Bug #4616

Frontend RPM frontend.xml population of Certs incorrect in v2.7.2.rc2

Added by John Weigand about 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: RPM - Frontend/Factory
Target version:
Start date: 09/04/2013
Due date:
% Done: 0%
Estimated time:
First Occurred:
Occurs In:
Stakeholders:
Duration:

Description

In v2.7.2.rc2 (and prior), the RPM-installed frontend.xml has several places
where the DN for services is pre-populated. It assumes a DOE certificate is
being used and formats the following attributes with:

/DC=org/DC=doegrids/OU=Services/CN=$(hostname --fqdn)

It does this for these element attributes:

<schedds>
   <schedd DN=
<collectors>
   <collector DN=

This is on a single node VO Frontend install where frontend, collector
and schedd/submit services are installed on the same node.

In this particular case, the condor config template assumes /etc/grid-security/hostcert.pem
for the 03_gwms_local.config GSI_DAEMON_CERT attribute.

It would make more sense for the rpm install to check for the hostcert.pem file and populate
the template with that. If it does not exist, then maybe it should populate those attributes
with "CHANGE ME" or something similar so it makes it obvious a change is required.

This has caught me on every fermicloud install as they all contain digicert certificates
and a cursory glance at the xml looks good.

I also noticed that the template contains the DN for the UCSD factory and it is
a DOE certificate. Has this changed? Or is it still using DOE certs?

John Weigand
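A configuration check of the kind this report asks for, added here as an example and not code from the project or from the reporter: it parses the schedd and collector DN attributes of a frontend.xml and flags any that still carry the DOE template prefix, a "CHANGE ME" placeholder, or a DN that differs from the subject of the certificate the frontend actually uses. The sample XML, the hostname and the DigiCert-style DN below are constructed for illustration; the expected DN is passed in as a string, in the same slash-separated form the XML uses.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment of an RPM-installed frontend.xml (not the real template file).
# One collector still has the DOE template DN, one schedd has been edited to a
# DigiCert-style DN, and one schedd carries the placeholder proposed in the report.
SAMPLE_FRONTEND_XML = """<frontend>
  <collectors>
    <collector DN="/DC=org/DC=doegrids/OU=Services/CN=frontend.example.invalid" node="frontend.example.invalid:9618"/>
  </collectors>
  <schedds>
    <schedd DN="/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=Services/CN=frontend.example.invalid" fullname="frontend.example.invalid"/>
    <schedd DN="CHANGE ME" fullname="schedd_jobs2@frontend.example.invalid"/>
  </schedds>
</frontend>
"""

# The DN prefix the template hard-codes (quoted in the bug report).
DOE_TEMPLATE_RE = re.compile(r"^/DC=org/DC=doegrids/OU=Services/CN=")
# Placeholder marker suggested in the report, matched case-insensitively.
PLACEHOLDER_RE = re.compile(r"CHANGE\s*ME", re.IGNORECASE)


def find_service_dns(xml_text):
    """Return (element tag, identifier, DN) for every schedd/collector DN in the config."""
    root = ET.fromstring(xml_text)
    found = []
    for tag, ident_attr in (("collector", "node"), ("schedd", "fullname")):
        for el in root.iter(tag):
            dn = el.get("DN")
            if dn is not None:
                found.append((tag, el.get(ident_attr, "?"), dn))
    return found


def classify_dn(dn, expected_dn=None):
    """Classify one DN as 'placeholder', 'doe-template', 'mismatch' or 'ok'.

    'mismatch' is only reported when an expected DN is supplied and differs.
    """
    if PLACEHOLDER_RE.search(dn):
        return "placeholder"
    if DOE_TEMPLATE_RE.match(dn):
        return "doe-template"
    if expected_dn is not None and dn != expected_dn:
        return "mismatch"
    return "ok"


def audit_frontend_xml(xml_text, expected_dn=None):
    """Return (tag, identifier, DN, verdict) for every service DN in the config."""
    return [(tag, ident, dn, classify_dn(dn, expected_dn))
            for tag, ident, dn in find_service_dns(xml_text)]


def problems(xml_text, expected_dn=None):
    """Only the entries an operator must edit before the frontend will authenticate."""
    return [row for row in audit_frontend_xml(xml_text, expected_dn) if row[3] != "ok"]


if __name__ == "__main__":
    # Constructed subject of the frontend's own service certificate (hypothetical value).
    expected = "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=Services/CN=frontend.example.invalid"
    for tag, ident, dn, verdict in audit_frontend_xml(SAMPLE_FRONTEND_XML, expected):
        print(f"{verdict:13s} {tag}:{ident}  DN={dn}")
```

Run against a real file with `audit_frontend_xml(open(path).read(), expected)`. The expected DN should be the subject of the certificate owned by the frontend user, not the root-owned host certificate; `openssl x509 -noout -subject -in <cert>` prints it, but the separator format differs between OpenSSL versions, so convert it to the slash-separated form before comparing.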

History

#1 Updated by John Weigand about 7 years ago

Some clarification after an IM conversation with Parag.

This is not intended to advocate that we should necessarily
check for the /etc/grid-security/hostcert.pem file for the population
of the DNs in the frontend.xml file for the user collector and schedds.

The problem with that approach is that Condor by default will be using
that cert and it must be owned by root. The frontend has to use another
cert or a clone of the host cert with ownership by the frontend user
(default: frontend).

I guess what I am advocating is that we mark those DNs in the template
with something like "CHANGE ME" so it is obvious that these must be edited.

John Weigand

#2 Updated by Parag Mhashilkar almost 7 years ago

  • Status changed from New to Closed
  • Target version changed from v2_7_x to v2_7_2
