1. 1Maria Dimou- cern-it-gd LCG November 2007 GDB October 2007 VOM(R)S Workshop report https://twiki.cern.ch/twiki/bin/view/LCG/VomsWG Grid Deployment Board 2007-11-07

2. 2Maria Dimou- cern-it-gd LCG November 2007 GDB Main challenges on the agenda  Complete the voms-admin+glite scripts’ certification process.  Install latest vomrs and voms on test host voms111.cern.ch.  Prompt VOs to test this installation with Generic Attributes (GAs) activated.  Check new software environment:  OS SLC4  New oracle-instant-client version 10.2.0.3  Different oracle connectivity parametres (OCI)  New tomcat5-5.5 version  Dramatically different voms-admin (version 2).  Full agenda: http://indico.cern.ch/conferenceOtherViews.py?view=stan dard&confId=18764 http://indico.cern.ch/conferenceOtherViews.py?view=stan dard&confId=18764

3. 3Maria Dimou- cern-it-gd LCG November 2007 GDB Transition to production  Waiting for 4 new SLC4 hosts with set-up:  lcg-voms.cern.ch (2 hosts, identical configuration, automatic fail-over via LinuxHA). Functions:  User registration via vomrs  Voms-proxy attribution.  Voms.cern.ch (2 hosts, identical configuration, automatic fail-over via LinuxHA). Functions:  Gridmap file preparation.  Voms-proxy attribution.  LinuxHA on SLC4 was never used so far. CERN/IT/FIO is helping us with this port.  NB!!! This function split between voms and lcg-voms is in use since December 18 th 2006!!! Still some VOs and sites are not aware.

4. 4Maria Dimou- cern-it-gd LCG November 2007 GDB Future topics at the workshop  VOMS db Replication  Allowed by policy, implemented in voms core, requested by the VOs, needs testing.  Following successful CNAF-internal tests, CERN-CNAF tests were decided.  VOM(R)S Service registration  The objective is to allow cron jobs to obtain voms-proxies.  Discussed also at the 29/10/07 JSPG. Features:  Trace back the individual who registered the service.  VO Admin entering hundreds of hosts or site admins becoming VO members is inconceivable.  Reached no implementable conclusion.  VOs and other middleware developers have to specify requirements.

5. 5Maria Dimou- cern-it-gd LCG November 2007 GDB VOM(R)S versions  In production today (All on Oracle) :  Vomrs-1.3.1-d with GAs implemented but not activated  Voms-admin-1.2.19-1 with GAs implemented but not activated.  voms-server-1.7.16-2  Certified and going to production end of November 2007:  Vomrs-1.3.1-e with GAs activated [Details]Details  Voms-admin-2.0.9 with GAs activated.  voms-server-1.7.23-1.slc4

6. 6Maria Dimou- cern-it-gd LCG November 2007 GDB Pre-requisites for production  Still suffering from periodic memory problems on the CERN VOMS servers. On developers’ request we completely removed voms-admin from lcg-voms.cern.ch, leaving only vomrs. This requires an exceptional startup procedure, not available in the gLite scripts.  Due to our complex installation (4 hosts) the gLite ‘site’ configuration scripts are needed, which are currently broken and being re-written by the certifier.

7. 7Maria Dimou- cern-it-gd LCG November 2007 GDB (More) pre-requisites  Vomrs code change to handle problems with voms-admin synchronisation due to VO members with certificates from expired CAs.  LinuxHA testing is not yet finished.  The new servers we requested last May will come after Christmas  we have to “improvise” with temporary hardware.  We can’t go back due to a change in the database schema.

8. 8Maria Dimou- cern-it-gd LCG November 2007 GDB The Others  The Sites  Delays in updating VO configuration data at the sites are a big problem. The “VO Configurator” is now available from the CIC portal but:  How much complexity do we put in it?  How do we convince the sites to use it?  Voms no more requires the entire hostcert.pem to be installed at all sites. This will require a configuration change from their side.  Voms-admin no more accepts ‘emailAddress’ and ‘USERID’ in a DN. Sites have to upgrade to openssl-0.9.7+

9. 9Maria Dimou- cern-it-gd LCG November 2007 GDB Operational dangers  Between Christmas 2007 and March 2008 we are losing:  The CERN VOM(R)S service manager and supporter.  The only (worldwide) vomrs tester and supporter.  The only voms code certifier.  There is no such thing as a ‘frozen’, ‘stable’, ‘off the shelf’ service for voms/vomrs due to:  Bug fixes  New requirements

10. 10Maria Dimou- cern-it-gd LCG November 2007 GDB Consequences  User support via mailing lists and GGUS tickets takes 5% of the supporters’ time but not less than that. It can’t be abandoned and it can’t be given to people who don’t know the service set-up.  Current installation according to CERN/IT/FIO quattor practices with individual rpms in CDB requires in depth knowledge of the certification status of every component. It can’t be given to a sys. Admin who doesn’t know about voms.

11. 11Maria Dimou- cern-it-gd LCG November 2007 GDB Increasing complexity  voms-admin-2 is dramatically different from voms-admin- 1.2.19. We anticipate a lot of support effort required at the beginning.  voms-admin-2.5 is the next stop gap, implementing JSPG requirements for periodic user expiration in the VO etc. Who will do the big certification and vomrs testing job required for that?  JRA1 has not yet decided whether voms-admin-2 and 2.5 will be, both, supported.  Vom(r)s Oracle port is only used at CERN. All developers are reluctant to envisage any testing anywhere else but CERN.

12. 12Maria Dimou- cern-it-gd LCG November 2007 GDB Moreover  FNAL is willing to maintain vomrs but will never test ORGDB (CERN HR db) integration (LHC VO exclusivity).  For GA usage, the UI must be equipped with voms-admin client and paraphernalia.

13. 13Maria Dimou- cern-it-gd LCG November 2007 GDB In summary and conclusion voms and vomrs are still very visible and critical services. Therefore they can’t be stripped from resources for  development,  deployment and  support. Thank You!