Difference between revisions of "Adoption of Backup GridPP Voms Servers"
(→Test status - testing by VOs: Format after import) |
|||
Line 286: | Line 286: | ||
* [[Adoption of Backup GridPP Voms Servers - CERN@school status|CERN@school status]]. | * [[Adoption of Backup GridPP Voms Servers - CERN@school status|CERN@school status]]. | ||
− | {|border="1" | + | {|border="1" cellpadding="1" |
|+CE and SE - GridPP Sites | |+CE and SE - GridPP Sites | ||
|-style="background:#7C8AAF;color:white" | |-style="background:#7C8AAF;color:white" |
Revision as of 11:46, 9 April 2014
Contents
Introduction
The GridPP voms server hosted at voms.gridpp.ac.uk has been augmented by additional servers at Oxford (voms02.gridpp.ac.uk) and Imperial (voms03.gridpp.ac.uk). Through late September/October 2013, sites should configure the use of these servers for VOs they support.
During the transition, special measures will be used to maintain continuity of service. As it's practically impossible to update the UIs (which produce credentials) and CE/SEs (etc.) (which read them) with the new VOMS server records simultaneously, it's better to update the UIs only after the CE/SEs (etc.) have been done first. Only update the UIs once that is complete (else a UI could make proxies from the new Voms Servers which would fail if they landed on a CE/SE (etc.) that has not been updated yet).
The services which read credentials (i.e. which should be updated first) are:
- CE
- SE
- ARGUS (or equivalent credential servers)
- WMS
- LFC
- WN (???)
- GOCDB (???)
Once this is complete, UIs can be updated (see below).
Sequence of events
The sections below describe the sequence of events that site and VO managers should follow.
- Site managers update their services, except the UIs, to contain the new records (goal: 31 Oct 2013)
- Site managers can do a local test to show that records are OKish. Suitable tests are detailed below in the VOs section, or here: "grid course". (goal: 31 Oct 2013)
- VO managers then have a short window of time to conduct their own tests if they wish.
- Once tests are complete (enough) Chris will declare that it's time to update the UIs and the VOID Operations Portal Records
- Site managers will then update the residual services (namely UIs)
- VO managers will then update their records in the operations portal.
The sites, operations portal etc. will then be capable of normal operations. Steps for each of these operations is given below.
INFORMATION FOR SITE MANAGERS
Intermediate Voms Server Records
This wiki page will be used to coordinate these changes. Eventually new Voms Server information will be added to OPS portal. But during the transition (while the update is being coordinated) the new records will be published as an "intermediate patch" that sites should use to update their CE/SE (etc.) systems, not any UI systems.
Only once that phase is done should the UIs be changed. The records will be added to the operations portal and the Approved VOs will be updated to reflect the new reality.
The Intermediate Voms Server Records should be applied by sites to CE/SE (etc.) systems as soon as reasonably possible after this project starts. The records, in vo.d format, are available here.
http://www-pnp.physics.ox.ac.uk/~mohammad/vo.d/
For tracking purposes it would be useful if sites noted the change in this table. Once everyone has updated their CE/SE (etc.) systems, we can go ahead with the next phase and do the UIs.
Site Name | Date CE/SE (etc.) systems updated | Date UI systems updated |
---|---|---|
RAL Tier-1 | Done 22/10/13 | Not done |
EFDA-JET | Done 2013-11-04 | Not done |
UKI-LT2-Brunel | done | Not done |
UKI-LT2-IC-HEP | Done 18/9/13 | Done 3/2/14 |
UKI-LT2-QMUL | Done 2013-10-23 | Not done |
UKI-LT2-RHUL | Done | Not done |
UKI-LT2-UCL-HEP | Done (not necessary) | Not done |
UKI-NORTHGRID-LANCS-HEP | Done 29/10/13 | Not done |
UKI-NORTHGRID-LIV-HEP | Done 2013-10-23 | Done 2014-02-04 |
UKI-NORTHGRID-MAN-HEP | Done 08/10/13 | Not done |
UKI-NORTHGRID-SHEF-HEP | Done | Not done |
UKI-SCOTGRID-DURHAM | Done | Done |
UKI-SCOTGRID-ECDF | Done | Not done |
UKI-SCOTGRID-GLASGOW | CE, SE, WMS(1),Argus Done | Done (03/02/14) |
UKI-SOUTHGRID-BHAM-HEP | Done 2013-10-11 | Not done |
UKI-SOUTHGRID-BRIS-HEP | Done 21.11.2013 | Done 21.11.2013 |
UKI-SOUTHGRID-CAM-HEP | Done 08/10/13 | Done 30/01/14 |
UKI-SOUTHGRID-OX-HEP | Done 14/10/13 | Done 30/01/14 |
UKI-SOUTHGRID-RALPP | 6/11/13 | Not done |
UKI-SOUTHGRID-SUSX | Done (2013-11-13) | Not done |
INFORMATION FOR VO MANAGERS
VO managers should:
- Update their VOID card to include the new VOMS servers
- Test sites (see below) to ensure they have correctly configured these backup VOMS servers
- File GGUS tickets for problem sites
- Update the wiki to record status
Updating VOID card
To end the conversion project, VOs should finally update their VOID card to add:
- voms02.gridpp.ac.uk
- voms03.gridpp.ac.uk
To do this:
- Go to http://operations-portal.egi.eu/vo
- Click on "Manage VO"
- Select VO you want to alter
- Click "Add a VOMS server"
- Voms server: voms02.gridpp.ac.uk
- https port: 8443
- vomses port: same as for voms.gridpp.ac.uk
- Is Vomsadmin server: Leave unchecked
- Port is the same port as on voms.gridpp.ac.uk
- List members URL: Same as for voms.gripp.ac.uk (don't change the host to voms02, leave at voms.gridpp.ac.uk)
- Now add voms03.gridpp.ac.uk using the same procedure.
