[Swift-devel] Notes from 0.93 meeting

Mihael Hategan hategan at mcs.anl.gov
Thu Aug 25 17:31:34 CDT 2011


On Thu, 2011-08-25 at 17:18 -0500, Jonathan Monette wrote:
> I can send mail to ci support and cc mike to it and ask what they can
> do. 
> 
> Mihael, is there anyway for Swift to give a little more feedback
> besides unknown CA or is that a jglobus problem?

It's a jglobus problem.

That in itself may not be a big issue, but jglobus is now being heavily
re-organized by the globus team, so I'm not sure what the best long-term
strategy is here.
> 
> ----- Reply message -----
> From: "Sarah Kenny" <skenny at uchicago.edu>
> Date: Thu, Aug 25, 2011 5:11 pm
> Subject: [Swift-devel] Notes from 0.93 meeting
> To: "Jonathan Monette" <jonmon at mcs.anl.gov>
> Cc: "Mihael Hategan" <hategan at mcs.anl.gov>, "swift-devel Devel"
> <swift-devel at ci.uchicago.edu>
> 
> 
> 
> if i had a nickel for every time i dealt with this i'd be rich! :)
> actually, now that i'm looking at our uci machines i actually have
> them updating hourly...so, maybe you want to ask the admins to do that
> to avoid a full day of confusion whenever they expire :P
> 
> *usually* i can't gsissh either if the certs have expired but, yeah,
> they must be using different CA's now for that on ranger as mihael
> suggests... 
> 
> On Thu, Aug 25, 2011 at 2:46 PM, Jonathan Monette <jonmon at mcs.anl.gov>
> wrote:
>         True.  I did not think that each mechanism would use different
>         CAs.  We might want to ask ci support to update the grid certs
>         more frequently then to avoid this situation.
>         
>         
>         On Aug 25, 2011, at 4:42 PM, Mihael Hategan wrote:
>         
>         > On Thu, 2011-08-25 at 16:40 -0500, Jonathan Monette wrote:
>         >> That is weird.  If you were able to gsissh to ranger I
>         would assume
>         >> that you are able to globus-url-copy to ranger.
>         >
>         > Not if the two use different CAs. Or if a password was typed
>         at the ssh
>         > login.
>         >
>         >>  Anyways, what Sarah said should work.  I would assume that
>         ci would
>         >> update more frequently to avoid this problem.
>         >> On Aug 25, 2011, at 4:38 PM, Sarah Kenny wrote:
>         >>
>         >>> communicado's certs (/etc/grid-security/certificates) are
>         >>> out-of-date...if you copy
>         ranger's /etc/grid-security/certificates
>         >>> directory to communicado and point yr X509_CERT_DIR to it
>         you can
>         >>> get a job thru (a simple globus-job-run with my vaild cert
>         fails
>         >>> from communicado at the moment if i don't do this).
>         >>>
>         >>> i set our machines at uci to update daily...i think it's
>         less
>         >>> frequently at ci...
>         >>>
>         >>> On Thu, Aug 25, 2011 at 2:17 PM, Mihael Hategan
>         >>> <hategan at mcs.anl.gov> wrote:
>         >>>        Can you try a globus-url-copy to gridftp.ranger?
>         >>>
>         >>>        gridftp.ranger seems to have the NCSA myproxy CA.
>         You say
>         >>>        you have the
>         >>>        proper certificates dir in your X509_CERT_DIR, and
>         that
>         >>>        directory
>         >>>        contains the TACC root cert. So it should work. And
>         so
>         >>>        should swift.
>         >>>
>         >>>        Though I think that jglobus should be more clear
>         about
>         >>>        "Unknown ca"
>         >>>        errors. At least the name of the unknown CA should
>         be part
>         >>>        of the error
>         >>>        message.
>         >>>
>         >>>
>         >>>        On Thu, 2011-08-25 at 15:55 -0500, David Kelly
>         wrote:
>         >>>> $ grid-proxy-info -all
>         >>>> subject  : /C=US/O=National Center for Supercomputing
