Difference between revisions of "EMI-1 gLExec release test report"
Line 106: | Line 106: | ||
The '''/etc/lcmaps/lcmaps-testing.db''' would then look like: | The '''/etc/lcmaps/lcmaps-testing.db''' would then look like: | ||
− | + | <pre> | |
+ | # LCMAPS policy file/plugin definition | ||
− | + | # default path for the modules | |
− | + | path = /usr/lib64/modules/ | |
− | + | # Plugin definitions: | |
− | + | good = "lcmaps_dummy_good.mod" | |
− | + | " --dummy-username nobody" | |
− | + | " --dummy-group nobody" | |
− | + | " --dummy-sec-group nobody" | |
− | + | posix_enf = "lcmaps_posix_enf.mod" | |
− | + | " -maxuid 1" | |
− | + | " -maxpgid 1" | |
− | + | " -maxsgid 32" | |
− | + | verifyproxy = "lcmaps_verify_proxy.mod" | |
− | + | " -certdir /etc/grid-security/certificates" | |
− | + | # Policies: | |
− | + | test_policy: | |
− | + | verifyproxy -> good | |
− | + | good -> posix_enf | |
=== Basic functionality tests (manual) === | === Basic functionality tests (manual) === | ||
Line 284: | Line 285: | ||
Savannah bug [https://savannah.cern.ch/bugs/?80900 80900]: '''LCAS fails to find the VOMS credentials on a GridFTPd''' (implemented): | Savannah bug [https://savannah.cern.ch/bugs/?80900 80900]: '''LCAS fails to find the VOMS credentials on a GridFTPd''' (implemented): | ||
− | The proxy handling from the lcas-lcmaps-gt4-interface to LCAS is now fixed to the older (and faster) method and grabs the right credentials for a decision and passing to the VOMS api. | + | The proxy handling from the lcas-lcmaps-gt4-interface to LCAS is now fixed to the older (and faster) method and grabs the right credentials for a decision and passing to the VOMS api.</pre> |
Revision as of 12:15, 29 April 2011
This test plan is following the EMI SA2 template.
gLExec Test Plan
Service Description
gLExec is a program that acts as a light-weight 'gatekeeper'. gLExec takes Grid credentials as input. gLExec takes the local site policy into account to authenticate and authorize the credentials. gLExec will switch to a new execution sandbox and execute the given command as the switched identity. gLExec is also capable of functioning as a light-weight control point which offers a binary yes/no result called the logging-only mode.
More information on gLExec.
Yum Installation
To install gLExec configure the YUM-based EPEL repository and the YUM repository which hold our the EMI packages. In addition a CA distribution, like that of the [htts://www.igtf.net IGTF] or your own homebrew local CAs need to be installed. The IGTF distribution can also be done through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs.
GLExec depends directly on:
- LCAS
- LCMAPS
- (g)libc
GLExec therefore inherits dependencies on:
- VOMS, in particular the voms-api
- Globus libraries
- OpenSSL
GLExec requires LCMAPS plugins to be installed and optionally also LCAS plugins. Expected (inherited) dependencies are:
- GridSite
- Arguc PEP C
Install gLExec by performing: yum install emi-glexec_wn This will install the meta package emi-glexec_wn-1.0.0-1.sl5 which will pull in the following packages:
- glexec
- glexec-wrapper-scripts
- mkgltempdir
- lcas
- lcas-plugins-basic
- lcas-plugins-check-executable
- lcas-plugins-voms
- lcmaps
- lcmaps-plugins-basic
- lcmaps-plugins-c-pep
- lcmaps-plugins-scas-client
- lcmaps-plugins-tracking-groupid
- lcmaps-plugins-verify-proxy
- lcmaps-plugins-voms
- saml2-xacml2-c-lib
And our required dependencies:
- argus-pep-api-c
- edg-mkgridmap
- emi-version
- emi.sac.GLEXEC_wn
- glite-yaim-core
- gridsite-shared
- voms
- yaim-glexec-wn
This is the first release of gLExec, LCAS, LCMAPS, and the LCMAPS-plugins-C-PEP in EMI. There is nothing to upgrade from.
System tests
Test setup
First we install and setup the system for testing. This means to prepare the system taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline.
yum install emi-glexec_wn yum install ca_policy_igtf-classic ca_policy_igtf-mics ca_policy_igtf-slcs fetch-crl3 ntpdate ntp.xs4all.nl fetch-crl3
The base installation is now done. Moving forward to more system specific steps:
chmod 4111 /usr/sbin/glexec useradd glexec
Populate a useable VOMSDIR with .lsc files:
scp -r okoeroo@span:vomsdir/vomsdir/* /etc/grid-security/vomsdir/
Test setup (manual test)
gLExec preparation
The installation default of the /etc/glexec.conf file will work fine, but you'll need to whitelist yourself to authorize your account to use gLExec.