Testing
VO managers should test that sites supporting their VO are correctly configured for the new VOMS servers (and file GGUS tickets for sites which are not).
Please test:
- voms02.gridpp.ac.uk
- voms03.gridpp.ac.uk
- voms.gridpp.ac.uk (just in case the original config doesn't work either)
First generate a proxy using one of the new VOMS servers:
wget http://www-pnp.physics.ox.ac.uk/~macmahon/voms-testing.tar.gz tar -xzvf voms-testing.tar.gz cd voms-testing export X509_VOMS_DIR=$(pwd)/vomsdir #Get a proxy from voms02.gridpp.ac.uk (changing vo.southgrid.ac.uk to your VO): voms-proxy-init --vomses ./voms02/vo.southgrid.ac.uk --voms vo.southgrid.ac.uk # # ## To generate a proxy from the other backup server do: # voms-proxy-init --vomses ./voms03/vo.southgrid.ac.uk --voms vo.southgrid.ac.uk # The original server can (and should) be used too: # voms-proxy-init --voms vo.southgrid.ac.uk
More details and explanation on generating proxies from these backup servers can be found at VOMSdeployment2013.
Then test services at sites supporting your VO. Examples scripts can be found below (but are not exhaustive), and at the "grid course". When done, please report back the results.
WMS and CEs:
walker@heppc400:~/grid/vomses/voms-testing/snoplus$ cat helloworld.jdl #############Hello World################# Executable = "/bin/echo"; Arguments = "Hello welcome to new VOMS servers "; StdOutput = "hello.out"; StdError = "hello.err"; #OutputSandbox = {"hello.out","hello.err"}; ######################################### walker@heppc400:~/grid/vomses/voms-testing/snoplus$ cat submit-wms.sh #!/bin/bash VO=$1 VOMSES=$2 # remember to do: voms-proxy-init --voms $VO --vomses $VOMSES for wms in $(lcg-infosites --vo $VO wms ); do export GLITE_WMS_WMPROXY_ENDPOINT=$wms for ce in $(lcg-infosites --vo $VO ce | awk '{print $6}'); do glite-wms-job-submit -a -o jobIDfile -r $ce helloworld.jdl done done # Then to check job status do: #glite-wms-job-status -i jobIDfile # THen get output with: #glite-wms-job-output -i jobIDfile
LFC/SE:
#!/bin/bash VO=snoplus.snolab.ca # Please edit to your VO user=whateveryourusernameis # Please edit for se in $(lcg-infosites se | awk '/SRM/{print $4}'); do lfn="lfn:/grid/${VO}/users/${user}/setest/$se" echo "***** Creating $lfn" echo "lcg-cr -v -d $se -l $lfn file:cjwtestfile.txt" lcg-cr -v -d $se -l $lfn file:cjwtestfile.txt echo "****** Deleting $lfn" echo "lcg-del -a $lfn" lcg-del -a $lfn echo echo echo echo echo echo done
Note: GridPP plans to test VOs on the VO Nagios instance as well.
https://t2wlcgnagios.physics.ox.ac.uk/nagios/cgi-bin/status.cgi
Test status - testing by VOs
VO name | JET | RAL | Bru | IC | QMUL | RHUL | UCL | Lancs | Liv | Man | Shef | Dur | ECDF | Gla | Bham | Bris | Cam | OX | RALPP | SUSX |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CERN@school | ||||||||||||||||||||
epic | ||||||||||||||||||||
gridpp | ||||||||||||||||||||
mice | ||||||||||||||||||||
neiss | ||||||||||||||||||||
pheno | ||||||||||||||||||||
SNO+ | ||||||||||||||||||||
T2K | n/a | Done | n/a | Done | Done | n/a | n/a | Done | Done | n/a | Done | n/a | n/a | n/a | n/a | n/a | n/a | Done | n/a | n/a |
NA62 | n/a | SE Done (but SE broken for all) | n/a | SE Done | n/a | n/a | SE Done ( SE broken for all) | n/a | SE Done | n/a | n/a | n/a | n/a | SE Done | n/a | n/a | n/a | n/a | n/a | n/a |
landslides | ||||||||||||||||||||
scotgrid | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | SE Fails (for all voms servers) | SE Fails (for all voms servers) | SE OK | n/a | n/a | n/a | n/a | n/a | n/a |
northgrid | n/a | n/a | n/a | n/a | n/a | n/a | n/a | 1 CE, misconfig Site notified. |
Done | Done | 2 CEs and SE, misconfig Site notified. |
n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
southgrid | Done | |||||||||||||||||||
londongrid | Done | Done | Done | Done | N/A |
VO name | RAL | IC | OX | Ops portal |
---|---|---|---|---|
gridpp | Done | |||
cern@school | Done | |||
epic | ||||
mice | Done | |||
neiss | ||||
pheno | Done | |||
SNO+ | Done | |||
T2K | Done | Done | n/a | Done |
NA62 | LFC not okay? | Done | ||
landslides | Done | |||
scotgrid | LFC OK | Done | ||
northgrid | Done | Done | n/a | Done |
southgrid | Done | |||
londongrid | Done |
Using a specific VOMS server
Once a UI has migrated to using any VOMS server, it is still possible to use a specific one by doing the following:
#Get a proxy from voms.gridpp.ac.uk (changing vo.southgrid.ac.uk to your VO): voms-proxy-init --vomses /etc/vomses/vo.southgrid.ac.uk-voms.gridpp.ac.uk --voms vo.southgrid.ac.uk