Hi Martin.
We never used the mkxprofd daemon as it was always source of huge
disasters for us (but other sites had different experiences with it), so
I do not know how it behaves when changing the rpm list and/or the /tmp
path.
I have never seen the "two entries per node" syndrome.
Emanuele
"Bly, MJ (Martin)" wrote:
>
> Emanuele,
>
> Our actions were as rollows:
>
> Checkout new tag (LCG1-1_0_1)
> Modify redhat73-cfg.h to add :/tmp as directed
> Modify cfgdir-cfg.h to reflrct name change of tag directory
> Modify site-cfg.h to change SITE_EDG_VERSION to LCG1-1_0_1
> Redstart mkxprod service: `service mkxprofd restart'
> Waited, got bored, forrced update with `/etc/obj/updaterpms run'
>
> As to your tests:
>
> If I stop the mkxprofd service demon and use "do_mkxprofd.sh `ls lcg*`",
> the system recognises the switch in presence of the :/tmp entry in
> redhat73-cfg.h
> and an update is run on the nodes. If I/we rely on the service demon,
> nothing
> happens in this particular case.
>
> Looks like I'm going to use the do_mkxprofd.sh in future.
>
> I've now also got two entries per node on my lcfg status web page.
> Something
> screwy somewhere!
>
> Martin.
> --
> -------------------------------------------------------
> Martin Bly | +44 1235 446981 | [log in to unmask]
> Systems Admin, Tier 1/A Service, RAL PPD CSG
> -------------------------------------------------------
>
> > -----Original Message-----
> > From: Emanuele LEONARDI [mailto:[log in to unmask]]
> > Sent: Monday, September 22, 2003 10:24 AM
> > To: [log in to unmask]
> > Subject: Re: [LCG-ROLLOUT] Critical security upgrade: new tag
> > LCG1-1_0_1
> >
> >
> > To summarize: you checked out the new tag, downloaded the new
> > rpms, and
> > added the :/tmp to redhat73-cfg.h but after running mkxprof nothing
> > happened.
> >
> > You then run /etc/obj/updaterpms by hand on each node and
> > this time the
> > new rpms were installed.
> >
> > Just to see if the /tmp trick is working at your site, please log on a
> > node (anyone should do) and start a "tail -f
> > /var/obj/log/client" on it
> > to get a real time update of what happens to the node configuration.
> > Then go to your LCFG server and issue a mkxprof for the node: if
> > everything is aligned you should see no message from the tail process.
> > At this point add (or remove if it is already there) the :/tmp in
> > redhat73-cfg.h and start mkxprof again. This time you should see that
> > the updaterpms object is started but no new packages are
> > installed/updated/removed (you may get some "Duplicate rpm" message,
> > though).
> >
> > Please let me know the outcome of this test.
> >
> > Cheers
> >
> > Emanuele
> >
> > P.S. in general, if after ~30 sec from the mkxprof command no
> > update is
> > started on the client node, this means that the client node
> > was not able
> > to find on the server a configuration which is newer than the one
> > already installed. This can be due either to syntax errors in
> > the config
> > files (usually reported by mkxprof and detailed in
> > <http://YourLCFGServer/status>) or to the /tmp business.
> >
> > "Bly, MJ (Martin)" wrote:
> > >
> > > Hi Emanuele,
> > >
> > > Yes, I added the :/tmp as instructed. It didn't make any
> > difference.
> > >
> > > Martin.
> > > --
> > > -------------------------------------------------------
> > > Martin Bly | +44 1235 446981 | [log in to unmask]
> > > Systems Admin, Tier 1/A Service, RAL PPD CSG
> > > -------------------------------------------------------
> > >
> > > > -----Original Message-----
> > > > From: Emanuele LEONARDI [mailto:[log in to unmask]]
> > > > Sent: Monday, September 22, 2003 9:49 AM
> > > > To: [log in to unmask]
> > > > Subject: Re: [LCG-ROLLOUT] Critical security upgrade: new tag
> > > > LCG1-1_0_1
> > > >
> > > >
> > > > Hi Martin.
> > > >
> > > > You just hit a nice "feature" of the LCFG system. Something
> > > > we have been
> > > > complaining with EDG WP4 since more than 1.5 years, to no avail.
> > > >
> > > > The updaterpms object is only executed if the updaterpms
> > CONFIGURATION
> > > > changes, not if the RPM LISTS change. This is utterly
> > confusing and
> > > > annoying for everybody.
> > > >
> > > > The solution to this is to apply a "fake change" to the
> > configuration
> > > > for the updaterpms object. The trick we use is to add/remove an
> > > > innocuous (but existing) directory, /tmp, to the list of
> > directories
> > > > where updaterpms should look for rpms. This is done but going
> > > > at the end
> > > > of the redhat73-cfg.h file and replacing line
> > > >
> > > > RPMDIR/apps_common
> > > >
> > > > with
> > > >
> > > > RPMDIR/apps_common:/tmp
> > > >
> > > > or viceversa. This will append /tmp to the list of dirs
> > loaded on the
> > > > updaterpms.rpmdir parameter.
