Depending on the agreement between CNAF and the experiments, data transfers can be performed with or without the Storage Resource Manager (SRM), which at Tier-1 is StoRM. SRM is typically used when the experiment maintains a Virtual Organization (VO).
Other protocols commonly used at INFN-Tier-1 are POSIX, GridFTP, XrootD and WebDAV/HTTP.
Data transfers without SRM
To transfer a file without SRM, globus-url-copy is commonly used. It is a command-line program for file transfers which implements different protocols, among which GridFTP, an extension of FTP. It supports parallel transfer streams and third-party copy.
A personal certificate is required in order to use GridFTP. Also, the user DN has to be enabled on the GridFTP server by the sysadmin. The DN can be obtained from the certificate using the command:
openssl x509 -noout -in $HOME/.globus/usercert.pem -subject
Then, it should be communicated to the User Support team in order to be enabled.
Before performing the actual file transfer, it is necessary to generate a proxy with the command:
grid-proxy-init
By default, the proxy lasts 12 hours. To extend its lifetime, the following options can be used:
-valid HOURS:MINUTES
-hours HOURS
For example:
-bash-4.2$ grid-proxy-init -hours 48
Your identity: /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it
Enter GRID pass phrase for this identity:
Creating proxy ...................................... Done
Your proxy is valid until: Sun Aug 2 17:47:32 2020
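In transfer scripts it can be convenient to renew the proxy automatically when it is close to expiry. A minimal sketch, assuming grid-proxy-info and grid-proxy-init are available; the one-hour threshold and the helper names are our own illustrative choices, not a CNAF recommendation:

```shell
#!/bin/bash
# Renew the proxy when less than one hour of lifetime is left.
# grid-proxy-info -timeleft prints the remaining seconds (0 if expired).

needs_renewal() {
    # $1: remaining proxy lifetime in seconds
    [ "$1" -lt 3600 ]
}

ensure_proxy() {
    local timeleft
    timeleft=$(grid-proxy-info -timeleft 2>/dev/null || echo 0)
    if needs_renewal "$timeleft"; then
        grid-proxy-init -valid 48:00
    fi
}
```

Calling ensure_proxy at the top of a transfer script then prompts for the pass phrase only when actually needed.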
After that, we can perform the transfers; what is actually allowed depends on the permissions and the access control lists on the filesystem.
To write:
globus-url-copy <local_path>/file gsiftp://gridftp-plain-virgo.cr.cnaf.infn.it:2811/<remote_path>/file
To read, i.e. to get a local copy:
globus-url-copy gsiftp://gridftp-plain-virgo.cr.cnaf.infn.it:2811/<remote_path>/file local_copy
The <remote_path> (something like /storage/gpfs_data/experiment) will be communicated to the user by the User Support team.
The globus-url-copy command also allows performing a third-party copy of a file without creating a local copy on your own device.
This works with a simple concatenation of read and write:
globus-url-copy gsiftp://gridftp-plain-virgo.cr.cnaf.infn.it:2811/<source_remote_path_>/file gsiftp://gridftp-plain-virgo.cr.cnaf.infn.it:2811/<destination_remote_path>/new_file
The full list of the additional options is available using:
man globus-url-copy
Some useful options:
-f FILENAME : read a list of URL pairs from filename. Each line should contain sourceURL destURL. Enclose URLs with spaces in double quotes ("). Blank lines and lines beginning with # will be ignored.
-df FILENAME, -dumpfile FILENAME : path to a file where untransferred URLs will be saved for later restarting. The resulting file has the same format as the -f input file. If the file exists, it will be read and all other URL input will be ignored.
-cd, -create-dest : create the destination directory if needed.
-r : copy files in subdirectories.
-v, -verbose : display URLs being transferred.
-p PARALLELISM, -parallel PARALLELISM : specify the number of parallel data connections to be used.
-list URL : list the files located at URL.
-sync : only transfer files where the destination does not exist or differs from the source. -sync-level controls how to determine if files differ.
-sync-level NUMBER : criteria for determining if files differ when performing a sync transfer. The default sync level is 2. The available levels are:
- Level 0: only transfer if the destination does not exist.
- Level 1: transfer if the size of the destination does not match the size of the source.
- Level 2: transfer if the time stamp of the destination is older than the time stamp of the source.
- Level 3: perform a checksum of the source and destination and transfer if the checksums do not match.
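The -f, -cd and -sync options combine naturally for batch transfers. The sketch below only builds the URL-pair list; the endpoint is the illustrative Virgo one used above, the local paths and file names are our own examples, and <remote_path> stays a placeholder to be replaced with the path communicated by User Support:

```shell
#!/bin/bash
# Build a URL-pair list for "globus-url-copy -f":
# one "sourceURL destURL" pair per line.
ENDPOINT=gsiftp://gridftp-plain-virgo.cr.cnaf.infn.it:2811   # illustrative endpoint

cat > transfers.txt <<EOF
file://$HOME/data/run1.dat $ENDPOINT/<remote_path>/run1.dat
file://$HOME/data/run2.dat $ENDPOINT/<remote_path>/run2.dat
EOF

# With a valid proxy, the whole list can then be transferred in one call,
# creating missing destination directories and skipping up-to-date files:
#   globus-url-copy -cd -p 4 -sync -f transfers.txt
```

If a transfer is interrupted, adding -df transfers.failed saves the untransferred pairs for a later restart.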
You can also use the gfal tools, described in the following paragraphs, for example to list the files of a directory or to remove a file, respectively:
gfal-ls gsiftp://gridftp-plain-virgo.cr.cnaf.infn.it:2811/<remote_path>/directory
gfal-rm gsiftp://gridftp-plain-virgo.cr.cnaf.infn.it:2811/<remote_path>/file
Data transfers with SRM
All the SRM specifications are available here [13].
In this case, a VOMS proxy is needed (see the previous sections for details on proxy generation).
-bash-4.2$ voms-proxy-init --voms virgo:/virgo/virgo
Enter GRID pass phrase for this identity:
Contacting voms-01.pd.infn.it:15009 [/DC=org/DC=terena/DC=tcs/C=IT/L=Frascati/O=Istituto Nazionale di Fisica Nucleare/CN=voms-01.pd.infn.it] "virgo"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u10162.
Your proxy is valid until Tue Aug 18 22:45:07 CEST 2020
-bash-4.2$ voms-proxy-info --all
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it/CN=1185352064
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 1024
path      : /tmp/x509up_u10162
timeleft  : 11:57:53
key usage : Digital Signature, Key Encipherment
=== VO virgo extension information ===
VO        : virgo
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/L=Frascati/O=Istituto Nazionale di Fisica Nucleare/CN=voms-01.pd.infn.it
attribute : /virgo/virgo/Role=NULL/Capability=NULL
attribute : /virgo/Role=NULL/Capability=NULL
timeleft  : 11:57:53
uri       : voms-01.pd.infn.it:15009
In contrast to the GridFTP case, we have to contact a StoRM frontend on port 8444; the frontend then passes the request to a backend [14].
The Virtual Organizations use dedicated StoRM endpoints for data management and data transfer:
https://www.cnaf.infn.it/~usersupport/StorageAreas.html.
For example, AMS uses storm-fe-ams for the disk area (/storage/gpfs_ams), but storm-archive to write on the tape buffer (/storage/gpfs_archive/ams).
Also, the path to read or write is not the real path on the filesystem: each experiment uses a single access path to its storage area.
Now we consider two tools for the SRM protocol: Gfal and ClientSRM.
Gfal utils
Documentation is available here [15]. The user can also get the full list of options using the command man gfal-copy.
Most used commands are:
gfal-ls : list information about the file
gfal-xattr : display attributes of a file or set them to a new value
gfal-cat : concatenate file to standard output
gfal-mkdir : create the DIRECTORY(ies), if they do not already exist
gfal-stat : display extended information about a file or directory
gfal-chmod : change the permissions of a file
gfal-rename : renames SOURCE to DESTINATION
gfal-sum : calculates the checksum of the specified file, using a specified checksum algorithm
gfal-rm : removes each specified file or directory
gfal-save : reads from stdin and writes to a file until it finds EOF
These are the steps to install Gfal assuming the machine is CentOS7:
Enable epel repo:
curl http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm > /tmp/epel-release-latest-7.noarch.rpm
sudo rpm -ivh /tmp/epel-release-latest-7.noarch.rpm
Enable egi repo:
sudo tee /etc/yum.repos.d/egi.repo <<'EOF'
[EGI-trustanchors]
name=EGI-trustanchors
baseurl=http://repository.egi.eu/sw/production/cas/1/current/
gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
enabled=1
EOF
Install several tools:
sudo yum install -y gfal2-util gfal2-all fetch-crl ca-policy-egi-core globus-proxy-utils
Install personal certificate on the machine:
cd $HOME
mkdir -p .globus
cd .globus
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem
chmod 600 usercert.pem
chmod 400 userkey.pem
To check all is correctly working:
grid-proxy-init -valid 168:00
gfal-copy --version
The last command should print the list of available protocols, which should include gridftp. If it does not, try running yum update.
Some examples of the gfal utils are shown below.
-bash-4.2$ gfal-ls srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4
generated
virgo
RomePSS
virgoin
virgoout_O2LH_01_0127_067_-81.305_-90.000_.mat
prova_lucia2
prova_lucia3
vedovato
virgojob_summary_O2LH_01_0127_067_-81.305_-90.000_.mat
virgoRomePSS
testalbe
vdbroeck
prova_lucia
prova_andrea
-bash-4.2$ gfal-rm srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea
srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea DELETED
-bash-4.2$ gfal-copy /home/USER-SUPPORT/arendina/sleep.sub srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea
Copying file:///home/USER-SUPPORT/arendina/sleep.sub [DONE] after 2s
-bash-4.2$ gfal-sum srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea ADLER32
srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea 2bca5372
For all the gfal commands see [16].
ClientSRM utils
In case of a local-to-remote transfer, you first have to request the storage space on the destination filesystem; this is done with the command clientSRM PtP, where PtP stands for Prepare to Put. For example:
$ clientSRM PtP -e httpg://storm-fe-archive.cr.cnaf.infn.it:8444 -s srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea
where:
- -e specifies the endpoint.
- -s specifies the destination SURL, which is composed of a space token (virgo4 in the example) and the file path. The space token will be communicated by the Experiment Support group.
- -v sets the verbosity level.
The complete list of options is shown by the command clientSRM PtP -help or in [17].
The output should be something like this:
-bash-4.2$ clientSRM PtP -e httpg://storm-fe-archive.cr.cnaf.infn.it:8444 -s srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea
============================================================
Sending PtP request to: httpg://storm-fe-archive.cr.cnaf.infn.it:8444
Before execute:
Afer execute:
Request Status Code 17
Poll Flag 0
============================================================
Request status:
statusCode="SRM_REQUEST_QUEUED"(17)
============================================================
SRM Response:
requestToken="51e58c63-afdd-4ccb-8a6d-8551b4261c33"
arrayOfFileStatuses (size=1)
[0] SURL="srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea"
[0] status: statusCode="SRM_REQUEST_QUEUED"(17)
explanation=""
============================================================
It is important to note the request token (in this case 51e58c63-afdd-4ccb-8a6d-8551b4261c33), which will be used later. Then it is necessary to check the status of the request with clientSRM SPtP (Status of Prepare to Put):
clientSRM SPTP -v -e httpg://storm-fe-archive.cr.cnaf.infn.it:8444 -t 51e58c63-afdd-4ccb-8a6d-8551b4261c33
where with -t you provide the token shown in the output of the clientSRM PtP command. The status field of the output shows whether the request was successful.
-bash-4.2$ clientSRM SPTP -v -e httpg://storm-fe-archive.cr.cnaf.infn.it:8444 -t 51e58c63-afdd-4ccb-8a6d-8551b4261c33
============================================================
Sending StatusPtP request to: httpg://storm-fe-archive.cr.cnaf.infn.it:8444
Before execute:
Afer execute:
Request Status Code 0
Poll Flag 0
============================================================
Request status:
statusCode="SRM_SUCCESS"(0)
explanation="All chunks successfully handled!"
============================================================
SRM Response:
arrayOfFileStatuses (size=1)
[0] SURL="srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea"
[0] status: statusCode="SRM_SPACE_AVAILABLE"(24)
explanation="srmPrepareToPut successfully handled!"
[0] TURL="gsiftp://ds-815.cr.cnaf.infn.it:2811//storage/gpfs_virgo4/virgo4/prova_andrea"
============================================================
It is important to note the TURL, which will be used with the globus-url-copy command. After that, we can perform the file transfer:
bash-4.2$ globus-url-copy /home/USER-SUPPORT/arendina/sleep.sub gsiftp://ds-815.cr.cnaf.infn.it:2811//storage/gpfs_virgo4/virgo4/prova_andrea
With this command we actually overwrite the file "prova_andrea", prepared with the clientSRM PtP command, with the local file "sleep.sub".
Finally, in order not to leave an open request in the StoRM database, we have to finish with the clientSRM Pd command, where Pd stands for Put done:
-bash-4.2$ clientSRM Pd -e httpg://storm-fe-archive.cr.cnaf.infn.it:8444 -t 51e58c63-afdd-4ccb-8a6d-8551b4261c33 -s srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea
============================================================
Sending PutDone request to: httpg://storm-fe-archive.cr.cnaf.infn.it:8444
Before execute:
Afer execute:
Request Status Code 0
Poll Flag 0
============================================================
Request status:
statusCode="SRM_SUCCESS"(0)
explanation="All file requests are successfully completed"
============================================================
SRM Response:
arrayOfFileStatuses (size=1)
[0] SURL="srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea"
[0] status: statusCode="SRM_SUCCESS"(0)
explanation="Success"
============================================================
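When scripting the PtP / SPtP / Put done cycle, the request token and the TURL have to be extracted from the clientSRM output. A minimal parsing sketch (the helper names are ours; the actual transfer commands are only indicated in comments, since they need a valid proxy and endpoint):

```shell
#!/bin/bash
# Extract requestToken="..." and TURL="..." from clientSRM output.

parse_token() {  # reads clientSRM PtP output on stdin
    sed -n 's/.*requestToken="\([^"]*\)".*/\1/p' | head -n 1
}

parse_turl() {   # reads clientSRM SPtP output on stdin
    sed -n 's/.*TURL="\([^"]*\)".*/\1/p' | head -n 1
}

# In a real session, with a valid VOMS proxy, one would then run:
#   TOKEN=$(clientSRM PtP -e <endpoint> -s <surl> | parse_token)
#   TURL=$(clientSRM SPtP -e <endpoint> -t "$TOKEN" | parse_turl)
#   globus-url-copy <local_file> "$TURL"
#   clientSRM Pd -e <endpoint> -t "$TOKEN" -s <surl>
```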
Similarly, in case of a remote-to-local transfer the command is clientSRM PtG, where PtG stands for Prepare to Get; the status of the preparation is checked with clientSRM SPtG:
-bash-4.2$ clientSRM PTG -e httpg://storm-fe-archive.cr.cnaf.infn.it:8444 -s srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea
============================================================
Sending PtG request to: httpg://storm-fe-archive.cr.cnaf.infn.it:8444
Before execute:
Afer execute:
Request Status Code 17
Poll Flag 0
============================================================
Request status:
statusCode="SRM_REQUEST_QUEUED"(17)
============================================================
SRM Response:
requestToken="fe633fd3-de07-4a3e-a388-3cc2adf1fd3a"
arrayOfFileStatuses (size=1)
[0] status: statusCode="SRM_REQUEST_QUEUED"(17)
explanation=""
[0] sourceSURL="srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea"
============================================================
-bash-4.2$ clientSRM SPtG -e httpg://storm-fe-archive.cr.cnaf.infn.it:8444 -t fe633fd3-de07-4a3e-a388-3cc2adf1fd3a
============================================================
Sending StatusPtG request to: httpg://storm-fe-archive.cr.cnaf.infn.it:8444
Before execute:
Afer execute:
Request Status Code 0
Poll Flag 0
============================================================
Request status:
statusCode="SRM_SUCCESS"(0)
explanation="All chunks successfully handled!"
============================================================
SRM Response:
arrayOfFileStatuses (size=1)
[0] status: statusCode="SRM_FILE_PINNED"(22)
explanation="srmPrepareToGet successfully handled!"
[0] sourceSURL="srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4/prova_andrea"
[0] fileSize=280
[0] transferURL="gsiftp://ds-915.cr.cnaf.infn.it:2811//storage/gpfs_virgo4/virgo4/prova_andrea"
============================================================
So we can perform the transfer with a globus-url-copy command:
-bash-4.2$ globus-url-copy gsiftp://ds-915.cr.cnaf.infn.it:2811//storage/gpfs_virgo4/virgo4/prova_andrea copia
-bash-4.2$ ls
ce_testp308.sub  copia  pass  sleep.sh  sleep.sub  test.sub
Finally, to list the files in a directory you can use the command clientSRM Ls:
-bash-4.2$ clientSRM Ls -e httpg://storm-fe-archive.cr.cnaf.infn.it:8444 -s srm://storm-fe-archive.cr.cnaf.infn.it:8444/virgo4
More information on using SRM clients can be found here [18].
XrootD (extended ROOT daemon)
To use the XrootD protocol a voms-proxy is needed.
-bash-4.2$ voms-proxy-init --voms ams02.cern.ch
Enter GRID pass phrase for this identity:
Contacting voms-02.pd.infn.it:15008 [/DC=org/DC=terena/DC=tcs/C=IT/L=Frascati/O=Istituto Nazionale di Fisica Nucleare/CN=voms-02.pd.infn.it] "ams02.cern.ch"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u25071.
Your proxy is valid until Tue Sep 08 23:12:00 CEST 2020
-bash-4.2$ voms-proxy-info --all
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it/CN=451777284
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 1024
path      : /tmp/x509up_u25071
timeleft  : 11:59:48
key usage : Digital Signature, Key Encipherment
=== VO ams02.cern.ch extension information ===
VO        : ams02.cern.ch
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/L=Frascati/O=Istituto Nazionale di Fisica Nucleare/CN=voms-02.pd.infn.it
attribute : /ams02.cern.ch/Role=NULL/Capability=NULL
timeleft  : 11:59:48
uri       : voms-02.pd.infn.it:15008
Some VOs make use of dedicated XrootD endpoints, whose aliases are listed on the public web page https://www.cnaf.infn.it/~usersupport/XrootD_SA.html.
In this case the user can contact either the server directly or a redirector. Also, the starting part of the filesystem path, called the local root, should be known. For instance, the server for the AMS experiment can be contacted on port 8082, whereas port 8083 is used to contact the redirector. The local root is /storage/gpfs_ams/xrootd.
Let's see some examples of the xrd clients.
Listing directory
-bash-4.2$ xrdfs root://xrootd-ams.cr.cnaf.infn.it:8082// ls /
/eos
/storage
/test
/test_1906
/test_1906_2
/test_1906_3
/test_2105
/test_2105_2
/test_etc_0205
-bash-4.2$ xrdfs root://xrootd-ams.cr.cnaf.infn.it:8082// ls /eos/ams
/eos/ams/Data
/eos/ams/MC
/eos/ams/cnaf-groups
/eos/ams/cnaf-users
Download
-bash-4.2$ xrdcp root://xrootd-ams.cr.cnaf.infn.it:8082//test_1906 copia_locale
[654.6kB/654.6kB][100%][==================================================][654.6kB/s]
Upload
-bash-4.2$ xrdcp copia_locale root://xrootd-ams.cr.cnaf.infn.it:8082//test_0809
[654.6kB/654.6kB][100%][==================================================][654.6kB/s]
Removing a file
-bash-4.2$ xrdfs root://xrootd-ams.cr.cnaf.infn.it:8083// rm /test_0809
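When scripting several xrdfs/xrdcp calls, it can help to build the root:// URLs in one place. A small sketch using the AMS endpoint and ports quoted above (the helper name and variable names are ours; the real calls, shown in comments, require a valid VOMS proxy):

```shell
#!/bin/bash
# Compose root:// URLs for the xrd clients from host, port and path.
XRD_HOST=xrootd-ams.cr.cnaf.infn.it
XRD_PORT_SERVER=8082       # contact the server directly (see text)
XRD_PORT_REDIRECTOR=8083   # contact the redirector

xrd_url() {  # $1: port, $2: path inside the storage area (may be empty)
    echo "root://${XRD_HOST}:$1//$2"
}

# Example real calls:
#   xrdfs "$(xrd_url "$XRD_PORT_SERVER" '')" ls /
#   xrdcp "$(xrd_url "$XRD_PORT_SERVER" test_1906)" copia_locale
#   xrdfs "$(xrd_url "$XRD_PORT_REDIRECTOR" '')" rm /test_0809
```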
Data transfers using http endpoints
Proxies
At INFN-Tier-1, WebDAV endpoints for the experiments' storage areas are provided with StoRM WebDAV (third-party copy supported) or Apache.
The most common WebDAV clients can then be used to access the storage areas, namely browsers and command-line tools such as curl and davix.
When StoRM WebDAV is used, VOMS proxies are supported only by the command-line tools; browsers can be used to navigate the storage area content if anonymous read-only access is enabled (HTTP endpoint) or if access by VO users with their X.509 certificates is enabled (HTTPS endpoint).
More information is available in the wiki [19]. Some examples follow below.
With a valid voms-proxy:
-bash-4.2$ voms-proxy-init --voms dteam
Enter GRID pass phrase for this identity:
Contacting voms2.hellasgrid.gr:15004 [/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr] "dteam"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u10162.
Your proxy is valid until Thu Aug 20 00:22:39 CEST 2020
-bash-4.2$ voms-proxy-info --all
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it/CN=1933593968
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 1024
path      : /tmp/x509up_u10162
timeleft  : 11:59:11
key usage : Digital Signature, Key Encipherment
=== VO dteam extension information ===
VO        : dteam
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Andrea Rendina arendina@infn.it
issuer    : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr
attribute : /dteam/Role=NULL/Capability=NULL
timeleft  : 11:59:10
uri       : voms2.hellasgrid.gr:15004
Listing directory
-bash-4.2$ davix-ls -P grid https://xfer.cr.cnaf.infn.it:8443/dteam/
smoke-test-storage-ops.cr.cnaf.infn.it-113972
smoke-test-storage-ops.cr.cnaf.infn.it-23261
Upload
-bash-4.2$ davix-put -P grid /home/USER-SUPPORT/arendina/sleep.sub https://xfer.cr.cnaf.infn.it:8443/dteam/andrea1908
-bash-4.2$ davix-ls -P grid https://xfer.cr.cnaf.infn.it:8443/dteam/
smoke-test-storage-ops.cr.cnaf.infn.it-113972
smoke-test-storage-ops.cr.cnaf.infn.it-23261
andrea1908
Download
-bash-4.2$ davix-get -P grid https://xfer.cr.cnaf.infn.it:8443/dteam/andrea1908 copia_andrea_locale
Performing Read operation on: https://xfer.cr.cnaf.infn.it:8443/dteam/andrea1908
[======================] 100%   280B/280B   0B/s
Removing a file
-bash-4.2$ davix-rm -P grid https://xfer.cr.cnaf.infn.it:8443/dteam/andrea1908
Third-party-copy
To make a transfer between two storage areas, a gfal-copy command can be used, for instance:
-bash-4.2$ gfal-copy https://xfer-archive.cr.cnaf.infn.it:8443/juno/test0906 https://ccdcacli303.in2p3.fr:2880/juno/dirac/juno/test_0906
Copying https://xfer-archive.cr.cnaf.infn.it:8443/juno/test0906 [DONE] after 2s
Tokens
StoRM WebDAV also supports OpenID Connect authentication and authorization on storage areas, so tokens can be used instead of proxies [20]. Dedicated IAM (Identity and Access Management) instances can be configured for the experiments upon request (please contact the User Support team).
Also, a catch-all IAM instance is available at iam-t1-computing.cloud.cnaf.infn.it where specific groups can be created for different communities, and users can register and request group membership. In this case, exploiting the support for fine-grained authorization within StoRM WebDAV, users can browse their data after OIDC login, and/or they can access storage from command line using davix or curl with JWT tokens.
Once registered within IAM, an access token can be retrieved using oidc-agent, which is available on ui-tier1. A full set of commands follows below.
First, we have to start the agent with the command:
[arendina@ui-tier1 ~]$ eval `oidc-agent`
Agent pid 20578
Then, one needs to register a client (this has to be done only the first time, to create a new account):
[arendina@ui-tier1 ~]$ oidc-gen
following the steps required by the application, namely:
- choose a name for the OIDC client
- insert the IAM URL (e.g. https://iam-t1-computing.cloud.cnaf.infn.it/)
- when a web page for authentication opens, enter the credentials of the IAM account
- authorize the new client
- insert the client's password twice.
From the second time on, it is enough to type:
[arendina@ui-tier1 ~]$ oidc-add <your-client-name>
Enter decryption password for account config '<your-client-name>':
success
To get the access token and save it in an environment variable:
[arendina@ui-tier1 ~]$ TOKEN=$(oidc-token <your-client-name>)
The token will be valid for 60 minutes. A new token can be obtained by issuing the oidc-token command again.
Finally, stop the oidc-agent daemon:
oidc-agent --kill
Some useful examples:
Listing directory
[arendina@ui-tier1 ~]$ davix-ls -H "Authorization: Bearer $TOKEN" --capath /etc/grid-security/certificates https://xfer-archive.cr.cnaf.infn.it:8443/virgowd
V-raw-1212476800-100.gwf
V-raw-1212474700-100.gwf
Upload
[arendina@ui-tier1 ~]$ davix-put /home/USER-SUPPORT/arendina/sleep.sub -H "Authorization: Bearer $TOKEN" --capath /etc/grid-security/certificates https://xfer-archive.cr.cnaf.infn.it:8443/virgowd/andrea2008
[arendina@ui-tier1 ~]$ davix-ls -H "Authorization: Bearer $TOKEN" --capath /etc/grid-security/certificates https://xfer-archive.cr.cnaf.infn.it:8443/virgowd
V-raw-1212476800-100.gwf
V-raw-1212474700-100.gwf
andrea2008
Download
[arendina@ui-tier1 ~]$ davix-get -H "Authorization: Bearer $TOKEN" --capath /etc/grid-security/certificates https://xfer-archive.cr.cnaf.infn.it:8443/virgowd/andrea2008 copia_locale
Performing Read operation on: https://xfer-archive.cr.cnaf.infn.it:8443/virgowd/andrea2008
[======================] 100%   280B/280B   0B/s
Removing a file
[arendina@ui-tier1 ~]$ davix-rm -H "Authorization: Bearer $TOKEN" --capath /etc/grid-security/certificates https://xfer-archive.cr.cnaf.infn.it:8443/virgowd/andrea2008
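The token-based davix calls above all repeat the same header and CA path. In scripts it can be convenient to build those options once; a bash array keeps the Authorization header as a single argument despite its spaces. A minimal sketch (the variable names are ours; the dummy token is only a placeholder for the value returned by oidc-token):

```shell
#!/bin/bash
# Build the common davix options once and reuse them for every call.

# In a real session on ui-tier1: TOKEN=$(oidc-token <your-client-name>)
TOKEN=${TOKEN:-dummy-token}

DAVIX_OPTS=(-H "Authorization: Bearer $TOKEN" --capath /etc/grid-security/certificates)

# Real calls would then be, e.g.:
#   davix-ls  "${DAVIX_OPTS[@]}" https://xfer-archive.cr.cnaf.infn.it:8443/virgowd
#   davix-put "${DAVIX_OPTS[@]}" localfile https://xfer-archive.cr.cnaf.infn.it:8443/virgowd/remotefile
#   davix-rm  "${DAVIX_OPTS[@]}" https://xfer-archive.cr.cnaf.infn.it:8443/virgowd/remotefile
```

Quoting the array expansion ("${DAVIX_OPTS[@]}") is what prevents the shell from splitting the header at the spaces.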
Data transfers inside a job
The following transcript shows the whole flow: registering an OIDC client on ui-tier1, obtaining a token, and using it inside an HTCondor job to transfer data via WebDAV.
[fornariclas12@ui-tier1 ~]$ eval `oidc-agent`
Agent pid 16049
[fornariclas12@ui-tier1 ~]$ oidc-gen
Enter short name for the account to configure: fornariclas12
[1] https://iam-test.indigo-datacloud.eu/
[2] https://iam.deep-hybrid-datacloud.eu/
[3] https://iam.extreme-datacloud.eu/
[4] https://b2access.eudat.eu/oauth2/
[5] https://b2access-integration.fz-juelich.de/oauth2
[6] https://unity.eudat-aai.fz-juelich.de/oauth2/
[7] https://unity.helmholtz-data-federation.de/oauth2/
[8] https://login.helmholtz-data-federation.de/oauth2/
[9] https://services.humanbrainproject.eu/oidc/
[10] https://accounts.google.com/
[11] https://aai.egi.eu/oidc/
[12] https://aai-dev.egi.eu/oidc
[13] https://login.elixir-czech.org/oidc/
[14] https://oidc.scc.kit.edu/auth/realms/kit/
Issuer [https://iam-test.indigo-datacloud.eu/]: https://iam-t1-computing.cloud.cnaf.infn.it/
Space delimited list of scopes or 'max' [openid profile offline_access]:
Registering Client ...
Generating account configuration ...
accepted
To continue and approve the registered client visit the following URL in a Browser of your choice:
https://iam-t1-computing.cloud.cnaf.infn.it/authorize?response_type=code&client_id=d70f9284-c371-4ce2-90e9-1cd3d6201329&redirect_uri=http://localhost:13481&scope=openid profile offline_access&access_type=offline&prompt=consent&state=0:2s4EBiNy_Z0a835JBiaw_cGG:33:L3RtcC9vaWRjLTRzMjdBOS9vaWRjLWFnZW50LjExMTY2&code_challenge_method=S256&code_challenge=cL1sKfZAgVO7rV5PGm5XXFKgPiM-Dbnj_Bf3BpzEoR4
/bin/xdg-open: line 881: www-browser: command not found
/bin/xdg-open: line 881: links2: command not found
/bin/xdg-open: line 881: elinks: command not found
/bin/xdg-open: line 881: links: command not found
Polling oidc-agent to get the generated account configuration ...success
The generated account config was successfully added to oidc-agent. You don't have to run oidc-add.
Enter encryption password for account configuration 'fornariclas12':
Confirm encryption Password:
[fornariclas12@ui-tier1 ~]$ oidc-token fornariclas12
eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJkODFhNTQ5OC01ODlhLTQwYjItODJhMi04M2U2MjY3NTQwMDQiLCJpc3MiOiJodHRwczpcL1wvaWFtLXQxLWNvbXB1dGluZy5jbG91ZC5jbmFmLmluZm4uaXRcLyIsIm5hbWUiOiJGZWRlcmljbyBGb3JuYXJpIiwiZ3JvdXBzIjpbImZhemlhIiwiamxhYjEyIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImZmb3JuYXJpIiwib3JnYW5pc2F0aW9uX25hbWUiOiJ0MS1jb21wdXRpbmciLCJleHAiOjE2MjA5MDYxNDksImlhdCI6MTYyMDkwMjU0OSwianRpIjoiNjM0Y2VjNzMtMDAwMC00MGU0LTg5YjgtZjI2NjFjMGZiZmE3IiwiY2xpZW50X2lkIjoiZDcwZjkyODQtYzM3MS00Y2UyLTkwZTktMWNkM2Q2MjAxMzI5In0.irwbiCxdHZWOpyv1l9jbmGExeVl_gyB9fhHEnlSjbFOL4WV--vrh3E3pLu-e1FV8c23TexwbHvnJGEZxaOqVNJMO3VUaso2i0zIz2oPTsEmxJpa52goNTYrbRm2TRGErkAE0vaEqJbbI3wDoCJ_BPkdDLAT0YL5-AbHTkum8Ovs
[fornariclas12@ui-tier1 ~]$ export AT=$(oidc-token fornariclas12)
[fornariclas12@ui-tier1 ~]$ cat test.sub
universe = vanilla
executable = test.sh
getenv = true
log = test.log
output = outfile.txt
error = errors.txt
should_transfer_files = YES
when_to_transfer_output = ON_EXIT
queue
[fornariclas12@ui-tier1 ~]$ cat test.sh
#!/bin/bash
echo "this is a test by F. Fornari" | tee test-fornari
davix-put -H "Authorization: Bearer $AT" --capath /etc/grid-security/certificates/ test-fornari https://xfer-archive.cr.cnaf.infn.it:8443/jlab12/test-fornari
davix-ls -H "Authorization: Bearer $AT" --capath /etc/grid-security/certificates/ https://xfer-archive.cr.cnaf.infn.it:8443/jlab12
ls -lrth /storage/gpfs_data/class12vo/data/
davix-rm -H "Authorization: Bearer $AT" --capath /etc/grid-security/certificates/ https://xfer-archive.cr.cnaf.infn.it:8443/jlab12/test-fornari
[fornariclas12@ui-tier1 ~]$ condor_submit -spool -name sn-01 test.sub
Submitting job(s).
1 job(s) submitted to cluster 15750247.
[fornariclas12@ui-tier1 ~]$ watch condor_q -name sn-01 15750247
[fornariclas12@ui-tier1 ~]$ condor_transfer_data -name sn-01 15750247
Fetching data files...
[fornariclas12@ui-tier1 ~]$ cat outfile.txt
this is a test by F. Fornari
test-fornari
total 512
-rw-r-----+ 1 storm storm 29 May 13 15:29 test-fornari
[fornariclas12@ui-tier1 ~]$ cat errors.txt
[fornariclas12@ui-tier1 ~]$ cat test.log
000 (15750247.000.000) 05/13 15:28:44 Job submitted from host: <131.154.192.58:9618?addrs=131.154.192.58-9618&noUDP&sock=703648_945d_3>
...
001 (15750247.000.000) 05/13 15:29:29 Job executing on host: <131.154.208.195:9618?addrs=131.154.208.195-9618&noUDP&sock=14671_aa08_3>
...
006 (15750247.000.000) 05/13 15:29:30 Image size of job updated: 237380
    0  -  MemoryUsage of job (MB)
    0  -  ResidentSetSize of job (KB)
...
005 (15750247.000.000) 05/13 15:29:30 Job terminated.
    (1) Normal termination (return value 0)
        Usr 0 00:00:00, Sys 0 00:00:00  -  Run Remote Usage
        Usr 0 00:00:00, Sys 0 00:00:00  -  Run Local Usage
        Usr 0 00:00:00, Sys 0 00:00:00  -  Total Remote Usage
        Usr 0 00:00:00, Sys 0 00:00:00  -  Total Local Usage
    136  -  Run Bytes Sent By Job
    544  -  Run Bytes Received By Job
    136  -  Total Bytes Sent By Job
    544  -  Total Bytes Received By Job
    Partitionable Resources :  Usage  Request  Allocated
       Cpus                 :   0.02        1          1
       Disk (KB)            :     25        1    3400414
       Memory (MB)          :      0        1        128
...
[fornariclas12@ui-tier1 ~]$ oidc-agent -k
unset OIDC_SOCK; unset OIDCD_PID; echo Agent pid 16049 killed;
Tape
Data on tape need to be copied on a disk buffer to be accessed.
The buffer is a disk (detached and generally distinct from the experiment's main disk) that serves as a temporary staging area for files that must be migrated to tape or have been recalled from it. It is not a static disk: once it is full, the oldest files that have already been migrated are deleted by the garbage collector (the files remain on tape).
The tape area path will be provided by CNAF. In particular, you can check the list of storage areas at the following page: https://www.cnaf.infn.it/~usersupport/StorageAreas.html, where you can find the correspondence between the storage area and the real path on the filesystem.
Check if the file is on the disk (using local POSIX commands)
When the user is provided with POSIX access, one can tell whether a file is on disk by checking its size with a command like this:
-bash-4.2$ ls -ls /storage/gpfs_archive/argo/argo-cnaf/testkaren/provaka1_1.txt
0 -rw-r----- 1 argoprod argo 27 Dec 15 2010 /storage/gpfs_archive/argo/argo-cnaf/testkaren/provaka1_1.txt
If the space allocated on disk (field number 1 of the output) is 0, the file is not physically present on disk; if the actual size (field number 6) is not 0, the file is on tape.
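This check can be scripted by reading the two size fields of the ls -ls output. A minimal sketch (the function name and labels are our own choices):

```shell
#!/bin/bash
# Classify a file from one line of `ls -ls` output:
# field 1 = blocks allocated on disk, field 6 = logical size in bytes.

locality_from_ls() {  # reads one `ls -ls` line on stdin
    awk '{ if ($1 == 0 && $6 > 0) print "tape-only";
           else if ($1 > 0)       print "on-disk";
           else                   print "empty" }'
}

# Real usage (POSIX access required):
#   ls -ls /storage/gpfs_archive/argo/argo-cnaf/testkaren/provaka1_1.txt | locality_from_ls
```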
Check if the file is on the disk (with Grid tools using VO based authentication)
To check if the file is on disk, on tape or both, a user can use the following command (to be used with a valid VOMS Proxy):
clientSRM ls -l -v NIG -e <endpoint> -s <file-SURL>
For example:
clientSRM ls -l -v NIG -e httpg://storm-fe-archive.cr.cnaf.infn.it:8444/ -s srm://storm-fe-archive.cr.cnaf.infn.it:8444/ams/${your_file}
Based on the information shown in the output, it is possible to locate the file by checking the value of the fileLocality line:
[0] fileLocality=0 : the file is on disk
[0] fileLocality=1 : the file is on tape
[0] fileLocality=2 : the file is both on disk and on tape
Migrate files on tape
As previously explained, when a file has to be moved to tape, one needs to put it into the buffer disk. From there, data will be automatically migrated to tape after a certain time.
The user can write a file on the buffer disk with a command like this:
gfal-copy your_file srm://storm-fe-archive.cr.cnaf.infn.it:8444/ams/your_file
The file "your_file" will be automatically migrated to tape. To check if the file has been migrated, a user can use a command like the following:
clientSRM ls -l -v NIG -e httpg://storm-fe-archive.cr.cnaf.infn.it:8444/ -s srm://storm-fe-archive.cr.cnaf.infn.it:8444/ams/your_file
If the output contains a line like this:
[0] fileLocality=0
the file has not been migrated yet. If the output contains a line like this:
[0] fileLocality=2
the file has already been migrated to tape.
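Checking the migration status can be automated by parsing the fileLocality value out of the clientSRM output. A sketch (the helper names are ours; the real invocation, which needs a valid VOMS proxy, is only indicated in a comment):

```shell
#!/bin/bash
# Map the fileLocality code printed by `clientSRM ls -l -v NIG`:
# 0 = disk only (not yet migrated), 1 = tape only, 2 = disk and tape.

file_locality() {  # reads clientSRM output on stdin
    sed -n 's/.*fileLocality=\([0-9]\).*/\1/p' | head -n 1
}

is_migrated() {    # reads clientSRM output on stdin
    case "$(file_locality)" in
        1|2) return 0 ;;  # a tape copy exists
        *)   return 1 ;;
    esac
}

# Real usage:
#   clientSRM ls -l -v NIG -e <endpoint> -s <file-SURL> | is_migrated && echo migrated
```

A periodic loop over is_migrated can then wait until migration has completed before, e.g., deleting a local copy.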
Recall files from tape (using Grid tools with VO-based authentication)
If a user needs a file that is only on tape, it has to be recalled back to disk. This can be done directly with clientSRM bol, where "bol" stands for Bring On Line, with a command like this:
clientSRM bol -e httpg://storm-test.cr.cnaf.infn.it:8444 -s srm://storm-test.cr.cnaf.infn.it:8444/tape/file_test
The output returns a requestToken (for example: requestToken="ea8b525d-1b12-47a5-b8d5-6935ebc53003"), which can be used to check the status of the Bring On Line operation:
clientSRM sbol -e httpg://storm-test.cr.cnaf.infn.it:8444 -t "ea8b525d-1b12-47a5-b8d5-6935ebc53003"
When the operation is completed, the user gets a Site URL (SURL) that can be used to access the recalled file. If a user needs to recall multiple files, a multi-SURL clientSRM bol command can be issued:
clientSRM bol -e httpg://storm-test.cr.cnaf.infn.it:8444 -s srm://storm-test.cr.cnaf.infn.it:8444/tape/file_test1 srm://storm-test.cr.cnaf.infn.it:8444/tape/file_test2
After being recalled, the files are pinned. If the user has POSIX access to the filesystem, they can check the extended attributes of a file, for example:
getfattr -d /storage/gemss_test1/tape/file_test
# file: storage/gemss_test1/tape/file_test
user.TSMRecD="1606379599"
user.TSMRecR="0"
user.storm.migrated
user.storm.pinned="1606638797"
The default pin time is 3 days on storm-test, configurable by the StoRM admins. After that time, the file may be removed from the disk buffer. A custom pin lifetime in seconds can be specified with the -b option of the clientSRM bol command, for example:
clientSRM bol -b 86400 -e httpg://storm-test.cr.cnaf.infn.it:8444 -s srm://storm-test.cr.cnaf.infn.it:8444/tape/file_test
so in this case the pin lifetime will be 1 day only. In any case, the user can check the extended attributes of the file with gfal-xattr:
gfal-xattr srm://storm-test.cr.cnaf.infn.it:8444/tape/file_test
user.replicas = gsiftp://transfer-test.cr.cnaf.infn.it:2811//storage/gemss_test1/tape/file_test
user.status = ONLINE_AND_NEARLINE
srm.type = StoRM
The user can see that the recalled file is ONLINE_AND_NEARLINE, i.e. it is both on disk and on tape. As an alternative to clientSRM bol and clientSRM sbol, one can use clientSRM PtG and clientSRM SPtG, respectively.
NB: gfal-xattr ALWAYS recalls a file. This is a bug of the command that will be fixed by the gfal utils developers.
Recall files from tape (without Grid tools)
To recall files from tape, it is necessary to provide the list of the files to be recalled; CNAF will then recall them.
Please, contact the User Support team at the mailing list user-support@lists.cnaf.infn.it.