== Security ==

=== SINDES Update - J. Dudziec ===

Certificate authority + secured file store.

Several issues requiring major reengineering
* Only one SINDES user per system: no fine-grained permissions for different users
* Impossible to delete a file in the file store
* Impossible to move a machine from one cluster to another one
* No support for subclusters
* Unattended installation of machines not really possible: SINDES must be notified first

Progress since last workshop
* Documentation on Quattor wiki
* Code in SF with Apache2 license: still some issues (currently GPL)

SINDES v2 overview
* Apache + SOAP
* Internal DB for SINDES-specific information, e.g. SINDES items (file + permissions)
* Interaction with CDB through CDB2SQL to retrieve host information (e.g. cluster/subcluster)
* Kerberos (Krb) used in place of the SINDES CA for accessing the SINDES server
* Same client tool for users and hosts
* Major improvement of code maintainability: 300 LOC instead of 10K in v1
* Site-specific authorization modules to use whatever is appropriate at the site: CERN is using egroups, LANDB...

Impact of SINDES CA removal: not necessarily more difficult to set up Krb than the SINDES CA...
* SINDES CA adds a lot of complexity to SINDES code, not necessarily secure...
* May consider adding support for other optional authentication methods, like certificates

Unattended installation
* CERN: initial keytab download allowed if the request comes from a privileged (low) port and reverse DNS matches (no time window)
* MS: adding a time-window feature to Krb
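
The CERN rule above, written out as a server-side policy check. This is an added example, not SINDES code: the lookup functions and DNS tables are constructed so it runs offline, and it additionally forward-confirms the PTR record, which the notes do not mention.

```python
"""Policy check for an unattended first keytab download.

Added example, not SINDES code. The request must come from a privileged
(low) source port and the reverse DNS of the source must match the host
the keytab is for; the PTR is also forward-confirmed (an addition here)."""
import ipaddress
from typing import Callable, Optional, Tuple

PRIVILEGED_PORT_MAX = 1023  # binding below 1024 needs root on Unix

# Constructed sample DNS data: 192.0.2.12's PTR claims node01, but node01's
# A record points elsewhere, i.e. a reverse entry that is not confirmed.
SAMPLE_PTR = {"192.0.2.10": "node01.example.test",
              "192.0.2.11": "node02.example.test",
              "192.0.2.12": "node01.example.test"}
SAMPLE_A = {"node01.example.test": "192.0.2.10",
            "node02.example.test": "192.0.2.11"}

Lookup = Callable[[str], Optional[str]]

def sample_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)

def sample_a(name: str) -> Optional[str]:
    return SAMPLE_A.get(name)

def keytab_request_allowed(src_ip: str, src_port: int, requested_host: str,
                           ptr_lookup: Lookup = sample_ptr,
                           a_lookup: Lookup = sample_a) -> Tuple[bool, str]:
    """Return (allowed, reason) for one download request."""
    try:
        ipaddress.ip_address(src_ip)
    except ValueError:
        return False, "malformed source address"
    if not 0 < src_port <= PRIVILEGED_PORT_MAX:
        return False, "source port is not privileged"
    ptr = ptr_lookup(src_ip)
    if ptr is None:
        return False, "no reverse DNS for source"
    ptr, wanted = ptr.lower().rstrip("."), requested_host.lower().rstrip(".")
    if ptr != wanted:
        return False, "reverse DNS does not match requested host"
    # A PTR alone is controlled by the reverse zone's owner, so check that
    # the forward record points back at the same address before trusting it.
    if a_lookup(ptr) != src_ip:
        return False, "reverse DNS not forward-confirmed"
    return True, "ok"
```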

The only client available in v1 is the command line; other APIs are under consideration for v2
* May change the implications of the GPL license

=== Quattor and CERN Security - L. Muñoz Mejías ===

Applying SW updates
* CERN IT prepares snapshots of recommended versions every week, users pick one of them
* In case of a major security vulnerability/problem, CERN Security can make an update mandatory

Challenge of managing 250M accounts... in particular the challenge of maintaining ACLs
* Unix groups are not an appropriate solution: difficult to maintain, no recursive groups
* LDAP + egroups used to implement the required features
* egroups: logical name for a set of accounts, recursive
* Quattor used to configure LDAP authorization
* Still an issue to configure non-LDAP-aware services

Access to accounts: mainly through Krb (+PAM)
* SSH keys are a potential problem in case a computer is compromised outside CERN: no way to know if the keys have been removed from all CERN computers
* Privileged accounts: no possibility to ssh out from a privileged account
* Need to restrict more accounts (apache, oracle)
* Would like to restrict the allowed origin of incoming connections to privileged accounts

Multi-factor authentication: no uniform way of doing it, work in progress

Logging of all commands and command arguments on sensitive systems using `snoopy`
* Intercepts calls to execv and sends what is executed to syslog
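
One use of those execv records: a detection that ties the snoopy logging to the "no ssh out from a privileged account" rule above. This is an added example, not snoopy's own code; it assumes the usual snoopy syslog field layout, and the uid table and log lines are constructed.

```python
"""Detection over snoopy-style execv records.

Added example, not snoopy's own code. Assumes the usual snoopy syslog
layout, roughly 'snoopy[pid]: [uid:U sid:S tty:T cwd:C filename:F]: argv',
and flags outbound ssh/scp/sftp executed by root or by the service
accounts named in the notes. The log lines below are constructed."""
import re
from typing import Dict, List, Optional

SNOOPY_RE = re.compile(
    r"snoopy\[(?P<pid>\d+)\]: \[uid:(?P<uid>\d+) sid:(?P<sid>\d+) "
    r"tty:(?P<tty>\S+) cwd:(?P<cwd>\S+) filename:(?P<filename>\S+)\]: (?P<argv>.*)$")

# Constructed uid table: root plus service accounts that should never ssh out.
RESTRICTED_UIDS = {0: "root", 48: "apache", 501: "oracle"}
# Compared by basename so /usr/bin/ssh and /usr/local/bin/ssh both match.
OUTBOUND_BINARIES = {"ssh", "scp", "sftp"}

def parse_snoopy(line: str) -> Optional[Dict[str, str]]:
    """Return the record fields, or None for a non-snoopy or unexpected line."""
    m = SNOOPY_RE.search(line)
    return m.groupdict() if m else None

def flag_outbound_from_restricted(lines: List[str]) -> List[str]:
    """One alert string per record where a restricted uid ran an outbound tool."""
    alerts = []
    for line in lines:
        rec = parse_snoopy(line)
        if rec is None:
            continue  # skip lines we cannot parse rather than crash the monitor
        uid = int(rec["uid"])
        binary = rec["filename"].rsplit("/", 1)[-1]
        if uid in RESTRICTED_UIDS and binary in OUTBOUND_BINARIES:
            alerts.append(f"{RESTRICTED_UIDS[uid]} (uid {uid}) ran {binary} from "
                          f"{rec['cwd']} on {rec['tty']}: {rec['argv']}")
    return alerts

# Constructed sample syslog lines in the assumed layout.
SAMPLE_LINES = [
    "Mar  3 10:01:12 lxsrv01 snoopy[12345]: [uid:0 sid:900 tty:/dev/pts/0 "
    "cwd:/root filename:/usr/bin/ssh]: ssh admin@backup.example.test",
    "Mar  3 10:01:15 lxsrv01 snoopy[12346]: [uid:1001 sid:901 tty:/dev/pts/1 "
    "cwd:/home/alice filename:/bin/ls]: ls -l",
    "Mar  3 10:02:00 lxsrv01 snoopy[12347]: [uid:48 sid:902 tty:(none) "
    "cwd:/var/www filename:/usr/bin/scp]: scp report.txt web@mirror.example.test:",
    "Mar  3 10:02:05 lxsrv01 sshd[12348]: Accepted publickey for alice",
]
```

Running `flag_outbound_from_restricted(SAMPLE_LINES)` yields two alerts (root's ssh and apache's scp) and silently skips the sshd line, which is not a snoopy record.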

Monitoring with alarming of ~12 security-sensitive files per computer
* File permissions

== Development Process and Tools ==

=== End of current sprint ===

See [https://trac.lal.in2p3.fr/Quattor/wiki/Development/Scrum/Sprint-2011-01 wiki].

=== Maven-based Build Tools - C. Loomis ===

Tools available
* Build plugins and configuration for a full configuration module
* Archetype to build the configuration for a new configuration module
* Creates tarballs as well as RPMs

[https://trac.lal.in2p3.fr/Quattor/wiki/Web/UsingMaven Documentation] available.

Usage status
* pan
* pan-templates
* ncm-query and ncm-cdispd: prototype available

Making releases
* "Magic" to do a release with Maven is easy: `mvn clean release:prepare release:perform`
* Builds, tags, uploads packages, makes the "site", increments the version
* But requires some specific permissions: write access to the Nexus repository for packages, write access to the SF website for "site" information
* Allow anyone to make a release from the command line?
* Use a continuous integration server (e.g. Hudson) for releases? Preferred solution... but it is an additional service (not available on SF, need to manage identities)

Continuous integration service: many more benefits than just making releases
* Not necessarily a big deal to set up the service
* Already have the StratusLab experience
* Is LAPP ready to do it (previously in charge of the build infrastructure)?

More discussion tomorrow? Attempt to start a Hudson server?

=== Development Process Discussion ===

Generally good feeling for those who participated
* But not a very good feeling about EVO
* Let's test the MS audio system for the next standups

Meeting day and time: Thursday 2pm CET is not necessarily the best slot
* Start a Doodle to find another possible slot, preferably during the morning
* Wednesday may be a good choice, avoid Monday/Friday

Sprint duration: 1 month, smaller backlog
* Monthly meeting to close the sprint and have the user interaction slot

Configuration module management: how to know/update what is the recommended (stable) version to use?
* No great idea...
* Involves manual steps/work
* Must be sustainable...
* To be reviewed when we have converted all configuration modules to use the Maven tools and have a continuous integration server in place.

Migration from SVN to Git: is it desirable? If yes, which steps?
* StratusLab feedback: required a bit of effort for SVN users but several benefits in the end
* Smaller, more specific repositories: smaller number of users with write access per repository
* External references are really external to the repository
* At SF, all users with write access in the project have write access to Git repositories by default, but this can be restricted per repository
* Short-term steps: new projects (e.g. SINDES) in Git, panc moved from SVN to Git
* Need a candidate with interaction between several developers: CCM-related things (ccm, ncm-cdispd, ncm-ncd, QuattorFS), AII and its plugins

== RHEL6 ==

=== CERN Experience ===

* Path to install Perl modules has changed: fixed by Luis for every Perl module in SVN
* Now installed in /usr/lib/perl, which applications are not supposed to use (not used by anybody)
* Using the standard installation place makes the RPM OS-version dependent
* Use /opt/quattor/lib/perl: upgrade ncm-ncd to look in both places
* `rpmt-py` broken by 2 changes in the standard Python RPM bindings: fixed by Christos
* `curl` bug breaking SINDES and potentially anything using `wget`: certificates not looked up in the right place
* No workaround/fix yet
* No impact known yet on Quattor itself
* `ncm-grub` doesn't update the kernel after a kernel upgrade and the %post script in the RPM is failing
* Christos will try to look at this
* Also a need to add the kernel architecture to the grub command
* `SELinux`: issue with rpmt-py, needs to be documented on the Quattor wiki
* LDAP configuration is now in another place with another layout (previous information as a string, now several tokens): ncm-authconfig has to be enhanced
* Difficult to split the existing string into SL6 tokens: site specific
* Rework the schema to have something more appropriate to handle different platforms?
* Luis will try to summarize the problem and possible solutions on quattor-devel
* Not clear if others are using LDAP for authentication...
* Time synchronization in virtual machines running on HyperV: need to run the new `ntpdate` service during startup to force synchronization
* Initial time seems to be UTC...
* ncm-modprobe: modprobe configuration files changed their location, new attribute in the schema to specify this location
* Needs to be handled by the OS configuration templates
* ncm-symlinks: use of the latest version required

=== AUTH ===

* A few fixes to be committed

=== MS ===

* Problem with AII file system partitioning (caches not flushed or something like that): considering using standard Anaconda for this, driving it from the Quattor config
* In the past, issues with Anaconda's handling of file system partitioning
* ncm-pam issue, about to commit the fix

=== Discussion ===

RHEL6 raises the question of the potential changes that may be required for multiple-platform support
* MS wants to restart the Solaris port
* Some components may be valid only on one platform: how to prevent them from being used on the wrong one
* Bind the path in the configuration to something that prevents its use

== Conclusions - Next Workshop ==

Next workshop in Strasbourg. Start a Doodle to find the most appropriate date.
* Best candidates look like week 41 (10-14/10) and 42 (17-21/10)