Monday, November 24, 2014

Holiday Schedule

On November 27 and 28th, the Grid Operations Center will be operating on a Holiday schedule. Staff will be available to respond to emergencies but routine operations will resume at start of business Monday, December 1.

OSG Operations wishes its users and OSG staff a happy Thanksgiving Holiday.

Tuesday, November 11, 2014

Announcing OSG Software versions 3.2.17 and 3.1.41

We are pleased to announce OSG Software versions 3.2.17 and 3.1.41.

If you are using the OSG PKI command line tools, you must upgrade
to the release. The OSG PKI servers no longer accept SSLv3 connections
and you must use the corresponding command line tools.

HTCondor 8.2.3 has moved from Upcoming into the 3.2 repository.
Next month we plan to release HTCondor 8.3.x in the Upcoming repository.
If you are currently running HTCondor 8.2 out of the Upcoming repository
and do not want to upgrade to HTCondor 8.3.x, be sure to disable the
Upcoming repository in your yum configuration before the December release.

OSG 3.2.17 contains:
* HTCondor 8.2.3
* XRootD 4.0.4
* GlideinWMS 3.2.7
* HTCondor CE 1.7
* GFAL tools come from EPEL

OSG 3.2.17 and 3.1.41 contain:
* Disable SSLv3 in OSG PKI tools
* VO Package v57 - New CERN VOMS servers
* CA Certificate update to IGTF 1.60
* RSV version 3.7.20
* various minor bug fixes

Release notes and pointers to more documentation can be found at:

https://www.opensciencegrid.org/bin/view/Documentation/Release3/Release3217
https://www.opensciencegrid.org/bin/view/Documentation/Release3/Release3141

Need help? Let us know:

https://www.opensciencegrid.org/bin/view/Documentation/Release3/HelpProcedure

We welcome feedback on this release!

OSG PKI Update - Affects OSG Certificate Command Line Tools

OSG Operations has applied an update to the OSG PKI to disable SSLv3. Users who request and retrieve certificates through the OSG Command Line Tools will need to update to the latest version of the osg-pki-tools package. Older versions of osg-pki-tools will be unable to request or retrieve certificates.

Wednesday, November 5, 2014

GOC Service Update - Tuesday, November 11th, 2014 at 13:00 UTC

The GOC will upgrade the following services beginning Tuesday, November 11th, 2014 at 13:00 UTC. The GOC reserves 8 hours in the unlikely event that unexpected problems are encountered. IMPORTANT NOTE: This update will contain updates to the OSG PKI SSL. Once this update is applied you will need the latest PKI Tools from OSG Software release 3.2.17 or 3.1.41 before requesting certificates via the command line tools. More details immediately below.

PKI tools
A new version will be available during this release. The affected tools are: osg-cert-request, osg-cert-retrieve, osg-gridadmin-cert-request, osg-user-cert-renew, osg-user-cert-revoke, osg-cert-revoke. You must update your tools to continue to use them.

GOC VOMS
Configuration change to address SSLv3 vulnerability.

OIM 3.38
Fixed a bug where the wrong resource ID was used to look up service detail while repopulating selected sites for the mesh config / host group editor for OIM resources (related to MYOSG-78)
Increased the maximum number of OIM/WLCG resources under meshconfig / host groups (previously defaulted to 32)
Added a user_cert_renew test script that uses serial_id (OSGPKI-343)
Added a "certificate banner" configuration option. Updated the action token from admin_pki_quota to admin_pki_config (OSGPKI-395)
Moved the "contact goc for assistance" text to the page banner.
Increased the maximum number of secondary admin contacts for mesh config to 4 (per conversation with Shawn)
Updated pf_endpoint_crawler to test for the 3.4 (REST) interface. Removed write_url as it is not used by 3.4. Also added an update_timestamp field.

