Closed chrisburr closed 1 year ago
@arrabito @andresailer @hmiyake @atsareg @marianne013 with this PR we will:
We need your "OK" before continuing.
For our internal discussion in Belle2, what will be incompatible with v7r2 python3 client?
> For our internal discussion in Belle2, what will be incompatible with v7r2 python3 client?
Anything involving RPC or proxies (i.e. everything). The fix for it is https://github.com/DIRACGrid/DIRAC/pull/6645.
Thank you so much! I understand what will happen with coming DIRACOS2 releases...
We are using rel 8.0.5 in production, so it's fine for us wrt breaking v7r2 python3 releases. Concerning DB, it seems that it's also fine for us. We have 2 DB servers with MariaDB 10.6.8 and 1 with MariaDB 10.4.2.
The last point you mentioned is using TLS. How can I check that?
Thank you.
> The last point you mentioned is using TLS. How can I check that?
@arrabito If you connect with the mysql CLI and run status you should see a line like this if you're using TLS:
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
You can also check which TLS versions the server is configured to allow using:
mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| tls_version   | TLSv1.2,TLSv1.3 |
+---------------+-----------------+
1 row in set (0.01 sec)
> Thank you so much! I understand what will happen with coming DIRACOS2 releases...
@hmiyake Does this mean that it's okay for us to break v7r2 support from your perspective? Or would it be preferable to re-open https://github.com/DIRACGrid/DIRAC/pull/6645?
@chrisburr thank you. So I've just tried and I get:
MariaDB [(none)]> status
--------------
mysql Ver 15.1 Distrib 5.5.68-MariaDB, for Linux (x86_64) using readline 5.1
Connection id: 140685194
Current database:
Current user: cta_dirac@134.158.240.241
SSL: Not in use
.....
which seems to indicate that we don't use TLS, right?
Even if I also get:
mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+-------------------------+
| Variable_name | Value                   |
+---------------+-------------------------+
| tls_version   | TLSv1.1,TLSv1.2,TLSv1.3 |
+---------------+-------------------------+
1 row in set (0.01 sec)
Thank you.
@chrisburr No, that was not the final answer to your original question...just wanted to consider our solutions. I've informed my colleagues of this situation and the possible scenario...could you wait a bit? At the latest we will answer during next week.
If re-opening #6645 is one of the options, that's reassuring...of course it should be a kind of last resort...for example when a severe security issue occurs in existing DIRACOS2...
By the way, when is the earliest date you will switch to OpenSSL3? Just after all VOs agreed?
@arrabito Yup, that looks all good so you shouldn't have any issues. Thanks for checking! 😄
> By the way, when is the earliest date you will switch to OpenSSL3? Just after all VOs agreed?
As soon as possible. Since yesterday conda-forge is no longer building against OpenSSL 3 so we can't update any packages until we switch.
I'm sorry to have kept you waiting...we concluded to give a green light to drop v7r2 support from DIRACOS2.
Just to be sure, do you think we can deploy v7r2 with existing DIRACOS2 (i.e. 2.31-), even after OpenSSL3 DIRACOS2 is released? Naively we can take the package from https://github.com/DIRACGrid/DIRACOS2/releases, but I wonder if we have any pitfall...
In any case, we agreed to move on to the supported v7.3 and v8.0 as soon as possible.
Thanks for looking into it and confirming 😄
> Naively we can take the package from https://github.com/DIRACGrid/DIRACOS2/releases, but I wonder if we have any pitfall...
Yes you can, the only catch is that you're stuck on the current release. (Though you could use micromamba to change versions of specific packages if you really needed to.)
Thank you for the prompt confirmation! I see, then we will use 2.30 by default...
BEGINRELEASENOTES
CHANGE: Use OpenSSL 3.0.0
CHANGE: Use latest mysql client. This will break the use of TLS with servers older than MySQL v5.7.10+ (MariaDB 5.5.41+/MariaDB 10.0.15+). See https://github.com/DIRACGrid/DIRACOS2/pull/95.
CHANGE: Use latest arc client libs
ENDRELEASENOTES
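
The TLS check discussed in the thread above (the `SSL:` line of `status`, plus the server's `tls_version` variable), as an added example that is not part of the original discussion or of DIRACOS2: a small Python parser over saved mysql CLI output that keeps "what this session uses" separate from "what the server allows". The sample outputs, user name and address are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample outputs, shaped like the ones quoted in the thread.
STATUS_TLS = """Connection id:   42
Current user:    example_user@192.0.2.10
SSL:             Cipher in use is TLS_AES_256_GCM_SHA384
"""
STATUS_PLAIN = STATUS_TLS.replace("Cipher in use is TLS_AES_256_GCM_SHA384", "Not in use")
TLS_VERSION_TABLE = """+---------------+-------------------------+
| Variable_name | Value                   |
+---------------+-------------------------+
| tls_version   | TLSv1.1,TLSv1.2,TLSv1.3 |
+---------------+-------------------------+
"""

def session_cipher(status_output):
    """Cipher named on the `SSL:` line of `status`; None when TLS is not in use."""
    for line in status_output.splitlines():
        found = re.match(r"\s*SSL:\s*(.*\S)\s*$", line)
        if not found:
            continue
        value = found.group(1)
        cipher = re.fullmatch(r"Cipher in use is (\S+)", value)
        if cipher:
            return cipher.group(1)
        if value.lower() == "not in use":
            return None
        raise ValueError(f"unrecognised SSL line: {line!r}")
    raise ValueError("no 'SSL:' line in status output")

def allowed_tls_versions(table_output):
    """Versions listed in the tls_version row of SHOW GLOBAL VARIABLES output."""
    for line in table_output.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] == "tls_version":
            return [v.strip() for v in cells[1].split(",") if v.strip()]
    raise ValueError("no tls_version row found")

def summarize(status_output, table_output):
    """Combine both checks: what this session uses vs. what the server allows."""
    cipher = session_cipher(status_output)
    return {"session_uses_tls": cipher is not None, "cipher": cipher,
            "server_allows": allowed_tls_versions(table_output)}

if __name__ == "__main__":
    for name, status in (("tls", STATUS_TLS), ("plain", STATUS_PLAIN)):
        print(name, summarize(status, TLS_VERSION_TABLE))
```

A server that lists TLS versions in `tls_version` can still be serving an unencrypted session, so the two results are reported separately rather than merged into one verdict.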