> Yes,
>
> Many of these things are (what I would call) expert level.
>
> In the wiki, we would want to find some intermediate level, where (a) novices
> don't despair, while (b) experts don't wince.
In which case I'd ask the person who gave you the commands to use to
retrieve the credential using myproxy-logon/myproxy-get-delegation to give you
the analogous command to load it there (using myproxy-init). Myproxy-init isn't
an advanced routine, it is a pre-requisite for being able to use myproxy-logon.
I agree that although "advanced", automatic updating proxies is a key part of long-running grid jobs and transfers
and as I think we all agree the options do seem a bit confusing so we need
appropriate recipes for people to use.
JK
> When standards emerge, we can drop the details and (I hope) encapsulate the
> options while giving the experts access if they demand it.
>
> It's very tough to walk this ridge well!
>
> Cheers,
>
> Steve
>
>
>
> On 02/03/2014 03:07 PM, John Kewley wrote:
> >> One of us can change that - I'd prefer you to do it as you are an
> >> authority on this. But, if you have any problems, I'd do it on your say so.
> >>
> >> So, assuming the options are identical (which they appear to be), pls
> >> feel free to make the change to:
> >>
> >> https://www.gridpp.ac.uk/wiki/Long_running_jobs_using_myproxy
> > OK I'll give it a go - it is a drop in substitution, in fact the
> > releases may even have symbolic links between the files. Since it has
> > been deprecated for so long though it might just vanish anytime so it
> > is best to move over - command is shorter (and IMO better understood,
> although I'd have chosen "login" rather than "logon") in any case.
> >
> >>> I couldn't find the analogous command to upload the [limited
> >>> lifetime] credential to myproxy, presumably you have to use the
> >>> credential name
> >> "renew" (and the use of -d too I believe) so the command to upload
> >> would be useful too.
> >>
> >> Pls see above (I'm not quite sure of the meaning there, to be brutally
> honest).
> > -d uses the DN as a username for the certificate, -k is the actual credential
> name.
> > You can therefore store several credentials with different credential names
> under a given username.
> > You can also choose a username that isn't your DN (not always easy to
> > type in). -d at least ensure that there isn't another "JK" trying to store
> credentials under the same username (which can be a DoS attack).
> >
> >>> FYI a non-password based form of myproxy renewal is described on
> >>> http://cvs.ncsa.uiuc.edu/viewcvs.cgi/*checkout*/myproxy-web.old/renew.
> >>> html?rev=1.12&cvsroot=myproxy#gram
> >> I suggest we note that as an option. Can we work it into the
> >> procedure as background/workaround?
> > We can maybe add that link "for further information"!
> >
> >> e.g. For users who wish to avoid hardcoded password, this workaround
> >> exists <link to document suggested>
> > Using no password might be considered less secure than a hardcoded
> > password in a file (as long as of course that hardcoded password is
> > ONLY used for that myproxy credential and NOT also for your full UK
> > eScience CA certificate!)
> >
> > Such passwordless renewals can be protected by only giving certain
> > trusted machines the right to download in that manner (and it'd need
> > to be done before expiry of the previous proxy). I think you also have
> > to setup the myproxy server itself to allow such behaviour, and from certain
> machines.
> >
> > Cheers
> >
> > JK
> >
> >>> cheers
> >>>
> >>> JK
> >>>
> >>>> -----Original Message-----
> >>>> From: Stephen Jones [mailto:[log in to unmask]]
> >>>> Sent: Monday, February 03, 2014 12:03 PM
> >>>> To: [log in to unmask]
> >>>> Subject: Re: myproxy and file transfers
> >>>>
> >>>> All,
> >>>>
> >>>> I've just put in a wiki document for myproxy and file transfers
> >>>> (almost
> >>>> verbatim) here:
> >>>>
> >>>> https://www.gridpp.ac.uk/wiki/Long_running_jobs_using_myproxy
> >>>>
> >>>> I've actioned myself to test it some time. GridPPers can find it
> >>>> (or change it) as
> >>>> so:
> >>>>
> >>>> Go to GridPP wiki (https://www.gridpp.ac.uk/wiki/)
> >>>>
> >>>> Scroll to "Getting up and running on the grid - users" section.
> >>>>
> >>>> Under there is a (messy) "Job management - managing the life-cycle
> >>>> of jobs", where the new entry resides.
> >>>>
> >>>> That will do for now - someday I hope to give "managing the
> >>>> life-cycle of
> >> jobs"
> >>>> a good cleaning up.
> >>>>
> >>>> Many thanks,
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Steve
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On 02/01/2014 11:36 AM, Christopher J. wrote:
> >>>>> As a side note, the script came from CMS originally.
> >>>>>
> >>>>> On a train so can't check, but MYPROXY_SERVER is probably in your
> >>>>> environment already, but lcg-infosites myproxy can tell you the
> >>>>> answer if it isn't
> >>>>>
> >>>>> I guess you can do similar for the fts.
