SFT group meeting Desktop Forum report Alberto AIMAR

Presentation transcript:

SFT group meeting Desktop Forum report Alberto AIMAR

2 Desktop Forum, September 15th 2005
- CNIC project update
- CRA, project status
- Linux update
- PC rental phase-out
- Fax services

Computing and Network Infrastructure for Controls (CNIC)
- What is CNIC?
- Why is CNIC necessary?
- CNIC definitions
- Changes for users once the CNIC policy is in place
- Network tools and policies for CNIC

CNIC-WG 4: What is CNIC
- CNIC-WG
  – Working Group delegated by the CERN Controls Board
    - Mandate covers only control systems, not office computing
  – Definition of
    - Security policy
    - Networking aspects
    - Operating systems (Windows and Linux)
    - Services and support
  – Members should cover all CERN controls domains and activities
    - Service providers
    - Service users

5: Networking (1/2)
- General Purpose Network (GPN)
  – Desktop Computing, testing, access from outside, …
- Technical and Experiment Network (TN and EN)
  – Only operational devices
  – Authorization procedure
- Inter domain communications
  – Application Gateways
  – Trusted services
- Dependencies
  – File systems (DFS, …)
  – Databases (CERNDB, …)
  – Servers (DNS, …)

6: Networking (2/2)
- Domain Gateway filters:
  – Only allow network traffic from trusted hosts
- Trusted hosts by controls networks:
  – IT/CS network services
  – Central IT services (e.g. AFS, DFS, NICE domain controllers, TSM backup servers, Oracle, ...)
  – Application Gateways (e.g. Windows Terminal Servers, Linux gateway servers)

7: Use Case - Office connection
- Connection to controls monitoring system (e.g. PVSS) from office PC
  – Connection to application gateway (e.g. Windows Terminal Server).
  – Open session to application (e.g. PVSS) with connection to controls machine and PLCs.

8: CRA Status (Administrative Information Services, CERN - Organisation Européenne pour la Recherche Nucléaire; Wim van Leersum/IT-AIS-F)
- First release (end of October ?):
  – Current CCDB functionality (account mgmt)
  – Data cleanup
  – Automatic account expiration
- Design finished
- Data base schema/User Interface implemented
- AIS and Nice account management tested

9: CRA current activities
- Data cleanup
  – Accounts review
  – Admin groups
  – Primary/Secondary account group
  – Ais/Nice Synchronization
  – Expired accounts removal
- Migration of Oracle users
- EDMS account management
- Training accounts mgmt

10 Linux SLC5
- Red Hat Enterprise Linux 5 / Scientific Linux 5:
  – up-to-date, including stable 2.6 kernel
  – BUT: release 2nd Q 2006
- Add 2-4 weeks for building SL5
  – Another 2-4 for building SLC5
- RedHat does not commit to any release date
  – but their product lifecycle is months
  – ... may be too late for CERN full certification.

11 Linux SLC4
- Responsible for OS certification:
  – Linux Certification Committee
- Responsible for physics compilers/software stack certification:
  – LCG SPI (approved by Architects Forum)
- Certify twice
  – SLC4 – 'slowly' Q3/Q
  – SLC5 – 'fast' Q (Q ?)
- Use 'split certification'
  – Operating system
  – Experiments compilers plus software
- Decide deployment late... and then do it quickly !

DTF: of 7 Summary
- No new rental agreements
  – (Already frozen 2 DTFs ago)
- Consider all past payments as capital repayments
- Send proposals to buy-out (by completing capital repayment) or return
  – Immediately (rather than wait for next contract renewal)

13 An opportunity for a better service
- A bi-directional FAX-gateway
- Outgoing fax sent from
- Supports Text, HTML, and all major file formats (including PDF, Office, drawings, etc)
- Robust decoding of attachments
- NEW: must be registered to use the service
- (part of the CERN mail services)
- Cover page can be customized
Syntax for fax:

14 … a better service …
- Incoming fax
- When registering (http://cern.ch/fax), every user obtains a unique phone number for his/her “virtual” fax machine
- xxxx,
- All faxes sent to the unique phone number will be digitized to PDF format and sent to the of the user
- The default “cover page” contains the user name and the virtual fax number (so people can reply directly to a fax)

15 Status of the service
- The new service has been in production since the beginning of September
- Already 270 users registered !
- Over 1100 faxes sent, 600 received
- Only staff members, fellows and service accounts can become registered users of the service
  – This can change
- Telephone cost is not recharged but accounted. Abuses are monitored
- Work is being done to add the assigned “Fax number” in the CERN phone book

16 Desktop Forum, October 13th 2005
- CNIC / NICEFC - NICE For Controls
- CNIC / LINUXFC - LINUX For Controls
- Videoconferencing with VRVS/EVO (not reported here)
- AOB
By A.Pfeiffer

17 NICEFC strategy
- Three directions followed …
  – Improve the Windows installation services in a way where the configuration is read entirely from a central database (reinstalling a device restores its assigned applications)
  – Simplify the installation of Custom Terminal Servers to allow cloning of the current production service (application gateways)
  – Build a “Management Framework” where owners of machines can define and manage the exact configuration of computers under their control
    - Web based User Interfaces for administration
    - Central Configuration & Reporting Database
    - Client Service running on each participating Windows PC

18 Concrete results so far …
- Installation “from the network” in production since June
  – No need for floppy disk or CDs anymore
  – No need to preload disk images on new computers
  – See:
- Application gateway “service” being prepared
  – Already 2 Terminal service gateways installed (AB/CO, TS/CV)
  – Starting point: a “clone” of the general purpose terminal server configuration
  – The service is not free and is charged on a yearly basis
    - This ensures its scalability and focuses the effort on real needs
  – See:

19 Concrete results so far …
- The “Management Framework” is available for test
  – Provides complete delegation of system administration to “locally managed” Sets
  – It allows the definition of “Named Set of Computers”
  – It allows control over which patches and applications are installed on these sets
    - Either “standard” centrally provided packages or packages created by local administrators
  – It allows control over WHEN the deployments take place
  – It allows specific policies to be defined for all sets
  – Hardware and Software Inventory and Metering possible using standard mechanisms
- A general solution for locally managed computers with a maximum reuse of standard packages prepared centrally

20 Linux For Controls Requirements
R1 The computers shall have well defined configurations
  – Only defined versions of defined packages shall be installed
  – It must be possible to have additional packages/versions on computers dedicated to test or development activities
  – Equipment responsible persons (at domain, NSC or node level) or the CERN CSO must be able to determine when to install patches and upgrades
R2 It must be possible to do a version rollback
  – It must be possible to go back to previous versions of configurations
  – It must be possible to go back to previous versions of packages installed

21 Linux For Controls Requirements
R3 It must be possible to manage computers by user-definable groups
  – It must be possible to define the responsibility for computers according to their functionality (NSC)
  – The configuration parameters must be definable according to the domain and NSC of the computer
R4 It must be possible to clone computer(s) and re-install from scratch
  – It must be possible to give a new computer the same configuration as an existing configured computer
  – For replacements or troubleshooting it must be possible to reinstall a computer from scratch

22 Linux For Controls Requirements
R5 It must be possible to validate changes before applying them
R6 It must be possible to verify the configuration
  – It must be possible to test if the real configuration is identical to the desired configuration
  – It must be possible to change the real configuration to the desired configuration
R7 It must be possible to manage user installed packages and patches

23 Linux For Controls Requirements
R8 It must be possible to do remote system management
R9 Minimal Execution Rights
  – It must be possible to restrict the execution rights of the accounts for certain applications
R10 It must be possible to disable or restrict data transfer peripherals
  – It must be possible to restrict or disable CDs, DVDs, USB or similar devices, so that extra software that could compromise the security or functionality of a computer cannot be installed through them.
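
Requirements R1, R5, R6 and R7 together describe a desired-state check: compare what is installed on a node with its defined configuration, produce a plan that can be reviewed before it is applied, then converge. The Python below is an added example, not part of the original slides or of the CERN tools they describe; the manifest layout, package names, versions and function names are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: desired configuration of one node and what is really on it.
DESIRED = {"kernel": "1.2", "openssh-server": "2.0", "controls-app": "3.0"}
INSTALLED = {"kernel": "1.1", "openssh-server": "2.0", "usb-tools": "0.9"}

@dataclass
class Drift:
    missing: dict = field(default_factory=dict)        # package -> desired version
    wrong_version: dict = field(default_factory=dict)  # package -> (installed, desired)
    unmanaged: dict = field(default_factory=dict)      # package -> installed version

    @property
    def compliant(self):
        return not (self.missing or self.wrong_version or self.unmanaged)

def verify(desired, installed, allow_extra=False):
    """R6: test whether the real configuration matches the desired one.
    allow_extra=True models the R1 exception for test/development nodes."""
    drift = Drift()
    for pkg, want in desired.items():
        have = installed.get(pkg)
        if have is None:
            drift.missing[pkg] = want
        elif have != want:
            drift.wrong_version[pkg] = (have, want)
    if not allow_extra:  # R7: packages installed outside the defined set
        drift.unmanaged = {p: v for p, v in installed.items() if p not in desired}
    return drift

def plan(drift):
    """R5: list the changes for review before anything is applied."""
    actions = [("remove", p, v) for p, v in sorted(drift.unmanaged.items())]
    actions += [("install", p, v) for p, v in sorted(drift.missing.items())]
    # A set-version to an older release is the R2 rollback case.
    actions += [("set-version", p, w) for p, (_, w) in sorted(drift.wrong_version.items())]
    return actions

def converge(installed, actions):
    """R6: return the package set after the reviewed plan is applied (simulation only)."""
    result = dict(installed)
    for op, pkg, version in actions:
        if op == "remove":
            result.pop(pkg, None)
        else:
            result[pkg] = version
    return result

if __name__ == "__main__":
    steps = plan(verify(DESIRED, INSTALLED))
    print(steps, verify(DESIRED, converge(INSTALLED, steps)).compliant)
```

Keeping `plan` separate from `converge` is what makes the R5 validation step possible: the action list can be inspected or approved before any node is touched.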

24 AOB
- Skype
  – problem with "supernodes" which kicks in at CERN (high bandwidth) causing high network traffic and legal issues (as we then become a telecom operator)
- There are requests for having a VoIP service
  – is on working list (not with high priority)
  – needs to be moved to high priority in a common effort between IT and PH
- Windows 2000
  – is supported if it is patched (at least SP4)... from Microsoft until 2009
  – IT would like to reduce support earlier (beginning from next year)
- VPN requirements (feedback)
  – most people were misunderstanding on other ways to work
  – few cases where VPN is needed (see document on agenda page)
  – users have to use the less convenient ways of viewing web pages which are only visible from within CERN (e.g. through terminal services)
  – no performance issue even over low (non-ADSL/modem) connections.
- CRA: accounts will keep alive for one year
  – controls group: unix uid should never be reused (present policy is reusing)
- another discussion in DTF is needed to iterate on the requirements/needs