Tools box
From PRAGMAgridWIKI
CA files installation and update
Install and update from IGTF distribution
- Download the accredited installation bundle igtf-policy-installation-bundle-<version>.tar.gz from https://dist.eugridpma.info/distribution/igtf/current/accredited
- Execute the following commands as any user:
 $ gunzip -c igtf-policy-installation-bundle-<version>.tar.gz | tar xvf -
 $ cd igtf-policy-installation-bundle-<version>
 $ ./configure --with-profile=classic
 NOTE: for multiple profiles, use multiple --with-profile arguments, as in:
 $ ./configure --with-profile=classic --with-profile=slcs
- Become superuser and execute the actual install:
 # cd <path>/igtf-policy-installation-bundle-<version>
 # make install
- Find obsolete CA files. For example, assuming the current bundle version is 1.24 and that the non-IGTF CAs have no .info files, run:
 $ grep version /etc/grid-security/certificates/*.info | grep -v '1\.24'
- This prints the hash and version line of every obsolete IGTF CA. Examine the list before removing those CAs' files from the /etc/grid-security/certificates directory.
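The obsolete-file step above, written out as an added example (not a script from the page or from IGTF): it compares the "version = ..." line of each .info file exactly against the current bundle version, skips .info files that carry no version line (the non-IGTF PRAGMA CAs), and lists every file that belongs to a flagged hash so the administrator can review them before deleting. The directory and the CA hashes in the self-test are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the page: the "find obsolete CA files" step as a
# function with an exact version comparison, plus a helper that lists every
# file belonging to one CA hash so it can be reviewed before removal. Only
# .info files carrying a "version = ..." line (IGTF ones) are compared; the
# non-IGTF PRAGMA .info files, which have none, are skipped.

# $1 = certificates directory, $2 = current bundle version (e.g. 1.24).
# Prints "<hash> <version>" for every IGTF .info whose version differs.
find_obsolete_info() {
    dir=$1; current=$2
    for f in "$dir"/*.info; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^version[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
        [ -n "$v" ] || continue                  # no version line: not IGTF
        [ "$v" = "$current" ] || echo "$(basename "$f" .info) $v"
    done
}

# $1 = certificates directory, $2 = CA hash: list the files to review before
# removal (IGTF ships <hash>.0 .pem .info .signing_policy .namespaces .crl_url).
ca_files_for_hash() {
    for f in "$1"/"$2".*; do
        [ -e "$f" ] && echo "$f"
    done
}

# Self-test on constructed files in a temporary directory (the hashes and
# CA names are invented for the demo, not real IGTF entries).
demo() {
    d=$(mktemp -d)
    printf 'alias = CurrentCA\nversion = 1.24\n' > "$d/aaaa1111.info"
    printf 'alias = OldCA\nversion = 1.23\n'     > "$d/bbbb2222.info"
    printf 'alias = PragmaCA\nstatus = pragma\n' > "$d/cccc3333.info"
    for ext in 0 pem signing_policy; do : > "$d/bbbb2222.$ext"; done
    obsolete=$(find_obsolete_info "$d" 1.24)
    n=$(ca_files_for_hash "$d" bbbb2222 | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$obsolete|$n"          # bbbb2222 1.23|4
}
```

On a real host call `find_obsolete_info /etc/grid-security/certificates 1.24`, then `ca_files_for_hash /etc/grid-security/certificates <hash>` for each reported hash; the removal itself is deliberately left to the administrator, as the page advises.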
Install and update from non-IGTF PRAGMA certs distribution
For a clean install, fetch the latest bundle from https://goc.pragma-grid.net/secure/certificates/pragma-certs.tar.gz, then gunzip and untar it to get all non-IGTF PRAGMA CA files.
Currently, incremental updates are done by announcing each update request in the Update log and on the pragma-grid-team mailing list; site administrators then have to update the CA files by hand. When we move to the IGTF distribution standard in the future, this procedure will be updated.
Setup CRL auto-update
See https://dist.eugridpma.info/distribution/util/fetch-crl.
Check certificate expiration date - script by Nadya Williams
The CertTime script checks the expiration time (next update) of certificates and CRLs. The output is sorted and gives the number of days until the next update; a negative number of days means the certificate or CRL has already expired. The script can be run periodically by any user to monitor certificate expiry.
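The page does not reproduce the script itself. The following is an added example written here, not Nadya Williams' CertTime script, that performs the check as described: it reads notAfter (certificates) or nextUpdate (CRLs) with openssl, converts the date with GNU date, prints whole days remaining (negative when expired) and sorts the result. It assumes GNU date -d, CRLs named .r0 or .crl and certificates named .0 or .pem; the self-test generates its own short-lived certificate.

```shell
#!/bin/sh
# Added example, not the page's CertTime script: days until a certificate's
# notAfter or a CRL's nextUpdate, sorted most urgent first.
# Assumes GNU date (-d) and the hypothetical naming: CRLs end in .r0 or .crl,
# everything else is treated as a certificate.

# $1 = "notAfter=Jan  1 00:00:00 2030 GMT" style line as printed by openssl.
# Prints whole days from now until that time; negative if already past
# (integer division truncates toward zero, so "expired a few hours ago" is 0).
days_until() {
    when=${1#*=}
    target=$(date -u -d "$when" +%s)
    now=$(date -u +%s)
    echo $(( (target - now) / 86400 ))
}

# $1 = file: prints "<days> <file>" for a certificate or a CRL.
expiry_line() {
    case $1 in
        *.r0|*.crl) line=$(openssl crl -noout -nextupdate -in "$1") ;;
        *)          line=$(openssl x509 -noout -enddate -in "$1") ;;
    esac
    echo "$(days_until "$line") $1"
}

# $@ = files; one line each, sorted numerically so expired and
# soon-to-expire entries come first.
report() {
    for f in "$@"; do expiry_line "$f"; done | sort -n
}

# Self-test: a throwaway self-signed certificate valid for 30 days should
# report 29 or 30 days left depending on the clock.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=expiry-demo' \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
    days=$(expiry_line "$d/cert.pem" | cut -d ' ' -f 1)
    rm -rf "$d"
    echo "$days"
}
```

Typical use on a grid host is `report /etc/grid-security/certificates/*.0 /etc/grid-security/certificates/*.r0` from a daily cron job, piping the top of the list into mail.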
SGE job termination script and setup by Blair Bethwaite
When SGE kills a job, e.g. at user or admin request (this includes kill requests via Globus), the default behaviour is that it simply sends a SIGKILL to the process leader (the job script). In many cases this is inappropriate because it does not give jobs the chance to clean up, particularly if they have forked children. Fortunately, there are configuration options which let you change the default behaviour. Below I've included an example of a "terminate method" script. You can configure your SGE queues to use it as the terminate method.
SGE job termination script setup
- Copy the script (see below) to a file, for example <SGE-install-directory>/utilbin/custom-terminate.sh, and make it executable.
- Run "qconf -mq <qname>" and edit the line for "terminate_method" to
terminate_method <SGE-install-directory>/utilbin/custom-terminate.sh $job_pid $job_owner
The change will take effect for jobs submitted thereafter.
SGE job termination script
####################################
#!/bin/bash
# Use this script as the termination method for SGE queues rather than the
# default, which just sends SIGKILL and therefore does not give jobs that have
# forked worker children the chance to kill them.
# The terminate_method of the queue config can pass in other arguments to
# variations of this script, such as $job_owner $queue $host
if [ $# -ne 2 ] ; then
    echo "Usage: $0 job_pid job_owner"
    exit 1
fi
job_pid=$1
job_owner=$2
# Try to kill the whole session: the session leader is the shell executing
# the job script, so everything it forked (and did not detach with setsid)
# shares its session id. Fall back to the leader alone if pkill matched nothing.
pkill -s "$job_pid"
if [ $? -ne 0 ] ; then
    kill "$job_pid"
fi
# cleanup grace period before escalating to SIGKILL
sleep 10
pkill -9 -s "$job_pid"
if [ $? -ne 0 ] ; then
    kill -9 "$job_pid"
fi
# Check for detached children that were not killed with the session.
# Left commented out: it kills every process of the owner that has been
# reparented to PID 1, including ones from the same user's other jobs on
# this node, so sanity check the owner first before enabling it.
#if [ "$job_owner" = "root" ] ; then
#    exit
#else
#    # look for processes belonging to the user with PPID 1
#    pgrep -u "$job_owner" -P 1
#    det=$?
#    while [ $det -eq 0 ] ; do
#        pkill -9 -u "$job_owner" -P 1
#        sleep 2
#        pgrep -u "$job_owner" -P 1
#        det=$?
#    done
#fi
####################################
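To see the problem the terminate script addresses, here is an added example (not part of the script above or of SGE): a fake "job" is started as a session leader that forks two workers; SIGKILL to the leader alone, which is what the default does, leaves the workers running, while pkill -s on the session id, which is what the script does, removes them. It assumes Linux with procps (ps, pkill) and util-linux setsid; the job and its workers are constructed for the demo.

```shell
#!/bin/bash
# Added example, not the page's terminate script: show why SIGKILL to the
# job's process leader alone leaves forked children running, and that killing
# the whole session (pkill -s) does not. Assumes Linux with procps and setsid.

# Number of live (non-zombie) processes whose session id is $1.
live_in_session() {
    ps -e -o sid= -o stat= | awk -v s="$1" '$1 == s && $2 !~ /^Z/ { n++ } END { print n + 0 }'
}

# Start the fake job in its own session; its pid is the session id.
# From a non-interactive script the backgrounded child is not a process group
# leader, so setsid does not fork and $! is the new session leader.
start_fake_job() {
    setsid bash -c 'sleep 300 & sleep 300 & wait' </dev/null >/dev/null 2>&1 &
    FAKE_JOB_SID=$!
    sleep 1                                      # let the workers start
}

# Prints "<before> <after leader killed> <after session killed>".
demo() {
    start_fake_job
    sid=$FAKE_JOB_SID
    before=$(live_in_session "$sid")             # leader + 2 workers = 3

    kill -9 "$sid"                               # what the SGE default does
    wait "$sid" 2>/dev/null || true              # reap the dead leader
    sleep 1
    after_leader=$(live_in_session "$sid")       # orphaned workers survive = 2

    pkill -9 -s "$sid" || true                   # what the terminate script does
    sleep 1
    after_session=$(live_in_session "$sid")      # nothing left = 0

    echo "$before $after_leader $after_session"
}
```

Workers that call setsid themselves leave the session and are not caught by this; that is the case the commented-out "PPID 1" sweep in the script is meant for.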
Debian OpenSSL vulnerability info and check
Sites using NAREGI CA software are NOT affected, since NAREGI CA software does not use the Debian system's random number generator. Other sites should check all issued certificates. CAs should also check the key in every future CSR against the blacklist before signing it.
Below is a script to check issued certificates. The blacklist can be downloaded from http://www.lysator.liu.se/~kent/ob/openssl-blacklist-0.1%2bkent-0.2.tar.gz.
Script to check issued certificates
#!/bin/sh
# Run in the directory holding the issued certificates as <serial>.pem, with
# the blacklist unpacked under /tmp. For each certificate derive the
# openssl-blacklist key (the 20 hex characters from position 21 of the SHA-1
# of "openssl x509 -modulus" output), look it up in the 1024- and 2048-bit
# blacklists, and print serial, CA tag and subject DN of every hit.
for f in *.pem ; do
    tag=`openssl x509 -noout -modulus -in "$f" | sha1sum | cut -d ' ' -f 1 | cut -c21-41` ;
    serial=`basename "$f" .pem` ;
    if [ `grep -Fc "$tag" \
           /tmp/openssl-blacklist-0.1+kent-0.2/blacklist.RSA-1024` \
         -ne 0 -o \
         `grep -Fc "$tag" \
           /tmp/openssl-blacklist-0.1+kent-0.2/blacklist.RSA-2048` \
         -ne 0 ] ; then
        dn=`openssl x509 -noout -subject -in "$f" | sed -e 's/subject= //'` ;
        caid=`awk '/Tag:/ { print $NF }' "$f"` ;   # CA-specific "Tag:" metadata line in the file
        echo "$serial $caid $dn" ;
    fi ;
done
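The script above covers already-issued certificates; the page also says CAs should check incoming CSRs. As an added example (not the page's script), the same blacklist key derivation applied to either a certificate or a CSR, with a lookup that returns a usable exit status. It assumes the blacklist files are passed in as arguments; the self-test generates its own key, uses an empty constructed blacklist and then one seeded with that key's own tag, and confirms that a certificate signed from the CSR yields the same tag as the CSR.

```shell
#!/bin/sh
# Added example, not the page's script: derive the openssl-blacklist lookup
# key for a certificate *or* a CSR and test it against blacklist files. The key
# is the page's derivation: characters 21-40 of sha1 over the "Modulus=<hex>"
# line printed by "openssl x509|req -noout -modulus". Blacklist file names
# below are whatever the caller passes in (hypothetical in the self-test).

# $1 = x509 or req, $2 = PEM file. Prints the 20-hex-char blacklist key.
blacklist_tag() {
    openssl "$1" -noout -modulus -in "$2" | sha1sum | cut -d ' ' -f 1 | cut -c21-40
}

# $1 = tag, $2.. = blacklist files (e.g. blacklist.RSA-1024 blacklist.RSA-2048).
# Returns 0 if the tag appears in any readable file, 1 otherwise.
is_blacklisted() {
    t=$1; shift
    for bl in "$@"; do
        [ -r "$bl" ] || continue
        grep -qF "$t" "$bl" && return 0
    done
    return 1
}

# $1 = CSR file, $2.. = blacklist files. Prints "OK <tag>" or "BLACKLISTED <tag>";
# a CA would refuse to sign on BLACKLISTED.
check_csr() {
    csr=$1; shift
    tag=$(blacklist_tag req "$csr")
    if is_blacklisted "$tag" "$@"; then
        echo "BLACKLISTED $tag"
    else
        echo "OK $tag"
    fi
}

# Self-test with a freshly generated key (constructed input, not a real CSR):
# empty blacklist, then a blacklist seeded with the key's own tag, then a
# check that cert and CSR of the same key give the same tag.
demo() {
    d=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=blacklist-demo' \
        -keyout "$d/key.pem" -out "$d/csr.pem" >/dev/null 2>&1
    openssl x509 -req -in "$d/csr.pem" -signkey "$d/key.pem" -days 1 \
        -out "$d/cert.pem" >/dev/null 2>&1
    : > "$d/blacklist.RSA-2048"
    r1=$(check_csr "$d/csr.pem" "$d/blacklist.RSA-2048")
    blacklist_tag req "$d/csr.pem" > "$d/blacklist.RSA-2048"
    r2=$(check_csr "$d/csr.pem" "$d/blacklist.RSA-2048")
    if [ "$(blacklist_tag x509 "$d/cert.pem")" = "$(blacklist_tag req "$d/csr.pem")" ]; then
        same=same
    else
        same=different
    fi
    rm -rf "$d"
    echo "${r1%% *} ${r2%% *} $same"             # OK BLACKLISTED same
}
```

Because the tag depends only on the modulus, the same `blacklist_tag` call works for the CA's issued certificates, for CSRs awaiting signature and for bare keys (with `rsa` in place of `x509`/`req`).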
