The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "URT:Agenda-2018-01-22"
Jump to navigation
Jump to search
(→ARC) |
|||
| (7 intermediate revisions by 4 users not shown) | |||
| Line 90: | Line 90: | ||
DPM 1.9.2 released and we plan to push it to EPEL stable tomorrow. | DPM 1.9.2 released and we plan to push it to EPEL stable tomorrow. | ||
as it fixes as well a vulnerability, it would be good to add it ASAP to UMD | as it fixes as well a vulnerability, it would be good to add it ASAP to UMD | ||
* http://lcgdm.web.cern.ch/dpm-192-release | * http://lcgdm.web.cern.ch/dpm-192-release | ||
| Line 104: | Line 104: | ||
== ARC == | == ARC == | ||
ARC | Nothing special to report. ARC 6 is the main focus. Very preliminary timeline: release candidate by April? | ||
In ARC 6 nagios and gangliarc will not anymore be shipped together with ARC, but will have separate releases. However, the reports on any nagios news (or gangliarc news) will still be done by me for URT. | |||
Working on setting up GitLab CI and Jenkins testing. | |||
== QCG == | == QCG == | ||
| Line 119: | Line 116: | ||
== xrootd == | == xrootd == | ||
xrootd 4.8.0 is available in EPEL | xrootd 4.8.0 is available in EPEL stable since 2018-01-02. | ||
* EPEL6: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f299186143 | * EPEL6: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f299186143 | ||
* EPEL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0ab7ad1fce | * EPEL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0ab7ad1fce | ||
== caNl == | == caNl == | ||
= Preview = | = Preview = | ||
to be released in the next days: | |||
*CentOS7: APEL-SSM 2.2.0 ARC 15.03 update 18 CVMFS 2.4.4 davix 0.6.7 dCache 3.1.26 and dcap 2.47.12 DPM 1.9.2 XRootD 4.8.0 | |||
*sl6: APEL-SSM 2.2.0 ARC 15.03 update 18 CVMFS 2.4.4 davix 0.6.7 dCache 2.16.57 and dcap 2.47.12 DPM 1.9.2 XRootD 4.8.0 | |||
= AOB = | |||
== products that need to download from VOMS the list of users == | |||
VOMS allows to every owner of a IGTF certificate to download the list of users. This is not compliant with the European GDPR, since VO membership is considered sensitive data., so that VOMS needs to implement a stricter ACL to the users list. | |||
In order to understand how to proceed, first of all we need to figure out all the use cases: please let us know if any of your products needs to get the users DN for performing the authentication and authorisation mechanism (i.e. grid-mapfile generation containing the users certificate subject). | |||
== bouncycastle update in EPEL == | |||
There is an update coming to EPEL 6 involving some Java components. | |||
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-71db8f6f28 | |||
There are updated packages for: | |||
* bouncycastle-1.58-2.el6 | |||
** The new package uses the new bouncycastle package build mechanism used in the Fedora bouncycastle package, building all bouncycastle binary packages from the same source RPM: | |||
*** bouncycastle-1.58-2.el6.noarch.rpm | |||
*** bouncycastle-mail-1.58-2.el6.noarch.rpm | |||
*** bouncycastle-pg-1.58-2.el6.noarch.rpm | |||
*** bouncycastle-pkix-1.58-2.el6.noarch.rpm | |||
*** bouncycastle-tls-1.58-2.el6.noarch.rpm | |||
** Previously, only bouncycastle itself was in EPEL 6. This update adds the others to the EPEL 6 repository. | |||
** A bouncycastle-mail package (matching the old bouncycastle version i EPEL 6) was provided in the UMD repo. | |||
* jglobus-2.1.0-4.el6 (I guess noone is using this...) | |||
* voms-api-java-3.2.0-7.el6 | |||
The update also adds packages previously not in EPEL 6 due to missing bouncycastle dependencies: | |||
