WLCG Traceability and Isolation WG (Vidyo meeting)

Name: WLCG Traceability and Isolation WG (Vidyo meeting)
Start: 2016-11-23T16:00:00+01:00
End: 2016-11-23T17:30:00+01:00
Location: CERN

Wednesday 23 Nov 2016, 16:00 → 17:30 Europe/Zurich

31/S-028 (CERN)

31/S-028

CERN

Show room on map

Hide

Present: Vincent Brillault, Maarten Litmaath, Andrew McNab, Brian Bockelman, Ian Neilson, Mischa Sallé, Miguel Martinez Pedreira

● Previous meeting minutes

No comment on the notes of the previous meeting

● Singularity

Brian presented his ongoing work on Singularity as a potential solution for isolation (see slides):
- Provides isolation (no traceability), already has enough features to replace glexec
- Integrated with other systems: HTCondor, OSG VO, SLURM (Singularity 2.3.0)
  - Running Singularity in Singularity is not possible (due to SUID filtering)
- OSG working on officially supporting Singularity in ~June 2017, aiming at replacing glexec (if agreed to by stakeholders)
Singularity appears to the WG as the current best solution and is now evaluating it (upcoming actions):
- Security reviews (due to SUID):
  - Brian did not get it accepted for review (external company doing reviews for OSG), will push it again next quarter
  - Maarteen and Vincent will follow-up with EGI
- Testing:
  - Vincent to follow-up with the CERN site, to see if a small dedicated HTCondor cluster could have Singularity installed
  - Vincent? to follow-up with CernVM to have Singularity installed (without SUID)

● New traceability model

Vincent presented a new possible model for incident response, moving part of the security logs from the site to the VO.

Action: Vincent to write down a more formal proposal

Open question: How to validate the model?

● Next meeting

The date of Jan 18th was decided as the candidate for the next meeting

There are minutes attached to this event. Show them.

- 16:00 → 16:05
  
  Previous meeting minutes 5m
  
  See https://indico.cern.ch/event/563528/note/
  
  Speaker: Vincent Brillault (CERN)
  
  No comment on the notes of the previous meeting
- 16:05 → 16:45
  Singularity 40m
  
  Speaker: Brian Paul Bockelman (University of Nebraska-Lincoln (US))
  
  Singularity-isolation.pdf
  Brian presented his ongoing work on Singularity as a potential solution for isolation (see slides):
  
  Provides isolation (no traceability), already has enough features to replace glexec
  
  Integrated with other systems: HTCondor, OSG VO, SLURM (Singularity 2.3.0)
  
  Running Singularity in Singularity is not possible (due to SUID filtering)
  
  OSG working on officially supporting Singularity in ~June 2017, aiming at replacing glexec (if agreed to by stakeholders)
  
  Singularity appears to the WG as the current best solution and is now evaluating it (upcoming actions):
  
  Security reviews (due to SUID):
  
  Brian did not get it accepted for review (external company doing reviews for OSG), will push it again next quarter
  
  Maarteen and Vincent will follow-up with EGI
  
  Testing:
  
  Vincent to follow-up with the CERN site, to see if a small dedicated HTCondor cluster could have Singularity installed
  
  Vincent? to follow-up with CernVM to have Singularity installed (without SUID)
- 16:45 → 17:05
  
  New traceability model 20m
  
  Let's agree on the direction we are taking and its operational requirements
  
  Speaker: Vincent Brillault (CERN)
  
  201611-Traceability_Isolation_WG.pdf
  
  Vincent presented a new possible model for incident response, moving part of the security logs from the site to the VO.
  
  Action: Vincent to write down a more formal proposal
  
  Open question: How to validate the model?
- 17:05 → 17:10
  
  Next meeting 5m
  
  Speaker: Vincent Brillault (CERN)
  
  The date of Jan 18th was decided as the candidate for the next meeting