Difference between revisions of "Operations Bulletin Latest"

From GridPP Wiki
Jump to: navigation, search
()
()
Line 407: Line 407:
  
 
===== =====
 
===== =====
 +
 +
'''Monday 24th of October'''
 +
*Dirty COW vulnerability - CVE-2016-5195
 +
Sites are asked to act to mitigate this as soon as possible - see the advisory. Hopefully by the times the meeting comes we'll have more information on an SL fix - when this comes sites will have 7 days to update.
 +
 
Monday 17th October
 
Monday 17th October
 
* Due to problems with pattern matching filters, Pakiti was not complaining about some instances until recently. This was in connection to vulnerability EGI-SVG-2016-11476.  
 
* Due to problems with pattern matching filters, Pakiti was not complaining about some instances until recently. This was in connection to vulnerability EGI-SVG-2016-11476.  

Revision as of 14:59, 24 October 2016

Bulletin archive


Week commencing Monday 24th October 2016
Task Areas
General updates

Monday 17th October


Monday 26th September

Monday 19th September

  • International Symposium on Grids and Clouds (ISGC) 2017 call for papers closes at the end of October.
  • August WLCG T2 Availability:
    • ALICE. All okay
    • ATLAS. Glasgow: 86%:97% | Oxford: 82%:82%
      • Glasgow availability was down due to a power cut in their machine room at the beginning of the month. It took a few days to recover from it.
      • Oxford was down for a few days due to an A/C failure on Friday 12th August. The cluster was shutdown and restored on Monday 15th.
    • CMS. All okay
    • LHCb. All okay (but note ECDF as N/A).
  • There was a GDB last week. Minutes will appear here.
  • Notes from Thursday's EGI OMB. Actions:
    • NGIs using the GOCDB API should assess if their use is compatible with the new developments available in the test instance.
    • Gather information about best practices for the users who are transitioning from WMS to DIRAC.
    • Discuss the CSIRT proposal with sites and ROD staff.
    • The ARGO proposal for GOCDB proposal has an impact on the site managers and therefore NGIs should discuss this proposal with their sites and staff.
  • Notes from Monday's WLCG ops meeting.
  • Jeremy C will follow up on External Accounts this week.
  • Alastair mentions "ARC Camp!" for an interested person (TB-SUPPORT 14th Sept).
  • Decommissioning of the old downtime notification system took place last week. From now on use the [ https://operations-portal.egi.eu/downtimes/subscription new system].
    • You have to select the targets of you subscription then a channel of communication (RSS, Ical or email) . Don't forget to fill your email address if you have selected the email channel!
  • VAPOR application v2.1 is now online. Various changes including integration of Gstat features.
  • APEL Tests Paused today - There is a temporary problem with the APEL Pub and Sync tests. They are not reflecting recent data received by the APEL repository.


WLCG Operations Coordination - AgendasWiki Page

Monday 3rd October

  • There was a WLCG ops coordination meeting last week: Agenda. (Good to review in the ops meeting).

Monday 26th September

Monday 19th September


Tuesday 13th September

  • There was an ops coordination meeting on 1st September. Agenda|Minutes.
  • News from the WLCG accounting Task Force: The new accounting portal with changes performed for the WLCG view is ready for validation.
  • EL7 plans from the experiments were presented at 1st September WLCG ops coordination meeting and summarised in the minutes twiki. Site plans will soon be collected by WLCG Operations.


Tier-1 - Status Page

Tuesday25th October A reminder that there is a weekly Tier-1 experiment liaison meeting. Notes from the last meeting here

  • Following the replacement of the "UKLight" router that handles the data traffic in/out of the Tier on 5th October we have seen significantly more data flowing across the "non-OPN" bypass route.
  • Some changes were made to increase the number of CMS batch jobs that we run in order to bring the number more into line with the pledge.
  • We have had load issues for both the Atlas Scratch Disk and on the Castor 'GEN' instance. This latter caused some access problems for all users of 'GEN' (e.g. Alice).
  • Owing to staff availability the upgrade of Castor to version 2.1.15 is being scheduled to tale place in January.
Storage & Data Management - Agendas/Minutes

Wednesday 26 Oct

  • Feedback from WLCHEPiXG - don't miss it!

Wednesday 19 Oct

  • Long list of loose ends - accounting and information systems, IPv6 surprising successes

Wednesday 12 Oct

  • Initial impressions from WLCG workshop and CHEP-so-far
  • Coming events where GridPP storage-and-data-management could be, will be, or should be (re)presented.

