Difference between revisions of "EMI gLExec release test plan and report"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 241: Line 241:
 
Execute the script as '''root''' after properly configuring the script. See previous section for details:
 
Execute the script as '''root''' after properly configuring the script. See previous section for details:
 
  sh glexec-lcas-lcmaps-compound-test.sh
 
  sh glexec-lcas-lcmaps-compound-test.sh
 
Output:
 
http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out
 
  
 
=== Regression tests ===
 
=== Regression tests ===

Revision as of 13:56, 14 May 2012

This test plan is following the EMI SA2 template.

gLExec Test Plan

Service Description

gLExec is a program that acts as a light-weight 'gatekeeper'. gLExec takes Grid credentials as input. gLExec takes the local site policy into account to authenticate and authorize the credentials. gLExec will switch to a new execution sandbox and execute the given command as the switched identity. gLExec is also capable of functioning as a light-weight control point which offers a binary yes/no result called the logging-only mode.

More information on gLExec.

Yum Installation

To install gLExec configure the YUM-based EPEL repository and the YUM repository which hold our the EMI packages. In addition a CA distribution, like that of the [htts://www.igtf.net IGTF] or your own homebrew local CAs need to be installed. The IGTF distribution can also be done through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs.

GLExec depends directly on:

  • LCAS
  • LCMAPS
  • (g)libc

GLExec therefore inherits dependencies on:

  • VOMS, in particular the voms-api
  • Globus libraries
  • OpenSSL

GLExec requires LCMAPS plugins to be installed and optionally also LCAS plugins. Expected (inherited) dependencies are:

  • GridSite
  • Arguc PEP C

Install gLExec by performing: yum install emi-glexec_wn This will install the meta package emi-glexec_wn-1.1.1-2.sl5 which will pull in the following packages:

  • glexec
  • glexec-wrapper-scripts
  • mkgltempdir
  • lcas
  • lcas-plugins-basic
  • lcas-plugins-check-executable
  • lcas-plugins-voms
  • lcmaps
  • lcmaps-plugins-basic
  • lcmaps-plugins-c-pep
  • lcmaps-plugins-tracking-groupid
  • lcmaps-plugins-verify-proxy
  • lcmaps-plugins-voms
  • nagios-plugins-glexec


And our required dependencies:

  • argus-pep-api-c
  • edg-mkgridmap
  • emi-version
  • emi.sac.GLEXEC_wn
  • glite-yaim-core
  • gridsite-shared
  • voms
  • yaim-glexec-wn

This is the EMI-2 release of gLExec, LCAS, LCMAPS, and the LCMAPS-plugins-C-PEP in EMI. It upgrades the EMI-1 release.

YAIM installation

To configure gLExec on the worker node with YAIM, use the following command:

/opt/glite/yaim/bin/yaim -c -s siteinfo/site-info.def -n GLEXEC_wn

An example site-info configuration can be found here:

http://www.nikhef.nl/grid/ndpf/files/site-info.tar.gz

Documentation on specific variables can be found here:

https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn

Note: due to a bug in /opt/glite/yaim/defaults/glite-glexec_wn.post in version 2.0.3-1.sl5 the following settings need to be done in site-info.def:

CONFIG_GRIDMAPDIR=no

to disable gridmapdir creation when SCAS or ARGUS is used.

SCAS_PORT for the port of the SCAS server
GLEXEC_WN_PEPC_RESOURCEID for the ARGUS resource ID.
GLEXEC_WN_PEPC_ACTIONID for the ARGUS action ID.

System tests

Test setup

First we install and setup the system for testing. This means to prepare the system taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline.

yum install emi-glexec_wn
yum install ca_policy_igtf-classic ca_policy_igtf-mics ca_policy_igtf-slcs fetch-crl3
ntpdate ntp.xs4all.nl
fetch-crl3 

The base installation is now done. Moving forward to more system specific steps:

chmod 4111 /usr/sbin/glexec
useradd glexec

Populate a useable VOMSDIR with .lsc files:

scp -r okoeroo@span:vomsdir/vomsdir/* /etc/grid-security/vomsdir/


Test setup (manual test)

gLExec preparation

The installation default of the /etc/glexec.conf file will work fine, but you'll need to whitelist yourself to authorize your account to use gLExec.

