
Hi

Sorry, didn't realise I hadn't replied to the list this time.

Cheers
Stuart

On Mon, Oct 20, 2008 at 3:33 PM, Stuart Wakefield
<[log in to unmask]> wrote:
> Hi all
>
> Sorry, meant this to go to a local list so I could canvass opinions
> before replying. Unfortunately with the Gmail UI it's easy to change a
> fwd to a reply all.
>
> My concerns would have been:
>
> First the oddities of forcing sites to change their configuration for
> a security challenge - surely we should test the deployed setup not
> change our setup to fit the needs of a challenge.
>
> Second, it seems admins are going to be asked to track/stop/examine a
> job in progress (one wonders how likely that would be in real life
> anyway) and anyway surely the job is the least of our concerns at that
> point, surely we should rather look at:
>
> ssh keys etc added to the user account, other user processes spawned
> that may escape the batch system killer. Sites with passwordless ssh -
> which nodes has the affected job contacted i.e. head node, other
> workers etc..
>
> And last of all, root exploit on any machine that the job had access to.
>
> Clearly the details aren't being spread around - but these would
> strike me as important points for any challenge and I wonder if they
> are covered in the proposed (secret) plan.
>
> Cheers
> Stuart
>
> On Mon, Oct 20, 2008 at 3:16 PM, Coles, J (Jeremy)
> <[log in to unmask]> wrote:
>> P.S If I didn't know better I'd think that perhaps Kostas was sending
>> messages through you (or your account!).
>>
>> P.P.S Seriously, if there are suggestions from you guys at IC then I
>> think the community would listen. I can imagine the coffee room
>> conversations at the moment... but would rather they were progressive!
>>
>> Cheers,
>> Jeremy
>>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes
>> [mailto:[log in to unmask]] On Behalf Of Coles, J (Jeremy)
>> Sent: 20 October 2008 15:04
>> To: [log in to unmask]
>> Subject: Re: Enabling the gridpp VO (and providing a 72hr queue)
>>
>> Hi Stuart
>>
>> That's not a helpful thread to start. Please bear in mind when
>> considering this topic that we are running the challenges to IMPROVE
>> security for everyone. The challenges themselves have been thought
>> through but I'm sure afterwards there will be experiences that mean we
>> can improve them. Starting out with a negative attitude will not improve
>> the security. If you have (sensible and reasonable) suggestions for
>> making the sites and grid more secure then please share them but don't
>> undermine the efforts that are being made.
>>
>> Thanks,
>> Jeremy
>>
>>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes
>> [mailto:[log in to unmask]] On Behalf Of Stuart Wakefield
>> Sent: 20 October 2008 14:41
>> To: [log in to unmask]
>> Subject: Re: Enabling the gridpp VO (and providing a 72hr queue)
>>
>> Who else thinks this will be a complete waste of time?
>>
>>
>> ---------- Forwarded message ----------
>> From: Graeme Stewart <[log in to unmask]>
>> Date: Mon, Oct 20, 2008 at 2:34 PM
>> Subject: Re: Enabling the gridpp VO (and providing a 72hr queue)
>> To: [log in to unmask]
>>
>>
>> Well, obviously I now have an inkling that I will need to intercept a
>> running job; but, as I said, Glasgow are going to move to a 48 hour
>> maximum wallclock for our new kit and we're not going to change this.
>>
>> Cheers
>>
>> Graeme
>>
>> On Mon, Oct 20, 2008 at 3:20 PM, Ma, M (Mingchao)
>> <[log in to unmask]> wrote:
>>> Hi Graeme,
>>>
>>> I understood what you had said. But I can't tell you why. You will
>>> understand it once you complete the challenge :-)
>>>
>>> Cheers,
>>>
>>> Mingchao
>>>
>>>
>>>> -----Original Message-----
>>>> From: Testbed Support for GridPP member institutes [mailto:TB-
>>>> [log in to unmask]] On Behalf Of Graeme Stewart
>>>> Sent: 20 October 2008 14:15
>>>> To: [log in to unmask]
>>>> Subject: Re: Enabling the gridpp VO (and providing a 72hr queue)
>>>>
>>>> This makes no sense to me. What does having a certain time to respond
>>>> to the security challenge have to do with the wallclock time on the
>>>> site's queues?
>>>>
>>>> If I can compromise your site it will probably happen <5s after my
>>>> job starts to run, even if I run it in a 7 day queue.
>>>>
>>>> Graeme
>>>>
>>>> On Mon, Oct 20, 2008 at 3:11 PM, Ma, M (Mingchao)
>>>> <[log in to unmask]> wrote:
>>>> > Hi All,
>>>> >
>>>> > What I can say at this stage is 72 hours means sites have 72 hours to
>>>> > complete the security challenge. And if all sites agree that 48 hours
