ICE known issue related to proxy renewal

This issue affects ICE when proxy renewal is activated by the specification of the MyProxyServer attribute in the submitted JDL (if the attribute is not present or its value is an empty string ("") the issue doesn't occur).

The issue consists of a crash of the ICE process, triggered by an uncaught exception raised by the function boost::match. This boost::match function is invoked to validate the MyProxy endpoint. We've seen some particular hexadecimal strings that, if specified as the MyProxy address, cause the exception to be raised. Examples of these strings are:

b6f0a29ae27c61a8a04bd0ca3eb2c514
adf8ea9c420e48b67c8fcffa8ebce72f
f6492d99eec8abad9fdcf3ea8c521407

We've also noted that if a domain is appended to those strings (e.g. f6492d99eec8abad9fdcf3ea8c521407.mydomain.ch) boost::match doesn't raise any exception.

This last observation leads directly to an immediate workaround that the admin can apply to ICE's database.

Before applying the workaround the admin must make sure the crash has been triggered by the "funny" MyProxy server strings. To do this the site admin has to grep for the last VersionID string in ICE's log files (/var/log/wms/ice.log[.1-10]). VersionID is printed when ICE starts. If the last log line before VersionID looks like the following, the crash was triggered by such a string:

2012-07-19 08:38:39,234 DEBUG - iceCommandDelegationRenewal::renewAllDelegations() - Contacting MyProxy server [e0b8a4bb6d7bde9ae73415710b7d5fa4] for user dn [<OMITTED>] with proxy certificate [/var/ice/persist_dir/C4D0B164B28D48AE01906393113A299F56078279.betterproxy] to renew it...

The workaround consists of modifying that string "e0b8a4bb6d7bde9ae73415710b7d5fa4" by appending a domain name (which can even be fake).

The workaround is applied by a script generated by the following chain of commands:

sqlite3 /var/ice/persist_dir/ice.db "select myproxyurl from delegation where myproxyurl not like '%.%';" | grep -v '^$' | gawk '{print "sqlite3 /var/ice/persist_dir/ice.db \"update delegation set myproxyurl=\x27"$0".cern.ch\x27 where myproxyurl=\x27"$0"\x27;\""}' > script.sh

Then add the header #!/bin/sh at the beginning of the file script.sh and change its permissions: chmod 744 script.sh. Then run it.
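An alternative way to apply the same update, as an added example that is not part of the original page or of the ICE code: it makes the change with parameterized SQL in one transaction, so the stored MyProxy values (which come from user-submitted JDL) are never interpolated into a generated shell script. The function names, the default domain, the minimal demo schema and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

def append_domain(conn, domain="cern.ch", dry_run=True):
    """Append .<domain> to every non-empty myproxyurl that contains no dot.

    Returns the (old, new) pairs; writes them only when dry_run is False.
    """
    # The domain is the only operator-supplied value: accept hostname characters only.
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", domain):
        raise ValueError("unexpected characters in domain: %r" % domain)
    # Same selection as the page's command: no dot, not empty.
    rows = conn.execute(
        "SELECT DISTINCT myproxyurl FROM delegation "
        "WHERE myproxyurl NOT LIKE '%.%' AND myproxyurl <> ''"
    ).fetchall()
    changes = [(old, old + "." + domain) for (old,) in rows]
    if not dry_run:
        with conn:  # single transaction: all rows change or none do
            conn.executemany(
                "UPDATE delegation SET myproxyurl = ? WHERE myproxyurl = ?",
                [(new, old) for old, new in changes],
            )
    return changes

def demo():
    """Run the fix on a constructed in-memory table (not a real ice.db)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE delegation (myproxyurl TEXT)")  # assumed minimal schema
    conn.executemany("INSERT INTO delegation VALUES (?)", [
        ("f6492d99eec8abad9fdcf3ea8c521407",),              # bare string from the page
        ("f6492d99eec8abad9fdcf3ea8c521407.mydomain.ch",),  # already has a domain
        ("",),                                               # proxy renewal not used
        ("it's-odd",),                                       # constructed: contains a quote
    ])
    append_domain(conn, dry_run=False)
    return sorted(r[0] for r in conn.execute("SELECT myproxyurl FROM delegation"))

if __name__ == "__main__":
    for value in demo():
        print(repr(value))
```

Against the real database, pass sqlite3.connect("/var/ice/persist_dir/ice.db") and call the function once with dry_run=True to review the pairs before writing them.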

-- AlviseDorigo - 2012-07-19

Topic revision: r1 - 2012-07-19 - AlviseDorigo
 