>         >>>        Applications/CN=David Kelly
>         >>>> issuer   : /C=US/O=National Center for Supercomputing
>         >>>        Applications/OU=Certificate Authorities/CN=MyProxy
>         >>>> identity : /C=US/O=National Center for Supercomputing
>         >>>        Applications/CN=David Kelly
>         >>>> type     : end entity credential
>         >>>> strength : 1024 bits
>         >>>> path     : /tmp/x509up_u1878
>         >>>> timeleft : 9:56:53
>         >>>>
>         >>>>
>         >>>> ----- Original Message -----
>         >>>>> From: "Mihael Hategan" <hategan at mcs.anl.gov>
>         >>>>> To: "David Kelly" <davidk at ci.uchicago.edu>
>         >>>>> Cc: "Ketan Maheshwari" <ketancmaheshwari at gmail.com>,
>         >>>        "swift-devel Devel" <swift-devel at ci.uchicago.edu>
>         >>>>> Sent: Thursday, August 25, 2011 3:42:57 PM
>         >>>>> Subject: Re: [Swift-devel] Notes from 0.93 meeting
>         >>>>> Odd. Can you paste the output of 'grid-proxy-info -all'?
>         >>>>>
>         >>>>> On Thu, 2011-08-25 at 15:18 -0500, David Kelly wrote:
>         >>>>>> Sure, here is the full log:
>         >>>>>>
>         >>>>>>
>         >>>
>          http://www.ci.uchicago.edu/~davidk/001-catsn-ranger-20110825-1515-5tydro91.log
>         >>>>>>
>         >>>>>> ----- Original Message -----
>         >>>>>>> From: "Mihael Hategan" <hategan at mcs.anl.gov>
>         >>>>>>> To: "David Kelly" <davidk at ci.uchicago.edu>
>         >>>>>>> Cc: "Ketan Maheshwari" <ketancmaheshwari at gmail.com>,
>         >>>        "swift-devel
>         >>>>>>> Devel" <swift-devel at ci.uchicago.edu>
>         >>>>>>> Sent: Thursday, August 25, 2011 2:43:31 PM
>         >>>>>>> Subject: Re: [Swift-devel] Notes from 0.93 meeting
>         >>>>>>> It's possible that the CA dir on Ranger is not
>         >>>        properly set up.
>         >>>>>>> Can
>         >>>>>>> you
>         >>>>>>> post the full log?
>         >>>>>>>
>         >>>>>>> On Thu, 2011-08-25 at 13:56 -0500, David Kelly
>         >>>        wrote:
>         >>>>>>>> Those environment variables were not set up. I
>         >>>        have them defined
>         >>>>>>>> now, but I'm still getting the same error.
>         >>>>>>>>
>         >>>>>>>> [davidk at communicado ranger]$ env |grep 509
>         >>>>>>>> X509_CERT_DIR=/opt/osg-1.2.16/globus/TRUSTED_CA
>         >>>>>>>> X509_CADIR=/opt/osg-1.2.16/globus/TRUSTED_CA
>         >>>>>>>>
>         >>>>>>>> [davidk at communicado ranger]$ swift -sites.file
>         >>>        sites.xml
>         >>>>>>>> -tc.file
>         >>>>>>>> tc.data 001-catsn-ranger.swift
>         >>>>>>>> Swift svn swift-r4987 (swift modified locally)
>         >>>        cog-r3229
>         >>>>>>>>
>         >>>>>>>> RunID: 20110825-1352-f1v940b4
>         >>>>>>>> Progress: time: Thu, 25 Aug 2011 13:52:59 -0500
>         >>>>>>>> Progress: time: Thu, 25 Aug 2011 13:53:00 -0500
>         >>>        Selecting site:7
>         >>>>>>>> Initializing site shared directory:3
>         >>>>>>>> Execution failed:
>         >>>>>>>>      Authentication failed [Caused by: Failure
>         >>>        unspecified at
>         >>>>>>>>      GSS-API
>         >>>>>>>>      level [Caused by: Unknown CA]]
>         >>>>>>>>
>         >>>>>>>>
>         >>>>>>>> ----- Original Message -----
>         >>>>>>>>> From: "Ketan Maheshwari"
>         >>>        <ketancmaheshwari at gmail.com>
>         >>>>>>>>> To: "David Kelly" <davidk at ci.uchicago.edu>
>         >>>>>>>>> Cc: "Jonathan Monette" <jonmon at mcs.anl.gov>,
>         >>>        "swift-devel
>         >>>>>>>>> Devel"
>         >>>>>>>>> <swift-devel at ci.uchicago.edu>
>         >>>>>>>>> Sent: Thursday, August 25, 2011 1:32:50 PM
>         >>>>>>>>> Subject: Re: [Swift-devel] Notes from 0.93
>         >>>        meeting
