Latest revision as of 11:10, 17 February 2022

Lancaster Xroot Server setup

Useful Pages

(list in progress)

https://twiki.cern.ch/twiki/bin/view/AtlasComputing/StorageSetUp#Recommendation

(new) https://xrootd-howto.readthedocs.io/en/latest/

https://wlcg-authz-wg.github.io/wlcg-authz-docs/token-based-authorization/configuration/xrootd/

Configs

main config

starting with systemctl start xrootd@server, puts https on port 1094 too

# cat /etc/xrootd/xrootd-server.cfg 
##basics

all.export /cephfs/grid
all.sitename UKI_NORTHGRID_LANCS_HEP

all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd

#checksum - prob safe
xrootd.chksum adler32

#logging
all.trace all

## auth stuff
#largely from Sam
xrootd.seclib /usr/lib64/libXrdSec.so
sec.protocol /lib64 gsi -certdir:/etc/grid-security/certificates \
                    -cert:/etc/grid-security/xrdcert.pem \
                    -key:/etc/grid-security/xrdkey.pem \
                    -crl:1 \
                    -authzfun:libXrdSecgsiAUTHZVO.so \
                    -gmapopt:10 -gmapto:0 \
                    -vomsat:extract -vomsfun:libXrdVoms.so
#point to our authdb
acc.authdb /etc/grid-security/authdb
ofs.authorize

# Config TLS
#from https://xrootd-howto.readthedocs.io/en/latest/tpc/#an-example-of-wlcg-tpc-configuration-with-x509-authentication
xrd.tls /etc/grid-security/xrdcert.pem /etc/grid-security/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
#xrootd.tls capable all


#xrd tpc just in case
ofs.tpc cksum adler32 fcreds ?gsi =X509_USER_PROXY autorm xfr 40 pgm /etc/xrootd/xrdcp-tpc.sh

## http stuff

#kick off xroot http, on 1094
if exec xrootd
xrd.protocol http:1094 /usr/lib64/libXrdHttp.so
fi
http.selfhttps2http no


#from James
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt


# Require the use of the xrd.tls certificates (alternative is to use manual)
http.httpsmode auto

##old way from first config, if above set to manual
#http.cadir /etc/grid-security/certificates
#http.cert /etc/grid-security/xrdcert.pem
#http.key /etc/grid-security/xrdkey.pem


# HTTP TPC, see https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Enable_Third_Party_Copy
http.secxtractor libXrdVoms.so
http.exthandler xrdtpc libXrdHttpTPC.so
http.header2cgi Authorization authz

# Please install libmacaroons rpm from EPEL.
# Macaroons support, see: https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Macaroons_Support
http.exthandler xrdmacaroons libXrdMacaroons.so

# secret generated using openssl rand -base64 -out /etc/xrootd/macaroon-secret 64, owned xroot, chown 440
macaroons.secretkey /etc/xrootd/macaroon-secret

## token stuff
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so

notes

The path needs to be writable by the xroot user. If it isn't it will protest and fail on startup.

authdb

/etc/grid-security/certificates, fetch-crl, vomsdir set up as normal.


# cat /etc/grid-security/authdb
### Define users
## o - organisation/VO r - role g - group
#test users
= xgridppusr o: gridpp 
= xdteamusr o: dteam
= xopsuser o: ops
= xwlcguser o: wlcg
= wlcgtknusr o: https://wlcg.cloud.cnaf.infn.it/ g: /wlcg
#atlas
= xatlasprd o: atlas r: production
= xatlasplt o: atlas r: pilot
= xatlasukprd o: atlas r: production g: uk
= xatlasukusr o: atlas g: uk
= xatlasusr o: atlas
#hyperk
= xhyperkprd o: hyperk.org r: production
= xhyperkusr o: hyperk.org
### Define acceses
## a - all-rights l - list (don't forget) r - read w - write
x xgridppusr /cephfs/grid/gridpp a /cepfs/grid/srr lr
x xdteamusr /cephfs/grid/dteam a /cephfs/grid/wlcg a /cepfs/grid/srr lr
x xatlasprd /cephfs/grid/atlas a /cepfs/grid/srr lr
x xatlasplt /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasukprd /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk a /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasukusr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lrw /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasusr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasdatadisk lr  /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xopsuser /cephfs/grid/ops a /cepfs/grid/srr lr
x xwlcguser /cephfs/grid/wlcg a /cepfs/grid/srr lr
x wlcgtknusr /cephfs/grid/wlcg a /cepfs/grid/srr lr
x xhyperkprd /cephfs/grid/hyperk.org a /cepfs/grid/srr lr
x xhyperkusr /cephfs/grid/hyperk.org/ lr /cepfs/grid/srr lr

notes

On server start up if the authdb is misconfigured xroot will most likely error and fail to get going.

