Deployment Issues David Kelsey GridPP13, Durham 5 Jul 2005

5-Jul-05Deployment Board2 Deployment Session Summary of earlier deployment session We discussed Introductions –Useful! Technical Documentation Security Policy and Procedures

5-Jul-05Deployment Board3 Deployment Issues We did not discuss LCG and gLite releases and deployment Deployment Metrics – Get fit actions Storage issues Tier 2 deployment and operations And many issues

5-Jul-05Deployment Board4 Documentation Strong requirement for good documentation –User guides –Sys Admin guides –Web pages –Etc Progress to date not bad (but slow) We need someone to drive this Oversight Committee agrees Is anyone interested/able to do this? Or should we recruit?

5-Jul-05Deployment Board5 Documentation Conclusions –Aim mainly at sys admins –Lots of good ideas –Advantage in having someone external –Discussed scope (GridPP/LCG/EGEE) –Technical writer – different skills from sysadmin –Encouraged volunteers –Or else will recruit

5-Jul-05Deployment Board6 Security Policy and Procedures User and VO AUP Incident Response Lessons from recent ssh key incident Security Vulnerability policy

5-Jul-05Deployment Board7 AUP New User and VO AUP policy Short and sweet –Does not satisfy legal experts –More work required New incident response policy and procedures

5-Jul-05Deployment Board8 Lessons from recent ssh incident Dteam user trying to run MPI jobs copied ssh keys Lots of discussion on LCG-Rollout and TB-Support –How do I blacklist a user certificate? –How do we get the user’s certificate revoked? –Is this an incident? –Why doesn’t LCG security team urgently investigate? –Will we see a full report on lessons learned? –Need good advice for sys admins to avoid incidents? –There is no DTEAM AUP – why running MPI jobs? –How does sys admin contact the user? –There is no infrastructure for dealing with real incidents?

5-Jul-05Deployment Board9 Security Vulnerability Linda Cornwall will present tomorrow There has been lots of discussion re policy –Discuss these now Everyone agrees aim –To protect our sites, resources and data –Improve quality of middleware and deployment Concerns about –Legal liability –Do we “publish” vulnerabilities (if so, when?) –Developers will not fix unless we publish –How do we keep information private before publishing?

5-Jul-05Deployment Board10 Decision? LCG, EGEE, GridPP management will decide the approach –PEB, PMB etc General EGEE agreement – Athens and Brno meetings –Internal activity so cannot fully publish –Responsibility for informing internal and external customers rests on SA1 (OSCT/ROCs) and JRA1 Feedback welcome to inform this –When/how do sites need to be informed? If this approach does not produce results we should retain right to change to Important to get this right BUT even more important to get on with fixing problems –Volunteers needed for Risk Analysis

5-Jul-05Deployment Board11 Tier 2 Deployment & operations 24*7 service Accounting VO support Resource delivery Permanent storage How do sites get back in if blacklisted? Communication –Sites & ROCs Experiments