TWiki> LCG Web>WLCGVOCCoordination>WLCGVOC20100329 (revision 1)EditAttachPDF

Meeting March 29, 2010

This is the first WLCG VOC Coordination meeting

Agenda

  1. Introduction of the goals of this group
  2. Discussion of the IT/PES proposal to close access to lxvoadm from lxplus
  3. Security recommendations
  4. RPMs repositories for VOCs
  5. Support for VOCs
  6. AOB

Minutes

  • Attendees:
    • ALICE - Patricia
    • ATLAS - Flavia
    • CMS - Peter, Patricia, Jorge
    • LHCb - Joel, Roberto

  1. Goals of the VOC Coordination effort:
    • Find commonalities in order to avoid replication of work;
    • Present a coherent view to IT in terms of needs;
    • Create a self-supporting infrastructure with the help and the support of IT/ES and other IT groups.
  2. The proposal from IT/PES to close access to lxvoadm from lxplus was discussed. Many concerns and questions were raised. Some clarifications came from IT/PES:
    1. The proposal affects only access to lxvoadm from lxplus through ssh.
    2. Access to lxvoadm is possible from outside CERN.
    3. The implementation plan will not start till the OK from the experiments is received. Starting from that moment, it will take about 2 weeks for the proposal to go into production.
      To answer specific questions:
    • Patricia (Alice) raised the issue that login to Alice VOBOXes happens through gsissh and this should continue to work.
      Answer: Access to the VOBOXes is configured by the VOCs. Therefore everything that used to work for Alice will continue to work since lxvoadm is not involved in the login process through gsissh
    • Peter (CMS) raised the issue of the need to login onto WNs from CMS VOBOXes through the generic account cmsprod for Tier-0 activities. More details are needed in order to better understand the need.
    • Joel and Roberto (LHcb) said that the proposal should be OK with LHCb since this would avoid one hop while logging onto the VOBOXes. However, they expressed some concern about the change taking place during data taking.
  3. The issue about the recommendation coming from the security team to allow access to VOBOXes only through lxvoadm was discussed. ATLAS and LHCb enforce this recommendation while CMS and Alice do not. Flavia checked with the CERN Security Team and the VOCs are strongly adviced to enforce the recommendation above. iprules templates are available for this. In the rules_vobox_prologue section of your templates you just need to include the following:
   include components/iptables/rules_lxvoadm_ssh; 
Actions::
    1. Flavia to follow up with the experts in IT/PES and the VOCs about point 2. A meeting can be held with the experts in case more clarifications are needed.
    2. Peter to provide more details about CMS about point 2.

-- FlaviaDonno - 06-Apr-2010

Edit | Attach | Watch | Print version | History: r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r1 - 2010-04-06 - FlaviaDonno
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback