dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogenous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

pool.mover.xrootd.security.tls.mode default setting break pool nodes without host certificate #7130

Open ahaupt opened 1 year ago

ahaupt commented 1 year ago

We just upgraded dCache from 7.2 to latest 8.2.20 version. Pools without a host certificate did not come up afterwards - they crashed and were restarted all the time with errors like:

Apr 20 12:19:00 papaya03 dcache@papaya03Domain: 20 Apr 2023 12:19:00 (icecube-tier1-papaya03-0) [] Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'pool' defined in class path resource [org/dcache/pool/classic/pool.xml]: Cannot resolve reference to bean 'transfer-services' while setting bean property 'transferServices'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'transfer-services' defined in class path resource [org/dcache/pool/classic/pool.xml]: Cannot resolve reference to bean 'xrootd-transfer-service' while setting bean property 'factories' with key [TypedStringValue: value [Xrootd-2], target type [null]]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'xrootd-transfer-service' defined in class path resource [org/dcache/pool/classic/pool.xml]: Cannot create inner bean 'org.dcache.xrootd.spring.ChannelHandlerFactoryFactoryBean#372c5491' of type [org.dcache.xrootd.spring.ChannelHandlerFactoryFactoryBean] while setting bean property 'sslHandlerFactories'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.dcache.xrootd.spring.ChannelHandlerFactoryFactoryBean#372c5491': FactoryBean threw exception on object creation; nested exception is java.io.FileNotFoundException: /etc/grid-security/hostkey.pem (No such file or directory)
Apr 20 12:19:00 papaya03 dcache@papaya03Domain: 20 Apr 2023 12:19:00 (System) [] Failure at startup: (666) URL [file:/usr/share/dcache/services/pool.batch]: line 135: (3) Failed to create bean 'pool' : /etc/grid-security/hostkey.pem (No such file or directory)

@christianvoss did point me to the dcache.conf setting:

pool.mover.xrootd.security.tls.mode=OFF

which is needed now to run a pool without a host cert. This should be at least documented prominently somewhere, I guess. Maybe even think about changing the default or make it dependent on other hostcert-related settings?

Cheers, Andreas
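A small preflight check for pool nodes, added here as an illustration and not part of dCache or of this report: it parses the `pool.mover.xrootd.security.tls.mode` setting out of `dcache.conf` and compares it with whether a host credential is actually present, so the mismatch described above is caught before the domain is restarted, and the opposite case (TLS switched OFF on a node that does have a certificate, leaving xrootd transfers unencrypted) is flagged as well. Assumptions, labelled in the code: the config lives at `/etc/dcache/dcache.conf`, the certificate sits beside the key as `/etc/grid-security/hostcert.pem`, and any value other than `OFF` (including the unset default) makes the mover load the host key at startup, which is the behaviour the error above shows.

```python
"""Preflight check: does a pool's xrootd TLS mode match its host credential?

Added example, not dCache's own code. Status values: OK, WARN, FAIL.
"""
import sys
from pathlib import Path

# Property and key path exactly as they appear in the issue report.
TLS_MODE_KEY = "pool.mover.xrootd.security.tls.mode"
HOSTKEY_PATH = Path("/etc/grid-security/hostkey.pem")
# Assumed: the matching certificate lives beside the key under the usual name.
HOSTCERT_PATH = Path("/etc/grid-security/hostcert.pem")
# Assumed location of the site-wide configuration file.
DCACHE_CONF = Path("/etc/dcache/dcache.conf")


def parse_properties(text: str) -> dict:
    """Parse key=value lines in the dcache.conf style.

    Blank lines and '#' comments are ignored, the first '=' splits key from
    value, surrounding whitespace is stripped, later keys override earlier ones.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; skip rather than guess
        props[key.strip()] = value.strip()
    return props


def check_pool_tls(props: dict, hostkey_present: bool, hostcert_present: bool) -> tuple:
    """Classify the TLS-mode / credential combination of one pool node.

    Assumption: every value other than OFF (including the unset default) makes
    the xrootd mover read the host key at startup, as the reported stack trace shows.
    """
    mode = props.get(TLS_MODE_KEY, "").upper()
    credential_ok = hostkey_present and hostcert_present
    if mode == "OFF":
        if credential_ok:
            return ("WARN", f"{TLS_MODE_KEY}=OFF although a host credential exists; "
                            "xrootd transfers on this pool will run unencrypted")
        return ("OK", f"{TLS_MODE_KEY}=OFF and no host credential: pool will start; "
                      "note that xrootd transfers are unencrypted on this node")
    shown = mode or "<unset, dCache default>"
    if not credential_ok:
        return ("FAIL", f"{TLS_MODE_KEY} is {shown} but {HOSTKEY_PATH} or "
                        f"{HOSTCERT_PATH} is missing: the pool domain will fail at startup")
    return ("OK", f"{TLS_MODE_KEY} is {shown} and the host credential is present")


def check_node(conf_text: str, hostkey_present: bool, hostcert_present: bool) -> tuple:
    """Parse the configuration text and run the check; returns (status, message)."""
    return check_pool_tls(parse_properties(conf_text), hostkey_present, hostcert_present)


# Constructed samples (not real site configs): the situation from the report,
# and the same node with the setting the report says is needed.
SAMPLE_BROKEN = """\
# dcache.conf, constructed sample: TLS mode left at its default
dcache.layout=papaya03
"""
SAMPLE_FIXED = """\
# dcache.conf, constructed sample: TLS explicitly switched off for this pool
dcache.layout=papaya03
pool.mover.xrootd.security.tls.mode =  OFF
"""

if __name__ == "__main__":
    if DCACHE_CONF.exists():
        # Real node: read the live config and look for the credential files.
        cases = [(DCACHE_CONF.read_text(), HOSTKEY_PATH.exists(), HOSTCERT_PATH.exists())]
    else:
        # Offline demo: a node without a host credential, before and after the fix.
        cases = [(SAMPLE_BROKEN, False, False), (SAMPLE_FIXED, False, False)]
    worst = 0
    for text, key_ok, cert_ok in cases:
        status, msg = check_node(text, key_ok, cert_ok)
        print(f"{status}: {msg}")
        worst = max(worst, 1 if status == "FAIL" else 0)
    sys.exit(worst)
```

Run it on the pool host before restarting the domain; a non-zero exit means the combination will reproduce the `FileNotFoundException` above, and a WARN is the case worth a second look from a security standpoint, since it means a node that could offer TLS has it switched off.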

kofemann commented 1 year ago

It is in the Incompatibility changes section of 8.1 release.

https://www.dcache.org/old/downloads/1.9/release-notes-8.1.shtml

alrossi commented 1 year ago

Hi Andreas,

I don't believe turning on TLS contingent upon the presence of a host cert is correct (it should be the other way around).

I will bring up the default with the team again.

Al

ahaupt commented 1 year ago

It is in the Incompatibility changes section of 8.1 release.

https://www.dcache.org/old/downloads/1.9/release-notes-8.1.shtml

Hi Tigran,

You're right. I just checked the "Golden Release" notes. It was mentioned several times at dCache workshops that one should not do that but read all of the in-between notes as well; I remember now again :-)