From: Charles Bacon <[EMAIL PROTECTED]> Subject: Re: [gt-user] globusrun-ws -monitor fails Date: Wed, 30 Jul 2008 16:32:44 -0500
> I'm not sure, but when you don't specify a hostname to globusrun-ws, > you get "localhost". So there is a difference between when you submit > and when you monitor: > I try regain with -factory option of globusrun-ws. But result is same. > 1) During submit, the client uses the name you provided, which in this > case is localhost or 127.0.0.1. Your certificates and hosts appear to > be setup to make that work > 2) During the monitor, the client subscribes to the endpoint provided > by the container. In this case, the container is providing a name, > which you are later changing with the logicalHost. > > As to what's really going on between 4.0 and 4.2, it will be hard to > figure that out if you're unwilling to provide the real values in > these messages and container startups and /etc/hosts. Do your > containers print out a different address when started from 4.0 vs. 4.2? > I see source code of globusrun-ws, so I understood the followings. - In GT4.0.x, globusrun-ws uses GLOBUS_SOAP_MESSAGE_AUTHZ_HOST for host authorization. - In GT 4.2, globusrun-ws uses GLOBUS_SOAP_MESSAGE_AUTHZ_IDENTITY and uses hostname in EPR or factory as target name for host authorization. (globus_l_setup_attribute() in source-trees/ws-gram/client/c/source/globusrun_ws.c) Therefore, when hostname in EPR and factory is IP address, globusrun-ws fails. I executed globusrun-ws with IP address, this result is as follows. * GT4.0.x: $ globusrun-ws -submit -F 192.168.0.100 -c /bin/hostname Submitting job...Done. Job ID: uuid:d2d8c392-5eca-11dd-b542-0030482e6650 Termination time: 08/01/2008 06:35 GMT Current job state: Active Current job state: CleanUp Current job state: Done Destroying job...Done. * GT4.0.x: $ globusrun-ws -submit -F 192.168.0.100 -c /bin/hostname Submitting job...Failed. globusrun-ws: Error submitting job globus_xio_gsi: gss_init_sec_context failed. GSS Major Status: Unexpected Gatekeeper or Service Name globus_gsi_gssapi: Authorization denied: The name of the remote host (example.org), and the expected name for the remote host (192.168.0.100) do not match. This happens when the name in the host certificate does not match the information obtained from DNS and is often a DNS configuration problem. # When subject is specified, globusrunws in GT4.2.0 succeeds. $ globusrun-ws -submit -F 192.168.0.100 -subject-authz '/O=Grid/OU=GlobusTest/OU=simpleCA-example.org/CN=host/example.org' -c /bin/hostname Submitting job...Done. Job ID: uuid:03ecab06-5ed0-11dd-874f-000bdb62a15b Termination time: 07/31/3008 07:12 GMT Current job state: Active Current job state: CleanUp Current job state: Done Destroying job...Done. The remote host is shown by IP address in EPR that the globusrun-ws command with "-batch" option returns by default. However, IP address cannot be used in EPR passed to globusrun-ws. I think that there is a problem in this behavior. How about you? ---- Tatsuhiko Inoue [EMAIL PROTECTED]
