Upload
ling
View
23
Download
0
Tags:
Embed Size (px)
DESCRIPTION
HEPiX Spring 2013 Report. Luis FERNANDEZ ALVAREZ (IT-OIS). Security and Networking. Overview. Total of 7 talks in Wednesday session Spring2011 (4)2012 (6) Fall 2011 (7) 2012 (11) Topics: IPv6 Network monitoring Identity management Security DNS HA Institutes & Others: - PowerPoint PPT Presentation
Citation preview
CERN IT Department
CH-1211 Genève 23
Switzerlandwww.cern.ch/
it
HEPiX Spring 2013Report
Luis FERNANDEZ ALVAREZ
(IT-OIS)
SECURITY AND NETWORKING
Security and Networking - 2
Overview
• Total of 7 talks in Wednesday sessionSpring2011 (4) 2012 (6)
Fall 2011 (7) 2012 (11)
• Topics:– IPv6– Network monitoring
– Identity management– Security– DNS HA
• Institutes & Others:– INFN, Indiana University, CNAF, University of Michigan,
BrightLite Information Security, STFC, CERN.
Security and Networking - 3
IPv6 (I)
TalksThe HEPiX IPv6 working group
The last year of IPv6 HEPiX test bed operation
•IPv4 exhaustion, it will also hit CERN–Adoption of IPv6 for applications and WLCG
•Have IPv6-only WNs by 2014–Big challenge => more resources (people + equipment)
•HEPiX distributed test bed in progress–LHC Experiments on board: CMS, LHCb, ALICE & ATLAS–Configuration validation: DNS entries, ping6,…–Simple data transfers between all nodes simultaneously
•2013–Include all Tier 1, decide services running dual stack, testing (volunteers),…
Security and Networking - 4
IPv6 (II)
• Technologies used in the testbed:– Globus/GridFTP, UberFTP, glibc, DHCPv6, RAs…
• The workgroup highlights some issues:– IPv6 seems still not to be taken seriously when it comes
to writing/patching software.– Tracking and keeping traction on issues resolution has
proved to be slow and expensive– Protocol specification mesh, minor infrastructure rethink
Security and Networking - 5
Network Monitoring
TalkWLCG Network Monitoring using perfSONAR-PS
•perfSONAR network monitoring framework–Provide a single source of network metrics to WLCG
–Targeting full deployment at all Tier-2 sites (150 locations)
•perfSONAR-PS deployment based on 2 instances–Central mesh configuration for node and tests to perform
–Measurements between WLCG resources: latency, bandwidth, traceroute.
•Modular dashboard as a central source of info
•How to exploit all the metrics?
Security and Networking - 6
Identity Management
TalksIdentity Federation – HEP/WLCG
eXtreme Scale Identity Management (XSIM) for Scientific Collaborations
•Identity Federation (FIM4R), use cases–Web-based grid portals for job submission.–CLI-based job submission.
