Traceability & Isolation WG Vincent BRILLAULT, CERN/EGI-CSIRT GDB June 2016, CERN
Kick-off meeting (May Pre-GDB)
• Participation from all VOs, thanks!
• Main topics:
  – Review the current VO traceability & isolation
  – Learn from OSG recent work
GDB March 2015, Amsterdam, Vincent Brillault, CERN/EGI-CSIRT
Current traceability & isolation
• CMS: fully relies on glexec:
  – For isolation
  – For host-user matching (at sites)
  – For emergency suspension
  – No central collection of pilot logs (no manpower)
Any glexec replacement should provide:
• A drop-in isolation replacement
• A log collection infrastructure?
Current traceability & isolation
• ATLAS:
  – Has its own logging infrastructure
    • But lots of logs produced, hard to centrally process/search
  – No multi-user payload, only two modes:
    • One single job per pilot
    • Several jobs of the same user per pilot
  – No full pilot/user isolation
    • But pilot credentials are hidden, kept in memory only
Containers could fully isolate pilots
Current traceability & isolation
• ALICE:
  – Has its own logging infrastructure
  – No full pilot/user isolation
    • A user could theoretically steal pilot credentials
    • Currently working on cgroup/namespace isolation
Containers could fully isolate pilots
Current traceability & isolation
• LHCb:
  – Has its own logging infrastructure
  – Isolation: supports glexec, but not enabled
    • A malicious payload could subvert the system
  – Developing a fully isolated VM environment:
    • Full uid isolation between root, pilot & users
Containers could merge grid & cloud isolation designs
OSG investigations
• “If you add all the existing policy and technical requirements together, you get today’s glexec”
• Isolation is hard:
  – Unix relies on UIDs -> need a suid binary
  – Persistent storage can prevent UID re-use
  – Containers not mature enough
    • Especially concerning shared storage
• OSG User Separation without User Certificates
  – Still based on glexec
  – Can simplify glexec deployment
Next steps
• Evaluate VO logs
• Check unprivileged namespace support
  – Red Hat 7.2 seems to support part of it
  – Mount namespace missing?
  – Any critical piece missing?
• Next meeting, end of June:
  – https://foodl.org/foodle/WLCG-Traceability-Isolation-WG-574ee
  – Join us: https://e-groups.cern.ch/e-groups/Egroup.do?egroupId=10209515
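A shell probe for the "check unprivileged namespace support" item, added here as an example and not part of the WG's slides or tooling; it assumes the util-linux `unshare` binary is installed and is run as a normal (non-root) user.

```shell
#!/bin/sh
# Probe whether an unprivileged user can create user and mount namespaces,
# which is what a container-based pilot/user isolation scheme relies on.
# Added example, not from the WG slides; assumes util-linux `unshare`.

# Kernel switches that can turn unprivileged user namespaces off.
# Prints "disabled" when a known knob switches them off, "enabled" otherwise.
userns_sysctl_state() {
    # RHEL 7.x exposes user.max_user_namespaces (0 = disabled, the shipped default)
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] || { echo disabled; return; }
    fi
    # Debian/Ubuntu-style knob
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ] || { echo disabled; return; }
    fi
    echo enabled
}

# Try the real operation as the current user.
# $1 = unshare flags, e.g. "-U" (user ns) or "-U -m" (user + mount ns).
# Prints "yes" if the namespace(s) could be created, "no" otherwise.
probe_unshare() {
    if unshare $1 true 2>/dev/null; then echo yes; else echo no; fi
}

# The mount-namespace question from the slide: inside a new user+mount
# namespace (uid mapped to 0 with -r), a private tmpfs mount must succeed
# without touching the host's mount table. Prints "yes" or "no".
probe_private_mount() {
    if unshare -U -r -m sh -c 'mount -t tmpfs none /tmp' 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Human-readable summary of all probes.
namespace_report() {
    echo "userns sysctl state:         $(userns_sysctl_state)"
    echo "unshare -U (user ns):        $(probe_unshare -U)"
    echo "unshare -U -m (user+mount):  $(probe_unshare '-U -m')"
    echo "private tmpfs mount in ns:   $(probe_private_mount)"
}
```

Run `namespace_report` on a worker node; a "no" on the mount line with "yes" on the user-namespace line is the "mount namespace missing?" case the slide asks about.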
Thanks for your attention! Any questions?