
Lancaster Xroot Server setup

Useful Pages

(list in progress)



main config

Started with `systemctl start xrootd@server`; this configuration also serves HTTPS on port 1094.

# cat /etc/xrootd/xrootd-server.cfg 

# Path exported to clients; every authdb rule further down is rooted under it.
all.export /cephfs/grid

# Both paths must be writable by the xrootd service user, otherwise startup fails.
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd

# Checksum algorithm offered to clients (the same one is named in ofs.tpc below).
xrootd.chksum adler32

# Full tracing is very verbose; NOTE(review): presumably a debugging leftover — consider narrowing it for production.
all.trace all

## auth stuff
# largely from Sam
xrootd.seclib /usr/lib64/
# GSI (X.509 certificate / proxy) authentication using the host cert and key.
# NOTE(review): the trailing backslash on the -gmapopt line continues the directive onto the
# "#point to our authdb" comment below it; drop that backslash, or confirm the parser ignores it.
# NOTE(review): -crl:1 presumably means CRLs are consulted when present but not required; if
# revocation must be enforced, check the gsi documentation for the stricter setting. Likewise
# -gmapopt:10 / -gmapto:0 were copied from elsewhere — verify their meaning rather than trusting them.
sec.protocol /lib64 gsi -certdir:/etc/grid-security/certificates \
                    -cert:/etc/grid-security/xrdcert.pem \
                    -key:/etc/grid-security/xrdkey.pem \
                    -crl:1 \
                    -gmapopt:10 -gmapto:0 \
#point to our authdb
# Authorization database mapping identities to per-path rights (listing shown further down).
acc.authdb /etc/grid-security/authdb

# Config TLS
# Same cert/key pair as GSI; the key file should be readable only by the xrootd user.
xrd.tls /etc/grid-security/xrdcert.pem /etc/grid-security/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
#xrootd.tls capable all

# xroot-protocol third-party copy with delegated credentials via gsi; xfr 40 presumably caps
# concurrent transfers.
# NOTE(review): "pgm /etc/xrootd/" looks like a directory, but pgm normally names the copy
# program itself — confirm against the live file (the path may have been truncated when pasted).
ofs.tpc cksum adler32 fcreds ?gsi =X509_USER_PROXY autorm xfr 40 pgm /etc/xrootd/

## http stuff

# Load the HTTP protocol plugin on the same port (1094), only when the executable is xrootd.
# NOTE(review): there is no matching "fi", so everything below is scoped to the xrootd executable;
# harmless if cmsd never reads this file, otherwise close the block.
if exec xrootd
xrd.protocol http:1094 /usr/lib64/
http.selfhttps2http no

#from James
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt

# Require the use of the xrd.tls certificates (alternative is to use manual)
http.httpsmode auto

##old way from first config, if above set to manual
#http.cadir /etc/grid-security/certificates
#http.cert /etc/grid-security/xrdcert.pem
#http.key /etc/grid-security/xrdkey.pem

# HTTP TPC (see the xrootd HTTP third-party-copy documentation).
# header2cgi forwards the client's Authorization header into the authz CGI so token-based
# requests reach the authorization plugins.
http.exthandler xrdtpc
http.header2cgi Authorization authz

# Please install libmacaroons rpm from EPEL.
# Macaroons support (see the xrootd macaroons documentation).
http.exthandler xrdmacaroons

# Secret generated with: openssl rand -base64 -out /etc/xrootd/macaroon-secret 64
# Owned by the xrootd user, mode 440 (chmod, not chown). Anyone who can read this file can
# mint valid macaroons, so keep it out of backups and world-readable locations.
macaroons.secretkey /etc/xrootd/macaroon-secret

## token stuff
# SciTokens authorization chained (++) after the authdb.
# NOTE(review): neither line names a plugin library after "++"; the scitokens plugin is normally
# given as a library path followed by config= — confirm the first line is complete and whether the
# bare second line is a leftover.
ofs.authlib ++ config=/etc/xrootd/scitokens.cfg
ofs.authlib ++


The path needs to be writable by the xroot user. If it isn't it will protest and fail on startup.


/etc/grid-security/certificates, fetch-crl, vomsdir set up as normal.

# cat /etc/grid-security/authdb
### Define users
## o - organisation/VO r - role g - group
# "=" lines name an identity and the VO (o:), role (r:) and group (g:) attributes a credential
# must carry to match it; the "x" lines below grant per-path rights to each identity.
#test users
= xgridppusr o: gridpp 
= xdteamusr o: dteam
= xopsuser o: ops
= xwlcguser o: wlcg
# NOTE(review): group is written "/wlcg" here but "uk" (no leading slash) below — confirm which
# form the token/VOMS attributes actually present.
= wlcgtknusr o: g: /wlcg
= xatlasprd o: atlas r: production
= xatlasplt o: atlas r: pilot
= xatlasukprd o: atlas r: production g: uk
= xatlasukusr o: atlas g: uk
= xatlasusr o: atlas
# NOTE(review): both hyperk identities leave o: empty. If an empty o: matches any VO (verify),
# then every production-role credential from any VO gets all rights ("a") on the export root
# /cephfs/grid/ and every other credential gets list/read on it — confirm this is intended.
= xhyperkprd o: r: production
= xhyperkusr o:
### Define accesses
## a - all-rights l - list (don't forget) r - read w - write
# NOTE(review): every "/cepfs/grid/srr" entry differs from the export path /cephfs/grid — likely
# a typo, in which case the srr list/read grant never applies; check against the live file.
x xgridppusr /cephfs/grid/gridpp a /cepfs/grid/srr lr
# NOTE(review): dteam also gets all rights on /cephfs/grid/wlcg — confirm that is deliberate.
x xdteamusr /cephfs/grid/dteam a /cephfs/grid/wlcg a /cepfs/grid/srr lr
x xatlasprd /cephfs/grid/atlas a /cepfs/grid/srr lr
# Pilots: read-only on data and localgroup disks, write only on scratch.
x xatlasplt /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasukprd /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk a /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasukusr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lrw /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasusr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasdatadisk lr  /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xopsuser /cephfs/grid/ops a /cepfs/grid/srr lr
x xwlcguser /cephfs/grid/wlcg a /cepfs/grid/srr lr
x wlcgtknusr /cephfs/grid/wlcg a /cepfs/grid/srr lr
# Rights on the export root itself, not a VO subdirectory (see the note on the "=" lines above).
x xhyperkprd /cephfs/grid/ a /cepfs/grid/srr lr
x xhyperkusr /cephfs/grid/ lr /cepfs/grid/srr lr


On server start-up, if the authdb is misconfigured xrootd will most likely log an error and fail to start.