gLite 3.1

glite-CREAM - Update to version 3.1.16-0


Date 06.07.2009
Priority Normal

Description



LCAS/LCMAPS update

Both LCAS and LCMAPS exist in library form only. They need an ecosystem in which they can live. This used to be gridftp, for example, and nowadays glexec is used. This also means that LCAS and LCMAPS are mostly shielded from the end user and that the interaction primarily goes through glexec.
From a site point of view there is the configuration of LCAS and LCMAPS, and the end user should have no control over it. Other than that, there is not much more interaction required.

New SCAS service

New Site Central Authorization Service (SCAS). SCAS is a Web Service that allows client programs to query for an authorization decision, based upon user credentials, to access a particular resource. The SCAS client has been added to the CREAM CE.

Upgrade of GlueCluster.template

The upgrade adds a new Glue attribute, GlueHostProcessorOtherDescription, needed by the lcg CE.

New version of gLExec
  • Improved error codes
  • Code cleanups prevent crashes. The most interesting ones are when having to work with secondary GIDs that are not shown with their groupname, because the machine can't resolve them.
  • More distinct error message reporting: every problem that is not a 202 system error will be reported on stderr. To prevent misuse, a 202 system error is not written to stderr; it will only be readable in the gLExec log.
  • Added glexec.conf option "use_lcas {yes,no}" to enable or disable LCAS. Could be good to use in SCAS setups.
  • Restored glexec.conf option "lcmaps_get_account_policy = scas:voms:local". You can now use multiple LCMAPS policies and specifically configured LCMAPS policies.
  • Default special group is 'glexec' and not 'apache' (not used due to usage of the whitelist function).
  • Added glexec.conf option "target_lock_mechanism {flock,fcntl,disabled}" to select the locking mechanism for the $GLEXEC_TARGET_PROXY (or its default) location. Requested by the CREAM-BLAH-gLExec team. The default is still flock, but you can also use fcntl or bypass it (not safe) completely, see also below.
  • Added glexec.conf option "input_lock_mechanism {flock,fcntl,disabled}" to select the locking mechanism for the $GLEXEC_SOURCE_PROXY (if set) location and GLEXEC_CLIENT_CERT. Requested by the CREAM-BLAH-gLExec team. The default is flock, but you can also use fcntl or bypass it (not safe) completely, see also below.
  • Manpages are cleaned up and reflect the current state of gLExec.
  • $SSL_CLIENT_CERT is not usable anymore as this is very error prone. Use GLEXEC_CLIENT_CERT instead.
  • The $GLEXEC_MODE="lcmaps_verify_account" setting is disabled. This deprecated functionality is not used, functioned badly and is not supported in all the LCMAPS plugins.
  • New scas-client plug-in
    • The SCAS Client will properly be able to work now with root-squashed enabled network filesystems, by lowering its effective Unix credentials to the calling user. This will allow for the SCAS Client to read in the certificate and private key with the proper credentials (similar to the gLExec code).
    • The "--endpoint <url>" option can be set multiple times in the lcmaps.db file. The maximum amount of endpoints configurable is 32.
    • New option: "--endpoint-strategy round-robin|round-robin-random-start|random": The endpoint strategy tells the client in which order the configured endpoints should be contacted. With round-robin the list of endpoints is tried from top to bottom as written in the lcmaps.db file. The option round-robin-random-start follows the list of endpoints as written in the lcmaps.db file, but starts at a randomly chosen position in the list. The random option randomly chooses an endpoint to try; when unlucky the same endpoint could be tried twice, as the choice is true pseudo-random. round-robin-random-start is the default. This automagically provides a load balancing effect by randomly selecting one of the configured endpoints.
    • New option: "--retry <0-9+>": This alters the retry count when interacting with an SCAS endpoint. By default each endpoint is tried twice before any other endpoint is tried (this excludes the various TCP/IP layer retries that are always performed at a lower level). This option can alter this default behaviour. It can be set to any number as long as it is more than 1. Between two tries there is a small, randomised built-in delay.
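The following is an added example, not code from gLExec or from the scas-client plug-in, that models how the "--endpoint", "--endpoint-strategy" and "--retry" options above combine into the order in which SCAS endpoints are contacted. The contact function, the "Permit"/"Deny" decision strings and the endpoint URLs are constructed stand-ins for the real SAML2-XACML2 exchange; the random delay between tries is left out.

```python
# Added example (not the scas-client plugin's own code): a model of how
# --endpoint (up to 32 entries), --endpoint-strategy and --retry determine the
# sequence of SCAS endpoints tried for one authorization request.
import random
from typing import Callable, List, Optional, Tuple

MAX_ENDPOINTS = 32  # limit stated in the release notes
STRATEGIES = ("round-robin", "round-robin-random-start", "random")


def endpoint_order(endpoints: List[str], strategy: str,
                   rng: Optional[random.Random] = None) -> List[str]:
    """Return the sequence of endpoints to try, according to the strategy."""
    if not 0 < len(endpoints) <= MAX_ENDPOINTS:
        raise ValueError("between 1 and %d endpoints must be configured" % MAX_ENDPOINTS)
    rng = rng or random.Random()
    if strategy == "round-robin":
        # top to bottom, exactly as written in lcmaps.db
        return list(endpoints)
    if strategy == "round-robin-random-start":
        # same list, rotated so that the walk starts at a random position
        start = rng.randrange(len(endpoints))
        return endpoints[start:] + endpoints[:start]
    if strategy == "random":
        # independent draws: the same endpoint may come up more than once
        return [rng.choice(endpoints) for _ in endpoints]
    raise ValueError("unknown --endpoint-strategy %r" % strategy)


def query_scas(endpoints: List[str], strategy: str, retry: int,
               contact: Callable[[str], Optional[str]],
               rng: Optional[random.Random] = None
               ) -> Tuple[Optional[str], List[Tuple[str, int]]]:
    """Walk the endpoints in strategy order, giving each one `retry` attempts.

    `contact(endpoint)` is a constructed stand-in for the SAML2-XACML2 request:
    it returns the decision ("Permit" or "Deny") or None when the endpoint did
    not answer. Only a missing answer triggers a retry or the next endpoint; a
    Deny is a valid decision and ends the walk. Returns the decision (None if
    every endpoint failed) together with the log of (endpoint, attempt) pairs.
    """
    if retry < 1:
        raise ValueError("--retry must be at least 1")
    attempts: List[Tuple[str, int]] = []
    for endpoint in endpoint_order(endpoints, strategy, rng):
        for n in range(1, retry + 1):
            attempts.append((endpoint, n))
            decision = contact(endpoint)
            if decision is not None:
                return decision, attempts
            # the real client sleeps a small random delay here before retrying
    return None, attempts


def unreachable_set(down: set) -> Callable[[str], Optional[str]]:
    """Build a stand-in contact function: endpoints in `down` never answer."""
    def contact(endpoint: str) -> Optional[str]:
        return None if endpoint in down else "Permit"
    return contact


if __name__ == "__main__":
    # Constructed endpoint list; these hosts are placeholders and do not exist.
    eps = ["https://scas1.example.org:8443",
           "https://scas2.example.org:8443",
           "https://scas3.example.org:8443"]
    decision, log = query_scas(eps, "round-robin", 2, unreachable_set({eps[0]}))
    print(decision, log)
```

With the default of two tries per endpoint, an unreachable first endpoint costs two attempts before the second endpoint is asked; with "random" the same endpoint can legitimately be drawn twice, which is the behaviour the note above describes.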
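The lock-mechanism options above ("target_lock_mechanism" and "input_lock_mechanism", each taking flock, fcntl or disabled) are illustrated by this added example, which is not gLExec's code: it wraps the two mechanisms with Python's fcntl module in place of the C calls, uses a temporary file as a stand-in for the proxy location, and probes what a second open() of the same file sees while the first descriptor holds the lock. The blocking flag reflects fixed bug #51885, where glexec used flock() non-blocking.

```python
# Added example (not gLExec's own code): the flock / fcntl / disabled lock
# mechanisms as a small helper, plus a probe that shows how differently the
# two real mechanisms behave when one process opens the file twice.
import fcntl
import os
import tempfile

MECHANISMS = ("flock", "fcntl", "disabled")


def lock_fd(fd: int, mechanism: str, blocking: bool = True) -> None:
    """Take an exclusive lock on `fd` with the chosen mechanism.

    With blocking=False the call raises BlockingIOError instead of waiting
    when another holder has the lock. "disabled" skips locking entirely,
    which the release notes describe as not safe.
    """
    nb = 0 if blocking else fcntl.LOCK_NB
    if mechanism == "flock":
        fcntl.flock(fd, fcntl.LOCK_EX | nb)          # BSD flock(2)
    elif mechanism == "fcntl":
        fcntl.lockf(fd, fcntl.LOCK_EX | nb)          # POSIX fcntl(2) record lock
    elif mechanism != "disabled":
        raise ValueError("unknown lock mechanism %r" % mechanism)


def unlock_fd(fd: int, mechanism: str) -> None:
    """Release a lock taken by lock_fd (a no-op for "disabled")."""
    if mechanism == "flock":
        fcntl.flock(fd, fcntl.LOCK_UN)
    elif mechanism == "fcntl":
        fcntl.lockf(fd, fcntl.LOCK_UN)


def second_opener_sees(mechanism: str) -> str:
    """Hold a lock via one descriptor, then try a non-blocking lock via a second open().

    Returns "busy" when the second attempt is refused and "acquired" when it
    goes through. flock locks belong to the open file description, so the
    second descriptor is refused; fcntl record locks belong to the process,
    so the same process is never refused and, worse, closing either
    descriptor drops the lock for both. The temporary file is a constructed
    stand-in for the proxy location.
    """
    tmp_fd, path = tempfile.mkstemp(prefix="proxy-lock-demo-")
    os.close(tmp_fd)
    holder = os.open(path, os.O_RDWR)
    probe = os.open(path, os.O_RDWR)
    try:
        lock_fd(holder, mechanism)
        try:
            lock_fd(probe, mechanism, blocking=False)
        except BlockingIOError:
            return "busy"
        return "acquired"
    finally:
        os.close(probe)    # for fcntl this also releases holder's lock
        os.close(holder)
        os.unlink(path)


if __name__ == "__main__":
    for m in MECHANISMS:
        print("%-9s second opener: %s" % (m, second_opener_sees(m)))
```

The probe is the check a site should run before switching a mechanism: flock refuses the second descriptor, fcntl grants it within the same process and releases the lock on the first close(), and disabled never refuses anything. Which semantics are wanted depends on whether the competing writers are separate processes (CREAM, BLAH and gLExec in turn) or threads and helpers inside one process.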


Please also have a look at the list of known issues.

This update fixes various bugs. For the full list of bugs, please see list below.

Fixed bugs

Number Description
 #39898 glexec refuses to execute /bin/sh
 #40822 glexec refuses doubly limited proxies
 #44508 Failed to obtain a lock on the destination proxy
 #45523 Glexec error messages
 #45914 glexec and proxy rotation
 #46148 random error from glexec
 #46570 GlueHostProcessorOtherDescription is not present in the GlueCluster.template
 #46859 glite-info-templates - Missing variables not reported.
 #46861 [ yaim-glexec-wn ] YAIM fails if no pilot users are defined
 #46883 [ yaim-glexec-wn ] if SCAS_ENABLED then CONFIG_GRIDMAPDIR should be set to "no"
 #47148 SCAS Memory leak fix causes periodic errors
 #47152 LCMAPS will fail to succeed in absense of the poolindex value
 #47170 [ yaim-glexec-wn ] YAIM should check formatting of GLEXEC_EXTRA_WHITELIST
 #47808 glxec seg faults when called from root
 #48093 [ scas-client ] LCMAPS scas-client plugin fails to read proxy file from NFS
 #48095 GLEXEC: target location not accessible should return 201 with proper error message.
 #48106 GLEXEC: segfaults when (based on SecGIDs) the system can't provide a groupname
 #48167 GLEXEC: seg fault when glexec.conf is malformed
 #49493 [CREAM-CE] WN cannot download job executable from CE via gridftp after PPS Update 46
 #50570 [LCMAPS saml2-xacml2 plugin] Segmentation fault when X509_USER_PROXY is not defined
 #50646 [GLEXEC] glexec -V returns 202 on success
 #51885 glexec currently uses flock() non-blocking

Updated rpms

Name Version Full RPM name Description
glite-CREAM 3.1.16-0 glite-CREAM-3.1.16-0.i386.rpm gLite metapackage (glite-CREAM)
glite-info-templates 1.0.0-11 glite-info-templates-1.0.0-11.noarch.rpm glite-info-templates
glite-security-glexec 0.6.8-3.slc4 glite-security-glexec-0.6.8-3.slc4.i386.rpm org.glite.security.glexec R 0.6.8-3
glite-security-lcmaps-plugins-basic 1.3.10-2.slc4 glite-security-lcmaps-plugins-basic-1.3.10-2.slc4.i386.rpm This package provides the timeslot (fabric openings hours), poolaccount selection, localaccount selection, LDAP enforcement and POSIX enforcement (changing the process ownership to the mapped user
glite-security-lcmaps-plugins-scas-client 0.2.8-2.slc4 glite-security-lcmaps-plugins-scas-client-0.2.8-2.slc4.i386.rpm LCMAPS plugin that functions as the PEP (client side) implementation to an Site Central authZ Service
glite-security-lcmaps-plugins-verify-proxy 1.4.2-1.slc4 glite-security-lcmaps-plugins-verify-proxy-1.4.2-1.slc4.i386.rpm org.glite.security.lcmaps-plugins-verify-proxy v. R_1_4_2_1
glite-security-lcmaps 1.4.7-1.slc4 glite-security-lcmaps-1.4.7-1.slc4.i386.rpm org.glite.security.lcmaps v. 1.4.7-1
glite-security-saml2-xacml2-c-lib 0.0.14-2.slc4 glite-security-saml2-xacml2-c-lib-0.0.14-2.slc4.i386.rpm org.glite.security.saml2-xacml2-c-lib

The RPMs can be updated using yum via

Service reconfiguration after update

Service must be reconfigured.

Service restart after update

Not needed.

How to apply the fix

  1. Update the RPMs (see above)
  2. Update configuration (see above)
  3. Restart the service if necessary (see above)