
SFT group meeting Desktop Forum report Alberto AIMAR alberto.aimar@cern.ch

Date post: 30-Dec-2015
Page 1: SFT group meeting Desktop Forum report Alberto AIMAR alberto.aimar@cern.ch.

SFT group meeting

Desktop Forum report

Alberto AIMAR, alberto.aimar@cern.ch

Desktop Forum, September 15th 2005

• CNIC project update

• CRA, project status

• Linux update

• PC rental phase-out

• Fax services

• http://agenda.cern.ch/fullAgenda.php?ida=a055754

Computing and Network Infrastructure for Controls

CNIC

• What is CNIC?

• Why is CNIC necessary?

• CNIC definitions

• Changes for users once the CNIC policy is in place

• Network tools and policies for CNIC

What is CNIC

• CNIC-WG

– Working Group delegated by the CERN Controls Board

• Mandate covers only control systems, not office computing

– Definition of

• Security policy

• Networking aspects

• Operating systems (Windows and Linux)

• Services and support

– Members should cover all CERN controls domains and activities

• Service providers

• Service users

Networking (1/2)

• General Purpose Network (GPN)

– Desktop Computing, testing, access from outside, …

• Technical and Experiment Network (TN and EN)

– Only operational devices

– Authorization procedure

• Inter domain communications

– Application Gateways

– Trusted services

• Dependencies

– File systems (DFS, …),

– databases (CERNDB, …),

– servers (DNS, …)

Networking (2/2)

• Domain Gateway filters:

– Only allow network traffic from trusted hosts

• Trusted hosts by controls networks:

– IT/CS network services

– Central IT services (e.g. AFS, DFS, NICE domain controllers, TSM backup servers, Oracle, …)

– Application Gateways (e.g. Windows Terminal Servers, Linux gateway servers)

Use Case - Office connection

• Connection to controls monitoring system (e.g. PVSS) from office PC

– Connection to application gateway (e.g. Windows Terminal Server).

– Open session to application (e.g. PVSS) with connection to controls machine and PLCs.

Administrative Information Services

CERN - Organisation Européenne pour la Recherche Nucléaire

Wim van Leersum/IT-AIS-F

CRA Status

• First release (end of October ?):

– Current CCDB functionality (account mgmt)

– Data cleanup

– Automatic account expiration

• Design finished

• Data base schema/User Interface implemented

• AIS and Nice account management tested

CRA current activities

• Data cleanup

– Accounts review

– Admin groups

– Primary/Secondary account group

– Ais/Nice Synchronization

– Expired accounts removal

• Migration of Oracle users

• EDMS account management

• Training accounts mgmt

SLC4 certification

Responsible for OS certification:

– Linux Certification Committee, http://cern.ch/linux/documentation/LXCERT/

Responsible for physics compilers/software stack certification:

– LCG Architects Forum, http://lcgapp.cern.ch/project/mgmt/af.html

– system compiler still preferred choice, but now may change during OS lifetime --> some divergence recently ...

– commercial libraries and products, as well as overlaps with system libraries, have to be carefully watched ...

[Figure: Scientific Linux CERN 3. Monthly plot, Nov04 to Sep05, vertical axis 0 to 4000. Series: Total SLC3, "Desktop" SLC3, CC SLC3, Total 7.3.]

Linux SLC5

Red Hat Enterprise Linux 5 / Scientific Linux 5:

– up-to-date, including stable 2.6 kernel

– BUT: release 2nd Q 2006

Add 2-4 weeks for building SL5

– Another 2-4 for building SLC5

RedHat does not commit to any release date – but their product lifecycle is 12-18 months

– ... may be too late for CERN full certification.

Linux SLC4

Responsible for OS certification:

– Linux Certification Committee, http://cern.ch/linux/documentation/LXCERT/

Responsible for physics compilers/software stack certification:

– LCG SPI (approved by Architects Forum)

Certify twice

– SLC4 – 'slowly' Q3/Q4 2005

– SLC5 – 'fast' Q2 2006 (Q3 2006 ?)

Use 'split certification'

– Operating system

– Experiments compilers plus software

Decide deployment late ... and then do it quickly !

Summary

No new rental agreements (Already frozen 2 DTFs ago)

Consider all past payments as capital repayments

Send proposals to buy-out (by completing capital repayment) or return

– Immediately (rather than wait for next contract renewal)

An opportunity for a better service

A bi-directional FAX-EMAIL gateway

Outgoing fax sent from email

– Supports Text, HTML, and all major file formats (including PDF, Office, drawings, etc)

– Robust decoding of attachments

– NEW: must be registered to use the service

– http://cern.ch/fax (part of the CERN mail services)

– Cover page can be customized

– Email Syntax for fax: [email protected]

… a better service …

Incoming fax

– When registering (http://cern.ch/fax) every user obtains a unique phone number for his/her “virtual” fax machine, 0041 22 766 xxxx

– All faxes sent to the unique phone number will be digitized to PDF format and sent to the email of the user

– The default “cover page” contains the user name and the virtual fax number (so people can reply directly to a fax)

Status of the service

The new service is in production since the beginning of September

– Already 270 users registered!

– Over 1100 faxes sent, 600 received

Only staff members, fellows and service accounts can become registered users of the service

– This can change

– Telephone cost is not recharged but accounted. Abuses are monitored

Work is being done to add the assigned “Fax number” in the CERN phone book

Desktop Forum, October 13th 2005

• CNIC / NICEFC - NICE For Controls

• CNIC / LINUXFC - LINUX For Controls

• Videoconferencing with VRVS/EVO (not reported here)

• AOB

• http://agenda.cern.ch/fullAgenda.php?ida=a056481

• By A.Pfeiffer

NICEFC strategy

Three directions followed …

• Improve the Windows installation services in a way where the configuration is read entirely from a central database (reinstalling a device restores its assigned applications)

• Simplify the installation of Custom Terminal Servers to allow cloning of the current production service (application gateways)

• Build a “Management Framework” where owners of machines can define and manage the exact configuration of computers under their control

– Web based User Interfaces for administration

– Central Configuration & Reporting Database

– Client Service running on each participating Windows PC

Concrete results so far …

• Installation “from the network” in production since June

– No need for floppy disk or CDs anymore

– No need to preload disk images on new computers

– See: http://cern.ch/Win/Services/Installation/Diane

• Application gateway “service” being prepared

– Already 2 Terminal service gateways installed (AB/CO, TS/CV)

– Starting point: a “clone” of the general purpose terminal server configuration

– The service is not free and is charged on a yearly basis. This ensures its scalability and focuses the effort on real needs

– See: http://cern.ch/Win/docs/serverservice http://cern.ch/terminalservices

Concrete results so far …

• The “Management Framework” is available for test

– Provides complete delegation of system administration to “locally managed” Sets

– It allows the definition of “Named Set of Computers”

– It allows to control which patches and applications are installed on these sets (either “standard” centrally provided packages or created by local administrators)

– It allows to control WHEN the deployments take place

– It allows to define specific policies for all sets

• Hardware and Software Inventory and Metering possible using standard mechanisms

• A general solution for locally managed computers with a maximum reuse of standard packages prepared centrally

Linux For Controls Requirements

• R1 The computers shall have well defined configurations

– Only defined versions of defined packages shall be installed

– It must be possible to have additional packages/versions on computers dedicated to test or development activities

– Equipment responsible persons (at domain, NSC or node level) or the CERN CSO must be able to determine when to install patches and upgrades

• R2 It must be possible to do a version rollback

– It must be possible to go back to previous versions of configurations

– It must be possible to go back to previous versions of packages installed

Linux For Controls Requirements

• R3 It must be possible to manage computers by user-definable groups

– It must be possible to define the responsibility for computers according to their functionality (NSC)

– The configuration parameters must be definable according to the domain and NSC of the computer

• R4 It must be possible to clone computer(s) and re-install from scratch

– It must be possible to give a new computer the same configuration as an existing configured computer

– For replacements or troubleshooting it must be possible to reinstall a computer from scratch

Linux For Controls Requirements

• R5 It must be possible to validate changes before applying them

• R6 It must be possible to verify the configuration

– It must be possible to test if the real configuration is identical to the desired configuration

– It must be possible to change the real configuration to the desired configuration

• R7 It must be possible to manage user installed packages and patches

Linux For Controls Requirements

• R8 It must be possible to do remote system management

• R9 Minimal Execution Rights

– It must be possible to restrict the execution rights of the accounts for certain applications

• R10 It must be possible to disable or restrict data transfer peripherals

– To avoid that extra software that could compromise the security or functionality of a computer can be installed via CDs, DVDs, USB or similar devices, it must be possible to restrict or disable these devices.
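
Added example, not part of the original slides and not CNIC code: one way to check requirements R1, R6 and R7 in Python, comparing a node's installed packages with its defined configuration and deriving the changes that restore it (a version change also covers the R2 rollback). Package names, versions and function names are constructed for illustration.

```python
# Added illustration, not CNIC/CERN code. All names and versions are constructed.
DESIRED = {"kernel": "2.4.21-37", "openssh": "3.6.1p2", "ctrl-app": "1.4"}
INSTALLED = {"kernel": "2.4.21-37", "openssh": "3.9", "usb-tools": "0.9"}


def audit(desired, installed, test_node=False):
    """Compare a node's installed packages with its defined configuration.

    Both arguments map package name -> version string. On a test or
    development node (R1) extra packages and versions are reported but
    left alone. Returns (findings, plan).
    """
    findings = {"missing": [], "wrong_version": [], "unexpected": []}
    plan = []
    for name in sorted(desired):
        want, have = desired[name], installed.get(name)
        if have is None:
            findings["missing"].append(name)
            plan.append(("install", name, want))
        elif have != want:
            findings["wrong_version"].append((name, have, want))
            if not test_node:
                # Upgrade or rollback (R2): pin to the defined version.
                plan.append(("set_version", name, want))
    # R7: packages nobody defined, e.g. installed by a user.
    for name in sorted(set(installed) - set(desired)):
        findings["unexpected"].append((name, installed[name]))
        if not test_node:
            plan.append(("remove", name, installed[name]))
    return findings, plan


def apply_plan(installed, plan):
    """Simulate the plan on a copy of the state; nothing on the system changes."""
    state = dict(installed)
    for action, name, version in plan:
        if action == "remove":
            state.pop(name, None)
        else:  # "install" or "set_version"
            state[name] = version
    return state


if __name__ == "__main__":
    findings, plan = audit(DESIRED, INSTALLED)
    print(findings)
    print(plan)
    print(apply_plan(INSTALLED, plan) == DESIRED)  # R6: real state now matches
```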

AOB

• Skype problem with "supernodes" which kicks in at CERN (high bandwidth)

– causing high network traffic and legal issues (as we then become a telecom operator)

• There are requests for having a VoIP service

– is on working list (not with high priority)

– needs to be moved to high priority in a common effort between IT and PH

• Windows 2000 is supported if it is patched (at least SP4)

– ... from MicroSoft until 2009

– IT would like to reduce support earlier (beginning from next year)

• VPN requirements (feedback)

– most people were misunderstanding on other ways to work

– few cases where VPN is needed (see document on agenda page)

– users have to use the less convenient ways of viewing web pages which are only visible from within CERN (e.g. through terminalservices)

– no performance issue even over low (non-ADSL/modem) connections.

• CRA:

– accounts will keep alive for one year

– controls group: unix uid should never be reused (present policy is reusing)

– another discussion in DTF is needed to iterate on the requirements/needs