Wednesday 05 Oct

  • GridPP (re)presentations at WLCG workshop (coming weekend) and CHEP (next week), and cloud workshop at Crick (Nov.)
  • Grid specific stuff - and interoperations and interconnecting infrastructures - and future requirements and technologies

Wednesday 28 Sept

Tier-2 Evolution - GridPP JIRA

Monday 17th October

  • Validation of APEL accounting of VM resources and VM-only sites has been completed.
  • From 4th October: A Lightweight sites questionnaire for WLCG sites has been circulated. The aim is to get to a "matrix" of approaches that sites can choose from,

depending on criteria that is covered in the questionnaire.

Tue 10 Oct

  • Vac-in-a-Box 00.34 supports Vac 01.00 itself rather than pre-release (note that upgrading to 01.00 requires a reboot due to network layout changes)
  • "Vacuum Platform" specification published as HSF-TN-2016-04

Wed 05 Oct


Accounting - UK Grid Metrics HEPSPEC06 Atlas Dashboard HS06

Monday 26th September

  • A problem with the APEL Pub and Sync tests developed last Tuesday and was resolved on Wednesday. This had a temporary impact on the accounting portal.

Tuesday 14th June

  • GridPP accounting switched to use the 'new' EGI accounting portal.
  • APEL delays from UK sites look about 'normal' (i.e. delays are typical).

Tuesday 9th February

  • 4th Feb: The data from the APEL summariser that was fixed yesterday has now propagated through the data pipeline and the Accounting Portal views and the Sync and Pub tests are all working again.
  • Sheffield is slightly behind other sites (but looks normal) and so is QMUL.


Documentation - KeyDocs

Tue 20th Sept GridPP Approved VOs now has link to RPM versions of the VOMS records. They are available for now via the VOMS RPMS Yum Repository. The latest version, which is consistent with the Yaim records in the Approved VOs doc, is 1.0-1. Plan is that when VO records change, Approved VOs doc version will be incremented, and RPMs of changed VOs (only those) will be released carrying the same version stamp as the document. Thus a site that upgrades to "latest" will get the records compatible with the newest version of the GridPP Approved VOs document.

Note: A typical RPM contains as so:

[sjones@hep169]$ rpm -qlp gridpp-voms-dteam-1.0-1.noarch.rpm 
/etc/grid-security/vomsdir/dteam
/etc/grid-security/vomsdir/dteam/voms.hellasgrid.gr.lsc
/etc/grid-security/vomsdir/dteam/voms2.hellasgrid.gr.lsc
/etc/vomses/dteam-voms.hellasgrid.gr
/etc/vomses/dteam-voms2.hellasgrid.gr
/root/vo_xml/dteam.xml

The vomsdir (lsc) files (which list the DNs and CA DNs of acceptable certificates) and the vomses files (which give the coordinates of VOMS servers of various VOs) are provided, as if they were created by YAIM in the normal locations. No other features of YAIM are facilitaed by these RPMs. Thus they are useful for migrating from YAIM, but do not provide all the functions of YAIM such as setting SW dirs or other ENV vars etc.

Tue 6th Sept Benchmarking procedure. Contains instructions for ARC/Condor, CREAM/Torque, VAC. Needs to be updated for use with other systems.

https://www.gridpp.ac.uk/wiki/Benchmarking_procedure

Mon 1st Aug LZ VO now up to date in portal, and will be updated in Approved VOs automatically from now on. Sites supporting LZ are advised to read LZ VOMS settings section of https://www.gridpp.ac.uk/wiki/GridPP_approved_VOs (which is between LSST and MAGIC!)

Tue 26th July

Elena has provided VOMS info for DUNE. I'm maintaining it by hand, at present, similarly for LZ.

Both should be present and correct in the Operations Portal, but are not.

https://www.gridpp.ac.uk/wiki/GridPP_approved_VOs


General note

See the worst KeyDocs list for documents needing review now and the names of the responsible people.

Interoperation - EGI ops agendas

Monday 19th September

  • The next EGI ops meeting is on 12th October.

Monday 18th July

  • EGI ops coordination meeting on the 18th.
  • Delayed from last week due to holidays
  • UMD 3.14.3 to be released, fixing problem with gpgkeys, urgent (could be out by now)
  • 4.1.1 at the end of June fixing edg-mkgridmap issue
  • 4.2.0 end of July
  • Planned to return to schedule after release of CMD v1, partly after new RT released for EGI
  • SL5 NGI SAMs can be decommissioned
  • New direct submission CREAM probes
  • RFC proxies to be the default
  • New config for DTEAM VOs (new .lsc config)
  • SL5 report submitted
  • Issues with storage migration to be discussed on mailing list


Monitoring - Links MyWLCG

Tuesday 1st December


Tuesday 16th June

  • F Melaccio & D Crooks decided to add a FAQs section devoted to common monitoring issues under the monitoring page.
  • Feedback welcome.


