Certification Report for Patch #3753 (Proxy renewal for glite 3.2/SL5/64)

Authors: Daniel Kouřil, kouril@icsNOSPAMPLEASE.muni.cz

Patch: https://savannah.cern.ch/patch/?3753

Outcome: Certified

Certification Report for Patch #3753 (Proxy renewal for glite 3.2/SL5/64)

Origins

Build Report	http://etics-repository.cern.ch:8080/repository/reports/id/09a9c842-acc9-4634-919b-8147bece0683/sl5_x86_64_gcc412/-/reports/index.html
Patch	https://savannah.cern.ch/patch/?3753

Clean installation

Environment

* Clean SL5 installation according to gLite guidelines (CA certificates, ...)

Process

Install packages:

wget http://etics-repository.cern.ch:8080/repository/pm/registered/repomd/id/09a9c842-acc9-4634-919b-8147bece0683/sl5_x86_64_gcc412/etics-registered-build-by-id-protect.repo
yum -y -c etics-registered-build-by-id-protect.repo install glite-security-proxyrenewal

Start the proxy renewal daemon:

/opt/glite/etc/init.d/glite-proxy-renewald start

Full output of the installation

[root@delwin tmp]# wget http://etics-repository.cern.ch:8080/repository/pm/registered/repomd/id/09a9c842-acc9-4634-919b-8147bece0683/sl5_x86_64_gcc412/etics-registered-build-by-id-protect.repo
--2010-04-28 10:23:14--  http://etics-repository.cern.ch:8080/repository/pm/registered/repomd/id/09a9c842-acc9-4634-919b-8147bece0683/sl5_x86_64_gcc412/etics-registered-build-by-id-protect.repo
Resolving etics-repository.cern.ch... 128.142.130.60
Connecting to etics-repository.cern.ch|128.142.130.60|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 901
Saving to: `etics-registered-build-by-id-protect.repo'

100%[==========================================================================================================================>] 901         --.-K/s   in 0s      

2010-04-28 10:23:14 (50.5 MB/s) - `etics-registered-build-by-id-protect.repo' saved [901/901]

[root@delwin tmp]# yum -y -c etics-registered-build-by-id-protect.repo install glite-security-proxyrenewal
ETICS-registered-build-09a9c842-acc9-4634-919b-8147bece0683-sl5_x86_64_gcc412                                                                |  764 B     00:00     
ETICS-volatile-build-49df1aa5-193f-421f-bd94-7b101c0d9c2d-sl5_x86_64_gcc412                                                                  |  764 B     00:00     
sl-base                                                                                                                                      | 1.1 kB     00:00     
sl-security                                                                                                                                  | 1.9 kB     00:00     
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package glite-security-proxyrenewal.x86_64 0:1.3.11-4.sl5 set to be updated
--> Processing Dependency: myproxy >= VDT1.10.1x86_64_rhap_5 for package: glite-security-proxyrenewal
--> Processing Dependency: glite-security-voms-api-cpp >= 1.9.17 for package: glite-security-proxyrenewal
--> Processing Dependency: libvomsapi_gcc64dbg.so.0()(64bit) for package: glite-security-proxyrenewal
--> Processing Dependency: libmyproxy_gcc64dbg.so.0()(64bit) for package: glite-security-proxyrenewal
--> Running transaction check
---> Package glite-security-voms-api-cpp.x86_64 0:1.9.17-1.sl5 set to be updated
---> Package myproxy.x86_64 0:VDT1.10.1x86_64_rhap_5-4.2 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================================================================
 Package                         Arch       Version                         Repository                                                                         Size
====================================================================================================================================================================
Installing:
 glite-security-proxyrenewal     x86_64     1.3.11-4.sl5                    ETICS-registered-build-09a9c842-acc9-4634-919b-8147bece0683-sl5_x86_64_gcc412      94 k
Installing for dependencies:
 glite-security-voms-api-cpp     x86_64     1.9.17-1.sl5                    ETICS-registered-build-09a9c842-acc9-4634-919b-8147bece0683-sl5_x86_64_gcc412     4.4 M
 myproxy                         x86_64     VDT1.10.1x86_64_rhap_5-4.2      ETICS-registered-build-09a9c842-acc9-4634-919b-8147bece0683-sl5_x86_64_gcc412     1.3 M

Transaction Summary
====================================================================================================================================================================
Install      3 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total size: 5.8 M
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : glite-security-voms-api-cpp                                                                                                                  1/3 
  Installing     : myproxy                                                                                                                                      2/3 
  Installing     : glite-security-proxyrenewal                                                                                                                  3/3 

