gLite 3.1
glite-CREAM - Update to version 3.1.16-0
Date | 06.07.2009
Priority | Normal
Description
LCAS/LCMAPS update
Both LCAS and LCMAPS exist in library form only. They need an ecosystem in which they can live. This used to be gridftp, for example, and nowadays glexec is used.
This also means that LCAS and LCMAPS are mostly shielded from the end user and that the interaction primarily goes through glexec.
From a site point of view there is the configuration of LCAS and LCMAPS, and the end user should have no control over it. Other than that, there is not much more interaction required.
New SCAS service
New Site Central Authorization Service (SCAS). SCAS is a Web Service that allows client programs to query for an authorization decision based upon user credentials to access a particular resource. The SCAS client has been added to the cream CE.
Upgrade of GlueCluster.template
The upgrade adds a new Glue attribute, GlueHostProcessorOtherDescription, needed by the lcg CE.
New version of gLExec
- Improved error codes
- Code cleanups prevent crashes. The most interesting ones are when having to work with secondary GIDs that are not shown with their groupname, because the machine can't resolve them.
- More distinct error message reporting: every problem that is not a 202 system error will be reported on stderr. To prevent misuse, a 202 system error is not written to stderr; it will only be readable in the gLExec log.
- Added glexec.conf option "use_lcas {yes,no}" to enable or disable LCAS. Could be good to use in SCAS setups.
- Restored glexec.conf option "lcmaps_get_account_policy = scas:voms:local". You can now use multiple LCMAPS policies and specifically configured
LCMAPS policies.
- Default special group is 'glexec' and not 'apache' (not used due to usage of the whitelist function).
- Added glexec.conf option "target_lock_mechanism {flock,fcntl,disabled}" to select the locking mechanism for the $GLEXEC_TARGET_PROXY (or its default) location.
Requested by the CREAM-BLAH-gLExec team. The default is still flock, but you can also use fcntl or bypass it (not safe) completely, see also below.
- Added glexec.conf option "input_lock_mechanism {flock,fcntl,disabled}" to select the locking mechanism for the $GLEXEC_SOURCE_PROXY (if set) location and GLEXEC_CLIENT_CERT.
Requested by the CREAM-BLAH-gLExec team. The default is flock, but you can also use fcntl or bypass it (not safe) completely, see also below.
- Manpages are cleaned up and reflect the current state of gLExec.
- $SSL_CLIENT_CERT is not usable anymore as this is very error prone. Use GLEXEC_CLIENT_CERT instead.
- The $GLEXEC_MODE="lcmaps_verify_account" setting is disabled. This deprecated functionality is not used, functioned badly and is not supported in all the LCMAPS plugins.
- New scas-client plug-in
- The SCAS Client will now work properly with root-squash enabled network filesystems, by lowering its effective Unix credentials to the calling user.
This allows the SCAS Client to read in the certificate and private key with the proper credentials (similar to the gLExec code).
- The "--endpoint <url>" option can be set multiple times in the lcmaps.db file. The maximum number of configurable endpoints is 32.
- New option: "--endpoint-strategy round-robin|round-robin-random-start|random". The endpoint strategy tells the client in which order it should try to contact the configured endpoints.
With round-robin the list of endpoints will be tried from top to bottom as written in the lcmaps.db file.
The option round-robin-random-start will follow the list of endpoints as written in the lcmaps.db file, but it will randomly start somewhere in the list of endpoints.
The random option will randomly choose an endpoint to try. When unlucky the same endpoint could be tried twice. This is true pseudo-random.
The round-robin-random-start option is made the default. This will automagically provide a load balancing effect by randomly selecting a configured endpoint.
- New option: "--retry <0-9+>". This will alter the retry count when interacting with an SCAS endpoint. By default each endpoint is tried twice before any other endpoint is tried (this excludes the various TCP/IP layer retries that are always performed at a lower level).
This option can alter this default behavior. It can be set to any number as long as it's more than 1. Between two tries there is a small (random) delay built in.
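The following added example (not code from the scas-client plug-in or the gLite project) models the contact order produced by the three endpoint strategies and the retry count as described above, and counts how many attempts an authorization request spends before it reaches a live endpoint. The host names, function names and the number of picks made in "random" mode are assumptions made for illustration.

```python
import random

MAX_ENDPOINTS = 32  # limit stated in the release notes
STRATEGIES = ("round-robin", "round-robin-random-start", "random")

# Constructed sample endpoints (hypothetical hosts, not from the page).
SAMPLE_ENDPOINTS = [
    "https://scas1.example.org:8443",
    "https://scas2.example.org:8443",
    "https://scas3.example.org:8443",
]


def attempt_order(endpoints, strategy="round-robin-random-start", retry=2, rng=None):
    """List every contact attempt, in order, assuming all of them fail."""
    if not 1 <= len(endpoints) <= MAX_ENDPOINTS:
        raise ValueError("between 1 and %d endpoints are allowed" % MAX_ENDPOINTS)
    if strategy not in STRATEGIES:
        raise ValueError("unknown endpoint strategy: %r" % strategy)
    if retry < 1:
        raise ValueError("the model needs at least one try per endpoint")
    rng = rng or random.Random()
    n = len(endpoints)
    if strategy == "round-robin":
        picks = list(range(n))                       # top to bottom as written
    elif strategy == "round-robin-random-start":
        start = rng.randrange(n)                     # random entry point, then list order
        picks = [(start + i) % n for i in range(n)]
    else:
        # Assumption: "random" makes as many independent picks as there are
        # endpoints, so one endpoint can come up twice and another not at all.
        picks = [rng.randrange(n) for _ in range(n)]
    # Each picked endpoint is tried `retry` times before the next one.
    return [endpoints[i] for i in picks for _ in range(retry)]


def attempts_until_success(order, down):
    """1-based number of the first attempt that reaches a live endpoint, else None."""
    for count, endpoint in enumerate(order, start=1):
        if endpoint not in down:
            return count
    return None


if __name__ == "__main__":
    dead = {SAMPLE_ENDPOINTS[0]}  # the first configured endpoint is unreachable
    for name in STRATEGIES:
        order = attempt_order(SAMPLE_ENDPOINTS, name, rng=random.Random(1))
        print(name, attempts_until_success(order, dead), order)
```

With plain round-robin and the first configured endpoint down, every request pays the full retry count on that endpoint before reaching the second one, whereas a random start spreads that cost over only a fraction of the requests.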
Please also have a look at the list of known issues.
This update fixes various bugs. For the full list of bugs, please see list below.
Fixed bugs
Number | Description
#39898 | glexec refuses to execute /bin/sh
#40822 | glexec refuses doubly limited proxies
#44508 | Failed to obtain a lock on the destination proxy
#45523 | Glexec error messages
#45914 | glexec and proxy rotation
#46148 | random error from glexec
#46570 | GlueHostProcessorOtherDescription is not present in the GlueCluster.template
#46859 | glite-info-templates - Missing variables not reported.
#46861 | [ yaim-glexec-wn ] YAIM fails if no pilot users are defined
#46883 | [ yaim-glexec-wn ] if SCAS_ENABLED then CONFIG_GRIDMAPDIR should be set to "no"
#47148 | SCAS Memory leak fix causes periodic errors
#47152 | LCMAPS will fail to succeed in absense of the poolindex value
#47170 | [ yaim-glexec-wn ] YAIM should check formatting of GLEXEC_EXTRA_WHITELIST
#47808 | glxec seg faults when called from root
#48093 | [ scas-client ] LCMAPS scas-client plugin fails to read proxy file from NFS
#48095 | GLEXEC: target location not accessible should return 201 with proper error message.
#48106 | GLEXEC: segfaults when (based on SecGIDs) the system can't provide a groupname
#48167 | GLEXEC: seg fault when glexec.conf is malformed
#49493 | [CREAM-CE] WN cannot download job executable from CE via gridftp after PPS Update 46
#50570 | [LCMAPS saml2-xacml2 plugin] Segmentation fault when X509_USER_PROXY is not defined
#50646 | [GLEXEC] glexec -V returns 202 on success
#51885 | glexec currently uses flock() non-blocking
Updated rpms
The RPMs can be updated using yum via
Service reconfiguration after update
Service must be reconfigured.
Service restart after update
Not needed.
How to apply the fix
- Update the RPMs (see above)
- Update configuration (see above)
- Restart the service if necessary (see above)