Difference between revisions of "Adoption of Backup GridPP Voms Servers"

== Adoption of Backup GridPP Voms Servers ==
=== Introduction ===

Revision as of 11:33, 9 April 2014


The GridPP VOMS server hosted at voms.gridpp.ac.uk has been augmented by additional servers at Oxford (voms02.gridpp.ac.uk) and Imperial (voms03.gridpp.ac.uk). Through late September/October 2013, sites should configure the use of these servers for VOs they support.

During the transition, special measures will be used to maintain continuity of service. It is practically impossible to update the UIs (which produce credentials) and the CE/SEs (etc.) (which read them) with the new VOMS server records simultaneously, so update the CE/SEs (etc.) first and the UIs only once that is complete. Otherwise a UI could make proxies from the new VOMS servers which would fail if they landed on a CE/SE (etc.) that has not been updated yet.

The services which read credentials (i.e. which should be updated first) are:

  • CE
  • SE
  • ARGUS (or equivalent credential servers)
  • WMS
  • LFC
  • WN (???)
  • GOCDB (???)

Once this is complete, UIs can be updated (see below).

Sequence of events

The sections below describe the sequence of events that site and VO managers should follow.

  • Site managers update their services, except the UIs, to contain the new records (goal: 31 Oct 2013)
  • Site managers can do a local test to show that records are OKish. Suitable tests are detailed below in the VOs section, or here: "grid course". (goal: 31 Oct 2013)
  • VO managers then have a short window of time to conduct their own tests if they wish.
  • Once tests are complete (enough) Chris will declare that it's time to update the UIs and the VOID Operations Portal Records
  • Site managers will then update the residual services (namely UIs)
  • VO managers will then update their records in the operations portal.

The sites, operations portal etc. will then be capable of normal operations. Steps for each of these operations are given below.


Intermediate Voms Server Records

This wiki page will be used to coordinate these changes. Eventually new Voms Server information will be added to OPS portal. But during the transition (while the update is being coordinated) the new records will be published as an "intermediate patch" that sites should use to update their CE/SE (etc.) systems, not any UI systems.

Only once that phase is done should the UIs be changed. The records will be added to the operations portal and the Approved VOs will be updated to reflect the new reality.

The Intermediate Voms Server Records should be applied by sites to CE/SE (etc.) systems as soon as reasonably possible after this project starts. The records, in vo.d format, are available here.
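A local check a site manager could run on a CE/SE (etc.) after applying the records, as an added example that is not part of the original wiki page. It assumes the standard vomsdir layout of one <host>.lsc file per VOMS server under $X509_VOMS_DIR/<vo>/ (default /etc/grid-security/vomsdir), each holding two DN lines; the function names lsc_ok and missing_voms_records are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that a credential-reading service trusts all three
# GridPP VOMS servers for a VO before any UI is switched over.
# Assumption: each <vomsdir>/<vo>/<host>.lsc file holds two DN lines
# (the VOMS server certificate subject, then the DN of its issuing CA).

VOMS_HOSTS="voms.gridpp.ac.uk voms02.gridpp.ac.uk voms03.gridpp.ac.uk"

# lsc_ok FILE: succeed only if FILE is readable and its first two
# non-blank lines both look like slash-separated DNs (/attr=value...).
lsc_ok() {
    [ -r "$1" ] || return 1
    n=$(grep -v '^[[:space:]]*$' "$1" | head -n 2 \
        | grep -c '^/[^/=]\{1,\}=' || true)
    [ "$n" -eq 2 ]
}

# missing_voms_records VO [VOMSDIR]: print every VOMS host whose .lsc file
# is absent or malformed for VO. Returns 0 if all three are in place.
missing_voms_records() {
    vo=$1
    dir=${2:-${X509_VOMS_DIR:-/etc/grid-security/vomsdir}}
    rc=0
    for h in $VOMS_HOSTS; do
        if ! lsc_ok "$dir/$vo/$h.lsc"; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# Usage (VO name taken from the examples on this page):
#   missing_voms_records vo.southgrid.ac.uk || echo "do not update UIs yet"
```

A host listed in the output means proxies issued by that server would be rejected by this service, which is the failure the CE/SE-before-UI ordering is meant to avoid.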


For tracking purposes it would be useful if sites noted the change in this table. Once everyone has updated their CE/SE (etc.) systems, we can go ahead with the next phase and do the UIs.

GridPP Sites
Site Name | Date CE/SE (etc.) systems updated | Date UI systems updated
RAL Tier-1 | Done 22/10/13 | Not done
EFDA-JET | Done 2013-11-04 | Not done
UKI-LT2-Brunel | done | Not done
UKI-LT2-IC-HEP | Done 18/9/13 | Done 3/2/14
UKI-LT2-QMUL | Done 2013-10-23 | Not done
UKI-LT2-RHUL | Done | Not done
UKI-LT2-UCL-HEP | Done (not necessary) | Not done
UKI-NORTHGRID-LANCS-HEP | Done 29/10/13 | Not done
UKI-NORTHGRID-LIV-HEP | Done 2013-10-23 | Done 2014-02-04
UKI-NORTHGRID-MAN-HEP | Done 08/10/13 | Not done
UKI-SCOTGRID-GLASGOW | CE, SE, WMS(1),Argus Done | Done (03/02/14)
UKI-SOUTHGRID-BHAM-HEP | Done 2013-10-11 | Not done
UKI-SOUTHGRID-BRIS-HEP | Done 21.11.2013 | Done 21.11.2013
UKI-SOUTHGRID-CAM-HEP | Done 08/10/13 | Done 30/01/14
UKI-SOUTHGRID-OX-HEP | Done 14/10/13 | Done 30/01/14
UKI-SOUTHGRID-RALPP | 6/11/13 | Not done
UKI-SOUTHGRID-SUSX | Done (2013-11-13) | Not done


VO managers should:

  • Update their VOID card to include the new VOMS servers
  • Test sites (see below) to ensure they have correctly configured these backup VOMS servers
    • File GGUS tickets for problem sites
    • Update the wiki to record status

Updating VOID card

To end the conversion project, VOs should finally update their VOID card to add:

  • voms02.gridpp.ac.uk
  • voms03.gridpp.ac.uk

To do this:

  • Go to http://operations-portal.egi.eu/vo
  • Click on "Manage VO"
  • Select VO you want to alter
  • Click "Add a VOMS server"
    • Voms server: voms02.gridpp.ac.uk
    • https port: 8443
    • vomses port: same as for voms.gridpp.ac.uk
    • Is Vomsadmin server: Leave unchecked
    • Port is the same port as on voms.gridpp.ac.uk
    • List members URL: Same as for voms.gridpp.ac.uk (don't change the host to voms02, leave at voms.gridpp.ac.uk)
  • Now add voms03.gridpp.ac.uk using the same procedure.


VO managers should test that sites supporting their VO are correctly configured for the new VOMS servers (and file GGUS tickets for sites which are not).

Please test:

  • voms02.gridpp.ac.uk
  • voms03.gridpp.ac.uk
  • voms.gridpp.ac.uk (just in case the original config doesn't work either)

First generate a proxy using one of the new VOMS servers:

wget http://www-pnp.physics.ox.ac.uk/~macmahon/voms-testing.tar.gz
tar -xzvf voms-testing.tar.gz
cd voms-testing
export X509_VOMS_DIR=$(pwd)/vomsdir
#Get a proxy from voms02.gridpp.ac.uk (changing vo.southgrid.ac.uk to your VO):
voms-proxy-init --vomses ./voms02/vo.southgrid.ac.uk --voms vo.southgrid.ac.uk
## To generate a proxy from the other backup server do:
# voms-proxy-init --vomses ./voms03/vo.southgrid.ac.uk --voms vo.southgrid.ac.uk
# The original server can (and should) be used too:
# voms-proxy-init --voms vo.southgrid.ac.uk

More details and explanation on generating proxies from these backup servers can be found at VOMSdeployment2013.

Then test services at sites supporting your VO. Example scripts can be found below (but are not exhaustive), and at the "grid course". When done, please report back the results.

WMS and CEs:

walker@heppc400:~/grid/vomses/voms-testing/snoplus$ cat helloworld.jdl
#############Hello World#################
Executable = "/bin/echo";
Arguments = "Hello welcome to new VOMS servers ";
StdOutput = "hello.out";
StdError = "hello.err";
#OutputSandbox = {"hello.out","hello.err"};
walker@heppc400:~/grid/vomses/voms-testing/snoplus$ cat submit-wms.sh

# remember to do (VO and VOMSES must already be set in the environment):
voms-proxy-init --voms $VO --vomses $VOMSES

# Submit the hello-world job to every CE the VO can see, once per WMS listed
for wms in $(lcg-infosites --vo $VO wms ); do
    for ce in $(lcg-infosites --vo $VO ce | awk '{print $6}'); do
        glite-wms-job-submit -a -o jobIDfile -r "$ce" helloworld.jdl
    done
done

# Then to check job status do:
#glite-wms-job-status -i jobIDfile

# Then get output with:
#glite-wms-job-output -i jobIDfile


VO=snoplus.snolab.ca # Please edit to your VO
user=whateveryourusernameis # Please edit

# $lfn (the logical file name to register) must be set before this loop.
# For each SRM storage element: copy and register a test file, then delete it.
for se in $(lcg-infosites se | awk '/SRM/{print $4}'); do

    echo "***** Creating $lfn"
    echo "lcg-cr -v -d $se -l $lfn file:cjwtestfile.txt"
    lcg-cr -v -d $se -l $lfn file:cjwtestfile.txt
    echo "****** Deleting $lfn"
    echo "lcg-del -a $lfn"
    lcg-del -a $lfn
done



Note: GridPP plans to test VOs on the VO Nagios instance as well. https://t2wlcgnagios.physics.ox.ac.uk/nagios/cgi-bin/status.cgi

Test status - testing by VOs

CE and SE - GridPP Sites
VO name | JET | RAL | Bru | IC | QMUL | RHUL | UCL | Lancs | Liv | Man | Shef | Dur | ECDF | Gla | Bham | Bris | Cam | OX | RALPP | SUSX
T2K | n/a | Done | n/a | Done | Done | n/a | n/a | Done | Done | n/a | Done | n/a | n/a | n/a | n/a | n/a | n/a | Done | n/a | n/a
NA62 | n/a | SE Done (but SE broken for all) | n/a | SE Done | n/a | n/a | SE Done (SE broken for all) | n/a | SE Done | n/a | n/a | n/a | n/a | SE Done | n/a | n/a | n/a | n/a | n/a | n/a
scotgrid | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | SE Fails (for all voms servers) | SE Fails (for all voms servers) | SE OK | n/a | n/a | n/a | n/a | n/a | n/a
northgrid | n/a | n/a | n/a | n/a | n/a | n/a | n/a | 1 CE, misconfig. Site notified. | Done | Done | 2 CEs and SE, misconfig. Site notified. | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a
southgrid Done
londongrid Done Done Done Done N/A

WMS and LFC and ops-portal
VO name RAL IC OX Ops portal
gridpp Done
cern@school Done
mice Done
pheno Done
SNO+ Done
T2K Done Done n/a Done
NA62 LFC not okay? Done
landslides Done
scotgrid LFC OK Done
northgrid Done Done n/a Done
southgrid Done
londongrid Done

Using a specific VOMS server

Once a UI has migrated to using any VOMS server, it is still possible to use a specific one by doing the following:

#Get a proxy from voms.gridpp.ac.uk (changing vo.southgrid.ac.uk to your VO):
voms-proxy-init --vomses /etc/vomses/vo.southgrid.ac.uk-voms.gridpp.ac.uk --voms vo.southgrid.ac.uk