Hi Erik,

Indeed, there was a bug in how the "xrd.allow" directive was handled. This 
was something that fell through the cracks when we added IPv6 support. The 
problem was that not all addresses associated with a host (specifically 
here IPv6 addresses) were added to the allow list. A patch has been 
submitted and should appear in release 4.2.0. The bypass until then is to 
change the entries such as "xrd.allow host xrootd.unl.edu" to be of the 
form "xrd.allow host *xrootd.unl.edu" (notice the addition of the 
asterisk). This will loosen security but probably not enough to matter.
The allow directive appears in the redirector you are connecting to so it 
will mean co-ordinating with whoever runs that redirector.

Andy

On Tue, 24 Feb 2015, Erik Gough wrote:

> Hello,
>
> We recently upgraded to xrootd 4.0.4 at Purdue and enabled IPv6 on our
> xrootd redirector and servers.  We see an issue where cmsd is unable to
> connect to xrootd.unl.edu (another IPv6 enabled redirector).  I attached
> our xrootd config.  We point to the FNAL redirector for AAA.
>
> If I simply restart xrootd/cmsd on our redirector, any connection from
> either the CERN or FNAL redirector ends with a '[3011] No servers are
> available to read the file'.
>
> In the cmsd log I see this repeated every few seconds:
> 150220 10:27:34 34373 Login: xrootd.unl.edu login failed; rejected
> 150220 10:27:34 34373 Remove completed xrootd.unl.edu manager 1.17
> 150220 10:27:34 34373 Manager: manager.0:[log in to unmask] removed; lost connection
>
> If I disable ipv6 on our redirector, cmsd will immediately connect to
> xrootd.unl.edu using ipv4.
>
> 150220 10:28:01 34373 Add xrootd.unl.edu to manager config; id=1
> 150220 10:28:01 34373 ManTree: Now connected to 2 root node(s)
> 150220 10:28:01 34373 Protocol: Logged into xrootd.unl.edu
>
> Then if I enable ipv6 and restart the network service I am able to do
> both v4/v6 transfers using both CERN/FNAL redirectors.
>
> It seems like for AAA access, there is a requirement for me to have a
> cmsd connection to xrootd.unl.edu and it does not work over IPv6.
>
> Before I do the disable/enable v6 thing, I do not see a connection open
> between Purdue and UNL.  I do see an ipv4 one between Purdue and FNAL
> without intervention on my part.
>
> After I disable/enable v6, I see this and things start working.
>
> cmsd      26416  xrootd   23u  IPv4 2179617      0t0  TCP xrootd.rcac.purdue.edu:47154->xrootd.unl.edu:mpc-lifenet (ESTABLISHED)
>
> If the UNL redirector gets restarted, that connection is lost and I have
> to do the restart/enable/disable steps again for redirection from CERN or
> FNAL to work.
>
> It seems like there is some ipv6 weirdness between the UNL and Purdue
> redirector.  Is this a known issue?  Perhaps it is already solved in the
> 4.1.1 release?  If so, we can just wait for OSG to release it and
> upgrade.  But, I figured I should let you know what I found just in case
> you had not seen this issue before.
>
> Thanks,
> -Erik
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>
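
The allow-list behaviour described in the reply above, as a small model added here (not XRootD's code and not part of the original thread). It shows an exact `xrd.allow host` entry rejecting a host's IPv6 address when only some of its addresses were loaded, and why the `*` form admits more than the one host. The addresses are constructed documentation-range values, `other-xrootd.unl.edu` is a hypothetical name, and treating the `*` form as a match on the peer's resolved host name is an assumption of this sketch.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), not real records.
FORWARD = {"xrootd.unl.edu": ["192.0.2.10", "2001:db8::10"]}
REVERSE = {
    "192.0.2.10": "xrootd.unl.edu",
    "2001:db8::10": "xrootd.unl.edu",
    "2001:db8::66": "other-xrootd.unl.edu",  # hypothetical second host
}

def build_allow_list(host, families=(4, 6)):
    """Addresses admitted by an exact 'xrd.allow host <name>' entry.

    families=(4,) models the bug: the host's IPv6 addresses never
    reach the allow list. families=(4, 6) models the fixed behaviour.
    """
    addrs = (ipaddress.ip_address(a) for a in FORWARD.get(host, []))
    return {a for a in addrs if a.version in families}

def exact_allowed(peer, host, families=(4, 6)):
    """Exact entry: the peer address must be in the host's address set."""
    return ipaddress.ip_address(peer) in build_allow_list(host, families)

def wildcard_allowed(peer, pattern):
    """'*' entry (assumed semantics): match the peer's resolved name
    against the text before and after the single asterisk."""
    name = REVERSE.get(peer)
    if name is None or pattern.count("*") != 1:
        return False
    prefix, suffix = pattern.split("*")
    return (len(name) >= len(prefix) + len(suffix)
            and name.startswith(prefix) and name.endswith(suffix))

def report():
    """Decision for each constructed peer under the three configurations."""
    rows = []
    for peer in REVERSE:
        rows.append((peer,
                     exact_allowed(peer, "xrootd.unl.edu", families=(4,)),
                     exact_allowed(peer, "xrootd.unl.edu"),
                     wildcard_allowed(peer, "*xrootd.unl.edu")))
    return rows

if __name__ == "__main__":
    print("peer, exact (IPv6 missing), exact (all addresses), wildcard")
    for row in report():
        print(*row, sep=", ")
```
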
