HEPiX Meeting 2011-07-11
Present (in no particular order):
I am missing many people from the attendance list due to not being able to see the room. Please let me know if you have been missed.
Tony Cass, CERN
Balmero, CERN
Thomas Finnern, DESY
Owen Synge, DESY
Ian Gable, University of Victoria
Romain Wartel, CERN
Ian Collier, RAL
Jie Tao, KIT
David Kelsey, RAL
1. Discussion of policy draft document.
- Dave: We developed, a year ago or more, the initial use cases discussed within the HEPiX working group.
- Dave: After the EGI meetings we have begun to expand the policy document to include further use cases. Romain Wartel is taking the editorial lead with the document. This is work that is going on under the auspices of the EGI security group.
- Dave sent a pointer to the list with the new draft: https://wiki.egi.eu/wiki/SPG:Drafts:Virtualisation_Policy
- The main aim of the modification is to add a VM operator role (the person who has root on the machine), which could be a third party. (Please see the document for details.)
- Tony asked if there were any objections to a single policy document that encompasses both the original HEPiX use case and this new use case. Ian Collier voiced his support for this proposal and there were no objections.
- Ian Gable commented that he viewed the VM operator requirement "enable malicious network activity to be linked with any VM and its VM operator" as being difficult given that you may not be operating the VM. Romain commented that this is nothing more than the normal grid monitoring requirement. Tony clarified that there would be a handoff in responsibility down to the VM operator for the complete audit trail.
- Ulrich was uncertain about the meaning of Policy Requirements on the VM Operator, Point 4. He felt that there needed to be clarification of what the responsibilities were in terms of contextualization. Dave, Tony, and Michel agreed that there needed to be some clarification about the definition of contextualization.
- Tony commented that he is not certain that contextualization is an important thing to have in the policy.
- Dave asked if the VM operator concept had an impact on the image catalogue. Tony commented that there is no impact on the image catalogue since the VM operator is a concept that only applies to a running instance, not an image. Owen agreed.
- Tony suggested that we go away and read the document rather than continue the discussion now.
2. Image catalogues
- Tony commented that since the image catalogue deals with images, not instances, no changes were required to the catalogue to deal with the new use cases.
- Owen commented on the JSON image list that has been developed. He suggested that the list have more than one person listed within the image list. Tony was concerned that multiple endorsers would cause trouble with the policy. Owen commented that what actually matters is the signature.
- Owen would also like to request that there is a smaller meeting to discuss the metadata in the list.
- Dave commented that the policy as written applies to a physical person.
- Owen would like to trust the individuals as listed in the list rather than an endorsing entity certificate (much like a robot certificate). Tony commented that then you have to vet a team.
- Romain commented that he believes it should be a service certificate since the service provides VM images in much the same way a GridFTP server provides files.
- After further discussion Dave commented that in the IGTF people like to have the name of the individual.
- Thomas wanted to know if endorsing was a site role or a person role. Tony clarified that it's definitely a person (or group of persons) role.
- Dave commented that he believes this is exactly the robot certificate use case. Robot certs name a natural person ultimately responsible for the key material.
3. Stratus Lab testing
- Tony asked what people are doing with StratusLab testing. Ian Collier commented that they are preparing to generate an image using the StratusLab 1.0 tools.
- Ian Collier asked if there was anything preventing us from using the StratusLab catalogue at the moment. Romain answered that at the moment it does not provide lists of images, only individual images.
- Michel made an inaudible comment (thanks to EVO). Michel, can you recall what it was?
4. Next Meetings
- Follow ups:
- Issue of policy document, in relation to operator role
- Issue about team endorsement
- How we interact with StratusLab
- Work days: Wednesday 28th of September, 14 September, Wednesday 31 Aug 3, Wednesday 17 Aug.
5. Contextualization
- Tony asked if contextualization has been well examined.
- No one disagreed.
- Thomas commented that there are a few details that need working out beyond basic networking.
- Andre commented that documentation needs work.