Whitelist yourself in the /etc/glexec.conf:
user_white_list = okoeroo
LCAS preparation
Configure gLExec to use LCAS and to use the specified lcas.db. Here is a glexec.conf snippet:
use_lcas = yes lcas_db_file = /etc/lcas/lcas-testing.db lcas_log_file = /var/log/glexec/lcas_lcmaps.log lcas_debug_level = 5
The /etc/lcas/lcas-testing.db would then look like:
# LCAS policy file/plugin definition pluginname=/usr/lib64/modules/lcas_userban.mod,pluginargs=/etc/lcas/userban.db
Touch the file /etc/lcas/userban.db, otherwise the LCAS UserBan module will fail on the inability to read the userban.db file.
LCMAPS preparation
lcmaps_db_file = /etc/lcmaps/lcmaps-testing.db lcmaps_get_account_policy = test_policy lcmaps_log_file = /var/log/glexec/lcas_lcmaps.log lcmaps_debug_level = 5
The /etc/lcmaps/lcmaps-testing.db would then look like:
# LCMAPS policy file/plugin definition # default path for the modules path = /usr/lib64/modules/ # Plugin definitions: good = "lcmaps_dummy_good.mod" " --dummy-username nobody" " --dummy-group nobody" " --dummy-sec-group nobody" posix_enf = "lcmaps_posix_enf.mod" " -maxuid 1" " -maxpgid 1" " -maxsgid 32" verifyproxy = "lcmaps_verify_proxy.mod" " -certdir /etc/grid-security/certificates" # Policies: test_policy: verifyproxy -> good good -> posix_enf === Basic functionality tests (manual) === Have proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Using the following gLExec script to activate gLExec with your own user certificate: #!/bin/sh GLEXEC_BIN="/usr/sbin/glexec" if [ ! -f ${GLEXEC_BIN} ]; then GLEXEC_BIN="${GLEXEC_LOCATION}/sbin/glexec" if [ ! -f ${GLEXEC_BIN} ]; then echo "No glexec found" exit 1 fi fi if [ "${X509_USER_PROXY}" = "" ]; then export X509_USER_PROXY=$HOME/mkproxy-x509-voms fi export GLEXEC_CLIENT_CERT=${X509_USER_PROXY} export GLEXEC_SOURCE_PROXY=${X509_USER_PROXY} #echo "------------" cmd="${GLEXEC_BIN} /usr/bin/id -a" $cmd echo $? exit 0 Run the test script and the following result is expected: [okoeroo@localhost ~]$ ./test-glexec.sh uid=99(nobody) gid=99(nobody) groups=99(nobody) 0 === Test setup (automated) === Download the [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/mwsec/trunk/glexec/test/glexec-lcas-lcmaps-compound-test.sh?view=markup gLExec (and LCAS/LCMAPS) compound test script]. The [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/mwsec/trunk/glexec/test/glexec-lcas-lcmaps-compound-test.sh?revision=15284&view=markup SVN revision number 15284 of the compound test script] was used. WARNING: The script will rewrite the '''glexec.conf''' file multiple times to test all possible permutations of the configuration file. Also the LCAS and LCMAPS configuration files will be rewritten (in '''lcas-testing.db''' and '''lcmaps-testing.db''' files) to work. Edit the script to configure it. Here is what was used for this certification: ################# # Setup options # ################# CONTINUEONERROR=no TEST_ACCOUNT="okoeroo" GLEXEC_EXEC="/usr/sbin/glexec" GLEXEC_OWNERSHIP_SETUID="root.root" GLEXEC_FILE_PERM_SETUID="6555" GLEXEC_OWNERSHIP_NON_SETUID="root.root" GLEXEC_FILE_PERM_NON_SETUID="0555" CONF_OWNERSHIP_SETUID="glexec.glexec" CONF_FILE_PERM_SETUID="0440" CONF_OWNERSHIP_NON_SETUID="root.root" CONF_FILE_PERM_NON_SETUID="0444" test_glexec_conf="/etc/glexec.conf" test_lcas_db="/etc/lcas/lcas-testing.db" test_lcas_db_path="/usr/lib64/modules/" test_lcas_log_file="/var/log/glexec/lcas_lcmaps.log" test_lcas_userban_file="/etc/lcas/userban.db" test_lcas_debug_level="0" test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db" test_lcmaps_db_path="/usr/lib64/modules/" test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log" test_lcmaps_debug_level="0" priv_sep_file="/tmp/glexec_priv_sep_test.sh" CAPATH="/etc/grid-security/certificates" SCAS_ENDPOINT="https://eir.nikhef.nl:8443" PEPD_ENDPOINT="https://argus.testbed:8154/authz" GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile" LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT" #LOCALACCOUNT_TEST_MAP_USER="pool001" POOLACCOUNT_TEST_MAP_USER=".pool" ### Test