* canl-java-2.5.0-1.el6 | |||
* voms-clients-java-3.0.7-6.el6 | |||
With this update there are some changes w.r.t. the packages currently in UMD: | |||
* Since voms-api-java is updated to version 3, the voms-api-java3 currently in UMD becomes obsolete, so references to /usr/share/java/voms-api-java3.jar should be changed to /usr/share/java/voms-api-java.jar | |||
* In the new bouncycastle version some classes have moved between the different bouncycastle packages. | |||
** The new canl-java depends on bouncycastle and bouncycastle-pkix. | |||
** The new voms-api-java depends on canl-java (and hence on bouncycastle and bouncycastle-pkix), but no longer on bouncycastle-mail. | |||
* The class org.bouncycastle.openssl.PasswordFinder is deprecated in the new bouncycastle and canl-java 2.5.0 provides a replacement eu.emi.security.authn.x509.helpers.PasswordSupplier. | |||
Providers of products depending on these components should investigate compatibility and see what changes are needed to code and configuration. | |||
Packages declaring dependencies on the affected packages in the UMD repo are: | |||
* glite-ce-common-java | |||
* glite-ce-cream-api-java | |||
* argus-pap | |||
* argus-pdp | |||
* argus-pep-server | |||
These are the directly declared dependencies, some recursive dependencies might be affected too. | |||
The packages glite-security-trustmanager and glite-security-util-java in EPEL 6 have been retired. | |||
There is also an update for EPEL 7: | |||
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-50d69f64bd | |||
Of the issues listed above only the PasswordFinder vs. PasswordSupplier issue should be relevant here. | |||
The corresponding Fedora updates do not update bouncycastle, only update canl-java (and rebuilds the existing versions of voms-api-java and voms-clients-java for the PasswordFinder vs. PasswordSupplier change in canl-java). These are already in stable: | |||
* https://bodhi.fedoraproject.org/updates/FEDORA-2018-d64f3921b6 (Fedora 26) | |||
* https://bodhi.fedoraproject.org/updates/FEDORA-2018-651aed081f (Fedora 27) | |||
= AOB | == other AOB == | ||
*Next meeting: '''Jan 22th, 2017''' https://indico.egi.eu/indico/event/3554/ | *Next meeting: '''Jan 22th, 2017''' https://indico.egi.eu/indico/event/3554/ | ||
Latest revision as of 16:32, 22 January 2018
Meeting
- Calendar: https://indico.egi.eu/indico/categoryDisplay.py?categId=107
- meetings are on GoToMeeting
News
- UMD 4.6.0 regular release: RELEASED http://repository.egi.eu/2017/12/18/release-umd-4-6-0/
- UMD 4.6.0/CentOS7
- FTS3 3.6.8 - several new features and bug fixes http://fts3-service.web.cern.ch/documentation/releases#qt-release-ui-tabs3
- ARGUS 1.7.2 - update component Argus PAP service version 1.7.2 fixing PAP permissions
- CVMFS server 2.4.1 - http://cvmfs.readthedocs.io/en/2.4/cpt-releasenotes.html
- dmlite 0.8.8 - bug fixes http://lcgdm.web.cern.ch/dmlite-088-being-released-epel
- GFAL 2.14.2 - https://dmc.web.cern.ch/release/gfal2-2.14.2
- GFAL-utils 1.5.1 - http://dmc.web.cern.ch/release/gfal2-util-1.5.1
- GFAL-python 1.9.3 - http://dmc.web.cern.ch/release/gfal2-python-1.9.3
- Gridsite 2.3.4 - https://github.com/CESNET/gridsite/wiki/Gridsite-release-page#GridSite_234
- UI 4.0.3 - first release of User Interface for centos7 (non supported clients removed) https://twiki.cern.ch/twiki/bin/view/LCG/EL7UIMiddleware
- CREAM 1.16.5 - first release of CREAM with C7 and draft support to Accelerator Devices (GPU, MIC); supported batch systems are Torque, Slurm, HTCondor, LSF; see details on https://wiki.italiangrid.it/twiki/bin/view/CREAM/CREAMReleaseUMD4_5_0