•Working group: proof-of-concept pilot service for CLI–WLCG resources through home-issued credentials–ECP, CILogon–CLI tool working, promising results
•Blocking issues–ECP profile is not widely supported among IdPs–No further work on current pilot based on ECP
•Discussion on trust, LoA, Web use case, ECP alternatives…
Security and Networking - 7
Identity Management (II)
• XSIM: trustworthy extreme-scale scientific collaborations– Understand and formalize a model of IdM
• Method– Understand the core elements of trust relationship– How those relations would be expressed in IdM?– Model validation, software and applied research
• Interviews with VOs and RPs– Constitution of VOs, relation with RPs and users, threats,
policies, lessons learned…
• No results in raw format– Unstructured format, privacy– Next target: publication of results at CHEP/eScience
Security and Networking - 8
Security
TalkSecurity Update
•Botnets & SSH attacks–Citadel (Man-in-the-browser) compromised 11730 hosts –Ebury sshd Trojan: compiled for each victim, stealth,…
•WLCG–Risk Analysis: misused identities, attack propagation, OS vulnerabilities–Incidents 10-12 per year (2012 quieter than usual)
•Paradigm shift–Control mechanisms: from local users to federation with good reputation sites–Security perimeters: from ensuring attackers to never run any kind of arbitrary code to allow it in an isolated VM environment
•VMs isolation impossible & traditional mechanisms obsolete–Traceability for containing, resolving and preventing issues–Store and analyze data
Security and Networking - 9
DNS HA
TalkDNS multi master architecture for High Availability services
•Resilient DNS, guarantee full functionality–Modify IP of a service during the downtime of a site hosting one authoritative DNS
•Nagios + BIND9-DLZ + MySQL (circular replication)–BIND9 Limitations: Reads data from text files, stores it in memory, changes implies reloading
•It permits to change the IP addresses even if one of the sites is down
Security and Networking - 10
GRID, CLOUD AND VIRTUALIZATION
Grid, cloud and virtualization - 11
Overview
• Total of 5 talks in Thursday sessionSpring2011 (8) 2012 (6)
Fall 2011 (8) 2012 (7)
• Topics:– IaaS– Federated Clouds
• Institutes & Others:– FermiLab, RAL, STFC, CERN.
Grid, cloud and virtualization - 12
IaaS (I)
TalksVirtualisation Cloud Computing at the RAL Tier 1
The CMS openstack, opportunistic, overlay, online-cluster CloudFermiGrid and FermiCloud Updates
Vmcaster and Vmcatcher
•Virtualization @ RAL (Hyper-V Platform)–~200VMs over 3 years (provisioning more responsive)–HA shared storage (minimize important data on VMs)–Not wedded to Hyper-V
•Prototype StratusLab private cloud (~300 cores)–WiP: Federation, Evaluating CEPH & Integrate the cloud into Tier 1–Rethink the platform itself
•WLCG: dynamically-provisioned worker nodes–Tested with: HTCondor & Slurm
Grid, cloud and virtualization - 13
IaaS (II): CMS
• Cloud Architecture – 1 Controller + 1 Image Store + 1300 Compute nodes– 1000 VMs running stable 3 weeks / 250VMs in ~ 5min
• Network virtualization– No physical reconfiguration / encapsulations overhead– Logical cloud network schema easier to understand
• Work in progress– Integration as a CERN’s GRID resource– Migration to Grizzly (HA)– Increase network bandwidth to CERN Tier0 (40GBit/s)
• Highlights– Zero impact on data taking– ~1.5FTE for ~6months
Grid, cloud and virtualization - 14
IaaS (III)
• FermiGrid– FermiGrid-HA(2)– WiP: IPv6, SHA-2, merge services into FermiCloud
• FermiCloud based on OpenNebula– Distributed fault tolerance highly desirable– VM Acceptance process (security probes, sandbox,…)– Idle VM detection & suspension when needed– Virtualized MPI results: >96% of the bare metal
performance
• Starting… – Interoperability and federation– Reevaluate OpenStack and other stacks
Grid, cloud and virtualization - 15
IaaS (IV)
• vmcaster and vmcatcher– Repository for VM images (rpm/deb style)
• Deployments– OpenStack @ CC-IN2P3– OpenNebula @ CESGA– EGI Federated Cloud Task Force
• Contextualisation based on archiveoverlays– Images are public,
overlays are private
• Status– Vmcatcher work needed– Vmcaster production
Grid, cloud and virtualization - 16
Federated Cloud
TalkEGI Federated Cloud Infrastructure status
•Create an uniform access to the cloud
–Federation system agnostic about a particular stack
•Standard interfaces: –OCCI, CDMI,…
•30 active individuals in FedCloud VO
Grid, cloud and virtualization - 17
CERN IT Department
CH-1211 Genève 23
Switzerlandwww.cern.ch/
it
HEPiX Spring 2013Report
Thanks