pool.mover.xrootd.security.tls.mode default setting breaks pool nodes without host certificate
We just upgraded dCache from 7.2 to the latest 8.2.20 version. Pools without a host certificate did not come up afterwards - they crashed and were restarted all the time with errors like:
Apr 20 12:19:00 papaya03 dcache@papaya03Domain: 20 Apr 2023 12:19:00 (icecube-tier1-papaya03-0) [] Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'pool' defined in class path resource [org/dcache/pool/classic/pool.xml]: Cannot resolve reference to bean 'transfer-services' while setting bean property 'transferServices'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'transfer-services' defined in class path resource [org/dcache/pool/classic/pool.xml]: Cannot resolve reference to bean 'xrootd-transfer-service' while setting bean property 'factories' with key [TypedStringValue: value [Xrootd-2], target type [null]]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'xrootd-transfer-service' defined in class path resource [org/dcache/pool/classic/pool.xml]: Cannot create inner bean 'org.dcache.xrootd.spring.ChannelHandlerFactoryFactoryBean#372c5491' of type [org.dcache.xrootd.spring.ChannelHandlerFactoryFactoryBean] while setting bean property 'sslHandlerFactories'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.dcache.xrootd.spring.ChannelHandlerFactoryFactoryBean#372c5491': FactoryBean threw exception on object creation; nested exception is java.io.FileNotFoundException: /etc/grid-security/hostkey.pem (No such file or directory)
Apr 20 12:19:00 papaya03 dcache@papaya03Domain: 20 Apr 2023 12:19:00 (System) [] Failure at startup: (666) URL [file:/usr/share/dcache/services/pool.batch]: line 135: (3) Failed to create bean 'pool' : /etc/grid-security/hostkey.pem (No such file or directory)
@christianvoss did point me to the dcache.conf setting:
pool.mover.xrootd.security.tls.mode=OFF
which is needed now to run a pool without a host cert. This should be at least documented prominently somewhere, I guess. Maybe even think about changing the default or making it dependent on other hostcert-related settings?
Cheers, Andreas
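An added example, not part of the original post and not dCache code: a pre-upgrade check a site could run on each pool node to catch the startup failure described above. The function names and the file paths passed in are assumptions; only the property name, the `OFF` value and the host key path come from the thread.

```shell
#!/bin/sh
# Print the effective value of a property in a key=value properties file
# ('#' starts a comment line); the last assignment wins. Prints nothing if unset.
get_prop() {    # $1 = property name, $2 = config file
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$2"
}

# Verdict for one pool node (hypothetical helper):
#   ok-tls-off        mode is explicitly OFF, so no host key is needed
#   ok-key-present    mode is not OFF and the host key is readable
#   fail-missing-key  mode is not OFF and there is no readable host key;
#                     this is the combination that stopped the pools in the thread
check_pool_tls() {    # $1 = config file, $2 = host key path
    mode=$(get_prop pool.mover.xrootd.security.tls.mode "$1")
    if [ "$mode" = "OFF" ]; then
        echo ok-tls-off
    elif [ -r "$2" ]; then
        echo ok-key-present
    else
        echo fail-missing-key
        return 1
    fi
}

# Constructed sample: a node with no host key where the setting is only commented out.
demo_dir=$(mktemp -d)
printf '%s\n' '#pool.mover.xrootd.security.tls.mode=OFF' > "$demo_dir/dcache.conf"
check_pool_tls "$demo_dir/dcache.conf" "$demo_dir/hostkey.pem" || true
# Same node after the fix from the thread is applied.
printf '%s\n' 'pool.mover.xrootd.security.tls.mode=OFF' >> "$demo_dir/dcache.conf"
check_pool_tls "$demo_dir/dcache.conf" "$demo_dir/hostkey.pem"
rm -rf "$demo_dir"
```

On a real node the arguments would be the site's own configuration file and `/etc/grid-security/hostkey.pem`; a non-zero exit status marks a node that needs either a host certificate or the `OFF` setting before the upgrade.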
It is in the Incompatibility changes section of 8.1 release.
https://www.dcache.org/old/downloads/1.9/release-notes-8.1.shtml
Hi Andreas,
I don't believe turning on TLS contingent upon the presence of a host cert is correct (it should be the other way around).
I will bring up the default with the team again.
Al
> It is in the Incompatibility changes section of 8.1 release.
> https://www.dcache.org/old/downloads/1.9/release-notes-8.1.shtml
Hi Tigran,
You're right. I just checked the "Golden Release" notes. It was mentioned some times at dCache workshops that one should not do that, but read all of the in-between notes as well. I remember now again :-)