It's nice if you are LHCb, but .... (X509_VOMS_DIR/X509_VOMSES)

[chaen]

From @marianne013

The 'new' logic in the bashrc/diracosrc where the script checks if /etc/vomses and /etc/grid-security/vomsdir exist and is not empty does not work for the GridPP DIRAC instance. The reason for this is failry simple:
A non-negligible number of our users work on LHC dominated resources, so these directories exist and contain all the necessary files for the LHC VOs but nothing else (/etc/grid-security/certificates is usually fine as it's not VO specific).
I don't want to ask the users to get their central services to update these directories, these are small experiments with little computing support and we would like to keep this as straight forward as possible.
On the other hand I haven't been able to come up with a clean solution as how to set this depending on DIRAC server. Does anyone have a creative idea ?
(I've set it on the GridPP DIRAC UI on cvmfs, but this is not always available from the users' submit nodes.)

[chaen]

After checking a bit more in depth with @chrisburr and testing, we came up with the conclusion that for the case of X509_VOMSES, it's actually okay to have a list of pathes.

@marianne013 can you please try this fix on a broken UI ? chaen@ac241b9
set the environment variable X509_VOMSES=/etc/vomses:whatever:somethingelse

If that works, then we will change the dirac-install in the management repo to concatenate the path instead of replacing them

[marianne013]

I don't think the underlying voms command can cope:
lx02:~ > export VOMS_USERCONF=/etc/grid-security:/cvmfs/grid.cern.ch/etc/grid-security/vomses
lx02:~ > voms-proxy-init --voms lz
No valid VOMSES information found locally while looking in: [/etc/grid-security:/cvmfs/grid.cern.ch/etc/grid-security/vomses]
VOMS server for VO lz is not known! Check your vomses configuration.

[chaen]

When you run the dirac-proxy-init -ddd, it should print out the voms-proxy-init it uses. Can you show us what it looks like please ?

[sfayer]

2021-10-07 10:16:07 UTC dirac-proxy-init/Subprocess [140203249497920] VERBOSE: shellCall: voms-proxy-init2 -cert "/tmp/x509up_u1000" -key "/tmp/x509up_u1000" -out "/tmp/tmp8Nz1tR" -voms "lz:/lz" -valid "23:54" -vomses "/etc/vomses" -vomses "/tmp/tmp6EnWd0/vomses" -r -timeout 12

[chaen]

That's strange, I can't reproduce. I tried doing it with my proxy using several vomses dir, and it works (besides telling me that I am not part of this VO).

Which DIRAC installation do you run ? python3 or 3 ? Could you problem be related to that ?

#5474

[marianne013]

Hi Chris, I think you don't see the error as your vomses fix works, so it decides you are not a member of the VO and never gets to the proxy check for which uses the vomsdir and which is the bit that doesn't work. The offer of joining the gridpp VO and just using the mulit-vo certification test stands.

[chaen]

fine... how do I join ?

[marianne013]

From an earlier email from Simon:
We add a CS entry:
/Operations/UseLocalVOMS = True (or something?)

We modify the thing that makes the local vomses to also create:
$DIRAC/.localvoms
if the CS option exists.

We modify bashrc to check for .localvoms file.

Or something like that?

[fstagni]

This is also possible, and might not even need the flag in CS, but what Chris is proposing looks less invasive.

[marianne013]

Too many communication channels, I had put that on Slack https://voms.gridpp.ac.uk:8443/voms/gridpp/register/start.action I still think we should revert to the previous behaviour for Vanilla DIRAC, as it makes no sense to get this info which unlike the crls gets updated in the order of years from some kind of central setup instead of the DIRAC server !!!!! (Clearly exclamation marks increase the impact of the answer. But @dirac core could just admit that you were wrong !!!!) !!!

…

On Tue, 12 Oct 2021 at 10:31, chaen ***@***.***> wrote: fine... how do I join ? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5441 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABZXZ75ZJPOEE7ZDNP32TYLUGP563ANCNFSM5FCG2DRA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

-- Sent from my guinea pig enhanced living room

----------------------------------------------------------- ***@***.*** HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: Working from home, please use email. http://www.hep.ph.ic.ac.uk/~dbauer/

[andresailer]

I have the same problem for the FCC VO, which at the moment isn't even available on cern lxplus. I could ask for that to be added on lxplus, or hack my CVMFS bashrc, but a more permanent solution is definitely required

[marianne013]

