Dario

Members
  • Content count

    2
  • Joined

  • Last visited

  1. DESCRIPTION: Altair Engineering is releasing this advisory to customers running PBS Works (Compute Manager, Display Manager, Results Visualization Service, Simulation Manager, Access Management Service, PBS Application Services) to alert them of a security vulnerability. This vulnerability affects customers whose network policies allow arbitrary systems to directly connect to the PBS Works server when encrypted connections (HTTPS) to the PBS Works services are enabled. The vulnerability affects the SSL 3.0 protocol and is known as POODLE Bug or POODLEbleed. An attacker who successfully exploits this vulnerability could intercept data that’s supposed to be encrypted. SEVERITY RATING: Critical RECOMMENDATION: Altair recommends that customers who allow arbitrary systems to have direct network access to the PBS Works system either apply an updated version or fix their configuration as outlined below in a timely fashion. AFFECTED SOFTWARE: All versions of PBS Works prior to v12.1.0 SCHEDULE OF AVAILABILITY OF UPDATE: PBS Works 12.1.0 Available Nov 2nd NOTE: Altair advises customers running any release prior to v12.1.0 to update. SECURITY UPDATE: The updates and packages are being made available to all customers running PBS Works with current maintenance and support contracts. INSTRUCTIONS TO OBTAIN UPDATE: Please send an email to: pbssupport@altair.com OR pbssales@altair.com Or use https://connect.altair.com/ to request the latest version. Please include the version of PBS Professional you are running, the operating system you are using, and the hardware/platform you are running on. This will help us expedite your request. SUGGESTED SECURITY FIX WHEN UPGRADE IS NOT POSSIBLE: In <PORTAL_HOME>/thirdparty/apache/tomcat/conf/server.xml file of installed Compute Manager find the following section: <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreFile="${HWE_INSTALLATION_DIRECTORY}/config/ams.keystore" keystorePass="changeit”/> Modify the above to list only the following SSL protocols: sslProtocols="TLSv1, TLSv1.1, TLSv1.2" As in this sample: <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocols="TLSv1, TLSv1.1, TLSv1.2" keystoreFile="${HWE_INSTALLATION_DIRECTORY}/config/ams.keystore" keystorePass="changeit”/> In order to verify the fix one can use e.g. the tool provided by Symantec: (http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed) or some other similar tool, which are now widely available. For further information see also: http://ww3.digicert.com/G0P0Kv30ZnGKW0sJ0000YOY http://ww3.digicert.com/p0G00W00oK0Y0LOPsJ0YZv3 https://www.digicert.com/ssl-support/disabling-browser-support-ssl-v3.htm Please contact pbssupport@altair.com or pbssales@altair.com if you need additional information.
  2. Hello, I've found that SWIG-PBS Professional interface is working pretty well for me, thought I post some notes here on how it can be used. What's SWIG? SWIG is an acronym for Simplified Wrapper and Interface Generator. It's a tool for providing various scripting languages with interfaces to code written in C or C++. How Do I Use It? Thanks to the interface information included in PBS Professional it's now very simple to use SWIG with PBS Professional. Ignoring for the moment any complex interface (caused by C language constructs in the PBS Professional APIs that do not have exact translations to Python), one can build a Python module with interfaces to PBS Professional using this interface file /* File : pbs.i */ %module pbs %{ #define SWIG_FILE_WITH_INIT #include "pbs_ifl.h" %} %include "pbs_ifl.h" and compiling it using pypath="/usr/local/bin" # path to python binary pyincludepath="/usr/local/include/python2.5" # Python include path conf=${PBS_CONF_FILE:-/etc/pbs.conf} # PBS configuration file . $conf swig -I$PBS_EXEC/include -python pbs.i gcc -shared -fPIC -I$pyincludepath -I $PBS_EXEC/include pbs_wrap.c $PBS_EXEC/lib/libpbs.a -o _pbs.so -L/lib -lcrypto -lssl If using an SELinux-configured version of Linux, you may also need to chcon -t texrel_shlib_t _pbs.so Example: a simple pbsnodes Let's apply the above to build a very simple version of the pbsnodes utility, call it pbs_statnode.py. This one will support only the -a, -s, and -v flags. from pbs import pbs_connect, pbs_stathost, pbs_statvnode from optparse import OptionParser import sys def print_nodes(batch_status_list): while batch_status_list != None: print "%s" % batch_status_list.name print_node(batch_status_list.attribs) batch_status_list = batch_status_list.next def print_node(attrlist): while attrlist != None: if attrlist.resource != None: print " %s.