> > > >
> > > > Cheers
> > > >
> > > > Emanuele
> > > >
> > > > "Bly, MJ (Martin)" wrote:
> > > > >
> > > > > Hi All,
> > > > >
> > > > > OK,
> > > > >
> > > > > RAL is updated to LCG1-1_0_1, after some trial and error.
> > > > >
> > > > > After discovering that we'd somehow managed NOT to
> > update the rpmcfg
> > > > > directory, we remade the configs (we use the mkxprofd
> > > > service rather than
> > > > > do_mkxprofd.sh) and waited. And waited.
> > > > >
> > > > > I got bored and forced the nodes to do the update by issuing
> > > > > '/etc/obj/updaterpms run' on each one. How long should one
> > > > have to wait for
> > > > > them do update themselves?
> > > > >
> > > > > Martin.
> > > > > --
> > > > > -------------------------------------------------------
> > > > > Martin Bly | +44 1235 446981 | [log in to unmask]
> > > > > Systems Admin, Tier 1/A Service, RAL PPD CSG
> > > > > -------------------------------------------------------
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Emanuele LEONARDI [mailto:[log in to unmask]]
> > > > > > Sent: Friday, September 19, 2003 5:30 PM
> > > > > > To: [log in to unmask]
> > > > > > Subject: [LCG-ROLLOUT] Critical security upgrade: new tag
> > > > LCG1-1_0_1
> > > > > >
> > > > > >
> > > > > > Dear LCG1 site administrators,
> > > > > >
> > > > > > in the past few days a few security patches for the
> > > > openssh, sendmail
> > > > > > and pine packages have been released.
> > > > > >
> > > > > > I just finished including them in the LCG1 rpm lists and
> > > > created a new
> > > > > > tag named LCG1-1_0_1
> > > > > >
> > > > > > The only difference with tag LCG1-1_0_0 are the patched rpms
> > > > > > so you only
> > > > > > need to check out the new tag, run updarep on the
> > LCFG server, and
> > > > > > trigger a node update. Be aware that, due to the internal
> > > > > > functioning of
> > > > > > LCFG, you may have to edit the redhat73-cfg.h file adding
> > > > the ":/tmp"
> > > > > > string at the end of the updaterpms.rpmdir definition
> > > > before running
> > > > > > mkxprof.
> > > > > >
> > > > > > Note 1: as the pathced rpms are part of the basic operating
> > > > > > system, ALL
> > > > > > nodes need to be updated.
> > > > > >
> > > > > > Note 2: services should be automatically restarted by the rpm
> > > > > > update but
> > > > > > it does not hurt if you give a look and make sure
> > this was done.
> > > > > >
> > > > > > Please report to lcg-rollout when you are done.
> > > > > >
> > > > > > Cheers
> > > > > >
> > > > > > Emanuele
> > > > > >
> > > > > > P.S. for the curious characters, this is the list of new rpms:
> > > > > >
> > > > > > openssh-3.1p1-14.i386.rpm
> > > > > > openssh-askpass-3.1p1-14.i386.rpm
> > > > > > openssh-askpass-gnome-3.1p1-14.i386.rpm
> > > > > > openssh-clients-3.1p1-14.i386.rpm
> > > > > > openssh-server-3.1p1-14.i386.rpm
> > > > > > pine-4.44-19.73.0.i386.rpm
> > > > > > sendmail-8.11.6-27.73.i386.rpm
> > > > > > sendmail-cf-8.11.6-27.73.i386.rpm
> > > > > > sendmail-devel-8.11.6-27.73.i386.rpm
> > > > > > sendmail-doc-8.11.6-27.73.i386.rpm
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > /------------------- Emanuele Leonardi -------------------\
> > > > > > | eMail: [log in to unmask] - Tel.: +41-22-7674066 |
> > > > > > | IT division - Bat.31 2-012 - CERN - CH-1211 Geneva 23 |
> > > > > > \---------------------------------------------------------/
> > > > > >
> > > >
> > > > --
> > > > /------------------- Emanuele Leonardi -------------------\
> > > > | eMail: [log in to unmask] - Tel.: +41-22-7674066 |
> > > > | IT division - Bat.31 2-012 - CERN - CH-1211 Geneva 23 |
> > > > \---------------------------------------------------------/
> > > >
> >
> > --
> > /------------------- Emanuele Leonardi -------------------\
> > | eMail: [log in to unmask] - Tel.: +41-22-7674066 |
> > | IT division - Bat.31 2-012 - CERN - CH-1211 Geneva 23 |
> > \---------------------------------------------------------/
> >
--
/------------------- Emanuele Leonardi -------------------\
| eMail: [log in to unmask] - Tel.: +41-22-7674066 |
| IT division - Bat.31 2-012 - CERN - CH-1211 Geneva 23 |
\---------------------------------------------------------/
|