<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<title>Life-Science Grid Community - biomed</title>
<!-- Bootstrap core CSS -->
<link rel="stylesheet" href="bootstrap/3.3.5/css/bootstrap.min.css">
<link rel="stylesheet" href="css/styles.css">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
<script src="js/jquery.1.11.3.min.js"></script>
</head>
<body>
<script>
$(document).ready(function(){ $('#sidebar').load('biomed-technicals-sidebar.html'); });
</script>
<div class="globcontainer">
<div class="row">
<!-- Left menu -->
<div id="sidebar" class="col-sm-3"></div>
<!-- Body -->
<div class="col-sm-8">
<!-- Title -->
<title><a id="title" class="anchor" href="#title" aria-hidden="true"><span class="octicon octicon-link"></span></a>Technical Information - biomed VO</title>
<h2><span id="DIRAC_service">DIRAC service</span></h2>
<p>The French NGI, <a href="http://www.france-grilles.fr">France-Grilles</a>, offers a <a href="http://diracgrid.org">DIRAC</a> service to the biomed VO. This is the recommended solution to access computing resources of the VO.</p>
<p>DIRAC provides a pilot-job execution mechanism. You may be interested in using it if:</p>
<ul>
<li>you experience long queuing delays when submitting with glite-wms-job-submit</li>
<li>you use glite-ce-job-submit, but have difficulty selecting the CE to submit your jobs to</li>
<li>you are using your own pilot-job system, but have difficulty maintaining it at a production level</li>
</ul>
<p>To get started, read the <a href="/en/Usage_instructions" title="usage instructions">usage instructions</a>.</p>
<p><a href="/en/DIRAC4biomed" title="DIRAC4biomed">On-going discussion about the adoption of DIRAC in the VO.</a></p>
<!---------------------------------------------------------------------------------------------------------->
<h2><span id="CVMFS">CVMFS</span></h2>
<h4><span id="What_is_it">What is it?</span></h4>
<p>CVMFS is a convenient alternative to the VO software area (VO_BIOMED_SW_DIR): with CVMFS, VO software is deployed in one place only and is automatically replicated and made available through a mount point to all worker nodes that support the service.</p>
<p>RAL Tier-1 UK now hosts a CVMFS stratum 0 repository for biomed. As of today, half of the grid sites supporting biomed have the CVMFS client configured for biomed. Computing elements are identified with the tag <b>VO-biomed-CVMFS</b>. On their worker nodes, the CVMFS biomed repository is accessed at either <code>/cvmfs/biomed.egi.eu</code> or <code>/cvmfs/biomed.gridpp.ac.uk</code>. The path <code>/cvmfs/biomed.gridpp.ac.uk</code> is planned for retirement, and in time the egi.eu replacement should take over. For now, however, jobs should check which path actually exists on the Worker Nodes where they land.</p>
<h4><span id="How_to_use_it">How to use it?</span></h4>
<p>1. You first need to deploy your files on CVMFS. To do this, you need to contact Catalin Condurache ([email protected]) and send him your DN so that he gives you access to the repository. Don't forget to mention you are a biomed user.</p>
<p>2. Once validated, you are allowed to connect to the server cvmfs-upload01.gridpp.rl.ac.uk. Create a proxy certificate (<code>voms-proxy-init --voms biomed</code>), then:<br>
<code>$ gsissh -p 1975 cvmfs-upload01.gridpp.rl.ac.uk</code>
</p>
<p>Change to the <code>cvmfs_repo</code> directory (a link to <code>/cvmfs-mirror/biomed.gridpp.ac.uk</code>), create your own folder, then deploy your files with <code>gsiscp</code>.</p>
<p>3. Once files are replicated (a matter of hours), submit grid jobs to Computing Elements where the CVMFS client is configured for biomed, using the VO software tag <b>VO-biomed-CVMFS</b>:<br>
<code>Requirements = Member("VO-biomed-CVMFS", other.GlueHostApplicationSoftwareRunTimeEnvironment)</code>
</p>
<p>Files are accessed in mount point <code>/cvmfs/biomed.egi.eu</code> or <code>/cvmfs/biomed.gridpp.ac.uk</code>: the job needs to check which one actually exists.</p>
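<p>One way for a job to perform this check, as an added example that is not part of the original page. The function names and the <code>CVMFS_BASE</code> override (used only to exercise the logic away from a worker node) are hypothetical.</p>

```shell
#!/bin/sh
# Added example: pick the biomed CVMFS mount point that exists on this worker node.
# CVMFS_BASE is a hypothetical override (default /cvmfs) so the logic can be tested off-grid.

# Print the first usable biomed repository path; return 1 if none is available.
biomed_cvmfs_root() {
    base="${CVMFS_BASE:-/cvmfs}"
    # Prefer the egi.eu name; the gridpp.ac.uk path is planned for retirement.
    for repo in biomed.egi.eu biomed.gridpp.ac.uk; do
        candidate="$base/$repo"
        # Listing the directory triggers the automount and proves it is readable;
        # an empty or unreadable directory is treated as "not available".
        if [ -d "$candidate" ] && [ -n "$(ls -A "$candidate" 2>/dev/null)" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Resolve a file relative to the repository root and fail closed:
# no fallback to any other location when the repository or the file is missing.
biomed_cvmfs_file() {
    rel="$1"
    case "$rel" in
        # Conservative: reject absolute paths and anything containing "..".
        /*|*..*) echo "refusing path: $rel" >&2; return 2 ;;
    esac
    root="$(biomed_cvmfs_root)" || {
        echo "no biomed CVMFS repository on this node" >&2
        return 1
    }
    [ -r "$root/$rel" ] || { echo "not found in $root: $rel" >&2; return 1; }
    printf '%s\n' "$root/$rel"
}

# Typical use at the top of a job script (mytool/run.sh is a placeholder name):
#   tool="$(biomed_cvmfs_file mytool/run.sh)" || exit 1
```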
<h4><span id="How_to_have_more_sites_supporting_CVMFS_for_biomed">How to have more sites supporting CVMFS for biomed?</span></h4>
<p>There are 3 kinds of sites: (i) sites not supporting CVMFS at all, (ii) sites supporting CVMFS for some VOs, but not biomed, and (iii) sites supporting CVMFS for biomed. Getting from (ii) to (iii) is supposed to be relatively simple, since it only requires a change in the CVMFS configuration by the site admins.</p>
<p>The biomed support team has run a lobbying campaign, mostly on sites from the second category. We had many positive answers: as of today the service is provided to biomed by 44 sites, accounting for 66 CEs and 110 CE queues.</p>
<p>Contact the biomed technical support team if you would like specific sites to provide biomed with CVMFS.</p>
<h4><span id="Known_limitations">Known limitations</span></h4>
<p><b>CVMFS space is public: anyone can access it.</b> Do not deploy sensitive material.</p>
<p><b>Copyrighted software is not acceptable</b>, unless you have a license (unlikely) that would potentially apply to any biomed user.</p>
<p>Uploading big files may hamper CVMFS performance: big files are likely not to be cached on local Squids, so they would be downloaded from Stratum-1 each time they are needed. If uploaded files are tarballs, it is <u>strongly recommended</u> that they be extracted locally on the repository.</p>
<!---------------------------------------------------------------------------------------------------------->
<h2><span id="EMI2_UI">VirtualBox EMI2 UI Image</span></h2>
<p>A VirtualBox image containing a fully functional EMI2 user interface running CentOS 6 is available for testing.</p>
<h4><span id="Image_download_and_installation">Image download and installation</span></h4>
<p>The EMI2 VirtualBox image is available on the biomed LFC. Assuming that your VirtualBox VM directory is at ${HOME}/VirtualBox\ VMs:</p>
<pre>
cd ${HOME}/VirtualBox\ VMs
lcg-cp lfn:/grid/biomed/emi2-ui-biomed.tgz file:emi2-ui-biomed.tgz
tar zxvf emi2-ui-biomed.tgz
</pre>
<p>You should now have an "EMI2 UI - biomed" image in your VirtualBox.</p>
<h4><span id="Accounts">Accounts</span></h4>
<p>You can log in as user "biomed", with password "biomed". The root password is "biomed2012".</p>
<h4><span id="UI_testing">UI testing</span></h4>
<p>You will have to install your own biomed grid credentials. The following commands have been tested:</p>
<pre>
voms-proxy-init -voms biomed
lfc-*
lcg-cr, lcg-cp, lcg-del
glite-wms-job-submit
glite-wms-job-status
glite-wms-job-logging-info
glite-wms-job-output (you will have to create /tmp/jobOutput if used with no option)
</pre>
<p>A sample JDL file is available in ${HOME}/hello.jdl</p>
<!---------------------------------------------------------------------------------------------------------->
<h2><span id="UI_configuration">UI configuration</span></h2>
<p>For installing a UI, here are some configuration parameters you will need for accessing the biomed VO services:</p>
<h3><span id="glite_wmsui.conf">/opt/glite/etc/biomed/glite_wmsui.conf</span></h3>
<pre>
[
NSAddresses = {"egee-wms-01.cnaf.infn.it:7443"};
LBAddresses = {{"egee-wms-01.cnaf.infn.it:9003"}};
WMProxyEndPoints = {"https://marwms.in2p3.fr:7443/glite_wms_wmproxy_server"};
OutputStorage = "/tmp/jobOutput";
JdlDefaultAttributes = [
RetryCount = 3;
rank = - other.GlueCEStateEstimatedResponseTime;
PerusalFileEnable = false;
AllowZippedISB = true;
requirements = other.GlueCEStateStatus == "Production";
ShallowRetryCount = 10;
SignificantAttributes = {"Requirements", "Rank", "FuzzyRank"};
MyProxyServer = "lxn1179.cern.ch";
];
]
</pre>
<h3><span id="glite_wms.conf">/opt/glite/etc/biomed/glite_wms.conf</span></h3>
<pre>
[
NSAddresses = {"egee-wms-01.cnaf.infn.it:7443"};
LBAddresses = {{"egee-wms-01.cnaf.infn.it:9003"}};
WMProxyEndPoints = {"https://marwms.in2p3.fr:7443/glite_wms_wmproxy_server"};
OutputStorage = "/tmp/jobOutput";
JdlDefaultAttributes = [
RetryCount = 3;
rank = - other.GlueCEStateEstimatedResponseTime;
PerusalFileEnable = false;
AllowZippedISB = true;
requirements = other.GlueCEStateStatus == "Production";
ShallowRetryCount = 10;
SignificantAttributes = {"Requirements", "Rank", "FuzzyRank"};
MyProxyServer = "lxn1179.cern.ch";
];
]
</pre>
<h3><span id="vomses">/opt/glite/etc/vomses/biomed-cclcgvomsli01.in2p3.fr</span></h3>
<pre>
"biomed" "cclcgvomsli01.in2p3.fr" "15000" "/O=GRID-FR/C=FR/O=CNRS/OU=CC-IN2P3/CN=cclcgvomsli01.in2p3.fr" "biomed" "24"
</pre>
<h3><span id="Environment_variables">Environment variables</span></h3>
<pre>
LFC_HOST=lfc-biomed.in2p3.fr
LCG_GFAL_INFOSYS=cclcgtopbdii02.in2p3.fr:2170
</pre>
<!---------------------------------------------------------------------------------------------------------->
<h2><span id="User_Interface_configuration_using_YAIM">User Interface configuration using YAIM</span></h2>
<p>When using <a href="https://twiki.cern.ch/twiki/bin/view/EGEE/YAIM">YAIM</a> to configure a UI, you can use the following in your <tt>site-info.def</tt> configuration file:</p>
<pre>
RB_HOST="boszwijn.nikhef.nl"
LB_HOST="boszwijn.nikhef.nl"
WMS_HOST="egee-wms-01.cnaf.infn.it"
PX_HOST="myproxy.cern.ch"
BDII_HOST="cclcgtopbdii02.in2p3.fr"
REG_HOST="lcgic01.gridpp.rl.ac.uk"
CA_REPOSITORY="rpm http://linuxsoft.cern.ch/ LCG-CAs/current production"
VO_BIOMED_VOMS_SERVERS="'vomss://voms-biomed.in2p3.fr:8443/voms/biomed?/biomed/'"
VO_BIOMED_VOMSES="'biomed cclcgvomsli01.in2p3.fr 15000 /O=GRID-FR/C=FR/O=CNRS/OU=CC-IN2P3/CN=cclcgvomsli01.in2p3.fr biomed 24'"
VO_BIOMED_VOMS_CA_DN="'/C=FR/O=CNRS/CN=GRID2-FR'"
</pre>
<p><tt>/etc/profile.d</tt> scripts are useful for setting user environment variables that some tools rely on (e.g. <tt>lfc-ls(1)</tt>):</p>
<pre>
echo 'export LFC_HOST="lfc-biomed.in2p3.fr"' > /etc/profile.d/lfc-host.sh
echo 'setenv LFC_HOST "lfc-biomed.in2p3.fr"' > /etc/profile.d/lfc-host.csh
chmod +x /etc/profile.d/lfc-host.*
</pre>
<!---------------------------------------------------------------------------------------------------------->
<h2><span id="Security">Security configuration</span></h2>
<h3><span id="Secure_SSH">Secure SSH</span></h3>
<ul>
<li>Implement the recommendations in <a href="http://wiki.centos.org/HowTos/Network/SecuringSSH">http://wiki.centos.org/HowTos/Network/SecuringSSH</a>, in particular:
<ul>
<li>Disable root logins</li>
<li>Limit user logins</li>
<li>Disable password authentication</li>
</ul>
</li>
<li>Install and start <a class="externallink" rel="nofollow" href="http://denyhosts.sourceforge.net/">denyhosts</a>:
<pre>
yum install denyhosts
service denyhosts start
chkconfig --level 2345 denyhosts on
</pre>
</li>
</ul>
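<p>A check for the three SSH settings listed above, as an added example that is not part of the original page. It reads only the global section of a single <code>sshd_config</code> file (no <code>Include</code> handling); the function names are hypothetical.</p>

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config file for
# root login, password authentication and a user/group allow-list.

# sshd_value FILE KEYWORD: print the effective global value, lower-cased.
# sshd uses the first occurrence of a keyword, keywords are case-insensitive,
# "Keyword=value" is accepted, and Match blocks end the global section.
sshd_value() {
    key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v key="$key" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        { kw = tolower($0); sub(/[ \t=].*$/, "", kw) }
        kw == "match" { exit }
        kw == key {
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "")
            print tolower($0); exit
        }
    ' "$1"
}

# audit_sshd FILE: print one finding per weak setting; return 1 if any.
audit_sshd() {
    conf="$1"; findings=0
    # An unset PermitRootLogin is flagged: the built-in default differs between OpenSSH releases.
    [ "$(sshd_value "$conf" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no'"; findings=1; }
    # PasswordAuthentication defaults to yes, so it must be disabled explicitly.
    [ "$(sshd_value "$conf" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no'"; findings=1; }
    # Either allow-list directive limits which accounts may log in.
    [ -n "$(sshd_value "$conf" AllowUsers)$(sshd_value "$conf" AllowGroups)" ] ||
        { echo "no AllowUsers/AllowGroups restriction"; findings=1; }
    return "$findings"
}

# Typical use: audit_sshd /etc/ssh/sshd_config
```

<p>On a live host, <code>sshd -T</code> prints the effective configuration including defaults, which can be compared with what the file audit reports.</p>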
<h3><span id="Secure_your_certificate">Secure your certificate(s) and proxies</span></h3>
<ul>
<li>Don't export a certificate without a passphrase</li>
<li>Don't store the passphrase of your certificate in a file</li>
<li>Don't share your certificate(s) with other users</li>
<li>Don't generate long proxies</li>
</ul>
<h3><span id="Take_care_of_user_accounts">Take care of user accounts</span></h3>
<ul>
<li>Don't create accounts for users who are not supposed to access the infrastructure</li>
<li>Remove obsolete user accounts</li>
<li>Don't share certificates or proxies between user accounts</li>
</ul>
<h3><span id="Restrict_your_firewall">Restrict your firewall</span></h3>
<ul>
<li>Restrict inbound connectivity. Most of the UI clients for job and file management don't require any open port.</li>
</ul>
<h3><span id="Keep_your_system_up-to-date">Keep your system up-to-date</span></h3>
<p>Update your software packages regularly:</p>
<pre>
yum update
</pre>
<h3><span id="Secure_NTP">Secure NTP</span></h3>
<p>See the documentation at <a class="externallink" rel="nofollow" href="https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html">https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html</a>, in particular the section "UNIX ntpd".</p>
<!---------------------------------------------------------------------------------------------------------->
</div> <!-- .col-sm7 -->
</div> <!-- .row -->
</div><!-- .globcontainer -->
<!-- Bootstrap core JavaScript ================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
<script src="bootstrap/3.3.5/js/bootstrap.min.js"></script>
</body>
</html>