Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "URT:Agenda-2018-10-08"

From EGIWiki
Jump to navigation Jump to search
Line 117: Line 117:


== Globus ==
== Globus ==
The update that was listed as being in EPEL testing at the previous meeting is now in EPEL stable:
EPEL testing 2018-09-06, EPEL stable 2018-09-21:
* EPEL 7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-4f23223148
* EPEL 6: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-b81da23189


'''Grid Community Toolkit (GCT)'''
'''Grid Community Toolkit (GCT)'''
Line 137: Line 130:


Most of the changes to the code in the GCT release with respect to the latest Globus Toolkit release were already present in the packages in the repositories due to patches applied in the packaging.
Most of the changes to the code in the GCT release with respect to the latest Globus Toolkit release were already present in the packages in the repositories due to patches applied in the packaging.
This update has been 14 days in EPEL testing and can be pushed to EPEL stable. The update has received a +1 karma from Andrea Manzi. There is no negative feedback I am aware of.


'''globus-gssapi-gsi and TLS 1.2'''
'''globus-gssapi-gsi and TLS 1.2'''


As reported at the last meeting, the globus-gssapi-gsi package in the update that was then in EPEL testing (version 13.10-1) changed the default minimum TLS version to 1.2. It is possible to change it to 1.0 (the old default) or 1.1 in /etc/grid-security/gsi.conf or using environment variables.
As previously reported, the globus-gssapi-gsi package currently in EPEL stable (version 13.10-1) changed the default minimum TLS version to 1.2. It is possible to change it to 1.0 (the old default) or 1.1 in /etc/grid-security/gsi.conf or using environment variables.


Unfortunately this change turned out to be more disruptive than anticipated. By the time I was made aware of the problems, the update had already been pushed to EPEL stable. Two separate issues have been reported:
Unfortunately this change turned out to be more disruptive than anticipated. By the time I was made aware of the problems, the update had already been pushed to EPEL stable. Two separate issues have been reported:

Revision as of 14:28, 8 October 2018

Meeting

News

UMD4

In Verification

  • apel ssm 2.3.0
  • storm 1.11.14
  • dpm 1.10.2
  • xroot 4.8.4

Under Staged Rollout

NA

Ready to be Released

NA

CMD-OS

In Verification

  • OOI 1.2.0
  • rOCCI-cli 4.10.2

In Staged Rollout

NA

Ready to be released

NA

CMD-ONE

In verification

NA

In Staged Rollout

  • rocci-cli 4.10.2
  • rocci-server 2.0.4
  • keystorm 1.1.0
  • cloudkeeper 1.6.0
  • cloudkeeper-one 1.3.0
  • cloud-info-provider 0.9.1

Ready to be released =

NA

Updates from Technical Providers

APEL

Frontier

Indigo-DataCloud

dCache

NTR

DPM/LFC

dmlite 1.10.4 in EPEL6 and EPEL7 stable

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-766ee4f28b

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-3bc292f74f

dpm-xrootd 3.6.6 in EPEL testing

Data management clients

New gfal release ( 2.16)

http://dmc.web.cern.ch/release/gfal2-2160

will notify when it will be pushed to EPEL

FTS

FTS 3.8.0 has been tagged

https://gitlab.cern.ch/fts/fts3/tags/v3.8.0

will notify when it will be pushed to EPEL

ARC

There will be an ARC 5 update involving how ARC counts held jobs in Condor. Expected to be released this week or next.


ARC 6 - we are aiming at an alpha release expected this week. Is a very early test-release. Bugs are expected. Testers are welcome.

CREAM

CentOS 7 packages for "CREAM nagios probes": work in progress

QCG

Globus

Grid Community Toolkit (GCT)

As you should be aware, the developers announced that the support of the Globus Toolkit would end on 1 Jan 2018. The development did not completely stop, and there have been updates from the original developers during 2018, which we have packaged for Fedora, EPEL and Debian. When the end of support was announced, a community effort to keep up the maintenance of the toolkit was established [1]. The Grid Community Forum's fork of the Globus Toolkit, named Grid Community Toolkit [2] has been in preparation for some time. And there is now an update in EPEL testing based on the GCT version of the toolkit:

EPEL testing 2018-09-22:

This update is a drop in replacement, keeping the names of the libraries and binaries in the toolkit, keeping the package names in the repositories and keeping library sonames the same as in the Globus Toolkit.

Most of the changes to the code in the GCT release with respect to the latest Globus Toolkit release were already present in the packages in the repositories due to patches applied in the packaging.

This update has been 14 days in EPEL testing and can be pushed to EPEL stable. The update has received a +1 karma from Andrea Manzi. There is no negative feedback I am aware of.

globus-gssapi-gsi and TLS 1.2

As previously reported, the globus-gssapi-gsi package currently in EPEL stable (version 13.10-1) changed the default minimum TLS version to 1.2. It is possible to change it to 1.0 (the old default) or 1.1 in /etc/grid-security/gsi.conf or using environment variables.

Unfortunately this change turned out to be more disruptive than anticipated. By the time I was made aware of the problems, the update had already been pushed to EPEL stable. Two separate issues have been reported:

  • In versions of globus-gssapi-gsi before 11.26 (January 2016) there was a bug that meant that using the FORCE_TLS option meant forcing TLS 1.0, i.e. it also disabled TLS 1.1 and 1.2, and not only SSLv3. So sites that have such old versions installed and also have set the FORCE_TLS option (which was not the default) could not be contacted by clients that requested TLS version 1.2 as the minimum. The number of sites affected by this issue is expected to be small, and they can be fixed by upgrading and/or configuration.
  • The other issue is sites deploying the BeStMan SRM server. This uses a java / jetty / jglobus implementation of GSI and not the Globus Toolkit. Efforts to persuade this implementation to accept a TLS 1.2 connection has so far not been successful. The number and size of sites affected by this issue is not insignificant and includes e.g. the CERN EOS.

TLS 1.0 and 1.1 are recommended not to be used due to security concerns, so long term it makes sense to set the default minimum TLS version to 1.2. However, in order to limit the disruption, the configuration file in the globus-gssapi-gsi version currently in EPEL testing (14.7-2) have been patched to set the default minimum TLS version to 1.0.

xrootd

caNl

BDII

CentOS 7 packages for "BDII nagios probes": work in progress

WN/UI

Preview

  • 2018-08-06
    • Preview 1.19.0 AppDB info (sl6): ARGUS 1.7.2, CGSI-gSOAP 1.3.11, CREAM 1.16.7, davix 0.6.8, dCache 3.2.27, frontier-squid 3.5.27-5.2, STORM 1.11.14, xrootd 4.8.4
    • Preview 2.19.0 AppDB info (CentOS 7): CGSI-gSOAP 1.3.11, CREAM 1.16.7, davix 0.6.8, dCache 3.2.27, frontier-squid 3.5.27-5.2, xrootd 4.8.4
  • gathering information for the new update: DPM 1.10.3, ...

AOB

nagios probes on CentOS 7

to assess:

planned/in progress:

available:

Next meeting

  • Oct 22th, 2018