Installed:
  glite-security-proxyrenewal.x86_64 0:1.3.11-4.sl5                                                                                                                 

Dependency Installed:
  glite-security-voms-api-cpp.x86_64 0:1.9.17-1.sl5                                   myproxy.x86_64 0:VDT1.10.1x86_64_rhap_5-4.2                                  

Complete!
[root@delwin tmp]# /opt/glite/etc/init.d/glite-proxy-renewald start
Starting ProxyRenewal Daemon: glite-proxy-renewd ... done

Tests

Prerequisities

Make sure the certificate used by the renewal daemon is properly registered in the configuration of the MyProxy server used for the test:

authorized_renewers "<subject_name>"

A VOMS server must be configured properly in your /opt/glite/etc/vomses directory. The voms commands will also be needed, you can install them from the voms-client package.

Test of renewal

su - glite
myproxy-init -s myproxy1.egee.cesnet.cz -d -n
voms-proxy-init -valid 0:40 -voms voce
proxy=`glite-proxy-renew -s myproxy1.egee.cesnet.cz -f /tmp/x509up_u155 -j https://fake.job.id/xxx start`
voms-proxy-info -file $proxy | grep timeleft; \
sleep 600; \
voms-proxy-info -file $proxy | grep timeleft
voms-proxy-info -file /tmp/x509up_u155 | grep timeleft

voms-proxy-info -file $proxy -identity; \
voms-proxy-info -file /tmp/x509up_u155 -identity

voms-proxy-info -file $proxy -fqan -actimeleft; \
voms-proxy-info -file /tmp/x509up_u155 -fqan -actimeleft

glite-proxy-renew -j https://fake.job.id/xxx stop
ls $proxy 2>&1 | grep 'No such file or directory' > /dev/null && echo OK

Full output of the test

[root@delwin tmp]# su - glite
[glite@delwin ~]$ myproxy-init -s myproxy1.egee.cesnet.cz -d -n
Your identity: /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril
Enter GRID pass phrase for this identity:
Creating proxy ................................................................ Done
Proxy Verify OK
Your proxy is valid until: Wed May  5 10:29:21 2010
A proxy valid for 168 hours (7.0 days) for user /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril now exists on myproxy1.egee.cesnet.cz.
[glite@delwin ~]$ voms-proxy-init -valid 0:40 -voms voce
Enter GRID pass phrase:
Your identity: /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril
Creating temporary proxy ................................................................... Done
Contacting  voms1.egee.cesnet.cz:7001 [/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms1.egee.cesnet.cz] "voce" Done
Creating proxy ......................................................................... Done
Your proxy is valid until Wed Apr 28 11:09:34 2010
Error: verify failed.
Cannot verify AC signature!
[glite@delwin ~]$ proxy=`glite-proxy-renew -s myproxy1.egee.cesnet.cz -f /tmp/x509up_u155 -j https://fake.job.id/xxx start`
[glite@delwin ~]$ voms-proxy-info -file $proxy | grep timeleft; \
> sleep 600; \
> voms-proxy-info -file $proxy | grep timeleft
timeleft  : 0:39:35
timeleft  : 9:54:23
[glite@delwin ~]$ voms-proxy-info -file /tmp/x509up_u155 | grep timeleft
timeleft  : 0:29:28
[glite@delwin ~]$ voms-proxy-info -file $proxy -identity; \
> voms-proxy-info -file /tmp/x509up_u155 -identity
/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril/CN=proxy/CN=proxy/CN=proxy
/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril
[glite@delwin ~]$ voms-proxy-info -file $proxy -fqan -actimeleft; \
> voms-proxy-info -file /tmp/x509up_u155 -fqan -actimeleft
42842
/voce/Role=NULL/Capability=NULL
1752
/voce/Role=NULL/Capability=NULL
[glite@delwin ~]$ glite-proxy-renew -j https://fake.job.id/xxx stop
[glite@delwin ~]$ ls $proxy 2>&1 | grep 'No such file or directory' > /dev/null && echo OK
OK

Review of Linked Bugs (manual regression tests)

For bug types see Bug Classification For Regression Tests

#66180

- bug type: 1

Make sure all the VOMS servers to be used run version at least 1.8.12 and start the renewal with the -O command-line option. Check the order of attributes using voms-proxy-info -fqan called before and after renewal.

Upgrade from production

N/A – This is the first release of Proxy Renewal for 64-bit SL5.

-- DanielKouril - 28-Apr-2010

Topic revision: r4 - 2010-04-28 - DanielKouril

EGEE

Main.WebList

Welcome Guest

- Cern Search
- TWiki Search
- Google Search
EGEE All webs

Copyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback