Notes from the Spring 2004 HEPiX
Agenda: http://hepwww.rl.ac.uk/hepix/nesc/agenda.htm
Site: http://www.nesc.ac.uk/esi/events/291/
This is not a trip report. Please consider it as informal notes of a few points
that I found interesting. I was there on May 24-26. Potential action items
for us are written in italics in the text. Please go to the actual talks
linked from the agenda to see the full context and other useful links.
Welcome talk by David Berry (NeSC)
The UK e-Science programme covers the period 2001-2006. The total
budget is 213M£ (UK pounds). The NeSC budget exceeds 20M£. This
can be compared to the EGEE budget, which is around 32M€/2years (euros). NeSC
welcomes suggestions for additional events to be held at their premises, especially
in the area of data management.
A VOMS-related GridPP activity at Manchester was mentioned, with the future intention
to bring up a VOMS server for use by BaBar. I asked for more information on
this activity but nobody knew anything apart from the name of Andrew
McNab, whom I plan to contact.
Curiosities from the Site reports' day
- Tony Chan (BNL): They are using Afs with Storage Area
Network (SAN). Still studying OpenAfs. They use a Condor-based batch system
in addition to LSF. Job submission to both
systems is being done via Globus. They offer a US Atlas Grid testbed for
DC02 support. In terms of Linux they use RH7.3 and RH8.
- J.Baschnagel (PSI.CH): They are using Afs with Storage
Area Network (SAN). They plan to move to (Heimdal) Kerberos 5 this Fall.
In terms of Linux they use RH9.
- Ch.Boeheim (SLAC): The LSF company (Platform) issued
special prices with an excellent discount for HEP sites. This is because
SLAC is now the 1st or 2nd biggest LSF installation on a single cluster world-wide.
Platform is currently asking for 55US$ (dollars) per box but if they get
a few more offers they'll drop down to 47$. I informed the LSF responsibles
at CERN by email immediately. We are now waiting
for a Platform contact for, possibly, further negotiations. In terms
of Linux they use RH Enterprise Server (ES) 3.
- St. Wiesand (DESY): There is a HERA experiment VO. I couldn't
get the information whether it is an LDAP installation or other. They face
problems with some LCG-2 nodes at Zeuthen which don't use RH7.3. They are
happy with dCache's capability to detect data corruption up to the 1E-12
level.
- H.Meinhard (CERN): A record network throughput was measured
between Los Angeles and Geneva of 6.26Gbps. The new Oracle contract allows
remote access to CERN databases for authorised users. In terms of Linux,
RH ES 3 will be certified this month.
- H. Kreiser (GSI, Darmstadt): A new circular accelerator
project is approved with an estimated cost of 1 billion € (euros). They still
have systems on-site running DEC/VMS, are still migrating from IBM/AIX to Linux,
and are still upgrading their Windows systems from WNT to W2K; they will consider
a WXP migration later.
- C.Kost (Triumf): They decided to use Squirrel web
mail for travelling members of the lab.
- S.Salih (Manchester): They built an Apple G5 cluster and
they are happy using it to run physics applications. A call for tender went
out recently to purchase 1500 future LCG nodes. The community is asked to
support Scientific Linux. This request comes from Fermilab, Triumf and Oxford,
amongst others. Many sites (also reported by NERSC and Oxford) face scaling
problems of Computer Centre expansion due to insufficient power and cooling
conditions. Maybe we should share our experience with others via relevant
talks in future HEPiX events.
- A.Sansum (RAL): This talk was completely Grid-centered. GOC reports
on monitoring and accounting were shown from R-GMA per site and per VO. I asked
which was the criterion for deciding the VO and they told me: the Unix group.
- Nathan Jones (One of the RH Sales Directors, reachable as njones@redhat.com): Migration
to RH ES3 is recommended due to its stability, reliability and slow evolution.
The Fedora project is dear to RH but it is very flexible, changes very fast
and can lead to instabilities in a demanding operational environment. RH
ES for Workstations is available at a yearly cost of 30 US$. The "Satellite
Server" set-up costs 13K US$ for the server and 20 US$ per connection per
year. The Global File System (GFS) will be downloadable with RH ES. Very
few customers have 64-bit Linux installations already.
Attractive points from the 2nd and 3rd day
- M.Guijarro (CERN, on CVS): The CVS software package is
already 15 years old. The Central CVS servers at CERN are on afs and the one
hosting LCG is not. This was LCG's choice. There was a security incident
on our CVS servers but it was not revealed. It only came out when B.Cowles
(SLAC Security officer) reported that they were attacked the day after us.
- S.Wiesand (DESY, on Unix application software): They decided
to install common packages like pine, perl etc from rpm in /opt/products/bin
rather than /usr/local. The appropriate location for executables and relevant
libraries gets in the user's path automatically. They are migrating from
DESY Linux 4 (DL4) to DL5. What is it?
- B.Cowles (SLAC, on recent computer security threats and vulnerabilities):
  - Mac OSX was compromised mid-May. MacOS was not a target in the past
    but it is becoming one now due to its power and popularity.
  - There was a WNT and W2K source code leak.
  - SLAC recommends the use of CITRIX for Windows access from remote locations.
    It is possible to open one specific application or the whole desktop.
  - Beware of email containing password-protected zipped viruses, supposedly
    sent by the security_team@your_site, claiming that "if you don't
    install this patch, you'll be cut off from the network". Proceeding
    with the proposed installation will bring up spam engines.
  - "One-time" password tokens are probably the solution for the future.
  - Attempted CVS attacks on SGI and Linux didn't affect the SGIs.
  - People running Acrobat Reader 5.1 should upgrade. It contains a hole
    that lets foreign users into your system.
  - Read HTML email as plain text. MS Outlook users can configure this
    option via the Preferences menu.
  - Share more information via the hepix-security mailing list. Had
    the CERN CVS attack been announced, it could have been avoided at SLAC!
- C.Whitney (NERSC, on PDSF news):
  - 'chos' stands for 'chroot os'. It is
    a tool that gives the user the environment of a given OS. It is suggested
    for adoption by the Grid community so that every VO can propagate its preferred
    OS flavour to all Grid nodes.
  - SGE Enterprise manages batch jobs faster than LSF. Sources are
    available. NERSC will, most probably, move to it.
  - Yet another monitoring tool for system administrators was recently
    developed and presented. My comment was that this community doesn't seem
    to really wish to share expertise, after all.
- M.Kaletka (FNAL, on Linux plans): Event reconstruction
and analysis farms run Fermi Linux 7.3. Commercial Linux is also available
for support purposes, i.e. to avoid users calling Connie Sieh.
- Discussion on the future of RH Linux (chaired by A.Silverman):
  - C. Boeheim and R.Mount made a HEP-wide deal with RH for a good support
    price.
  - A.Silverman obtained a HEP-wide 25US$ (dollars) = 28€ (euros)
    price per box, affordable by all labs.
  - The Manchester University representative asked what Linux flavour
    LCG will use and repeated the request that he made during his site
    report for Scientific Linux (FNAL) support.
  - The chairman insisted that HEPiX is not a body that makes decisions.
    He also said that the people who certify and deploy Linux in all major
    labs are present in this discussion.
  - A proposal was written on recommendation
    by the LCG Project Leader following this discussion.
- W.Friebel (DESY, on Afs): Kerberos 4 is now insecure.
arc (authenticated remote control) by R.Toebbicke uses Kerberos 4 and needs
to be replaced by arcx. k5cron, developed at DESY, is a successor to
acron, extensively tested at DESY, with sources available. People are invited
to test it. The speaker then explained the advantages
of SASL (Simple Authentication & Security Layer) as an API with plugins masking
other authentication mechanisms (Kerberos 4, Kerberos 5, gsi etc). More information
and downloads at their Zeuthen web site.
- A.Wachsmann (SLAC, on Afs Best Practices Workshop): The
1st ever such workshop was held at SLAC. There were 100 participants, 30%
of whom had never used afs and another 30% had had very little exposure to
it. Just one IBMer (one of the 8 afs Elders) was there. The commercial company
Sine Nomine Associates, which provides afs support but feeds customer-ordered
fixes back to the public domain, seems promising. Some common HEP-wide
effort is suggested to help the afs community to survive. This suggestion
remained very vague but there will be another such workshop, probably soon, containing
a Kerberos 5 tutorial.
- M.Draper (CERN, on IndiCo): This is an EU-funded project
with Italian, Dutch and CERN partners for conference organising. Code gets
fed to OpenSource. It will be used for CHEP and it is offered for use by
EGEE events.
Please read Silverman's report for
additional information, especially on the Mass Storage Workshop, for which, unfortunately,
I couldn't stay.
Maria Dimou, IT/GD,
Grid Infrastructure Services