I've long hacked my cvmfs bashrc, but I have users (Oh Canada !) who need to install the tar ball. It's just wrong. @andre Sailer ***@***.***> If you email Matt ( ***@***.***) with FCC details he can add it at least to cvmfs which is available from lxplus. He usually does it within a day. Daniela

…

On Tue, 12 Oct 2021 at 11:39, Andre Sailer ***@***.***> wrote: I have the same problem for the FCC VO, which at the moment isn't even available on cern lxplus. I could ask for that to be added on lxplus, or hack my CVMFS bashrc, but a more permanent solution is definitely required — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5441 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABZXZ73H3SPZNK7HVEP2MIDUGQF53ANCNFSM5FCG2DRA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

-- Sent from my guinea pig enhanced living room

----------------------------------------------------------- ***@***.*** HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: Working from home, please use email. http://www.hep.ph.ic.ac.uk/~dbauer/

[andresailer]

I also have people from Canada that couldn't use the cvmfs installation, any idea what is wrong there?

[chaen]

I've requested to be a member. Can you give me the exact steps to reproduce ?

And sorry if that fix isn't to your liking, but it did fix a real problem. Now, obviously we will try to find a solution that works for everybody, but just reverting does not seem to be an option for me, unless you have a solution to propose to the original problem we were trying to solve ?

[marianne013]

What was the original problem ? LHCb changing their voms server once a decade ?

…

On Tue, 12 Oct 2021 at 12:10, chaen ***@***.***> wrote: I've requested to be a member. Can you give me the exact steps to reproduce ? And sorry if that fix isn't to your liking, but it did fix a real problem. Now, obviously we will try to find a solution that works for everybody, but just reverting does not seem to be an option for me, unless you have a solution to propose to the original problem we were trying to solve ? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5441 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABZXZ774V3U5XF2CS4WLZITUGQJR7ANCNFSM5FCG2DRA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

-- Sent from my guinea pig enhanced living room

----------------------------------------------------------- ***@***.*** HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: Working from home, please use email. http://www.hep.ph.ic.ac.uk/~dbauer/

[chaen]

It was observed and discussed about a billion times during the hackaton. These variables are set on the host, and they are correct. And when you end up in the container, they are still set, but they are wrong.

[chaen@lxplus754 ~]$ env | grep X509
X509_CERT_DIR=/etc/grid-security/certificates
X509_VOMSES=/etc/vomses
X509_VOMS_DIR=/etc/grid-security/vomsdir
[chaen@lxplus754 ~]$ ls /etc/vomses/
alice-lcg-voms2.cern.ch    dune-voms2.fnal.gov                           na48-lcg-voms2.cern.ch                    vo.aleph.cern.ch-lcg-voms2.cern.ch    vo.l3.cern.ch-voms2.cern.ch
alice-voms2.cern.ch        envirogrids.vo.eu-egee.org-lcg-voms2.cern.ch  na48-voms2.cern.ch                        vo.aleph.cern.ch-voms2.cern.ch        vo.opal.cern.ch-lcg-voms2.cern.ch
atlas-lcg-voms2.cern.ch    envirogrids.vo.eu-egee.org-voms2.cern.ch      na62.vo.gridpp.ac.uk-voms02.gridpp.ac.uk  vo.compass.cern.ch-lcg-voms2.cern.ch  vo.opal.cern.ch-voms2.cern.ch
atlas-voms2.cern.ch        escape-voms-escape.cloud.cnaf.infn.it         na62.vo.gridpp.ac.uk-voms03.gridpp.ac.uk  vo.compass.cern.ch-voms2.cern.ch      vo.sixt.cern.ch-lcg-voms2.cern.ch
cms-lcg-voms2.cern.ch      geant4-lcg-voms2.cern.ch                      na62.vo.gridpp.ac.uk-voms.gridpp.ac.uk    vo.delphi.cern.ch-lcg-voms2.cern.ch   vo.sixt.cern.ch-voms2.cern.ch
cms-voms2.cern.ch          geant4-voms2.cern.ch                          ops-lcg-voms2.cern.ch                     vo.delphi.cern.ch-voms2.cern.ch
dream-voms.hpcc.ttu.edu    ilc-grid-voms.desy.de                         ops-voms2.cern.ch                         vo.gear.cern.ch-lcg-voms2.cern.ch
dteam-voms2.hellasgrid.gr  lhcb-lcg-voms2.cern.ch                        unosat-lcg-voms2.cern.ch                  vo.gear.cern.ch-voms2.cern.ch
dune-voms1.fnal.gov        lhcb-voms2.cern.ch                            unosat-voms2.cern.ch                      vo.l3.cern.ch-lcg-voms2.cern.ch
[chaen@lxplus754 ~]$ ls /etc/grid-security/vomsdir/
alice  cms    dteam  envirogrids.vo.eu-egee.org  geant4  lhcb  na62.vo.gridpp.ac.uk  unosat            vo.compass.cern.ch  vo.gear.cern.ch  vo.opal.cern.ch
atlas  dream  dune   escape                      ilc     na48  ops                   vo.aleph.cern.ch  vo.delphi.cern.ch   vo.l3.cern.ch    vo.sixt.cern.ch
[chaen@lxplus754 ~]$ singularity exec --bind /cvmfs /cvmfs/cernvm-prod.cern.ch/cvm4/ bash --norc
Singularity> ls /etc/vomses
ls: cannot access /etc/vomses: No such file or directory
Singularity> ls /etc/grid-security/vomsdir
Singularity> 