>>>> > are enough then I can go with it. But I have to say 24 hours are too
>>>> > short since sites have only about 8 working hours to respond to the
>>>> > challenge unless you want to work around the clock.
>>>> >
>>>> > As Jeremy said in his previous email: "But, we want the reference
>>>> > point the same across sites to allow responsiveness (and actions
>>>> > taken) across sites to be measured in a consistent way." Technically I
>>>> > can go with any hours as long as all sites agree upon it. But I have
>>>> > to say that we are better to go with 72, 48 is also ok, but 24 is too
>>>> > short.
>>>> >
>>>> > Cheers,
>>>> >
>>>> > Mingchao
>>>> >
>>>> >> -----Original Message-----
>>>> >> From: Testbed Support for GridPP member institutes [mailto:TB-
>>>> >> [log in to unmask]] On Behalf Of Brew, CAJ (Chris)
>>>> >> Sent: 20 October 2008 12:39
>>>> >> To: [log in to unmask]
>>>> >> Subject: Re: Enabling the gridpp VO (and providing a 72hr queue)
>>>> >>
>>>> >> And it doesn't have much meaning for sites that scale by CPU power.
>>>> >>
>>>> >> I have 72hr walltime queues but if you end up on a fast CPU that can
>>>> >> actually be less than 36hrs real time.
>>>> >>
>>>> >> (I know this strikes me as odd as well but it's the way the T1 does it
>>>> >> and it does sort of make sense.)
>>>> >>
>>>> >> Yours,
>>>> >> Chris.
>>>> >>
>>>> >> > -----Original Message-----
>>>> >> > From: Testbed Support for GridPP member institutes
>>>> >> > [mailto:[log in to unmask]] On Behalf Of Alessandra Forti
>>>> >> > Sent: 20 October 2008 12:16
>>>> >> > To: [log in to unmask]
>>>> >> > Subject: Re: Enabling the gridpp VO (and providing a 72hr queue)
>>>> >> >
>>>> >> > Hi Jeremy,
>>>> >> >
>>>> >> > I don't understand why 72hours (apart from the fact that it has been
>>>> >> > the default wall time in yaim for the past 2 years)?
>>>> >> >
>>>> >> > cheers
>>>> >> > alessandra
>>>> >> >
>>>> >> > Coles, J (Jeremy) wrote:
>>>> >> > > Dear All
>>>> >> > >
>>>> >> > > Thank you to all sites that have now enabled the gridpp VO. A number
>>>> >> > > have still not responded to the request made several times over the
>>>> >> > > last 4-6 months. If your site does not have the VO enabled please
>>>> >> > > could you let me know if you (do not) intend to enable it?
>>>> >> > >
>>>> >> > > For those sites that have enabled it, please could I ask you to check
>>>> >> > > the available queues? I have been asked if we can provide a 72hr queue
>>>> >> > > for use by some jobs submitted under the VO and the current situation
>>>> >> > > shows that this is only available at half the supporting sites:
>>>> >> > >
>>>> >> > >
>>>> >> > >                       GridPP VO  72 hours queue
>>>> >> > > ScotGrid
>>>> >> > > UKI-SCOTGRID-DURHAM     Yes        Yes
>>>> >> > > UKI-SCOTGRID-ECDF       Yes         No
>>>> >> > > UKI-SCOTGRID-GLASGOW    Yes        Yes
>>>> >> > >
>>>> >> > > NorthGrid
>>>> >> > > UKI-NORTHGRID-LANCS-HEP Yes         No
>>>> >> > > UKI-NORTHGRID-LIV-HEP   Yes        Yes
>>>> >> > > UKI-NORTHGRID-MAN-HEP   Yes        Yes
>>>> >> > > UKI-NORTHGRID-SHEF-HEP  Yes        Yes
>>>> >> > >
>>>> >> > > SouthGrid
>>>> >> > > EDFA-JET                Yes        No
>>>> >> > > UKI-SOUTHGRID-BHAM-HEP  Yes        Yes
>>>> >> > > UKI-SOUTHGRID-BRIS-HEP  Yes        Yes
>>>> >> > > UKI-SOUTHGRID-CAM-HEP   No         No
>>>> >> > > UKI-SOUTHGRID-OX-HEP    Yes        Yes
>>>> >> > > UKI-SOUTHGRID-RALPPD    Yes        Yes
>>>> >> > >
>>>> >> > > LondonGrid
>>>> >> > > UKI-LT2-Brunel          Yes        No
>>>> >> > > UKI-LT2-IC-HEP          No         No
>>>> >> > > UKI-LT2-IC-LeSC         Yes        Yes
>>>> >> > > UKI-LT2-QMUL            No         No
>>>> >> > > UKI-LT2-RHUL            Yes        No
>>>> >> > > UKI-LT2-UCL-CENTRAL     No         No
>>>> >> > > UKI-LT2-UCL-HEP         No         No
>>>> >> > >
>>>> >> > >
>>>> >> > > Many thanks for your help,
>>>> >> > > Jeremy
>>>> >> > >
>>>> >> >
>>>> >> > --
>>>> >> > Alessandra Forti - NorthGrid Technical Coordinator
>>>> >> > http://www.hep.manchester.ac.uk/computing/tier2
>>>> >> >
>>>> >> > Well you'll still need a tray
>>>> >> >
>>>> >> --
>>>> >> Scanned by iCritical for STFC.
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> Dr Graeme Stewart              http://www.physics.gla.ac.uk/~graeme/
>>>> Department of Physics and Astronomy, University of Glasgow, Scotland
>>>
>>
>>
>>
>> --
>> Dr Graeme Stewart              http://www.physics.gla.ac.uk/~graeme/
>> Department of Physics and Astronomy, University of Glasgow, Scotland
>>
>