EMI gLExec release test plan and report
This test plan is following the EMI SA2 template.
gLExec Test Plan
Service Description
gLExec is a program that acts as a light-weight 'gatekeeper'. gLExec takes Grid credentials as input. gLExec takes the local site policy into account to authenticate and authorize the credentials. gLExec will switch to a new execution sandbox and execute the given command as the switched identity. gLExec is also capable of functioning as a light-weight control point which offers a binary yes/no result called the logging-only mode.
More information on gLExec.
Yum Installation
To install gLExec, configure the YUM-based EPEL repository and the YUM repository which holds the EMI packages. In addition a CA distribution, like that of the [https://www.igtf.net IGTF] or your own homebrew local CAs, needs to be installed. The IGTF distribution can also be installed through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs.
GLExec depends directly on:
- LCAS
- LCMAPS
- (g)libc
GLExec therefore inherits dependencies on:
- VOMS, in particular the voms-api
- Globus libraries
- OpenSSL
GLExec requires LCMAPS plugins to be installed and optionally also LCAS plugins. Expected (inherited) dependencies are:
- GridSite
- Argus PEP C
Install gLExec by performing:
yum install emi-glexec_wn
This will install the meta package emi-glexec_wn-1.1.1-2.sl5 which will pull in the following packages:
- glexec
- glexec-wrapper-scripts
- mkgltempdir
- lcas
- lcas-plugins-basic
- lcas-plugins-check-executable
- lcas-plugins-voms
- lcmaps
- lcmaps-plugins-basic
- lcmaps-plugins-c-pep
- lcmaps-plugins-tracking-groupid
- lcmaps-plugins-verify-proxy
- lcmaps-plugins-voms
- nagios-plugins-glexec
And its required dependencies:
- argus-pep-api-c
- edg-mkgridmap
- emi-version
- emi.sac.GLEXEC_wn
- glite-yaim-core
- gridsite-shared
- voms
- yaim-glexec-wn
This is the EMI-2 release of gLExec, LCAS, LCMAPS, and the LCMAPS-plugins-C-PEP in EMI. It upgrades the EMI-1 release.
YAIM installation
To configure gLExec on the worker node with YAIM, use the following command:
/opt/glite/yaim/bin/yaim -c -s siteinfo/site-info.def -n GLEXEC_wn
An example site-info configuration can be found here:
http://www.nikhef.nl/grid/ndpf/files/site-info.tar.gz
Documentation on specific variables can be found here:
https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn
Note: due to a bug in /opt/glite/yaim/defaults/glite-glexec_wn.post in version 2.0.3-1.sl5 the following settings need to be made in site-info.def:
- CONFIG_GRIDMAPDIR=no to disable gridmapdir creation when SCAS or ARGUS is used.
- SCAS_PORT for the port of the SCAS server.
- GLEXEC_WN_PEPC_RESOURCEID for the ARGUS resource ID.
- GLEXEC_WN_PEPC_ACTIONID for the ARGUS action ID.
System tests
Test setup
First we install and set up the system for testing, starting from a clean CentOS 5 or Scientific Linux 5 machine as a baseline.
yum install emi-glexec_wn
yum install ca_policy_igtf-classic ca_policy_igtf-mics ca_policy_igtf-slcs fetch-crl3
ntpdate ntp.xs4all.nl
fetch-crl3
The base installation is now done. Moving forward to more system specific steps:
chmod 4111 /usr/sbin/glexec
useradd glexec
Populate a usable VOMSDIR with .lsc files:
scp -r okoeroo@span:vomsdir/vomsdir/* /etc/grid-security/vomsdir/
Test setup (manual test)
gLExec preparation
The installation default of the /etc/glexec.conf file will work fine, but you'll need to whitelist yourself to authorize your account to use gLExec.
Whitelist yourself in the /etc/glexec.conf:
user_white_list = okoeroo
LCMAPS preparation
Set the following LCMAPS options in /etc/glexec.conf so that gLExec uses a dedicated test policy:
lcmaps_db_file = /etc/lcmaps/lcmaps-testing.db
lcmaps_get_account_policy = test_policy
lcmaps_log_file = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level = 5
The /etc/lcmaps/lcmaps-testing.db would then look like:
# LCMAPS policy file/plugin definition
# default path for the modules
path = /usr/lib64/lcmaps/

# Plugin definitions:
good = "lcmaps_dummy_good.mod"
       " --dummy-username nobody"
       " --dummy-group nobody"
       " --dummy-sec-group nobody"

posix_enf = "lcmaps_posix_enf.mod"
            " -maxuid 1"
            " -maxpgid 1"
            " -maxsgid 32"

verifyproxy = "lcmaps_verify_proxy.mod"
              " -certdir /etc/grid-security/certificates"

# Policies:
test_policy:
verifyproxy -> good
good -> posix_enf
Basic functionality tests (manual)
Have a proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Use the following script to invoke gLExec with your own user certificate:
#!/bin/sh
# Locate the gLExec binary: system location first, then $GLEXEC_LOCATION
GLEXEC_BIN="/usr/sbin/glexec"
if [ ! -f ${GLEXEC_BIN} ]; then
    GLEXEC_BIN="${GLEXEC_LOCATION}/sbin/glexec"
    if [ ! -f ${GLEXEC_BIN} ]; then
        echo "No glexec found"
        exit 1
    fi
fi

# Default to the proxy created for this test if none is set in the environment
if [ "${X509_USER_PROXY}" = "" ]; then
    export X509_USER_PROXY=$HOME/mkproxy-x509-voms
fi

# gLExec authenticates/authorizes the client cert and copies the source proxy
# into the target sandbox
export GLEXEC_CLIENT_CERT=${X509_USER_PROXY}
export GLEXEC_SOURCE_PROXY=${X509_USER_PROXY}

#echo "------------"
# Run `id -a` as the mapped identity and report gLExec's exit code
cmd="${GLEXEC_BIN} /usr/bin/id -a"
$cmd
echo $?
exit 0
Run the test script and the following result is expected:
[okoeroo@localhost ~]$ ./test-glexec.sh
uid=99(nobody) gid=99(nobody) groups=99(nobody)
0
Test setup (automated)
Download the gLExec (and LCAS/LCMAPS) compound test script. The SVN revision number 15284 of the compound test script was used.
WARNING: The script will rewrite the glexec.conf file multiple times to test all possible permutations of the configuration file. The LCAS and LCMAPS configuration files (lcas-testing.db and lcmaps-testing.db) will also be rewritten.
Edit the script to configure it. Here is what was used for this certification:
#################
# Setup options #
#################
CONTINUEONERROR=no

TEST_ACCOUNT="okoeroo"

GLEXEC_EXEC="/usr/sbin/glexec"
GLEXEC_OWNERSHIP_SETUID="root.root"
GLEXEC_FILE_PERM_SETUID="6555"
GLEXEC_OWNERSHIP_NON_SETUID="root.root"
GLEXEC_FILE_PERM_NON_SETUID="0555"

CONF_OWNERSHIP_SETUID="glexec.glexec"
CONF_FILE_PERM_SETUID="0440"
CONF_OWNERSHIP_NON_SETUID="root.root"
CONF_FILE_PERM_NON_SETUID="0444"

test_glexec_conf="/etc/glexec.conf"

test_lcas_db="/etc/lcas/lcas-testing.db"
test_lcas_db_path="/usr/lib64/modules/"
test_lcas_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcas_userban_file="/etc/lcas/userban.db"
test_lcas_debug_level="0"

test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db"
test_lcmaps_db_path="/usr/lib64/modules/"
test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcmaps_debug_level="0"

priv_sep_file="/tmp/glexec_priv_sep_test.sh"

CAPATH="/etc/grid-security/certificates"
PEPD_ENDPOINT="https://argus.testbed:8154/authz"

GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile"
LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT"
#LOCALACCOUNT_TEST_MAP_USER="pool001"
POOLACCOUNT_TEST_MAP_USER=".pool"

### Test selection ###
USE_SCAS="No"
USE_SCAS=""

#################
# Setup proxies #
#################
CLIENT_CERT="/home/okoeroo/mkproxy-x509-voms"
USER_PROXY="$CLIENT_CERT"
SOURCE_PROXY="$CLIENT_CERT"
TARGET_PROXY="/tmp/target_proxy"
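Before running the compound test it is useful to confirm that the host matches the assumptions above: a setuid gLExec binary owned by root with mode 6555, a glexec.conf owned by glexec.glexec with mode 0440, the test account present in user_white_list, and an `id -a` result mapped to nobody/nobody as in the manual test. The following pre-flight script is an added example and is not part of the EMI test script; the paths, account name and modes are the ones used in this certification, and the comma/space separated form of user_white_list is an assumption.

```sh
#!/bin/sh
# Pre-flight checks for the gLExec test host (added example, not part of the
# EMI compound test script). Values are taken from the test setup above; the
# separator handling for user_white_list (comma or whitespace) is an assumption.

# check_mode_owner FILE MODE OWNER.GROUP: 0 if FILE has exactly that octal
# mode (special bits included, e.g. 6555) and owner.group, 1 otherwise.
check_mode_owner() {
    actual=$(stat -c '%a %U.%G' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2 $3" ]
}

# is_whitelisted CONF USER: 0 if USER appears in the user_white_list line of
# CONF, 1 otherwise.
is_whitelisted() {
    list=$(sed -n 's/^[[:space:]]*user_white_list[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    for u in $(printf '%s\n' "$list" | tr ',' ' '); do
        [ "$u" = "$2" ] && return 0
    done
    return 1
}

# id_maps_to OUTPUT USER: 0 if an `id -a` line reports USER as both uid and
# gid, i.e. the mapping the lcmaps_dummy_good plugin (nobody/nobody) yields.
id_maps_to() {
    case "$1" in
        uid=*"($2)"*gid=*"($2)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# glexec_preflight: run the live checks with the values of this test setup.
glexec_preflight() {
    rc=0
    check_mode_owner /usr/sbin/glexec 6555 root.root \
        || { echo "FAIL: /usr/sbin/glexec is not 6555 root.root"; rc=1; }
    check_mode_owner /etc/glexec.conf 440 glexec.glexec \
        || { echo "FAIL: /etc/glexec.conf is not 0440 glexec.glexec"; rc=1; }
    is_whitelisted /etc/glexec.conf okoeroo \
        || { echo "FAIL: okoeroo is missing from user_white_list"; rc=1; }
    return $rc
}

# Only touch the live system files when invoked as: sh glexec-preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    glexec_preflight
fi
```

On the test host, run it as root with `--run`; it prints one FAIL line per mismatch and exits non-zero, which makes it usable as a gate in front of the compound test.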
Basic functionality tests (automated)
Execute the script as root after properly configuring it (see the previous section for details):
sh glexec-lcas-lcmaps-compound-test.sh
Regression tests
Savannah bug 53192: scas-client: segfaults with malformed lcmaps-glexec.db (implemented):
The SCAS-client plugin will not trigger a segmentation fault and pull gLExec with it when the SCAS host is not a FQDN.