URT:Agenda-08-06-2015

Adobe Connect direct link. Conference system is on Adobe Connect, no password required.
Indico page for the meeting


News

UMD releases status


Status of the products verification/staged rollout

Released

Under Staged Rollout

....

In Verification

Ready to be released:

Rejected

Timeline for the next UMD updates

Updates from the product teams

This section is directly contributed by the product teams. Please add under your section the scheduled releases, with a short comment about the updates introduced and where they are going to be released (EMI repositories, EPEL, private repositories, etc.). Linking external pages with this information is OK, but please add at least the expected date of the next release. It is important to discuss, within the URT, changes that may directly or indirectly affect other products. The text will be copied into the agenda of the next URT meeting; PTs will just need to check that all the information is up to date. Please feel free to alter the template if it doesn't fit your needs.

APEL

ARC

Argus

dCache

BDII

DPM/LFC

Data management clients

will ask our colleagues at T0 to prepare the verification reports

FTS

Frontier-Squid

EMIR

UNICORE

(expected in the course of 2015 that we will publish packages for UMD via AppDB at https://appdb.egi.eu/store/software/unicore)

For now, packages for UNICORE 7.2.0 can be downloaded from

Debian: http://unicore-dev.zam.kfa-juelich.de/release-candidates/core/7.2.0-packages/deb

RPM: http://unicore-dev.zam.kfa-juelich.de/release-candidates/core/7.2.0-packages/rpm

RPM packages were tested on CentOS 6, so SL6 will be fine. SL5 is NOT supported any more.

Changes are listed with respect to the last UNICORE version available in UMD which is 6.6.0


LB

Gridsite

Proxyrenewal

CANL

gLite-security

gLExec-wn

CREAM


CREAM GE utils

STORM

VOMS

WMS

Globus

The updated globus-gssapi-gsi version 11.16 in EPEL testing changed the default name compatibility mode from "HYBRID" to "STRICT_RFC2818". This caused some issues when tested on some deployed systems. See the GGUS ticket for details:

https://ggus.eu/index.php?mode=ticket_info&ticket_id=114076

To remedy this, upstream issued an updated version 11.18 that changed the default back to HYBRID. However, upstream considers this to be a temporary measure, and would like to change the default to "STRICT_RFC2818" eventually.

The EPEL update request has been modified to now use the 11.18 version.

The issues in the GGUS ticket are basically understood: they were mainly due to configuration mistakes, such as a reverse DNS lookup pointing to the wrong name or host certificates that didn't have the hostname listed in their subject alternative names.

Please provide feedback if you have objections to changing the default to "STRICT_RFC2818" in the future.

You can test the impact of different name compatibility mode settings on your software by changing the name resolution mode in the configuration file /etc/grid-security/gsi.conf (introduced in version 11.15) or by using the GLOBUS_GSSAPI_NAME_COMPATIBILITY environment variable. The environment variable has precedence over the config file setting.

In addition to the RFC 2818 way of doing name comparison, the "HYBRID" setting also accepts the old GT2 way of doing this, which includes accepting a match against the name from the reverse DNS lookup. Some consider this a security problem, and changing the default to "STRICT_RFC2818" will avoid it.

More details about the different name compatibility modes, copied from /etc/grid-security/gsi.conf:

# GSSAPI Name compatiblity mode when trying to determine
# if a host certificate is legitimate. GSI predates RFC2818,
# so there are some old, less-secure, practices by default.
# The different modes are:
# STRICT_GT2:
#     Strictly backward-compatible with GT 2.0 name matching. 
#     X.509 subjectAltName values are ignored. Names with
#     hyphens are treated as wildcarded such that 
#     host-ANYTHING.example.com will match a certificate named
#     host.example.com. The name matching will rely on canonical
#     host (as resolved via getnameinfo) name associated with
#     a connection's IP addresses.
# STRICT_RFC2818:
#     Support RFC 2818 server identity processing. Hyphen 
#     characters are treated as normal part of a host name. 
#     dnsName and ipAddress subjectAltName extensions are matched
#     against the host and port passed to GSSAPI. If subjectAltName 
#     is present, X.509 SubjectName is ignored. 
# HYBRID:
#     Support a hybrid of the two previous name matching algorithms,
#     liberally matching both hyphen wildcards, canonical names
#     associated with IP addresses, and subjectAltName extensions.
#     This has been the default since GT 4.2
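
To see which endpoints would stop working once the default becomes "STRICT_RFC2818", the three modes can be modelled from the descriptions above. This is an added example, not Globus code: a simplified model in which the Endpoint class, the function names and the example.org inventory are all constructed, and ipAddress subjectAltName entries and RFC 2818 wildcards are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    requested: str            # name the client passes to GSSAPI
    canonical: str            # name from the reverse DNS lookup of the peer IP
    subject_cn: str           # host name in the certificate subject
    san_dns: list = field(default_factory=list)  # dNSName subjectAltName values

def rfc2818_match(ep):
    # subjectAltName, when present, replaces the subject name entirely.
    # ipAddress entries and RFC 2818 wildcards are left out of this model.
    names = ep.san_dns or [ep.subject_cn]
    return ep.requested.lower() in [n.lower() for n in names]

def gt2_match(ep):
    # subjectAltName ignored; compare the reverse-DNS name with the subject,
    # treating "host-ANYTHING.domain" as equal to "host.domain".
    cn, name = ep.subject_cn.lower(), ep.canonical.lower()
    first, _, rest = name.partition(".")
    stripped = first.split("-", 1)[0] + "." + rest
    return name == cn or ("-" in first and stripped == cn)

MODES = {
    "STRICT_GT2": gt2_match,
    "STRICT_RFC2818": rfc2818_match,
    "HYBRID": lambda ep: rfc2818_match(ep) or gt2_match(ep),
}

def breaks_on_strict(endpoints):
    """Endpoints accepted under HYBRID but rejected under STRICT_RFC2818."""
    return [ep.requested for ep in endpoints
            if MODES["HYBRID"](ep) and not MODES["STRICT_RFC2818"](ep)]

# Constructed sample inventory (example.org names are placeholders).
SAMPLE = [
    Endpoint("se01.example.org", "se01.example.org", "se01.example.org", ["se01.example.org"]),
    Endpoint("storage.example.org", "se02.example.org", "se02.example.org", ["se02.example.org"]),
    Endpoint("ce-3.example.org", "ce-3.example.org", "ce.example.org"),
    Endpoint("ui.example.org", "ui.example.org", "ui.example.org"),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(ep.requested, {m: f(ep) for m, f in MODES.items()})
    print("would fail after the default changes:", breaks_on_strict(SAMPLE))
```

The two endpoints it flags are an alias missing from the certificate's subjectAltName list and a certificate that only matches through the GT2 hyphen wildcard; both are fixed by reissuing the host certificate with the name clients actually use.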

History of Globus updates in EPEL (since GT 6.0)

QCG

Next Release is planned for UMD update in May.


xrootd

xrootd 4.2.1 available in EPEL testing.

Versions with the same major version (in this case 4) are meant to be backwards compatible, so this should not cause problems when updating from the current 4.1.1. But as always - please test and provide feedback!

Report from WLCG MW Officer

Other topics

Actions (done and in progress)

Java 7

EPEL 7

AOB

Minutes

Audio conference details

Room link: http://connect.ct.infn.it/egi-inspire-sa1-ter/

Please provide your name and product team/affiliation as Guest Name.

In the top left corner you will find the "Meeting->Audio Setup Wizard" button, which will help you to configure your audio.

You can test your computer with this link: http://connect.ct.infn.it/common/help/en/support/meeting_test.htm

Adobe Connect tutorials: http://tv.adobe.com/show/learn-adobe-connect-8/

Adobe Connect is Flash-based; if you have issues with your configuration, please try Chrome as your browser.

Back to the URT agendas list page: URT_meetings_agendas
