On Wed, 2 Sep 2009 17:04:53 +0100
Stephen (STFC,RAL,PPD) Burke wrote:
Hi Stephen,
Ok, lets go step by step...
> Your publication looks wrong to me, you seem to have an old and buggy
> configuration. You have VOViews for the whole VOs with no DENY rules,
from Job Priorities Implementation Plan.doc and taking lhcb (pilot
role) and gshort64 as example I should have, from ldap's output:
VOVIEW for that role:
# /VO_lhcb/Role_pilot, ce05.pic.es:2119/jobmanager-lcgpbs-gshort64, resource,
grid
dn: GlueVOViewLocalID=/VO_lhcb/Role_pilot,GlueCEUniqueID=ce05.pic.es:2119/jobm
anager-lcgpbs-gshort64,Mds-Vo-name=resource,o=grid
objectClass: GlueCETop
objectClass: GlueVOView
objectClass: GlueCEInfo
objectClass: GlueCEState
objectClass: GlueCEAccessControlBase
objectClass: GlueCEPolicy
objectClass: GlueKey
objectClass: GlueSchemaVersion
GlueVOViewLocalID: /VO_lhcb/Role_pilot
GlueCEAccessControlBaseRule: VOMS:/VO=lhcb/Role=pilot
[...wrong job info...]
VOVIEW for "global" lhcb and a DENY for all the above roles.
dn: GlueVOViewLocalID=lhcb,GlueCEUniqueID=ce05.pic.es:2119/jobmanager-lcgpbs-g
short64,Mds-Vo-name=resource,o=grid
objectClass: GlueCETop
objectClass: GlueVOView
objectClass: GlueCEInfo
objectClass: GlueCEState
objectClass: GlueCEAccessControlBase
objectClass: GlueCEPolicy
objectClass: GlueKey
objectClass: GlueSchemaVersion
GlueVOViewLocalID: lhcb
GlueCEAccessControlBaseRule: VO:lhcb
GlueCEStateRunningJobs: 0
so in the above output a DENY for VOMS:/VO=lhcb/Role=pilot is missing...
(also for prod and lcgadmin out of this example)...
am I right?
If so, could you please check my yaim's conf and try to figure out
what's wrong with it?
# grep lhcb ../groups.conf
"/lhcb"::::
"/lhcb/Role=user"::::
"/lhcb/Role=production":::prd:
"/lhcb/Role=lcgadmin":::sgm:
"/lhcb/Role=pilot":::pilot:
"/lhcb/*":::
#ce05.pic.es
GSHORT64_GROUP_ENABLE=
lhcb
VO=lhcb/Role=lcgadmin
VO=lhcb/Role=production
VO=lhcb/Role=pilot
and FQANVOVIEWS=yes ... (which will comment later).
> and other VOVIews for groups and roles with "old-fashioned" ACBRs like
> VOMS:/VO=cms/GROUP=/cms/Role=production which should now look like
> VOMS:/cms/Role=production.
I've already changed that... I thought it was still valid...
Now looks better:
$ lcg-info --list-ce --query 'CE=ce05.pic.es:2119/jobmanager-lcgpbs-glong64' --attrs CEVOs,VOCEVOs
- CE: ce05.pic.es:2119/jobmanager-lcgpbs-glong64
- CEVOs VO:lhcb
VOMS:/VO=lhcb/Role=lcgadmin
VOMS:/VO=lhcb/Role=production
VOMS:/VO=lhcb/Role=pilot
- VOCEVOs VO:lhcb
VOMS:/VO=lhcb/Role=production
VOMS:/VO=lhcb/Role=pilot
VOMS:/VO=lhcb/Role=lcgadmin
> Maybe you need to re-run yaim? As far as I
> know the current versions of YAIM (and the info provider plugin) do
> the right thing, but I don't know which version was the first one that
> worked, it was definitely wrong at one stage.
I've done so, but I see have both problems:
1.-) no DENY entries
2.-) dyanmic scheduller does not show correct job info per VOVIEW
> > We do have that var globally enabled:
> > # grep -r FQANVOVIEWS *
> > site-info.def:FQANVOVIEWS=yes
>
> There may be a problem with that anyway, it seems that lhcb don't want
> that. See this GGUS ticket where we looked at a similar thing with
> Manchester:
>
> https://gus.fzk.de/ws/ticket_info.php?ticket=49969&from=search
I'll take a look on that and see why we set that var to yes... I don't
remember now.
but without that var:
dn: GlueVOViewLocalID=lhcb,GlueCEUniqueID=ce05.pic.es:2119/jobmanager-lcgpbs-glong64,mds-vo-name=resource,o=grid
GlueVOViewLocalID: lhcb
GlueCEStateRunningJobs: 0
GlueCEStateWaitingJobs: 1659
GlueCEStateTotalJobs: 1659
GlueCEStateFreeJobSlots: 0
GlueCEStateEstimatedResponseTime: 212400
GlueCEStateWorstResponseTime: 550540800
which is correct...
# qstat|grep -c lhpilot
1785
(little delay between both queries)...
> In the past atlas and cms said that they wanted to have this enabled,
> but I haven't seen any push recently for that to happen, and I don't
> see many sites with DENY tags which would indicate that they have it.
> It seems that FQANVOVIEWS is a global setting for all VOs, so if we
> had a situation where some VOS want it and others don't it may still
> need some work ...
Yep, something about CMS and lcg-infosite could be....
have to look our internal ticket service..
> Stephen
Thanks for your reply,
Arnau
|