> >>>>>
> >>>>> Chris
> >>>>>
> >>>>> Sent from my iPad
> >>>>>
> >>>>>> On 31 Jan 2014, at 12:56, Stephen Jones <[log in to unmask]>
> wrote:
> >>>>>>
> >>>>>> Gentlemen,
> >>>>>>
> >>>>>> I'm just going over this before putting it in the wiki. Matt has
> >>>>>> a requirement at SNO+ to prevent proxies expiring and causing
> >>>>>> file transfers
> >>>> to fail, and Jon proposes the solution below.
> >>>>>> I assume this has been tested and is known to work OK. There are
> >>>>>> quite a
> >>>> few variables in here that we should (maybe) resolve to real names
> >>>> so it works out of the box for someone else. Let me know their
> >>>> values, and I'll test it myself and make a wiki entry out of it on your
> behalf.
> >>>>>> Cheers,
> >>>>>>
> >>>>>> Steve s
> >>>>>>
> >>>>>> Manually delegate your proxy to the FTS servers by running the
> >>>>>> following
> >>>> script every 8 hrs via cron:
> >>>>>> #!/bin/bash
> >>>>>>
> >>>>>> # Set environment, depending on your site conventions # source
> >>>>>> /home/perkin/t2k/GRID/nd280Computing/data_scripts/cronGRID.sh
> >>>>>>
> >>>>>> echo "Refreshing credentials"
> >>>>>>
> >>>>>> # Destroy any existing voms credentials (optional) #
> >>>>>> voms-proxy-destroy -debug
> >>>>>>
> >>>>>> # Retrieve a new short term proxy to my UI from the myproxy
> >>>>>> server with password myproxy-get-delegation -v -d -s
> >>>>>> $MYPROXY_SERVER_RAL -k renew --stdin_pass < ~/.glite/myproxy
> >>>>>>
> >>>>>> # Stamp the delegated credentials with voms attributes
> >>>>>> voms-proxy-init -voms t2k.org:/t2k.org/Role=production -valid
> >>>>>> 24:0 -noregen
> >>>>>>
> >>>>>> # Delegate the short term voms proxy to the FTS server(s)
> >>>>>> glite-delegation-init -f -s $FTS_DELEGATION -e 840
> >>>>>> glite-delegation-init -f -s $FTS3_DELEGATION -e 840
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> On 01/30/2014 06:03 PM, Christopher J. Walker wrote:
> >>>>>>> Steve,
> >>>>>>> You seem much better than I do at getting this sort of
> >>>>>>> thing on the wiki.
> >>>>>>>
> >>>>>>> How to renew a proxy on the wms in this case...
> >>>>>>>
> >>>>>>> Chris...
> >>>>>>>
> >>>>>>> Not at all, it is derived from this ticket:
> >>>>>>> https://ggus.eu/ws/ticket_info.php?ticket=72358
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>>>> Hi Matt,
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Cheers,
> >>>>>>>>>> Matt
> >>>>>>>>>>
> >>>>>>>>>>
> >>
> ________________________________________________________________
> >>>> ___________
> >>>>>>>>>> Jonathan Perkin Department of Physics, University of Sheffield.
> >>>>>>>>>> +44 (0)1142 223547 Hicks Building, Hounsfield Road,
> >>>>>>>>>> +Sheffield; S3
> >> 7RH.
> >>>>>>>>>> Times Higher Education University of
> >>>>>>>>>> the Year
> >>>>>>>>>> 2011
> >>
> ________________________________________________________________
> >>>> ___________
> >>>>>>> Jonathan Perkin Department of Physics, University of Sheffield.
> >>>>>>> +44 (0)1142 223547 Hicks Building, Hounsfield Road, Sheffield; S3
> 7RH.
> >>>>>>> Times Higher Education University of the
> >>>>>>> Year
> >>>>>>> 2011
> >>>>>> --
> >>>>>> Steve Jones [log in to unmask]
> >>>>>> System Administrator office: 220
> >>>>>> High Energy Physics Division tel (int): 42334
> >>>>>> Oliver Lodge Laboratory tel (ext): +44 (0)151 794 2334
> >>>>>> University of Liverpool http://www.liv.ac.uk/physics/hep/
> >>>>>>
> >>>>>>
> >>>>>>
> >>>> --
> >>>> Steve Jones [log in to unmask]
> >>>> System Administrator office: 220
> >>>> High Energy Physics Division tel (int): 42334
> >>>> Oliver Lodge Laboratory tel (ext): +44 (0)151 794 2334
> >>>> University of Liverpool http://www.liv.ac.uk/physics/hep/
> >>
> >> --
> >> Steve Jones [log in to unmask]
> >> System Administrator office: 220
> >> High Energy Physics Division tel (int): 42334
> >> Oliver Lodge Laboratory tel (ext): +44 (0)151 794 2334
> >> University of Liverpool http://www.liv.ac.uk/physics/hep/
> >>
> >>
>
>
> --
> Steve Jones [log in to unmask]
> System Administrator office: 220
> High Energy Physics Division tel (int): 42334
> Oliver Lodge Laboratory tel (ext): +44 (0)151 794 2334
> University of Liverpool http://www.liv.ac.uk/physics/hep/
>
>
|