Tuesday 31st March

Monday 7th December

On-duty - Dashboard ROD rota

Monday 17th October

  • Mostly quiet. We've got six outstanding tickets, four of which have been there for a while. There's one new ticket against Liverpool's ARC-CEs. The final one is there purely to silence the availability alarm at EFDA-JET until the decommissioning process is complete.

Monday 19th September

  • Fairly quiet week, with just the usual suspects.
  • ROD responses received.

Monday 22nd August

  • Unusually quiet week. Nothing significant.
  • Portal very slow at times though.
  • New rota meet-o-matic request circulated - ROD team members please respond this week!

Monday 28th June

  • The ROD rota needs to be updated.
Rollout Status WLCG Baseline

Tuesday 7th December

  • Raul reports: validation of site BDII on Centos 7 done.

Tuesday 15th September

Tuesday 12th May

  • MW Readiness WG meeting Wed May 6th at 4pm. Attended by Raul, Matt, Sam and Jeremy.


References


Security - Incident Procedure Policies Rota

Monday 24th of October

  • Dirty COW vulnerability - CVE-2016-5195

Sites are asked to act to mitigate this as soon as possible - see the advisory. Hopefully by the times the meeting comes we'll have more information on an SL fix - when this comes sites will have 7 days to update.

Monday 17th October

  • Due to problems with pattern matching filters, Pakiti was not complaining about some instances until recently. This was in connection to vulnerability EGI-SVG-2016-11476.
  • There was an EGI Trust Anchor release 1.78-1. Please upgrade by 2016.10.18 at your earliest convenience. Please check the release notes for more details
  • FedCloud Sites have received a 'Heads Up'.
  • We are down to a few SL5 services.

Tuesday 4th October

  • Sites not upgrading for EGI-SVG-2016-11476 have now been ticketed by EGI CSIRT. Although WNs not thought to be vulnerable they are asked to be upgraded as indicator of compliance elsewhere. No UK sites have been ticketed _BUT_ it looks like the monitoring is only working through CREAM CEs so there may be ARC CE installations that would show "vulnerable" if/when the monitoring is fixed. Please check.
  • Some randon stuff from DI4R
    • Keynotes (again) on European Open Science Cloud and Human Brain Project
    • Good run through of pilots/plans for "Enabling federated login to WLCG" [1]
    • Anybody developing software might like to look at OSG's Rob Quick's presentation on the Software Assurance Marketplace SWAMP, a free software QA tool which can help improve code quality and security.
    • Summary of the "WISE people take action on Security" workshop
    • High level stuff on activities around procurement of infrastructure from public cloud providers [2]
    • Bruce Becker gave a good/amusing/thoughtful lightening talk on managing distributed infrastructure in Africa [3]

Tuesday 27th September

  • One "critical" risk vulnerability EGI-SVG-2016-11476 reported 21/09. Updates should be applied by 29/09.
  • IGTF CA distribution 1.77 release 1 is now available for download from the Repository (and mirrors) [4]
  • Matt Doidge has joined the UK NGI security team. Thanks Matt - Ian.
  • WISE Security for Collaborating Infrastructures workshop @ DI4R conference 27/09/2016 [5]


Tuesday 20th September

  • Changes to site (re-)certification procedure proposed at OMB to enable security vulnerability checks which are currently blocked due to move to Argo monitoring. [6]
  • IGTF & EUGridPMA (certificate issuing authorities) meeting [7]
    • Summaries of issues exploiting federated identity management (e.g. eduGain) and social id's (e.g. facebook) on Monday [8] [9].

Tuesday 13th September

  • WLCG Traceability and Isolation WG (Vidyo meeting) 14th Sept. [10]
  • Public disclosure of a MySQL vulnerability, ongoing assessment by SVG initially & currently not thought critical for Grid services, but DBAs may be interested. [11] [12] [13]

The EGI security dashboard.


Services - PerfSonar dashboard | GridPP VOMS

- This includes notifying of (inter)national services that will have an outage in the coming weeks or will be impacted by work elsewhere. (Cross-check the Tier-1 update).

Monday 19th September

  • UK eScience CA - certificate issuance problems. Jens reported that on 15th a partial but significant database corruption occurred on the signing system for the CA. Data was restored from (offline) backups but the rebuild was not correctly configured.
  • A large number of site admins and other GridPP supporters appeared to be suspended from the dteam VO last week. “During a planned upgrade operation of VOMS service, a system malfunction occurred. As a result, some users received false notification about membership expiration. We are in contact with the software development team in order to identify the cause.”


Tuesday 10th May

  • Next LHCOPN and LHCONE meeting: Helsinki (FI) 19-20 of September 2016: Agenda.

Tuesday 22nd March

Tickets
Tools - MyEGI Nagios

13th September 2016


19th July

Both instances of gridppnagios at Oxford and Lancaster has been decommissioned.