Whitelist yourself in the /etc/glexec.conf:

user_white_list              = okoeroo

LCMAPS preparation

lcmaps_db_file               = /etc/lcmaps/lcmaps-testing.db
lcmaps_get_account_policy    = test_policy
lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level           = 5

The /etc/lcmaps/lcmaps-testing.db would then look like:

# LCMAPS policy file/plugin definition

# default path for the modules
path = /usr/lib64/lcmaps/

# Plugin definitions:
good             = "lcmaps_dummy_good.mod"
                   " --dummy-username nobody"
                   " --dummy-group nobody"
                   " --dummy-sec-group nobody"

posix_enf        = "lcmaps_posix_enf.mod"
                   " -maxuid 1"
                   " -maxpgid 1"
                   " -maxsgid 32"

verifyproxy = "lcmaps_verify_proxy.mod"
              " -certdir /etc/grid-security/certificates"

# Policies:
test_policy:
verifyproxy -> good
good -> posix_enf

Basic functionality tests (manual)

Have proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Using the following gLExec script to activate gLExec with your own user certificate:

#!/bin/sh

GLEXEC_BIN="/usr/sbin/glexec"
if [ ! -f ${GLEXEC_BIN} ]; then
    GLEXEC_BIN="${GLEXEC_LOCATION}/sbin/glexec"
    if [ ! -f ${GLEXEC_BIN} ]; then
        echo "No glexec found"
        exit 1
    fi
fi

if [ "${X509_USER_PROXY}" = "" ]; then
    export X509_USER_PROXY=$HOME/mkproxy-x509-voms
fi

export GLEXEC_CLIENT_CERT=${X509_USER_PROXY}
export GLEXEC_SOURCE_PROXY=${X509_USER_PROXY}

#echo "------------"
cmd="${GLEXEC_BIN} /usr/bin/id -a"

$cmd
echo $?
exit 0

Run the test script and the following result is expected:

[okoeroo@localhost ~]$ ./test-glexec.sh 
uid=99(nobody) gid=99(nobody) groups=99(nobody)
0

Test setup (automated)

Download the gLExec (and LCAS/LCMAPS) compound test script. The SVN revision number 15284 of the compound test script was used.


WARNING: The script will rewrite the glexec.conf file multiple times to test all possible permutations of the configuration file. Also the LCAS and LCMAPS configuration files will be rewritten (in lcas-testing.db and lcmaps-testing.db files) to work.


Edit the script to configure it. Here is what was used for this certification:

#################
# Setup options #
#################
CONTINUEONERROR=no

TEST_ACCOUNT="okoeroo"

GLEXEC_EXEC="/usr/sbin/glexec"
GLEXEC_OWNERSHIP_SETUID="root.root"
GLEXEC_FILE_PERM_SETUID="6555"
GLEXEC_OWNERSHIP_NON_SETUID="root.root"
GLEXEC_FILE_PERM_NON_SETUID="0555"

CONF_OWNERSHIP_SETUID="glexec.glexec"
CONF_FILE_PERM_SETUID="0440"
CONF_OWNERSHIP_NON_SETUID="root.root"
CONF_FILE_PERM_NON_SETUID="0444"

test_glexec_conf="/etc/glexec.conf"
test_lcas_db="/etc/lcas/lcas-testing.db"
test_lcas_db_path="/usr/lib64/modules/"
test_lcas_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcas_userban_file="/etc/lcas/userban.db"
test_lcas_debug_level="0"

test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db"
test_lcmaps_db_path="/usr/lib64/modules/"
test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcmaps_debug_level="0"

priv_sep_file="/tmp/glexec_priv_sep_test.sh"
CAPATH="/etc/grid-security/certificates"
PEPD_ENDPOINT="https://argus.testbed:8154/authz"
GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile"

LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT"
#LOCALACCOUNT_TEST_MAP_USER="pool001"
POOLACCOUNT_TEST_MAP_USER=".pool"

### Test selection ###
USE_SCAS="No"
USE_SCAS=""

#################
# Setup proxies #
#################
CLIENT_CERT="/home/okoeroo/mkproxy-x509-voms"
USER_PROXY="$CLIENT_CERT"
SOURCE_PROXY="$CLIENT_CERT"
TARGET_PROXY="/tmp/target_proxy"

Basic functionality tests (automated)

Execute the script as root after properly configuring the script. See previous section for details:

sh glexec-lcas-lcmaps-compound-test.sh

Regression tests

Savannah bug 53192: scas-client: segfaults with malformed lcmaps-glexec.db (implemented):

The SCAS-client plugin will not trigger a segmentation fault and pull gLExec with it when the SCAS host is not a FQDN.