Maria Dimou - cern-it-gd
LCG
November 2007 GDB
October 2007 VOM(R)S Workshop report
https://twiki.cern.ch/twiki/bin/view/LCG/VomsWG
Grid Deployment Board, 2007-11-07
Main challenges on the agenda
1. Complete the voms-admin+glite scripts’ certification process.
2. Install latest vomrs and voms on test host voms111.cern.ch.
3. Prompt VOs to test this installation with Generic Attributes (GAs) activated.
4. Check new software environment:
   - OS SLC4
   - New oracle-instant-client version 10.2.0.3
   - Different oracle connectivity parameters (OCI)
   - New tomcat5-5.5 version
   - Dramatically different voms-admin (version 2).
Full agenda: http://indico.cern.ch/conferenceOtherViews.py?view=standard&confId=18764
Transition to production
Waiting for 4 new SLC4 hosts with the following set-up:
- lcg-voms.cern.ch (2 hosts, identical configuration, automatic fail-over via LinuxHA). Functions:
  - User registration via vomrs
  - Voms-proxy attribution
- voms.cern.ch (2 hosts, identical configuration, automatic fail-over via LinuxHA). Functions:
  - Gridmap file preparation
  - Voms-proxy attribution
LinuxHA on SLC4 has never been used so far. CERN/IT/FIO is helping us with this port.
NB!!! This function split between voms and lcg-voms has been in use since December 18th 2006!!! Some VOs and sites are still not aware of it.
Future topics at the workshop
- VOMS db Replication
  - Allowed by policy, implemented in voms core, requested by the VOs, needs testing.
  - Following successful CNAF-internal tests, CERN-CNAF tests were decided.
- VOM(R)S Service registration
  - The objective is to allow cron jobs to obtain voms-proxies.
  - Discussed also at the 29/10/07 JSPG.
  - Features: Trace back the individual who registered the service.
  - VO Admin entering hundreds of hosts or site admins becoming VO members is inconceivable.
  - Reached no implementable conclusion. VOs and other middleware developers have to specify requirements.
VOM(R)S versions
In production today (all on Oracle):
- Vomrs-1.3.1-d with GAs implemented but not activated
- Voms-admin-1.2.19-1 with GAs implemented but not activated
- voms-server-1.7.16-2
Certified and going to production end of November 2007:
- Vomrs-1.3.1-e with GAs activated
- Voms-admin-2.0.9 with GAs activated
- voms-server-1.7.23-1.slc4
Pre-requisites for production
- Still suffering from periodic memory problems on the CERN VOMS servers. On developers’ request we completely removed voms-admin from lcg-voms.cern.ch, leaving only vomrs. This requires an exceptional startup procedure, not available in the gLite scripts.
- Due to our complex installation (4 hosts) the gLite ‘site’ configuration scripts are needed, which are currently broken and being re-written by the certifier.
(More) pre-requisites
Vomrs code change to handle problems with voms-admin synchronisation due to VO members with certificates from expired CAs.
LinuxHA testing is not yet finished.
The new servers we requested last May will come after Christmas; we have to “improvise” with temporary hardware.
We can’t go back due to a change in the database schema.
The Others
The Sites
- Delays in updating VO configuration data at the sites are a big problem. The “VO Configurator” is now available from the CIC portal but:
  - How much complexity do we put in it?
  - How do we convince the sites to use it?
- Voms no longer requires the entire hostcert.pem to be installed at all sites. This will require a configuration change from their side.
- Voms-admin no longer accepts ‘emailAddress’ and ‘USERID’ in a DN. Sites have to upgrade to openssl-0.9.7+
Operational dangers
Between Christmas 2007 and March 2008 we are losing:
The CERN VOM(R)S service manager and supporter.
The only (worldwide) vomrs tester and supporter.
The only voms code certifier.
There is no such thing as a ‘frozen’, ‘stable’, ‘off the shelf’ service for voms/vomrs due to:
Bug fixes
New requirements
Consequences
User support via mailing lists and GGUS tickets takes 5% of the supporters’ time, and not less than that. It can’t be abandoned and it can’t be given to people who don’t know the service set-up.
The current installation, done according to CERN/IT/FIO quattor practices with individual rpms in CDB, requires in-depth knowledge of the certification status of every component. It can’t be given to a sysadmin who doesn’t know about voms.
Increasing complexity
- voms-admin-2 is dramatically different from voms-admin-1.2.19. We anticipate a lot of support effort required at the beginning.
- voms-admin-2.5 is the next stop gap, implementing JSPG requirements for periodic user expiration in the VO etc. Who will do the big certification and vomrs testing job required for that?
- JRA1 has not yet decided whether voms-admin-2 and 2.5 will both be supported.
- Vom(r)s Oracle port is only used at CERN. All developers are reluctant to envisage any testing anywhere else but CERN.
Moreover
FNAL is willing to maintain vomrs but will never test ORGDB (CERN HR db) integration (LHC VO exclusivity).
For GA usage, the UI must be equipped with voms-admin client and paraphernalia.
In summary and conclusion
voms and vomrs are still very visible and critical services. Therefore they can’t be stripped of resources for
1. development,
2. deployment and
3. support.
Thank You!