Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "MW SAM tests"

From EGIWiki
Jump to navigation Jump to search
Line 108: Line 108:
* WMS  
* WMS  
|-
|-
| align="center" | eu.egi.sec.StoRM-EMI-1
| align="center" | eu.egi.sec.StoRM-EMI-2
| Test checks if SRM (StorRM) is using EMI 2 middleware.<BR> Test queries site BDII with base DN of O=grid for the following pattern: <BR>"<nowiki>(&(GlueSEImplementationName=StoRM)(|(GlueSEImplementationVersion=1.9.*)(GlueSEImplementationVersion=1.10.*))(GlueSEUniqueID=*$HOSTNAME$*))</nowiki>". Returns CRITICAL if query returns any results.
| Test checks if SRM (StorRM) is using EMI 2 middleware.<BR> Test queries site BDII with base DN of O=grid for the following pattern: <BR>"<nowiki>(&(GlueSEImplementationName=StoRM)(|(GlueSEImplementationVersion=1.9.*)(GlueSEImplementationVersion=1.10.*))(GlueSEUniqueID=*$HOSTNAME$*))</nowiki>". Returns CRITICAL if query returns any results.
|-
|-

Revision as of 19:25, 6 March 2014

Main EGI.eu operations services Support Documentation Tools Activities Performance Technology Catch-all Services Resource Allocation Security


Tools menu: Main page Instructions for developers AAI Proxy Accounting Portal Accounting Repository AppDB ARGO GGUS GOCDB
Message brokers Licenses OTAGs Operations Portal Perun EGI Collaboration tools LToS EGI Workload Manager


Middleware monitoring SAM instance

This table lists tests used for tracking installed MW versions on EGI sites. All tests except eu.egi.sec.WN are executed every 24h and extract product version information from BDII. In case that site does not have Site-BDII defined probe will try to query resource BDII directly. Test eu.egi.sec.WN is executed every 6h via SAM CE probe.

Tests are executed on the new central SAM instance: https://midmon.egi.eu/nagios. Alarms for these tests are opened directly in the Operations Portal Dashboard. POEM profile used on this instance is MW_MONITOR.

General tests

Nagios test Description
The probe uses Accounting Portal web page (http://accounting.egi.eu/userdn_publication.php?ExecutingSite=SITE_NAME) to check publishing of user DNs by sites. The probe looks for data in the last 30 days:
  • It checks number of jobs in the cpu table (to avoid problems with test sites with 0 hour jobs) and User records in the period.
  • If there are job records but no user records it returns CRITICAL.
  • If there are no records at all it returns UNKNOWN.

Sites administrators that for policy reasons decide not to publish user DNs in the site usage records should report this to the EGI OperationsTeam through a GGUS tickets. For each of these sites the test will return OK.

The probe uses existing MPI pseudo service types MPICH, MPICH-1, MPICH2, OPENMPI and OPENMPI-1 (extracted from BDII) to find MPI service endpoints without eu.egi.MPI service endpoint defined in the GOCDB. If the service endpoint has one of pseudo service type and it doesn't have eu.egi.MPI test returns CRITICAL.
org.bdii.GLUE2-Validate http://gridinfo.web.cern.ch/glue/glue-validator-guide
https://twiki.cern.ch/twiki/bin/view/EGEE/GLUEValidatorErrorCodes
org.nagios.GLUE2-Check Test checks if the site BDII is publishing GLUE2 information. Test queries a base DN of GLUE2DomainID=<site-name>,o=glue for the pattern "(&(objectClass=GLUE2Domain)(GLUE2DomainID=<site-name>))". In case that base DN or object is missing test will return CRITICAL. In case BDII returns more than 1 object test will return CRITICAL. In case BDII is down test will return UNKNOWN.

SHA-2 tests

These tests are checking if service endpoint is using SHA-2 compliant version. Details about SHA-2 support can be found here.

Nagios test Description
eu.egi.sec.CREAMCE-SHA-2 Test checks if CREAM-CE is using at least version 1.14.3.
Test queries site BDII with base DN of O=glue for the following pattern:
'(&(objectclass=GLUE2Endpoint)(GLUE2EndpointImplementationName=CREAM)(GLUE2EndpointURL=*$HOSTNAME$*))'.
For each entry found test checks:
  • attribute GLUE2EntityCreationTime and ignore entries without GLUE2EntityCreationTime and with GLUE2EntityCreationTime older than 3600 seconds.
  • attribute GLUE2EndpointImplementationVersion and ignore entries with value less than 1.14.3.

Returns CRITICAL if query does not return any result.

WARNING: This test will raise CRITICAL if proper CREAM-CE endpoint is not published in the Site-BDII.

