ARC CE Hints

From GridPP Wiki

Mapping to pool accounts

Argus in combination with lcmaps can be used to map DNs to pool accounts. In the [gridftpd] section of /etc/arc.conf include the following:

unixmap="* lcmaps liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db voms"
unixmap="nobody:nobody all"

The second line above ensures that DNs which are not mapped successfully are mapped to nobody. The LRMS can be configured to not accept jobs from nobody. The file /etc/lcmaps/lcmaps.db contains:

path = /usr/lib64/lcmaps
verify_proxy = "lcmaps_verify_proxy.mod" "-certdir /etc/grid-security/certificates" "--discard_private_key_absence" "--allow-limited-proxy"
pepc = "lcmaps_c_pep.mod" "--pep-daemon-endpoint-url https://argus.domain:8154/authz" "--resourceid http://authz-interop.org/xacml/resource/resource-type/arc" "--actionid http://glite.org/xacml/action/execute" "--capath /etc/grid-security/certificates/" "--certificate /etc/grid-security/hostcert.pem" "--key /etc/grid-security/hostkey.pem"
# Policies:
arc:
verify_proxy -> pepc

where argus.domain should be replaced with the hostname of your Argus server. The Argus default policy should contain an appropriate section for the ARC CE, for example:

resource "http://authz-interop.org/xacml/resource/resource-type/arc" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" {
        rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
        rule permit { pfqan="/cms/Role=pilot" }
        rule permit { pfqan="/cms/Role=lcgadmin/Capability=NULL" }
        rule permit { pfqan="/cms/Role=lcgadmin" }
        rule permit { pfqan="/cms/Role=production/Capability=NULL" }
        rule permit { pfqan="/cms/Role=production" }
        rule permit { pfqan="/cms/Role=t1production/Capability=NULL" }
        rule permit { pfqan="/cms/Role=t1production" }
        rule permit { pfqan="/cms/Role=t1access/Capability=NULL" }
        rule permit { pfqan="/cms/Role=t1access" }
    }
}
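
A consistency check for the arc.conf and lcmaps.db fragments in this section, added here as an example (it is not part of the wiki page, ARC or LCMAPS). It assumes that the fields after the database path in the lcmaps unixmap rule name the LCMAPS policies to run; the function names, the hostname argus.example.org and the sample file contents are constructed for the example.

```python
import re

# Constructed sample files modelled on the fragments above (policy "arc" in both).
ARC_CONF = '''[gridftpd]
unixmap="* lcmaps liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db arc"
unixmap="nobody:nobody all"
'''
LCMAPS_DB = '''path = /usr/lib64/lcmaps
verify_proxy = "lcmaps_verify_proxy.mod" "-certdir /etc/grid-security/certificates"
pepc = "lcmaps_c_pep.mod" "--pep-daemon-endpoint-url https://argus.example.org:8154/authz"
# Policies:
arc:
verify_proxy -> pepc
'''

def parse_lcmaps_db(text):
    """Return (modules, policies): name -> definition, policy -> modules it chains."""
    modules, policies, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # a policy that sits on a comment line defines nothing
        if re.fullmatch(r"[\w.-]+:", line):
            current = line[:-1]
            policies[current] = []
        elif "->" in line and current:
            policies[current] += re.findall(r"[\w.-]+", line.replace("->", " "))
        elif "=" in line:
            name, value = line.split("=", 1)
            modules[name.strip()] = value.strip()
    return modules, policies

def audit(arc_conf, lcmaps_db):
    """Return a list of findings; an empty list means the files are consistent."""
    findings = []
    modules, policies = parse_lcmaps_db(lcmaps_db)
    rules = re.findall(r'^\s*unixmap\s*=\s*"([^"]*)"', arc_conf, re.M)
    lc = next((i for i, r in enumerate(rules) if r.split()[1:2] == ["lcmaps"]), None)
    if lc is None:
        return ["no lcmaps unixmap rule found"]
    if not any(r.split() == ["nobody:nobody", "all"] for r in rules[lc + 1:]):
        findings.append("no 'nobody:nobody all' fallback after the lcmaps rule")
    for policy in rules[lc].split()[5:]:  # assumption: trailing fields are policy names
        if policy not in policies:
            findings.append(f"policy '{policy}' is not defined in lcmaps.db")
        findings += [f"policy '{policy}' uses undefined module '{m}'"
                     for m in policies.get(policy, []) if m not in modules]
    if any("argus.domain" in v for v in modules.values()):
        findings.append("Argus endpoint still contains the placeholder argus.domain")
    return findings
```

Call audit() with the contents of /etc/arc.conf and /etc/lcmaps/lcmaps.db; each returned string is one inconsistency to resolve before relying on the mapping.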

How to get EMI WMS jobs to work

On all worker nodes, create an empty file called /usr/etc/globus-user-env.sh.

Changes required for LHCb

In the [grid-manager] section of /etc/arc.conf include the following line:

authplugin="PREPARING timeout=60,onfailure=pass,onsuccess=pass /usr/local/bin/default_rte_plugin.py %S %C %I ENV/GLITE"

where default_rte_plugin.py can be found at https://raw.githubusercontent.com/alahiff/ral-arc-ce-plugins/master/default_rte_plugin.py