EMI-1 gLExec release test report
This test plan follows the EMI SA2 template.
gLExec Test Plan
Service Description
gLExec is a program that acts as a light-weight 'gatekeeper'. It takes Grid credentials as input, applies the local site policy to authenticate and authorize those credentials, switches to a new execution sandbox and executes the given command under the switched identity. gLExec can also function as a light-weight control point that returns only a binary yes/no result; this is called the logging-only mode.
More information on gLExec.
Yum Installation
To install gLExec, configure the YUM-based EPEL repository and the YUM repository which holds the EMI packages. In addition, a CA distribution, such as that of the IGTF (https://www.igtf.net) or your own home-brew local CAs, needs to be installed. The IGTF distribution can also be installed through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs.
GLExec depends directly on:
- LCAS
- LCMAPS
- (g)libc
GLExec therefore inherits dependencies on:
- VOMS, in particular the voms-api
- Globus libraries
- OpenSSL
GLExec requires LCMAPS plugins to be installed and optionally also LCAS plugins. Expected (inherited) dependencies are:
- GridSite
- Argus PEP C
Install gLExec by performing:
yum install emi-glexec_wn
This will install the meta package emi-glexec_wn-1.0.0-1.sl5, which will pull in the following packages:
- glexec
- glexec-wrapper-scripts
- mkgltempdir
- lcas
- lcas-plugins-basic
- lcas-plugins-check-executable
- lcas-plugins-voms
- lcmaps
- lcmaps-plugins-basic
- lcmaps-plugins-c-pep
- lcmaps-plugins-scas-client
- lcmaps-plugins-tracking-groupid
- lcmaps-plugins-verify-proxy
- lcmaps-plugins-voms
- saml2-xacml2-c-lib
And the required dependencies:
- argus-pep-api-c
- edg-mkgridmap
- emi-version
- emi.sac.GLEXEC_wn
- glite-yaim-core
- gridsite-shared
- voms
- yaim-glexec-wn
This is the first release of gLExec, LCAS, LCMAPS, and the LCMAPS-plugins-C-PEP in EMI. There is nothing to upgrade from.
YAIM installation
To configure gLExec on the worker node with YAIM, use the following command:
/opt/glite/yaim/bin/yaim -c -s siteinfo/site-info.def -n GLEXEC_wn
An example site-info configuration can be found here:
http://www.nikhef.nl/grid/ndpf/files/site-info.tar.gz
Documentation on specific variables can be found here:
https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn
Note: due to a bug in /opt/glite/yaim/defaults/glite-glexec_wn.post in version 2.0.3-1.sl5, the following settings must be made in site-info.def:
CONFIG_GRIDMAPDIR=no
    to disable gridmapdir creation when SCAS or ARGUS is used.
SCAS_PORT
    the port of the SCAS server.
GLEXEC_WN_PEPC_RESOURCEID
    the ARGUS resource ID.
GLEXEC_WN_PEPC_ACTIONID
    the ARGUS action ID.
System tests
Test setup
First we install and set up the system for testing, starting from a clean CentOS 5 or Scientific Linux 5 machine as a baseline:
yum install emi-glexec_wn
yum install ca_policy_igtf-classic ca_policy_igtf-mics ca_policy_igtf-slcs fetch-crl3
ntpdate ntp.xs4all.nl
fetch-crl3
The base installation is now done. Moving forward to more system specific steps:
chmod 4111 /usr/sbin/glexec
useradd glexec
Populate a usable VOMSDIR with .lsc files:
scp -r okoeroo@span:vomsdir/vomsdir/* /etc/grid-security/vomsdir/
Test setup (manual test)
gLExec preparation
The installation default of the /etc/glexec.conf file will work fine, but you'll need to whitelist yourself to authorize your account to use gLExec.
Whitelist yourself in the /etc/glexec.conf:
user_white_list = okoeroo
LCAS preparation
Configure gLExec to use LCAS and to use the specified lcas.db. Here is a glexec.conf snippet:
use_lcas = yes
lcas_db_file = /etc/lcas/lcas-testing.db
lcas_log_file = /var/log/glexec/lcas_lcmaps.log
lcas_debug_level = 5
The /etc/lcas/lcas-testing.db would then look like:
# LCAS policy file/plugin definition
pluginname=/usr/lib64/modules/lcas_userban.mod,pluginargs=/etc/lcas/userban.db
Touch the file /etc/lcas/userban.db, otherwise the LCAS UserBan module will fail because it cannot read the userban.db file.
LCMAPS preparation
Configure gLExec to use the specified lcmaps.db and policy. Here is a glexec.conf snippet:
lcmaps_db_file = /etc/lcmaps/lcmaps-testing.db
lcmaps_get_account_policy = test_policy
lcmaps_log_file = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level = 5
The /etc/lcmaps/lcmaps-testing.db would then look like:
# LCMAPS policy file/plugin definition
# default path for the modules
path = /usr/lib64/modules/

# Plugin definitions:
good = "lcmaps_dummy_good.mod"
       " --dummy-username nobody"
       " --dummy-group nobody"
       " --dummy-sec-group nobody"

posix_enf = "lcmaps_posix_enf.mod"
            " -maxuid 1"
            " -maxpgid 1"
            " -maxsgid 32"

verifyproxy = "lcmaps_verify_proxy.mod"
              " -certdir /etc/grid-security/certificates"

# Policies:
test_policy:
verifyproxy -> good
good -> posix_enf
Basic functionality tests (manual)
Have a proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Use the following script to invoke gLExec with your own user certificate:
#!/bin/sh
# Locate the gLExec binary: the packaged location first, then GLEXEC_LOCATION.
GLEXEC_BIN="/usr/sbin/glexec"
if [ ! -f ${GLEXEC_BIN} ]; then
    GLEXEC_BIN="${GLEXEC_LOCATION}/sbin/glexec"
    if [ ! -f ${GLEXEC_BIN} ]; then
        echo "No glexec found"
        exit 1
    fi
fi
# Fall back to the test proxy when no proxy is set in the environment.
if [ "${X509_USER_PROXY}" = "" ]; then
    export X509_USER_PROXY=$HOME/mkproxy-x509-voms
fi
# gLExec reads the client and source proxy from these variables.
export GLEXEC_CLIENT_CERT=${X509_USER_PROXY}
export GLEXEC_SOURCE_PROXY=${X509_USER_PROXY}
#echo "------------"
cmd="${GLEXEC_BIN} /usr/bin/id -a"
$cmd
echo $?
exit 0
Run the test script and the following result is expected:
[okoeroo@localhost ~]$ ./test-glexec.sh
uid=99(nobody) gid=99(nobody) groups=99(nobody)
0
Test setup (automated)
Download the gLExec (and LCAS/LCMAPS) compound test script. The SVN revision number 15284 of the compound test script was used.
WARNING: The script rewrites the glexec.conf file multiple times to test all possible permutations of the configuration file. The LCAS and LCMAPS configuration files (lcas-testing.db and lcmaps-testing.db) are rewritten as well.
Edit the script to configure it. Here is what was used for this certification:
#################
# Setup options #
#################
CONTINUEONERROR=no
TEST_ACCOUNT="okoeroo"
GLEXEC_EXEC="/usr/sbin/glexec"
GLEXEC_OWNERSHIP_SETUID="root.root"
GLEXEC_FILE_PERM_SETUID="6555"
GLEXEC_OWNERSHIP_NON_SETUID="root.root"
GLEXEC_FILE_PERM_NON_SETUID="0555"
CONF_OWNERSHIP_SETUID="glexec.glexec"
CONF_FILE_PERM_SETUID="0440"
CONF_OWNERSHIP_NON_SETUID="root.root"
CONF_FILE_PERM_NON_SETUID="0444"
test_glexec_conf="/etc/glexec.conf"
test_lcas_db="/etc/lcas/lcas-testing.db"
test_lcas_db_path="/usr/lib64/modules/"
test_lcas_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcas_userban_file="/etc/lcas/userban.db"
test_lcas_debug_level="0"
test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db"
test_lcmaps_db_path="/usr/lib64/modules/"
test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcmaps_debug_level="0"
priv_sep_file="/tmp/glexec_priv_sep_test.sh"
CAPATH="/etc/grid-security/certificates"
SCAS_ENDPOINT="https://eir.nikhef.nl:8443"
PEPD_ENDPOINT="https://argus.testbed:8154/authz"
GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile"
LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT"
#LOCALACCOUNT_TEST_MAP_USER="pool001"
POOLACCOUNT_TEST_MAP_USER=".pool"

### Test selection ###
USE_SCAS="yes"
USE_SCAS=""

#################
# Setup proxies #
#################
CLIENT_CERT="/home/okoeroo/mkproxy-x509-voms"
USER_PROXY="$CLIENT_CERT"
SOURCE_PROXY="$CLIENT_CERT"
TARGET_PROXY="/tmp/target_proxy"
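The sanity-check script below is an added example; it is not part of this report, of the compound test script, or of the gLExec distribution. It checks the points the manual and automated setups above rely on before any test is run: that the gLExec binary carries the setuid bit (the report uses chmod 4111 manually and 6555 in the compound test), that glexec.conf is writable by neither group nor others (a setuid program must not take its policy from a file other accounts can edit), that the test account appears in user_white_list, and that linger is set explicitly (the crash on a missing linger entry is recorded under Savannah bug 79988 in the regression tests). Assumptions: GNU coreutils stat, the "key = value" glexec.conf layout shown in the snippets above, and a comma-separated user_white_list; all function names are mine.

```shell
#!/bin/sh
# Added example, not from the report: pre-flight checks for a gLExec test host.
# Assumes GNU stat and a "key = value" glexec.conf; function names are mine.

# Print the octal mode of FILE, e.g. "4111" or "440".
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 when FILE has exactly the octal mode EXPECTED (as stat prints it).
check_mode() {
    actual=$(file_mode "$1") || return 1
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "$1: mode $actual, expected $2" >&2
    return 1
}

# Return 0 when the setuid bit is set on FILE (the gLExec binary).
has_setuid() {
    [ -u "$1" ]
}

# Return 0 when FILE is writable by neither group nor others. This is what
# matters for glexec.conf next to a setuid gLExec; 0440 and 0444 both pass.
not_group_other_writable() {
    mode=$(file_mode "$1") || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Print the value of KEY ($2) from a "key = value" config file ($1),
# with surrounding whitespace removed; empty when the key is absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when USER ($2) is listed in user_white_list of CONF ($1).
# Assumes a comma-separated list, as in "user_white_list = okoeroo, pool001".
is_whitelisted() {
    list=$(conf_value "$1" user_white_list)
    printf ',%s,' "$list" | tr -d ' ' | grep -qF ",$2,"
}

# Savannah bug 79988: this release crashed when glexec.conf carried neither
# linger=yes nor linger=no. Return 0 only when linger is set explicitly.
has_explicit_linger() {
    case "$(conf_value "$1" linger)" in
        yes|no) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run every check against BIN ($1), CONF ($2) and USER ($3).
# Exit status is the number of failed checks (0 means the setup is ready).
run_checks() {
    rc_bin="$1"; rc_conf="$2"; rc_user="$3"; failures=0
    has_setuid "$rc_bin" \
        || { echo "$rc_bin: setuid bit not set" >&2; failures=$((failures + 1)); }
    not_group_other_writable "$rc_conf" \
        || { echo "$rc_conf: writable by group or others" >&2; failures=$((failures + 1)); }
    is_whitelisted "$rc_conf" "$rc_user" \
        || { echo "$rc_user: not in user_white_list of $rc_conf" >&2; failures=$((failures + 1)); }
    has_explicit_linger "$rc_conf" \
        || { echo "$rc_conf: linger not set explicitly (Savannah bug 79988)" >&2; failures=$((failures + 1)); }
    return $failures
}

# When invoked directly with three arguments, run the checks against them,
# e.g.:  sh glexec-setup-check.sh /usr/sbin/glexec /etc/glexec.conf okoeroo
if [ "$#" -ge 3 ]; then
    run_checks "$1" "$2" "$3"
fi
```

Run it as root against the installed paths before the manual or compound tests; a non-zero exit status lists on stderr which preparation step from the sections above is still missing.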
Basic functionality tests (automated)
Execute the script as root after configuring it as described in the previous section:
sh glexec-lcas-lcmaps-compound-test.sh
Output:
http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out
Regression tests
Savannah bug 53192: scas-client: segfaults with malformed lcmaps-glexec.db (implemented):
The SCAS-client plugin will not trigger a segmentation fault and pull gLExec with it when the SCAS host is not a FQDN.
Savannah bug 77130 : [lcmaps-plugins-scas] crashes on invalid -capath (implemented):
Verified by moving the CA path and reconfiguring the SCAS plugin to use a non-existent directory as the -capath value.
Savannah bug 80927: [LCMAPS] Mapping fails if VOMS AC contains a generic attribute (implemented):
Added VOMS generic attributes to the VO registration in the VOMS service.
Savannah bug 80882: LCMAPS-plugins-c-pep cannot read proxy from NFS partition (not implemented):
Tested, but it turned out that the tests had not been done properly, giving a false positive. Package version 1.1.4 fixes this problem; 1.1.3 works as advertised in all other use cases.
Savannah bug 80815: GLExec support for tracking group ids (implemented):
The gLExec and LCMAPS suite now has a plugin called the LCMAPS_Tracking_GroupID_plugin and supports the tracking groupid feature of Condor, Sun Grid Engine and other batch systems.
Savannah bug 80548: GLExec possible segfault when reading proxy (implemented):
When reading a proxy file, the terminating '\0' was appended before it was certain that no I/O error had occurred.
Savannah bug 80547: GLExec segfaults if argc == 0 (implemented):
When gLExec was called with an empty argument list, e.g. via execve with NULL as the argument list (so that internally argc == 0), it segfaulted.
Savannah bug 79988: gLExec crashes when no explicit linger option is set in the glexec.conf (implemented):
When the glexec.conf does not contain either linger=yes or linger=no, gLExec crashes. Since the default is equivalent to specifying linger=yes, it's easy to work around.
Savannah bug 57746: Error "could not get X509 cred from gss credential!" when using gridftp but normal job submission works (implemented):
The proxy handling from the lcas-lcmaps-gt4-interface to the LCAS and LCMAPS interface has been fixed to cope with this.
Savannah bug 60825: Strange characters in LCAS plugin string (implemented):
A fix was made in the LCAS framework and the problem doesn't occur anymore.
Savannah bug 64535: no lcmaps/lcas logs for gridftp (implemented):
The logs appear in both log files when LCAS_LOG_FILE or LCMAPS_LOG_FILE is exported. Syslog is also used by default and works.
Savannah bug 80647: LCAS authorizes me but reports that I am not (implemented):
This is fixed. The LCAS framework authorization decision isn't ignored anymore for the lcas-lcmaps-gt4-interface.
Savannah bug 80900: LCAS fails to find the VOMS credentials on a GridFTPd (implemented):
The proxy handling from the lcas-lcmaps-gt4-interface to LCAS has been reverted to the older (and faster) method, which grabs the right credentials for the decision and passes them to the VOMS API.