Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

URT:Agenda-2018-01-22

From EGIWiki
Jump to navigation Jump to search

Meeting

News

  • UMD3 deprecation
    • WMS dismission plan presented at OMB
    • in parallel, UMD team will test upgrading the umd-release package from UMD3/SL6 to UMD4/SL6 to make usre everything works properly
    • plan will be arranged and agreed with PTs in January/February
    • at some point UMD3 will be "freezed" (no more updates of any kind, either security ones)
      • OMB suggested to remove it completely so that it's not used anymore
      • probably we will establish a period of 2-4 weeks during which sites get progressively aware that the old repos won't work anymore and switch to UMD4/SL6
      • if any security issue comes out during that period, we will ask to shut down the repository


  • CMD-OS update still in preparation
  • CMD-ONE first release to be fixed adding site BDII

UMD4

In Verification

Under Staged Rollout

Ready to be Released

CMD-OS

In Verification

In Staged Rollout

Ready to be released

CMD-ONE

In verification

In Staged Rollout

Ready to be released

Report from WLCG MW Officer

Singularity (http://singularity.lbl.gov/) is planned to be used in production by CMS and ATLAS next year.

Should we start include it also in UMD? (also as part of WN)

Updates from Technical Providers

APEL

Frontier

Indigo-DataCloud

dCache

DPM/LFC

DPM 1.9.2 released and we plan to push it to EPEL stable tomorrow.

as it fixes as well a vulnerability, it would be good to add it ASAP to UMD

Data management clients

NTR

FTS

NTR

ARC

Nothing special to report. ARC 6 is the main focus. Very preliminary timeline: release candidate by April? In ARC 6 nagios and gangliarc will not anymore be shipped together with ARC, but will have separate releases. However, the reports on any nagios news (or gangliarc news) will still be done by me for URT.


Working on setting up GitLab CI and Jenkins testing.

QCG

Globus

xrootd

xrootd 4.8.0 is available in EPEL stable since 2018-01-02.

caNl

Preview

to be released in the next days:

  • CentOS7: APEL-SSM 2.2.0 ARC 15.03 update 18 CVMFS 2.4.4 davix 0.6.7 dCache 3.1.26 and dcap 2.47.12 DPM 1.9.2 XRootD 4.8.0
  • sl6: APEL-SSM 2.2.0 ARC 15.03 update 18 CVMFS 2.4.4 davix 0.6.7 dCache 2.16.57 and dcap 2.47.12 DPM 1.9.2 XRootD 4.8.0

AOB

products that need to download from VOMS the list of users

VOMS allows to every owner of a IGTF certificate to download the list of users. This is not compliant with the European GDPR, since VO membership is considered sensitive data., so that VOMS needs to implement a stricter ACL to the users list.

In order to understand how to proceed, first of all we need to figure out all the use cases: please let us know if any of your products needs to get the users DN for performing the authentication and authorisation mechanism (i.e. grid-mapfile generation containing the users certificate subject).

bouncycastle update in EPEL

There is an update coming to EPEL 6 involving some Java components.

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-71db8f6f28

There are updated packages for:

  • bouncycastle-1.58-2.el6
    • The new package uses the new bouncycastle package build mechanism used in the Fedora bouncycastle package, building all bouncycastle binary packages from the same source RPM:
      • bouncycastle-1.58-2.el6.noarch.rpm
      • bouncycastle-mail-1.58-2.el6.noarch.rpm
      • bouncycastle-pg-1.58-2.el6.noarch.rpm
      • bouncycastle-pkix-1.58-2.el6.noarch.rpm
      • bouncycastle-tls-1.58-2.el6.noarch.rpm
    • Previously, only bouncycastle itself was in EPEL 6. This update adds the others to the EPEL 6 repository.
    • A bouncycastle-mail package (matching the old bouncycastle version i EPEL 6) was provided in the UMD repo.
  • jglobus-2.1.0-4.el6 (I guess noone is using this...)
  • voms-api-java-3.2.0-7.el6

The update also adds packages previously not in EPEL 6 due to missing bouncycastle dependencies:

  • canl-java-2.5.0-1.el6
  • voms-clients-java-3.0.7-6.el6

With this update there are some changes w.r.t. the packages currently in UMD:

  • Since voms-api-java is updated to version 3, the voms-api-java3 currently in UMD becomes obsolete, so references to /usr/share/java/voms-api-java3.jar should be changed to /usr/share/java/voms-api-java.jar
  • In the new bouncycastle version some classes have moved between the different bouncycastle packages.
    • The new canl-java depends on bouncycastle and bouncycastle-pkix.
    • The new voms-api-java depends on canl-java (and hence on bouncycastle and bouncycastle-pkix), but no longer on bouncycastle-mail.
  • The class org.bouncycastle.openssl.PasswordFinder is deprecated in the new bouncycastle and canl-java 2.5.0 provides a replacement eu.emi.security.authn.x509.helpers.PasswordSupplier.

Providers of products depending on these components should investigate compatibility and see what changes are needed to code and configuration.

Packages declaring dependencies on the affected packages in the UMD repo are:

  • glite-ce-common-java
  • glite-ce-cream-api-java
  • argus-pap
  • argus-pdp
  • argus-pep-server

These are the directly declared dependencies, some recursive dependencies might be affected too.

The packages glite-security-trustmanager and glite-security-util-java in EPEL 6 have been retired.

There is also an update for EPEL 7:

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-50d69f64bd

Of the issues listed above only the PasswordFinder vs. PasswordSupplier issue should be relevant here.

The corresponding Fedora updates do not update bouncycastle, only update canl-java (and rebuilds the existing versions of voms-api-java and voms-clients-java for the PasswordFinder vs. PasswordSupplier change in canl-java). These are already in stable:

other AOB

Retrieved from "https://wiki.egi.eu/w/index.php?title=URT:Agenda-2018-01-22&oldid=98354"