Hi All,
I don't know whether other people have mentioned this or not. There is another
workaround for the previous version of glite-info-update-endpoints on
CentOS 7, i.e., changing 'verify' to 'disabled' for https in
/etc/python/cert-verification.cfg.
Cheers,
Di
On 2018-11-26 9:09 a.m., Baptiste Grenier wrote:
> Hi all,
> So with the latest version of the glite-info-update-endpoints it should
> work for both CentOS 6 and CentOS 7, you can find updated code and
> packages here:
> https://github.com/EGI-Foundation/glite-info-update-endpoints/releases/tag/3.0.0 but
> as reported by Vincenzo it is being pushed to UMD.
>
> For CentOS 6 the certificate is never validated, and for CentOS 7 the
> cert is only validated if capath or cafile are set in the conf file. And
> in this case it's required to have the IGTF CA installed. See
> https://github.com/EGI-Foundation/glite-info-update-endpoints/blob/master/bin/glite-info-update-endpoints#L111-L126
>
> Was the GOCDB really accessible over http without any redirection, or is
> it just that before the cert validation was transparently by-passed?
> I was under the impression that https was an old requirement for the GOCDB.
>
> Cheers,
> Baptiste
>
> On Mon, 26 Nov 2018 at 17:33 Cyril L'ORPHELIN
> <[log in to unmask]> wrote:
>
> Hi all
>
> I reported this problem to EGI Operations in February 2018.
> The latest version of Top Bdii is using a more recent version of
> Python than the previous version.
> This version is less permissive and doesn't authorize the connection
> to GOC DB.
>
> Cheers,
>
> --
> Cyril L'Orphelin
> IN2P3/CNRS Computing Centre
> Phone : +33 4 72 69 52 50
>
> ------------------------------------------------------------------------
> *From: *"Maarten Litmaath" <[log in to unmask]>
> *To: *[log in to unmask]
> *Sent: *Monday 26 November 2018 16:52:29
> *Subject: *Re: [LCG-ROLLOUT] We must have changed our Site-BDII wrong
> :[ help?
>
> Hi all,
> was that GOCDB change announced somewhere?
>
> ------------------------------------------------------------------------
> *From:* LHC Computer Grid - Rollout [[log in to unmask]] on behalf of
> Laurence Field [[log in to unmask]]
> *Sent:* 26 November 2018 16:44
> *To:* [log in to unmask]
> *Subject:* Re: [LCG-ROLLOUT] We must have changed our Site-BDII
> wrong :[ help?
>
> Hi Bruce,
>
> The original script uses http. At some point the GOCDB has been
> changed to redirect http to https. This broke the update script as
> although it redirects to https, the environment has not been set up
> for SSL. So in the short term, that is until the update is
> available, that redirect should be reverted.
>
> Cheers,
>
> Laurence
>
> On 26.11.18 16:19, Bruce Becker wrote:
>
> I like what Daniela suggests - we can add the cron and
> environment variable, as well as the tests to assert that the CA
> Certs are present and that connection to the GOC API works with
> https. The main thing is that the "bdii" is actually spread over
> many repos. We're discussing how to fix this.
>
> Laurence, can you help us understand why you consider undoing
> the HTTP->HTTPS redirect a fix?
> Is SSL consuming too many resources?
> Is it more difficult to configure?
>
> thanks!
> Bruce
>
> On Mon, 26 Nov 2018 at 16:01, Daniela Bauer
> <[log in to unmask]> wrote:
>
> Our local security team representative disapproves of this
> "solution".
> On Mon, 26 Nov 2018 at 14:58, Laurence Field
> <[log in to unmask]> wrote:
> >
> > This also works.
> >
> > https://stackoverflow.com/questions/36600583/python-3-urllib-ignore-ssl-certificate-verification/36601223
> >
> > Something for EGI to discuss and roll out. It would be good to undo the
> > http => https redirect in the GOC to fix things in the meantime.
> >
> > Cheers,
> >
> > Laurence
> >
> >
> > On 26.11.18 15:50, Daniela Bauer wrote:
> > > We installed ca-policy-egi-core and changed the http in the script
> > > (/usr/bin/glite-info-update-endpoints) to https (for bonus security
> > > ;-) and set SSL_CERT_DIR=/etc/grid-security/certificates in the cron
> > > job and now it works (and of course OSG=False in the config file).
> > >
> > > Cheers,
> > > Daniela
> > > On Mon, 26 Nov 2018 at 14:24, Laurence Field
> > > <[log in to unmask]> wrote:
> > >> The script uses a http URL but gets redirected to https. Was there a
> > >> recent change to the GOCDB?
> > >>
> > >> On 26.11.18 15:18, Laurence Field wrote:
> > >>> It is wrong in top-bdii.cern.ch
> > >>>
> > >>> ldapsearch -LLL -x -H ldap://top-bdii.cern.ch:2170 -b o=grid
> > >>> '(&(objectClass=GlueService)(GlueServiceType=bdii_site)(GlueServiceEndpoint=*bris*))'
> > >>> GlueServiceEndpoint
> > >>> dn: GlueServiceUniqueID=lcgbdii02.phy.bris.ac.uk_bdii_site_3059482004,Mds-Vo-n
> > >>> ame=UKI-SOUTHGRID-BRIS-HEP,Mds-Vo-name=local,o=grid
> > >>> GlueServiceEndpoint: ldap://lcgbdii02.phy.bris.ac.uk:2170/mds-vo-name=UKI-SOUT
> > >>> HGRID-BRIS-HEP,o=grid
> > >>>
> > >>> The update endpoint script is failing.
> > >>>
> > >>> /glite-info-update-endpoints.conf-endpoints -c /etc/glite
> > >>> 2018-11-26 15:15:34,398 WARNING EGI GOCDB could not be contacted or
> > >>> returned no information about EGI sites. Using cache file for EGI URLs.
> > >>>
> > >>>
> > >>>
> > >>> On 26.11.18 15:00, Daniela Bauer wrote:
> > >>>> We fixed topbdii.grid.hep.ph.ic.ac.uk
> > >>>>
> > >>>> deathstar:~ :~] ldapsearch -x -H
> > >>>> ldap://topbdii.grid.hep.ph.ic.ac.uk:2170 -b o=grid | grep -c
> > >>>> lcgbdii.phy.bris.ac.uk
> > >>>> 9
> > >>>>
> > >>>> Cheers,
> > >>>> Daniela
> > >>>> On Mon, 26 Nov 2018 at 13:56, Winnie Lacesso
> > >>>> <[log in to unmask]> wrote:
> > >>>>> Bonjour!
> > >>>>>
> > >>>>> Stephen Burke wrote
> > >>>>>> if a specific top BDII is missing a site completely you should ticket the
> > >>>>>> site that hosts it to see what's gone wrong.
> > >>>>> The top-BDII is not missing our site; it just names the OLD Site-BDII not
> > >>>>> the NEW one. We'd like to retire the old one & ditto the venerable old VM
> > >>>>> host it's on, but can't while the top-bdii says the OLD Site-BDII *is* our
> > >>>>> Site-BDII!
> > >>>>>
> > >>>>> (ticket 138461 is assigned to RAL-LCG2)
> > >>>>>
> > >>>>>> There is another possibility: your site BDII configuration should list
> > >>>>>> every service at your site, *including* the site BDII itself. Look at
> > >>>>> Good point, but it looks that this is done correctly - confirm?
> > >>>>>
> > >>>>> root@lcgbdii> nice -n 19 grep -ri lcgbdii /etc/bdii
> > >>>>> /etc/bdii/gip/site-urls.conf:BDII
> > >>>>> ldap://lcgbdii.phy.bris.ac.uk:2170/mds-vo-name=resource,o=grid
> > >>>>> /etc/bdii/gip/glite-info-site-defaults.conf:SITE_BDII_HOST=lcgbdii.phy.bris.ac.uk
> > >>>>>
> > >>>>>
> > >>>>> (Old Site-BDII is lcgbdii02.phy.bris.ac.uk, new is
> > >>>>> lcgbdii.phy.bris.ac.uk)
> > >>>>>
> > >>>>> And from ldapsearch output (trimmed)
> > >>>>>
> > >>>>> # lcgbdii.phy.bris.ac.uk_bdii_site_3059482004,
> > >>>>> UKI-SOUTHGRID-BRIS-HEP, grid
> > >>>>> dn: GlueServiceUniqueID=lcgbdii.phy.bris.ac.uk_bdii_site_3059482004,Mds-Vo-nam
> > >>>>> GlueServiceStatusInfo: BDII Runnning [ OK ]
> > >>>>> GlueServiceUniqueID: lcgbdii.phy.bris.ac.uk_bdii_site_3059482004
> > >>>>> GlueServiceEndpoint: ldap://lcgbdii.phy.bris.ac.uk:2170/mds-vo-name=UKI-SOUTHG
> > >>>>> GlueServiceName: UKI-SOUTHGRID-BRIS-HEP-bdii_site
> > >>>>> GlueServiceType: bdii_site
> > >>>>>
> > >>>>> Does that look ok?
> > >>>>>
> > >>>>> root@lcgui02> ldapsearch -x -H ldap://lcgbdii.gridpp.rl.ac.uk:2170
> > >>>>> -b o=grid > /tmp/r; wc /tmp/r
> > >>>>> 916595 1733664 37427712 /tmp/r
> > >>>>> root@lcgui02> grep -c lcgbdii02.phy.bris.ac.uk /tmp/r
> > >>>>> 9
> > >>>>> root@lcgui02> grep -c lcgbdii.phy.bris.ac.uk /tmp/r
> > >>>>> 0
> > >>>>>
> > >>>>> root@lcgui02> ldapsearch -x -H
> > >>>>> ldap://topbdii.grid.hep.ph.ic.ac.uk:2170 -b o=grid > /tmp/h; wc /tmp/h
> > >>>>> 914286 1729007 37489753 /tmp/h
> > >>>>> root@lcgui02> grep -c lcgbdii02.phy.bris.ac.uk /tmp/h
> > >>>>> 9
> > >>>>> root@lcgui02> grep -c lcgbdii.phy.bris.ac.uk /tmp/h
> > >>>>> 0
> > >>>>>
> > >>>>> The UK Top-BDII outputs only includes the OLD Site-BDII! :[
> > >>>>>
> > >>>>>
> ########################################################################
> > >>>>>
> > >>>>>
> > >>>>> To unsubscribe from the LCG-ROLLOUT list, click the
> following link:
> > >>>>>
> https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=LCG-ROLLOUT&A=1
> > >>>>
> > >
> > >
> >
> >
>
>
>
> --
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask]
> HEP Group/Physics Dep
> Imperial College
> London, SW7 2BW
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
>
>
>
>
> --
> Dr. Bruce Becker
> Senior Operations Officer, EGI <http://EGI.eu> Foundation
>
> brusisceddu <https://twitter.com/brusisceddu> brucellino
> <https://github.com/brucellino> 0000-0002-6607-7145
> <http://orcid.org/0000-0002-6607-7145>
>
>
>
> --
> Baptiste Grenier
> EGI Foundation - Operations Officer
> Phone: +31 627 860 852
> Skype: baptiste.grenier.egi
>
>
########################################################################
To unsubscribe from the LCG-ROLLOUT list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=LCG-ROLLOUT&A=1
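
Added example, not part of the thread or of glite-info-update-endpoints: a Python preflight for the two checks raised above (CA certificates present, certificate validation actually enabled) to run before the cron job contacts the GOCDB over https. The function names are hypothetical, and it assumes the CA directory holds OpenSSL hash-named files.

```python
import os
import re
import ssl

# OpenSSL finds CAs in a capath directory by subject-hash file name ("1a2b3c4d.0");
# companion files such as *.r0, *.pem or *.signing_policy are not what it looks up.
HASHED_CA_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def capath_from_env(environ=os.environ):
    """CA directory named by SSL_CERT_DIR (the variable set in the cron job), or None."""
    return environ.get("SSL_CERT_DIR") or None


def hashed_ca_files(capath):
    """Sorted hash-named CA files in capath; empty list if the directory is missing."""
    if not capath or not os.path.isdir(capath):
        return []
    return sorted(n for n in os.listdir(capath) if HASHED_CA_NAME.match(n))


def build_context(capath=None, cafile=None):
    """Return a verifying TLS context, failing early on an unusable trust store."""
    if capath is not None and not hashed_ca_files(capath):
        raise ValueError("no hash-named CA certificates in %r" % capath)
    if cafile is not None and not os.path.isfile(cafile):
        raise ValueError("CA bundle %r not found" % cafile)
    # With neither argument set, the system default trust store is used.
    return ssl.create_default_context(cafile=cafile, capath=capath)


def is_verifying(ctx):
    """True only if both chain validation and hostname checking are enabled."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Hypothetical preflight for a cron wrapper; prints what it found, no network I/O.
    capath = capath_from_env()
    print("SSL_CERT_DIR:", capath, "hashed CA files:", len(hashed_ca_files(capath)))
    print("context verifies peers:", is_verifying(build_context(capath=capath)))
```

A context with verification switched off, as in the linked workaround, makes `is_verifying` return False, so the same function can serve as a regression test.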