- dCache 3.2.10 - fixes https://www.dcache.org/downloads/1.9/release-notes-3.2.shtml#10
- UMD 4.6.0/SL6
- cvmfs-config-egi 2.0.1 - missing cvmfs config since last UMD release http://cvmfs.readthedocs.io/en/2.3/cpt-releasenotes.html
- VOMS admin 3.7.0 - http://italiangrid.github.io/voms/release-notes/voms-admin-server/3.7.0/
- CVMFS server 2.4.1 - http://cvmfs.readthedocs.io/en/2.4/cpt-releasenotes.html
- GFAL 2.14.2 - https://dmc.web.cern.ch/release/gfal2-2.14.2
- GFAL-utils 1.5.1 - http://dmc.web.cern.ch/release/gfal2-util-1.5.1
- GFAL-python 1.9.3 - http://dmc.web.cern.ch/release/gfal2-python-1.9.3
- ARGUS 1.7.2 - update component Argus PAP service version 1.7.2 fixing PAP permissions
- dmlite 0.8.8 - bug fixes http://lcgdm.web.cern.ch/dmlite-088-being-released-epel
- Gridsite 2.3.4 - https://github.com/CESNET/gridsite/wiki/Gridsite-release-page#GridSite_234
- dCache 3.2.10 - fixes https://www.dcache.org/downloads/1.9/release-notes-3.2.shtml#10
- Announcement on URT discuss list, to be announced also through EGI Monthly Broadcast in January
- UMD3 deprecation
- WMS dismission plan presented at OMB
- in parallel, UMD team will test upgrading the umd-release package from UMD3/SL6 to UMD4/SL6 to make usre everything works properly
- plan will be arranged and agreed with PTs in January/February
- at some point UMD3 will be "freezed" (no more updates of any kind, either security ones)
- OMB suggested to remove it completely so that it's not used anymore
- probably we will establish a period of 2-4 weeks during which sites get progressively aware that the old repos won't work anymore and switch to UMD4/SL6
- if any security issue comes out during that period, we will ask to shut down the repository
- CMD-OS update still in preparation
- CMD-ONE first release to be fixed adding site BDII
UMD4
In Verification
Under Staged Rollout
Ready to be Released
CMD-OS
In Verification
In Staged Rollout
Ready to be released
CMD-ONE
In verification
In Staged Rollout
Ready to be released
Report from WLCG MW Officer
Singularity (http://singularity.lbl.gov/) is planned to be used in production by CMS and ATLAS next year.
Should we start include it also in UMD? (also as part of WN)
Updates from Technical Providers
APEL
Frontier
Indigo-DataCloud
dCache
DPM/LFC
DPM 1.9.2 released and we plan to push it to EPEL stable tomorrow.
as it fixes as well a vulnerability, it would be good to add it ASAP to UMD
Data management clients
NTR
FTS
NTR
ARC
Nothing special to report. ARC 6 is the main focus. Very preliminary timeline: release candidate by April? In ARC 6 nagios and gangliarc will not anymore be shipped together with ARC, but will have separate releases. However, the reports on any nagios news (or gangliarc news) will still be done by me for URT.
Working on setting up GitLab CI and Jenkins testing.
QCG
Globus
xrootd
xrootd 4.8.0 is available in EPEL stable since 2018-01-02.
- EPEL6: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f299186143
- EPEL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0ab7ad1fce
caNl
Preview
to be released in the next days:
- CentOS7: APEL-SSM 2.2.0 ARC 15.03 update 18 CVMFS 2.4.4 davix 0.6.7 dCache 3.1.26 and dcap 2.47.12 DPM 1.9.2 XRootD 4.8.0
- sl6: APEL-SSM 2.2.0 ARC 15.03 update 18 CVMFS 2.4.4 davix 0.6.7 dCache 2.16.57 and dcap 2.47.12 DPM 1.9.2 XRootD 4.8.0
AOB
products that need to download from VOMS the list of users
VOMS allows to every owner of a IGTF certificate to download the list of users. This is not compliant with the European GDPR, since VO membership is considered sensitive data., so that VOMS needs to implement a stricter ACL to the users list.
