EMI-1 gLExec release test report

From PDP/Grid Wiki
Jump to navigationJump to search

This test plan is following the EMI SA2 template.

gLExec Test Plan

Service Description

gLExec is a program that acts as a light-weight 'gatekeeper'. gLExec takes Grid credentials as input. gLExec takes the local site policy into account to authenticate and authorize the credentials. gLExec will switch to a new execution sandbox and execute the given command as the switched identity. gLExec is also capable of functioning as a light-weight control point which offers a binary yes/no result called the logging-only mode.

More information on gLExec.

Yum Installation

To install gLExec configure the YUM-based EPEL repository and the YUM repository which hold our the EMI packages. In addition a CA distribution, like that of the [htts://www.igtf.net IGTF] or your own homebrew local CAs need to be installed. The IGTF distribution can also be done through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs.

GLExec depends directly on:

  • LCAS
  • LCMAPS
  • (g)libc

GLExec therefore inherits dependencies on:

  • VOMS, in particular the voms-api
  • Globus libraries
  • OpenSSL

GLExec requires LCMAPS plugins to be installed and optionally also LCAS plugins. Expected (inherited) dependencies are:

  • GridSite
  • Arguc PEP C

Install gLExec by performing: yum install emi-glexec_wn This will install the meta package emi-glexec_wn-1.0.0-1.sl5 which will pull in the following packages:

  • glexec
  • glexec-wrapper-scripts
  • mkgltempdir
  • lcas
  • lcas-plugins-basic
  • lcas-plugins-check-executable
  • lcas-plugins-voms
  • lcmaps
  • lcmaps-plugins-basic
  • lcmaps-plugins-c-pep
  • lcmaps-plugins-scas-client
  • lcmaps-plugins-tracking-groupid
  • lcmaps-plugins-verify-proxy
  • lcmaps-plugins-voms
  • saml2-xacml2-c-lib

And our required dependencies:

  • argus-pep-api-c
  • edg-mkgridmap
  • emi-version
  • emi.sac.GLEXEC_wn
  • glite-yaim-core
  • gridsite-shared
  • voms
  • yaim-glexec-wn

This is the first release of gLExec, LCAS, LCMAPS, and the LCMAPS-plugins-C-PEP in EMI. There is nothing to upgrade from.

YAIM installation

To configure gLExec on the worker node with YAIM, use the following command:

/opt/glite/yaim/bin/yaim -c -s siteinfo/site-info.def -n GLEXEC_wn

An example site-info configuration can be found here:

http://www.nikhef.nl/grid/ndpf/files/site-info.tar.gz

Documentation on specific variables can be found here:

https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn

Note: due to a bug in /opt/glite/yaim/defaults/glite-glexec_wn.post in version 2.0.3-1.sl5 the following settings need to be done in site-info.def:

CONFIG_GRIDMAPDIR=no

to disable gridmapdir creation when SCAS or ARGUS is used.

SCAS_PORT for the port of the SCAS server
GLEXEC_WN_PEPC_RESOURCEID for the ARGUS resource ID.
GLEXEC_WN_PEPC_ACTIONID for the ARGUS action ID.

System tests

Test setup

First we install and setup the system for testing. This means to prepare the system taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline.

yum install emi-glexec_wn
yum install ca_policy_igtf-classic ca_policy_igtf-mics ca_policy_igtf-slcs fetch-crl3
ntpdate ntp.xs4all.nl
fetch-crl3 

The base installation is now done. Moving forward to more system specific steps:

chmod 4111 /usr/sbin/glexec
useradd glexec

Populate a useable VOMSDIR with .lsc files:

scp -r okoeroo@span:vomsdir/vomsdir/* /etc/grid-security/vomsdir/


Test setup (manual test)

gLExec preparation

The installation default of the /etc/glexec.conf file will work fine, but you'll need to whitelist yourself to authorize your account to use gLExec.