@@ Line 17: / Line 17: @@
 <pre>
 # cat /etc/xrootd/xrootd-server.cfg
-###########################################################################
+##basics
-# This is a very simple sample configuration file sufficient to start an  #
-# xrootd data server using the default port 1094. This server runs by     #
-# itself (stand-alone) and does not assume it is part of a cluster. You   #
-# can then connect to this server to access files in '/tmp'.              #
-# Consult the the reference manuals on how to create more complicated     #
-# configurations.                                                         #
-#                                                                         #
-# On successful start-up you will see 'initialization completed' in the   #
-# last message. You can now connect to the xrootd server.                 #
-#                                                                         #
-# Note: You should always create a *single* configuration file for all    #
-# daemons related to xrootd.                                              #
-###########################################################################
-# The export directive indicates which paths are to be exported. While the
 all.export /cephfs/grid
-all.sitename UKI-NORTHGRID-LANCS-HEP
+all.sitename UKI_NORTHGRID_LANCS_HEP
-# The adminpath and pidpath variables indicate where the pid and various
-# IPC files should be placed
-#
 all.adminpath /var/spool/xrootd
-all.pidpath /run/xrootd
+all.pidpath /var/run/xrootd
-#chksumming
+#checksum - prob safe
 xrootd.chksum adler32
-#root tpc
+#logging
-ofs.tpc  ttl 7 15 xfr 9 pgm /usr/bin/xrdcp --server
+all.trace all
-#auth stuff largely from Sam
+## auth stuff
+#largely from Sam
 xrootd.seclib /usr/lib64/libXrdSec.so
 sec.protocol /lib64 gsi -certdir:/etc/grid-security/certificates \
@@ Line 56: / Line 41: @@
                     -gmapopt:10 -gmapto:0 \
                     -vomsat:extract -vomsfun:libXrdVoms.so
+#point to our authdb
 acc.authdb /etc/grid-security/authdb
 ofs.authorize
-#token stuff from https://wlcg-authz-wg.github.io/wlcg-authz-docs/token-based-authorization/configuration/xrootd/
+# Config TLS
+#from https://xrootd-howto.readthedocs.io/en/latest/tpc/#an-example-of-wlcg-tpc-configuration-with-x509-authentication
+xrd.tls /etc/grid-security/xrdcert.pem /etc/grid-security/xrdkey.pem
+xrd.tlsca certdir /etc/grid-security/certificates
+#xrootd.tls capable all
-ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
-ofs.authlib ++ libXrdMacaroons.so
-ofs.authorize 1
-# Pass the bearer token to the Xrootd authorization framework.
+#xrd tpc just in case
-http.header2cgi Authorization authz
+ofs.tpc cksum adler32 fcreds ?gsi =X509_USER_PROXY autorm xfr 40 pgm /etc/xrootd/xrdcp-tpc.sh
+## http stuff
-#http stuff
+#kick off xroot http, on 1094
-# In order to enable the xrdhttp.socket run:
+if exec xrootd
-#	systemctl enable xrdhttp@http.socket
-# In order to start the xrdhttp.socket run:
-#	systemctl start xrdhttp@http.socket
-#
 xrd.protocol http:1094 /usr/lib64/libXrdHttp.so
-#xrd.protocol https:1094 /usr/lib64/libXrdHttp.so
+fi
-#xrd.protocol http:80 /usr/lib64/libXrdHttp.so
+http.selfhttps2http no
-http.secxtractor libXrdHttpVOMS.so
-#https
+#from James
-#basics
+http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
-http.cadir /etc/grid-security/certificates
-http.cert /etc/grid-security/xrdcert.pem
-http.key /etc/grid-security/xrdkey.pem
-http.secretkey areallygoodsecret
-http.cipherfilter ALL:!LOW:!EXP:!MD5:!MD2
-#other http stuff
+# Require the use of the xrd.tls certificates (alternative is to use manual)
-http.listingdeny yes
+http.httpsmode auto
-http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
-http.desthttps yes
+##old way from first config, if above set to manual
+#http.cadir /etc/grid-security/certificates
+#http.cert /etc/grid-security/xrdcert.pem
+#http.key /etc/grid-security/xrdkey.pem
+# HTTP TPC, see https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Enable_Third_Party_Copy
+http.secxtractor libXrdVoms.so
+http.exthandler xrdtpc libXrdHttpTPC.so
+http.header2cgi Authorization authz
+# Please install libmacaroons rpm from EPEL.
+# Macaroons support, see: https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Macaroons_Support
+http.exthandler xrdmacaroons libXrdMacaroons.so
+# secret generated using openssl rand -base64 -out /etc/xrootd/macaroon-secret 64, owned xroot, chown 440
+macaroons.secretkey /etc/xrootd/macaroon-secret
+## token stuff
+ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
+ofs.authlib ++ libXrdMacaroons.so
 </pre>
@@ Line 132: / Line 130: @@
 x xatlasukusr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lrw /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
 x xatlasusr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasdatadisk lr  /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
-x xopsuser /cephfs/grid/ops lrw /cepfs/grid/srr lr
+x xopsuser /cephfs/grid/ops a /cepfs/grid/srr lr
 x xwlcguser /cephfs/grid/wlcg a /cepfs/grid/srr lr
 x wlcgtknusr /cephfs/grid/wlcg a /cepfs/grid/srr lr

Difference between revisions of "LancsXrd"

Latest revision as of 11:10, 17 February 2022

Contents

Lancaster Xroot Server setup

Useful Pages

Configs

main config

notes

authdb

notes

Navigation menu

Personal tools

Namespaces

Variants

Views

Actions

Search

Main GridPP website

Navigation

Tools