%s = %s" % (attrlist.name, attrlist.resource, attrlist.value) else: print " %s = %s" % (attrlist.name, attrlist.value) attrlist = attrlist.next if __name__ == '__main__': parser = OptionParser() parser.add_option("-a", "--all", action="store_true", dest="allnodes", help="report all nodes") parser.add_option("-s", "--server", action="store", dest="server", default = "localhost", help="server to query (default \"localhost\")") parser.add_option("-v", "--vnodes", action="store_true", dest="do_vnodes", help="report vnodes") (options, progargs) = parser.parse_args() conn = pbs_connect(options.server) if conn < 0: print "Error connecting to %s" % options.server sys.exit(1) if options.do_vnodes: statfunc = pbs_statvnode else: statfunc = pbs_stathost if options.allnodes: print_nodes(statfunc(conn, "", None, None)) else: for node in progargs: print_nodes(statfunc(conn, node, None, None)) To use it, simply do python pbs_statnode.py -as PBShost PBShost Mom = PBShost.example.com ntype = PBS state = free license = u pcpus = 1 resources_available.arch = hpux10 resources_available.host = PBShost.example.com resources_available.mem = 1310720kb resources_available.ncpus = 2 resources_available.vnode = PBShost.example.com resources_assigned.mem = 0kb resources_assigned.ncpus = 0 resources_assigned.vmem = 0kb resv_enable = True sharing = default_shared Example: a simpler pbsnodes import pbs conn = pbs.pbs_connect(<servername>) b = pbs.pbs_statvnode(conn,<nodename>,None,None) print b.name attribs = b.attribs while attribs!=None: if attribs.resource != None: print attribs.value attribs = attribs.next Complex interfaces: pbs_selectjob Here is one example about generating complex interfaces using <pbs_ifl.h>: extern char **pbs_selectjob (int, struct attropl *, char *); We'll use the SWIG interface file and the Python C interfaces to teach SWIG how to treat the special char ** return type, // This tells SWIG to treat char ** as a special case (for pbs_selectjob()) %typemap(out) char ** { int size; int i; char **r; if ($1 == NULL) { PyRun_SimpleString("print \"%s%s is NULL\" % ( '$', '1')"); PyErr_SetString(PyExc_TypeError, "NULL $1"); } for (size = 0, r = (char **) $1; *r != NULL; r++) size++; $result = PyTuple_New(size); if ($result == NULL) { PyRun_SimpleString("print \"PyTuple_New failure\""); PyErr_SetString(PyExc_TypeError,"PyTuple_New() failure"); return NULL; } for (i = 0, r = (char **) $1; *r != NULL; i++, r++) { PyObject *o; o = PyString_FromString(*r); if (PyTuple_SetItem($result, i, o) != 0) { PyRun_SimpleString("print \"PyTuple_SetItem failure\""); PyErr_SetString(PyExc_TypeError,"PyTuple_SetItem() failure"); return NULL; } } return $result; } // This cleans up the char ** array we malloc'd before the function call %typemap(freearg) char ** { free((char *) $1); } /* File : pbs.i */ %module pbs %{ #define SWIG_FILE_WITH_INIT #include "pbs_ifl.h" %} %include "pbs_ifl.h" After building as above, try it out using this code, import pbs import sys def find_jobs(fd, state): ao = pbs.attropl() ao.next = None ao.name = pbs.ATTR_state ao.resource = None ao.value = state ao.op = pbs.EQ return pbs.pbs_selectjob(fd, ao, None) if __name__ == '__main__': conn = pbs.pbs_connect("localhost") if conn < 0: print "Error connecting to localhost" sys.exit(1) print "job list: %s" % find_jobs(conn, 'R') which we'll call pbs_selectjob.py and use like this, echo sleep 60 | qsub <jobID> python pbs_selectjob.py More information can be found into the PBS Professional Programmer's Guide: />http://www.pbsworks.com/documentation/support/PBSProProgramGuide11.1.pdf Hope this helps, Dario