AI VM's configuration: user access and firewall

Europe/Zurich
513/1-024 (CERN)


Attendance:

IT-CS: Veronique Lefebure
IT-DI: Denise Heagerty, Romain Wartel
IT-DSS: Alex Iribarren
IT-OIS: Jan Van Eldik
IT-PES: Ben Jones, Gavin Mccance, Vítor Gouveia
PH-ATLAS: Sergey Baranov, Yuro Smirnov
PH-LBC: Joel Closier
PH-LCD: Andre Sailer, Christian Grefe
PH-UCM: Jorge Amando Molina-Perez
PH-UGC: Alexandre Eline

Comments/Questions/discussion:

Development lifecycle:

More news about the development lifecycle will be provided in the next meetings. The current development lifecycle is under revision.

Migration to the standard workflow

The voc_devel branch was deleted on 20/6/2013 (after the meeting). No objections were raised.
Starting on 20/6/2013, the devel branch is the only branch that should be used for development.

Puppet 3

The puppet3 migration is ongoing.
The first step was the migration of the puppet masters assigned to the devel environment.
The migration should be finished in the coming days, and all the puppet masters and clients will get it too.
It was recommended that the VOCs merge their custom branches into the devel environment.
Anyone using the devel environment should not be affected by the migration.

User Accounts

ML: Why is there an interactiveusers variable but no interactivedenyusers?
=> (BJ) The expected use of the interactiveusers variable is for vendor accounts. To deny user access there are several alternatives such as sssd_filter_users or interactivedenygroups.

SB:  Will the puppet module sudo write the sudo file directly?
=> (VG) Yes, it will write the file /etc/sudoers.d/****. This makes it possible to change sudo settings without editing the /etc/sudoers file.


ML: How do you add AFS groups, such as z5 (containing all the LHCb users)?
=> (VG) It's possible to write the file /etc/groups with the puppet resource group.
If the group specified is an AFS group, this group will be added to the VMs.

OpenStack Security Groups

Security groups, as used in Ibex, are desired but in Grizzly this feature will be disabled. 

When will Grizzly be in operation?
=> (JvE): In early July. It is currently in Integration Testing within the team with wider testing planned after that. The exact date for opening the service depends on the success of the tests. Once Grizzly enters production, the Ibex systems will stay available for 1 month to allow the move to Grizzly.


There was recently information that hardware resources are not available to create new machines on Ibex. Could you explain that?
=> (JvE): Ibex has reached its limit, and Grizzly is running on new hardware; it would require too much work to add this new hardware to Ibex.

Firewall

The Responsible of the LANDB set with Puppet should also be CDB-LANDBSET.
Do the firewall numbers need to be unique?
=> No, coordination with other people is not needed. The numbers can be chosen arbitrarily.

Questions off topic

ML: There have been many messages on the ai-admins egroup. Is the membership needed?
=> (VG): Membership of the ai-admins egroup is needed for access to the Git repository.

Following some discussion, it was concluded that it would be useful to separate the access control from the information flow.

Future meetings

The next meeting will be in about 1 month and is expected to cover monitoring.
It was also mentioned that if the VOCs have topics they would like covered at the meetings, they can contact Vitor or Alex.
    • 14:00 - 14:05 Introduction
    • 14:05 - 14:15 AI development lifecycle
    • 14:15 - 14:25 Puppet 3
    • 14:25 - 14:35 AI user access
    • 14:35 - 14:45 OpenStack security groups
    • 14:45 - 14:55 Firewall