CERN COMPUTER NEWSLETTER

Volume 44, issue 3, July–September 2009

Contents
Editorial
  CINBAD keeps an eye on the CERN network
  ETICS 2 offers guidance to software professionals
Announcements and news
  CERN welcomes 13 Intel ISEF pre-college winners
  Computer team advises reviewing your security now and frequently
  EGEE-III project is on track for EGI transition
Grid news
  Scientists demonstrate the role of CMS in computing Grid
Technical brief
  Indico’s new face goes live
  CERN updates Wi-Fi network
Conference and event reports
  Prague hosts CHEP conference
  Workshop identifies steps to reap benefits from multicore and virtualization technologies
  HEPiX event arrives in Sweden
Calendar

Editor Natalie Pocock, CERN IT Department, 1211 Geneva 23, Switzerland. E-mail cnl.editor@. ch. Fax +41 (22) 766 8500. Web cerncourier.com/articles/cnl.
Advisory board Frédéric Hemmer (head of IT Department), Alberto Pace (group leader, Data Management), Christine Sutton (CERN Courier editor), Tim Smith (group leader, User and Document Services).
Produced for CERN by IOP Publishing, Dirac House, Temple Back, Bristol BS1 6BE, UK. Tel +44 (0)117 929 7481. E-mail jo.nicholas@iop.org. Fax +44 (0)117 930 0733. Web iop.org.
Published by CERN IT Department. ©2009 CERN. The contents of this newsletter do not necessarily represent the views of CERN management.

CINBAD keeps an eye on the CERN network

The CINBAD (CERN Investigation of Network Behaviour and Anomaly Detection) project was launched in 2007 as a collaboration between CERN openlab, IT-CS and HP ProCurve Networking. The project’s aim is to understand the behaviour of large computer networks in the context of high-performance computing and campus installations such as those at CERN. The goals are to detect traffic anomalies in such systems, perform trend analysis, automatically take counter measures and provide post-mortem analysis facilities.

CERN’s network
CERN’s campus network has more than 50 000 active user devices interconnected by 10 000 km of cables and fibres, with more than 2500 switches and routers. The potential 4.8 Tbps throughput within the network core and 140 Gbps connectivity to external networks offers countless possibilities to different network applications. The bandwidth of modern networks is growing much faster than the performance of the latest processors. This fact combined with the CERN specific configuration and topology makes network behaviour analysis a very challenging and daunting task.

CINBAD in a nutshell
The CINBAD project addresses many aspects associated with the CERN network. First, it provides facilities for a better understanding and improved maintenance of the CERN network infrastructure. This includes analysing various network statistics and trends, traffic flows and protocol distributions. Other factors that might have an impact on the current network status or influence its evolution are also studied, such as connectivity, bottleneck and performance issues.

When we have learnt and understood the network behaviour, CINBAD can help to identify various abnormalities and determine their causes. Because there are many factors that can be used to describe the network status, anomaly definition is also very domain specific and includes network infrastructure misuse, violation of a local network security policy and device misconfiguration. In addition, the expected network behaviour never remains static because it can vary with the time of day, the number of users connected and network services deployed. As a consequence, anomalies are not easy to detect.

Network sniffing
To acquire knowledge about the network status and behaviour, CINBAD collects and analyses data from numerous sources. Alarms from different network monitoring systems, logs from network services like Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), user feedback, etc – all of these constitute a solid base of information. A naive approach might be to look at all of the packets flying over the CERN network. However, if we did this we would need to analyse even more data than the LHC could generate. The LHC data are only a subset of the total data crossing via these links.

CINBAD overcomes this issue by applying statistical analysis and using sFlow, a technology for monitoring high-speed switched networks that provides randomly sampled packets from the network traffic. The information that we collect is based on the traffic from around 1000 switches and routers and gives a representative sample of the CERN network traffic with more than 3 Terabytes of data per month. The multistage collection system was designed and implemented in consultation with experts from the LHC experiments and Oracle, to benefit from their data-analysis and storage experience. The system has now been up and running for more than a year (figure 1).

Network operation enhancements
The field of network monitoring and planning can greatly benefit from the CINBAD activities. We provide tools and data that simplify the operation and problem-diagnosing process. In addition, our statistics help in understanding the network evolution and design.

CERN Computer Newsletter • July–September 2009 1 Editorial

A very basic piece of information that is of interest for network operations is knowledge about the host’s activity. CINBAD is able to provide detailed statistics about the traffic sent and received by a given host, it facilitates inference about the nature of the traffic on a given outlet/port and can thus identify the connected machine. This information could also be used to diagnose routing problems by looking at all of the packets outbound or inbound to a particular host.

CINBAD is also able to provide information about the traffic at CERN. The sampled data collected by the project are sufficient to obtain the switching/routing/transport protocol information as well as gaining information about the application data. This provides valuable input for an understanding of the current network behaviour. Here the CINBAD team uses descriptive statistics. The potential set of metrics that we can provide to characterize the traffic at CERN is very extensive and specific needs are currently being discussed. For example, we can enumerate protocol-type distributions, packet size distributions, etc. Depending on the requirements, these statistics can be tailored even further.

Top n-list is another form of network summary that might be of interest. Such lists would allow the identification of the most popular application servers, either inside or outside CERN. Although this information might be available on each individual CERN server, CINBAD provides the possibility to collect these statistics for all servers of a given type, whether or not they are centrally managed by the IT Department. This information may be of value to both network engineers and application-server administrators.

These statistics can also be useful for network design and provisioning. The CINBAD project can provide valuable information about the nature of the traffic on the links. These statistics can also be used to detect the trunks with potential bottlenecks. This information can be compared with the service-level agreements that specify the conditions for link usage, enabling appropriate corrective actions to be taken.

With all of these improvements, CINBAD offers a comprehensive system to facilitate day-to-day operations, diagnose network problems and extend our understanding of network evolution and design. The CINBAD team is currently working in close collaboration with IT-CS on a visualization model of this information that is suitable for network operation and troubleshooting.

Fig. 1. The CINBAD sFlow data collector receives and processes the CERN network traffic. (Diagram labels: network devices, sFlow datagrams, level I processing and storage, level II processing and raw storage, level III processing, CINBAD DB, configurator, redundant collector.)

Security enhancements
Security is another area that benefits from the CINBAD project. The only safe computer is a dead computer, or at least one disconnected from the network (if no-one can get to it, no-one can harm it). Nowadays, we cannot avoid communicating with others and therefore we expose our machine to outside threats. Although CERN centrally managed desktops have up-to-date anti-virus software and firewalls, this does not guarantee that our machines and data are shielded from attacks. These tools are usually designed to detect known patterns (signatures) and there are also other machines (unmanaged desktops, PDAs, etc) connected to the CERN network that might be less protected.

Currently, detailed analysis is only performed at critical points on the network (firewall and gates between network domains). The CINBAD team has been investigating various data-analysis approaches that could overcome this limitation. These studies can be categorized into two main domains: statistical and signature-based analysis. The former depends on detecting deviations from normal network behaviour while the latter uses existing problem signatures and matches them against the current state of the network.

The signature-based approach has numerous practical applications, for example SNORT (an open-source intrusion-detection system). The CINBAD team has successfully ported SNORT and adapted various rules to work with sampled data. It seems to perform well and provides a low false-positive rate. However, the system is blind and can yield false negatives in cases of unknown anomalies.

This problem can be addressed by the statistical approach. Expected network activity can be established by specifying the allowed patterns in certain parts of the network. While this method works well for a DNS or web server that can only be contacted on a given protocol port number, for more general purposes this approach would not scale.

A second approach is to build various network profiles by learning from the past. The selection of robust metrics that are resistant to data randomness plays an important role in characterizing the expected network behaviour. Once these normal profiles are well established, the statistical approach can detect new and unknown anomalies.

The CINBAD project combines the statistical approach with the signature-based analysis to benefit from the synergy of the two techniques. While the latter provides the detection system with a fast and reliable detection rate, the former is used to detect the unknown anomalies and to produce new signatures. The CINBAD team constantly monitors both the campus and internet traffic using this method. This has already led to the identification of various anomalies, e.g. DNS abuse, p2p applications, rogue DHCP servers, worms, trojans, unauthorized wireless base stations, etc. Some of these findings have resulted in refinements to current security policies.

The future
The CINBAD project offers many opportunities to improve CERN’s network operation, and it also provides a unique opportunity for the CERN Computer Security Team to identify (and protect against) incidents that might not be seen otherwise. It also enables other groups concerned with varying network applications, such as web services and mail servers, to understand their behaviour.

Useful links
The CINBAD project: http://cern.ch/openlab-cinbad
CERN openlab: http://cern.ch/openlab

Milosz Hulbój and Ryszard Jurga, IT-CS (CERN openlab)
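The statistical approach described in the CINBAD article, as an added example that is not CINBAD code: it scales constructed sFlow-style packet samples to per-host estimates and scores the current interval against each host's own past, using the median and MAD as one possible choice of robust metric. The 1-in-1000 sampling rate, the addresses, the 3.5 threshold and all function names are assumptions made for this illustration.

```python
from collections import Counter, defaultdict
from math import sqrt
from statistics import median

SAMPLING_RATE = 1000  # assumption: switches export 1 in 1000 packets
DNS_PORT = 53


def count_samples(records, service_port):
    """Count sampled packets per interval and source host for one service port."""
    counts = defaultdict(Counter)
    for interval, src, dst_port in records:
        if dst_port == service_port:
            counts[interval][src] += 1
    return counts


def estimate(samples, rate=SAMPLING_RATE):
    """Scale a sample count to a packet estimate.

    Returns (estimated packets, approximate 95% relative error). The error
    term is the normal approximation 1.96 / sqrt(samples), valid when the
    class is a small fraction of all traffic; few samples mean a wide margin.
    """
    if samples == 0:
        return 0, None
    return samples * rate, 1.96 / sqrt(samples)


def robust_score(history, value):
    """Modified z-score: distance from the median in units of scaled MAD.

    Median and MAD barely move when the history contains a stray spike,
    unlike mean and standard deviation.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def detect(counts, current, threshold=3.5, min_history=5):
    """Flag hosts whose current sample count is far above their own profile."""
    past = sorted(i for i in counts if i != current)
    findings = []
    for host, now in sorted(counts[current].items()):
        # Counter returns 0 for intervals in which the host was not sampled.
        history = [counts[i][host] for i in past]
        if len(history) < min_history:
            continue  # too few past intervals to call anything normal
        score = robust_score(history, now)
        if score > threshold:
            est, err = estimate(now)
            findings.append({"host": host, "samples": now, "est_packets": est,
                             "rel_err_95": round(err, 3), "score": round(score, 2)})
    return findings


def build_records():
    """Constructed sample data: sampled DNS packets per host and interval."""
    dns_per_interval = {
        "10.0.0.5": [3, 2, 4, 3, 9, 3, 2, 4, 60],          # last interval is the spike
        "10.0.0.9": [41, 40, 43, 42, 44, 40, 42, 41, 42],  # busy but steady
    }
    records = []
    for host, series in dns_per_interval.items():
        for interval, n in enumerate(series):
            records += [(interval, host, DNS_PORT)] * n
    # Web traffic from another host is ignored by the DNS profile.
    records += [(8, "10.0.0.7", 80)] * 500
    return records


if __name__ == "__main__":
    for finding in detect(count_samples(build_records(), DNS_PORT), current=8):
        print(finding)
```

The earlier spike of 9 samples in the history of 10.0.0.5 leaves its median at 3, so the profile stays usable; the steady resolver-heavy host at about 42 samples per interval is not flagged even though its absolute volume is close to that of the flagged host.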

Editorial

ETICS 2 offers guidance to software professionals

Software professionals have been known to describe the task of building, configuring and integrating new software in as little as two words: “nightmare activity”.

However, with E-infrastructure for Testing, Integration and Configuration of Software Phase 2 – or ETICS 2 – they have an all-in-one solution that helps to configure and build software, and at the same time check its quality. As the result of three years of project activities, this system provides tools and resources to build and test runs, thereby simplifying complex and often repetitive activities.

“By automating many day-to-day tasks, ETICS 2 supports software professionals to obtain higher-quality software, a shorter time to market, a lower risk on schedule and reduced project costs,” said Alberto Di Meglio, ETICS 2 project manager at CERN.

Figure: The ETICS 2 project is run according to the guidelines laid down in the Consortium and European Commission Grant Agreement. Image courtesy of ETICS 2. (Diagram labels: web portal, user interface, repository web service, build/test artefacts, report/metric DB, configuration web service, configuration DB, virtual and physical OS images, worker nodes, execution engines (metronome, gLite, UNICORE, etc.).)

ETICS 2 advantages
The ETICS 2 system exploits Grid software and distributed computing infrastructures. It is highly customizable, multi-platform and independent from any build or test tool. Project data and results from daily, nightly and continuous builds and tests can be viewed and edited through a rich web application.

The system’s Automated-Quality Certification Model, known as A-QCM, provides a way to automatically evaluate and certify aspects such as functionality, reliability, maintainability and portability of any kind of software, while following current ISO software-quality guidelines.

Continuous refinements have been a hallmark of ETICS 2, thanks to collaboration with its users, which include organizations such as EGEE and D4Science. The ETICS 2 team is now working together with members of EGI, such as UNICORE, ARC and gLite, to enhance ETICS interoperability testing features. ETICS 2 is also developing a new functionality to design and run complex tests over distributed networks, a feature that is rare to find even in high-end commercial test management applications.

The ETICS 2 system user community now includes 35 projects that are using or evaluating its services.

“A-QCM trial certifications are now starting and whoever is interested in issuing their software with one can contact our support team at etics-support@cern.ch,” said Jorgen Boegh, a senior consultant from Engineering Ingegneria Informatica S.p.A., responsible for the quality-certification model.

On 21–23 October, ETICS 2 testing and quality-verification features will be shown at the Q&ATEST conference in Bilbao, Spain, during a hands-on tutorial session. Meanwhile, users can download the software from the ETICS 2 website.

Useful links
ETICS 2 website: http://cern.ch/etics
Q&ATEST conference: www.qatest.org/

Isabel Matranga, Engineering Ingegneria Informatica S.p.A., ETICS 2
• This article was published online in iSGTW on 27 May (www.isgtw.org/?pid=1001819).

The deadline for submissions to the next issue of CNL is 16 October. Please e-mail your contributions to [email protected]

Announcements and news

CERN welcomes 13 Intel ISEF pre-college winners

At the end of June, CERN hosted the visit of 13 pre-college students who won “Best of Category” awards at the Intel International Science and Engineering Fair this spring in Reno, US. The young students spent four days at CERN, visiting the Large Hadron Collider (LHC) facility and enjoying a range of presentations.

The Intel International Science and Engineering Fair (Intel ISEF) is the world’s largest international pre-college science competition and annually provides a forum for more than 1500 high-school students from more than 50 countries to showcase their independent research. The Intel ISEF organizer – Society for Science and the Public – partners with Intel, along with dozens of other corporate, academic, government and science-focused sponsors. The partners provide support and awards each year. The Intel ISEF encourages students to tackle challenging scientific questions, using authentic research practices. In fact, despite their young age, the 13 students were already well acquainted with science.

The students won Best of Category awards in fields as diverse as cellular and molecular biology, computer science, Earth and planetary science, electrical and mechanical engineering, environmental management, microbiology, medicine and health, and materials and bioengineering. In physics and astronomy, Nilesh Tripuraneni did research on “a relativistic generalization of the Navier-Stokes equations to quark-gluon plasmas”.

Prior to their visit, the students already had contact with CERN through Jim Virdee, CMS experiment spokesperson, who attended the Intel ISEF in Reno this year and gave the keynote speech at its Grand Opening Ceremony. Wolfgang von Rüden, head of CERN openlab, who accompanied the students during their stay at CERN, explained: “When Craig Barrett visited CERN in January we talked about ISEF. I proposed a visit to CERN as an additional prize to some of the best students, which Craig immediately accepted. We were very impressed by the highly competent students and their interaction with us. We enjoyed the visit as much as they did.”

Since the start of CERN openlab in January 2003, Intel and CERN have not only been collaborating on scientific projects but also on educational activities. Every year, young IT students participate in the CERN openlab Summer Student Programme to work on the joint projects and attend lectures given by CERN experts and openlab partners. Workshops on advanced topics are also jointly organized to disseminate the knowledge created through these projects.

Thomas H Osburg, director of Europe corporate affairs for Intel Corporation, was present at CERN to meet the students and to discuss education activities. He stated that: “Supporting tomorrow’s innovators is a priority for both Intel and CERN, and I am glad that this co-operation complements what we do jointly in research and technology.”

Figure: The 13 students in the CMS cavern with Jim Virdee and Wolfgang von Rüden during their visit. Image courtesy of Michael Hoch.

Useful links
Visit programme: http://indico.cern.ch/conferenceDisplay.py?confId=62155
CERN openlab news: http://cern.ch/openlab-news
More information about the winners and the organization: www.intel.com/education/ISEF/ and www.societyforscience.org/ISEF/

Mélissa Le Jeune, IT-DI (CERN openlab)

Look out for the September issue of CERN Courier, featuring the story of the experiment.

Announcements and news

Computer team advises reviewing your security now and frequently

The start-up of the LHC is foreseen to take place in the autumn and CERN will be in the public spotlight again. This increases the necessity to be vigilant with respect to computer security and the defacement of an experiment’s webpage last September shows that we should be particularly attentive. Attackers are permanently probing CERN and so we must all do the maximum to reduce future risks.

Security is a hierarchical responsibility and requires us to balance the allocation of resources between making systems work and making them secure. All of us, whether users, developers, system experts, administrators or managers, are responsible for securing our computing assets. These include computers, software applications, documents, accounts and passwords. There is no “silver bullet” for securing systems, it can only be achieved by a painstaking search for all possible vulnerabilities followed by their mitigation.

Additional advice on particular topics can be obtained from the relevant IT groups or members of the security team, but here we include a basic list of items to be considered by all CERN computer users.
• Review access rights to your computers and documents (InDiCo, EDMS, TWiki, etc), as well as files and directories on AFS, DFS and local disks. Don’t give write access if read access is sufficient and limit access only to those who need it.
• Protect websites. Very few should be publicly accessible and those that are should not reveal details of system architecture and design, computer configurations or source code.
• Ensure that accounts have been closed for individuals who have left.
• Reduce the number of service accounts where possible.
• Harden computers by removing unnecessary applications, disable unneeded services such as for web, FTP, etc, use automated update and patching services as well as up-to-date anti-virus software for PCs (but also for embedded devices like oscilloscopes), upgrade Scientific Linux CERN from SLC3 to SLC5, use local firewalls to block both incoming and outgoing traffic that is not expected.
• Protect private SSH keys.
• For experiment networks, review central firewall openings and whether devices need to be trusted or exposed.

Further information about how to improve computer security can be found on the internet at http://cern.ch/security/ and www.isseg.eu. These websites include material on risk analysis, training and recommendations for general users, developers and system administrators. As well as the many security awareness presentations that are available, training courses can also be found on writing secure code and secure web applications (see http://cern.ch/security/training).

CERN Computer Security Team, e-mail [email protected]

EGEE-III project is on track for EGI transition

In late June, as part of the first EGEE-III review, an EC-appointed review panel listened to two days of presentations about the state and direction of the project and followed the live demonstrations of applications and software developments.

The large scale of the infrastructure, the scope of the engagement with a diverse user community and a successful comprehensive training programme were commended by the review panel. The progress made on interoperability, the adoption of OGF standards in production grids, IPv6 support and the better balance between middleware development, testing and deployment were also noted.

The panel commended the project for planning in advance for the transition to the European Grid Initiative (EGI). All of the suggested changes to the Description of Work for transitioning to EGI during the next year – as well as the deliverables and milestones – were approved.

While the full details of how EGI will come in are still being finalized, this endorsement gives the project added confidence that it is headed in the right direction to meet its goals. The most important of which is to work with the projects coming after EGEE to ensure that there is a smooth, continued support of the infrastructure into EGI. The project is rated as having made “good to excellent progress” (the top rating available) and 19 recommendations were made, which will be the subject of a dedicated face-to-face meeting of the activity managers in early September.

An important checkpoint in preparing for EGI will be the EGEE’09 conference in Barcelona on 21–25 September. Many of the activities will be using the meeting to report on their progress in implementing the changes needed for the transition to EGI and planning the activity for the final six months of the project. The community will also be elaborating details of the EC projects that will be submitted to continue the work started within EGEE.

After this event we will have a clearer picture of which NGIs will be contributing to the infrastructure and who will be providing the critical EGI services. The Specialized Support Centres will have established their links with their European-wide community stakeholders and the support they will be obtaining from interested NGIs. The middleware consortia will also be able to present their view as to how European middleware will evolve in the EGI era.

Useful links
EGEE-III first review: http://indico.cern.ch/conferenceDisplay.py?confId=53198
EGI: http://web.eu-egi.eu/

Danielle Venton, IT-EGE

If you want to be informed by e-mail when a new CNL is available, subscribe to the mailing list cern-cnl-info. You can do this from the CERN CNL website at http://cern.ch/cnl.

Grid news

Scientists demonstrate the role of CMS in computing Grid

Figure: The LHC@FNAL Remote Operations Centre at Fermilab is located on the first floor of Wilson Hall. Image courtesy of Fermilab.

Last autumn’s unplanned shutdown of the Large Hadron Collider (LHC) was a disappointment for physicists around the world. But for organizers of the computing Grid supporting the collider’s detectors, it was an opportunity to keep working hard. For the first two weeks of June, instead of flooding the Grid with data from actual particle collisions, experiment collaborators at CERN and remote computing sites in Europe, Asia, and North America joined up to test the ability of the collider’s Worldwide LHC Computing Grid (WLCG) to record, transfer and analyse simulated data in a step-by-step “production demonstration”.

Scientists conducted a series of challenges, collectively called the Scale Test of the Experimental Program 2009 (STEP09). All four LHC experiments participated in the test. For example, at the CMS experiment, they first tested the archiving of older recorded data from CERN to CMS’ seven Tier 1 computing sites. There, scientists checked the Tier 1 central processing power as they shuttled data to Tier 2 sites. Finally, they challenged the full physics analysis capacity of the Tier 2 sites. On 15 June, as the curtains closed on STEP09, Oliver Gutsche, a Fermilab physicist who was one of those participating in the effort for the CMS experiment, declared the overall performance “very good”.

While the CMS portion of this Grid – like the rest of the WLCG – was ready to take data last September, says Gutsche, the test “gave us an opportunity to test parts that could not be tested on the previous schedule”. It also showed how the system will function under simultaneous demands from the LHC’s three other detectors.

A primary STEP09 goal was testing the tape systems at CERN and Tier 1 computing centres. When the LHC is operating, computers at CERN will need to record – “write to tape” – at least 15 Petabytes of data per year. Thanks to this run-through, Gutsche said: “We are confident that CERN could write to tape at the speeds needed”, when data from collisions begin pouring in.

Another key goal was gauging the analysis capabilities of Tier 2 computing centres. CMS aimed to employ 50% of the Grid’s analytical power and while only an ongoing study can prove that it succeeded, Gutsche says that the prognosis looks good. During STEP09’s 13-day run, Tier 2 centres performed more than 900 000 analysis jobs. However, the test revealed that there is room for improvement.

Making a good thing better
Operators at CERN and the remote computing sites were forced to work long hours, particularly in the pre-staging process. But their efforts revealed principles that will ease the future automation of these procedures. “Sites are happy because we stressed them and they learned how to run more efficiently,” said Gutsche. “Now they have ideas for what they can improve.”

Echoing this observation was Ian Fisk, a CMS collaborator at Fermilab. “We wanted to show that we could run on ‘non-hero-mode’,” he said. “We want to finish a test saying, ‘That was easy. We could run for a year at that level.’”

Jamie Shiers of CERN, who organized the computing tests, including STEP09, said: “Many of the Tier 1s, and the Tier 0, sustained a load that was artificially high – certainly higher than early data taking – with generally smooth and sustainable operations. But a few sites did not and this has triggered us to undertake a perhaps overdue analysis of the root causes with a clear desire to fix and retest. We saw significant progress since a year ago.”

Shiers added: “For Tier 2s, the results were more variable: Monte Carlo production is clearly a largely solved problem. As for analysis, some sites – even very large ones – did extremely well, while others did not. Once again, we need to understand the root causes and fix them. In some cases, this may be hard: there has been a feeling for quite some time that the external network bandwidth for at least some sites is not large enough and that the internal bandwidth all the way to the data is also too small. Most likely they will need major configuration changes.”

Starting in July, CMS scientists have been using the Grid to analyse cosmic ray data, which stream into the detector even when the accelerator is off. When the LHC turns on – in November, says CERN’s director-general – the real challenge will begin.

Useful links
WLCG: http://cern.ch/LCG/
CMS FNAL Remote Operations Centre: www.uscms.org/roc

Rachel Carr, Fermilab, for iSGTW
• This article was published online in iSGTW on 8 July.

6 CERN Computer Newsletter • July–September 2009 Technical brief Indico’s new face goes live

Indico has become a ubiquitous application at CERN, hosting (at the time of writing) almost 80 000 events and more than 300 000 contributions. It is a precious tool that allows users to benefit from a common platform that goes beyond a simple agenda system, and encompasses a complete event lifecycle-management tool. In spite of its uniqueness and rich Fig. 1. A French translation of Indico is already available and other languages will follow. feature set, Indico has not escaped the effects of time: it was conceived at the beginning of this decade, based on the web technology available at the time, and was not really focused on user-friendliness or intuitiveness. In 2007, at the peak of the social web revolution, the differences between state-of-the-art web applications and the likes of Indico became evident. Criticisms centred on the complexity of the tool and the excessive number of mouse clicks required to perform any operation. In addition, the overall look and feel of the application was a little dated. Fig. 3. Inline editing, in editing mode. To address these problems, a series of studies was conducted. In the first phase, Indico was evaluated against the usability Fig. 2. The event-creation form. guidelines and best practices; and in the second phase, user feedback was carefully analysed, so that particular cases could be identified and user expectations addressed.

New Indico is now online
We are proud to announce that the new Indico is ready for use, albeit in beta form, at http://indicobeta.cern.ch. As with any new interface, users will need to familiarize themselves with it. However, we feel that people will find this investment worthwhile. Most should find it intuitive and simple because we have reused existing concepts and practices that have become de facto standards on the web.

Internationalization
Nowadays, internationalization is an essential feature for all web applications. With a large community of non-English-speaking users, the availability of different languages is a request that needs to be filled. The new Indico interface offers internationalization and a French translation is already available (other languages will follow). The tools that are being used allow other people to contribute and to easily translate the interface to any conceivable language. This important improvement will meet the demands of several educational institutions around the world. Figure 1 demonstrates that it is easy to switch languages in Indico and shows the final result after switching to French.

Simplified event creation
With the old Indico interface, a user would need to browse to the correct category and select the kind of event before creating an event. Now things are much easier. The “Create event” option is available everywhere, and the creation form (figure 2) is much simpler. It is a two-step process that involves choosing a target category and filling in some basic information about the event (an option to toggle to some “advanced” parameters is also available). The target category can be selected using an interactive category-browsing widget but if the operation is performed within a specific category, then this will be taken as default.

Inline editing
Lots of modern web applications make use of a technique called “inline editing”, which allows the user to change information directly without having to switch to a modification view/form. We decided to give it a try with Indico and the results have so far been very positive. Inline editing is currently available from the “General settings” page (figure 3). For now, users can still use the old style to edit event data, but this will be discontinued if feedback remains positive.

Pop-up dialog boxes
One of the cornerstones of the new Indico interface is the idea that simple operations should not require a lot of page transitions. To achieve this goal, we have replaced some of the “auxiliary” forms with pop-up dialog boxes, reducing page transitions. Various operations such as “adding minutes”, “uploading files” and “searching for users” (figure 4) have been greatly simplified by this new approach.

Shorter event list
The list of events inside a category can be quite long, for example in the case of long-standing periodic meetings. To make it easier and faster for the user, we have limited the number of events displayed to only the current month, and if there is space, its neighbours (figure 5). If other events are required, simply click on “Show them” and the display will be updated.

Fig. 4. The new user search dialog.
Fig. 5. The grey box at the bottom can be clicked to display the full list of events.
Fig. 6. Category search suggestion box.
Fig. 7. The new timetable display interface. The pop-up contains extra information.

Improved category search
Searching for a particular event or category used to be a tedious task. Searching for a category was not possible and meant that the user had to browse through the categories to reach the required target. To solve this issue, we have introduced an “auto-suggest” feature in the search box (figure 6), which suggests category names matching the text input so far. Both the mouse and the arrow keys can be used to select the desired category.

New graphical conference timetable
The brand new timetable display interface is a groundbreaking feature (figure 7). It was completely rewritten from scratch, with flexibility and user-friendliness in mind. It now allows the user to browse the sessions and contributions in a graphical way that can be filtered by session and room. All of the information and functionality that was available in the old interface remains accessible, but in a simpler, more intuitive way. In management mode, the timetable view has been improved as well, and research is currently in progress to make drag and drop possible.

Customizable conference portals
Over the years, we have often been asked for more layout flexibility. In particular, many conference organizers did not want to use the default Indico layout. They would choose to create a “general site” for the conference and then link to the Indico page. From our perspective this was a great loss for both parties. It was possible for event managers to create custom pages with Indico before, but this feature was rarely used. We believe that by providing an additional level of customization, the new Indico conference site will better meet users’ expectations. Indico now allows the conference organizers to upload their own Cascading Style Sheet files, making it possible to customize the look and feel of the pages. Some default templates are also available (figure 8).

Fig. 8. Examples of the default templates. Styles and element positions can be changed.

Conclusions
The modifications to Indico are the result of two years of work and go from simple changes to the web interface to rethinking processes and operations deep in the core of Indico. We have put a lot of dedication and thought into this new interface, trying to make it as simple to use as current web technology allows. We hope that you feel as enthusiastic about it as we do. Send any feedback to [email protected].

Useful links
Indico beta: http://indicobeta.cern.ch/
CHEP’09 presentation “Indico Central – Events Organisation, Ergonomics and Collaboration Tools Integration”: http://cdsweb.cern.ch/record/1177417
José Benito Gonzalez and José Pedro Ferreira, IT-UDS, on behalf of the Indico team

CERN updates Wi-Fi network
Wi-Fi, a well known trademark for certified products based on the IEEE 802.11 standards, has become a widely used technology. The recent rise in the use of laptops, PDAs and other devices operating wirelessly has further increased the demand for Wi-Fi connectivity. It is an adequate solution for staying connected outside the office in places such as conference rooms and libraries, but also in hallways, cafeterias and open spaces. IT-CS operates more than 500 wireless base stations around CERN, mainly in public areas. This is progressively being improved.

With the successive improvements to 802.11 technology and its increased popularity, some believe that Wireless Local Area Networks (LANs) can replace classical wired LANs. Is this the case? Wi-Fi technology is designed to extend the wired network by providing wireless connectivity but it suffers from a certain number of limitations because it is impossible to master the communications medium, i.e. the air. Therefore, one weakness will come from the way in which the radio waves propagate.

Fig. 1. The data rate in Building 31-S when the access points work on three independent channels. The maximum rate is achievable in most of the floor with no coverage hole.
Fig. 2. The maximum data rate when the access points work on the same channel, creating large interference areas (white) where connectivity is unstable or impossible.

Radio-frequency obstacles and interferences
As for mobile telephony (e.g. GSM) or other radio technologies, no radio frequency (RF) coverage can be perfect. As such, during their propagation, radio waves are affected by several phenomena such as reflection, refraction, diffraction or absorption, which will distort the original wave pattern. When dealing with indoor environments, like the CERN buildings, the effects are even worse due to the high number of obstacles such as walls, ceilings, doors and cabinets. Moreover, this coverage evolves due to changes in the surrounding environment, such as opening of doors and movement of elevators or furniture. When planning RF deployments, we attempt to optimize wireless coverage, but this coverage is not homogeneous around the access points and potentially degraded areas will appear at some places. As a consequence, the Wi-Fi client will decrease its data rate to reduce the bit error ratio and preserve the quality of the connection as far as possible.

Because Wi-Fi uses radio waves on unlicensed bands, the transmission is likely to interact and be disturbed by other sources operating at the same frequency, such as microwave ovens and cordless phones. However, IEEE 802.11 devices may also interfere with each other, e.g. stations connected to the same radio cell facing the hidden node issue. But the most disastrous impact on the RF quality is caused by co-channel interferences coming from neighbouring access points, working on the same channel or overlapping ones (a particular problem with the 802.11b/g where only three channels are usable). Adding more base stations is not a solution because in most cases this will degrade the communication even further.

Wi-Fi performance
The connection data rate indicated on a wireless device corresponds to the nominal bandwidth of the physical layer. This is different from the payload throughput available for transferring data. Before transmitting any payload packet, a complex mechanism takes place to establish and manage the wireless communication. This consumes a lot of time and dramatically increases the transport overhead. Consequently, the available payload throughput is reduced by more than 50%. Table 1 shows the most common IEEE 802.11 standards and their typical rates.

Table 1. IEEE standards
IEEE standard     Maximum physical rate (Mbps)   Maximum typical throughput (Mbps)   Release date
802.11a           54                             23                                  1999
802.11b           11                             4.3                                 1999
802.11g           54                             23                                  2003
802.11n (draft)   450                            140                                 expected late 2009

The 802.11a/b/g/n standards are half-duplex, which means that a device can either transmit or receive data, but not at the same time. In the Wi-Fi world, the bandwidth is shared in an unfair way between all of the clients in the same area. Serious performance degradation can be observed due to reduced available throughput and an increase in latency and jitter.

In Wi-Fi communications, many factors reduce the expected performance of wireless connections, e.g. location, interference, station density and limitations in the technology. Wi-Fi does provide mobility and will continue to be deployed at CERN as technology advances are made. However, the CERN wired infrastructure remains better in terms of performance and reliability. Consequently, you are strongly recommended to use wired connections in offices where possible to benefit from network rates up to 1 Gbps. If all of the plugs are in use at a location, it is possible to connect several computers to the same socket using a FANOUT, available from the CERN Stores (SCEM: 80.02.08.030.0).

Useful link
Wi-Fi site: http://cern.ch/wireless
Sebastien Ceuterickx, IT-CS
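The co-channel constraint described in the Wi-Fi article above (only three usable 802.11b/g channels, and extra base stations making matters worse) can be checked for a floor with a small search. This is an added example, not CERN's planning tool; the access-point names, the neighbour lists and the choice of channels 1, 6 and 11 as the three non-overlapping channels are assumptions.

```python
"""Added illustration: co-channel conflicts when only three channels are usable."""
from itertools import product

# Assumption: the three non-overlapping 2.4 GHz channels conventionally
# used for 802.11b/g deployments.
CHANNELS = (1, 6, 11)


def co_channel_pairs(plan, neighbours):
    """Return the neighbouring AP pairs that share a channel in this plan."""
    return sorted((a, b) for a, b in neighbours if plan[a] == plan[b])


def best_plan(aps, neighbours, channels=CHANNELS):
    """Search every channel plan and return (plan, conflicts) with the
    fewest co-channel neighbour pairs.

    Exhaustive search costs len(channels) ** len(aps) plans, which is fine
    for one floor; a campus-wide planner would need a heuristic instead.
    """
    best = None
    for combo in product(channels, repeat=len(aps)):
        plan = dict(zip(aps, combo))
        conflicts = co_channel_pairs(plan, neighbours)
        if best is None or len(conflicts) < len(best[1]):
            best = (plan, conflicts)
            if not conflicts:
                break  # cannot do better than zero conflicts
    return best


# Constructed sample: three APs on one floor that can all hear each other.
FLOOR_APS = ["ap-1", "ap-2", "ap-3"]
FLOOR_NEIGHBOURS = [("ap-1", "ap-2"), ("ap-1", "ap-3"), ("ap-2", "ap-3")]

# Constructed sample: the same floor after adding a fourth AP that is
# within radio range of the other three.
DENSE_APS = FLOOR_APS + ["ap-4"]
DENSE_NEIGHBOURS = FLOOR_NEIGHBOURS + [
    ("ap-1", "ap-4"),
    ("ap-2", "ap-4"),
    ("ap-3", "ap-4"),
]

if __name__ == "__main__":
    for label, aps, neighbours in (
        ("3 APs", FLOOR_APS, FLOOR_NEIGHBOURS),
        ("4 APs", DENSE_APS, DENSE_NEIGHBOURS),
    ):
        plan, conflicts = best_plan(aps, neighbours)
        print(label, plan, "co-channel pairs:", conflicts)
```

With three mutually audible access points every cell gets its own channel; the fourth one cannot be placed on any channel without sharing it with a neighbour, which is the degradation the article warns about.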

Prague hosts CHEP conference

The old city of Prague blends with its modern aspects to provide a suitable setting for CHEP’09. Image courtesy of CHEP’09 organizers.

The CHEP series of conferences, held every 18 months, covers the wide field of computing in high-energy and nuclear physics. CHEP’09 was the 17th meeting and attracted 615 attendees from 41 countries. It was held on 23–27 March in Prague. The conference was co-organized by CESNET, Charles University in Prague – Faculty of Mathematics and Physics, Czech Technical University, the Institute of Physics and the Nuclear Physics Institute. Throughout the week some 560 papers and posters were presented. As usual, given the CHEP tradition of devoting the morning sessions to plenary talks and limiting the number of afternoon parallel sessions to around six or seven, the organizers found themselves short of capacity for oral presentations. This time 500 offers were received for 200 programme slots with the rest being shown as posters, split into three full-day sessions of around 100 each day. The morning coffee break was lengthened to permit the attendees to browse the posters and discuss them with the authors.

Given the timing of the event, a large number of the presentations related to computing for the LHC experiments but there was also a healthy number of contributions from experiments taking place elsewhere in the world, including the US labs BNL, Fermilab and SLAC (where BaBar is still analysing its data although the experiment has stopped data-taking), KEK in Japan and DESY in Germany.

The conference was preceded by a Worldwide LHC Computing Grid (WLCG) workshop, which was summarized by Harry Renshall (CERN). There was a good mix of Tier 0, Tier 1 and Tier 2 representatives. It started with a review of each experiment’s plans, all of which include more stress testing in some form before the restart of the LHC. EGEE to EGI transition is an issue, as is the lack of a winter shutdown in the LHC plans. The workshop summary was that ongoing emphasis should be put on stability, preparing for a 44-week run and continuing the good work on data analysis.

, CERN director for research and scientific computing, gave the opening talk of the conference, reviewing the LHC start-up and initial running, the steps being taken for the repairs after the incident of 19 September and how to avoid any repetition, and the plans for the restart. He compared the work being done currently at Fermilab and how CERN will learn from this in the Higgs search. Les Robertson (CERN), who led the WLCG project through the first six years of its life, discussed how we got here and what’s next. A very simple grid was first presented at CHEP in Padova in 2000 and he labelled the 2000s as the decade of the Grid. Thanks to the development and adoption of standards, grids have developed and matured, and an increasing number of sciences and industrial applications have made use of them. But Robertson thinks that we should now be looking at locating Grid centres where energy is cheap, using virtualization to share processing power better and starting to look at clouds.

The theme of using clouds came up several times later in the meeting, for example the Belle experiment at KEK is experimenting with the use of clouds for Monte Carlo simulations in its planning for SuperBelle; and the STAR experiment at BNL (Brookhaven) is also considering using clouds for Monte Carlo production. Another of Robertson’s suggestions for future work – virtualization – was one of the most common topics throughout the week in terms of contributions. Different uses of it cropped up time and again in multiple streams.

Among the other notable plenary talks was that by Neil Geddes (STFC, Rutherford Laboratory) who asked “can WLCG deliver?” and deduced that it can, and it does, but that there are many challenges left to face. Kors Bos (ATLAS) compared the different approaches to computing across the LHC experiments, pointing out similarities and differences. Ruth Pordes (Fermilab), executive director of the Open Science Grid (OSG), described work happening in the US with regard to evolving grids, making them easier to use and more accessible to a wider audience.

The conference had a number of commercial sponsors, in particular IBM, Intel and Sun Microsystems, and part of the Wednesday morning was devoted to speakers from these firms. IBM used its slot to describe a machine that it says offers cooler, denser and more-efficient computing power. Intel focused on an effort to get more computing for less energy, noting work done under the openlab partnership with CERN. Intel hopes to partially address this by increasing computing energy efficiency (denser packaging, more cores, more parallelism) because they realize that power is constraining growth in every part of computing. The Sun speaker presented some ideas on building state-of-the-art data centres. He claims that raised floors are dead – he proposed “containers” or a similar pod architecture that has built-in cooling and a modular structure connecting to overhead hot-pluggable busways. Another issue is to build “green” centres and he quoted solar farms in Abu Dhabi and a scheme to use free ocean cooling for floating ship-based computing centres.

It is impossible to summarize the seven streams of material presented in the afternoon sessions but some highlights deserve to be mentioned. The CERN-developed Indico conference tool was presented and statistics showed that it has been adopted by more than 40 institutes and manages material for an impressive 80 000 events. The summary of the 44 Grid middleware talks and 76 poster presentations was that production grids are here, Grid middleware is usable, standards are evolving but have a long way to go, and network bandwidth use seems to keep pace with technology. From the Distributed Processing and Analysis stream of talks came the message that a lot of work has been done on user-analysis tools since the last CHEP, with some commonalities between the LHC experiments. Data management and access protocols for analysis are a major concern and the storage fabric is expected to be stressed when the LHC starts running.

Dario Barberis (ATLAS) presented the conference summary. He had searched for the most common words in the 500 submitted abstracts and the winner was “data”, sometimes linked with “access”, “management” or “analysis”. He noted that users want simple access to data so we need to provide easy-to-use tools to hide the complexity of the Grid. Of course “grid” was another of the most common words but the word “cloud” did not appear in the top-100 although it was much discussed in plenary and parallel talks. For Barberis, a major theme was performance, at all levels from individual software codes to global Grid performance. He felt that networking is a neglected but important topic (for example, the famous digital divide and end-to-end access times). His conclusion was that performance will be a major area of work in the future and a topic at the next CHEP in Taipei on 17–22 October 2010.

Useful links
CHEP’09 trip report: http://cdsweb.cern.ch/record/1173073?ln=en
CHEP’09 programme including presentations: http://indico.cern.ch/conferenceTimeTable.py?confId=35523
Alan Silverman, IT-DI
• A version of this article was published in CERN Courier, July 2009.

Workshop identifies steps to reap benefits from multicore and virtualization technologies

Driven by advances in two of its research and development projects (Parallelization of Software Frameworks to Exploit Multicore Processors and Portable Analysis Environment using Virtualization Technology) CERN organized a workshop on 24–26 June about adapting applications and computing services to multicore and virtualization technologies. The workshop brought together experts from industry, developers using these technologies and IT service providers at CERN. It provided an understanding of what can be achieved and identified a set of actions required for physics applications to further exploit multicore and virtualization technologies.

The workshop was structured into sessions on technology, application requirements, computing services and Grid services. Although they had a CERN focus, presentations and discussions were enhanced by contributions from representatives of institutes elsewhere in Europe and from North America.

From a technology viewpoint, the number of cores per machine will continue to increase in the near future and the challenge becomes implementing software in ways that can efficiently exploit them. The increased number of cores per machine has helped to drive the rapid adoption of virtualization. In addition to its benefits for resource consolidation, virtualization creates opportunities for a more flexible approach to offering computing services. Both technologies are rapidly maturing, particularly in terms of performance and management tools. Physics applications can benefit from these advances but computing services need to adapt to support them.

Application requirements were presented in terms of the promising experience so far using multicore and virtualization together with requests for support beyond test environments. As expressed by Paolo Calafiura: “ATLAS is ready to transition from prototypes to production.” The presentations on IT and Grid services completed the picture with information about available and planned services.

From the fruitful discussions that ensued, the follow-up actions below were identified. These, together with increased understanding and collaboration, represent the results of the workshop.

Actions at CERN:
• provide infrastructure in CERN’s computer centre for the preparation of CernVM images and the Virtual Organization’s application software delivery to them. CernVM images are generated by tools of the CernVM project, http://cern.ch/CernVM, which provides a virtual software appliance for developing and running LHC data analysis.
• include the capability to run CernVM images in CERN’s virtualized batch initiative.
• test scheduling options for parallel jobs in mixed workload environments.

Actions requiring Grid-wide collaboration:
• establish procedures for creating images that can be trusted and run at Grid sites. This is needed for Virtual Organizations to be able to run their images at Grid sites.
• investigate scenarios for reducing the need for public IPv4 addresses on Worker Nodes. Virtualization is increasing IP address usage and given the IPv4 address limitations (www.ipv6actnow.org) public IPv4 addresses need to be used wisely.
• deploy multicore performance and monitoring tools (e.g. KSM, PERFMON) at CERN and at other Grid sites.
• provide input to initiatives for running multicore jobs Grid-wide, e.g. EGEE’s MPI (Message Passing Interface) Working Group recommendations.

Interoperability with clouds:
• prototype a solution to run Grid jobs on cloud resources.

Further information can be obtained from the slides and an executive summary of the workshop, which are linked from the agenda page: http://indico.cern.ch/conferenceDisplay.py?confId=56353.
Denise Heagerty, IT-FIO

HEPiX event arrives in Sweden
More than 250 sites from all over the world provide computing services for the particle-physics community, for example in the framework of the Worldwide LHC Computing Grid (WLCG) project. Many sites are facing the same challenges and problems, so why not share insights and solutions? That’s the idea behind HEPiX, an informal organization that holds workshop-style meetings twice a year.

The spring 2009 meeting was hosted by Umeå University in Sweden on 25–29 May. Umeå is a town on the Baltic coast, only 350 km south of the Arctic Circle. Academia is very important in Umeå: little more than 100 000 people live in the town and the two universities have almost 30 000 students. The Scandinavian countries contribute a special Tier 1 to LCG – it is distributed among a number of sites, one of which is Umeå.

Some 100 attendees registered, surpassing the expectations of the HEPiX board and the local organizing committee, led by Mattias Wadenstein. There were more than 50 scheduled presentations, organized in tracks covering virtualization, storage and file systems, operating systems and applications, security and networking, and data centres. Full details are available from Indico: http://indico.cern.ch/conferenceDisplay.py?confId=45282.

Virtualization
This track attracted the most interest. Although forward-looking presentations on the technology and vague usage ideas were still around, they were complemented by reports concerning production experience and benchmarking. This showed that virtualization has matured. For example, it is being used in production facilities to provide high-availability services, a large and highly flexible test facility for software testing, the possibility to run experiment-specific images, etc. Security concerns were also discussed. Detailed comparisons showed the strengths and weaknesses of popular hypervisors, such as XEN, KVM, VMware and HyperV, and demonstrated that under certain circumstances virtual machines can even perform better than physical ones. The track then focused on computing clouds, mentioning both commercial and academic solutions including first cost estimates and the significant security aspects. A full Grid site has already been successfully run on a commercial cloud.

Storage and file systems
Storage was a central theme. The session provided an overview of the HEPiX file system Working Group activities as well as presentations targeted at specific technologies. The Working Group results included measurements of their standard benchmark with the General Parallel File System (GPFS) for clusters, complementing earlier results with Lustre, AFS and other file systems. The AFS performance is rather poor for large files, but can be considerably improved by object extensions – the AFS client accesses the object store directly rather than through a single, bottleneck AFS server. CERN presentations were on Internet Small Computer System Interface (iSCSI) storage and Lustre evaluation.

Operating systems and applications
The presentations and discussions covered Scientific Linux (SL): the end of SL4 support (confirmed for October 2010), the status of SL5 and prospects for SL6. Addressing the need to support new hardware and provide more up-to-date releases of desktop software, FNAL is now offering FermiLinux Short Term Support, currently based on Fedora 10. Another talk described an alternative approach to pack Grid software for the most popular Linux distributions. Further presentations reported experience with Puppet (a configuration manager), Dovecot (an SMTP mail server), OpenSharedroot (a tool to share a root file system across machines for high availability) and Slurm (a resource manager).

Security and networking
Talks described the CERN tools for detecting abnormal network behaviour, an SMS-based system to provide users with a one-time password required on top of the standard username/password combination for ssh access, and new requirements at FNAL when connecting to its network (an automatic software inventory is compulsory).

Data centres
This session saw two contrasting talks: one from a site that is launching a project to build a new data centre (they are full of optimism and faith) and one from a site that has just finished building a centre (their degree of optimism is quite a bit lower).

Conclusion
The meeting offered a broad spectrum of presentations, which led to intense discussions during the breaks. New opportunities for commonalities and collaborations were identified, and existing partnerships received a boost. The next meetings are scheduled for 26–30 October at LBNL in Berkeley, spring 2010 in Lisbon and autumn 2010 in the US.

Useful link
HEPiX website: www.hepix.org
Helge Meinhard, IT-FIO

Calendar

September
27 September – 2 October, 13th European Conference on Digital Libraries
Corfu, Greece
www.ecdl2009.eu/

October
6–10, 2nd International Conference of Security of Information and Networks (SIN’09)
Gazimagusa, North Cyprus
www.sinconf.org/

8–9, European Computer Science Summit (ECSS 2009)
Paris, France
www.informatics-europe.org/ECSS09/

12–13, 3rd International Symposium on Intelligent Distributed Computing (IDC 2009)
Ayia Napa, Cyprus
www.idc2009.cs.ucy.ac.cy/

12–14, Cracow ’09 Grid Workshop (CGW’09)
Krakow, Poland
www.cyfronet.krakow.pl/cgw09/

12–16, 12th International Conference on Accelerator and Large Experimental Physics Control Systems (ICALEPCS 2009)
Kobe, Japan
http://icalepcs2009.spring8.or.jp/

12–16, Open Grid Forum (OGF27)
Banff, Canada
www.ogf.org/OGF27/

12–17, First INFN International School on “Architectures, tools and methodologies for developing efficient large scale scientific computing applications” (ESC09)
Bertinoro, Italy
http://web.infn.it/esc09/

13–16, 17th IEEE International Conference on Network Protocols (ICNP)
Princeton, US
www.ieee-icnp.org/2009

21–23, 8th International Conference on Software QA and Testing on Embedded Systems (QA&TEST 2009)
Bilbao, Spain
www.qatest.org/en/registration/registration.php

21–23, eChallenges e-2009 Conference
Istanbul, Turkey
www.echallenges.org/e2009/

27–29, Third National Meeting of Security Industry (ENISE III)
León, Spain
www.enisa.europa.eu/
