's not used anymore
- probably we will establish a period of 2-4 weeks during which sites get progressively aware that the old repos won't work anymore and switch to UMD4/SL6
- if any security issue comes out during that period, we will ask to shut down the repository
- CMD-OS update still in preparation: found SR for cloudkeeper, no way to include yet user id isolatin patch for Mitaka/Ubuntu
- CMD-ONE first release to be fixed adding site BDII
UMD4
In Verification
Under Staged Rollout
Ready to be Released
CMD-OS
In Verification
In Staged Rollout
Ready to be released
CMD-ONE
In verification
In Staged Rollout
Ready to be released
Report from WLCG MW Officer
Singularity (http://singularity.lbl.gov/) is planned to be used in production by CMS and ATLAS next year.
Should we start include it also in UMD? (also as part of WN)
Updates from Technical Providers
APEL
Frontier
Indigo-DataCloud
dCache
DPM/LFC
Data management clients
NTR
FTS
NTR
ARC
QCG
Globus
xrootd
caNl
Preview
AOB
products that need to download from VOMS the list of users
VOMS allows to every owner of a IGTF certificate to download the list of users. This is not compliant with the European GDPR, since VO membership is considered sensitive data., so that VOMS needs to implement a stricter ACL to the users list.
In order to understand how to proceed, first of all we need to figure out all the use cases: please let us know if any of your products needs to get the users DN for performing the authentication and authorisation mechanism (i.e. grid-mapfile generation containing the users certificate subject).
bouncycastle update in EPEL
There is an update coming to EPEL 6 involving some Java components.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-71db8f6f28
There are updated packages for:
- bouncycastle-1.58-2.el6
- The new package uses the new bouncycastle package build mechanism used in the Fedora bouncycastle package, building all bouncycastle binary packages from the same source RPM:
- bouncycastle-1.58-2.el6.noarch.rpm
- bouncycastle-mail-1.58-2.el6.noarch.rpm
- bouncycastle-pg-1.58-2.el6.noarch.rpm
- bouncycastle-pkix-1.58-2.el6.noarch.rpm
- bouncycastle-tls-1.58-2.el6.noarch.rpm
- Previously, only bouncycastle itself was in EPEL 6. This update adds the others to the EPEL 6 repository.
- A bouncycastle-mail package (matching the old bouncycastle version i EPEL 6) was provided in the UMD repo.
- The new package uses the new bouncycastle package build mechanism used in the Fedora bouncycastle package, building all bouncycastle binary packages from the same source RPM:
- jglobus-2.1.0-4.el6 (I guess noone is using this...)
- voms-api-java-3.2.0-7.el6
The update also adds packages previously not in EPEL 6 due to missing bouncycastle dependencies:
- canl-java-2.5.0-1.el6
- voms-clients-java-3.0.7-6.el6
With this update there are some changes w.r.t. the packages currently in UMD:
- Since voms-api-java is updated to version 3, the voms-api-java3 currently in UMD becomes obsolete, so references to /usr/share/java/voms-api-java3.jar should be changed to /usr/share/java/voms-api-java.jar
- In the new bouncycastle version some classes have moved between the different bouncycastle packages.
- The new canl-java depends on bouncycastle and bouncycastle-pkix.
- The new voms-api-java depends on canl-java (and hence on bouncycastle and bouncycastle-pkix), but no longer on bouncycastle-mail.
- The class org.bouncycastle.openssl.PasswordFinder is deprecated in the new bouncycastle and canl-java 2.5.0 provides a replacement eu.emi.security.authn.x509.helpers.PasswordSupplier.
Providers of products depending on these components should investigate compatibility and see what changes are needed to code and configuration.
Packages declaring dependencies on the affected packages in the UMD repo are:
- glite-ce-common-java
- glite-ce-cream-api-java
- argus-pap
- argus-pdp
- argus-pep-server
These are the directly declared dependencies, some recursive dependencies might be affected too.
The packages glite-security-trustmanager and glite-security-util-java in EPEL 6 have been retired.
There is also an update for EPEL 7:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-50d69f64bd
Of the issues listed above only the PasswordFinder vs. PasswordSupplier issue should be relevant here.
The corresponding Fedora updates do not update bouncycastle, only update canl-java (and rebuilds the existing versions of voms-api-java and voms-clients-java for the PasswordFinder vs. PasswordSupplier change in canl-java). These are already in stable:
- https://bodhi.fedoraproject.org/updates/FEDORA-2018-d64f3921b6 (Fedora 26)
- https://bodhi.fedoraproject.org/updates/FEDORA-2018-651aed081f (Fedora 27)
noarch packages depend on x86-64
when trying to install the following “noarch” packages on ppc64le system, some of them still required x86-64 dependency:
fts-rest-3.5.4-1.el7.centos.noarch.rpm fts-rest-cloud-storage-3.5.4-1.el7.centos.noarch.rpm fts-rest-http-authz-signed-cert-3.5.4-1.el7.centos.noarch.rpm fts-rest-oauth2-3.5.4-1.el7.centos.noarch.rpm fts-rest-selinux-3.5.4-1.el7.centos.noarch.rpm glexec-wrapper-scripts-0.0.7-1.el7.noarch.rpm mkgltempdir-0.0.5-1.el7.noarch.rpm nordugrid-arc-aris-5.3.1-1.el7.centos.noarch.rpm nordugrid-arc-ca-utils-5.3.1-1.el7.centos.noarch.rpm nordugrid-arc-client-tools-1.0.7-1.el7.centos.noarch.rpm nordugrid-arc-compute-element-1.0.7-1.el7.centos.noarch.rpm nordugrid-arc-doc-2.0.15-1.el7.centos.noarch.rpm nordugrid-arc-gridmap-utils-5.3.1-1.el7.centos.noarch.rpm nordugrid-arc-information-index-1.0.7-1.el7.centos.noarch.rpm nordugrid-arc-ldap-infosys-5.3.1-1.el7.centos.noarch.rpm nordugrid-arc-ldap-monitor-5.3.1-1.el7.centos.noarch.rpm nordugrid-arc-nagios-plugins-doc-1.9.1-0.rc1.el7.centos.noarch.rpm nordugrid-arc-nagios-plugins-egi-1.9.1-0.rc1.el7.centos.noarch.rpm nordugrid-arc-ws-monitor-5.3.1-1.el7.centos.noarch.rpm qcg-appscripts-4.0.0-18.centos7.noarch.rpm qcg-broker-4.2.0-6.centos7.noarch.rpm qcg-broker-client-4.2.0-4.centos7.noarch.rpm qcg-comp-egi-is-provider-4.0.0-5.centos7.noarch.rpm qcg-egi-is-conf-4.0.0-1.centos7.noarch.rpm qcg-ntf-egi-is-provider-4.0.0-1.centos7.noarch.rpm qcg-ntf-nagios-probe-4.0.0-1.noarch.rpm
other AOB
- Next meeting: Jan 22th, 2017 https://indico.egi.eu/indico/event/3554/
- Globus EOL - Status tracked here: https://wiki.egi.eu/wiki/Globus_EOL_assessment