WARNING: Upgrading CREAM-CE without running yaim will not solve the issue. CREAM-CE implementation version is hard-coded in file generated by Yaim.

eu.egi.sec.dCache-SHA-2 Test checks if dCache is using version >= 2.2.16, 2.6.*, 2.7.* or 2.8.*. For all other versions it returns CRITICAL.
Test queries site BDII with base DN of O=glue for the following pattern:
'(&(GLUE2ManagerProductName=dCache)(GLUE2ManagerID=*$HOSTNAME$*))'.
For each entry found test checks:
  • GLUE2ManagerProductVersion and ignore entries with values >= 2.2.16, 2.6.*, 2.7.* or 2.8.*.

Returns CRITICAL if query returns any results.

eu.egi.sec.StoRM-SHA-2 Test checks if StoRM is using at least UMD-3 middleware.
Test queries site BDII with base DN of O=glue for the following pattern:
'(&(objectclass=GLUE2Endpoint)(GLUE2EndpointImplementationName=StoRM)(!(GLUE2EntityOtherInfo=MiddlewareVersion=3.*))(GLUE2EndpointURL=*$HOSTNAME$*))'.
For each entry found test checks:
  • attribute GLUE2EntityCreationTime and ignore entries without GLUE2EntityCreationTime and with GLUE2EntityCreationTime older than 3600 seconds.

Returns CRITICAL if query returns any results.

eu.egi.sec.VOMS-SHA-2 Test checks if VOMS is using at least version 2.0.9.
Test queries site BDII with base DN of O=glue for the following pattern:
'(&(objectclass=GLUE2Endpoint)(GLUE2EndpointInterfaceName=org.glite.voms)(GLUE2EndpointURL=*$HOSTNAME$*))'.
For each entry found test checks:
  • attribute GLUE2EntityCreationTime and ignore entries without GLUE2EntityCreationTime and with GLUE2EntityCreationTime older than 3600 seconds.
  • attribute GLUE2EndpointImplementationVersion and ignore entries with value less than 2.0.9.

Returns CRITICAL if query does not return any result. WARNING: This test will raise CRITICAL if proper VOMS endpoint is not published in the Site-BDII.

eu.egi.sec.WMS-SHA-2 Test checks if WMS is using at least UMD-3 middleware.
Test queries site BDII with base DN of O=glue for the following pattern:
'(&(objectclass=GLUE2Endpoint)(GLUE2EndpointImplementationName=WMS)(!(GLUE2EntityOtherInfo=MiddlewareVersion=3.*))(GLUE2EndpointURL=*$HOSTNAME$*))'.
For each entry found test checks:
  • attribute GLUE2EntityCreationTime and ignore entries without GLUE2EntityCreationTime and with GLUE2EntityCreationTime older than 3600 seconds.

Returns CRITICAL if query returns any results.

EMI-2 tests

Nagios test Description
eu.egi.sec.ARC-EMI-2 Test checks if ARC-CE is using EMI 2 middleware.
Test queries ARC-CE LDAP service on port 2135 with base DN of O=grid for the following pattern:
"(&(objectClass=nordugrid-cluster)(nordugrid-cluster-middleware=nordugrid-arc-2*))". Returns CRITICAL if query returns any results.
eu.egi.sec.DPM-GLUE2-EMI-2

Test checks if SRM (DPM) is using EMI 2 middleware.
Test queries site BDII with base DN of O=glue for the following pattern:
'(&(objectclass=GLUE2Endpoint)(GLUE2EndpointInterfaceName=SRM)(GLUE2EndpointHealthStateInfo=*DPM*)(GLUE2EntityOtherInfo=MiddlewareVersion=2.*)(GLUE2EndpointURL=*$HOSTNAME$*))'. Returns CRITICAL if query returns any results.

eu.egi.sec.EMI-2 Test checks if service endpoint is using EMI 2 middleware.
Test queries site BDII with base DN of o=glue for the following pattern:
"(&(objectclass=GLUE2Endpoint)(GLUE2EntityOtherInfo=MiddlewareVersion=2.*)(GLUE2EndpointURL=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
Test is mapped to the following service types:
  • Central-LFC
  • CREAM-CE
  • emi.ARGUS
  • LB
  • Local-LFC
  • MyProxy
  • Site-BDII
  • Top-BDII
  • VOMS
  • WMS
eu.egi.sec.StoRM-EMI-2 Test checks if SRM (StorRM) is using EMI 2 middleware.
Test queries site BDII with base DN of O=grid for the following pattern:
"(&(GlueSEImplementationName=StoRM)(|(GlueSEImplementationVersion=1.9.*)(GlueSEImplementationVersion=1.10.*))(GlueSEUniqueID=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
eu.egi.sec.WN-EMI-2 Test checks if WN is using EMI 2 middleware. Test checks if version in /etc/emi-version or $EMI_TARBALL_BASE/etc/emi-version is formatted "2.*" and returns CRITICAL.
In case the WN is using EMI-1 test will return UNKNOWN. If lcg-version or glite-version programs exist test returns UNKNOWN.

