Commit 5ba3a093 authored by Maarten Litmaath

Removed obsolete AliEn references and added JAliEn details.

parent b3ea947b
Pipeline #4965032 passed
...@@ -17,11 +17,29 @@ In all of the following, commands prompted ```by VO-Box>``` are to be issued onc ...@@ -17,11 +17,29 @@ In all of the following, commands prompted ```by VO-Box>``` are to be issued onc
VO-Box> vobox-proxy register -t 48 VO-Box> vobox-proxy register -t 48
``` ```
* Then define the correct proxy in your environment before (re)starting AliEn services on the VOBOX (replace the dots with the long file name of your registered proxy): * Define the correct proxy in your environment if you need to submit test jobs or get job outputs manually (replace the dots with the long file name of your registered proxy):
```bash ```bash
VO-Box> export X509_USER_PROXY=/var/lib/vobox/alice/proxy_repository/..... VO-Box> export X509_USER_PROXY=/var/lib/vobox/alice/proxy_repository/.....
```
VO-Box> /cvmfs/alice.cern.ch/bin/aliend restart * The JAliEn services must themselves define the correct proxy to be used, e.g. as follows:
```bash
VO-Box> cat ~/.alien/config/CE.env
# CE environment bootstrap
export X509_USER_PROXY=$(
ls -t /var/lib/vobox/alice/proxy_repository/*lcgadmin | sed q
)
VO-Box> cat ~/.alien/config/ml.env
# MonaLisa environment bootstrap
export X509_USER_PROXY=$(
ls -t /var/lib/vobox/alice/proxy_repository/*lcgadmin | sed q
)
export MYPROXY_SERVER=myproxy.cern.ch
```
* Restart the JAliEn services to ensure the new proxy is used:
```bash
VO-Box> /cvmfs/alice.cern.ch/scripts/vobox/jalien-vobox.sh restart
``` ```
## Involved Proxies ## Involved Proxies
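Review bot: In the added `CE.env` and `ml.env` snippets, `ls -t /var/lib/vobox/alice/proxy_repository/*lcgadmin | sed q` takes whichever matching file was modified most recently, so with more than one lcgadmin proxy registered the services can come up under a different identity after a restart, and when nothing matches `X509_USER_PROXY` is exported as an empty string without any error. Suggest stating in the text that exactly one such proxy is expected in the repository, and having the env files check that the selected file exists before exporting it.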
...@@ -33,7 +51,7 @@ The VO-Box uses several proxies for different tasks. Apart from the proxy used b ...@@ -33,7 +51,7 @@ The VO-Box uses several proxies for different tasks. Apart from the proxy used b
2. The user stores a long-lived (e.g. one month) myProxy on ```myproxy.cern.ch```. 2. The user stores a long-lived (e.g. one month) myProxy on ```myproxy.cern.ch```.
3. From the VO-Box, the user registers the _login_ proxy to the VO-Box Proxy Renewal Service. The proxy thus generated will be called, in the following, the _user proxy_. Since gLite 3.1, this needs do be a VOMS-extended proxy (i.e. a proxy that carries extra VO-specific information). 3. From the VO-Box, the user registers the _login_ proxy to the VO-Box Proxy Renewal Service. The proxy thus generated will be called, in the following, the _user proxy_. Since gLite 3.1, this needs do be a VOMS-extended proxy (i.e. a proxy that carries extra VO-specific information).
4. The VO-Box Proxy Renewal Service keeps the _user proxy_ alive by periodically getting a new one from the MyProxy server. To authenticate to the latter, it uses its copy of the machine proxy. 4. The VO-Box Proxy Renewal Service keeps the _user proxy_ alive by periodically getting a new one from the MyProxy server. To authenticate to the latter, it uses its copy of the machine proxy.
5. The AliEn CE running on the VO-Box uses the _user proxy_ to submit jobs to the CREAM CE. Just before submitting a bunch of job agents, the AliEn CE will itself check lifetime of the _user proxy_ and try to restart the proxy renewal daemon if the duration is significantly less than 48h. 5. The JAliEn CE running on the VO-Box uses the _user proxy_ to submit jobs to the site CE(s). Just before submitting a bunch of job agents, the JAliEn CE will itself check lifetime of the _user proxy_ and try to restart the proxy renewal daemon if the duration is significantly less than 48h.
!!! hint "Summary" !!! hint "Summary"
The proxy certificates involved in the management of an LCG VO-Box for ALICE are as follows: The proxy certificates involved in the management of an LCG VO-Box for ALICE are as follows:
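Review bot: In step 5, "significantly less than 48h" is left vague, although the CE log line quoted further down the page shows a threshold of 165600 (46 hours if the unit is seconds); if that is the same check, suggest stating the figure here. While the line is being touched, "check lifetime of" should read "check the lifetime of", and step 3 in the context still has "needs do be".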
...@@ -41,17 +59,17 @@ The VO-Box uses several proxies for different tasks. Apart from the proxy used b ...@@ -41,17 +59,17 @@ The VO-Box uses several proxies for different tasks. Apart from the proxy used b
* the __[login proxy](#the-login-proxy)__, which is used by the manager to login (via ```gsissh```) to the VO-Box * the __[login proxy](#the-login-proxy)__, which is used by the manager to login (via ```gsissh```) to the VO-Box
* the __[myProxy](#the-myproxy)__ registered on the MyProxy server (```myproxy.cern.ch```) * the __[myProxy](#the-myproxy)__ registered on the MyProxy server (```myproxy.cern.ch```)
* the __[machine proxy](#the-machine-proxy)__, which is used by the VO-Box to authenticate to the myproxy server * the __[machine proxy](#the-machine-proxy)__, which is used by the VO-Box to authenticate to the myproxy server
* the __[user proxy](#the-user-proxy-and-the-proxy-renewal-service)__ (a VOMS proxy), which is used by AliEn to submit jobs to LCG. * the __[user proxy](#the-user-proxy-and-the-proxy-renewal-service)__ (a VOMS proxy), which is used by JAliEn to submit jobs to the site CE(s).
Proxies can be examined in two ways: Proxies can be examined in a few ways:
* By using Globus tools (possibly wrapped in AliEn commands). If you don't specify the proxy file name, the ```$X509_USER_PROXY``` environment variable will be used. By default (i.e. if neither is specified) proxies are stored in ```/tmp/x509up_uXXXX```, where XXXX is the local numeric userid of the user owning the proxy. * By using Globus tools (possibly wrapped in JAliEn commands). If you don't specify the proxy file name, the ```$X509_USER_PROXY``` environment variable will be used. By default (i.e. if neither is specified) proxies are stored in ```/tmp/x509up_uXXXX```, where XXXX is the local numeric userid of the user owning the proxy.
```bash ```bash
LCG-UI> grid-proxy-info [-f ] LCG-UI> grid-proxy-info [-f ]
``` ```
* By directly using ```openssl``` tools (```man openssl``` for more detailed help, probably more than you will ever want to know), e.g.: * By directly using ```openssl``` tools (```man openssl``` for more detailed help, probably more than you will ever want to know), e.g.:
```bash ```bash
VO-Box> openssl x509 -in -noout -text VO-Box> openssl x509 -noout -text -in .....
``` ```
* However, in order to show also the VOMS extensions, you'll need a different command: * However, in order to show also the VOMS extensions, you'll need a different command:
```bash ```bash
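Review bot: The `openssl x509` line now ends in the `.....` placeholder for the proxy file, but `grid-proxy-info [-f ]` just above it still has an empty `-f` argument, so the two examples are inconsistent. Suggest giving `-f` the same placeholder.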
...@@ -67,10 +85,10 @@ LCG-UI> voms-proxy-init --voms alice:/alice/Role=lcgadmin ...@@ -67,10 +85,10 @@ LCG-UI> voms-proxy-init --voms alice:/alice/Role=lcgadmin
LCG-UI> gsissh -p 1975 your-VOBOX LCG-UI> gsissh -p 1975 your-VOBOX
``` ```
On the VO-Box, upon login the ```$X509_USER_PROXY``` variable will point to it, i.e. to a file in the ```/tmp``` directory called something like ```/tmp/x509up_p17069.fileuEDDS2.1```. Please note that this proxy is __not__ the one used to start services or submit jobs, nor it is in any way automatically managed. If this proxy expires, the AliEn services should take no exception (they shouldn't even notice). On the VO-Box, upon login the ```$X509_USER_PROXY``` variable will point to it, i.e. to a file in the ```/tmp``` directory called something like ```/tmp/x509up_p17069.fileuEDDS2.1```. Please note that this proxy is __not__ the one used to start services or submit jobs, nor it is in any way automatically managed. If this proxy expires, the JAliEn services should take no exception (they shouldn't even notice).
!!! info "" !!! info ""
You will need ```$X509_USER_PROXY``` to point to a valid [__user__ proxy](#the-user-proxy-and-the-proxy-renewal-service) in order to make the AliEn services work. You will need ```$X509_USER_PROXY``` to point to a valid [__user__ proxy](#the-user-proxy-and-the-proxy-renewal-service) in order to make the JAliEn services work, as documented above.
### The _myProxy_ ### The _myProxy_
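Review bot: The info box now ends with "as documented above" without saying where; the rest of the page links its cross-references with anchors (e.g. `#the-login-proxy`), so suggest linking to the section that introduces `~/.alien/config/CE.env`. In the paragraph before it, "nor it is in any way" should read "nor is it in any way".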
...@@ -97,7 +115,7 @@ The command lines options are important, and the meaning is as follows: ...@@ -97,7 +115,7 @@ The command lines options are important, and the meaning is as follows:
!!! info "Note" !!! info "Note"
The default value for the ```-t``` option (12 hours) is too short for our application, so it is important not to forget this option. The default value for the ```-t``` option (12 hours) is too short for our application, so it is important not to forget this option.
One fishy issue with this is that if you forget the option and the system tries to obtain a longer proxy, no error message will be issued and the derived proxy will just be of the maximum allowable length. One fishy issue with this is that if you forget the option and the system tries to obtain a longer proxy, no error message will be issued and the derived proxy will just be of the maximum allowable length.
There is a check in the AliEn code (since v2-10), so one way to diagnose this problem is to check the CE log file ```~/ALICE/alien-logs/CE.log``` and look for something like this: There is a check in the JAliEn code, so one way to diagnose this problem is to check the CE log file ```~/ALICE/alien-logs/CE.log.0``` and look for something like this:
```console ```console
Dec 31 21:30:23 info Proxy timeleft is 43188 (threshold is 165600) Dec 31 21:30:23 info Proxy timeleft is 43188 (threshold is 165600)
``` ```
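Review bot: The changed sentence points readers at `~/ALICE/alien-logs/CE.log.0` and drops the version qualifier, but the sample line under it is carried over unchanged from the AliEn text; please confirm that JAliEn writes the message in this form, since readers are told to search for it. It would also help to state the unit: the numbers appear to be seconds (43188 is just under 12 h, 165600 is 46 h).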
...@@ -117,7 +135,7 @@ LCG-UI> myproxy-info -s myproxy.cern.ch -d ...@@ -117,7 +135,7 @@ LCG-UI> myproxy-info -s myproxy.cern.ch -d
### The _user proxy_ and the Proxy Renewal Service ### The _user proxy_ and the Proxy Renewal Service
This is the most important proxy, since it is the one used by AliEn to start the services and to submit jobs to the LCG. This is the most important proxy, since it is the one used by JAliEn to start the services and to submit jobs to the site CE(s).
It is generated by registering the login proxy to a database, which is managed by the VO-Box Proxy Renewal Service (PRS) which will take care of renewing it: It is generated by registering the login proxy to a database, which is managed by the VO-Box Proxy Renewal Service (PRS) which will take care of renewing it:
```console ```console
...@@ -132,10 +150,6 @@ There's a couple more options to vobox-proxy other that can be useful: ...@@ -132,10 +150,6 @@ There's a couple more options to vobox-proxy other that can be useful:
| ```--myproxy-safe 864000``` | Tells the PRS to warn you 10 days before the long-lived proxy stored on the server expires.<br> If you get such a message, you are supposed to generate a fresh one by [```myproxy-init```](#the-myproxy). | | ```--myproxy-safe 864000``` | Tells the PRS to warn you 10 days before the long-lived proxy stored on the server expires.<br> If you get such a message, you are supposed to generate a fresh one by [```myproxy-init```](#the-myproxy). |
| ```--email your-address``` | The email address for the alert messages.<br>Please note that site firewall rules in most cases will prevent mail messages from the VO-Box to be sent. | | ```--email your-address``` | The email address for the alert messages.<br>Please note that site firewall rules in most cases will prevent mail messages from the VO-Box to be sent. |
The _user certificate_ owner must match the AliEn user declared in ```~alicesgm/.alien/Environment```.
!!! warning "Important"
If you change the ```ALIEN_USER``` in ```~alicesgm/.alien/Environment```, it is __mandatory__ to restart all the services, in order to have them running with the appropriate credentials.<br><br>
Upon such registration, in ```/var/lib/vobox/alice/proxy_repository``` a delegated proxy will be put with a file name that matches the DN of the user.<br><br> Upon such registration, in ```/var/lib/vobox/alice/proxy_repository``` a delegated proxy will be put with a file name that matches the DN of the user.<br><br>
This proxy is periodically renewed by the PRS, each time obtaining a fresh proxy with the requested duration, by default 12h. This proxy is periodically renewed by the PRS, each time obtaining a fresh proxy with the requested duration, by default 12h.
This being too short for most of ALICE jobs, please use the ```-t 48``` arguments of the ```vobox-proxy register``` command, to allow the PRS to handle all renewals. This being too short for most of ALICE jobs, please use the ```-t 48``` arguments of the ```vobox-proxy register``` command, to allow the PRS to handle all renewals.
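Review bot: With the `~alicesgm/.alien/Environment` paragraph and its warning removed, this section no longer says whose registered proxy the services are expected to run with, or that a restart is needed when that changes. Suggest one sentence here pointing to the `CE.env` / `ml.env` setup and the restart step. In the remaining context, "the `-t 48` arguments" should be singular.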
...@@ -148,12 +162,10 @@ VO-Box> vobox-proxy query -dn all ...@@ -148,12 +162,10 @@ VO-Box> vobox-proxy query -dn all
The script that ```starts/stops``` the Proxy Renewal Service is ```/etc/init.d/alice-box-proxyrenewal```. The script that ```starts/stops``` the Proxy Renewal Service is ```/etc/init.d/alice-box-proxyrenewal```.
This should be already in the init.d services list, so you should not need to do anything. <br><br> This should be already in the init.d services list, so you should not need to do anything. <br><br>
When you log in on the VO-Box, the ```$X509_USER_PROXY``` points to your [login proxy](#the-login-proxy). Please define the correct proxy to be used before (re)starting AliEn services (replace the dots with the long file name of your registered proxy): When you log in on the VO-Box, the ```$X509_USER_PROXY``` points to your [login proxy](#the-login-proxy). Please define in ```~/.alien/config/{CE,ml}.env``` the correct proxy to be used before (re)starting JAliEn services, as documented above:
```bash ```bash
VO-Box> export X509_USER_PROXY=/var/lib/vobox/alice/proxy_repository/..... VO-Box> /cvmfs/alice.cern.ch/scripts/vobox/jalien-vobox.sh restart
VO-Box> /cvmfs/alice.cern.ch/bin/aliend restart
``` ```
### The _machine proxy_ ### The _machine proxy_
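Review bot: The rewritten sentence ends in "as documented above:" but the block that follows contains only the `jalien-vobox.sh restart` command, so it reads as if the restart were the proxy definition. Suggest splitting it into one sentence on defining the proxy in `~/.alien/config/{CE,ml}.env` (with a link to that section) and a second one, "then restart the services:", that introduces the block. In the context above, `starts/stops` is set in code formatting although it is not a command.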
......