1Maria Dimou- cern-it-gd

LCG

November 2007 GDB

October 2007 VOM(R)S Workshop report

https://twiki.cern.ch/twiki/bin/view/LCG/VomsWG

Grid Deployment Board2007-11-07

2Maria Dimou- cern-it-gd

LCG

November 2007 GDB

Main challenges on the agenda

1. Complete the voms-admin+glite scripts’ certification process.

2. Install latest vomrs and voms on test host voms111.cern.ch.

3. Prompt VOs to test this installation with Generic Attributes (GAs) activated.

4. Check new software environment: OS SLC4 New oracle-instant-client version 10.2.0.3 Different oracle connectivity parametres (OCI) New tomcat5-5.5 version Dramatically different voms-admin (version 2).

Full agenda: http://indico.cern.ch/conferenceOtherViews.py?view=standard&confId=18764

3Maria Dimou- cern-it-gd

LCG

November 2007 GDB

Transition to production

Waiting for 4 new SLC4 hosts with set-up: lcg-voms.cern.ch (2 hosts, identical configuration,

automatic fail-over via LinuxHA). Functions: User registration via vomrs Voms-proxy attribution.

Voms.cern.ch (2 hosts, identical configuration, automatic fail-over via LinuxHA). Functions:

Gridmap file preparation. Voms-proxy attribution.

LinuxHA on SLC4 was never used so far. CERN/IT/FIO is helping us with this port.

NB!!! This function split between voms and lcg-voms is in use since December 18th 2006!!! Still some VOs and sites are not aware.

4Maria Dimou- cern-it-gd

LCG

November 2007 GDB

Future topics at the workshop

VOMS db Replication Allowed by policy, implemented in voms core, requested

by the VOs, needs testing. Following successful CNAF-internal tests, CERN-CNAF

tests were decided . VOM(R)S Service registration

The objective is to allow cron jobs to obtain voms-proxies.

Discussed also at the 29/10/07 JSPG. Features: Trace back the individual who registered the service. VO Admin entering hundreds of hosts or site admins

becoming VO members is inconceivable. Reached no implementable conclusion. VOs and other middleware developers have to specify

requirements.

5Maria Dimou- cern-it-gd

LCG

November 2007 GDB

VOM(R)S versions In production today (All on Oracle) :

Vomrs-1.3.1-d with GAs implemented but not activated

Voms-admin-1.2.19-1 with GAs implemented but not

activated.

voms-server-1.7.16-2

Certified and going to production end of November 2007:

Vomrs-1.3.1-e with GAs activated [Details]

Voms-admin-2.0.9 with GAs activated.

voms-server-1.7.23-1.slc4

6Maria Dimou- cern-it-gd

LCG

November 2007 GDB

Pre-requisites for production Still suffering from periodic memory problems on

the CERN VOMS servers. On developers’ request we completely removed voms-admin from lcg-voms.cern.ch, leaving only vomrs. This requires an exceptional startup procedure, not available in the gLite scripts.

Due to our complex installation (4 hosts) the gLite ‘site’ configuration scripts are needed, which are currently broken and being re-written by the certifier.

7Maria Dimou- cern-it-gd

LCG

November 2007 GDB

(More) pre-requisites

Vomrs code change to handle problems with voms-admin synchronisation due to VO members with certificates from expired CAs.

LinuxHA testing is not yet finished.

The new servers we requested last May will come after Christmas we have to “improvise” with temporary hardware.

We can’t go back due to a change in the database schema.

8Maria Dimou- cern-it-gd

LCG

November 2007 GDB

The Others The Sites Delays in updating VO configuration data at the sites

are a big problem. The “VO Configurator” is now available from the CIC portal but:

How much complexity do we put in it?

How do we convince the sites to use it?

Voms no more requires the entire hostcert.pem to be installed at all sites. This will require a configuration change from their side.

Voms-admin no more accepts ‘emailAddress’ and ‘USERID’ in a DN. Sites have to upgrade to openssl-0.9.7+

9Maria Dimou- cern-it-gd

LCG

November 2007 GDB

Operational dangers

Between Christmas 2007 and March 2008 we are losing:

The CERN VOM(R)S service manager and supporter.

The only (worldwide) vomrs tester and supporter.

The only voms code certifier.

There is no such thing as a ‘frozen’, ‘stable’, ‘off the shelf’ service for voms/vomrs due to:

Bug fixes

New requirements

10Maria Dimou- cern-it-gd

LCG

November 2007 GDB

Consequences

User support via mailing lists and GGUS tickets takes 5% of the supporters’ time but not less than that. It can’t be abandoned and it can’t be given to people who don’t know the service set-up.

Current installation according to CERN/IT/FIO quattor practices with individual rpms in CDB requires in depth knowledge of the certification status of every component. It can’t be given to a sys. Admin who doesn’t know about voms.

11Maria Dimou- cern-it-gd

LCG

November 2007 GDB

Increasing complexity voms-admin-2 is dramatically different from voms-admin-

1.2.19. We anticipate a lot of support effort required at the beginning.

voms-admin-2.5 is the next stop gap, implementing JSPG requirements for periodic user expiration in the VO etc. Who will do the big certification and vomrs testing job required for that?

JRA1 has not yet decided whether voms-admin-2 and 2.5 will be, both, supported.

Vom(r)s Oracle port is only used at CERN. All developers are reluctant to envisage any testing anywhere else but CERN.

12Maria Dimou- cern-it-gd

LCG

November 2007 GDB

Moreover

FNAL is willing to maintain vomrs but will never test ORGDB (CERN HR db) integration (LHC VO exclusivity).

For GA usage, the UI must be equipped with voms-admin client and paraphernalia.

13Maria Dimou- cern-it-gd

LCG

November 2007 GDB

In summary and conclusion

voms and vomrs are still very visible and critical services. Therefore they can’t be stripped from resources for

1. development,

2. deployment and

3. support.

Thank You!