EMI-1 tests

Nagios test Description
eu.egi.sec.ARC-EMI-1 Test checks if ARC-CE is using EMI 1 middleware.
Test queries ARC-CE LDAP service on port 2135 with base DN of O=grid for the following pattern:
"(&(objectClass=nordugrid-cluster)(nordugrid-cluster-middleware=nordugrid-arc-1*))". Returns CRITICAL if query returns any results.
eu.egi.sec.Argus-EMI-1 Test checks if ARGUS is using EMI 1 middleware.
Test queries site BDII with base DN of O=glue for the following pattern:
"(&(objectclass=GLUE2Endpoint)(GLUE2EndpointImplementationName=Argus)(|(GLUE2EntityOtherInfo=MiddlewareVersion=2.*)(GLUE2EntityOtherInfo=MiddlewareVersion=3.*))(GLUE2EndpointURL=*$HOSTNAME$*))". Returns CRITICAL if query does not return any result.

WARNING: This test will raise CRITICAL if ARGUS endpoint is not published in the Site-BDII.

eu.egi.sec.dCache-EMI-1 Test checks if SRM (dCache) is using EMI 1 middleware.
Test queries site BDII with base DN of O=grid for the following pattern:
"(&(GlueSEImplementationName=dCache)(GlueSEImplementationVersion=*1.9.12*)(GlueSEUniqueID=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
eu.egi.sec.DPM-EMI-1 Test checks if SRM (DPM) is using EMI 1 middleware.
Test queries site BDII with base DN of O=grid for the following pattern:
"(&(GlueSEImplementationName=DPM)(|(GlueSEImplementationVersion=unset)(GlueSEImplementationVersion=1.8.1)(GlueSEImplementationVersion=1.8.2))(GlueSEUniqueID=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.

WARNING: This test will raise CRITICAL on gLite 3.2 DPM instances using DPM 1.8.2.
WARNING: This test will raise CRITICAL on EMI-2 DPM instances using DPM 1.8.3.

eu.egi.sec.DPM-GLUE2-EMI-1 Test checks if SRM (DPM) is using EMI 1 middleware, version 1.8.6 in particular.
Test queries site BDII with base DN of O=glue for the following pattern:
'(&(objectclass=GLUE2Endpoint)(GLUE2EndpointInterfaceName=SRM)(GLUE2EndpointHealthStateInfo=*DPM*)(!(|(GLUE2EntityOtherInfo=MiddlewareVersion=2.*)(GLUE2EntityOtherInfo=MiddlewareVersion=3.*)))(GLUE2EndpointURL=*$HOSTNAME$*))'. Returns CRITICAL if query returns any results.
eu.egi.sec.DPM-GLUE2-EMI-2

Test checks if SRM (DPM) is using EMI 2 middleware version less than 1.8.6 or 1.8.7.
Test queries site BDII with base DN of O=glue for the following pattern:
'(&(objectclass=GLUE2Endpoint)(GLUE2EndpointInterfaceName=SRM)(GLUE2EndpointHealthStateInfo=*DPM*)(GLUE2EntityOtherInfo=MiddlewareVersion=2.*)(GLUE2EndpointURL=*$HOSTNAME$*))' and
'(&(objectClass=GLUE2StorageManager)(GLUE2ManagerProductName=DPM)(!(\\|(GLUE2ManagerProductVersion=1.8.6)(GLUE2ManagerProductVersion=1.8.7)))(GLUE2ManagerServiceForeignKey=*$HOSTNAME$*))</nowiki>'. Returns CRITICAL if query returns any results.

eu.egi.sec.EMI-1 Test checks if service endpoint is using EMI 1 middleware.
Test queries site BDII with base DN of o=glue for the following pattern:
"(&(objectclass=GLUE2Endpoint)(GLUE2EntityOtherInfo=MiddlewareVersion=1.*)(GLUE2EndpointURL=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
eu.egi.sec.LB-EMI-1 Test checks if LB is using EMI 1 middleware.
Test queries site BDII with base DN of O=glue for the following pattern:
'(&(objectclass=GLUE2Endpoint)(GLUE2EndpointInterfaceName=org.glite.lb.Server)(!(|(GLUE2EntityOtherInfo=MiddlewareVersion=2.*)(GLUE2EntityOtherInfo=MiddlewareVersion=3.*)))(GLUE2EndpointURL=*$HOSTNAME$*))'. Returns CRITICAL if query returns any results.
eu.egi.sec.LFC-EMI-1 Test checks if EMI is using EMI 1 middleware.
Test queries site BDII with base DN of O=glue for the following pattern:
"(&(objectclass=GLUE2Endpoint)(GLUE2EndpointImplementationName=LFC)(|(GLUE2EntityOtherInfo=MiddlewareVersion=2.*)(GLUE2EntityOtherInfo=MiddlewareVersion=3.*)(GLUE2EndpointImplementationVersion=1.8.3.1)(GLUE2EndpointImplementationVersion=1.8.4))(GLUE2EndpointURL=*$HOSTNAME$*))". Returns CRITICAL if query does not return any result.

WARNING: This test will raise CRITICAL if Central-LFC or Local-LFC endpoint is not published in the Site-BDII.

eu.egi.sec.Site-BDII-EMI-1 Test checks if Site-BDII is using EMI 1 middleware.
Test queries site BDII with base DN of GLUE2GroupID=resource,O=glue for the following pattern:
'(&(objectclass=GLUE2Endpoint)(GLUE2EndpointInterfaceName=bdii_site)(!(|(GLUE2EntityOtherInfo=MiddlewareVersion=2.*)(GLUE2EntityOtherInfo=MiddlewareVersion=3.*)))(GLUE2EndpointURL=*$HOSTNAME$*))'. Returns CRITICAL if query returns any results.
eu.egi.sec.StoRM-EMI-1 Test checks if SRM (StorRM) is using EMI 1 middleware.
Test queries site BDII with base DN of O=grid for the following pattern:
"(&(GlueSEImplementationName=StoRM)(|(GlueSEImplementationVersion=1.7.*)(GlueSEImplementationVersion=1.8.*))(GlueSEUniqueID=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
eu.egi.sec.Top-BDII-EMI-1 Test checks if Top-BDII is using EMI 1 middleware.
Test queries top BDII with base DN of GLUE2GroupID=resource,O=glue for the following pattern:
'(&(objectclass=GLUE2Endpoint)(GLUE2EndpointInterfaceName=bdii_top)(!(|(GLUE2EntityOtherInfo=MiddlewareVersion=2.*)(GLUE2EntityOtherInfo=MiddlewareVersion=3.*)))(GLUE2EndpointURL=*$HOSTNAME$*))'. Returns CRITICAL if query returns any results.
eu.egi.sec.VOMS-EMI-1 Test checks if VOMS is using EMI 1 middleware.
Test queries site BDII with base DN of O=grid for the following pattern:
'(&(objectclass=GlueService)(GlueServiceType=org.glite.voms-admin)(GlueServiceVersion=2.6.*)(GlueServiceEndpoint=*$HOSTNAME$*))'. Returns CRITICAL if query returns any results.

gLite 3.2 tests

Nagios test Description
eu.egi.sec.DPM Test checks if SRM service endpoint is using gLite 3.2 middleware. Test queries site BDII for the following pattern
"(&(GlueSEImplementationName=DPM)(|(GlueSEImplementationVersion=1.7.*)(GlueSEImplementationVersion=1.8.0)(GlueSEImplementationVersion=1.8.1)(GlueSEImplementationVersion=1.8.2))(GlueSEUniqueID=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
eu.egi.sec.LFC Test checks if LFC service endpoint is using gLite 3.2 middleware. Test queries site BDII for the following pattern
"(&(objectclass=GlueService)(|(GlueServiceType=lcg*-file-catalog)(GlueServiceType=*data-location-interface))(GlueServiceVersion=1.7.*)(GlueServiceEndpoint=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
eu.egi.sec.WN Test checks if WN is using gLite 3.2, EMI-1 or LCG middleware. Test checks if lcg-version or glite-version programs exist. Also, test checks if version in /etc/emi-version or $EMI_TARBALL_BASE/etc/emi-version is formatted "1.*".

Security SAM instance

This table lists tests being used to date for tracking installed MW versions on EGI sites. All tests are executed every 24h and extract product version information from BDII. Accuracy of the probes depends on the software version being published. Services that do not publish correctly may not be detected; false positives may also be possible in case of products that erroneously publish gLite3.1/3.2 information. Additionally, end-points associated to retired service types in GOCDB are detected; the retired service types being checked are Classic-SE, MON, RB.

