
> One of us can change that - I'd prefer you to do it as you are an authority on
> this. But, if you have any problems, I'd do it on your say so.
>
> So, assuming the options are identical (which they appear to be), pls feel free
> to make the change to:
> 
> https://www.gridpp.ac.uk/wiki/Long_running_jobs_using_myproxy

OK, I'll give it a go - it is a drop-in substitution; in fact the releases may even have
symbolic links between the files. Since it has been deprecated for so long, though,
it might just vanish anytime, so it is best to move over - the command is shorter
(and IMO better understood, although I'd have chosen "login" rather than "logon") in any case.
 
> > I couldn't find the analogous command to upload the [limited lifetime]
> > credential to myproxy, presumably you have to use the credential name
> > "renew" (and the use of -d too I believe) so the command to upload would be
> > useful too.
> 
> Pls see above (I'm not quite sure of the meaning there, to be brutally honest).

-d uses the DN as a username for the certificate, -k is the actual credential name.
You can therefore store several credentials with different credential names under a given username.
You can also choose a username that isn't your DN (not always easy to type in). -d at least ensures that
there isn't another "JK" trying to store credentials under the same username (which can be a DoS attack).

> > FYI a non-password based form of myproxy renewal is described on
> > http://cvs.ncsa.uiuc.edu/viewcvs.cgi/*checkout*/myproxy-web.old/renew.html?rev=1.12&cvsroot=myproxy#gram
> 
> I suggest we note that as an option. Can we work it into the procedure as
> background/workaround?

We can maybe add that link "for further information"!

> e.g. For users who wish to avoid hardcoded password, this workaround exists
> <link to document suggested>

Using no password might be considered less secure than a hardcoded password in a file
(as long as of course that hardcoded password is ONLY used for that myproxy
credential and NOT also for your full UK eScience CA certificate!)

Such passwordless renewals can be protected by only giving certain trusted machines
the right to download in that manner (and it'd need to be done before expiry of the
previous proxy). I think you also have to set up the myproxy server itself to allow
such behaviour, and from certain machines.

Cheers

JK

> > cheers
> >
> > JK
> >
> >> -----Original Message-----
> >> From: Stephen Jones [mailto:[log in to unmask]]
> >> Sent: Monday, February 03, 2014 12:03 PM
> >> To: [log in to unmask]
> >> Subject: Re: myproxy and file transfers
> >>
> >> All,
> >>
> >> I've just put in a wiki document for myproxy and file transfers (almost
> >> verbatim) here:
> >>
> >> https://www.gridpp.ac.uk/wiki/Long_running_jobs_using_myproxy
> >>
> >> I've actioned myself to test it some time. GridPPers can find it (or
> >> change it) as so:
> >>
> >> Go to GridPP wiki (https://www.gridpp.ac.uk/wiki/)
> >>
> >> Scroll to "Getting up and running on the grid - users" section.
> >>
> >> Under there is a (messy) "Job management - managing the life-cycle of
> >> jobs", where the new entry resides.
> >>
> >> That will do for now - someday I hope to give "managing the life-cycle of
> >> jobs" a good cleaning up.
> >>
> >> Many thanks,
> >>
> >> Cheers,
> >>
> >> Steve
> >>
> >>
> >>
> >>
> >> On 02/01/2014 11:36 AM, Christopher J. wrote:
> >>> As a side note, the script came from CMS originally.
> >>>
> >>> On a train so can't check, but MYPROXY_SERVER is probably in your
> >>> environment already, but lcg-infosites myproxy can tell you the
> >>> answer if it isn't
> >>>
> >>> I guess you can do similar for the fts.
> >>>
> >>> Chris
> >>>
> >>> Sent from my iPad
> >>>
> >>>> On 31 Jan 2014, at 12:56, Stephen Jones <[log in to unmask]> wrote:
> >>>>
> >>>> Gentlemen,
> >>>>
> >>>> I'm just going over this before putting it in the wiki. Matt has a
> >>>> requirement at SNO+ to prevent proxies expiring and causing file
> >>>> transfers to fail, and Jon proposes the solution below.
> >>>>
> >>>> I assume this has been tested and is known to work OK. There are quite a
> >>>> few variables in here that we should (maybe) resolve to real names so
> >>>> it works out of the box for someone else. Let me know their values,
> >>>> and I'll test it myself and make a wiki entry out of it on your behalf.
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Steve s
> >>>>
> >>>> Manually delegate your proxy to the FTS servers by running the
> >>>> following script every 8 hrs via cron:
> >>>>
> >>>> #!/bin/bash
> >>>>
> >>>> # Set environment, depending on your site conventions
> >>>> # source /home/perkin/t2k/GRID/nd280Computing/data_scripts/cronGRID.sh
> >>>>
> >>>> echo "Refreshing credentials"
> >>>>
> >>>> # Destroy any existing voms credentials (optional)
> >>>> # voms-proxy-destroy -debug
> >>>>
> >>>> # Retrieve a new short term proxy to my UI from the myproxy server with password
> >>>> myproxy-get-delegation -v -d -s $MYPROXY_SERVER_RAL -k renew --stdin_pass < ~/.glite/myproxy
> >>>>
> >>>> # Stamp the delegated credentials with voms attributes
> >>>> voms-proxy-init -voms t2k.org:/t2k.org/Role=production -valid 24:0 -noregen
> >>>>
> >>>> # Delegate the short term voms proxy to the FTS server(s)
> >>>> glite-delegation-init -f -s $FTS_DELEGATION -e 840
> >>>> glite-delegation-init -f -s $FTS3_DELEGATION -e 840
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>> On 01/30/2014 06:03 PM, Christopher J. Walker wrote:
> >>>>> Steve,
> >>>>>         You seem much better than I do at getting this sort of
> >>>>> thing on the wiki.
> >>>>>
> >>>>> How to renew a proxy on the wms in this case...
> >>>>>
> >>>>> Chris...
> >>>>>
> >>>>> Not at all, it is derived from this ticket:
> >>>>> https://ggus.eu/ws/ticket_info.php?ticket=72358
> >>>>>
> >>>>>
> >>>>>
> >>>>>>>> Hi Matt,
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Cheers,
> >>>>>>>> Matt
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ___________________________________________________________________________
> >>>>>>>> Jonathan Perkin     Department of Physics, University of Sheffield.
> >>>>>>>> +44 (0)1142 223547  Hicks Building, Hounsfield Road, Sheffield; S3 7RH.
> >>>>>>>>                      Times Higher Education University of the Year 2011
> >>>>>>>> ___________________________________________________________________________
> >>>>> Jonathan Perkin     Department of Physics, University of Sheffield.
> >>>>> +44 (0)1142 223547  Hicks Building, Hounsfield Road, Sheffield; S3 7RH.
> >>>>>                       Times Higher Education University of the Year 2011
> >>>> --
> >>>> Steve Jones                             [log in to unmask]
> >>>> System Administrator                    office: 220
> >>>> High Energy Physics Division            tel (int): 42334
> >>>> Oliver Lodge Laboratory                 tel (ext): +44 (0)151 794 2334
> >>>> University of Liverpool                 http://www.liv.ac.uk/physics/hep/
> >>>>
> >>>>
> >>>>
> >>
> >> --
> >> Steve Jones                             [log in to unmask]
> >> System Administrator                    office: 220
> >> High Energy Physics Division            tel (int): 42334
> >> Oliver Lodge Laboratory                 tel (ext): +44 (0)151 794 2334
> >> University of Liverpool                 http://www.liv.ac.uk/physics/hep/
> 
> 
> --
> Steve Jones                             [log in to unmask]
> System Administrator                    office: 220
> High Energy Physics Division            tel (int): 42334
> Oliver Lodge Laboratory                 tel (ext): +44 (0)151 794 2334
> University of Liverpool                 http://www.liv.ac.uk/physics/hep/
> 
> 
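
A pre-flight check for the cron renewal discussed above, as an added example that is not part of the thread or the wiki page: since the procedure keeps a myproxy passphrase in a file, the script refuses to use that file unless only its owner can read or replace it. The names `passfile_ok` and `renew_proxy` are hypothetical; the file path, `$MYPROXY_SERVER_RAL` and the `-k renew` credential name follow the quoted script, with `myproxy-logon` in place of the deprecated `myproxy-get-delegation`.

```shell
#!/bin/bash
# Added example, not from the thread. passfile_ok and renew_proxy are
# hypothetical names; PASSFILE and MYPROXY_SERVER_RAL follow the quoted script.
PASSFILE="${PASSFILE:-$HOME/.glite/myproxy}"

# passfile_ok FILE: succeed only if FILE is a non-empty regular file owned by
# the caller, with no group/other permission bits, in a directory that group
# and other cannot write to (so nobody else can read or swap the passphrase).
passfile_ok() {
    f="$1"
    [ -L "$f" ] && { echo "refusing symlink: $f" >&2; return 1; }
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "empty passphrase file: $f" >&2; return 1; }
    [ -O "$f" ] || { echo "not owned by $(id -un): $f" >&2; return 1; }
    fmode=$(ls -ld -- "$f" | cut -c1-10)
    case "$fmode" in
        -???------) ;;                      # owner permission bits only
        *) echo "group/other can access $f ($fmode)" >&2; return 1 ;;
    esac
    dmode=$(ls -ld -- "$(dirname -- "$f")" | cut -c1-10)
    case "$dmode" in
        d????-??-?) return 0 ;;             # no group/other write bit
        *) echo "directory writable by others ($dmode)" >&2; return 1 ;;
    esac
}

# renew_proxy: fetch a short-term proxy only when the passphrase file is sane.
# The passphrase goes in on stdin, so it never appears in the process list.
renew_proxy() {
    passfile_ok "$PASSFILE" || return 1
    myproxy-logon -v -d -s "$MYPROXY_SERVER_RAL" -k renew --stdin_pass < "$PASSFILE"
}

# Only contact the server when asked to, e.g. from cron: renew.sh --renew
if [ "${1:-}" = "--renew" ]; then
    renew_proxy || exit 1
fi
```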