In order to understand how to proceed, first of all we need to figure out all the use cases: please let us know if any of your products needs to get the users DN for performing the authentication and authorisation mechanism (i.e. grid-mapfile generation containing the users certificate subject).
bouncycastle update in EPEL
There is an update coming to EPEL 6 involving some Java components.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-71db8f6f28
There are updated packages for:
- bouncycastle-1.58-2.el6
- The new package uses the new bouncycastle package build mechanism used in the Fedora bouncycastle package, building all bouncycastle binary packages from the same source RPM:
- bouncycastle-1.58-2.el6.noarch.rpm
- bouncycastle-mail-1.58-2.el6.noarch.rpm
- bouncycastle-pg-1.58-2.el6.noarch.rpm
- bouncycastle-pkix-1.58-2.el6.noarch.rpm
- bouncycastle-tls-1.58-2.el6.noarch.rpm
- Previously, only bouncycastle itself was in EPEL 6. This update adds the others to the EPEL 6 repository.
- A bouncycastle-mail package (matching the old bouncycastle version i EPEL 6) was provided in the UMD repo.
- The new package uses the new bouncycastle package build mechanism used in the Fedora bouncycastle package, building all bouncycastle binary packages from the same source RPM:
- jglobus-2.1.0-4.el6 (I guess noone is using this...)
- voms-api-java-3.2.0-7.el6
The update also adds packages previously not in EPEL 6 due to missing bouncycastle dependencies:
- canl-java-2.5.0-1.el6
- voms-clients-java-3.0.7-6.el6
With this update there are some changes w.r.t. the packages currently in UMD:
- Since voms-api-java is updated to version 3, the voms-api-java3 currently in UMD becomes obsolete, so references to /usr/share/java/voms-api-java3.jar should be changed to /usr/share/java/voms-api-java.jar
- In the new bouncycastle version some classes have moved between the different bouncycastle packages.
- The new canl-java depends on bouncycastle and bouncycastle-pkix.
- The new voms-api-java depends on canl-java (and hence on bouncycastle and bouncycastle-pkix), but no longer on bouncycastle-mail.
- The class org.bouncycastle.openssl.PasswordFinder is deprecated in the new bouncycastle and canl-java 2.5.0 provides a replacement eu.emi.security.authn.x509.helpers.PasswordSupplier.
Providers of products depending on these components should investigate compatibility and see what changes are needed to code and configuration.
Packages declaring dependencies on the affected packages in the UMD repo are:
- glite-ce-common-java
- glite-ce-cream-api-java
- argus-pap
- argus-pdp
- argus-pep-server
These are the directly declared dependencies, some recursive dependencies might be affected too.
The packages glite-security-trustmanager and glite-security-util-java in EPEL 6 have been retired.
There is also an update for EPEL 7:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-50d69f64bd
Of the issues listed above only the PasswordFinder vs. PasswordSupplier issue should be relevant here.
The corresponding Fedora updates do not update bouncycastle, only update canl-java (and rebuilds the existing versions of voms-api-java and voms-clients-java for the PasswordFinder vs. PasswordSupplier change in canl-java). These are already in stable:
- https://bodhi.fedoraproject.org/updates/FEDORA-2018-d64f3921b6 (Fedora 26)
- https://bodhi.fedoraproject.org/updates/FEDORA-2018-651aed081f (Fedora 27)
other AOB
- Next meeting: Jan 22th, 2017 https://indico.egi.eu/indico/event/3554/
- Globus EOL - Status tracked here: https://wiki.egi.eu/wiki/Globus_EOL_assessment