Whitelist yourself in the /etc/glexec.conf:

user_white_list              = okoeroo

LCAS preparation

Configure gLExec to use LCAS and to use the specified lcas.db. Here is a glexec.conf snippet:

use_lcas                     = yes
lcas_db_file                 = /etc/lcas/lcas-testing.db
lcas_log_file                = /var/log/glexec/lcas_lcmaps.log
lcas_debug_level             = 5

The /etc/lcas/lcas-testing.db would then look like:

# LCAS policy file/plugin definition
pluginname=/usr/lib64/modules/lcas_userban.mod,pluginargs=/etc/lcas/userban.db

Touch the file /etc/lcas/userban.db, otherwise the LCAS UserBan module will fail on the inability to read the userban.db file.

LCMAPS preparation

lcmaps_db_file               = /etc/lcmaps/lcmaps-testing.db
lcmaps_get_account_policy    = test_policy
lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level           = 5

The /etc/lcmaps/lcmaps-testing.db would then look like:

# LCMAPS policy file/plugin definition

# default path for the modules
path = /usr/lib64/modules/

# Plugin definitions:
good             = "lcmaps_dummy_good.mod"
                   " --dummy-username nobody"
                   " --dummy-group nobody"
                   " --dummy-sec-group nobody"

posix_enf        = "lcmaps_posix_enf.mod"
                   " -maxuid 1"
                   " -maxpgid 1"
                   " -maxsgid 32"

verifyproxy = "lcmaps_verify_proxy.mod"
              " -certdir /etc/grid-security/certificates"

# Policies:
test_policy:
verifyproxy -> good
good -> posix_enf

Basic functionality tests (manual)

Have proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Using the following gLExec script to activate gLExec with your own user certificate:

#!/bin/sh

GLEXEC_BIN="/usr/sbin/glexec"
if [ ! -f ${GLEXEC_BIN} ]; then
    GLEXEC_BIN="${GLEXEC_LOCATION}/sbin/glexec"
    if [ ! -f ${GLEXEC_BIN} ]; then
        echo "No glexec found"
        exit 1
    fi
fi

if [ "${X509_USER_PROXY}" = "" ]; then
    export X509_USER_PROXY=$HOME/mkproxy-x509-voms
fi

export GLEXEC_CLIENT_CERT=${X509_USER_PROXY}
export GLEXEC_SOURCE_PROXY=${X509_USER_PROXY}

#echo "------------"
cmd="${GLEXEC_BIN} /usr/bin/id -a"

$cmd
echo $?
exit 0

Run the test script and the following result is expected:

[okoeroo@localhost ~]$ ./test-glexec.sh 
uid=99(nobody) gid=99(nobody) groups=99(nobody)
0

Test setup (automated)

Download the gLExec (and LCAS/LCMAPS) compound test script. The SVN revision number 15284 of the compound test script was used.


WARNING: The script will rewrite the glexec.conf file multiple times to test all possible permutations of the configuration file. Also the LCAS and LCMAPS configuration files will be rewritten (in lcas-testing.db and lcmaps-testing.db files) to work.


Edit the script to configure it. Here is what was used for this certification:

#################
# Setup options #
#################
CONTINUEONERROR=no

TEST_ACCOUNT="okoeroo"

GLEXEC_EXEC="/usr/sbin/glexec"
GLEXEC_OWNERSHIP_SETUID="root.root"
GLEXEC_FILE_PERM_SETUID="6555"
GLEXEC_OWNERSHIP_NON_SETUID="root.root"
GLEXEC_FILE_PERM_NON_SETUID="0555"

CONF_OWNERSHIP_SETUID="glexec.glexec"
CONF_FILE_PERM_SETUID="0440"
CONF_OWNERSHIP_NON_SETUID="root.root"
CONF_FILE_PERM_NON_SETUID="0444"

test_glexec_conf="/etc/glexec.conf"
test_lcas_db="/etc/lcas/lcas-testing.db"
test_lcas_db_path="/usr/lib64/modules/"
test_lcas_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcas_userban_file="/etc/lcas/userban.db"
test_lcas_debug_level="0"

test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db"
test_lcmaps_db_path="/usr/lib64/modules/"
test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcmaps_debug_level="0"

priv_sep_file="/tmp/glexec_priv_sep_test.sh"
CAPATH="/etc/grid-security/certificates"
SCAS_ENDPOINT="https://eir.nikhef.nl:8443"
PEPD_ENDPOINT="https://argus.testbed:8154/authz"
GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile"

LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT"
#LOCALACCOUNT_TEST_MAP_USER="pool001"
POOLACCOUNT_TEST_MAP_USER=".pool"

### Test selection ###
USE_SCAS="yes"
USE_SCAS=""

#################
# Setup proxies #
#################
CLIENT_CERT="/home/okoeroo/mkproxy-x509-voms"
USER_PROXY="$CLIENT_CERT"
SOURCE_PROXY="$CLIENT_CERT"
TARGET_PROXY="/tmp/target_proxy"

Basic functionality tests (automated)

Execute the script as root after properly configuring the script. See previous section for details:

sh glexec-lcas-lcmaps-compound-test.sh

Output:

http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out

Regression tests

Savannah bug 53192: scas-client: segfaults with malformed lcmaps-glexec.db (implemented):

The SCAS-client plugin will not trigger a segmentation fault and pull gLExec with it when the SCAS host is not a FQDN.

Savannah bug 77130 : [lcmaps-plugins-scas] crashes on invalid -capath (implemented):

Verified by moving the CA path and reconfiguring the SCAS plugin to use an non-existing directory as -capath value.

Savannah bug 80927: bug #80927: [LCMAPS] Mapping fails if VOMS AC contains a generic attribute (implemented):

Added VOMS generic attributes to the VO registration in the VOMS service.

Savannah bug 80882: LCMAPS-plugins-c-pep cannot read proxy from NFS partition (not implemented):

Tested but turns out that the tests were not done properly with a false-positive as a result. The package version 1.1.4 fixes this problem. The 1.1.3 works as advertised on all other use cases.

Savannah bug 80815: GLExec support for tracking group ids (implemented):

The gLExec and LCMAPS suite now has a plugin called the LCMAPS_Tracking_GroupID_plugin and supports the tracking groupid feature of Condor, Sun Grid Engine and other batch systems.

Savannah bug 80548: GLExec possible segfault when reading proxy (implemented):

When reading a proxy file, the '\0' is added at the end, before we're sure if we didn't have an I/O error.

Savannah bug 80547: GLExec segfaults if argc == 0'' (implemented):

When gLExec is called using e.g. execve with NULL as argument list (i.e. resulting internally in argc==0) it segfaults.

Savannah bug 79988: gLExec crashes when no explicit linger option is set in the glexec.conf (implemented):

When the glexec.conf does not contain either linger=yes or linger=no, gLExec crashes. Since the default is equivalent to specifying linger=yes, it's easy to work around.

Savannah bug 57746: Error "could not get X509 cred from gss credential!" when using gridftp but normal job submission works (implemented):

The proxy handling from the lcas-lcmaps-gt4-interface to the LCAS and LCMAPS interface has been fixed to cope with this.

Savannah bug 60825: Strange characters in LCAS plugin string (implemented):

A fix was made in the LCAS framework and the problem doesn't occur anymore.

Savannah bug 64535: no lcmaps/lcas logs for gridftp (implemented):

The logs appear in both the log files, when the proper LCAS_LOG_FILE or LCMAPS_LOG_FILE are exported. Also Syslog will be used by default and works.

Savannah bug 80647: LCAS authorizes me but reports that I am not (implemented):

This is fixed. The LCAS framework authorization decision isn't ignored anymore for the lcas-lcmaps-gt4-interface.

Savannah bug 80900: LCAS fails to find the VOMS credentials on a GridFTPd (implemented):

The proxy handling from the lcas-lcmaps-gt4-interface to LCAS is now fixed to the older (and faster) method and grabs the right credentials for a decision and passing to the VOMS api.