Bugzilla – Bug 4188
trigger/container faisl on just expired proxy and can not recover
Last modified: 2006-02-15 15:01:14
You need to
before you can comment on or make changes to this bug.
I have a small monitoring setup for esg that runs on X509_USER_PROXY instead
of the default host container cert/key. That proxy is being refreshed everyday
at the same time. It seems if container with trigger hit that time exactly
right that it detects invalid proxy but even with that proxy being refreshed,
container never recovers. I have seen this on solaris 10 box using stock GT4.0.1
and also on a linux box (Using HEAD).
Created an attachment (id=836) [details]
The proxy expired around 2006-01-24 16:12:09
replaced it with a long-live one around Jan 24 17:45
Created an attachment (id=839) [details]
container log with HEAD GT
the time when the proxy got renewed is:
Feb 2 12:35 x509_mei
I installed a similar setup with HEAD. It looks like the problem
is not there anymore. So, I think there is no need to track this and
I just have to wait for a new release of GT.
So you only see this problem with GT 4.0.1 but not HEAD? It needs to be fixed
Yes. only on stock 4.0.1 release. On HEAD, there are some MDS warnings coming
out after the recovery . Mike will be looking at them to make sure they
I just committed a potential fix to the 4.0 branch code. Can you please retest
and see if you still see this error ?
This should be fixed now in trunk & globus_4_0_branch. The main reason for this
bug was improper socket closing in case of expired credentials. This bug also
uncovered a number of other issues in trunk & branch, all of them should be
The container code in branch was fixed to close the right socket in case of an
credential error (trunk was ok). The JGlobus secure socket code was updated to
automatically close the socket in case of error during authentication.
Also, trunk & branch was made to behave in the same way when dealing with
expired credentials and credential refresh. For example, if server has an
expired credential, the client will now get a nice error message indicating so.
Also the branch credential refresh code was improved to match trunk's.