Ticket 1.83
Fixed missing submitter_name issue (TICKET-105)
Un-implemented security ticket notification suppression feature (TICKET-84)
Another bug fix for ticket URL/email highlighting feature (broken encoding) (TICKET-109)

MyOSG 2.29
meshconfig / removed references to v33 and made the v34 URLs the default.
meshconfig / improved the auto-mesh configuration URL generator (I need to add autocomplete function later)
meshconfig / show default MA endpoint URLs for endpoints the crawler cannot reach.
Applied the active/disabled flag check to resource search results for the Submit Ticket button. Also added labels for the active/disabled flags (MYOSG-79)

Repo
Updating koji package to 1.6.0-8

RSV Process
Rebuilding rsvprocess1/2 instances to RHEL6

GOC-TX 1.42
Changed the SNOW2FP ticket status conversion rule (GOC Ticket 22547)

Virtualization Infrastructure
We will be transitioning the last of our VMware Server 1.x hosts to RHEL6/KVM; this will bring all our virtualization hosts into line with the same OS and infrastructure. This will affect confluence, data, repo, rsvprocess, and software, but in the case of repo and software we will be using the LVS HA to minimize end user impact. For the other services, however, there will be periods of downtime as the VMs are brought down, converted, and transitioned to a temporary host, then again when they are transitioned back to the newly-rebuilt permanent host.

High-Availability Infrastructure
We will be transitioning our HA infrastructure to LVS/keepalived rather than LVS/heartbeat so as to have fully redundant HA again, and also to be fully IPv6-ready.

perfSONAR 3.4+ install/update instructions

Dear All,
This is to announce the availability of the perfSONAR re-installation and upgrade instructions. We kindly request all WLCG sites to reinstall or upgrade their perfSONAR instances. Detailed instructions are now available at https://twiki.opensciencegrid.org/bin/view/Documentation/InstallUpdatePS

All sites that have terminated their instances following the shellshock exploit are requested to re-install following the instructions. In case you have already upgraded to perfSONAR version 3.3 or 3.4, you will still need to follow the instructions to configure your instances in order to take advantage of the new WLCG perfSONAR configuration system. We'd like to ask sites to update if possible before 8th of December.

For any issues, please open an OSG ticket or contact wlcg-perfsonar-support@cern.ch. For general information on the WLCG perfSONAR, please visit our new documentation at https://twiki.opensciencegrid.org/bin/view/Documentation/DeployperfSONAR

Best regards,
perfSONAR Support Team

Disabling SSLv3 for OSG VOMS Admin Server

The OSG Security team has concluded that the POODLE SSLv3 vulnerability
is not a *critical* concern to OSG software installations. Most services
are not affected, and those that are affected are difficult to exploit in
a meaningful way. Nonetheless, the recommendation is to disable support
for SSLv3 where reasonable.

OSG software includes VOMS Admin Server (currently, version 2.7.0), which
runs within Tomcat. By default Tomcat allows SSLv3 connections, but that
is easy to change. To disable SSLv3 support in a Tomcat instance that
contains VOMS Admin Server, add a "protocols" configuration attribute to
the HTTPS Connector element in /etc/tomcat[56]/server.xml as follows (in
diff format, sort of; the added line is marked with a leading "+"):

    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    trustStoreDir="/etc/grid-security/certificates"
    sslCertFile="/etc/grid-security/http/httpcert.pem"
    sslKey="/etc/grid-security/http/httpkey.pem"
    crlUpdateInterval="2h"
    log4jConfFile="/usr/share/tomcat6/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1"
+   protocols="TLSv1.1,TLSv1.2"
    crlEnabled="true" crlRequired="true"/>

Note: OSG Software has tested this change only for a Tomcat instance that
is running VOMS Admin Server. But the change affects Tomcat itself and
thus affects all web applications running within that instance. So for
now, we recommend making this change to Tomcat instances that run only
VOMS Admin Server. There are known issues with applying this change to a
Tomcat instance that runs GUMS, in that dCache clients (at least) fail to
work with the changed GUMS server.