selection ### USE_SCAS="yes" USE_SCAS="" ################# # Setup proxies # ################# CLIENT_CERT="/home/okoeroo/mkproxy-x509-voms" USER_PROXY="$CLIENT_CERT" SOURCE_PROXY="$CLIENT_CERT" TARGET_PROXY="/tmp/target_proxy" === Basic functionality tests (automated) === Execute the script as '''root''' after properly configuring the script. See previous section for details: sh glexec-lcas-lcmaps-compound-test.sh Output: http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out === Regression tests === Savannah bug [https://savannah.cern.ch/bugs/?53192 53192]: '''scas-client: segfaults with malformed lcmaps-glexec.db''' (implemented): The SCAS-client plugin will not trigger a segmentation fault and pull gLExec with it when the SCAS host is not a FQDN. Savannah bug [https://savannah.cern.ch/bugs/?77130 77130 ]: '''[lcmaps-plugins-scas] crashes on invalid -capath''' (implemented): Verified by moving the CA path and reconfiguring the SCAS plugin to use an non-existing directory as -capath value. Savannah bug [https://savannah.cern.ch/bugs/?80927 80927]: '''bug #80927: [LCMAPS] Mapping fails if VOMS AC contains a generic attribute''' (implemented): Added VOMS generic attributes to the VO registration in the VOMS service. Savannah bug [https://savannah.cern.ch/bugs/?80822 80882]: '''LCMAPS-plugins-c-pep cannot read proxy from NFS partition''' (not implemented): Tested but turns out that the tests were not done properly with a false-positive as a result. The package version 1.1.4 fixes this problem. The 1.1.3 works as advertised on all other use cases. Savannah bug [https://savannah.cern.ch/bugs/?80815 80815]: '''GLExec support for tracking group ids''' (implemented): The gLExec and LCMAPS suite now has a plugin called the [[LCMAPS_Tracking_GroupID_plugin]] and supports the tracking groupid feature of Condor, Sun Grid Engine and other batch systems. Savannah bug [https://savannah.cern.ch/bugs/?80548 80548]: '''GLExec possible segfault when reading proxy''' (implemented): When reading a proxy file, the '\0' is added at the end, before we're sure if we didn't have an I/O error. Savannah bug [https://savannah.cern.ch/bugs/?80547 80547]: ''GLExec segfaults if argc == 0'''' (implemented): When gLExec is called using e.g. execve with NULL as argument list (i.e. resulting internally in argc==0) it segfaults. Savannah bug [https://savannah.cern.ch/bugs/?79988 79988]: '''gLExec crashes when no explicit linger option is set in the glexec.conf''' (implemented): When the glexec.conf does not contain either linger=yes or linger=no, gLExec crashes. Since the default is equivalent to specifying linger=yes, it's easy to work around. Savannah bug [https://savannah.cern.ch/bugs/?57746 57746]: '''Error "could not get X509 cred from gss credential!" when using gridftp but normal job submission works''' (implemented): The proxy handling from the lcas-lcmaps-gt4-interface to the LCAS and LCMAPS interface has been fixed to cope with this. Savannah bug [https://savannah.cern.ch/bugs/?60825 60825]: '''Strange characters in LCAS plugin string''' (implemented): A fix was made in the LCAS framework and the problem doesn't occur anymore. Savannah bug [https://savannah.cern.ch/bugs/?64535 64535]: '''no lcmaps/lcas logs for gridftp''' (implemented): The logs appear in both the log files, when the proper LCAS_LOG_FILE or LCMAPS_LOG_FILE are exported. Also Syslog will be used by default and works. Savannah bug [https://savannah.cern.ch/bugs/?80647 80647]: '''LCAS authorizes me but reports that I am not''' (implemented): This is fixed. The LCAS framework authorization decision isn't ignored anymore for the lcas-lcmaps-gt4-interface. Savannah bug [https://savannah.cern.ch/bugs/?80900 80900]: '''LCAS fails to find the VOMS credentials on a GridFTPd''' (implemented): The proxy handling from the lcas-lcmaps-gt4-interface to LCAS is now fixed to the older (and faster) method and grabs the right credentials for a decision and passing to the VOMS api.