wiki:TaipeiWorkshop2013

Version 25 (modified by bernardt, 8 years ago) (diff)

--

| dCache Hands-on Taipei |

Prerequisites

We would like to ask every participant to bring a notebook that has some kind of ssh client installed. Please check on your machine.

You need to login to your virtual machines (VMs). You have two VMs, one server and one client:

  • <user number>_ws_server.grid.sinica.edu.tw
  • <user number>_ws_client.grid.sinica.edu.tw

You will have to use two consoles, one for the server and one for the client. Use your ssh-client to connect to the machines using the following commands.

Client:

ssh dcache-user@<user number>_ws_client.grid.sinica.edu.tw -A -X

Server:

ssh root@<user number>_ws_server.grid.sinica.edu.tw -A -X

After this step you should have to consoles with ssh connections to server and client. Make sure you know which console is the client, which is the server.

Content of the hands-on

In this hands-on we will cover the following topics

  • Installation of dCache server
  • Interaction with dCache
  • Certificates and dCache
  • Hardware Lifecycle (adding storage, migrating)
  • Interfacing with Tertiary Storage

Installation of dCache server

(SERVER)

I this part we install dCache and at the end have a running dCache that can be mounted locally as well as on your client.

  1. Find the dcache server rpm on your server in /root/: dcache-2.5.0-1.noarch.rpm
  2. Install the rpm on your server machine:
    rpm -ivh dcache-2.5.0-1.noarch.rpm
    

dCache server has two dependencies: java-1.7.0-openjdk, postgresql-server (version >8.4). You will find that openjdk and postgresql-server are already installed on your machine and postgresql setup was done for you already.

rpm -qa |grep -E "postgresql-server|java-1.7.0-openjdk"

For more information on this please see dCache Book - Prerequisites. There are also several trivial steps that you have to do to setup postgresql, but they are not part of this tutorial and can be found in dCache Book - Readying the PostgreSQL server for the use with dCache

There are several configuration files that can be used to configure dCache:

  • General Configuration: /etc/dcache/dcache.conf
  • Layout Configuration: /etc/dcache/layouts/head.conf
  • Security Configuration: /etc/dcache/gplazma.conf

Details on what configuration can done in dCache can be found in these files: /usr/share/dcache/defaults/*.properties. The properties described in these files should not directly be altered in the files, but should rather be taken to /etc/dcache/dcache.defaults or to the layout file in /etc/dcache/layouts/ and modified there.

We would like to have our own layout file that we just use for this hands-on, therefor we create it from a template:

cp /etc/dcache/layouts/single.conf /etc/dcache/layouts/taipei.conf

We need to add this to /etc/dcache/dcache.conf so that dCache knows which layout file to use. Do not make the mistake of entering the entire file name there.

dcache.layout=taipei

Adjust the layout file

Firstly we need to tell dCache that there will be many domains communicating with each other:

vi /etc/dcache/layouts/taipei.conf

Change the line:

broker.scheme=none

to

broker.scheme=cells

These lines need to be added at the end of the file. They add a domain to dCache - [nfs-Domain] - that holds the nfsv41.

[nfs-Domain]
[nfs-Domain/nfsv41]

Before we can start dCache we have to empty /etc/dcache/gplazma.conf as there is no security configured in a blank dCache:

echo "" > /etc/dcache/gplazma.conf

Now start dCache by:

dcache start

Check if dCache has started up correctly by first entering:

dcache status

Then also check the log files:

tail -F /var/log/dcache/*

First Contact

Now that we have a running dCache that does nothing we would like to make a first contact. This will be achieved by mounting dCache locally via NFSv41. First edit the /etc/dcache/dcache.conf so it looks like this

dCache needs something that holds that actual data, the pools. So we first create a pool that is stored on a certain path, set its maximum size.

dcache pool create --size=419430400 /pools/nfsPool nfsPool poolDomain

After we created the pool we need to start the domain it was created in:

dcache start poolDomain

This now enables us to actually store files in dCache, but how? ... via a mounted NFSv41.

dcache.layout=taipei
nfs.domain = taipei

Now we need to create a directory in dCache:

chimera-cli mkdir /data

Then we restart dCache:

dcache restart

Now we have to give the directory the right permissions:

chimeral-cli chown /data dcache

After this we can mount dCache locally by doing the following:

mkdir -p /nfs/4
mount -o intr,minorversion=1 localhost:/data /nfs/4

If you now switch to /nfs/4 you can create some file e.g.:

vi /nfs/4/myFirstNfsFile00001

Write something inside and quit vi with the following command. Be careful that you are not in edit mode.

:wq

Congratulations you wrote your first file into dCache.

Interaction with dCache

In this section we will look at the different ways of interacting with dCache to make use of its functionality. There is a multitude of ways to access dCache. For now we want to have a look at the simple and straight forward ways. One way you have seen in the chapter before - NFSv41. A different way to access dCache is WebDAV and the so called dcache.kpwd file.

You will have to have a webDav cell running so please add the following lines to your layout fiel:

[webdavDomain]
[webdavDomain/webdav]

Now you need to restart your webDavDomain:

dcache start webdavDomain

Check your WebDAV settings: enable the HTTP access, disallow the anonymous access, disable requesting and requiring the client authentication and activate basic authentication.

webdavProtocol=http
webdavAnonymousAccess=NONE
webdavWantClientAuth=false
webdavNeedClientAuth=false
webdavBasicAuthentication=true

Adjust the /etc/dcache/gplazma.conf to use the kpwd plug-in (for more information see also the section called “Plug-ins”).

It will look something like this:

auth     optional kpwd
map      optional kpwd
session  optional kpwd
identity optional nsswitch

The /etc/dcache/dcache.kpwd file is the place where you can specify the username/password record. It should contain the username and the password hash, as well as UID, GID, access mode and the home, root and fsroot directories:

# set passwd
passwd dcacheuser <some hash> read-write 500 100 / / /

The passwd-record could be automatically generated by the dCache kpwd-utility, for example:

[root] # dcache kpwd dcuseradd -u 2000 -g 2000 -h / -r / -f / -w read-write -p test dcacheuser

Now you need to restart your webDavDomain:

dcache restart 

Certificates and dCache

This part will have a look at the security mechanisms that are used within the Grid.

For certificate based access we need one certificate that identifies the server, one for the client and we need to know whether we can trust the authority that issued the certificate. The server certificate was installed on your machine in /etc/grid-security. The client certificate is also already present in /home/dcacheuser0xx/.globus on the CLIENT.

To use WebDAV with certificates you change the entry in /etc/dcache/layouts/taipei.conf from the entries that were used for kpwd to the entries below:

[webdavDomain]
[webdavDomain/webdav]
webdavAnonymousAccess=NONE
webdavRootPath=/data/world-writable
webdavProtocol=https

Then you will need to import the host certificate into the dCache keystore using the command

[root] # dcache import hostcert

and initialise your truststore by

[root] # dcache import cacerts

Now you need to restart the WebDAV domain

[root] # dcache restart webdavDomain

and access your files via https://<dcache.example.org>:2880 with your browser.

Important

If the host certificate contains an extended key usage extension, it must include the extended usage for server authentication. Therefore you have to make sure that your host certificate is either unrestricted or it is explicitly allowed as a certificate for TLS Web Server Authentication. 

Hardware Lifecycle (adding storage, migrating)

Here you will see how to maintain a dCache that is in production. This part will include adding storage and migrating data.

Interfacing with Tertiary Storage

Finally we will look at how dCache can be used to access archive media (tape archives)