Attending: Daniel, Duncan, Gareth, John H, Marcus, Matt, Winnie, Jens, Ewan, Elena, David, Raul, Sam

Apols: Tom, and Brian is on leave


0. OPerational blog posts!  Still none since end of Jan...!

   Raul's problem - could it be caused by running the head node on a
   virtual system?  But it is not virtual.  Nobody else has seen the
   problem but Raul has sent core dumps to DPM and they have confirmed
   that it is a DPM problem.  There is a release candidate of 1.8.11
   which has a patch which Raul is currently testing.  (So the problem
   is not related to the standalone xrootd.)

1. Update on stuff
  - GridPP as a data infrastructure.  Some of the background to this
    discussion is the notion of a "Science DMZ" (but also on ensuring
    GridPP is available as a data infrastructure for VOs)
  - T2C testing - CMS tickets against Glasgow and QM.  Glasgow was
    blacklisted by CMS after volunteering for the testing so one hand of
    CMS does not know what the other is doing.
  - "New VO" data problems/progress? LSST, LIGO, DiRAC
    - LSST moving data, now using DFC.  Good to access data via LFN but
      finding it confusing to upload to a site - maybe we should have a
      generic endpoint like data.gridpp.ac.uk
    - LIGO seem more interested in CPU at the moment?
    - DiRAC - still debugging blocked ports at Leicester.
  - Catalogues - any remaining problems?  We had instructions for most
    systems; but DPM and CASTOR generate (with nsls) directory listings
    individually and the file listing needs glueing back together.
    Most sites just need to make sure they upload the catalogues...

Regarding the firewalls, there is a security argument that you may wish
to protect your office environment from the grid cluster (Ewan).

So there are sort of four different flavours of site firewallness.

a. Packet inspecting - here be dragons
b. Some ACLs, some ports blocked, but no packet inspection
c. There is a firewall but nothing is blocked, packets pass through
d. No firewall, but network monitoring using a firewall (or other)
e. No firewall (other than the machine's own, or site router)

Most sites are b.-d. and are seeing good performance.

Brunel, Lancaster, Bristol, GlasgowPP, Sheffield - mostly firewalled

QMUL, Imperial, Oxford, Glasgow, Durham, Cambridge - mostly not

...xroot uses the control channel for data transfers if it cannot open
a data channel.  Ouch.

We have an example of a zealous packet inspection dropping packets that
should have negotiated the SSL connections.  Also when we get IPv6 we
will have a lot of fun again when configuring firewalls - "extra
hilarious"

The JISC (JANET) E2E workshops and Networkshop is relevant; however,
Networkshop is coming up in only three week's time (in Manchester)
and is slightly pricey - is someone speaking on behalf of GridPP?

https://www.jisc.ac.uk/events/networkshop43-31-mar-2015/programme


2. Not-quite-monthly round table updates on storage related activities
that *you* are doing (or would hope to be doing if you had the time?)

   Postponed to next week.  They are good to have in the sense they
   give a feeling for what's going on and people who usually don't
   say much get to say something, but we don't quite get one each
   month.

3. AOB

   Oxford - Ewan has SE hd node down for reinstall; all pool nodes
   upgraded on Sl6-7.  Has the schema changed with the DPM upgrade?
   Sam thinks there is only unused things in the schema being used
   - directory size - so should be safe.


Ewan Mac Mahon: (02/03/2016 10:03:39)
I think we just need to spin this as "we're running a stable service"
The DPM xrootd is, of course, very nearly the same xrootd.
Gareth Douglas Roy: (10:07 AM)
Oh sorry got confused, my mistake...
Ewan Mac Mahon: (10:07 AM)
It's tweaked, it's not an independent implementation.
Gareth Douglas Roy: (10:07 AM)
thought it was virtualised
Ewan Mac Mahon: (10:13 AM)
We really should make this not firewalling the sodding storage thing an actual policy.
So, hands up who's a total numty and firewalls their storage?
:-)
Matt Doidge: (10:14 AM)
Me! Never had a problem with it.
(by firewalling I mean iptables on the nodes)
Paige Winslowe Lacesso: (10:14 AM)
Bristol's StoRM SE was sort of outside fw (only ports <1024 blocked by Uni, had to ask for any openings), but new dmlite is def behind Uni fw, have to ask for any openings at all.
raul: (10:14 AM)
Brunel has always run behing the university firewall
John Hill: (10:14 AM)
We don't
Duncan Rand: (10:15 AM)
RHUL not.
raul: (10:15 AM)
Always. No problems. We get 18Gbps
Duncan Rand: (10:15 AM)
IC not
Matt Doidge: (10:15 AM)
We go through a site firewall that IIRC does nothing for us.
(so we're technically outside of it).
Ewan Mac Mahon: (10:17 AM)
There's two kinds of 'outside' here though - one of the reasons that the Oxford grid subnet is outside the Physics dept firewall is for the grid's benefit, the other is so that the grid WNs are considered external to the departmental machines - we don't want them being considered as in any way trusted or internal.
It's a better security design as well as being faster.
Marcus Ebert: (10:18 AM)
For ECDF, the only thing that is firewall blocked is port22, everything else was handed over to us to make sure we only have ports open that we need
Daniel Peter Traynor: (10:19 AM)
http://fasterdata.es.net/science-dmz/
Ewan Mac Mahon: (10:19 AM)
The one thing they chose to block was SSH? That's an, er, unusual, choice.
Daniel Peter Traynor: (10:19 AM)
the surgestion from janet is a science dmz
Marcus Ebert: (10:19 AM)
yeah...
Matt Doidge: (10:19 AM)
That's what we're looking at at Lancaster
Samuel Cadellin Skipsey: (10:20 AM)
Ewan: that might be historical, I think
Daniel Peter Traynor: (10:22 AM)
https://www.jisc.ac.uk/rd/projects/janet-end-to-end-performance-initiative
Paige Winslowe Lacesso: (10:23 AM)
That would be Bristol!
Daniel Peter Traynor: (10:32 AM)
I belive Terry is going, chris W is giving a talk as well
Duncan Rand: (10:32 AM)
And Brian.
https://ggus.eu/index.php?mode=ticket_info&ticket_id=119013
raul: (10:36 AM)
problem?
Daniel Peter Traynor: (10:38 AM)
for posix file systems the supplied script does not output the required format for atlasgroupdisk (which lustre sites still have). I've asked them to provide a correted script as I'm not a regexpresion expert
Paige Winslowe Lacesso: (10:39 AM)
GOOD LUCK EWAN!
Ewan Mac Mahon: (10:40 AM)
Thanks.
Matt Doidge: (10:41 AM)
I'm hoping you have a boring, boring day.
Ewan Mac Mahon: (10:43 AM)
That's the hope. If it all goes to plan, and there are reasonable grounds to think it should, it should be a fairly quick and simple process.