[Discuss] Globus retirement considerations in WLCG
Maarten Litmaath
Maarten.Litmaath at cern.ch
Mon Apr 20 23:15:05 CEST 2020
Hi Mischa, all,
thanks for that detailed reply!
I have started summarizing the various considerations here:
https://twiki.cern.ch/twiki/bin/view/LCG/GlobusRetirement
Please check it out and let me know if something needs to be
added or changed, or update the page yourself and let us know.
If you do not have a CERN account, you can get one as follows:
https://twiki.cern.ch/twiki/bin/view/LCG/WLCGExternalAccounts
________________________________________
From: Mischa Salle [msalle at nikhef.nl]
Sent: 20 April 2020 10:19
To: Maarten Litmaath via discuss
Cc: Brian Hua Lin; Maarten Litmaath
Subject: Re: [Discuss] Globus retirement considerations in WLCG
Hi all,
On Tue, Apr 07, 2020 at 10:00:23PM +0000, Maarten Litmaath via discuss wrote:
> Hi Brian, all,
> it is good that we still have more than 1.5 years to sort things out, thanks!
>
> My main concern is with MyProxy: I suspect WLCG and/or various other
> communities we care about will still be needing it beyond that time frame.
>
> We probably will need to revisit this business in the course of next year.
I think there are several separate issues we have to keep in mind:
- first of all, many especially smaller communities in Europe will
probably not easily move from proxy certs to some form of tokens.
- There are several parts of the gridcf that are still quite widely used
I think:
- gridftp (server and client)
- myproxy
- gsi-openssh
plus several of the gsi-based libraries that are dependencies for
tools like LCMAPS and probably others.
In particular the client tools need to be supported until all the
relevant services are no longer using (only) proxies.
- I actually don't know how the ARC-CE is doing things, and whether they
have plans to move away from certificates. If not, that most probably
requires support for (part of) the gct.
I doubt that we can expect all these dependencies to be solved before
January 2022, but perhaps I'm too pessimistic.
Concerning support, I think one of the bigger problem is that we'll at
some point need to patch to accept TLS1.3 (and higher), which is less
trivial than just doing minor updates. Several tools can be made gct
free (such as most of LCMAPS and myproxy) but that also would take
effort.
Mischa
>
> ________________________________________
> From: Brian Lin [blin at cs.wisc.edu]
> Sent: 07 April 2020 21:18
> To: discuss at gridcf.org
> Cc: Maarten Litmaath
> Subject: Re: [Discuss] Globus retirement considerations in WLCG
>
> Hi Maarten,
>
> FWIW, with the current OSG timeline, the OSG will continue to support
> the GCT until January 2022 so that's the earliest you can expect OSG
> effort to drop off.
>
> As for MyProxy, Dave Dykstra has been investigating HashiCorp's Vault,
> which seems like it could be a token-based replacement and hopefully
> that would require less effort than removing the GSI dependencies.
>
> Thanks,
> Brian
>
> On 4/7/20 12:28 PM, Maarten Litmaath via discuss wrote:
> > Hi all,
> > does anyone have comments / thoughts about this matter? Thanks!
> >
> > ________________________________________
> > From: discuss [discuss-bounces at gridcf.org] on behalf of Maarten Litmaath via discuss [discuss at gridcf.org]
> > Sent: 30 March 2020 22:45
> > To: discuss at gridcf.org
> > Cc: Maarten Litmaath
> > Subject: [Discuss] Globus retirement considerations in WLCG
> >
> > Dear Grid Community Forum,
> > in the WLCG Management Board meeting of March 17 there was a discussion about
> > a possible retirement timeline for the remaining WLCG dependencies on Globus:
> >
> > https://indico.cern.ch/event/870359/#9-globus-retirement-planning
> >
> > Prompted by the plans and timelines that already exist in OSG:
> >
> > https://opensciencegrid.org/technology/policy/gridftp-gsi-migration/
> >
> > For WLCG, removing the dependency on GridFTP is being tackled in the TPC WG
> > of the DOMA project:
> >
> > https://twiki.cern.ch/twiki/bin/view/LCG/ThirdPartyCopy
> >
> > Currently, GridFTP is also being used for job submissions to CREAM instances,
> > which should all be gone by the end of this year, and ARC CE instances,
> > which already support HTTPS as an alternative.
> >
> > While it looks viable for WLCG not to depend on GridFTP by the end of 2021,
> > can we actually remove Globus as a build dependency from the various storage
> > service implementations (which ones?) that currently make use of it?
> >
> > Also taking into account that other communities may be unable to replace
> > X509 certificates with tokens as "quickly" as WLCG hopes to do, implying
> > there may need to remain code in the affected implementations that is able
> > to deal with X509 somehow?
> >
> > Next we come to GSI. Besides its use in conjunction with GridFTP and SRM,
> > WLCG has a critical dependency on it through MyProxy! For as long as we
> > need the latter, I suspect it would not be a big deal to support GSI in
> > addition, but it would be nicer if MyProxy were made independent of it...
> >
> > Next we come to the Grid CF build infrastructure: what would be the plan
> > for when it can no longer make use of OSG effort or resources?
> >
> > What are your thoughts about these matters? Was anything missed? Thanks!
> >
> > _______________________________________________
> > discuss mailing list
> > discuss at gridcf.org
> > https://mailman.egi.eu/mailman/listinfo/discuss
> >
> > _______________________________________________
> > discuss mailing list
> > discuss at gridcf.org
> > https://mailman.egi.eu/mailman/listinfo/discuss
>
>
> _______________________________________________
> discuss mailing list
> discuss at gridcf.org
> https://mailman.egi.eu/mailman/listinfo/discuss
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
More information about the discuss
mailing list