Present: Vincent Brillault, Maarten Litmaath, Andrew McNab, Brian Bockelman, Ian Neilson, Mischa Sallé, Miguel Martinez Pedreira
● Previous meeting minutes
No comment on the notes of the previous meeting
- Brian presented his ongoing work on Singularity as a potential solution for isolation (see slides):
- Provides isolation (no traceability), already has enough features to replace glexec
- Integrated with other systems: HTCondor, OSG VO, SLURM (Singularity 2.3.0)
- Running Singularity in Singularity is not possible (due to SUID filtering)
- OSG working on officially supporting Singularity in ~June 2017, aiming at replacing glexec (if agreed to by stakeholders)
- Singularity appears to the WG as the current best solution and is now evaluating it (upcoming actions):
- Security reviews (due to SUID):
- Brian did not get it accepted for review (external company doing reviews for OSG), will push it again next quarter
- Maarteen and Vincent will follow-up with EGI
- Vincent to follow-up with the CERN site, to see if a small dedicated HTCondor cluster could have Singularity installed
- Vincent? to follow-up with CernVM to have Singularity installed (without SUID)
● New traceability model
Vincent presented a new possible model for incident response, moving part of the security logs from the site to the VO.
Action: Vincent to write down a more formal proposal
Open question: How to validate the model?
● Next meeting
The date of Jan 18th was decided as the candidate for the next meeting
There are minutes attached to this event.