WLCG Traceability and Isolation WG (Vidyo meeting)

Europe/Zurich
31/S-028 (CERN)


Present: Vincent Brillault, Maarten Litmaath, Andrew McNab, Brian Bockelman, Ian Neilson, Mischa Sallé, Miguel Martinez Pedreira

● Previous meeting minutes

No comment on the notes of the previous meeting


● Singularity

  • Brian presented his ongoing work on Singularity as a potential solution for isolation (see slides):
    • Provides isolation (no traceability), already has enough features to replace glexec
    • Integrated with other systems: HTCondor, OSG VO, SLURM (Singularity 2.3.0)
      • Running Singularity in Singularity is not possible (due to SUID filtering)
    • OSG working on officially supporting Singularity in ~June 2017, aiming at replacing glexec (if agreed to by stakeholders)
  • Singularity appears to the WG to be the current best solution, and the WG is now evaluating it (upcoming actions):
    • Security reviews (due to SUID):
      • Brian did not get it accepted for review (external company doing reviews for OSG), will push it again next quarter
      • Maarten and Vincent will follow up with EGI
    • Testing:
      • Vincent to follow-up with the CERN site, to see if a small dedicated HTCondor cluster could have Singularity installed
      • Vincent? to follow-up with CernVM to have Singularity installed (without SUID)

● New traceability model

Vincent presented a new possible model for incident response, moving part of the security logs from the site to the VO.

Action: Vincent to write down a more formal proposal

Open question: How to validate the model?


● Next meeting

The date of Jan 18th was decided as the candidate for the next meeting

    • 4:00 PM - 4:05 PM
      Previous meeting minutes 5m

      See https://indico.cern.ch/event/563528/note/

      Speaker: Vincent Brillault (CERN)

    • 4:05 PM - 4:45 PM
      Singularity 40m
      Speaker: Brian Paul Bockelman (University of Nebraska-Lincoln (US))
    • 4:45 PM - 5:05 PM
      New traceability model 20m

      Let's agree on the direction we are taking and its operational requirements

      Speaker: Vincent Brillault (CERN)

    • 5:05 PM - 5:10 PM
      Next meeting 5m
      Speaker: Vincent Brillault (CERN)