Tests are executed on the security SAM instance: https://secmon.egi.eu/nagios. Alarms for these tests are opened in the Operations Portal Security Dashboard.

Nagios test Description
eu.egi.sec.Classic-SE Test is associated to Classic-CE service endpoints in the GOC DB and it always returns CRITICAL. This service type has been obsoleted for a while and it should be removed from all sites.
eu.egi.sec.CREAMCE-gLite-32 Test queries site BDII for the following pattern "(&(GlueServiceType=org.glite.ce.CREAM)(GlueServiceVersion=1.12.*)(GlueServiceEndpoint=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
eu.egi.sec.dCache Test queries site BDII for the following pattern
"(&(GlueSEImplementationName=dCache)(|(GlueSEImplementationVersion=1.8.*)(GlueSEImplementationVersion=1.9.1-*)(GlueSEImplementationVersion=1.9.5)(GlueSEImplementationVersion=1.9.5-*)(GlueSEImplementationVersion=1.9.8-*)(GlueSEImplementationVersion=1.9.10-*)(GlueSEImplementationVersion=production-1.9.5-*)(GlueSEImplementationVersion=cells))(GlueSEUniqueID=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
eu.egi.sec.gLite-CE Test is associated to gLite-CE service endpoints in the GOC DB and it always returns CRITICAL. This service type has been obsoleted for a while and it should be removed from all sites.
eu.egi.sec.gLite-31 Test queries site BDII for the following pattern "(&(GlueServiceDataValue=3.1.0)(GlueChunkKey=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
eu.egi.sec.gLite-32 Test queries site BDII for the following pattern "(&(GlueServiceDataValue=3.2.0)(GlueChunkKey=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.
eu.egi.sec.gLite-32-sup Test queries site BDII for the following pattern "(&(GlueServiceDataValue=3.2.0)(GlueChunkKey=*$HOSTNAME$*))". Returns WARNING if query returns any results. This query is used for gLite 3.2 service types which are supported til the end of November 2012 (see the gLite 3.2 support calendar).
eu.egi.sec.LCG-CE Test is associated to CE service endpoints in the GOC DB and it always returns CRITICAL. LCG-CE is unsupported (see the gLite 3.2 support calendar).
eu.egi.sec.MON Test is associated to MON service endpoints in the GOC DB and it always returns CRITICAL. This service type has been obsoleted for a while and it should be removed from all sites.
eu.egi.sec.RB Test is associated to RB service endpoints in the GOC DB and it always returns CRITICAL. This service type has been obsoleted for a while and it should be removed from all sites.
eu.egi.sec.Total-gLite-31 Test queries site BDII for the following pattern "(GlueServiceDataValue=3.1.0)". Returns CRITICAL if query returns any results. At this point query does not create alarm in Dashboard and it is used only as a counter of service endpoint with gLite 3.1 available on site.
eu.egi.sec.Total-gLite-32 Test queries site BDII for the following pattern "(GlueServiceDataValue=3.2.0)". Returns WARNING if query returns any results. At this point query does not create alarm in Dashboard and it is used only as a counter of service endpoint with gLite 3.2 available on site.
eu.egi.sec.WMS-gLite-31 Test queries site BDII for the following pattern "(&(GlueServiceType=org.glite.wms.WMProxy)(GlueServiceVersion=3.2*)(GlueServiceEndpoint=*$HOSTNAME$*))". Returns CRITICAL if query returns any results.

Table below defines mappings between MW tests and service types.

Service type Nagios test Comment
CE eu.egi.sec.LCG-CE
Central-LFC eu.egi.sec.gLite-31
eu.egi.sec.gLite-32-sup
Classic-SE eu.egi.sec.Classic-SE
FTS eu.egi.sec.gLite-31
eu.egi.sec.gLite-32-sup
gLite-CE eu.egi.sec.gLite-CE
Local-LFC eu.egi.sec.gLite-31
eu.egi.sec.gLite-32-sup
MON eu.egi.sec.MON
MyProxy eu.egi.sec.gLite-31
eu.egi.sec.gLite-32
RB eu.egi.sec.RB
Site-BDII eu.egi.sec.gLite-31
eu.egi.sec.gLite-32
eu.egi.sec.Total-gLite-31
eu.egi.sec.Total-gLite-32
SRM eu.egi.sec.gLite-31
eu.egi.sec.gLite-32-sup
eu.egi.sec.dCache
Top-BDII eu.egi.sec.gLite-31
eu.egi.sec.gLite-32
VO-box eu.egi.sec.gLite-31
VOMS eu.egi.sec.gLite-31
eu.egi.sec.gLite-32
WMS eu.egi.sec.WMS-gLite-31