Collaboration meeting
Vidyo
# Argus Collaboration Meeting - 2 Dec 2016
Agenda: http://indico.cern.ch/event/586734/
## Presence
Andrea
Maarten (notes)
Marco
Mischa
Vincenzo
## General News
The selection board for the Indigo-DataCloud post at CNAF will be held Dec 16.
The expectation is for the selected candidate to start early 2017, hopefully Jan.
The person will mainly work on Indigo-DataCloud objectives, but should also have
some time for Argus maintenance. Given a recent Fed Cloud security incident,
it was acknowledged that Argus should also be used there, to be able to ban users.
As had already been proposed from the very beginning, Argus shall therefore be
integrated with the Indigo AAI.
## UMD4 Integration
Argus 1.7 was released for CentOS/EL7 on Nov 10 and for SL6 on Nov 23.
In yesterday's WLCG Operations Coordination meeting the WLCG MW Officer
Andrea Manzi advised sites to upgrade Argus to 1.7 and indicated
that the new version is foreseen to become the baseline at some point.
## Development News
Andrea, Marco and Mischa expect to have time for 1.7.1 activities as of next week.
* Merging pull requests, building rpms, testing, updating the docs, ...
* We first need to decide what to do about the policy update script
* Should we have a way to guard against a misconfiguration on the server,
which would allow IOTA CAs to be used for all VOs?
* Should that be done outside of the PAP, which owns all other policies?
* Andrea: the IOTA CA check actually is at a lower level, viz. the TLS level
* Mischa: David Groep suggested an extra policy rpm "ca-policy-egi-iota",
not included by default
* Maarten: site admins would just install the set of rpms that "work",
without realizing they would allow IOTA CAs for all VOs
* Mischa: a test probe could be developed to discover misconfigurations,
as IOTA CAs shall not be enabled for the "ops" VO
* Maarten: an explicit Argus configuration parameter with a safe default
would be the safest approach
* Mischa: it should name the list of acceptable policies;
today they are classic + mics + slcs, the admin would have to add iota
and hopefully run the policy update script at the same time...
* Andrea: the best place to implement this would be CANL, so that the
functionality is available in a consistent way also elsewhere
* CANL is still maintained by Krzysztof Benedyczak
* Andrea: the fastest would be to submit a pull request with the changes
that we propose for the new functionality; we can do a private build
in case an official release will not happen for a while
* Mischa: the PIP parsing and caching logic should be imitated
* Andrea: the CAs are handled by a validator that will scan the certificates
directory only upon initialization and regular reloads, not per request
* Mischa: the PIP might even do a callout to CANL for that functionality
* Maarten: improving the PIP might be done in a later release
After some discussion it was agreed how to provide the script and its configuration:
* Argus will come with an extra rpm that has the script plus a template
configuration file for testing
* The UMD will have an extra rpm containing the EGI configuration file;
when the set of eligible VOs changes, a new version will be released
and sites will be asked to rerun the policy update script as needed
* A configuration directory in /etc shall contain the configuration files,
allowing independent entities to manage their own sets of eligible VOs;
for example, there could be some national or local VO to be added
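As an added illustration (not Argus, PAP or CANL code, and not something agreed in the meeting), the following toy model puts together the three ideas discussed above: a site-level list of trusted CA profiles whose safe default leaves "iota" out, a configuration directory whose files each contribute a set of VOs eligible for IOTA CAs, and a probe that flags any setup in which the "ops" VO could be served by an IOTA CA. The file format (one VO per line, `#` comments, `*.conf` names), the function names and the Permit/Deny decision logic are all assumptions made for the example; the "guard disabled" switch stands in for a site that installed the IOTA CA rpm but never ran the policy update script.

```python
# Added illustration (not Argus code): a toy model of the IOTA-CA guard
# discussed in the meeting. File format, names and decision logic are
# assumptions for the example, not the real Argus/PAP/CANL behaviour.
import os
import tempfile

# CA profiles a site trusts at the TLS level. The safe default leaves "iota"
# out, so an admin has to opt in explicitly.
DEFAULT_CA_PROFILES = frozenset({"classic", "mics", "slcs"})

# "ops" must never be able to use IOTA CAs (the probe criterion).
IOTA_FORBIDDEN_VOS = frozenset({"ops"})


def parse_eligible_vos(text):
    """Parse one eligible-VO file: one VO per line, '#' starts a comment (assumed format)."""
    vos = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            vos.add(line)
    return vos


def load_eligible_vos(config_dir):
    """Union of all *.conf files in config_dir (EGI list, national/local lists, ...).
    A missing or empty directory yields no eligible VOs, i.e. the safe default."""
    eligible = set()
    if not os.path.isdir(config_dir):
        return eligible
    for name in sorted(os.listdir(config_dir)):
        if name.endswith(".conf"):
            with open(os.path.join(config_dir, name), encoding="utf-8") as fh:
                eligible |= parse_eligible_vos(fh.read())
    return eligible


def tls_accepts(ca_profile, trusted_profiles):
    """Lower-level (TLS) check: is the issuing CA's profile trusted at all?"""
    return ca_profile in trusted_profiles


def authorize(vo, ca_profile, trusted_profiles, eligible_vos, guard_enabled=True):
    """Toy decision: TLS-level trust plus the per-VO IOTA guard.
    guard_enabled=False models a site that installed the iota CA rpm but
    never ran the policy update script: IOTA then works for every VO."""
    if not tls_accepts(ca_profile, trusted_profiles):
        return "Deny"
    if guard_enabled and ca_profile == "iota" and vo not in eligible_vos:
        return "Deny"
    return "Permit"


def probe(trusted_profiles, eligible_vos, guard_enabled=True):
    """Probe logic: report VOs that would be granted IOTA access but must not be."""
    findings = []
    for vo in sorted(IOTA_FORBIDDEN_VOS | eligible_vos):
        decision = authorize(vo, "iota", trusted_profiles, eligible_vos, guard_enabled)
        if vo in IOTA_FORBIDDEN_VOS and decision == "Permit":
            findings.append(f"IOTA CAs enabled for VO {vo!r}")
    return findings


def demo():
    """Build a constructed config directory and run the probe against three setups."""
    with tempfile.TemporaryDirectory() as cfg:
        # Constructed sample files: a central list and a local addition.
        with open(os.path.join(cfg, "egi.conf"), "w", encoding="utf-8") as fh:
            fh.write("# eligible for IOTA CAs\natlas\ncms\n")
        with open(os.path.join(cfg, "local.conf"), "w", encoding="utf-8") as fh:
            fh.write("belle  # national VO added by the site\n")
        eligible = load_eligible_vos(cfg)

        # 1. Safe default: iota not trusted at all -> no findings.
        safe = probe(DEFAULT_CA_PROFILES, eligible)
        # 2. iota trusted and the per-VO guard in place -> no findings.
        guarded = probe(DEFAULT_CA_PROFILES | {"iota"}, eligible)
        # 3. iota trusted, guard never applied -> misconfiguration detected.
        unguarded = probe(DEFAULT_CA_PROFILES | {"iota"}, eligible, guard_enabled=False)
        return eligible, safe, guarded, unguarded


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering of checks: TLS-level trust alone (case 3) lets IOTA CAs through for every VO, which is exactly the misconfiguration the meeting wanted to guard against, while an explicit per-VO eligibility list with an empty default (cases 1 and 2) fails closed.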
Timeline:
* Vincenzo: the next UMD4 update is planned for Feb
* All: it looks realistic to aim for a 1.7.1 release by the end of Jan
## Open issues
GGUS ticket 124315 about Argus on pure IPv6 nodes:
* essentially resolved
* the issues appeared to be due to an inconsistent network/DNS configuration
* probably little, if anything, to be improved on the Argus side
* Andrea and Mischa will have a last look before the ticket is closed
## Next meeting
Fri Jan 20 at 14:00