Collaboration meeting

Friday 5 Jun 2015, 14:00 → 15:00 Europe/Zurich

Vidyo

# ARGUS Collaboration Meeting - 5/6/2015

Presents: Andrea, Ian, Michel, Vincent, Vincenzo, Mischa, Maarten

[Agenda](http://indico.cern.ch/event/396796/)

## General news

openssl plan to put a minimum size on DH (Diff-Hellman) RSA-based keys used as cipher when establishing the TLS connection in a short term future
* 1024 bits instead of 512
* This doesn't affect the certificate key length
* Java may be impacted as it tend to comes with lower requirement (512): may be changed in a future version of Java but to be checked
* Mischa: ARGUS uses RH ssl based on nss so not too much concerned, also the ARGUS services are all Java so should not be a problem for their 
interaction
  * pepd may be a problem as it is doesn't support the new key (in particular elliptic curve) and may talk to openssl client. 
  Still using an old version of Jetty
  * Andrea: Java8 may help 
  

## New OS/Java support
 
### Java8 support

Oracle Java 7 is end of life since last April.
* May not apply to openjdk: not really a crisis

Java8 not working out of the box: requires some work for pepd at least
- Java8 enables the use of elliptic-curve based DH keys: that breaks at
  least the PEPd, and not the PAP. The PDP is a bit unclear.
  It breaks due to the (old) BouncyCastle version. It can be disabled
  in the java.security settings via jdk.tls.disabledAlgorithms
- The ECDH don't have the weak-cipher/small keyvlength problem

So, with the current version, we either break the PEPd by using ECDH and have no OpenSSL problem,
or we break the to-be-released OpenSSL interaction with the PEPd.

Also need to update to the last Jetty version: implies Java8 support

### EL7 support

1st version of UMD4 in September: not a requirement for ARGUS to be in the first version but would be a good message for ARGUS to be ready asap

### Timeline

Mischa checked C-based components developed by NIKHEF run properly against EPEL7
* argus-pep-api-c-library, pepcli and argus GSI callout. 
* also checked lcmaps-plugins-c-pep which uses theargus-pep-api-c-library

Service side (pepd, papd, pdpd)
* Real work is about updating Jetty
* Java8: probably minor issues, mainly a testing work
  * See Mischa's email from March
  * bouncycastle can be an issue also
* Also need to move systemd but not an immediate requirement

Proposed plan
* By sept.: minimal work to get the current code working
  * First thing is to complete an EL7 build
  * Need to build a test infrastructure: NIKHEF may have something, to be checked, connected to Jenkins. Also John White did something in the past
  to be checked with him: seems to be GitHub.
* Then do the other changes: Java8, systemd  

Timeline : have run the tests and identified the issues with EL7 by mid-July

Ian: as soon as EL7 packages are made available, RAL should be able to carry out some testing

## INDIGO Datacloud

Meeting in July about Indigo architecture: will make more clear the role of ARGUS

Hiring process for 2 new people at CNAF is in progress: some part will be allocated to ARGUS support/development, exact figure to be determined later

Maarten: keep in mind that ARGUS currently bound to legacy services requiring gridmapdir but the idea was at some point to get rid of these
legacy services.
  * Mischa: not sure to completly agree... should not make it mandatory to use it but would be good to keep the support.
  * Andrea: agree that the service should remain but that the implementation could evolve to be based on something different than a gridmapdir like
  a database to avoid the need of share file system for example

## Open issues

Still incidents at CERN: last one 2 days ago (LHC restart)
* Required a restart of all ARGUS servers
* Was not the proper day for trying to involve experts...
* Not clear if NFS shared file system played a role here...
* May ask service managers to make a snapshot of the VMs involved before killing them
* Not clear that this was related to a particularly high load

Readiness testbed would still be welcome but not a high priority for people who could do it...

## AOB

Next meeting July 3d 11 am

14:00 → 14:10 General news

14:10 → 14:25 INDIGO Datacloud

14:25 → 14:40 Open issues

14:40 → 14:55 EL7 and Java8 support

14:55 → 15:00 AOB