12th July 2016

Central ARGO monitoring service has started from 1st of July. All grid resources are monitored through two Nagios instances

https://argo-mon.egi.eu/nagios/

https://argo-mon2.egi.eu/nagios/

It has same interface as gridppnagios. Alarms from these instances goes to Operational Dashboard

http://argo.egi.eu/ is a web interface which provides availability/reliability figures and site status. It is equivalent of old myegi interface with some additional services.

I am planning to decommission both instances of gridppnagios in coming weeks. I have stopped nagios and httpd on both instances so it will not send tests to grid resources in UK. I will also decommission storage-monit.physics.ox.ac.uk which was only used for storage replication test.

We will keep vo-nagios.physics.ox.ac.uk running until we get a replacement for vo-monitoring.


Monday 13th June

  • Active Nagios instance moved to Lancaster

Tuesday 5th April 2016

Oxford had a scheduled network warning so active nagios instance was moved from Oxford to Lancaster. I am not planning to move it back to Oxford for the time being.


Tuesday 26th Jan 2016

One of the message broker was in downtime for almost three days. Nagios probes picks up a random message broker and failover is not working so a lot of ops jobs hanged for long time. Its a known issue and unlikely to be fixed as SAM Nagios is in its last leg. Monitoring is moving to ARGO and many things are not clear at the moment.

Monday 30th November

  • The SAM/ARGO team has created a document describing Availability reliability calculation in ARGO tool.
VOs - GridPP VOMS VO IDs Approved VO table

Tuesday 19th May

  • There is a current priority for enabling/supporting our joining communities.

Tuesday 5th May

  • We have a number of VOs to be removed. Dedicated follow-up meeting proposed.

Tuesday 28th April

  • For SNOPLUS.SNOLAB.CA, the port numbers for voms02.gridpp.ac.uk and voms03.gridpp.ac.uk have both been updated from 15003 to 15503.

Tuesday 31st March

  • LIGO are in need of additional support for debugging some tests.
  • LSST now enabled on 3 sites. No 'own' CVMFS yet.
Site Updates

Tuesday 23rd February

  • For January:

ALICE: All okay.

RHUL 89%:89% Lancaster 0%:0%

RALPP: 80%::80%

RALPP: 77%:77%

  • Site responses:
    • RHUL: The largest problem was related to the SRM. The DPM version was upgraded and it took several weeks to get it working again (13 Jan onwards). Several short-lived occurrences of running out of space on the SRM for non-ATLAS VOs. For around 3 days (15-17 Jan) the site suffered from a DNS configuration error by their site network manager which removed their SRM from the DNS, causing external connections such as tests and transfers to fail. For one day (25 Jan) the site network was down for upgrade to the 10Gb link to JANET. Some unexpected problems occurred extending the interruption from an hour to a day. The link has been successfully commissioned.
    • Lancaster: The ASAP metric for Lancaster for January is 97.5 %. There is a particular problem with ATLAS SAM tests which doesn’t affect the site activity in production and analysis and this relates to the path name being too long. A re-calculation has been performed.
    • RALPP: Both CMS and LHCb low figures are due to specific CMS jobs overloading the site SRM head node. The jobs should have stopped now.



Meeting Summaries
Project Management Board - MembersMinutes Quarterly Reports

Empty

GridPP ops meeting - Agendas Actions Core Tasks

Empty


RAL Tier-1 Experiment Liaison Meeting (Wednesday 13:30) Agenda Meeting takes place on Vidyo.

Highlights from this meeting are now included in the Tier1 report farther up this page.

WLCG Grid Deployment Board - Agendas MB agendas

Empty



NGI UK - Homepage CA

Empty

Events
UK ATLAS - Shifter view News & Links

Atlas S&C week 2-6 Feb 2015

Production

• Prodsys-2 in production since Dec 1st

• Deployment has not been transparent , many issued has been solved, the grid is filled again

• MC15 is expected to start soon, waiting for physics validations, evgen testing is underway and close to finalised.. Simulation expected to be broadly similar to MC14, no blockers expected.

Rucio

• Rucio in production since Dec 1st and is ready for LHC RUN-2. Some fields need improvements, including transfer and deletion agents, documentation and monitoring.

Rucio dumps available.

Dark data cleaning

files declaration . Only Only DDM ops can issue lost files declaration for now, cloud support needs to fill a ticket.

• Webdav panda functional tests with Hammercloud are ongoing

Monitoring

Main page

DDM Accounting

space

Deletion

ASAP

• ASAP (ATLAS Site Availability Performance) in place. Every 3 months the T2s sites performing BELOW 80% are reported to the International Computing Board.


UK CMS

Empty

UK LHCb

Empty

UK OTHER
  • N/A
To note

  • N/A