perfSONAR Operations Meeting (03 Oct 2014)
Chaired by: Dr. McKee, Shawn; Babik, Marian
Attending: Shawn McKee, Frederique Chollet, Joel Closier, Jason Zurawski, Frederic Schaer, Ian Gable, Andreas Petzhold, Alessandro de Salvo, Laurent Caillat-Vallet, Romain Wartel
at CERN: John Shade, Felix Lee, Marian Babik
The meeting purpose was to:
- Propose changes to the current operations of perfSONAR
- Discuss deployment of the additional components (datastore, configuration interface)
- Discuss and agree on the steps to take in the different areas of the perfSONAR operations (helpdesk, monitoring, mesh configuration, infrastructures, campaigns)
- Discuss the coming release of perfSONAR (3.4) and its impact
- Discuss the Shellshock vulnerability
- Identify early-adopters for the testing of the new mesh configuration interface
Doodle for next meeting:
List of actions (to be added to WG JIRA):
- Request new GGUS SU in 3rd level experts - WLCG perfSONAR Support (Marian)
- Review and re-write current documentation at https://twiki.cern.ch/twiki/bin/view/LCG/PerfsonarDeployment (Marian, Shawn, ALL to comment)
- Infrastructure Monitoring
  - Official source for it will be https://maddash.aglt2.org/WLCGperfSONAR/check_mk/ (this box will be migrated to OSG, so we might have a new URL in the near term)
  - Drop NDT/NPAD metrics (and also ask sites to disable the functionality) (Shawn)
  - Migrate existing metrics to 3.4 (Shawn)
  - Improve accessibility of the check_mk machine (ideally based on DNs, Shawn/Marian)
  - Establish official dashboard for infrastructure monitoring (in SSB)
  - Agreed to use the perfSONAR report as a temporary solution until we have a regular dashboard. Check and comment; it is available at http://grid-monitoring.cern.ch/perfsonar_report.txt (ALL)
- WLCG mesh configuration - volunteers are needed, please e-mail Shawn (ALL)
- Make sure all sonars are registered in GOCDB/OIM (ALL); what we do with LHCONE sonars is to be discussed
- Attend EGI OMB and propose to offer them the possibility to follow up on perfSONAR status in their operations (through some of our metrics)
- Establish wlcg-perfsonar-security mailing list and communicate it to infrastructure security teams
- Implement remediation plan for the Shellshock vulnerability
- Review current documentation, come up with instructions on iptables and send them for comments to wlcg-perfsonar-support (Shawn, Marian, Jason)
- Offer new configuration URL that will work for current mesh configs at CERN, but also for new ones at OSG (Soichi, Shawn, Marian)
- New re-installation guide for perfSONAR 3.4 (Shawn)
- Test and validate that all this works as expected; volunteers are needed to review and test (ALL)
- Send broadcast to EGI and WLCG ops with new instructions to re-install (Marian)
Marian presented an overview of the current deployment and proposed several changes (see slides).
John asked if we plan to keep supporting the current maddash.
The plan is to migrate the current maddash so that it uses the perfSONAR data store as its main source (as opposed to contacting all perfSONAR MAs to get the information).
On iptables/firewall rules:
Frederic commented that he would prefer to close port 80 to all incoming traffic and keep only 443 open (this can be restricted to the site's internal subnet and infrastructure monitoring). He also suggested that by using the iptables statistics we can determine whether the central/campus firewall is blocking access (to be followed up with the perfSONAR dev team). Marian commented that we will document detailed instructions on how we would like sites to set up iptables; these will be sent to the mailing list for comments.
On the Shellshock vulnerability:
Romain commented that the support from our side was excellent and that he no longer sees any issues with the European sonars; there might still be issues in the US, to be followed up with Shawn. We have also agreed to create wlcg-perfsonar-security and communicate it to the infrastructure security teams (Marian, Shawn and Jason will participate initially).