Hi Andy, Erik,

we do only "cms.allow host *.purdue.edu" on UNL xrootd.unl.edu. Not 
xrd.allow ...

Are you saying we should specifically add on UNL redirector "xrd.allow 
host *xrootd.unl.edu"? Not "xrd.allow host *xrootd.rcac.purdue.edu"?

Sorry not concentrating on the whole content and your explanation right 
now, just want to know what to do and we'll add it at UNL and restart 
xrootd.unl.edu cmsd/xrootd there. I'm currently at CERN ready to go to bed, 
almost :).

Thanks,
Marian

PS: Log files from xrootd.unl.edu - they rolled out, I can see no logs 
before 20150222 which won't help here now as we need 20150220 based on 
Erik's message...

On 2/25/15 7:33 AM, Andrew Hanushevsky wrote:
> Hi Erik,
>
> Indeed, there was a bug in how the "xrd.allow" directive was handled.
> This was something that fell through the cracks when we added IPv6
> support. The problem was that not all addresses associated with a host
> (specifically here IPv6 addresses) were added to the allow list. A patch
> has been submitted and should appear in release 4.2.0. The bypass until
> then is to change the entries such as "xrd.allow host xrootd.unl.edu" to
> be of the form "xrd.allow host *xrootd.unl.edu" (notice the addition of
> the asterisk). This will loosen security but probably not enough to matter.
> The allow directive appears in the redirector you are connecting to so
> it will mean co-ordinating with whoever runs that redirector.
>
> Andy
>
> On Tue, 24 Feb 2015, Erik Gough wrote:
>
>> Hello,
>>
>> We recently upgraded to xrootd 4.0.4 at Purdue and enabled IPv6 on our
>> xrootd redirector and servers.  We see an issue where cmsd is unable to
>> connect to xrootd.unl.edu (another IPv6 enabled redirector).  I attached
>> our xrootd config.  We point to the FNAL redirector for AAA.
>>
>> If I simply restart xrootd/cmsd on our redirector, any connection from
>> either the CERN or FNAL redirector ends with a '[3011] No servers are
>> available to read the file'.
>>
>> In the cmsd log I see this repeated every few seconds:
>> 150220 10:27:34 34373 Login: xrootd.unl.edu login failed; rejected
>> 150220 10:27:34 34373 Remove completed xrootd.unl.edu manager 1.17
>> 150220 10:27:34 34373 Manager: manager.0:[log in to unmask] removed; lost connection
>>
>> If I disable ipv6 on our redirector, cmsd will immediately connect to
>> xrootd.unl.edu using ipv4.
>>
>> 150220 10:28:01 34373 Add xrootd.unl.edu to manager config; id=1
>> 150220 10:28:01 34373 ManTree: Now connected to 2 root node(s)
>> 150220 10:28:01 34373 Protocol: Logged into xrootd.unl.edu
>>
>> Then if I enable ipv6 and restart the network service I am able to do
>> both v4/v6 transfers using both CERN/FNAL redirectors.
>>
>> It seems like for AAA access, there is a requirement for me to have a
>> cmsd connection to xrootd.unl.edu and it does not work over IPv6.
>>
>> Before I do the disable/enable v6 thing, I do not see a connection open
>> between Purdue and UNL.  I do see an ipv4 one between Purdue and FNAL
>> without intervention on my part.
>>
>> After I disable/enable v6, I see this and things start working.
>>
>> cmsd      26416  xrootd   23u  IPv4 2179617      0t0  TCP xrootd.rcac.purdue.edu:47154->xrootd.unl.edu:mpc-lifenet (ESTABLISHED)
>>
>> If the UNL redirector gets restarted, that connection is lost and I have
>> to do the restart/enable/disable steps again for redirection from CERN or
>> FNAL to work.
>>
>> It seems like there is some ipv6 weirdness between the UNL and Purdue
>> redirector.  Is this a known issue?  Perhaps it is already solved in the
>> 4.1.1 release?  If so, we can just wait for OSG to release it and
>> upgrade.  But, I figured I should let you know what I found just in case
>> you had not seen this issue before.
>>
>> Thanks,
>> -Erik
>>
>> ########################################################################
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-L list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>>
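
An added illustration, not part of the thread and not XRootD code: a simplified Python model of the allow-list behaviour discussed above, showing why an exact host entry that is expanded to only some of the host's addresses rejects an IPv6 peer, and what a leading-asterisk pattern additionally admits. It assumes exact entries are resolved to addresses and wildcard entries are matched against the peer's reverse-resolved name; all host names and addresses are constructed (documentation ranges).

```python
import fnmatch
import ipaddress

# Constructed DNS data using documentation ranges; not real records.
FORWARD = {"redirector.example.org": ["192.0.2.10", "2001:db8::10"]}
REVERSE = {
    "192.0.2.10": "redirector.example.org",
    "2001:db8::10": "redirector.example.org",
    "2001:db8::66": "test-redirector.example.org",
}


def build_allow_set(host, families=(4, 6)):
    """Expand an exact host entry into the addresses allowed to connect.

    Passing families=(4,) models the failure mode from the thread: the
    host's IPv6 addresses never make it onto the allow list.
    """
    addrs = (ipaddress.ip_address(a) for a in FORWARD.get(host, []))
    return {a for a in addrs if a.version in families}


def allowed(peer, exact_addrs=(), patterns=()):
    """Accept a peer if its address is listed or its name matches a pattern."""
    ip = ipaddress.ip_address(peer)
    if ip in exact_addrs:
        return True
    name = REVERSE.get(str(ip), "")
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def demo():
    host = "redirector.example.org"
    v4_only = build_allow_set(host, families=(4,))  # incomplete expansion
    complete = build_allow_set(host)                # every address of the host
    wildcard = ["*" + host]                         # the interim bypass form
    return {
        "v4_peer_incomplete_list": allowed("192.0.2.10", v4_only),
        "v6_peer_incomplete_list": allowed("2001:db8::10", v4_only),
        "v6_peer_complete_list": allowed("2001:db8::10", complete),
        "v6_peer_wildcard": allowed("2001:db8::10", patterns=wildcard),
        # Any name ending in the suffix also matches: the loosening.
        "other_host_wildcard": allowed("2001:db8::66", patterns=wildcard),
        "other_host_complete_list": allowed("2001:db8::66", complete),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if result else 'rejected'}")
```
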
