pre-GDB - Traceability & Isolation WG

Europe/Zurich
31/S-028 (CERN)

31/S-028

CERN

6
Show room on map
Description

Initial meeting of Traceability & Isolation Working Group

# VO status:
 * ALICE:
  + Has its own logging infrastructure
  + Has its own suspension infrastructure
  - User theoretically capable of attacking the pilot (no separation) and stealing its credentials
  + Working on cgroups/containers

 * ATLAS:
  + Has its own logging infrastructure
  + No multi-user payload: either a single payload (default) or multiple of the same user
  + Pilot's credentials are only kept in memory
  - User theoretically capable of attacking the pilot (no separation)
  - Enormous ammount of logs being produced, processing/search them is hard

 * CMS:
  * Fully using glexec for:
   + Isolating the user payload from the pilot job
   + Logging (mapping IP/time -> user)
   + Emergency suspension
  * No independant logging infrastructure

 * LCHb:
  * On the grid:
   - user theoretically capable of attacking the pilot (no separation) and stealing its credentials
   * glexec supported but not used
  * Inside VMs:
   + Root/pilot/user jobs running as different user ID (replace glexec with sudo)
   + Logs can be sent to the site, if requested
  * Would like to have only one implementation for both grid & cloud. Namespaces looking promising

# Update from OSG Traceability and Isolation:
 * "If you add all the existing policy and technical requirements together, you get today's glexec."
 - Traditional UID separation difficult:
  - Need SUID binary to change uid
  - Persistant shared storage (e.g. NFS) need to be cleaned
 - Containers (namespaces) don't seem mature enough, esp. for shared storage
 * Explored several solutions to keep user isolation without user certificates: http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1218

# Discussions:
 * Brian Bockelman said that Centos 7.2 seems to still be missing some unpriviledged namespace support
 * Tim Bell commented that some namespace feature are only available via a kernel option: user_namespace.enable=1
 * Romain Wartel reminded the participants of the existance of recommendations for logging: https://edms.cern.ch/document/428037/3 and https://edms.cern.ch/document/793208/1

# Actions: arising from discussions:
 * ALICE, ATLAS, LHCb: compare the logs they produce to these recommendations

# Next meeting
To be decided later via a Doodle

There are minutes attached to this event. Show them.