[chaen]

and it was discussed in tickets before doing it: #5083

[andresailer]

They are not set on my host?

2021-10-12 14:00 sailer@lxplus754:~$ env | grep X509
2021-10-12 14:00 sailer@lxplus754:~$   

This seems to be an LHCb environment setting

[dirac@lbcertifdirac70 sailer]$ env | grep X509
X509_CERT_DIR=/etc/grid-security/certificates
X509_VOMSES=/etc/vomses
X509_VOMS_DIR=/etc/grid-security/vomsdir
[dirac@lbcertifdirac70 sailer]$ exit
2021-10-12 14:14 sailer@lbcertifdirac70:~$ env | grep X509
2021-10-12 14:14 sailer@lbcertifdirac70:~$ 

I most humbly apologize, but I don't remember the discussions in the hackathon.
And even then, we obviously missed that there is an issue with defaulting to /etc/....
I don't understand from you explanation why the defaults for these variables should be in /etc/ .
I could understand that the bashrc checks that pre-existing variables are correct, but from that it doesn't follow that the defaults are /etc/...

[marianne013]

And now in practice it turns out people outside the hackathon don't use the container and it causes problems in real life ? There is no need to access these directories in /etc on lxplus (or anywhere else, including inside that container) at all whether they are installed or not, that's sort of the point I am trying to make. It should *always* point to the DIRAC supplied vomses/vomsdirs inside the container or out. /certificates is different as a) it gets updated every 6 h or so (if installed properly) and b) it's not VO specific. How does the saying go; No battle plan survives contact with the enemy, though even I don't think my users are that bad.

…

On Tue, 12 Oct 2021 at 12:29, chaen ***@***.***> wrote: and it was discussed in tickets before doing it: #5083 <#5083> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5441 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABZXZ72YIQP73LDVTTK4OUTUGQLZ7ANCNFSM5FCG2DRA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

-- Sent from my guinea pig enhanced living room

----------------------------------------------------------- ***@***.*** HEP Group/Physics Dep Imperial College London, SW7 2BW Tel: Working from home, please use email. http://www.hep.ph.ic.ac.uk/~dbauer/

[marianne013]

On Tue, 12 Oct 2021 at 13:17, Andre Sailer ***@***.***> wrote: They are not set on my host? 2021-10-12 14:00 ***@***.***:~$ env | grep X509 2021-10-12 14:00 ***@***.***:~$ This seems to be an LHCb environment setting I most humbly apologize, but I don't remember the discussions in the hackathon. And even then, we obviously missed that there is an issue with defaulting to /etc/.... I don't understand from you explanation why the defaults for these variables should be in /etc/ . I could understand that the bashrc checks that pre-existing variables are correct, but from that it doesn't follow that the defaults are /etc/... I know the feeling - I have to admit I sometimes lose track of these

things. Simon will mutter "uh oh", but if I don't follow up he won't. Back in the old days(TM) when gridUIs were installed centrally the most common place would be /etc. Of course Imperial never did, because we were always (at times eye rollingly) special, but that's a different story. I don't think X509 is set anywhere by default, CMS certainly doesn't do it.

[andresailer]

What I mean by defaults are these lines in the bashrc
https://github.com/DIRACGrid/management/blob/da4f172dd190834619162a662e9490a09eb2cdd6/dirac-install.py#L2133

                    '  export X509_VOMSES="/etc/vomses"',

That is instead of checking X509_* then checking /etc/* why not check the variables and then use the DIRAC locations.

[andresailer]

Created a PR DIRACGrid/management#50

[marianne013]

This seems fixed in higher DIRAC versions. This comment is added to the discussion just so the author can mark it as an answer :-)