Problem with the SSL CA cert

Profile BilBg
Volunteer tester
Joined: 27 May 07
Posts: 3720
Credit: 9,385,827
RAC: 0
Bulgaria
Message 1666075 - Posted: 16 Apr 2015, 20:01:13 UTC - in response to Message 1666028.  

For the moment the admins have turned it back to HTTP since this now causes the troubles with older clients.

Question remains why some computers have/had no problem despite using "older clients"?
Does BOINC use (also) the root certificates installed in the OS?

My ca-bundle.crt begins with:

##
## $Id: ca-bundle.crt 11866 2007-01-15 21:39:43Z rwalton $
##
## ca-bundle.crt -- Bundle of CA Root Certificates
## Last Modified: Thu Mar 2 09:32:46 CET 2000
 


- ALF - "Find out what you don't do well ..... then don't do it!" :)
 
ID: 1666075 · Report as offensive
Richard Haselgrove Project Donor
Volunteer tester

Joined: 4 Jul 99
Posts: 14650
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1666085 - Posted: 16 Apr 2015, 20:27:51 UTC - in response to Message 1666070.  

From Rom Walton:
It probably has to do more with what is supported in the specific version of OpenSSL included with BOINC than the CA Bundle.

Backwards compatibility has been in decline on the web with Heartbleed and Freak being discovered. It would not surprise me if older BOINC clients were having problems connecting to up-to-date BOINC servers over SSL.

I mentioned the ca-bundle.crt file right at the start of this discussion, because it had certainly been implicated in a GPUGrid upload problem. But I can fully accept that there may well have been different problems in different places at different times, what with different projects, different server OSs, varying patch times, different administrator policies, changing server configurations over time, and different client versions. All I can offer in support is this log from a v6.12.34 installation:

19-Mar-2015 18:05:19 [---] [http] HTTP_OP::libcurl_exec(): ca-bundle 'C:\Program Files\BOINC\ca-bundle.crt'
19-Mar-2015 18:05:19 [---] [http] HTTP_OP::libcurl_exec(): ca-bundle set
19-Mar-2015 18:05:19 [GPUGRID] Started upload of e12s7_e4s10f193-GERARD_CXCL12_Ctl9_m1_GAAMPGAFF1-1-2-RND1086_0_0
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Info: About to connect() to www.gpugrid.org port 80 (#1)
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Info: Trying 193.146.190.61...
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Info: Connected to www.gpugrid.org (193.146.190.61) port 80 (#1)
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Sent header to server: POST /PS3GRID_cgi/file_upload_handler HTTP/1.1
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Sent header to server: User-Agent: BOINC client (windows_intelx86 6.12.34)
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Sent header to server: Host: www.gpugrid.org
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Sent header to server: Accept: */*
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Sent header to server: Accept-Encoding: deflate, gzip
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Sent header to server: Content-Type: application/x-www-form-urlencoded
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Sent header to server: Content-Length: 318
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Sent header to server:
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Received header from server: HTTP/1.1 301 Moved Permanently
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Received header from server: Date: Thu, 19 Mar 2015 18:02:30 GMT
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Received header from server: Server: Apache/2.2.3 (CentOS)
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Info: the ioctl callback returned 0
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Received header from server: Location: https://www.gpugrid.net/PS3GRID_cgi/file_upload_handler
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Received header from server: Cache-Control: max-age=3600
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Received header from server: Expires: Thu, 19 Mar 2015 19:02:30 GMT
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Received header from server: Content-Length: 343
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Received header from server: Content-Type: text/html; charset=iso-8859-1
19-Mar-2015 18:05:20 [---] [http] [ID#5314] Received header from server:
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: Ignoring the response-body
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: Connection #1 to host www.gpugrid.org left intact
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: Issue another request to this URL: 'https://www.gpugrid.net/PS3GRID_cgi/file_upload_handler'
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: About to connect() to www.gpugrid.net port 443 (#4)
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: Trying 193.146.190.61...
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: Connected to www.gpugrid.net (193.146.190.61) port 443 (#4)
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: successfully set certificate verify locations:
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: CAfile: C:\Program Files\BOINC\ca-bundle.crt
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: CApath: none
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: SSLv3, TLS handshake, Client hello (1):
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: SSLv3, TLS handshake, Server hello (2):
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: SSLv3, TLS handshake, CERT (11):
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: SSLv3, TLS alert, Server hello (2):
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: SSL certificate problem, verify that the CA cert is OK. Details:
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
19-Mar-2015 18:05:21 [---] [http] [ID#5314] Info: Closing connection #4
19-Mar-2015 18:05:21 [---] [http] HTTP error: Peer certificate cannot be authenticated with known CA certificates

A few minutes later, with the only change being the update of ca-bundle.crt, I got:

19-Mar-2015 18:07:01 [---] [http] HTTP_OP::libcurl_exec(): ca-bundle 'C:\Program Files\BOINC\ca-bundle.crt'
19-Mar-2015 18:07:01 [---] [http] HTTP_OP::libcurl_exec(): ca-bundle set
19-Mar-2015 18:07:01 [GPUGRID] Started upload of e12s7_e4s10f193-GERARD_CXCL12_Ctl9_m1_GAAMPGAFF1-1-2-RND1086_0_0
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Info: Re-using existing connection! (#1) with host www.gpugrid.org
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Info: Connected to www.gpugrid.org (193.146.190.61) port 80 (#1)
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Sent header to server: POST /PS3GRID_cgi/file_upload_handler HTTP/1.1
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Sent header to server: User-Agent: BOINC client (windows_intelx86 6.12.34)
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Sent header to server: Host: www.gpugrid.org
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Sent header to server: Accept: */*
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Sent header to server: Accept-Encoding: deflate, gzip
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Sent header to server: Content-Type: application/x-www-form-urlencoded
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Sent header to server: Content-Length: 318
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Sent header to server:
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Received header from server: HTTP/1.1 301 Moved Permanently
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Received header from server: Date: Thu, 19 Mar 2015 18:04:11 GMT
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Received header from server: Server: Apache/2.2.3 (CentOS)
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Info: the ioctl callback returned 0
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Received header from server: Location: https://www.gpugrid.net/PS3GRID_cgi/file_upload_handler
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Received header from server: Cache-Control: max-age=3600
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Received header from server: Expires: Thu, 19 Mar 2015 19:04:11 GMT
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Received header from server: Content-Length: 343
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Received header from server: Content-Type: text/html; charset=iso-8859-1
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Received header from server:
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Info: Ignoring the response-body
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Info: Connection #1 to host www.gpugrid.org left intact
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Info: Issue another request to this URL: 'https://www.gpugrid.net/PS3GRID_cgi/file_upload_handler'
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Info: About to connect() to www.gpugrid.net port 443 (#3)
19-Mar-2015 18:07:01 [---] [http] [ID#5318] Info: Trying 193.146.190.61...
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: Connected to www.gpugrid.net (193.146.190.61) port 443 (#3)
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: successfully set certificate verify locations:
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: CAfile: C:\Program Files\BOINC\ca-bundle.crt
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: CApath: none
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSLv3, TLS handshake, Client hello (1):
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSLv3, TLS handshake, Server hello (2):
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSLv3, TLS handshake, CERT (11):
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSLv3, TLS handshake, Server key exchange (12):
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSLv3, TLS handshake, Server finished (14):
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSLv3, TLS handshake, Client key exchange (16):
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSLv3, TLS change cipher, Client hello (1):
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSLv3, TLS handshake, Finished (20):
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSLv3, TLS change cipher, Client hello (1):
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSLv3, TLS handshake, Finished (20):
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSL connection using DHE-RSA-AES256-SHA
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: Server certificate:
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: subject: C=ES; CN=www.gpugrid.net; emailAddress=giadefa@gmail.com
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: start date: 2015-03-03 02:20:40 GMT
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: expire date: 2016-03-03 08:51:14 GMT
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: subjectAltName: www.gpugrid.net matched
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 1 Primary Intermediate Server CA
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: SSL certificate verify ok.
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Sent header to server: POST /PS3GRID_cgi/file_upload_handler HTTP/1.1
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Sent header to server: User-Agent: BOINC client (windows_intelx86 6.12.34)
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Sent header to server: Host: www.gpugrid.net
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Sent header to server: Accept: */*
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Sent header to server: Accept-Encoding: deflate, gzip
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Sent header to server: Referer: http://www.gpugrid.org/PS3GRID_cgi/file_upload_handler
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Sent header to server: Content-Type: application/x-www-form-urlencoded
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Sent header to server: Content-Length: 318
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Sent header to server:
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Received header from server: HTTP/1.1 200 OK
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Received header from server: Date: Thu, 19 Mar 2015 18:04:11 GMT
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Received header from server: Server: Apache/2.2.3 (CentOS)
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Received header from server: Cache-Control: max-age=300
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Received header from server: Expires: Thu, 19 Mar 2015 18:09:11 GMT
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Received header from server: Transfer-Encoding: chunked
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Received header from server: Content-Type: text/plain; charset=UTF-8
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Received header from server:
19-Mar-2015 18:07:02 [---] [http] [ID#5318] Info: Connection #3 to host www.gpugrid.net left intact
19-Mar-2015 18:07:37 [GPUGRID] Finished upload of e12s7_e4s10f193-GERARD_CXCL12_Ctl9_m1_GAAMPGAFF1-1-2-RND1086_0_0

So the bundle change worked, on that day, to that project, on this host.
ID: 1666085 · Report as offensive
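
Added example (not part of the original post and not BOINC code): a small Python triage of `[http]` client log lines like the two runs quoted above. It groups lines by `[ID#n]` and reports, per transfer, whether certificate verification failed or succeeded and against which CAfile. The sample lines, host names and issuer are constructed, and the regexes assume the line layout shown in the post.

```python
import re
from collections import OrderedDict

# Constructed sample lines in the format of the client log quoted above;
# host names, IDs and the issuer name are made up for this example.
SAMPLE_LOG = r"""
19-Mar-2015 18:05:20 [---] [http] [ID#1] Received header from server: HTTP/1.1 301 Moved Permanently
19-Mar-2015 18:05:20 [---] [http] [ID#1] Received header from server: Location: https://upload.example.net/cgi/file_upload_handler
19-Mar-2015 18:05:21 [---] [http] [ID#1] Info:   CAfile: C:\Program Files\BOINC\ca-bundle.crt
19-Mar-2015 18:05:21 [---] [http] [ID#1] Info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
19-Mar-2015 18:07:01 [---] [http] [ID#2] Received header from server: HTTP/1.1 301 Moved Permanently
19-Mar-2015 18:07:01 [---] [http] [ID#2] Received header from server: Location: https://upload.example.net/cgi/file_upload_handler
19-Mar-2015 18:07:02 [---] [http] [ID#2] Info:   CAfile: C:\Program Files\BOINC\ca-bundle.crt
19-Mar-2015 18:07:02 [---] [http] [ID#2] Info: SSL connection using DHE-RSA-AES256-SHA
19-Mar-2015 18:07:02 [---] [http] [ID#2] Info:   issuer: C=XX; O=Example CA Ltd.; CN=Example Intermediate Server CA
19-Mar-2015 18:07:02 [---] [http] [ID#2] Info: SSL certificate verify ok.
19-Mar-2015 18:07:02 [---] [http] [ID#2] Received header from server: HTTP/1.1 200 OK
"""

# timestamp, [project], [http], [ID#n], message
LINE = re.compile(r"^(\S+ \S+) \[[^\]]*\] \[http\] \[ID#(\d+)\] (.*)$")
RULES = [
    ("status", re.compile(r"^Received header from server: HTTP/\d\.\d (\d{3})")),
    ("location", re.compile(r"^Received header from server: Location: (\S+)")),
    ("ca_file", re.compile(r"^Info:\s*CAfile: (.+)$")),
    ("cipher", re.compile(r"^Info: SSL connection using (\S+)")),
    ("issuer", re.compile(r"^Info:\s*issuer: (.+)$")),
    ("tls_error", re.compile(r"^Info: error:([0-9A-Fa-f]{8}):[^:]*:[^:]*:(.+)$")),
    ("verified", re.compile(r"^Info: SSL certificate verify ok\.")),
]


def parse_transfers(text):
    """Collect the TLS-relevant facts for each [ID#n] transfer, in log order."""
    transfers = OrderedDict()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without an [http] [ID#n] prefix are skipped
        _, op_id, msg = m.groups()
        t = transfers.setdefault(op_id, {
            "statuses": [], "location": None, "ca_file": None,
            "cipher": None, "issuer": None, "tls_error": None, "verified": False,
        })
        for field, rx in RULES:
            hit = rx.match(msg)
            if not hit:
                continue
            if field == "status":
                t["statuses"].append(int(hit.group(1)))
            elif field == "verified":
                t["verified"] = True
            elif field == "tls_error":
                t["tls_error"] = (hit.group(1), hit.group(2).strip())
            else:
                t[field] = hit.group(1).strip()
            break
    return transfers


def diagnose(t):
    """Turn one transfer's facts into a verdict a human can act on."""
    if t["tls_error"] and "certificate verify failed" in t["tls_error"][1]:
        verdict = "verify-failed"  # the chain did not validate against ca_file
    elif t["verified"] and t["statuses"] and 200 <= t["statuses"][-1] < 300:
        verdict = "ok"
    else:
        verdict = "inconclusive"
    return {
        "verdict": verdict,
        "redirected_to_https": bool(t["location"] and t["location"].lower().startswith("https://")),
        "ca_file": t["ca_file"],
        "openssl_error": t["tls_error"][0] if t["tls_error"] else None,
        "issuer": t["issuer"],
        "cipher": t["cipher"],
    }


def summarize(text):
    return {op_id: diagnose(t) for op_id, t in parse_transfers(text).items()}


if __name__ == "__main__":
    for op_id, result in summarize(SAMPLE_LOG).items():
        print(op_id, result)
```

A `verify-failed` verdict next to an unchanged `ca_file` path on both runs matches what the post describes: the same file name, with only its contents updated between attempts.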
Profile Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1666088 - Posted: 16 Apr 2015, 20:35:44 UTC

David Anderson:
The SSL certificate used for this is issued by a UC Berkeley CA, which I imagine is not included in older CA bundles.

Not worth pursuing this point; we're fine with HTTP.

(read: costly)

Apropos, it's not possible to release new versions of old clients with new OpenSSL, or just an updated OpenSSL for older clients.

Rom:
OpenSSL would have to be re-built using the same version of Visual Studio (with all the patches) used to build that version of BOINC, e.g. with 5.10 we were probably still using Visual Studio 2003.
ID: 1666088 · Report as offensive
Richard Haselgrove Project Donor
Volunteer tester

Joined: 4 Jul 99
Posts: 14650
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1666097 - Posted: 16 Apr 2015, 20:48:52 UTC - in response to Message 1666088.  

David Anderson:
The SSL certificate used for this is issued by a UC Berkeley CA, which I imagine is not included in older CA bundles.

Not worth pursuing this point; we're fine with HTTP.

(read: costly)

Apropos, it's not possible to release new versions of old clients with new OpenSSL, or just an updated OpenSSL for older clients.

Rom:
OpenSSL would have to be re-built using the same version of Visual Studio (with all the patches) used to build that version of BOINC, e.g. with 5.10 we were probably still using Visual Studio 2003.

That makes sense. But could we have a version from current sources, built with current tools, which removes two BOINC developer decisions so we can upgrade on two classes of host:

1) To allow installation on Windows Domain Controllers (that's an installer problem, not a client/manager problem)

2) To allow BOINC to run as a service, and still use GPUs, on Windows versions which support direct interaction with video drivers (most notably, Windows XP)
ID: 1666097 · Report as offensive
OzzFan Crowdfunding Project Donor*Special Project $75 donorSpecial Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1666123 - Posted: 16 Apr 2015, 21:49:21 UTC - in response to Message 1666097.  

I'll settle for a newer version of BOINC for Domain Controllers. I'm sure I can fix whatever security group issues there are on my own. At least that way I can avoid Frankensteining an upgrade to a newer version.
ID: 1666123 · Report as offensive
Profile Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1666133 - Posted: 16 Apr 2015, 22:27:10 UTC - in response to Message 1666097.  

But could we have a version from current sources, built with current tools

A current version of what? OpenSSL? For what?
When building the BOINC client, it's built against a couple of libraries. OpenSSL is one of those libraries. So it's not possible to just update OpenSSL on the older clients, because that then breaks that client, as it's expecting the older OpenSSL library. Then you get what Charlie (Ozzfan) had, that the client just crashes.

So the only option would be to build a new OpenSSL using the older compiling tools and libraries, but with the newer OpenSSL libraries. That's not undoable, but won't be done by the developers. Perhaps, if the community feels it needs to be done, someone, or some people, can do it.
ID: 1666133 · Report as offensive
Profile BilBg
Volunteer tester
Joined: 27 May 07
Posts: 3720
Credit: 9,385,827
RAC: 0
Bulgaria
Message 1666139 - Posted: 16 Apr 2015, 22:35:58 UTC - in response to Message 1666133.  
Last modified: 16 Apr 2015, 22:41:06 UTC

But could we have a version from current sources, built with current tools

A current version of what? OpenSSL?

No, Richard means a current version of BOINC (+ included current OpenSSL of course) that can:
- install on Windows Domain Controllers (now people are forced to install <= 5.10.45)
- allow BOINC to run as a service, and still detect/use GPUs on Windows XP (now people are forced to use <= 6.12.34)
I imagine this second can be unlocked for advanced users by some switch in cc_config.xml like <force_detect_gpu>
 


- ALF - "Find out what you don't do well ..... then don't do it!" :)
 
ID: 1666139 · Report as offensive
Richard Haselgrove Project Donor
Volunteer tester

Joined: 4 Jul 99
Posts: 14650
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1666146 - Posted: 16 Apr 2015, 22:43:13 UTC - in response to Message 1666139.  

But could we have a version from current sources, built with current tools

A current version of what? OpenSSL?

No, Richard means a current version of BOINC (+ included current OpenSSL of course) that can:
- install on Windows Domain Controllers (now people are forced to install <= 5.10.45)
- allow BOINC to run as a service, and still detect/use GPUs on Windows XP (now people are forced to use <= 6.12.34)

Correct.

I imagine this second can be unlocked for advanced users by some switch in cc_config.xml like <force_detect_gpu>

However they choose to implement it.
ID: 1666146 · Report as offensive
Profile Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1667657 - Posted: 20 Apr 2015, 16:54:57 UTC
Last modified: 20 Apr 2015, 17:04:28 UTC

I finally got an answer back from Rom.

He'll test with the installer of a next BOINC (7.5.x I guess) if the check for a DC can be disabled. That way BOINC can be installed on a DC, just not as a service. Edit: But the installer will probably grey out the option to install as a service when it detects it's being installed on a DC.

As for XP, BOINC as a service and GPUs, the answer is No, that change will not be reverted.
ID: 1667657 · Report as offensive
OzzFan Crowdfunding Project Donor*Special Project $75 donorSpecial Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1667682 - Posted: 20 Apr 2015, 18:06:50 UTC - in response to Message 1667657.  

Is there a technical reason that BOINC can't be installed as a service on a DC? I know in 5.10.45 it prompts you for a service account to use for the service, so I'm guessing it has something to do with granting the service account the right to logon as a system service ... ?
ID: 1667682 · Report as offensive
Profile Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1667688 - Posted: 20 Apr 2015, 18:17:33 UTC - in response to Message 1667682.  
Last modified: 20 Apr 2015, 18:18:51 UTC

Is there a technical reason that BOINC can't be installed as a service on a DC?

The same reason as to why all of BOINC 6 and part of BOINC 7 cannot be installed on a DC: the making and using of local accounts and groups specifically for BOINC.

Since 7.3.8 there's been a change in BOINC setup that it makes and uses the BOINC accounts and groups only when installed as a service. No longer on the 'normal' or 'user' install.

DCs use global accounts, so when the BOINC installer tries to make local accounts, it'll err on that.
ID: 1667688 · Report as offensive
OzzFan Crowdfunding Project Donor*Special Project $75 donorSpecial Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1667691 - Posted: 20 Apr 2015, 18:20:27 UTC - in response to Message 1667688.  

Could the required local accounts and groups be documented so such a thing can be scripted by SysAdmins? Or is there a way to create global accounts and groups?
ID: 1667691 · Report as offensive
Profile Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1667694 - Posted: 20 Apr 2015, 18:24:09 UTC - in response to Message 1667691.  
Last modified: 20 Apr 2015, 18:24:29 UTC

Could the required local accounts and groups be documented so such a thing can be scripted by SysAdmins?

Hasn't changed (much) since BOINC Six: http://boinc.berkeley.edu/trac/wiki/ClientSetupLogicWinSix

Or is there a way to create global accounts and groups?

No, else it would've been done ages ago.
ID: 1667694 · Report as offensive
OzzFan Crowdfunding Project Donor*Special Project $75 donorSpecial Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1667696 - Posted: 20 Apr 2015, 18:27:18 UTC - in response to Message 1667694.  
Last modified: 20 Apr 2015, 18:28:15 UTC

Could the required local accounts and groups be documented so such a thing can be scripted by SysAdmins?

Hasn't changed (much) since BOINC Six: http://boinc.berkeley.edu/trac/wiki/ClientSetupLogicWinSix


Thanks for that.

Or is there a way to create global accounts and groups?

No, else it would've been done ages ago.


I'm sure the domain can be queried and ldifde can be used to create accounts.
ID: 1667696 · Report as offensive
Profile Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1667700 - Posted: 20 Apr 2015, 18:30:40 UTC - in response to Message 1667696.  

If I'm not mistaken that would also mean that you can only run BOINC as a service on the server, and no longer on any workstation on that network/domain, because only one account with the BOINC user names can be made.

But I'll ask Rom.
ID: 1667700 · Report as offensive
Richard Haselgrove Project Donor
Volunteer tester

Joined: 4 Jul 99
Posts: 14650
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1667701 - Posted: 20 Apr 2015, 18:30:45 UTC - in response to Message 1667657.  

I finally got an answer back from Rom.

He'll test with the installer of a next BOINC (7.5.x I guess) if the check for a DC can be disabled. That way BOINC can be installed on a DC, just not as a service. Edit: But the installer will probably grey out the option to install as a service when it detects it's being installed on a DC.

This would very much defeat the object of the exercise. A DC really shouldn't be running with a logged-in local user, except for the tiny proportion of the time when an administrator is actually doing some active administration. And when she's finished, she should log out again, sharpish.

So, allowing the installing human being (rather than the installer software) to make and select the account to be used for the service - either automatically, or via documentation - would be the way to go.
ID: 1667701 · Report as offensive
OzzFan Crowdfunding Project Donor*Special Project $75 donorSpecial Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1667712 - Posted: 20 Apr 2015, 18:51:33 UTC - in response to Message 1667701.  

I finally got an answer back from Rom.

He'll test with the installer of a next BOINC (7.5.x I guess) if the check for a DC can be disabled. That way BOINC can be installed on a DC, just not as a service. Edit: But the installer will probably grey out the option to install as a service when it detects it's being installed on a DC.

This would very much defeat the object of the exercise. A DC really shouldn't be running with a logged-in local user, except for the tiny proportion of the time when an administrator is actually doing some active administration. And when she's finished, she should log out again, sharpish.

So, allowing the installing human being (rather than the installer software) to make and select the account to be used for the service - either automatically, or via documentation - would be the way to go.


Precisely!
ID: 1667712 · Report as offensive
Profile HAL9000
Volunteer tester
Joined: 11 Sep 99
Posts: 6534
Credit: 196,805,888
RAC: 57
United States
Message 1667719 - Posted: 20 Apr 2015, 19:18:36 UTC

Windows has a built in tool to install BOINC, or any app, on a server as a service. https://support.microsoft.com/en-us/kb/251192

I don't bother with the BOINC installer or any of the group/account nonsense it wants to normally create. When there is a new version of BOINC, I run the installer to get the applications folders. Then I stop BOINC, drop in the new files, & restart.
That kind of updating is also much easier for me. Given I'm running around 30 machines. Having to run an installer on each one would drive me mad.
SETI@home classic workunits: 93,865 CPU time: 863,447 hours
Join the [url=http://tinyurl.com/8y46zvu]BP6/VP6 User Group[/url]
ID: 1667719 · Report as offensive
Richard Haselgrove Project Donor
Volunteer tester

Joined: 4 Jul 99
Posts: 14650
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1667723 - Posted: 20 Apr 2015, 19:33:01 UTC - in response to Message 1667719.  

My touchstone for this sort of discussion is what used to be called "Windows Small Business Server", now known as "Windows Server Essentials". It's designed to be managed via point-and-click with not much more knowledge than your average Windows user has, and there are probably millions of them running 24/7 in offices which are only staffed 9 to 5 - a very rich seam of spare CPU cycles, ready to be mined.
ID: 1667723 · Report as offensive
Profile HAL9000
Volunteer tester
Joined: 11 Sep 99
Posts: 6534
Credit: 196,805,888
RAC: 57
United States
Message 1667724 - Posted: 20 Apr 2015, 19:45:01 UTC - in response to Message 1667723.  

My touchstone for this sort of discussion is what used to be called "Windows Small Business Server", now known as "Windows Server Essentials". It's designed to be managed via point-and-click with not much more knowledge than your average Windows user has, and there are probably millions of them running 24/7 in offices which are only staffed 9 to 5 - a very rich seam of spare CPU cycles, ready to be mined.

Ah OK. That makes more sense. I didn't see how this would be much of an issue for a standard admin. But the SBS/Essentials editions are geared to a slightly different audience.
SETI@home classic workunits: 93,865 CPU time: 863,447 hours
Join the [url=http://tinyurl.com/8y46zvu]BP6/VP6 User Group[/url]
ID: 1667724 · Report as offensive


 
©2024 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.