>         >>>>>>>>> Hi,
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>> Are your CADIR and CACERT env vars set up?
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>> [communicado:swiftgrid]$ echo $X509_CADIR
>         >>>>>>>>> /opt/osg-1.2.16/globus/TRUSTED_CA
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>> [communicado:swiftgrid]$ echo $X509_CERT_DIR
>         >>>>>>>>> /opt/osg-1.2.16/globus/TRUSTED_CA
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>> On Thu, Aug 25, 2011 at 1:29 PM, David Kelly <
>         >>>>>>>>> davidk at ci.uchicago.edu
>         >>>>>>>>>> wrote:
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>> Thanks Jon,
>         >>>>>>>>>
>         >>>>>>>>> Here is what happens when I try this from
>         >>>        communicado:
>         >>>>>>>>>
>         >>>>>>>>> [davidk at communicado ~]$ myproxy-logon -l dkelly
>         >>>        -s
>         >>>>>>>>> myproxy.teragrid.org
>         >>>>>>>>> Enter MyProxy pass phrase:
>         >>>>>>>>> A credential has been received for user dkelly
>         >>>        in
>         >>>>>>>>> /tmp/x509up_u1878.
>         >>>>>>>>>
>         >>>>>>>>> [davidk at communicado ranger]$ swift -sites.file
>         >>>        sites.xml
>         >>>>>>>>> -tc.file
>         >>>>>>>>> tc.data 001-catsn-ranger.swift
>         >>>>>>>>> Swift svn swift-r4987 (swift modified locally)
>         >>>        cog-r3229
>         >>>>>>>>>
>         >>>>>>>>> RunID: 20110825-1326-o3e38fe0
>         >>>>>>>>> Progress: time: Thu, 25 Aug 2011 13:26:43 -0500
>         >>>>>>>>> Progress: time: Thu, 25 Aug 2011 13:26:44 -0500
>         >>>        Selecting
>         >>>>>>>>> site:8
>         >>>>>>>>> Initializing site shared directory:2
>         >>>>>>>>> Execution failed:
>         >>>>>>>>> Authentication failed [Caused by: Failure
>         >>>        unspecified at
>         >>>>>>>>> GSS-API
>         >>>>>>>>> level
>         >>>>>>>>> [Caused by: Unknown CA]]
>         >>>>>>>>>
>         >>>>>>>>> Any ideas?
>         >>>>>>>>>
>         >>>>>>>>> Thanks,
>         >>>>>>>>> David
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>> _______________________________________________
>         >>>>>>>>> Swift-devel mailing list
>         >>>>>>>>> Swift-devel at ci.uchicago.edu
>         >>>>>>>>>
>         >>>
>          https://lists.ci.uchicago.edu/cgi-bin/mailman/listinfo/swift-devel
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>>
>         >>>>>>>>> --
>         >>>>>>>>> Ketan
>         >>>>>>>> _______________________________________________
>         >>>>>>>> Swift-devel mailing list
>         >>>>>>>> Swift-devel at ci.uchicago.edu
>         >>>>>>>>
>         >>>
>          https://lists.ci.uchicago.edu/cgi-bin/mailman/listinfo/swift-devel
>         >>>
>         >>>
>         >>>        _______________________________________________
>         >>>        Swift-devel mailing list
>         >>>        Swift-devel at ci.uchicago.edu
>         >>>
>          https://lists.ci.uchicago.edu/cgi-bin/mailman/listinfo/swift-devel
>         >>>
>         >>>
>         >>>
>         >>>
>         >>> --
>         >>> Sarah Kenny
>         >>> Programmer ~ Brain Circuits Laboratory ~ Rm 2224 Bio Sci
>         III
>         >>> University of California Irvine, Dept. of Neurology ~
>         773-818-8300
>         >>>
>         >>> _______________________________________________
>         >>> Swift-devel mailing list
>         >>> Swift-devel at ci.uchicago.edu
>         >>>
>         https://lists.ci.uchicago.edu/cgi-bin/mailman/listinfo/swift-devel
>         >>
>         >
>         >
>         
>         
> 
> 
> 
> -- 
> Sarah Kenny
> Programmer ~ Brain Circuits Laboratory ~ Rm 2224 Bio Sci III
> University of California Irvine, Dept. of Neurology ~ 773-818-8300
> 





More information about the Swift-devel mailing list