Difference between revisions of "RucioBastion"

From GridPP Wiki
(Setting up for the first time)
 
(9 intermediate revisions by one user not shown)
Line 1: Line 1:
 
== Introduction ==
 
== Introduction ==
* The Rucio bastion server can be found at [http://rucio-bastion.gridpp.rl.ac.uk/ http://rucio-bastion.gridpp.rl.ac.uk/] you will not be able to access this without a cert / key combination
+
* The Rucio bastion server can be found at 'http://rucio-bastion.gridpp.rl.ac.uk/' you will not be able to access this without a cert / key combination or through your browser
 
+
  
 
== Setting up for the first time ==
 
== Setting up for the first time ==
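Review bot: the new introduction bullet reads two ways: "you will not be able to access this without a cert / key combination or through your browser" can be taken to mean that a browser is a second way in. If the intent is that the host cannot be reached from a browser, say so in its own sentence, and consider dropping the http:// scheme from the quoted address, since the rest of the page reaches the host over SSH.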
Line 11: Line 10:
  
  
* The public key then needs to be sent to [mailto:Ian.Johnson@stfc.ac.uk Ian Johnson]
+
* The public key then needs to be sent to [mailto:Ian.Johnson@stfc.ac.uk Ian Johnson] or [mailto:Timothy.Noble@stfc.ac.uk Timothy Noble]
  
* Once this is set up with your key on the server you can SSH into the server as root via:
+
* Once this is set up with your key on the server, you can SSH into the server as <your username> via:
  ssh -v -i <your path to private key>.rsa root@rucio-bastion.gridpp.rl.ac.uk
+
  ssh -v -i <your path to private key>.rsa <your username>@rucio-bastion.gridpp.rl.ac.uk
  
* You then need to set up a new user for yourself
 
  
* Switch user to yourself
+
* Copy your x509 certificate (*.pfx) or certificate and key pair to the bastion into your home directory in a new directory .globus within your home directory(~/.globus).
  
* Copy your x509 certificate (*.pfx) to the bastion into your home directory in a new directory .globus
+
* From the .globus directory unpack this certificate package (if you placed the whole certificate on the system) using the following commands:
 
+
* Unpack this certificate package using the following commands:
+
 
  openssl pkcs12 -in <*.pfx> -out usercert.pem -clcerts -nokeys
 
  openssl pkcs12 -in <*.pfx> -out usercert.pem -clcerts -nokeys
 
  openssl pkcs12 -in <*.pfx> -out userkey.pem -nocerts -nodes
 
  openssl pkcs12 -in <*.pfx> -out userkey.pem -nocerts -nodes
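Review bot: the userkey.pem command kept as context still passes -nodes, so the private key is written to the bastion with no passphrase, and the reworded copy step now has users place either the .pfx or a certificate and key pair there. Suggest dropping -nodes so that openssl asks for a PEM pass phrase, and adding a step to delete the .pfx from ~/.globus once it has been unpacked. The new copy bullet also names the home directory twice ("into your home directory in a new directory .globus within your home directory(~/.globus)") and can be shortened to the ~/.globus path alone.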
Line 30: Line 26:
 
* Run the command to create a proxy:
 
* Run the command to create a proxy:
 
  grid-proxy-init
 
  grid-proxy-init
 +
or
 +
voms-proxy-init --voms <your VO>
  
 
* If you have issues here it may be necessary to run the command in debug mode:
 
* If you have issues here it may be necessary to run the command in debug mode:
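Review bot: the added "or" between grid-proxy-init and voms-proxy-init --voms <your VO> gives the reader no way to choose between them. State when the VOMS form is needed (the later steps export RUCIO_VO, which suggests a VO-scoped setup), and say whether the debug advice in the following bullet applies to voms-proxy-init as well.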
Line 35: Line 33:
  
 
* You will now have a grid proxy for the next 11 hours
 
* You will now have a grid proxy for the next 11 hours
 +
 +
* Activate the Rucio Environment with:
 +
source /opt/rucio-env/bin/activate
 +
 +
* Export variables
 +
export RUCIO_VO=<your VO>
 +
export RUCIO_ACCOUNT=<your Rucio username>
 +
export X509_USER_PROXY=/tmp/x509up_u$(id -u)
 +
 +
*Verify that it is all set up correctly
 +
rucio ping
 +
or
 +
rucio whoami
  
 
== Repeat Use ==
 
== Repeat Use ==
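Review bot: <your VO> is used here for RUCIO_VO and in the previous hunk for --voms, while the script added under "Activating Rucio" separates <longname of VO> from <VO>; if the two values differ, these steps will mislead, so use the same two placeholders here. The "*Verify that it is all set up correctly" bullet is also missing the space after the asterisk that the other added bullets have.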
Line 40: Line 51:
 
Once set up you will only need to run the following command to renew your proxy:
 
Once set up you will only need to run the following command to renew your proxy:
 
  grid-proxy-init
 
  grid-proxy-init
 +
or
 +
voms-proxy-init --voms <your VO>
  
 
== Activating Rucio ==
 
== Activating Rucio ==
Line 45: Line 58:
 
When you are set up, and on the server, to use the Rucio commands, you need to activate the environment:
 
When you are set up, and on the server, to use the Rucio commands, you need to activate the environment:
 
  source /opt/Rucio-env/bin/activate
 
  source /opt/Rucio-env/bin/activate
 +
 +
You will also need to export the variables for Rucio:
 +
export RUCIO_VO=<your VO>
 +
export RUCIO_ACCOUNT=<your Rucio username>
 +
export X509_USER_PROXY=/tmp/x509up_u$(id -u)
 +
 +
Or you can use the following script to streamline use:
 +
#!/bin/bash
 +
# A Script to set up Rucio to connect
 +
# TNoble 2021-04-12
 +
source /opt/rucio-env/bin/activate
 +
voms-proxy-init -voms <longname of VO>
 +
export RUCIO_VO=<VO>
 +
export RUCIO_ACCOUNT=<USERNAME>
 +
export X509_USER_PROXY=/tmp/x509up_u$(id -u)
 +
rucio whoami
 +
rucio ping
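Review bot: the added script starts with #!/bin/bash, which invites running it as a program, but the activate call and the three export lines only take effect in the caller's shell if the file is sourced; say so above the script or in its header comment. The context line "source /opt/Rucio-env/bin/activate" also differs in case from the "/opt/rucio-env/" path the additions use, and the script writes -voms where the rest of the page writes --voms; pick one spelling of each.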

Latest revision as of 13:52, 10 September 2021

Introduction

Setting up for the first time

In order to get access to the Bastion service you must:

  • Have been issued a grid certificate
  • Generate an SSH key pair


  • Once this is set up with your key on the server, you can SSH into the server as <your username> via:
ssh -v -i <your path to private key>.rsa <your username>@rucio-bastion.gridpp.rl.ac.uk


  • Copy your x509 certificate (*.pfx), or your certificate and key pair, to the bastion, into a new directory .globus within your home directory (~/.globus).
  • From the .globus directory unpack this certificate package (if you placed the whole certificate on the system) using the following commands:
openssl pkcs12 -in <*.pfx> -out usercert.pem -clcerts -nokeys
openssl pkcs12 -in <*.pfx> -out userkey.pem -nocerts -nodes
  • Ensure that your user owns these files, then set the permissions of the cert to 644 and the permissions of the key to 600
  • Run the command to create a proxy:
grid-proxy-init

or

voms-proxy-init --voms <your VO>
  • If you have issues here it may be necessary to run the command in debug mode:
grid-proxy-init -debug
  • You will now have a grid proxy for the next 11 hours
  • Activate the Rucio Environment with:
source /opt/rucio-env/bin/activate
  • Export variables
export RUCIO_VO=<your VO>
export RUCIO_ACCOUNT=<your Rucio username>
export X509_USER_PROXY=/tmp/x509up_u$(id -u)
  • Verify that it is all set up correctly
rucio ping

or

rucio whoami
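
The file checks from the steps above (ownership, 644 on the certificate, 600 on the key), plus a check that the certificate and key actually pair, as an added example that is not part of the wiki page. It assumes a Linux bastion with GNU stat and openssl; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the wiki page: audit the files left in ~/.globus.
# Assumes Linux (GNU stat) and openssl; all function names are hypothetical.
# Source this file, then run:  audit_globus "$HOME/.globus"

# check_file PATH MODE: file exists, is owned by you, and has exactly MODE.
check_file() {
    cf_path=$1; cf_want=$2
    [ -f "$cf_path" ] || { echo "MISSING   $cf_path"; return 1; }
    [ -O "$cf_path" ] || { echo "NOT YOURS $cf_path"; return 1; }
    cf_got=$(stat -c '%a' "$cf_path")
    [ "$cf_got" = "$cf_want" ] || { echo "MODE $cf_got (want $cf_want) $cf_path"; return 1; }
    echo "OK        $cf_path"
}

# cert_matches_key CERT KEY: both files carry the same public key.
# The empty -passin makes an encrypted key fail here instead of prompting.
cert_matches_key() {
    cm_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    cm_key=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cm_cert" ] && [ "$cm_cert" = "$cm_key" ]
}

# audit_globus DIR: print one line per check; exit status = number of failures.
audit_globus() {
    ag_dir=$1; ag_fail=0
    check_file "$ag_dir/usercert.pem" 644 || ag_fail=$((ag_fail + 1))
    check_file "$ag_dir/userkey.pem" 600 || ag_fail=$((ag_fail + 1))
    if cert_matches_key "$ag_dir/usercert.pem" "$ag_dir/userkey.pem"; then
        echo "OK        certificate and key match"
    else
        echo "MISMATCH  usercert.pem does not pair with userkey.pem"
        ag_fail=$((ag_fail + 1))
    fi
    # A .pfx left behind is a second copy of the private key; report it.
    for ag_pfx in "$ag_dir"/*.pfx; do
        if [ -e "$ag_pfx" ]; then echo "NOTE      still present: $ag_pfx"; fi
    done
    return "$ag_fail"
}
```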

Repeat Use

Once set up, you will only need to run one of the following commands to renew your proxy:

grid-proxy-init

or

voms-proxy-init --voms <your VO>

Activating Rucio

Once you are set up and logged in to the server, activate the environment before using the Rucio commands:

source /opt/rucio-env/bin/activate

You will also need to export the variables for Rucio:

export RUCIO_VO=<your VO>
export RUCIO_ACCOUNT=<your Rucio username>
export X509_USER_PROXY=/tmp/x509up_u$(id -u)

Or you can use the following script to streamline use:

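#!/bin/bash
# A script to set up Rucio to connect
# TNoble 2021-04-12
# The activated environment and the exported variables only persist in your
# shell if this file is sourced (". <this file>") rather than executed.
source /opt/rucio-env/bin/activate            # activate the Rucio environment
voms-proxy-init --voms <longname of VO>       # create a VOMS proxy
export RUCIO_VO=<VO>
export RUCIO_ACCOUNT=<USERNAME>
export X509_USER_PROXY=/tmp/x509up_u$(id -u)  # default location of the proxy file
rucio whoami                                  # show the account Rucio sees
rucio ping                                    # check that the server responds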