ARC Configuration Reference Document
************************************

Configuration structure
=======================

This is the ``arc.conf`` REFERENCE DOCUMENT defining the configuration blocks and
configuration options for the ARC services.

The ``arc.conf`` configuration file consists of the following blocks::

   [common]
   [authgroup:allowedusers]
   [mapping]
   [lrms]
   [lrms/ssh]
   [arex]
   [arex/cache]
   [arex/cache/cleaner]
   [arex/data-staging]
   [arex/ws]
   [arex/ws/emies]
   [arex/ws/cache]
   [arex/ws/candypond]
   [arex/ws/argus]
   [arex/rest]
   [arex/jura]
   [arex/jura/archiving]
   [arex/jura/sgas:neic_sgas]
   [arex/jura/apel:egi_prod_apel]
   [arex/ganglia]
   [gridftpd]
   [gridftpd/jobs]
   [gridftpd/filedir]
   [infosys]
   [infosys/ldap]
   [infosys/nordugrid]
   [infosys/glue2]
   [infosys/glue2/ldap]
   [infosys/glue1]
   [infosys/glue1/site-bdii]
   [infosys/cluster]
   [queue:gridlong]
   [datadelivery-service]
   [acix-scanner]
   [acix-index]
   [userlist:biousers]
   [nordugridmap]

A block configures an ARC service, a service interface, a utility or a subsystem.
Enabling (turning on) a functionality, a service or an interface requires the
presence of the appropriate configuration block. To disable a service or an
interface, simply delete or comment out the related ``arc.conf`` block (you may
need to rerun the corresponding startup script).

The ``[common]`` block is mandatory even if not a single option is specified
within it. The presence of the block turns on the default values for the
configuration options within the block.

As an example, in order to set up a minimalistic ARC CE offering no external
interfaces you need to configure at least the ``[common]``, ``[mapping]``,
``[arex]``, ``[lrms]``, ``[infosys]`` and ``[queue:name]`` blocks. As another
example, an ARC-based data offloader would require the ``[common]`` and the
``[datadelivery-service]`` blocks.

A block is identified by its block header. A block header may consist of keywords
and, optionally, block identifiers.
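The minimalistic CE mentioned above can be sketched as the following skeleton, listing only the required blocks (the queue name ``gridlong`` is illustrative, and a real deployment will need further options within these blocks)::

   [common]

   [mapping]

   [lrms]
   lrms=fork

   [arex]

   [infosys]

   [queue:gridlong]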
Keywords may be separated by ``/`` and used to label sub-blocks (e.g.
``[arex/jura]``), while block identifiers are separated by ``:`` from keywords.
For example, in the ``[queue:short]`` block header 'queue' is a keyword while
'short' is an identifier, e.g. the name of the queue. Block headers must be
UNIQUE.

A block starts with a unique ``[keyword:identifier]`` block header and ends where
the next block starts, that is, at the next ``[blockheader]`` directive.

A block may have sub-blocks, e.g. the various interfaces of the A-REX service are
configured via sub-blocks (e.g. ``[arex/ws]``). When a sub-block is enabled, the
corresponding parent block must also appear in the ``arc.conf`` file.

Configuration blocks contain (config option, config value) pairs following the
single-line syntax::

   config_option=value element [optional value element]

.. note:: quotes around the configuration value(s) must NOT be used any longer.

.. note:: the ``arc.conf`` is CASE-SENSITIVE!

Space handling syntax in ``arc.conf`` for configuration lines::

   (stripped space)option(stripped space)=(stripped space)value(saved space)(value)(stripped space)

and for block headers::

   [keyword:(stripped space)space is allowed within identifier(stripped space)]

Detailed textual definition:

a) All trailing and leading spaces on each configuration line are stripped and
   ignored. This applies both to block headers and block content.
b) All spaces around the ``=`` sign in an ``option=value`` kind of string (after
   'a' is applied) are stripped and ignored. For example, the line
   ``hostname = myhost.info`` is treated as identical to ``hostname=myhost.info``.
c) In block headers of the ``[keyword]`` kind (after 'a' is applied) no additional
   spaces are allowed around ``keyword`` and inside ``keyword``.
d) In block headers of the ``[keyword:identifier]`` kind (after 'a' is applied) no
   additional spaces are allowed around ``keyword`` and inside ``keyword``. Spaces
   ARE allowed around and inside the ``identifier`` part. Those around
   ``identifier`` are stripped and ignored; those inside ``identifier`` are
   treated as its integral part and are preserved.

Mandatory configuration options are indicated by an asterisk prefix to the option
name, e.g. ``*mandatory_configoption``. Mandatory options with undefined values
will cause the service to stop during the startup process.

Each of the configuration options has a well-defined default that is specified in
this reference file. The default can take either a pre-set value, a special
substitution or the keyword ``undefined``. Configuration options within an
enabled block take their default values in case they are missing (or commented
out). Configuration options with ``undefined`` defaults take no values.
Furthermore, configuration options within disabled blocks take no values either.

Configuration blocks related to authorization are ORDER-DEPENDENT! The
authorization blocks ``[authgroup:name]`` MUST be defined before being used in
blocks such as ``[mapping]``, ``[arex]`` or ``[gridftpd/jobs]``. The same rule
applies to defining legacy ``[userlist:name]`` blocks. Furthermore, the order of
the authorization blocks itself may have influence over authorization decisions!

Configuration blocks
====================

.. _reference_common:

[common] block
--------------

Common configuration affecting all ARC components, usually related to networking,
security or service behaviour. This block is mandatory. The common block options
may be overridden by the specific blocks of the components later. The
``[common]`` block always appears at the beginning of the config file. The config
options set within this block are available for all the other blocks, thus shared
by the different components of ARC.

.. _reference_common_hostname:

hostname
~~~~~~~~

*Synopsis:* ``hostname = string``

*Description:* The FQDN of the frontend on which the ARC services are deployed.

*Default:* ``$EXEC{hostname -f}``

*Example*::

   hostname=myhost.org
.. warning:: CHANGE: modified semantics, not mandatory any longer

.. _reference_common_http_proxy:

http_proxy
~~~~~~~~~~

*Synopsis:* ``http_proxy = url``

*Description:* The http proxy server. This setting affects all client HTTP(s)
requests that are initiated by ARC core services, including data staging, SAML
communications, and pushing SGAS accounting records. This variable is similar to
setting the ARC_HTTP_PROXY environment variable.

*Default:* ``undefined``

*Example*::

   http_proxy=proxy.mydomain.org:3128

.. warning:: CHANGE: moved here from the old ``[grid-manager]`` block

.. _reference_common_x509_host_key:

x509_host_key
~~~~~~~~~~~~~

*Synopsis:* ``x509_host_key = path``

*Description:* (previously x509_user_key) Server credential location. Sets the
full path to the host private key. This variable is similar to the GSI
environment variable ``X509_USER_KEY``. If needed, the variable can be set
individually for each service/component in the corresponding block.

*Default:* ``/etc/grid-security/hostkey.pem``

*Example*::

   x509_host_key=/etc/grid-security/hostkey.pem

.. warning:: CHANGE: renamed

.. _reference_common_x509_host_cert:

x509_host_cert
~~~~~~~~~~~~~~

*Synopsis:* ``x509_host_cert = path``

*Description:* (previously x509_user_cert) Server credential location. Sets the
full path to the host public certificate. This variable is similar to the GSI
environment variable ``X509_USER_CERT``. If needed, the variable can be set
individually for each service/component in the corresponding block.

*Default:* ``/etc/grid-security/hostcert.pem``

*Example*::

   x509_host_cert=/etc/grid-security/hostcert.pem

.. warning:: CHANGE: renamed

.. _reference_common_x509_cert_dir:

x509_cert_dir
~~~~~~~~~~~~~

*Synopsis:* ``x509_cert_dir = path``

*Description:* Location of trusted CA certificates. This variable is similar to
the GSI environment variable ``X509_CERT_DIR``. If needed, the variable can be
set individually for each service/component in the corresponding block.
*Default:* ``/etc/grid-security/certificates``

*Example*::

   x509_cert_dir=/etc/grid-security/certificates

.. _reference_common_x509_voms_dir:

x509_voms_dir
~~~~~~~~~~~~~

*Synopsis:* ``x509_voms_dir = path``

*Description:* The path to the directory containing \*.lsc files needed for
verification of the VOMS service signature in the proxy certificate.

*Default:* ``/etc/grid-security/vomsdir``

*Example*::

   x509_voms_dir=/etc/grid-security/vomsdir

.. _reference_common_voms_processing:

voms_processing
~~~~~~~~~~~~~~~

*Synopsis:* ``voms_processing = keyword``

*Description:* Defines how to behave if errors are detected during VOMS AC
processing. The following keywords are supported:

``relaxed``
   use everything that passed validation.

``standard``
   same as relaxed, but fail if parsing errors took place and the VOMS extension
   is marked as critical. This is the default.

``strict``
   fail if any parsing error was discovered.

``noerrors``
   fail if any parsing or validation error happened.

*Allowed values:* ``relaxed``, ``standard``, ``strict``, ``noerrors``

*Default:* ``standard``

*Example*::

   voms_processing=strict

.. _reference_authgroup:

[authgroup:name] block
----------------------

These configuration blocks contain authorization rules. An ``[authgroup:name]``
block always defines a group of users where members of the group are those who
satisfy the authorization rules. The rules within the block determine which users
belong to the authgroup. The access control of ARC services is then implemented
by specifying the ``[authgroup:name]`` to which certain permissions are granted.
For more info please read ``Security Framework of ARC`` at
http://www.nordugrid.org/documents/arc-security-documentation.pdf

The authgroup should not be mistaken for a virtual organisation (VO). An
authgroup may match a single VO if only a single check (rule) on VO membership is
performed. It is however more common to allow multiple VOs in a single authgroup.
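For instance, an authgroup admitting members of two VOs could be written as follows (the group name is illustrative; the ``voms`` rule used here is described below)::

   [authgroup:allowedusers]
   voms=atlas * * *
   voms=nordugrid * * *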
IMPORTANT: Rules in an authgroup are processed in their order of appearance. The
first matching rule decides the membership of the user in the authgroup being
evaluated and the processing STOPS within that authgroup. This does not mean that
the same user is not processed for the next authgroup: all ``[authgroup:name]``
blocks are evaluated, even if a user already has a match with one of the earlier
groups.

There are positively and negatively matching rules. If a rule is matched
positively then the tested user is accepted into the respective group and further
processing is stopped. Upon a negative match the user is rejected for that group,
and processing stops as well. The sign of a rule is determined by prepending the
rule with a ``+`` (for positive) or ``-`` (for negative) sign. ``+`` is the
default and can be omitted. A rule may also be prepended with ``!`` to invert the
result of the rule, which makes the rule match the complement of users. The
complement operator (``!``) may be combined with the operator for positive or
negative matching.

.. warning:: TODO: consider implementing Roger's suggestion and introduce a
   ``rule`` variable

All the objects used in the rules (e.g. other authgroups or userlists) MUST be
defined before they are used.

.. warning:: CHANGE: renamed the block.

.. _reference_authgroup_subject:

subject
~~~~~~~

*Synopsis:* ``subject = certificate_subject``

*Description:* Rule to match a specific subject of the user's X.509 certificate.
No masks, patterns or regular expressions are allowed.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

   subject=/O=Grid/O=Big VO/CN=Main Boss
   subject=/O=Grid/O=Big VO/CN=Deputy Boss

.. _reference_authgroup_file:

file
~~~~

*Synopsis:* ``file = path``

*Description:* Processes a list of DNs stored in an external file (one per line)
and adds those to the authgroup.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

   file=/etc/grid-security/local_users
   file=/etc/grid-security/atlas_users
.. warning:: CHANGE: Modified semantics. The external file should only contain
   DNs, no complex rules. No need to change the code.

.. _reference_authgroup_voms:

voms
~~~~

*Synopsis:* ``voms = vo group role capabilities``

*Description:* Match the VOMS attribute in the user's credential. Use ``*`` to
match any value.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

   voms=nordugrid Guests * *
   voms=atlas students prodman *

.. _reference_authgroup_authgroup:

authgroup
~~~~~~~~~

*Synopsis:* ``authgroup = group_name [group_name ...]``

*Description:* (previously group) Match a user already belonging to one of the
specified authgroups. The authgroups referred to here must be defined earlier in
the configuration file. Multiple authgroup names may be specified for this rule.
That allows creating a hierarchical structure of authorization groups, like
'clients' are those which are 'users' and 'admins'.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

   authgroup=local_admins
   authgroup=local_admins remote_users

.. warning:: CHANGE: renamed

.. _reference_authgroup_userlist:

userlist
~~~~~~~~

*Synopsis:* ``userlist = ulist_name [ulist_name ...]``

*Description:* (previously vo) Match a user belonging to a ulist_name defined in
an earlier ``[userlist:ulist_name]`` block. Multiple userlist names are allowed
for this rule.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

   userlist=biousers

.. warning:: CHANGE: renamed

.. _reference_authgroup_plugin:

plugin
~~~~~~

*Synopsis:* ``plugin = timeout path [arg1 [arg2 [arg3...]]]``

*Description:* Run an external executable or a function from a shared library.
The rule is matched if the plugin returns 0. In the arguments the following
substitutions are supported:

- ``%D`` - subject of certificate
- ``%P`` - path to proxy

ARC ships with an LCAS plugin that can be enabled with the following plugin
configuration. For more information about configuring LCAS itself see the
section 'Using LCAS/LCMAPS' in the ARC Computing Element System Administrator
Guide.
This option is **multivalued**.

*Default:* ``undefined``

*Example*::

   plugin=10 /usr/libexec/arc/arc-lcas %D %P liblcas.so /usr/lib64 /etc/lcas/lcas.db

.. _reference_authgroup_all:

all
~~~

*Description:* Matches any user identity. This option requires no arguments or
values.

*Default:* ``undefined``

*Example*::

   all=

.. _reference_mapping:

[mapping] block
---------------

This block defines the grid-identity to local UNIX identity mapping rules used
by various ARC components. Mapping rules are processed sequentially and
processing stops at the first successful one.

.. warning:: CHANGE: This is a new block

.. _reference_mapping_maprule:

maprule
~~~~~~~

*Synopsis:* ``maprule = authgroup rule [ruleargs...]``

*Description:* Define the mapping rule for users belonging to the specified
``authgroup``. The currently supported rules are:

``unixid unixname[:unixgroup]``
   the user is assigned the specified UNIX account name, which may be optionally
   followed by a UNIX group.

``mapfile file``
   the user's subject is matched against a list of subjects stored in the
   specified file, one per line, each followed by a local UNIX name. This
   mapping rule can be used to accomplish the legacy gridmap-based approach.

``simplepool directory``
   the user is assigned one of the local UNIX names stored line-by-line in the
   file ``directory/pool``. Used names are stored in other files placed in the
   same directory. If a UNIX name was not used for 10 days, it may be reassigned
   to another user.

``mapplugin timeout plugin [arg1 [arg2 [arg3...]]]``
   run an external plugin executable with the specified arguments. A rule
   matches if the exit code is 0 and there is a UNIX name printed on stdout. A
   name may be optionally followed by a UNIX group separated by a colon.
   Execution of the plugin may not last longer than timeout seconds. In the
   arguments the following substitutions are applied before the plugin is
   started:

   - ``%D`` - subject of the user's certificate,
   - ``%P`` - path to the credentials' proxy file.

   ARC ships with an LCMAPS plugin that can be enabled with the corresponding
   configuration.
For more information about configuring LCMAPS refer to the 'Using LCAS/LCMAPS'
document.

For safety reasons it is advised to finish the mapping sequence with a default
mapping rule to a nonexistent or safe account if dynamic mapping sources are
used.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

   maprule=all unixid nobody:nobody
   maprule=all mapfile /etc/grid-security/gridmapfile
   maprule=atlas simplepool /etc/grid-security/pool/atlas
   maprule=atlas mapplugin 30 /usr/libexec/arc/arc-lcmaps %D %P liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db arc

.. _reference_lrms:

[lrms] block
------------

This block specifies the characteristics of the Local Resource Management System
(batch system) underneath the ARC CE. This block contains all the LRMS-specific
parameters and information. Configuration values in this block are available for
A-REX, the backends, and the accounting and infosys ARC subsystems.

ARC supports the most common LRMS flavours. For a detailed description of
recommended LRMS setups for ARC please refer to the ARC CE sysadmin guide:
http://www.nordugrid.org/documents/arc-ce-sysadm-guide.pdf

.. warning:: CHANGE: This is a new block. Contains parameters previously set in
   ``[common]``, ``[infosys]``, ``[cluster]``, ``[queue]``

.. _reference_lrms_lrms:

lrms
~~~~

*Synopsis:* ``lrms = lrmstype [defaultqueue]``

*Description:* Sets the type of the LRMS (queue system) and optionally the
default queue name. ONLY ONE LRMS IS ALLOWED. MULTIPLE lrms ENTRIES WILL TRIGGER
UNEXPECTED BEHAVIOUR.

For lrmstype, the following values can be chosen:

- fork - simple forking of jobs to the same node as the server
- sge - (Sun/Oracle) Grid Engine
- condor - Condor
- pbs - PBS (covers all the PBS flavours, e.g.
  OpenPBS, PBSPro, ScalablePBS, Torque)
- lsf - LSF
- ll - LoadLeveler
- slurm - SLURM
- boinc - Boinc
- slurmpy - new generation SLURM scripts (also provide access to SLURM via ssh)

PBS has many flavours; ARC currently supports OpenPBS, PBSPro, ScalablePBS and
Torque (the official name for ScalablePBS). There is no need to specify the
flavour or the version number of the PBS, simply write 'pbs'. Similarly, there
is no need to specify (Sun/Oracle) Grid Engine versions and flavours.

The optional ``defaultqueue`` parameter specifies the name of an existing LRMS
queue in the cluster that will be used by A-REX as the default queue to submit
grid jobs to, in case the job descriptions submitted to the ARC CE do not
specify a requested queue. This queue name must match one of the
``[queue:queue_name]`` blocks.

*Allowed values:* ``fork``, ``sge``, ``condor``, ``pbs``, ``lsf``, ``ll``,
``slurm``, ``boinc``, ``slurmpy``

*Default:* ``fork``

*Example*::

   lrms=pbs gridlong
   lrms=slurm

.. warning:: CHANGE: new lrmstype values added (slurmpy).

.. _reference_lrms_lrmsconfig:

lrmsconfig
~~~~~~~~~~

*Synopsis:* ``lrmsconfig = text``

*Description:* An optional free-text field to describe the configuration of your
Local Resource Management System (batch system). The value is published in the
infosys and is not used otherwise.

*Default:* ``undefined``

*Example*::

   lrmsconfig=single job per processor

.. warning:: CHANGE: moved here from the ``[cluster]`` block

.. _reference_lrms_defaultmemory:

defaultmemory
~~~~~~~~~~~~~

*Synopsis:* ``defaultmemory = number``

*Description:* The LRMS memory request of the job to be set by the LRMS backend
scripts, if a user submits a job without specifying how much memory should be
used. The order of precedence is: job description -> defaultmemory. This is the
amount of memory (specified in MB) that a job will request.

*Default:* ``undefined``

*Example*::

   defaultmemory=512

.. warning:: CHANGE: moved here from the ``[cluster]`` block
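Putting the generic options above together, a hypothetical ``[lrms]`` configuration for a Torque cluster could look like this (all values are illustrative)::

   [lrms]
   lrms=pbs gridlong
   lrmsconfig=single job per processor
   defaultmemory=2048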
.. _reference_lrms_nodename:

nodename
~~~~~~~~

*Synopsis:* ``nodename = path``

*Description:* Redefine the command to obtain the hostname of the LRMS worker
node. By default the value is defined at build time and depends on the OS. In
most cases ``/bin/hostname -f`` will be used.

*Default:* ``undefined``

*Example*::

   nodename=/bin/hostname -s

.. warning:: CHANGE: moved here from the ``[arex]`` block

.. _reference_lrms_gnu_time:

gnu_time
~~~~~~~~

*Synopsis:* ``gnu_time = path``

*Description:* Path to the GNU time command on the LRMS worker nodes. If the
time command exists on the node, the jobscript will write additional diagnostic
information.

*Default:* ``/usr/bin/time``

*Example*::

   gnu_time=/usr/bin/time

.. warning:: CHANGE: moved here from the ``[arex]`` block

.. _reference_lrms_pbs_bin_path:

pbs_bin_path
~~~~~~~~~~~~

*Synopsis:* ``pbs_bin_path = path``

*Description:* The path to the qstat, pbsnodes, qmgr, etc. PBS binaries. There
is no need to set it if PBS is not used.

*Default:* ``/usr/bin``

*Example*::

   pbs_bin_path=/usr/bin

.. _reference_lrms_pbs_log_path:

pbs_log_path
~~~~~~~~~~~~

*Synopsis:* ``pbs_log_path = path``

*Description:* The path of the PBS server logfiles which are used by A-REX to
determine whether a PBS job is completed. If not specified, A-REX will use qstat
for that.

*Default:* ``/var/spool/pbs/server_logs``

*Example*::

   pbs_log_path=/var/spool/pbs/server_logs

.. _reference_lrms_pbs_dedicated_node_string:

pbs_dedicated_node_string
~~~~~~~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``pbs_dedicated_node_string = string``

*Description:* (previously dedicated_node_string) The string which is used in
the PBS node config to distinguish the grid nodes from the rest. Suppose only a
subset of nodes are available for grid jobs, and these nodes have a common
``node property`` string; in this case the string should be set to this value
and only the nodes with the corresponding ``pbs node property`` are counted as
grid-enabled nodes.
Setting the dedicated_node_string to the value of the ``pbs node property`` of
the grid-enabled nodes will influence how the totalcpus and user freecpus values
are calculated. You don't need to set this attribute if your cluster is fully
available for the grid and your cluster's PBS config does not use the
``node property`` method to assign certain nodes to grid queues. You shouldn't
use this config option unless you are sure your PBS config makes use of the
setup described above.

*Default:* ``undefined``

*Example*::

   pbs_dedicated_node_string=gridnode

.. warning:: CHANGE: renamed. moved here from ``[cluster]``

.. _reference_lrms_condor_bin_path:

condor_bin_path
~~~~~~~~~~~~~~~

*Synopsis:* ``condor_bin_path = path``

*Description:* Path to Condor binaries. Must be set if Condor is used.

*Default:* ``/usr/bin``

*Example*::

   condor_bin_path=/opt/condor/bin

.. _reference_lrms_condor_config:

condor_config
~~~~~~~~~~~~~

*Synopsis:* ``condor_config = path``

*Description:* Full path to the Condor config file. Must be set if Condor is
used and the config file is not in its default location
(/etc/condor/condor_config or ~/condor/condor_config). The full path to the
file should be given.

*Default:* ``/etc/condor/condor_config``

*Example*::

   condor_config=/opt/condor/etc/condor_config

.. _reference_lrms_condor_rank:

condor_rank
~~~~~~~~~~~

*Synopsis:* ``condor_rank = ClassAd_float_expression``

*Description:* If you are not happy with the way Condor picks nodes when running
jobs, you can define your own ranking algorithm by optionally setting the
condor_rank attribute. condor_rank should be set to a ClassAd float expression
that you could use in the Rank attribute in a Condor job description.

*Default:* ``undefined``

*Example*::

   condor_rank=(1-LoadAvg/2)*(1-LoadAvg/2)*Memory/1000*KFlops/1000000

.. _reference_lrms_condor_requirements:

condor_requirements
~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``condor_requirements = string``

*Description:* It needs to be defined for each Condor queue.
Use this option to determine which nodes belong to the current queue. The value
of ``condor_requirements`` must be a valid constraints string which is
recognized by a ``condor_status -constraint ...`` command. It can reference
pre-defined ClassAd attributes (like Memory, Opsys, Arch, HasJava, etc.) but
also custom ClassAd attributes. To define a custom attribute on a Condor node,
just add two lines like the ones below to the ``$(hostname).local`` config file
on the node::

   NORDUGRID_RESOURCE=TRUE
   STARTD_EXPRS = NORDUGRID_RESOURCE, $(STARTD_EXPRS)

A job submitted to this queue is allowed to run on any node which satisfies the
``condor_requirements`` constraint. If ``condor_requirements`` is not set, jobs
will be allowed to run on any of the nodes in the pool. When configuring
multiple queues, you can differentiate them based on memory size or disk space,
for example.

*Default:* ``undefined``

*Example*::

   condor_requirements=(OpSys == "linux" && NORDUGRID_RESOURCE && Memory >= 1000 && Memory < 2000)

.. _reference_lrms_sge_bin_path:

sge_bin_path
~~~~~~~~~~~~

*Synopsis:* ``sge_bin_path = path``

*Description:* Path to Sun Grid Engine (SGE) binaries. By default the qsub
command is searched for in the shell PATH.

*Default:* ``undefined``

*Example*::

   sge_bin_path=/opt/n1ge6/bin/lx24-x86

.. _reference_lrms_sge_root:

sge_root
~~~~~~~~

*Synopsis:* ``sge_root = path``

*Description:* Path to the SGE installation directory. MUST be set if SGE is
used.

*Default:* ``/gridware/sge``

*Example*::

   sge_root=/opt/n1ge6

.. _reference_lrms_sge_cell:

sge_cell
~~~~~~~~

*Synopsis:* ``sge_cell = name``

*Description:* The name of the SGE cell to use. This option is only necessary in
case SGE is set up with a cell name different from 'default'.

*Default:* ``default``

*Example*::

   sge_cell=default
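The SGE-related options above could be combined as follows (the installation paths are illustrative)::

   [lrms]
   lrms=sge
   sge_root=/opt/n1ge6
   sge_bin_path=/opt/n1ge6/bin/lx24-x86
   sge_cell=default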
.. _reference_lrms_sge_qmaster_port:

sge_qmaster_port
~~~~~~~~~~~~~~~~

*Synopsis:* ``sge_qmaster_port = port``

*Description:* The SGE port options should be used in case the SGE command line
clients require the SGE_QMASTER_PORT and SGE_EXECD_PORT environment variables to
be set. Usually they are not necessary.

*Default:* ``undefined``

*Example*::

   sge_qmaster_port=536

.. _reference_lrms_sge_execd_port:

sge_execd_port
~~~~~~~~~~~~~~

*Synopsis:* ``sge_execd_port = port``

*Description:* The SGE port options should be used in case the SGE command line
clients require the SGE_QMASTER_PORT and SGE_EXECD_PORT environment variables to
be set. Usually they are not necessary.

*Default:* ``undefined``

*Example*::

   sge_execd_port=537

.. _reference_lrms_sge_jobopts:

sge_jobopts
~~~~~~~~~~~

*Synopsis:* ``sge_jobopts = string``

*Description:* Additional SGE options to be used when submitting jobs to SGE.

*Default:* ``undefined``

*Example*::

   sge_jobopts=-P atlas -r yes

.. _reference_lrms_slurm_bin_path:

slurm_bin_path
~~~~~~~~~~~~~~

*Synopsis:* ``slurm_bin_path = path``

*Description:* Path to SLURM binaries. Must be set if installed outside of the
normal PATH.

*Default:* ``/usr/bin``

*Example*::

   slurm_bin_path=/usr/bin

.. _reference_lrms_slurm_wakeupperiod:

slurm_wakeupperiod
~~~~~~~~~~~~~~~~~~

*Synopsis:* ``slurm_wakeupperiod = numsec``

*Description:* How long the infosys should wait (in seconds) before querying
SLURM for new data.

*Default:* ``30``

*Example*::

   slurm_wakeupperiod=15

.. _reference_lrms_slurm_use_sacct:

slurm_use_sacct
~~~~~~~~~~~~~~~

*Synopsis:* ``slurm_use_sacct = yes/no``

*Description:* Indicates whether ARC should use sacct instead of scontrol to
obtain information about finished jobs. Not supported by slurmpy.

*Allowed values:* ``yes``, ``no``

*Default:* ``yes``

*Example*::

   slurm_use_sacct=yes
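Correspondingly, a sketch of a SLURM setup using the options above (all values are illustrative)::

   [lrms]
   lrms=slurm
   slurm_bin_path=/usr/bin
   slurm_wakeupperiod=15
   slurm_use_sacct=yes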
.. _reference_lrms_lsf_bin_path:

lsf_bin_path
~~~~~~~~~~~~

*Synopsis:* ``lsf_bin_path = path``

*Description:* The PATH to the LSF bin folder.

*Default:* ``/usr/bin``

*Example*::

   lsf_bin_path=/usr/local/lsf/bin/

.. _reference_lrms_lsf_profile_path:

lsf_profile_path
~~~~~~~~~~~~~~~~

*Synopsis:* ``lsf_profile_path = path``

*Description:* Path to the profile.lsf file. Infoprovider scripts will source
profile.lsf to set up the LSF utilities environment.

*Default:* ``/usr/share/lsf/conf/profile.lsf``

*Example*::

   lsf_profile_path=/usr/local/share/lsf/conf/profile.lsf

.. _reference_lrms_lsf_architecture:

lsf_architecture
~~~~~~~~~~~~~~~~

*Synopsis:* ``lsf_architecture = string``

*Description:* CPU architecture to request when submitting jobs to LSF. Use only
if you know what you are doing.

*Default:* ``undefined``

*Example*::

   lsf_architecture=PowerPC

.. warning:: CHANGE: moved here from the ``[queue:name]`` block

.. _reference_lrms_ll_bin_path:

ll_bin_path
~~~~~~~~~~~

*Synopsis:* ``ll_bin_path = path``

*Description:* The PATH to the LoadLeveler bin folder.

*Default:* ``/usr/bin``

*Example*::

   ll_bin_path=/opt/ibmll/LoadL/full/bin

.. _reference_lrms_ll_consumable_resources:

ll_consumable_resources
~~~~~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``ll_consumable_resources = yes/no``

*Description:* Indicates whether the LoadLeveler setup is using Consumable
Resources.

*Allowed values:* ``yes``, ``no``

*Default:* ``no``

*Example*::

   ll_consumable_resources=yes

.. _reference_lrms_boinc_db_host:

boinc_db_host
~~~~~~~~~~~~~

*Synopsis:* ``boinc_db_host = hostname``

*Description:* Connection strings for the BOINC database: host.

*Default:* ``localhost``

*Example*::

   boinc_db_host=localhost

.. _reference_lrms_boinc_db_port:

boinc_db_port
~~~~~~~~~~~~~

*Synopsis:* ``boinc_db_port = port``

*Description:* Connection strings for the BOINC database: port.

*Default:* ``3306``

*Example*::

   boinc_db_port=3306
.. _reference_lrms_boinc_db_name:

boinc_db_name
~~~~~~~~~~~~~

*Synopsis:* ``boinc_db_name = db_name``

*Description:* Connection strings for the BOINC database: db_name.

*Default:* ``undefined``

*Example*::

   boinc_db_name=myproject

.. _reference_lrms_boinc_db_user:

boinc_db_user
~~~~~~~~~~~~~

*Synopsis:* ``boinc_db_user = user``

*Description:* Connection strings for the BOINC database: db_user.

*Default:* ``undefined``

*Example*::

   boinc_db_user=boinc

.. _reference_lrms_boinc_db_pass:

boinc_db_pass
~~~~~~~~~~~~~

*Synopsis:* ``boinc_db_pass = pwd``

*Description:* Connection strings for the BOINC database: pwd.

*Default:* ``undefined``

*Example*::

   boinc_db_pass=password

.. _reference_lrms_ssh:

[lrms/ssh] block
----------------

This sub-block configures the ssh environment for remote batch management.
Currently ONLY the python SLURM (slurmpy) EXPERIMENTAL batch module is able to
utilize the remote ssh feature.

Parameters within this block are relevant if the cluster frontend is remotely
located with respect to the CE frontend (the machine running A-REX). If
specified with the parameters below, the session, cache and runtime directories
will be mounted from the cluster frontend on the CE frontend using sshfs. Job
submission and management will be done using ssh (Paramiko).

.. warning:: CHANGE: new sub-block

.. _reference_lrms_ssh_remote_host:

remote_host
~~~~~~~~~~~

*Synopsis:* ``*remote_host = hostname``

*Description:* Define the remote cluster frontend machine which contains the
session, cache and runtime directories and where jobs should be submitted to.

*Default:* ``undefined`` mandatory

*Example*::

   remote_host=myremotehost.org

.. _reference_lrms_ssh_private_key:

private_key
~~~~~~~~~~~

*Synopsis:* ``*private_key = path``

*Description:* Location of the private key which should be used to establish
the connection to the machine specified by the 'remote_host' attribute.

*Default:* ``undefined`` mandatory

*Example*::

   private_key=/etc/grid-security/hostkey-priv.pem
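A hypothetical remote-SLURM setup combining this sub-block with the ``[lrms]`` block might look like this (the hostname, key path and account name are illustrative; the remaining options of this sub-block are described below)::

   [lrms]
   lrms=slurmpy

   [lrms/ssh]
   remote_host=myremotehost.org
   private_key=/etc/grid-security/hostkey-priv.pem
   remote_user=grid
   remote_sessiondir=/scratch/grid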
.. _reference_lrms_ssh_remote_user:

remote_user
~~~~~~~~~~~

*Synopsis:* ``*remote_user = user``

*Description:* The user on the remote cluster which should be used for mounting
directories, submitting and managing jobs, and gathering information about the
cluster.

*Default:* ``undefined`` mandatory

*Example*::

   remote_user=grid

.. _reference_lrms_ssh_remote_sessiondir:

remote_sessiondir
~~~~~~~~~~~~~~~~~

*Synopsis:* ``remote_sessiondir = path``

*Description:* Session directory on the cluster frontend to be mounted (sshfs)
on the CE machine at the directory specified by the 'sessiondir' attribute in
the ``[arex]`` block.

*Default:* ``undefined`` mandatory

*Example*::

   remote_sessiondir=/scratch/grid

.. _reference_lrms_ssh_remote_runtimedir:

remote_runtimedir
~~~~~~~~~~~~~~~~~

*Synopsis:* ``remote_runtimedir = path``

*Description:* Runtime environment directory on the cluster frontend to be
mounted (sshfs) on the CE machine at the directory specified by the 'runtimedir'
attribute in the ``[arex]`` block.

.. warning:: TODO: check if it is still relevant or works with the ARC6 RTE
   framework

*Default:* ``undefined``

*Example*::

   remote_runtimedir=/SOFTWARE/runtime

.. _reference_lrms_ssh_remote_cachedir:

remote_cachedir
~~~~~~~~~~~~~~~

*Synopsis:* ``*remote_cachedir = path``

*Description:* Cache directory on the cluster frontend to be mounted (sshfs) on
the CE machine at the directory specified by the 'cachedir' attribute in the
``[arex]`` block.

.. warning:: TODO: why is it mandatory and why is the remote_sessiondir not
   mandatory?

*Default:* ``undefined``

*Example*::

   remote_cachedir=/scratch/cache

.. _reference_lrms_ssh_ssh_timeout:

ssh_timeout
~~~~~~~~~~~

*Synopsis:* ``ssh_timeout = time``

*Description:* Timeout for establishing the ssh connection, in seconds.

*Default:* ``10``

*Example*::

   ssh_timeout=10

.. _reference_arex:

[arex] block
------------

The ``[arex]`` block, together with its various subblocks, configures the A-REX
service hosted in ``arched``.
A-REX takes care of various middleware tasks on the frontend, such as job creation and management, stage-in/stage-out, LRMS job submission, data caching, etc.

.. warning:: CHANGE: renamed block

.. _reference_arex_user:

user
~~~~

*Synopsis:* ``user = user[:group]``

*Description:* Switch to a non-root user/group after startup. Use with caution because of limited functionality when A-REX is not run as root.

*Default:* ``root``

*Example*::

  user=grid:grid

.. _reference_arex_norootpower:

norootpower
~~~~~~~~~~~

*Synopsis:* ``norootpower = yes|no``

*Description:* If set to yes, all job management processes will switch to the mapped user's identity while accessing the session directory. This is useful if the session directory is on NFS with root squashing turned on.

*Allowed values:* ``yes``, ``no``

*Default:* ``no``

*Example*::

  norootpower=yes

.. _reference_arex_delegationdb:

delegationdb
~~~~~~~~~~~~

*Synopsis:* ``delegationdb = db_name``

*Description:* Specifies which DB to use to store delegations. Currently supported db_names are bdb and sqlite.

*Default:* ``sqlite``

*Example*::

  delegationdb=sqlite

.. warning:: CHANGE: modified. new default.

.. _reference_arex_watchdog:

watchdog
~~~~~~~~

*Synopsis:* ``watchdog = yes/no``

*Description:* Specifies whether an additional watchdog process is spawned to restart the main process if it is stuck or dies.

*Allowed values:* ``yes``, ``no``

*Default:* ``no``

*Example*::

  watchdog=no

.. _reference_arex_loglevel:

loglevel
~~~~~~~~

*Synopsis:* ``loglevel = level``

*Description:* (previously debug) Sets the loglevel of the arched daemon hosting the A-REX service, between 0 (FATAL) and 5 (DEBUG). Defaults to 3 (INFO).

*Allowed values:* ``0``, ``1``, ``2``, ``3``, ``4``, ``5``

*Default:* ``3``

*Example*::

  loglevel=3

.. warning:: CHANGE: renamed

.. _reference_arex_logfile:

logfile
~~~~~~~

*Synopsis:* ``logfile = path``

*Description:* Specifies the A-REX log file location. If using an external log rotation tool, make sure it matches the path specified here.

*Default:* ``/var/log/arc/arex.log``

*Example*::

  logfile=/var/log/arc/arex.log

.. warning:: CHANGE: modified default (renamed file)

.. _reference_arex_joblog:

joblog
~~~~~~

*Synopsis:* ``joblog = path``

*Description:* Specifies where to store a specialized log about started and finished jobs. If the path is empty, the log is NOT written. The log is controlled by logrotate if the default name is kept. This log is not used by any other part of ARC, so it can be safely disabled if you are not interested in storing a jobs log.

*Default:* ``/var/log/arc/arex-jobs.log``

*Example*::

  joblog=""

.. _reference_arex_fixdirectories:

fixdirectories
~~~~~~~~~~~~~~

*Synopsis:* ``fixdirectories = yes/missing/no``

*Description:* Specifies whether during startup A-REX should create all directories needed for its operation and set suitable default permissions. If ``no`` is specified then A-REX does nothing to prepare its operational environment. In the case of ``missing``, A-REX only creates and sets permissions for directories which are not present yet. For ``yes``, all directories are created and permissions for all used directories are set to default safe values.

*Allowed values:* ``yes``, ``missing``, ``no``

*Default:* ``yes``

*Example*::

  fixdirectories=yes

.. _reference_arex_controldir:

controldir
~~~~~~~~~~

*Synopsis:* ``controldir = path``

*Description:* The directory holding A-REX's internal job metadata files. For heavily loaded computing elements, consider locating the controldir on a dedicated partition optimized for small random reads and writes. The directory is not needed on the nodes.

*Default:* ``/var/spool/arc/jobstatus``

*Example*::

  controldir=/var/spool/arc/jobstatus

.. _reference_arex_sessiondir:

sessiondir
~~~~~~~~~~

*Synopsis:* ``sessiondir = path [drain]``

*Description:* The directory which holds the session directories of the grid jobs. Multiple session directories may be specified, in which case jobs are spread evenly over them. If ``sessiondir=*`` is set, the session directory will be spread over the ``${HOME}/.jobs`` directories of every locally mapped unix user. It is preferred to use common session directories. The path may be followed by ``drain``, in which case no new jobs will be assigned to that sessiondir, but current jobs will still be processed and remain accessible.

This option is **multivalued**.

*Default:* ``/var/spool/arc/sessiondir``

*Example*::

  sessiondir=/scratch/arcsessions drain
  sessiondir=*

.. _reference_arex_defaultttl:

defaultttl
~~~~~~~~~~

*Synopsis:* ``defaultttl = [ttl [ttr]]``

*Description:* The ttl parameter sets the time in seconds for how long a job session directory will survive after job execution has finished. If not specified, the default is 1 week. The ttr parameter sets how long information about a job will be kept after the session directory is deleted. If not specified, the ttr default is one month.

*Default:* ``604800 2592000``

*Example*::

  defaultttl=2592000

.. _reference_arex_shared_filesystem:

shared_filesystem
~~~~~~~~~~~~~~~~~

*Synopsis:* ``shared_filesystem = yes/no``

*Description:* Specifies if computing nodes can access folders mounted with protocols like NFS with the same pathnames as the frontend. Note that the default 'yes' assumes that the paths to the session directories are the same on both frontend and nodes. If these paths are not the same, then one should set the scratchdir option. The option changes the RUNTIME_NODE_SEES_FRONTEND variable in the submission scripts.

*Allowed values:* ``yes``, ``no``

*Default:* ``yes``

*Example*::

  shared_filesystem=yes

.. _reference_arex_scratchdir:

scratchdir
~~~~~~~~~~

*Synopsis:* ``scratchdir = path``

*Description:* The path on the computing node to which the session directory is moved before execution. If defined, it should contain the path to the directory on the computing node which can be used to store a job's files during execution. Sets the environment variable RUNTIME_LOCAL_SCRATCH_DIR. If the variable is not set, the session dir is not moved before execution. Don't set this parameter unless you want to move the sessiondir to the scratchdir on the node.

*Default:* ``undefined``

*Example*::

  scratchdir=/local/scratch/

.. _reference_arex_shared_scratch:

shared_scratch
~~~~~~~~~~~~~~

*Synopsis:* ``shared_scratch = path``

*Description:* The path on the frontend where the scratchdir can be found. If defined, it should contain the path corresponding to that set in scratchdir, as seen on the frontend machine. Sets the environment variable RUNTIME_FRONTEND_SEES_NODE.

*Default:* ``undefined``

*Example*::

  shared_scratch=/mnt/scratch

.. _reference_arex_tmpdir:

tmpdir
~~~~~~

*Synopsis:* ``tmpdir = path``

*Description:* A temporary directory used by A-REX.

*Default:* ``/tmp``

*Example*::

  tmpdir=/tmp

.. _reference_arex_runtimedir:

runtimedir
~~~~~~~~~~

*Synopsis:* ``runtimedir = path``

*Description:* The directory which holds the additional runtime environment scripts added by the system administrator. Several directories can be specified. To enable RTEs to be advertised in the information system and used during submission, the arcctl tool should be used.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  runtimedir=/var/spool/arc/extraruntimes
  runtimedir=/cvmfs/vo/arcruntime

.. _reference_arex_maxjobs:

maxjobs
~~~~~~~

*Synopsis:* ``maxjobs = number1 number2 number3 number4 number5``

*Description:* Specifies the maximum allowed number of jobs:

- number1 - jobs which are not in FINISHED state (jobs tracked in RAM)
- number2 - jobs being run (SUBMITTING, INLRMS states)
- number3 - jobs being processed per DN
- number4 - jobs in the whole system
- number5 - LRMS scripts limit (jobs in SUBMITTING and CANCELING)

A parameter set to -1 means no limit.

*Default:* ``-1 -1 -1 -1 -1``

*Example*::

  maxjobs=10000 10 2000 -1 -1

.. warning:: CHANGE: Modified. Explicitly indicate ``no limit`` with -1. ``Missing number`` should not be allowed.
.. _reference_arex_maxrerun:

maxrerun
~~~~~~~~

*Synopsis:* ``maxrerun = number``

*Description:* Specifies how many times a job can be rerun if it failed in the LRMS. This is only an upper limit; the actual rerun value is set by the user in his xrsl.

*Default:* ``5``

*Example*::

  maxrerun=5

.. _reference_arex_statecallout:

statecallout
~~~~~~~~~~~~

*Synopsis:* ``statecallout = state options plugin_path``

*Description:* (previously authplugin) This parameter enables a callout feature of A-REX: every time a job goes to ``state``, A-REX will run the ``plugin_path`` executable. Options consist of ``key=value`` pairs separated by ``,``. Possible keys are:

timeout
  wait for the result no longer than 'value' seconds (the ``timeout=`` prefix can be omitted).
onsuccess, onfailure, ontimeout
  what to do if the plugin exited with exit code 0, a non-zero exit code, or the timeout was reached. Possible actions are:

  pass
    continue executing the job,
  fail
    cancel the job,
  log
    write a log message about the problem and continue executing the job.

This option is **multivalued**.

*Default:* ``undefined``

arc-blahp-logger: a statecallout plugin shipped with ARC; its purpose is to write an accounting log for every finished job in BLAH format.

*Example*::

  statecallout=FINISHED timeout=10,onfailure=pass /usr/libexec/arc/arc-blahp-logger -I %I -U %u -L %C/job.%I.local -P %C/job.%I.proxy

.. warning:: CHANGE: renamed from authplugin

.. _reference_arex_wakeupperiod:

wakeupperiod
~~~~~~~~~~~~

*Synopsis:* ``wakeupperiod = time``

*Description:* Specifies how often A-REX checks for newly arrived jobs, job state change requests, etc., i.e. the responsiveness of A-REX. ``time`` is a time period in seconds. The default is 3 minutes. There is usually no need to change this parameter because important state changes also trigger out-of-schedule checks.

NOTE: This parameter does not affect the responsiveness of the backend scripts - especially ``scan-*-job``. That means that an upper estimate of the time needed to detect that a job has finished executing is the sum of the responsiveness of the backend script and the wakeupperiod.

*Default:* ``180``

*Example*::

  wakeupperiod=180

.. _reference_arex_infoproviders_timelimit:

infoproviders_timelimit
~~~~~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``infoproviders_timelimit = seconds``

*Description:* (previously infoproviders_timeout) Sets the execution time limit of the infoprovider scripts started by the A-REX. Infoprovider scripts running longer than the specified time limit are gracefully handled by the A-REX (the behaviour depends on the state of the system). Increase this value if you have many jobs in the controldir and the infoproviders need more time to process them.

*Default:* ``10800``

*Example*::

  infoproviders_timelimit=10800

.. warning:: CHANGED: rename, infoproviders_timelimit, move to ``[arex]`` block

.. _reference_arex_pidfile:

pidfile
~~~~~~~

*Synopsis:* ``pidfile = path``

*Description:* Specifies the location of the file containing the PID of the daemon process.

*Default:* ``/var/run/arc/arex.pid``

*Example*::

  pidfile=/var/run/arc/arex.pid

.. warning:: TODO: modified pid file location and name

.. _reference_arex_mail:

mail
~~~~

*Synopsis:* ``mail = email_address``

*Description:* Specifies the email address from which the notification mails are sent.

*Default:* ``$VAR{user}@$VAR{[common]hostname}``

*Example*::

  mail=grid.support@somewhere.org

.. warning:: CHANGE: modified. implement a default! in the format of root@localhost.

.. _reference_arex_gnu_time:

gnu_time
~~~~~~~~

*Synopsis:* ``gnu_time = path``

*Description:* The GNU time command.

.. warning:: CHANGE: moved to ``[lrms]``

.. _reference_arex_nodename:

nodename
~~~~~~~~

*Synopsis:* ``nodename = path``

*Description:* The command to obtain the hostname of the computing node.

.. warning:: CHANGE: moved to ``[lrms]``

.. _reference_arex_helper:

helper
~~~~~~

*Synopsis:* ``helper = user executable arguments``

*Description:* By enabling this parameter A-REX will run the external ``helper`` program under the ``user`` account. The program will be kept running: every time the executable finishes it will be started again. As a limitation, currently only '.' is supported as the username, which corresponds to the user running A-REX.

*Default:* ``undefined``

*Example*::

  helper=. /usr/local/bin/myutility

.. _reference_arex_helperlog:

helperlog
~~~~~~~~~

*Synopsis:* ``helperlog = path``

*Description:* Specifies the location of the log for helpers.

.. warning:: TODO: check if not in controldir

*Default:* ``/var/log/arc/job.helper.errors``

*Example*::

  helperlog=/var/log/arc/job.helper.errors

.. warning:: CHANGE: new parameter

.. _reference_arex_forcedefaultvoms:

forcedefaultvoms
~~~~~~~~~~~~~~~~

*Synopsis:* ``forcedefaultvoms = VOMS_FQAN``

*Description:* Specifies the VOMS FQAN which a user will be assigned if his/her credentials contain no VOMS attributes. To assign different values to different queues, put this command into the ``[queue]`` block.

.. warning:: TODO: was missed in queue, check it actually works with queues

*Default:* ``undefined``

*Example*::

  forcedefaultvoms=/vo/group/subgroup

.. _reference_arex_cache:

[arex/cache] block
------------------

This subblock enables and configures the cache functionality of A-REX. A-REX can cache input files downloaded as part of the stage-in process of grid jobs, so that subsequent jobs requiring the same file don't have to download it again. The cached file will be symlinked (or copied) into the session directory of the job. To disable the cache functionality, simply comment out the ``[arex/cache]`` config block. It is a good idea to have the cache on its own separate file system that is shared with the nodes. For more information about the cache functionality of A-REX, consult the sysadmin guide.

.. warning:: CHANGE: new block

.. _reference_arex_cache_cachedir:

cachedir
~~~~~~~~

*Synopsis:* ``*cachedir = cache_path [link_path]``

*Description:* Specifies a directory to store cached data. Multiple cache directories may be specified. Cached data will be distributed evenly over the caches.
Optional ``link_path`` specifies the path at which ``cache_path`` is accessible on the computing nodes, if it is different from the path on the A-REX host. If ``link_path`` is set to ``.``, files are not soft-linked but copied to the session directory. If a cache directory needs to be drained, then ``link_path`` should specify ``drain``, in which case no new files will be added to the cache. A restart of A-REX is also needed.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  cachedir=/scratch/cache
  cachedir=/shared/cache /frontend/jobcache
  cachedir=/fs1/cache drain

.. _reference_arex_cache_cleaner:

[arex/cache/cleaner] block
--------------------------

This subblock enables the cleaning functionality of the cache. If this block is not enabled then the cache will not be cleaned by A-REX. Either cachesize or cachelifetime should also be set to enable cleaning.

.. warning:: CHANGE: new block

.. _reference_arex_cache_cleaner_logfile:

logfile
~~~~~~~

*Synopsis:* ``logfile = path``

*Description:* (previously cachelogfile) Sets the filename where the output of the cache-clean tool should be logged. Defaults to /var/log/arc/cache-clean.log.

*Default:* ``/var/log/arc/cache-cleaner.log``

*Example*::

  logfile=/tmp/cache-clean.log

.. warning:: CHANGE: renamed as logfile

.. _reference_arex_cache_cleaner_loglevel:

loglevel
~~~~~~~~

*Synopsis:* ``loglevel = level``

*Description:* (previously cacheloglevel) Specifies the level of logging by the cache-clean tool, between 0 (FATAL) and 5 (DEBUG). Defaults to 3 (INFO).

*Allowed values:* ``0``, ``1``, ``2``, ``3``, ``4``, ``5``

*Default:* ``3``

*Example*::

  loglevel=4

.. warning:: CHANGE: renamed as loglevel

.. _reference_arex_cache_cleaner_cachesize:

cachesize
~~~~~~~~~

*Synopsis:* ``cachesize = max min``

*Description:* Specifies the high and low watermarks for the space used by the cache, as a percentage of the space on the file system on which the cache directory is located. When the max is exceeded, files will be deleted to bring the used space down to the min level. It is a good idea to have the cache on its own separate file system.

*Default:* ``100 100``

*Example*::

  cachesize=50 20

.. _reference_arex_cache_cleaner_calculatesize:

calculatesize
~~~~~~~~~~~~~

*Synopsis:* ``calculatesize = filesystem/cachedir``

*Description:* (previously cacheshared) Specifies the way the space occupied by the cache will be calculated. If set to cachedir, then cache-clean calculates the size of the cache instead of using the file system used space.

*Allowed values:* ``filesystem``, ``cachedir``

*Default:* ``filesystem``

*Example*::

  calculatesize=cachedir

.. warning:: CHANGE: renamed parameter

.. _reference_arex_cache_cleaner_cachelifetime:

cachelifetime
~~~~~~~~~~~~~

*Synopsis:* ``cachelifetime = time``

*Description:* Turns on time-based file cleaning. Files accessed less recently than the given time period will be deleted. Example values of this option are 1800, 90s, 24h, 30d. When no suffix is given, the unit is seconds.

*Default:* ``undefined``

*Example*::

  cachelifetime=30d

.. _reference_arex_cache_cleaner_cachespacetool:

cachespacetool
~~~~~~~~~~~~~~

*Synopsis:* ``cachespacetool = path [options]``

*Description:* Specifies an alternative tool to ``df`` that cache-clean should use to obtain space information on the cache file system. The output of this command must be ``total_bytes used_bytes``. The cache directory is passed as the last argument to this command.

*Default:* ``undefined``

*Example*::

  cachespacetool=/etc/getspace.sh

.. _reference_arex_cache_cleaner_cachecleantimeout:

cachecleantimeout
~~~~~~~~~~~~~~~~~

*Synopsis:* ``cachecleantimeout = time``

*Description:* The timeout in seconds for running the cache-clean tool. If using a large cache or a slow file system, this value can be increased to allow the cleaning to complete. Defaults to 3600 (1 hour).

*Default:* ``3600``

*Example*::

  cachecleantimeout=10000
.. _reference_arex_data-staging:

[arex/data-staging] block
-------------------------

This subblock enables and configures the data staging capabilities of A-REX. A subsystem called DTR (Data Transfer Reloaded) is responsible for collecting input data for a job before submission to the LRMS, and for staging out data after the job has finished. The automatic data staging of A-REX is a very powerful feature; disabling this functionality (by commenting out the subblock) is not recommended.

.. warning:: CHANGE: RENAMED block

.. _reference_arex_data-staging_loglevel:

loglevel
~~~~~~~~

*Synopsis:* ``loglevel = number``

*Description:* (previously debug) Sets the log level for transfer logging in job.id.errors files, between 0 (FATAL) and 5 (DEBUG). The default is to use the value set by the loglevel option in the ``[arex]`` section.

*Allowed values:* ``0``, ``1``, ``2``, ``3``, ``4``, ``5``

*Default:* ``$VAR{[arex]loglevel}``

*Example*::

  loglevel=4

.. warning:: CHANGE: renamed as loglevel.

.. _reference_arex_data-staging_logfile:

logfile
~~~~~~~

*Synopsis:* ``logfile = path``

*Description:* (previously central_logfile) A central file in which all data staging messages from every job will be collected and logged, in addition to their job.id.errors files. If this option is not present or the path is empty, the log file is not created. This file is not automatically controlled by logrotate unless you name it /var/log/arc/datastaging.log.

*Default:* ``undefined``

*Example*::

  logfile=/var/log/arc/datastaging.log

.. warning:: CHANGE: renamed

.. _reference_arex_data-staging_statefile:

statefile
~~~~~~~~~

*Synopsis:* ``statefile = path``

*Description:* (previously dtrlog) A file in which data staging state information (for monitoring and recovery purposes) is periodically dumped.

*Default:* ``$VAR{[arex]controldir}/dtr.state``

*Example*::

  statefile=/tmp/dtr.state

.. warning:: CHANGE: renamed, modified: new default value

.. _reference_arex_data-staging_usehostcert:

usehostcert
~~~~~~~~~~~

*Synopsis:* ``usehostcert = yes/no``

*Description:* Whether the A-REX host certificate should be used for communication with remote hosts instead of the users' proxies.

*Allowed values:* ``yes``, ``no``

*Default:* ``no``

*Example*::

  usehostcert=yes

.. _reference_arex_data-staging_maxtransfertries:

maxtransfertries
~~~~~~~~~~~~~~~~

*Synopsis:* ``maxtransfertries = number``

*Description:* The maximum number of times download and upload will be attempted per job (retries are only performed if an error is judged to be temporary).

*Default:* ``10``

*Example*::

  maxtransfertries=20

.. _reference_arex_data-staging_passivetransfer:

passivetransfer
~~~~~~~~~~~~~~~

*Synopsis:* ``passivetransfer = yes/no``

*Description:* If yes, gridftp transfers are passive. Setting this option to yes can solve transfer problems caused by firewalls.

*Allowed values:* ``yes``, ``no``

*Default:* ``yes``

*Example*::

  passivetransfer=yes

.. warning:: CHANGE: new default: yes

.. _reference_arex_data-staging_globus_tcp_port_range:

globus_tcp_port_range
~~~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``globus_tcp_port_range = port_range``

*Description:* In a firewalled environment the software which uses GSI needs to know what ports are available. This parameter is only needed if ``passivetransfer=no`` is set. These variables are similar to the Globus environment variables ``GLOBUS_TCP_PORT_RANGE`` and ``GLOBUS_UDP_PORT_RANGE``.

*Default:* ``9000,9300``

.. warning:: TODO: test if a space such as ``9000, 9300`` breaks gridftp in ARC?

*Example*::

  globus_tcp_port_range=9000,12000

.. warning:: CHANGE: moved here

.. _reference_arex_data-staging_globus_udp_port_range:

globus_udp_port_range
~~~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``globus_udp_port_range = port_range``

*Description:* In a firewalled environment the software which uses GSI needs to know what ports are available. This parameter is only needed if ``passivetransfer=no`` is set. These variables are similar to the Globus environment variables ``GLOBUS_TCP_PORT_RANGE`` and ``GLOBUS_UDP_PORT_RANGE``.

*Default:* ``9000,9300``

*Example*::

  globus_udp_port_range=9000,12000

.. warning:: CHANGE: moved here

.. _reference_arex_data-staging_httpgetpartial:

httpgetpartial
~~~~~~~~~~~~~~

*Synopsis:* ``httpgetpartial = yes/no``

*Description:* If yes, HTTP GET transfers may transfer data in chunks/parts. If no, data is always transferred in one piece.

*Allowed values:* ``yes``, ``no``

*Default:* ``no``

*Example*::

  httpgetpartial=no

.. warning:: CHANGE: new default: no

.. _reference_arex_data-staging_speedcontrol:

speedcontrol
~~~~~~~~~~~~

*Synopsis:* ``speedcontrol = min_speed min_time min_average_speed max_inactivity``

*Description:* Specifies how slow the data transfer must be to trigger an error. The transfer is cancelled if the speed is below min_speed bytes per second for at least min_time seconds, or if the average rate is below min_average_speed bytes per second, or if no data was transferred for longer than max_inactivity seconds. A value of zero turns the feature off.

*Default:* ``0 300 0 300``

*Example*::

  speedcontrol=0 300 100 300
  speedcontrol=""

.. warning:: CHANGE: modified: a missing parameter ``speedcontrol=`` should also turn the feature off, not just a zero value.

.. _reference_arex_data-staging_maxdelivery:

maxdelivery
~~~~~~~~~~~

*Synopsis:* ``maxdelivery = number``

*Description:* Maximum number of concurrent file transfers, i.e. active transfers using network bandwidth. This is the total number for the whole system, including any remote staging hosts.

*Default:* ``10``

*Example*::

  maxdelivery=40

.. _reference_arex_data-staging_maxprocessor:

maxprocessor
~~~~~~~~~~~~

*Synopsis:* ``maxprocessor = number``

*Description:* Maximum number of concurrent files in each pre- and post-processing state, e.g. cache check or replica resolution.

.. warning:: TODO: clarify what those post and pre states are, explain it to sysadmins

*Default:* ``10``

*Example*::

  maxprocessor=20
.. _reference_arex_data-staging_maxemergency:

maxemergency
~~~~~~~~~~~~

*Synopsis:* ``maxemergency = number``

*Description:* Maximum number of ``emergency`` slots which can be assigned to transfer shares when all slots up to the limits configured by the above two options are used by other shares. This ensures that shares cannot be blocked by others.

*Default:* ``1``

*Example*::

  maxemergency=5

.. _reference_arex_data-staging_maxprepared:

maxprepared
~~~~~~~~~~~

*Synopsis:* ``maxprepared = number``

*Description:* Maximum number of files in a prepared state, i.e. pinned on a remote storage such as SRM for transfer. A good value is a small multiple of maxdelivery.

*Default:* ``200``

*Example*::

  maxprepared=250

.. _reference_arex_data-staging_sharepolicy:

sharepolicy
~~~~~~~~~~~

*Synopsis:* ``sharepolicy = grouping``

*Description:* (previously sharetype) Defines the mechanism to be used for grouping the job transfers. DTR assigns transfers to shares, so that those shares can be assigned different priorities. Possible values for ``grouping`` are dn, voms:vo, voms:role and voms:group:

dn
  each job is assigned to a share based on the DN of the user submitting the job.
voms:vo
  each job is assigned to a share based on the VO specified in the proxy.
voms:role
  each job is assigned to a share based on the role specified in the first attribute found in the proxy.
voms:group
  each job is assigned to a share based on the group specified in the first attribute found in the proxy.

In the case of the voms schemes, if the proxy is not a VOMS proxy then a default share is used. If sharepolicy is not set then the client-defined priority is applied.

*Default:* ``undefined``

*Example*::

  sharepolicy=voms:role

.. warning:: CHANGE: renamed

.. _reference_arex_data-staging_sharepriority:

sharepriority
~~~~~~~~~~~~~

*Synopsis:* ``sharepriority = share priority``

*Description:* (previously definedshare) Defines a share with a fixed priority, different from the default (50). The priority is an integer between 1 (lowest) and 100 (highest).

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  sharepriority=myvo:students 20
  sharepriority=myvo:production 80

.. warning:: CHANGE: renamed

.. _reference_arex_data-staging_copyurl:

copyurl
~~~~~~~

*Synopsis:* ``copyurl = url_head local_path``

*Description:* Configures DTR to use copy instead of download for certain stage-in files. URLs starting with 'url_head' should be accessed in a different way (most probably a unix open). The 'url_head' part of the URL will be replaced with 'local_path' and the file at the resulting path will be copied to the session directory. NOTE: 'local_path' can also be of URL type.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  copyurl=gsiftp://example.org:2811/data/ /data/
  copyurl=gsiftp://example2.org:2811/data/ /data/

.. _reference_arex_data-staging_linkurl:

linkurl
~~~~~~~

*Synopsis:* ``linkurl = url_head local_path [node_path]``

*Description:* Identical to 'copyurl', except that DTR is configured so that for certain URLs files won't be downloaded or copied (as with copyurl), but a soft-link will be created. The 'local_path' specifies the way to access the file from the frontend, and is used to check permissions. The 'node_path' specifies how the file can be accessed from the computing nodes, and will be used for soft-link creation. If 'node_path' is missing, 'local_path' will be used.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  linkurl=gsiftp://somewhere.org/data /data
  linkurl=gsiftp://example.org:2811/data/ /scratch/data/

.. _reference_arex_data-staging_use_remote_acix:

use_remote_acix
~~~~~~~~~~~~~~~

*Synopsis:* ``use_remote_acix = URL``

*Description:* (previously acix_endpoint) If configured, then the ARC Cache Index available at the URL will be queried for every input file specified in a job description, and any replicas found in sites with accessible caches will be added to the replica list of the input file. The replicas will be tried in the order specified by the preferredpattern variable.

*Default:* ``undefined``

*Example*::

  use_remote_acix=https://cacheindex.ndgf.org:6443/data/index

.. warning:: CHANGE: rename

.. _reference_arex_data-staging_preferredpattern:

preferredpattern
~~~~~~~~~~~~~~~~

*Synopsis:* ``preferredpattern = pattern``

*Description:* Specifies a preference pattern on which to sort multiple replicas of an input file. It consists of one or more patterns separated by a pipe character (|), listed in order of preference. Replicas will be ordered by the earliest match. If the dollar character ($) is used at the end of a pattern, the pattern will be matched against the end of the hostname of the replica. If an exclamation mark (!) is used at the beginning of a pattern, any replicas matching the pattern will be excluded from the sorted replicas.

*Default:* ``undefined``

*Example*::

  preferredpattern=srm://myhost.ac.uk|.uk$|ndgf.org$|!badhost.org$

The following options are used to configure the multi-host data staging deployment scenario. In that setup a number of additional data staging hosts are enabled to off-load data transfers.

.. _reference_arex_data-staging_deliveryservice:

deliveryservice
~~~~~~~~~~~~~~~

*Synopsis:* ``deliveryservice = URL``

*Description:* The URL of a remote data delivery service which can perform remote data staging.

*Default:* ``undefined``

*Example*::

  deliveryservice=https://myhost.org:443/datadeliveryservice

.. _reference_arex_data-staging_localdelivery:

localdelivery
~~~~~~~~~~~~~

*Synopsis:* ``localdelivery = yes/no``

*Description:* If any deliveryservice is defined, this option determines whether local data transfer is also performed.

*Allowed values:* ``yes``, ``no``

*Default:* ``no``

*Example*::

  localdelivery=yes

.. _reference_arex_data-staging_remotesizelimit:

remotesizelimit
~~~~~~~~~~~~~~~

*Synopsis:* ``remotesizelimit = size``

*Description:* Lower limit on the file size (in bytes) of files that remote hosts should transfer. Can be used to increase performance by transferring small files using local processes.
*Default:* ``undefined`` *Example*:: remotesizelimit=100000 .. _reference_arex_ws: [arex/ws] block --------------- A-REX exposes a set of Web Service interfaces that can be used to create and manage jobs, obtain information about the CE and the jobs, handle delegations, access cache information, so on. Comment out this block if you don't want to provide WS-interfaces for various A-REX functionalities. .. warning:: CHANGE: new block. most of the parameters originates from the old ``[grid-manager]`` block .. _reference_arex_ws_wsurl: wsurl ~~~~~ *Synopsis:* ``wsurl = url`` *Description:* (previously arex_mount_point) Specifies the base URL under which the web service intrefaces will be available. The URL argument must be a full URL consisting of protocol+host+port+path: e.g. https://:/ Make sure the chosen port is not blocked by firewall or other security rules. *Default:* ``https://$VAR{[common]hostname}:443/arex`` *Example*:: wsurl=https://piff.hep.lu.se:443/arex .. warning:: CHANGE: renamed. modified: set default as https://hostname:443/arex .. _reference_arex_ws_logfile: logfile ~~~~~~~ *Synopsis:* ``logfile = path`` *Description:* (previously wslogfile) Specify log file location for WS-interface operations. *Default:* ``/var/log/arc/ws-interface.log`` *Example*:: logfile=/var/log/arc/ws-interface.log .. warning:: CHANGE: renamed. .. _reference_arex_ws_max_job_control_requests: max_job_control_requests ~~~~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``max_job_control_requests = number`` *Description:* The max number of simultaneously processed job management requests over WS interface - like job submission, cancel, status check etc. *Default:* ``100`` *Example*:: max_job_control_requests=100 .. _reference_arex_ws_max_infosys_requests: max_infosys_requests ~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``max_infosys_requests = number`` *Description:* The max number of simultaneously processed info requests over WS interface. *Default:* ``1`` *Example*:: max_infosys_requests=1 .. 
_reference_arex_ws_max_data_transfer_requests: max_data_transfer_requests ~~~~~~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``max_data_transfer_requests = number`` *Description:* The max number of simultaneously processed data transfer requests over WS interface - like data staging. *Default:* ``100`` *Example*:: max_data_transfer_requests=100 .. _reference_arex_ws_emies: [arex/ws/emies] block --------------------- EMIES is ``The`` Web Service interface offered by A-REX to create and manage computational jobs, obtain resource and activity information, also handle delegation. EMIES is a complete set of Computing Element interface, it encapsulates all the functionality a CE should expose via its interface. See interface description at http://www.nordugrid.org/documents/EMI-ES-Specification_v1.16.odt If you don't want to offer EMIES interface, remove or comment out this block in our ``arc.conf``. .. warning:: CHANGE: new subblock .. _reference_arex_ws_emies_allownew: allownew ~~~~~~~~ *Synopsis:* ``allownew = yes/no`` *Description:* The 'allownew' config parameter sets if the Computing Element accepts submission of new jobs via the WS-interface. This parameter can be used to close down the CE. *Allowed values:* ``yes``, ``no`` *Default:* ``yes`` *Example*:: allownew=yes .. warning:: CHANGE: new parameter in this block. Implement support in the code for WS-interface. .. _reference_arex_ws_emies_allownew_override: allownew_override ~~~~~~~~~~~~~~~~~ *Synopsis:* ``allownew_override = [authgroup ...]`` *Description:* (previously allowsubmit) Defines which authorization groups are allowed to submit new jobs via the WS-interfaces when the CE is closed with allownew=no. Note that it requires the allownew=no to be set. This option in **multivalued**. *Default:* ``undefined`` *Example*:: allownew_override=biousers atlasusers allownew_override=yourauthgroup .. warning:: CHANGE: rename. modify behaviour: possible to specify several groups on a single line! .. 
_reference_arex_ws_emies_allowaccess: allowaccess ~~~~~~~~~~~ *Synopsis:* ``allowaccess = authgroup [authgroup ...]`` *Description:* (previously groupcfg) Specifies the authorization groups that are allowed to access the WS EMIES-based job submission interface. If this parameter is not set, then no additional restrictions are applied for authorizing user access. The matching group is also used for evaluating VOMS attributes representing the user. *Default:* ``undefined`` .. warning:: TODO: check who is authorized in case of no gridmapfile and empty allowaccess *Example*:: allowaccess=biousers atlasusers .. warning:: CHANGE: new parameter in the EMIES block .. _reference_arex_ws_emies_maxjobdesc: maxjobdesc ~~~~~~~~~~ *Synopsis:* ``maxjobdesc = size`` *Description:* Specifies the maximal allowed size of the job description in bytes. The default value is 5MB. Use 0 to set unlimited size. *Default:* ``5242880`` *Example*:: maxjobdesc=0 .. warning:: CHANGE: new parameter in this block. Implement support in the code for WS-interface. .. _reference_arex_ws_cache: [arex/ws/cache] block --------------------- The content of the A-REX cache can be accessed via a WS-interface. Configuring this block will allow reading cache files through a special URL. For example, if the remote file gsiftp://remotehost/file1 is stored in the cache and the WS interfaces (configured above) are available via a wsurl of https://hostname:443/arex/, then the cached copy of the file can be accessed via the following special URL: https://hostname:443/arex/cache/gsiftp://remotehost/file1 Comment out this block if you don't want to expose the cache content via the WS-interface. .. warning:: CHANGE: new block .. _reference_arex_ws_cache_cacheaccess: cacheaccess ~~~~~~~~~~~ *Synopsis:* ``cacheaccess = rule`` *Description:* This parameter defines the access control rules for the cache WS-interface, i.e. the rules for allowing access to files in the cache remotely through the A-REX web interface.
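A cacheaccess rule pairs a URL regular expression with a required credential attribute and a value pattern. A minimal sketch of the matching logic (illustrative only, not ARC code; in particular, the anchored ``fullmatch`` semantics are an assumption):

```python
import re

def cache_access_allowed(rules, file_url, client_attrs):
    """Evaluate cacheaccess-style rules (illustrative sketch, not ARC code).

    rules: list of (url_regex, attribute, value_regex) triples, mirroring the
    three parts of a cacheaccess rule.
    client_attrs: dict mapping credential attributes (e.g. 'dn', 'voms:vo')
    to the values found in the client's credential.
    """
    for url_rx, attr, value_rx in rules:
        # Rule applies only if the URL pattern matches the cached file URL...
        if re.fullmatch(url_rx, file_url):
            value = client_attrs.get(attr)
            # ...and the client's credential carries the required attribute
            # with a value matching the rule's value pattern.
            if value is not None and re.fullmatch(value_rx, value):
                return True
    return False

rules = [(r"gsiftp://host.org/private/data/.*", "voms:vo", r"myvo:production")]
print(cache_access_allowed(rules, "gsiftp://host.org/private/data/f1",
                           {"voms:vo": "myvo:production"}))  # True
```

With no rules configured the function denies everything, matching the documented default of complete denial.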
If not set, then no one can access anything. By default it is not set, which means complete denial. A rule has three parts: 1. Regular expression defining a URL pattern 2. Credential attribute to match against a client's credential 3. Regular expression defining a credential value to match against a client's credential A client is allowed to access the cached file if a URL pattern matches the cached file URL and the client's credential has the attribute and matches the value required for that pattern. Possible values for the credential attribute are dn, voms:vo, voms:role and voms:group. This option is **multivalued**. *Default:* ``undefined`` *Example*:: cacheaccess=gsiftp://host.org/private/data/.* voms:vo myvo:production cacheaccess=gsiftp://host.org/private/data/bob/.* dn /O=Grid/O=NorduGrid/.* .. _reference_arex_ws_candypond: [arex/ws/candypond] block ------------------------- The CandyPond (Cache and deliver your pilot on-demand data) A-REX Web Service (previously called Cache Service) exposes various useful data-staging related operations for the pilot job model, where input data for jobs is not known until the job is running on the worker node. This service is intended to be used by A-REX managed jobs. This service requires the ``[arex/data-staging]`` functionality. The CandyPond service is available via the wsurl/candypond URL (e.g. https://hostname:443/arex/candypond) .. warning:: TODO: revise packaging now that it is NOT a separate, independent service. .. warning:: CHANGE: NEW block, renamed service .. _reference_arex_ws_argus: [arex/ws/argus] block --------------------- The Web Service components of A-REX may directly use the Argus service (https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework) for requesting authorization decisions and performing client mapping to a local user account. This block turns on and configures the A-REX WS - Argus integration.
When this block is enabled, A-REX will communicate with the Argus PEP or PDP service for every WS interface operation! Comment out this block if you don't intend to use any external Argus service with the A-REX WS interfaces. Using Argus with the gridftp interface is possible only via LCMAPS callout. .. warning:: CHANGE: new block for the Argus functionality. Change code so that Argus is turned on/off based on this block .. _reference_arex_ws_argus_arguspep_endpoint: arguspep_endpoint ~~~~~~~~~~~~~~~~~ *Synopsis:* ``*arguspep_endpoint = url`` *Description:* Specifies the URL of the Argus PEPD service to use for authorization and user mapping. Note that if the ``requireClientCertAuthentication`` item (default: false) of pepd.ini (the configuration of the Argus PEPD service) is set to 'true', then https should be used, otherwise http is appropriate. .. note:: Argus will be contacted for every WS interface operation requested! *Default:* ``undefined`` *Example*:: arguspep_endpoint=https://somehost.somedomain:8154/authz .. _reference_arex_ws_argus_arguspep_profile: arguspep_profile ~~~~~~~~~~~~~~~~ *Synopsis:* ``arguspep_profile = profile_name`` *Description:* Defines which communication profile to use while communicating with the Argus PEPD service. Possible values for profile_name are: direct - pass all authorization attributes (only for debugging); subject - pass only the subject name of the client; emi - the ARC native profile developed in the EMI project (the default). *Allowed values:* ``direct``, ``subject``, ``emi`` *Default:* ``emi`` *Example*:: arguspep_profile=emi .. warning:: CHANGE: modified parameter values: remove cream (or at least hide from the ``arc.conf``.reference) .. _reference_arex_ws_argus_arguspep_usermap: arguspep_usermap ~~~~~~~~~~~~~~~~ *Synopsis:* ``arguspep_usermap = yes/no`` *Description:* Specifies whether the response from the Argus service may define the mapping of the client to a local account. Default is 'no'.
Note that Argus is contacted after all the other user mapping is performed. Hence it can overwrite all other decisions. *Allowed values:* ``yes``, ``no`` *Default:* ``no`` *Example*:: arguspep_usermap=no .. _reference_arex_ws_argus_arguspdp_endpoint: arguspdp_endpoint ~~~~~~~~~~~~~~~~~ *Synopsis:* ``arguspdp_endpoint = url`` *Description:* Specifies the URL of the Argus PDP service to use for authorization and user mapping. Note that if the ``requireClientCertAuthentication`` item (default: false) of pdp.ini (the configuration of the Argus PDP service) is set to 'true', then https should be used, otherwise http is appropriate. .. note:: Argus will be contacted for every WS interface operation requested! *Default:* ``undefined`` *Example*:: arguspdp_endpoint=https://somehost.somedomain:8152/authz .. _reference_arex_ws_argus_arguspdp_profile: arguspdp_profile ~~~~~~~~~~~~~~~~ *Synopsis:* ``arguspdp_profile = profile_name`` *Description:* Defines which communication profile to use while communicating with the Argus PDP service. Possible values for profile_name are: subject - pass only the subject name of the client; emi - the ARC native profile developed in the EMI project (the default). *Allowed values:* ``subject``, ``emi`` *Default:* ``emi`` *Example*:: arguspdp_profile=emi .. warning:: CHANGE: modified parameter values: remove cream (or at least hide from the ``arc.conf``.reference) .. _reference_arex_ws_argus_arguspdp_accpetnotapplicable: arguspdp_acceptnotapplicable ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``arguspdp_acceptnotapplicable = yes/no`` *Description:* Specifies whether the ``NotApplicable`` decision returned by the Argus PDP service is treated as a reason to deny the request. Default is 'no', which treats ``NotApplicable`` as a reason to deny the request. *Allowed values:* ``yes``, ``no`` *Default:* ``no`` *Example*:: arguspdp_acceptnotapplicable=no .. _reference_arex_jura: [arex/jura] block ----------------- JURA is the accounting record generating and reporting module of A-REX.
A-REX periodically executes JURA to process the job log files and, based on the accounting target destinations specified in them, JURA creates usage records in the appropriate format and sends the generated records to one or more accounting service destinations. Optionally, the generated accounting records can be archived on the CE. Enable and configure this block if you want to send accounting records to accounting services. Note that a dedicated ``accounting target`` subblock is needed for every accounting destination. The target subblocks are either of type apel or sgas: ``[arex/jura/apel:targetname]`` or ``[arex/jura/sgas:targetname]`` .. warning:: CHANGE: new dedicated block for JURA .. warning:: CHANGE: A-REX should NOT provide the possibility of client-side target selection (in xrsl) any longer! .. _reference_arex_jura_logfile: logfile ~~~~~~~ *Synopsis:* ``logfile = path`` *Description:* (previously jobreport_logfile) The name of the jura logfile. *Default:* ``/var/log/arc/jura.log`` *Example*:: logfile=/var/log/arc/jura.log .. warning:: CHANGE: renamed. .. _reference_arex_jura_loglevel: loglevel ~~~~~~~~ *Synopsis:* ``loglevel = number`` *Description:* Log level for the JURA accounting module. *Allowed values:* ``0``, ``1``, ``2``, ``3``, ``4``, ``5`` *Default:* ``3`` *Example*:: loglevel=3 .. warning:: CHANGE: new parameter! implement it in the code .. _reference_arex_jura_vomsless_vo: vomsless_vo ~~~~~~~~~~~ *Synopsis:* ``vomsless_vo = voname[#voissuer]`` *Description:* This parameter allows the sysadmin to manually assign VOs to jobs that were submitted with ``VOMS-less grid proxies``. voname is the VO name to be used in the generated records (the same as expected in voms-proxy); the optional voissuer value (relevant to SGAS only) is the VOMS server identity (certificate DN). *Default:* ``undefined`` *Example*:: vomsless_vo=atlas vomsless_vo=atlas#/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch .. warning:: CHANGE: new parameter. ..
_reference_arex_jura_vo_group: vo_group ~~~~~~~~ *Synopsis:* ``vo_group = group`` *Description:* Adds an additional VO group attribute to the usage records. *Default:* ``undefined`` *Example*:: vo_group=/atlas/production .. warning:: CHANGE: new parameter .. _reference_arex_jura_urdelivery_keepfailed: urdelivery_keepfailed ~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``urdelivery_keepfailed = days`` *Description:* Specifies for how many days JURA will try to send a record to the destination accounting service before it gives up. Records not successfully sent within this number of days will be deleted from the controldir/logs directory. The deleted records are nevertheless archived if archiving was turned on. This parameter can be overwritten with a target-specific value. *Default:* ``30`` *Example*:: urdelivery_keepfailed=30 .. warning:: CHANGE: new parameter. .. _reference_arex_jura_urdelivery_frequency: urdelivery_frequency ~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``urdelivery_frequency = seconds`` *Description:* (previously jobreport_period) Specifies the frequency of message publishing: how often the JURA process is started by A-REX. *Default:* ``3600`` *Example*:: urdelivery_frequency=3600 .. warning:: CHANGE: renamed .. _reference_arex_jura_x509_host_key: x509_host_key ~~~~~~~~~~~~~ *Synopsis:* ``x509_host_key = path`` *Description:* Optional parameter to overwrite ``[common]`` block values. *Default:* ``$VAR{[common]x509_host_key}`` *Example*:: x509_host_key=/etc/grid-security/hostkey.pem .. warning:: CHANGE: new parameter in this block .. _reference_arex_jura_x509_host_cert: x509_host_cert ~~~~~~~~~~~~~~ *Synopsis:* ``x509_host_cert = path`` *Description:* Optional parameter to overwrite ``[common]`` block values. *Default:* ``$VAR{[common]x509_host_cert}`` *Example*:: x509_host_cert=/etc/grid-security/hostcert.pem .. warning:: CHANGE: new parameter in this block ..
_reference_arex_jura_x509_cert_dir: x509_cert_dir ~~~~~~~~~~~~~ *Synopsis:* ``x509_cert_dir = path`` *Description:* Optional parameter to overwrite ``[common]`` block values. *Default:* ``$VAR{[common]x509_cert_dir}`` *Example*:: x509_cert_dir=/etc/grid-security/certificates .. warning:: CHANGE: new parameter in this block .. _reference_arex_jura_archiving: [arex/jura/archiving] block --------------------------- This block enables the archiving functionality of JURA. If archiving is enabled then the generated usage records are stored in the specified archivedir directory on disk using the following file naming convention: ``usagerecord..``. Here Type is one of the supported record formats such as OGFUR or CAR. By default the archiving is turned off. .. warning:: CHANGE: NEW block .. _reference_arex_jura_archiving_archivettl: archivettl ~~~~~~~~~~ *Synopsis:* ``archivettl = days`` *Description:* The archive time to live (ttl) parameter sets the number of days to keep the archive records in the archivedir. If not specified, the records are kept forever. *Default:* ``undefined`` *Example*:: archivettl=365 .. warning:: CHANGE: new parameter. new feature to implement! .. _reference_arex_jura_archiving_archivedir: archivedir ~~~~~~~~~~ *Synopsis:* ``archivedir = path`` *Description:* Sets the directory path for the archived usage records. If archiving is turned on, then the generated usage records are stored in this directory using the following file naming convention: ``usagerecord..``. Here Type is one of the supported record formats such as OGFUR or CAR. *Default:* ``/var/spool/arc/jura/archive`` .. warning:: TODO: create the directory *Example*:: archivedir=/var/spool/arc/jura/archive .. warning:: CHANGE: NEW ..
_reference_arex_jura_sgas: [arex/jura/sgas:targetname] block --------------------------------- An SGAS sub-block of ``[arex/jura]`` enables and configures an SGAS accounting server as a target destination to which JURA will send properly formatted usage records. The ``[arex/jura]`` config values are applicable for every target sub-block but can also be overwritten. You need to define a separate block with a unique targetname for every SGAS target server. .. warning:: CHANGE: new dedicated sub-blocks for SGAS JURA targets .. _reference_arex_jura_sgas_targeturl: targeturl ~~~~~~~~~ *Synopsis:* ``*targeturl = url`` *Description:* The service endpoint URL of the SGAS server. *Default:* ``undefined`` *Example*:: targeturl=https://grid.uio.no:8001/logger .. warning:: CHANGE: new parameter .. _reference_arex_jura_sgas_localid_prefix: localid_prefix ~~~~~~~~~~~~~~ *Synopsis:* ``localid_prefix = prefix_string`` *Description:* Sets a prefix value for the LocalJobID ur parameter for the SGAS usage records. *Default:* ``undefined`` *Example*:: localid_prefix=some_text_for_SGAS .. warning:: CHANGE: new parameter .. _reference_arex_jura_sgas_vofilter: vofilter ~~~~~~~~ *Synopsis:* ``vofilter = vo`` *Description:* Configures a job record filtering mechanism based on the VO attribute of the jobs. Only matching job records, i.e. those belonging to one of the VOs set here, will be sent to the target accounting service. This option is **multivalued**. *Default:* ``undefined`` *Example*:: vofilter=atlas vofilter=fgi.csc.fi .. warning:: CHANGE: new parameter .. _reference_arex_jura_sgas_urbatchsize: urbatchsize ~~~~~~~~~~~ *Synopsis:* ``urbatchsize = number`` *Description:* JURA sends usage records not one-by-one, but in batches. This option sets the size of a batch. A zero value means unlimited batch size. This option can also be set in the sgas/apel target blocks to overwrite the common value. *Default:* ``50`` *Example*:: urbatchsize=80 .. warning:: CHANGE: new parameter. ..
_reference_arex_jura_apel: [arex/jura/apel:targetname] block --------------------------------- An APEL sub-block of ``[arex/jura]`` enables and configures an APEL accounting server as a target destination to which JURA will send properly formatted usage records. The ``[arex/jura]`` config values are applicable for every target sub-block but can also be overwritten. You need to define a separate block with a unique targetname for every APEL target server. .. warning:: CHANGE: new dedicated sub-blocks for APEL JURA targets .. _reference_arex_jura_apel_targeturl: targeturl ~~~~~~~~~ *Synopsis:* ``*targeturl = url`` *Description:* The service endpoint URL of the APEL accounting server. *Default:* ``undefined`` *Example*:: targeturl=https://mq.cro-ngi.hr:6162 .. warning:: CHANGE: new parameter .. _reference_arex_jura_apel_topic: topic ~~~~~ *Synopsis:* ``topic = topic_name`` *Description:* Sets the name of the APEL topic to which JURA will publish the accounting records. *Default:* ``/queue/global.accounting.cpu.central`` *Example*:: topic=/queue/global.accounting.test.cpu.central .. warning:: CHANGE: new parameter. .. _reference_arex_jura_apel_gocdb_name: gocdb_name ~~~~~~~~~~ *Synopsis:* ``*gocdb_name = name`` *Description:* Can be used to specify the GOCDB name of the resource. This value appears as the Site attribute in the generated APEL record. *Default:* ``undefined`` *Example*:: gocdb_name=GRID_UIO_NO .. warning:: CHANGE: new parameter. .. _reference_arex_jura_apel_benchmark_type: benchmark_type ~~~~~~~~~~~~~~ *Synopsis:* ``benchmark_type = type`` *Description:* Type of benchmark (Si2k, Sf2k, HEPSPEC) to be reported in every UR. *Default:* ``undefined`` *Example*:: benchmark_type=HEPSPEC .. warning:: CHANGE: new parameter .. _reference_arex_jura_apel_benchmark_value: benchmark_value ~~~~~~~~~~~~~~~ *Synopsis:* ``benchmark_value = number`` *Description:* The value of the benchmark to be reported in every UR.
*Default:* ``undefined`` *Example*:: benchmark_value=2.4 .. warning:: CHANGE: new parameter .. _reference_arex_jura_apel_benchmark_description: benchmark_description ~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``benchmark_description = string`` *Description:* Additional description for the benchmark to be reported in every UR. *Default:* ``undefined`` *Example*:: benchmark_description=some description for benchmark .. warning:: CHANGE: new parameter .. _reference_arex_jura_apel_use_ssl: use_ssl ~~~~~~~ *Synopsis:* ``use_ssl = yes/no`` *Description:* Turns on/off ssl for the SSM communication with the APEL server. *Allowed values:* ``yes``, ``no`` *Default:* ``no`` *Example*:: use_ssl=yes .. warning:: CHANGE: new parameter .. _reference_arex_jura_apel_vofilter: vofilter ~~~~~~~~ *Synopsis:* ``vofilter = vo`` *Description:* Configures a job record filtering mechanism based on the VO attribute of the jobs. Only matching job records, i.e. those belonging to one of the VOs set here, will be sent to the target accounting service. This option is **multivalued**. *Default:* ``undefined`` *Example*:: vofilter=atlas vofilter=fgi.csc.fi .. warning:: CHANGE: new parameter .. _reference_arex_jura_apel_urbatchsize: urbatchsize ~~~~~~~~~~~ *Synopsis:* ``urbatchsize = number`` *Description:* JURA sends usage records not one-by-one, but in batches. This option sets the size of a batch. A zero value means unlimited batch size. This option can also be set in the sgas/apel target blocks to overwrite the common value. *Default:* ``1000`` *Example*:: urbatchsize=1000 .. warning:: CHANGE: new parameter. new default. .. _reference_arex_ganglia: [arex/ganglia] block -------------------- This block enables the monitoring of ARC-specific metrics through an existing ganglia installation. Earlier versions (ARC < 6.0) relied only on the standalone tool gangliarc. Ganglia is now integrated into ARC to extract job metrics. Ganglia for system metrics is run as a separate gangliarc instance. ..
warning:: CHANGE: RENAMED block .. _reference_arex_ganglia_gmetric_bin_path: gmetric_bin_path ~~~~~~~~~~~~~~~~ *Synopsis:* ``gmetric_bin_path = path`` *Description:* (previously gmetric_exec) The path to the gmetric executable. *Default:* ``/usr/bin/gmetric`` *Example*:: gmetric_bin_path=/usr/local/bin/gmetric .. warning:: CHANGE: Moved from deleted ``[gangliarc]`` block and renamed. Path used in arc-ganglia implementation JobsMetrics.cpp .. _reference_arex_ganglia_logfile: logfile ~~~~~~~ *Synopsis:* ``logfile = path`` *Description:* Log file of the daemon. *Default:* ``/var/log/arc/gangliarc.log`` *Example*:: logfile=/tmp/gangliarc.log .. warning:: TODO: is this needed for the internal ganglia? .. _reference_arex_ganglia_pidfile: pidfile ~~~~~~~ *Synopsis:* ``pidfile = pid`` *Description:* PID file of the daemon. *Default:* ``/var/run/gangliarc.pid`` *Example*:: pidfile=/tmp/gangliarc.pid .. warning:: TODO: it is not a separate service, therefore pid is not there. .. _reference_arex_ganglia_python_bin_path: python_bin_path ~~~~~~~~~~~~~~~ *Synopsis:* ``python_bin_path = path`` *Description:* The path to the python executable. *Default:* ``/usr/bin/python`` *Example*:: python_bin_path=/usr/local/bin/python .. warning:: TODO (Maiken) clarify if this is still needed. .. _reference_arex_ganglia_metrics: metrics ~~~~~~~ *Synopsis:* ``metrics = name_of_the_metrics`` *Description:* The metrics to be monitored.
metrics takes a comma-separated list of one or more of the following metrics: - staging -- number of tasks in different data staging states - cache -- free cache space - session -- free session directory space - heartbeat -- last modification time of A-REX heartbeat - processingjobs -- the number of jobs currently being processed by ARC (jobs between PREPARING and FINISHING states) - failedjobs -- the number of failed jobs per last 100 finished - jobstates -- number of jobs in different A-REX internal stages - all -- all of the above metrics *Default:* ``all`` *Allowed values:* ``staging``, ``cache``, ``session``, ``heartbeat``, ``processingjobs``, ``failedjobs``, ``jobstates``, ``all`` *Example*:: metrics=all .. warning:: TODO: which metrics are used by the internal ganglia? .. _reference_arex_ganglia_frequency: frequency ~~~~~~~~~ *Synopsis:* ``frequency = seconds`` *Description:* The period between each information gathering cycle, in seconds. *Default:* ``60`` *Example*:: frequency=300 .. warning:: CHANGE: default increased from 20s to one minute .. _reference_gridftpd: [gridftpd] block ---------------- This block enables and configures the gridftp server. The gridftp server is used in two ways in connection with ARC: 1) The server together with its custom jobplugin can be used as a job submission and management interface for an ARC CE. 2) The server with the fileplugin can be used as a very simplistic storage element. This block configures the common server capabilities. To make the gridftp service functional, you need to enable at least one of the plugin subblocks as well. .. _reference_gridftpd_user: user ~~~~ *Synopsis:* ``user = user[:group]`` *Description:* Switch to a non-root user/group after startup. WARNING: Make sure that the certificate files are owned by the user/group specified by this option. *Default:* ``root:root`` *Example*:: user=grid ..
_reference_gridftpd_loglevel: loglevel ~~~~~~~~ *Synopsis:* ``loglevel = level`` *Description:* (previously debug) Sets the log level of the gridftpd daemon, between 0 (FATAL) and 5 (DEBUG). Default is 3 (INFO). *Allowed values:* ``0``, ``1``, ``2``, ``3``, ``4``, ``5`` *Default:* ``3`` *Example*:: loglevel=2 .. warning:: CHANGE: renamed .. _reference_gridftpd_logfile: logfile ~~~~~~~ *Synopsis:* ``logfile = path`` *Description:* Sets the logfile location of the gridftp server. *Default:* ``/var/log/arc/gridftpd.log`` *Example*:: logfile=/var/log/arc/gridftpd.log .. _reference_gridftpd_pidfile: pidfile ~~~~~~~ *Synopsis:* ``pidfile = path`` *Description:* Specifies the location of the file containing the PID of the daemon process. *Default:* ``/var/run/gridftpd.pid`` *Example*:: pidfile=/var/run/gridftpd.pid .. _reference_gridftpd_port: port ~~~~ *Synopsis:* ``port = bindport`` *Description:* Port to listen on. For gridftp-based job submission it is strongly advised to use the default port 2811, because 3rd party clients assume an ARC CE uses that port. *Default:* ``2811`` *Example*:: port=2811 .. _reference_gridftpd_allowencryption: allowencryption ~~~~~~~~~~~~~~~ *Synopsis:* ``allowencryption = yes/no`` *Description:* (previously encryption) Specifies whether data encryption is allowed on client request. Encryption is very heavy, therefore the default is no. *Allowed values:* ``yes``, ``no`` *Default:* ``no`` *Example*:: allowencryption=no .. warning:: CHANGE: RENAMED as allowencryption .. _reference_gridftpd_allowactivedata: allowactivedata ~~~~~~~~~~~~~~~ *Synopsis:* ``allowactivedata = yes/no`` *Description:* If no, only passive data transfer is allowed. By default both passive and active data transfers are allowed. *Default:* ``yes`` *Example*:: allowactivedata=yes .. _reference_gridftpd_maxconnections: maxconnections ~~~~~~~~~~~~~~ *Synopsis:* ``maxconnections = number`` *Description:* The maximum number of connections accepted by a gridftpd server. *Default:* ``100`` *Example*:: maxconnections=200 ..
_reference_gridftpd_defaultbuffer: defaultbuffer ~~~~~~~~~~~~~ *Synopsis:* ``defaultbuffer = size`` *Description:* Defines the size of each buffer for data reading/writing. The actual value may decrease if the cumulative size of all buffers exceeds the value specified by maxbuffer. *Default:* ``65536`` *Example*:: defaultbuffer=65536 .. _reference_gridftpd_maxbuffer: maxbuffer ~~~~~~~~~ *Synopsis:* ``maxbuffer = size`` *Description:* Defines the maximal amount of memory in bytes to be allocated for all data reading/writing buffers. Default is 640kB. The number of buffers is (max {3, min {41, 2P + 1}}), where P is the parallelism level requested by the client. Hence, even without parallel streams enabled, the number of buffers will be 3. *Default:* ``655360`` *Example*:: maxbuffer=655360 .. _reference_gridftpd_globus_tcp_port_range: globus_tcp_port_range ~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``globus_tcp_port_range = port_range`` *Description:* In a firewalled environment the software which uses GSI needs to know what ports are available. If not set, a random port is selected. These variables are similar to the Globus environment variables: GLOBUS_TCP_PORT_RANGE and GLOBUS_UDP_PORT_RANGE. *Default:* ``9000,9300`` *Example*:: globus_tcp_port_range=9000,12000 .. _reference_gridftpd_globus_udp_port_range: globus_udp_port_range ~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``globus_udp_port_range = port_range`` *Description:* In a firewalled environment the software which uses GSI needs to know what ports are available. If not set, a random port is selected. These variables are similar to the Globus environment variables: GLOBUS_TCP_PORT_RANGE and GLOBUS_UDP_PORT_RANGE. *Default:* ``9000,9300`` *Example*:: globus_udp_port_range=9000,12000 .. _reference_gridftpd_firewall: firewall ~~~~~~~~ *Synopsis:* ``firewall = hostname`` *Description:* The hostname or IP address to use in response to the PASV command instead of the IP address of a network interface of the computer.
*Default:* ``undefined`` *Example*:: firewall=my.host.org .. _reference_gridftpd_x509_host_key: x509_host_key ~~~~~~~~~~~~~ *Synopsis:* ``x509_host_key = path`` *Description:* Optional parameter to overwrite ``[common]`` block values. *Default:* ``$VAR{[common]x509_host_key}`` *Example*:: x509_host_key=/etc/grid-security/hostkey.pem .. warning:: CHANGE: renamed .. _reference_gridftpd_x509_host_cert: x509_host_cert ~~~~~~~~~~~~~~ *Synopsis:* ``x509_host_cert = path`` *Description:* Optional parameter to overwrite ``[common]`` block values. *Default:* ``$VAR{[common]x509_host_cert}`` *Example*:: x509_host_cert=/etc/grid-security/hostcert.pem .. warning:: CHANGE: renamed .. _reference_gridftpd_x509_cert_dir: x509_cert_dir ~~~~~~~~~~~~~ *Synopsis:* ``x509_cert_dir = path`` *Description:* Optional parameter to overwrite ``[common]`` block values. *Default:* ``$VAR{[common]x509_cert_dir}`` *Example*:: x509_cert_dir=/etc/grid-security/certificates .. _reference_gridftpd_jobs: [gridftpd/jobs] block --------------------- The jobplugin of the gridftp server implements a custom job management and submission interface of the ARC CE. This subblock enables and configures that interface. Consult the Technical Reference within the ARC sysadmin guide for the interface specification. Comment out this subblock if you don't want a gridftp-based job interface. .. _reference_gridftpd_jobs_allownew: allownew ~~~~~~~~ *Synopsis:* ``allownew = yes/no`` *Description:* This parameter sets whether the ARC CE accepts submission of new jobs via the gridftp interface. This parameter can be used to close down the ARC CE. *Allowed values:* ``yes``, ``no`` *Default:* ``yes`` *Example*:: allownew=yes .. _reference_gridftpd_jobs_allownew_override: allownew_override ~~~~~~~~~~~~~~~~~ *Synopsis:* ``allownew_override = [authgroup ...]`` *Description:* (previously allowsubmit) Defines which authorization groups are allowed to submit new jobs via the gridftp interface when the CE is closed with allownew=no.
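The combined effect of ``allownew`` and ``allownew_override`` can be sketched as follows (illustrative pseudo-logic only, not the actual gridftpd implementation; the helper name is made up for this example):

```python
def submission_allowed(allownew: bool, override_groups: set, user_groups: set) -> bool:
    """Sketch of the allownew/allownew_override gating (not ARC code)."""
    if allownew:
        # CE is open: any otherwise-authorized user may submit.
        return True
    # CE is closed (allownew=no): only members of an authgroup listed
    # in allownew_override may still submit new jobs.
    return bool(override_groups & user_groups)

# CE closed, but 'biousers' is listed in allownew_override:
print(submission_allowed(False, {"biousers", "atlasusers"}, {"biousers"}))  # True
print(submission_allowed(False, {"biousers"}, {"otherusers"}))              # False
```

Note that the override set only matters in the closed state, mirroring the requirement above that allownew=no be set for allownew_override to take effect.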
Note that it requires allownew=no to be set. This option is **multivalued**. *Default:* ``undefined`` *Example*:: allownew_override=biousers atlasusers allownew_override=yourauthgroup .. warning:: CHANGE: rename. modify behaviour: possible to specify several groups on a single line! .. _reference_gridftpd_jobs_allowaccess: allowaccess ~~~~~~~~~~~ *Synopsis:* ``allowaccess = authgroup [authgroup ...]`` *Description:* (previously groupcfg) Specifies authorization groups that are allowed to access the gridftp-based job submission interface. If this parameter is not set, then no additional restrictions are applied for authorizing user access. The matching group is also used for evaluating VOMS attributes representing the user. .. warning:: TODO: check what happens if no gridmapfile used with empty value *Default:* ``undefined`` *Example*:: allowaccess=biousers atlasusers .. warning:: CHANGE: renamed .. _reference_gridftpd_jobs_maxjobdesc: maxjobdesc ~~~~~~~~~~ *Synopsis:* ``maxjobdesc = size`` *Description:* Specifies the maximal allowed size of the job description in bytes. The default value is 5MB. Use 0 to set unlimited size. *Default:* ``5242880`` *Example*:: maxjobdesc=0 .. _reference_gridftpd_filedir: [gridftpd/filedir] block ------------------------ The fileplugin module of the gridftp server can be used to set up a simplistic grid storage element (SE). This subblock enables and configures such an SE by ``exporting`` a directory using the gridftpd's fileplugin. Comment out this block if you don't need an SE. .. _reference_gridftpd_filedir_path: path ~~~~ *Synopsis:* ``*path = virtdir`` *Description:* The name of the virtual directory served by the gridftp server. The exported storage area is accessible as ``gsiftp://my_server/virtdir``. Even ``/`` is a valid choice. *Default:* ``undefined`` *Example*:: path=/topdir ..
_reference_gridftpd_filedir_mount: mount ~~~~~ *Synopsis:* ``*mount = path`` *Description:* The physical directory corresponding to the virtual one: gsiftp://my_server/virtdir will give access to this location. *Default:* ``undefined`` *Example*:: mount=/scratch/grid .. _reference_gridftpd_filedir_allowaccess: allowaccess ~~~~~~~~~~~ *Synopsis:* ``allowaccess = authgroup [authgroup ...]`` *Description:* (previously groupcfg) Specifies authorization groups that are allowed to access this gridftp-based storage interface. If this parameter is not set, then no additional restrictions are applied for authorizing user access. *Default:* ``undefined`` *Example*:: allowaccess=biousers atlasusers .. warning:: CHANGE: renamed .. _reference_gridftpd_filedir_dir: dir ~~~ *Synopsis:* ``dir = path options`` *Description:* Specifies access rules for accessing files in ``path`` (relative to virtual and real path) and all the files and directories below. Available permission check ``options`` are: nouser - do not use local file system rights, only use those specified on this line; owner - check only file owner access rights; group - check only group access rights; other - check only ``others`` access rights. If none of the above is specified, the usual unix access rights are applied. Available permission enforcement ``options`` are: read - allow reading files; delete - allow deleting files; append - allow appending files (does not allow creation); overwrite - allow overwriting already existing files (does not allow creation, file attributes are not changed); dirlist - allow obtaining the list of files; cd - allow making this directory the current one; create owner:group permissions_or:permissions_and - allow creating new files. The file will be owned by ``owner`` and the owning group will be ``group``. If ``*`` is used, the user/group to which the connected user is mapped will be used. The permissions will be set to ``permissions_or & permissions_and`` (the second number is reserved for future use).
mkdir owner:group permissions_or:permissions_and
  allow creating new directories.

The example below shows setting permissions on the mounted ``/`` directory and adjusting permissions on the ``/section1`` and ``/section2`` subdirectories. This option is **multivalued**.

*Default:* ``undefined``

.. warning:: TODO: check behaviour when this option is missing and user is mapped to root. (what is the default user mapping for file-plugin?)

*Example*::

  dir=/ nouser read cd dirlist delete create *:* 664:664 mkdir *:* 775:775
  dir=/section1 nouser read mkdir *:* 700:700 cd dirlist
  dir=/section2 nouser read mkdir *:* 700:700 cd dirlist

.. _reference_infosys:

[infosys] block
---------------

This block enables and configures the core part of the information system. It enables the information collection to be used by other ARC components, including interfaces. Parameters in this block apply to all the infosys subsystems.

.. _reference_infosys_logfile:

logfile
~~~~~~~

*Synopsis:* ``logfile = path``

*Description:* (previously providerlog) Specifies the log file location for the information provider scripts.

*Default:* ``/var/log/arc/infoprovider.log``

*Example*::

  logfile=/var/log/arc/infoprovider.log

.. warning:: CHANGE: renamed

.. _reference_infosys_loglevel:

loglevel
~~~~~~~~

*Synopsis:* ``loglevel = number``

*Description:* (previously provider_loglevel) The loglevel for the infoprovider scripts (0-5). The infosys default is 1 (critical errors are logged). Each value corresponds to the following verbosity levels: FATAL => 0, ERROR => 1, WARNING => 2, INFO => 3, VERBOSE => 4, DEBUG => 5

*Allowed values:* ``0``, ``1``, ``2``, ``3``, ``4``, ``5``

*Default:* ``1``

*Example*::

  loglevel=3

.. warning:: CHANGE: renamed

.. _reference_infosys_validity_ttl:

validity_ttl
~~~~~~~~~~~~

*Synopsis:* ``validity_ttl = seconds``

*Description:* The published infosys records advertise their validity, i.e. how long the info should be considered up-to-date by the clients.
Use this parameter to set the published validity value.

.. note:: different schemas may render this information differently.

*Default:* ``10800``

*Example*::

  validity_ttl=10800

.. _reference_infosys_ldap:

[infosys/ldap] block
--------------------

This infosys subblock enables and configures the LDAP hosting service for the infosys functionality. Using an LDAP server with some schema is one way to publish information about your Computing Element. Comment out this block if you don't want to run an LDAP-based information system.

.. warning:: CHANGE: new block

.. _reference_infosys_ldap_hostname:

hostname
~~~~~~~~

*Synopsis:* ``hostname = FQDN``

*Description:* The hostname of the machine running the slapd service; this will be the bind address for slapd. If not set, it is taken from the ``[common]`` block.

*Default:* ``$VAR{[common]hostname}``

*Example*::

  hostname=my.testbox

.. _reference_infosys_ldap_slapd_hostnamebind:

slapd_hostnamebind
~~~~~~~~~~~~~~~~~~

*Synopsis:* ``slapd_hostnamebind = string``

*Description:* May be used to set the hostname part of the network interface to which the slapd process will bind. In most cases there is no need to set it, since the hostname parameter is already sufficient. The example below binds the slapd process to all the network interfaces available on the server.

*Default:* ``undefined``

*Example*::

  slapd_hostnamebind=*

.. _reference_infosys_ldap_port:

port
~~~~

*Synopsis:* ``port = port_number``

*Description:* The port on which the slapd service runs. The default infosys port is assumed to be 2135 by many clients, therefore think twice before you change it, because 3rd party clients assume 2135 to be the LDAP infosys port.

*Default:* ``2135``

*Example*::

  port=2135

.. _reference_infosys_ldap_user:

user
~~~~

*Synopsis:* ``user = unix_user``

*Description:* Overwrites the unix user running the slapd. By default the startup scripts search for well-known LDAP users such as ``ldap`` or ``openldap``, then fall back to ``root`` if none is found.
*Default:* ``undefined``

*Example*::

  user=slapd

.. warning:: CHANGE: moved here from ``[infosys]``

.. _reference_infosys_ldap_slapd:

slapd
~~~~~

*Synopsis:* ``slapd = path``

*Description:* Explicitly defines the path to the slapd command. By default the startup scripts search for the ``slapd`` binary in the system PATH.

*Default:* ``undefined``

*Example*::

  slapd=/usr/sbin/slapd

.. _reference_infosys_ldap_slapd_loglevel:

slapd_loglevel
~~~~~~~~~~~~~~

*Synopsis:* ``slapd_loglevel = number``

*Description:* Sets the native slapd loglevel (see man slapd). Slapd logs via syslog. The default is no logging (0) and it is RECOMMENDED not to change it in a production environment: a non-zero slapd_loglevel value causes a serious performance decrease.

*Default:* ``0``

*Example*::

  slapd_loglevel=0

.. _reference_infosys_ldap_threads:

threads
~~~~~~~

*Synopsis:* ``threads = number``

*Description:* The native slapd threads parameter, default is 32.

*Default:* ``32``

*Example*::

  threads=128

.. _reference_infosys_ldap_timelimit:

timelimit
~~~~~~~~~

*Synopsis:* ``timelimit = seconds``

*Description:* The native slapd timelimit parameter: the maximum number of seconds the slapd server will spend answering a search request. The default is 3600; you probably want a much lower value.

*Default:* ``3600``

*Example*::

  timelimit=1800

.. _reference_infosys_ldap_idletimeout:

idletimeout
~~~~~~~~~~~

*Synopsis:* ``idletimeout = seconds``

*Description:* The native slapd idletimeout parameter: the maximum number of seconds the slapd server will wait before forcibly closing idle client connections. Its value must be larger than the value of the ``timelimit`` option. If not set, it defaults to timelimit + 1.

*Default:* ``$EVAL{$VAR{timelimit} + 1}``

*Example*::

  idletimeout=1801

..
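Pulling the slapd-related options together, a minimal ``[infosys/ldap]`` block could look like the sketch below. This is only an illustration: all values shown are examples, and in most deployments the defaults are sufficient, so the bare block header alone is often enough::

  [infosys/ldap]
  hostname=my.testbox
  port=2135
  user=ldap
  slapd_loglevel=0
  threads=64
  timelimit=1800
  idletimeout=1801

Note that ``idletimeout`` is kept larger than ``timelimit``, as required by the option descriptions above.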
_reference_infosys_ldap_infosys_ldap_run_dir:

infosys_ldap_run_dir
~~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``infosys_ldap_run_dir = path``

*Description:* The location where the NorduGrid/GLUE2 LDAP ldif file will be generated, and where the fifo used to sync between the infoproviders and BDII will be created.

*Default:* ``/var/run/arc/infosys/``

*Example*::

  infosys_ldap_run_dir=/var/run/arc/infosys/

.. _reference_infosys_ldap_ldap_schema_dir:

ldap_schema_dir
~~~~~~~~~~~~~~~

*Synopsis:* ``ldap_schema_dir = path``

*Description:* Allows one to explicitly specify an additional path to the schema files. Note that this doesn't override the standard locations /etc/ldap and /etc/openldap but adds the specified path to them. Normally the standard schema file locations are sufficient, so there is no need to set this parameter.

*Default:* ``undefined``

*Example*::

  ldap_schema_dir=/nfs/ldap/schema/

The following options configure the third-party BDII LDAP parameters. In 99% of cases there is no need to change anything and the defaults can be used. These variables are usually set automatically by ARC and are here mostly for debug purposes and to tweak exotic BDII installations.

.. _reference_infosys_ldap_bdii_debug_level:

bdii_debug_level
~~~~~~~~~~~~~~~~

*Synopsis:* ``bdii_debug_level = level``

*Description:* Set this parameter to DEBUG to check BDII errors in bdii-update.log while keeping slapd logging disabled, thus avoiding the performance penalty of slapd logs.

*Default:* ``WARNING``

*Example*::

  bdii_debug_level=ERROR

.. _reference_infosys_ldap_bdii_provider_timeout:

bdii_provider_timeout
~~~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``bdii_provider_timeout = seconds``

*Description:* (previously provider_timeout in bdii block) This variable allows a system administrator to modify the behaviour of bdii-update. This is the time BDII waits for the bdii provider scripts generated by the A-REX infosys to produce their output.

*Default:* ``10800``

*Example*::

  bdii_provider_timeout=10800

..
warning:: CHANGE: renamed

BDII5 uses these variables. These might change depending on the BDII version. ARC sets them by inspecting the distributed BDII configuration files.

.. warning:: DO NOT CHANGE THEM UNLESS YOU KNOW WHAT YOU'RE DOING

.. _reference_infosys_ldap_bdii_location:

bdii_location
~~~~~~~~~~~~~

*Synopsis:* ``bdii_location = path``

*Description:* The installation directory for the BDII.

*Default:* ``/usr``

*Example*::

  bdii_location=/usr

.. _reference_infosys_ldap_bdii_run_dir:

bdii_run_dir
~~~~~~~~~~~~

*Synopsis:* ``bdii_run_dir = path``

*Description:* Contains the BDII pid files and slapd pid files.

*Default:* ``/var/run/arc/bdii``

*Example*::

  bdii_run_dir=/var/run/arc/bdii

.. _reference_infosys_ldap_bdii_log_dir:

bdii_log_dir
~~~~~~~~~~~~

*Synopsis:* ``bdii_log_dir = path``

*Description:* Contains the infosys logs.

*Default:* ``/var/log/arc/bdii``

*Example*::

  bdii_log_dir=/var/log/arc/bdii

.. _reference_infosys_ldap_bdii_tmp_dir:

bdii_tmp_dir
~~~~~~~~~~~~

*Synopsis:* ``bdii_tmp_dir = path``

*Description:* Contains the provider scripts.

*Default:* ``/var/tmp/arc/bdii``

*Example*::

  bdii_tmp_dir=/var/tmp/arc/bdii

.. _reference_infosys_ldap_bdii_var_dir:

bdii_var_dir
~~~~~~~~~~~~

*Synopsis:* ``bdii_var_dir = path``

*Description:* Contains the slapd databases.

*Default:* ``/var/lib/arc/bdii``

*Example*::

  bdii_var_dir=/var/lib/arc/bdii

.. _reference_infosys_ldap_bdii_update_pid_file:

bdii_update_pid_file
~~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``bdii_update_pid_file = path``

*Description:* Allows one to change the filename and location of the bdii-update pidfile.

*Default:* ``$VAR{bdii_run_dir}/bdii-update.pid``

*Example*::

  bdii_update_pid_file=/var/run/arc/bdii/bdii-update.pid

.. _reference_infosys_ldap_bdii_database:

bdii_database
~~~~~~~~~~~~~

*Synopsis:* ``bdii_database = backend_type``

*Description:* Configures which LDAP database backend should be used.

*Default:* ``hdb``

*Example*::

  bdii_database=hdb

..
_reference_infosys_ldap_bdii_conf: bdii_conf ~~~~~~~~~ *Synopsis:* ``bdii_conf = path`` *Description:* Location of the bdii config file generated by ARC. *Default:* ``$VAR{[infosys/ldap]infosys_ldap_run_dir}/bdii.conf`` *Example*:: bdii_conf=/var/run/arc/infosys/bdii.conf .. _reference_infosys_ldap_bdii_update_cmd: bdii_update_cmd ~~~~~~~~~~~~~~~ *Synopsis:* ``bdii_update_cmd = path`` *Description:* path to bdii-update script *Default:* ``$VAR{bdii_location}/sbin/bdii-update`` *Example*:: bdii_update_cmd=/usr/sbin/bdii-update .. _reference_infosys_ldap_bdii_db_config: bdii_db_config ~~~~~~~~~~~~~~ *Synopsis:* ``bdii_db_config = path`` *Description:* path to slapd database configuration file *Default:* ``/etc/bdii/DB_CONFIG`` *Example*:: bdii_db_config=/etc/bdii/DB_CONFIG .. _reference_infosys_ldap_bdii_archive_size: bdii_archive_size ~~~~~~~~~~~~~~~~~ *Synopsis:* ``bdii_archive_size = number`` *Description:* Sets BDII_ARCHIVE_SIZE in bdii configuration file *Default:* ``0`` *Example*:: bdii_archive_size=0 .. _reference_infosys_ldap_bdii_breathe_time: bdii_breathe_time ~~~~~~~~~~~~~~~~~ *Synopsis:* ``bdii_breathe_time = number`` *Description:* Sets BDII_BREATHE_TIME in bdii configuration file *Default:* ``10`` *Example*:: bdii_breathe_time=10 .. _reference_infosys_ldap_bdii_delete_delay: bdii_delete_delay ~~~~~~~~~~~~~~~~~ *Synopsis:* ``bdii_delete_delay = number`` *Description:* Sets BDII_DELETE_DELAY in bdii configuration file *Default:* ``0`` *Example*:: bdii_delete_delay=0 .. _reference_infosys_ldap_bdii_read_timeout: bdii_read_timeout ~~~~~~~~~~~~~~~~~ *Synopsis:* ``bdii_read_timeout = number`` *Description:* Sets BDII_READ_TIMEOUT in bdii configuration file *Default:* ``$EVAL{$VAR{bdii_provider_timeout} + $VAR{[arex]infoproviders_timelimit} + $VAR{[arex]wakeupperiod}}`` *Example*:: bdii_read_timeout=300 Infosys Schema sub-blocks: The following infosys sub-blocks enable information publishing according to various information schema. 
In order to publish information in a certain schema, the corresponding sub-block must be defined in addition to the schema-neutral ``[infosys/cluster]`` and ``[queue:name]`` blocks! Comment out a specific schema block if you don't want to publish a specific information schema representation. Currently available information model (schema) sub-blocks: ``[infosys/nordugrid]`` - The native ARC info representation of a cluster and its queues ``[infosys/glue2]`` - The GLUE2 information model, both LDAP and XML (the latter is for WS-interface) ``[infosys/glue2/ldap]`` - The LDAP rendering of the GLUE2 model ``[infosys/glue1]`` - The legacy GLUE1 model (only LDAP) ``[infosys/glue1/site-bdii]`` - The site BDII element of the GLUE1 legacy model .. _reference_infosys_nordugrid: [infosys/nordugrid] block ------------------------- Enables the publication of the NorduGrid information model in the LDAP-based infosys. See the NORDUGRID-TECH-4 for schema definition. The configuration block does not contain any parameter. The information tree is populated based on the contents of the schema-neutral ``[infosys/cluster]`` and ``[queue:name]`` blocks. .. warning:: CHANGE: new schema block. should be used to turn on/off nordugrid-ldap publication. .. _reference_infosys_glue2: [infosys/glue2] block --------------------- Enables the publication of the GLUE2 information model both in the LDAP and XML rendering. The information tree is populated based on the contents of the schema-neutral ``[infosys/cluster]`` and ``[queue:name]`` blocks and the GLUE2 specific schema sub-blocks. .. warning:: CHANGE: new schema block. should be used to turn on/off GLUE2 publication (both ldap & xml) AdminDomain entity parameters: admindomain_name = string - The Name attribute for the admindomain. This will show in top-BDII to group the resources belonging to this cluster. To group a bunch of clusters under the same AdminDomain, just use the same name. If not specified, will default to UNDEFINEDVALUE. 
*Default:* ``UNDEFINEDVALUE`` *Example*:: admindomain_name=ARC-TESTDOMAIN .. _reference_infosys_glue2_admindomain_description: admindomain_description ~~~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``admindomain_description = text`` *Description:* The free-form description of this domain. *Default:* ``undefined`` *Example*:: admindomain_description=ARC test Domain .. _reference_infosys_glue2_admindomain_www: admindomain_www ~~~~~~~~~~~~~~~ *Synopsis:* ``admindomain_www = url`` *Description:* The URL pointing at a site holding information about the AdminDomain. *Default:* ``undefined`` *Example*:: admindomain_www=http://www.nordugrid.org/ .. _reference_infosys_glue2_admindomain_distributed: admindomain_distributed ~~~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``admindomain_distributed = yes/no`` *Description:* Set this to yes if the domain is distributed that means, if the resources belonging to the domain are considered geographically distributed. *Allowed values:* ``yes``, ``no`` *Default:* ``no`` *Example*:: admindomain_distributed=yes .. _reference_infosys_glue2_admindomain_owner: admindomain_owner ~~~~~~~~~~~~~~~~~ *Synopsis:* ``admindomain_owner = email`` *Description:* The contact email of a responsible person for the domain *Default:* ``undefined`` *Example*:: admindomain_owner=admin@nordugrid.org .. _reference_infosys_glue2_admindomain_otherinfo: admindomain_otherinfo ~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``admindomain_otherinfo = text`` *Description:* Free-form text that fills the OtherInfo GLUE2 field. no need to set, used only for future development. *Default:* ``undefined`` *Example*:: admindomain_otherinfo=Test Other info ComputingService entity parameters: computingservice_qualitylevel = qlevel - (previously infosys_glue2_service_qualitylevel) Allows a sysadmin to define different GLUE2 QualityLevel values for A-REX. Refer to GLUE2 documentation for the qualitylevel definitions. 
*Allowed values:* ``production``, ``pre-production``, ``testing``, ``development`` *Default:* ``production`` *Example*:: computingservice_qualitylevel=production .. warning:: CHANGE: renamed end of the ``[infosys/glue2]`` schema block ######################## .. _reference_infosys_glue2_ldap: [infosys/glue2/ldap] block -------------------------- Enables the publication of the LDAP-rendering of the GLUE2 infomodel. The information tree is populated based on the contents of the schema-neutral ``[infosys/cluster]`` and ``[queue:name]`` blocks and the GLUE2 specific schema sub-blocks. .. warning:: CHANGE: new schema block. should be used to turn on/off GLUE2 LDAP tree publication. .. _reference_infosys_glue2_ldap_showactivities: showactivities ~~~~~~~~~~~~~~ *Synopsis:* ``showactivities = yes/no`` *Description:* (previously infosys_glue2_ldap_showactivities) Enables GLUE2 ComputingActivities to appear in the LDAP rendering *Allowed values:* ``yes``, ``no`` *Default:* ``no`` *Example*:: showactivities=no .. warning:: CHANGE: renamed. .. _reference_infosys_glue1: [infosys/glue1] block --------------------- This block enables the publication of GLUE1 LDAP representation of a CE. The information tree is populated based on the contents of the schema-neutral ``[infosys/cluster]`` and ``[queue:name]`` blocks and the GLUE1 specific schema sub-blocks. This block holds information that is needed by the glue1, in addition to the schema-neutral blocks. .. warning:: CHANGE: renamed. should be used to turn on/off GLUE1 publication. .. _reference_infosys_glue1_resource_location: resource_location ~~~~~~~~~~~~~~~~~ *Synopsis:* ``resource_location = string`` *Description:* GLUE1 location attribute. IMPORTANT: no slashes or backslashes here! *Default:* ``undefined`` *Example*:: resource_location=Kastrup, Denmark .. _reference_infosys_glue1_resource_latitude: resource_latitude ~~~~~~~~~~~~~~~~~ *Synopsis:* ``resource_latitude = latitude`` *Description:* GLUE1 latitude. 
*Default:* ``undefined`` *Example*:: resource_latitude=55.75000 .. _reference_infosys_glue1_resource_longitude: resource_longitude ~~~~~~~~~~~~~~~~~~ *Synopsis:* ``resource_longitude = longitude`` *Description:* GLUE1 longitude. *Default:* ``undefined`` *Example*:: resource_longitude=12.41670 .. _reference_infosys_glue1_cpu_scaling_reference_si00: cpu_scaling_reference_si00 ~~~~~~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``cpu_scaling_reference_si00 = number`` *Description:* GLUE1 CPU_scaling *Default:* ``undefined`` *Example*:: cpu_scaling_reference_si00=2400 .. _reference_infosys_glue1_processor_other_description: processor_other_description ~~~~~~~~~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``processor_other_description = string`` *Description:* GLUE1 proc description *Default:* ``undefined`` *Example*:: processor_other_description=Cores 3, Benchmark 9.8-HEP-SPEC06 .. _reference_infosys_glue1_glue_site_web: glue_site_web ~~~~~~~~~~~~~ *Synopsis:* ``glue_site_web = url`` *Description:* GLUE1 site web url *Default:* ``undefined`` *Example*:: glue_site_web=http://www.ndgf.org .. _reference_infosys_glue1_glue_site_unique_id: glue_site_unique_id ~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``glue_site_unique_id = siteid`` *Description:* GLUE1 site id *Default:* ``undefined`` *Example*:: glue_site_unique_id=NDGF-T1 .. _reference_infosys_glue1_site-bdii: [infosys/glue1/site-bdii] block ------------------------------- Enable this block ONLY if you want to publish a semi-fake GLUE1 site-bdii as part of the LDAP server. This block is used to configure ARC to generate a semi-fake site-bdii that can be registered in GOCDB. .. warning:: CHANGE: renamed. turn on/off the fake site-bdii based on this block. .. _reference_infosys_glue1_site-bdii_unique_id: unique_id ~~~~~~~~~ *Synopsis:* ``*unique_id = id`` *Description:* The unique id used to identify this site, eg ``NDGF-T1`` *Default:* ``undefined`` *Example*:: unique_id=NDGF-T1 .. 
_reference_infosys_glue1_site-bdii_url:

url
~~~

*Synopsis:* ``*url = url``

*Description:* The URL of the resource BDII underlying the fake site BDII. It has the format: ldap://host.domain:2170/mds-vo-name=something,o=grid.

*Default:* ``undefined``

*Example*::

  url=ldap://host.domain:2170/mds-vo-name=something,o=grid

The information schema-neutral blocks ``[infosys/cluster]`` and ``[queue:name]`` contain attributes that describe the computing cluster together with its queues. The parameters are available for every information model/schema representation.

.. _reference_infosys_cluster:

[infosys/cluster] block
-----------------------

This block describes the cluster characteristics of a Computing Element. The information specified here is mostly used by the Infosys ARC component.

.. _reference_infosys_cluster_alias:

alias
~~~~~

*Synopsis:* ``alias = text``

*Description:* An arbitrary alias name of the cluster, optional.

*Default:* ``undefined``

*Example*::

  alias=Big Blue Cluster in Nowhere

.. _reference_infosys_cluster_hostname:

hostname
~~~~~~~~

*Synopsis:* ``hostname = fqdn``

*Description:* Set the FQDN of the frontend.

*Default:* ``$VAR{[common]hostname}``

*Example*::

  hostname=myhost.org

.. _reference_infosys_cluster_interactive_contactstring:

interactive_contactstring
~~~~~~~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``interactive_contactstring = url``

*Description:* The contact URL for interactive logins; set this if the cluster supports some sort of grid-enabled interactive login (gsi-ssh). This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  interactive_contactstring=gsissh://frontend.cluster:2200

.. _reference_infosys_cluster_comment:

comment
~~~~~~~

*Synopsis:* ``comment = text``

*Description:* Free text field for additional comments on the cluster in a single line; no newline character is allowed!

*Default:* ``undefined``

*Example*::

  comment=This cluster is specially designed for XYZ applications: www.xyz.org

..
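The identification options above are typically the first entries of the schema-neutral cluster description. A minimal sketch (the alias, contact URL and comment below are purely illustrative values, not defaults)::

  [infosys/cluster]
  alias=Big Blue Cluster in Nowhere
  hostname=myhost.org
  interactive_contactstring=gsissh://frontend.cluster:2200
  comment=This cluster is specially designed for XYZ applications: www.xyz.org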
_reference_infosys_cluster_cluster_location:

cluster_location
~~~~~~~~~~~~~~~~

*Synopsis:* ``cluster_location = formatted_string``

*Description:* The geographical location of the cluster, preferably specified as a postal code with a two letter country prefix.

*Default:* ``undefined``

*Example*::

  cluster_location=DK-2100

.. _reference_infosys_cluster_cluster_owner:

cluster_owner
~~~~~~~~~~~~~

*Synopsis:* ``cluster_owner = text``

*Description:* Can be used to indicate the owner of the resource; multiple entries can be used. This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  cluster_owner=World Grid Project
  cluster_owner=University of NeverLand

.. _reference_infosys_cluster_advertisedvo:

advertisedvo
~~~~~~~~~~~~

*Synopsis:* ``advertisedvo = vo_name``

*Description:* (previously authorizedvo) This attribute is used to advertise which VOs are authorized on the cluster. Add only one VO per advertisedvo entry; multiple VOs on the same line will cause errors. These entries will be shown in all GLUE2 AccessPolicy and MappingPolicy objects, that is, they will apply to all Endpoints (Interfaces) and all Shares (currently queues). You can also add additional advertisedvo entries to queues. The information is also published in the NorduGrid schema.

.. note:: it is IMPORTANT to understand that this parameter is NOT enforcing any access control, it is just for information publishing!

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  advertisedvo=atlas
  advertisedvo=community.nordugrid.org

.. warning:: CHANGE: renamed it as advertisedvo

.. _reference_infosys_cluster_clustersupport:

clustersupport
~~~~~~~~~~~~~~

*Synopsis:* ``clustersupport = email``

*Description:* This is the support email address of the resource. This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  clustersupport=arc.support@mysite.org
  clustersupport=arc.support@myproject.org

..
_reference_infosys_cluster_homogeneity:

homogeneity
~~~~~~~~~~~

*Synopsis:* ``homogeneity = True/False``

*Description:* Determines whether the cluster consists of identical NODES with respect to cputype, memory and installed software (opsys). The frontend does NOT need to be homogeneous with the nodes. In case of inhomogeneous nodes, try to arrange the nodes into homogeneous groups assigned to a queue and use queue-level attributes. False may trigger multiple GLUE2 ExecutionEnvironments to be published if applicable.

*Allowed values:* ``True``, ``False``

*Default:* ``True``

*Example*::

  homogeneity=True

.. _reference_infosys_cluster_architecture:

architecture
~~~~~~~~~~~~

*Synopsis:* ``architecture = string``

*Description:* Sets the hardware architecture of the NODES. The ``architecture`` is defined as the output of ``uname -m`` (e.g. i686). Use this cluster attribute only if the NODES are homogeneous with respect to the architecture; otherwise the queue-level attribute may be used for inhomogeneous nodes. If the frontend's architecture matches that of the nodes, ``adotf`` (Automatically Determine On The Frontend) can be used to request automatic determination.

*Default:* ``adotf``

*Example*::

  architecture=adotf

.. _reference_infosys_cluster_opsys:

opsys
~~~~~

*Synopsis:* ``opsys = formatted_string``

*Description:* This multivalued attribute is meant to describe the operating system of the computing NODES. Set it to the opsys distribution of the NODES, not of the frontend! opsys can also be used to describe the kernel or libc version in case those differ from the originally shipped ones. The distribution name should be given as distroname-version.number, where spaces are not allowed. The kernel version should come in the form kernelname-version.number. If the NODES are inhomogeneous with respect to this attribute do NOT set it on cluster level; instead arrange your nodes into homogeneous groups assigned to a queue and use queue-level attributes.
opsys will be used to fill GLUE2 OSName, OSVersion and OSFamily unless these values are explicitly defined. See below for their usage. This option is **multivalued**.

*Default:* ``undefined``

.. warning:: TODO: check if adotf is supported for this parameter. If so, use that as default.

*Example*::

  opsys=Linux-2.6.18
  opsys=glibc-2.5.58
  opsys=CentOS-5.6

.. _reference_infosys_cluster_nodecpu:

nodecpu
~~~~~~~

*Synopsis:* ``nodecpu = formatted_string``

*Description:* This is the cputype of the homogeneous nodes. The string is constructed from /proc/cpuinfo as the value of ``model name``, followed by ``@`` and the value of ``cpu MHz``. Do NOT set this attribute on cluster level if the NODES are inhomogeneous with respect to cputype; instead arrange the nodes into homogeneous groups assigned to a queue and use queue-level attributes. Setting nodecpu=adotf will result in Automatic Determination On The Frontend, which should only be used if the frontend has the same cputype as the homogeneous nodes.

*Default:* ``adotf``

*Example*::

  nodecpu=AMD Duron(tm) Processor @ 700 MHz

.. _reference_infosys_cluster_nodememory:

nodememory
~~~~~~~~~~

*Synopsis:* ``nodememory = number``

*Description:* This is the amount of memory (specified in MB) on the node which can be guaranteed to be available for the application. Please note that in most cases it is less than the physical memory installed in the nodes. Do NOT set this attribute on cluster level if the NODES are inhomogeneous with respect to their memories; instead arrange the nodes into homogeneous groups assigned to a queue and use queue-level attributes.

*Default:* ``undefined``

*Example*::

  nodememory=64000

.. _reference_infosys_cluster_benchmark:

benchmark
~~~~~~~~~

*Synopsis:* ``benchmark = name value``

*Description:* This optional multivalued attribute can be used to specify benchmark results on the cluster level. Use this cluster attribute only if the NODES are homogeneous with respect to the benchmark performance.
Otherwise the similar queue-level attribute should be used. Please try to use standard benchmark names, if possible. This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  benchmark=SPECINT2000 222
  benchmark=SPECFP2000 333

.. _reference_infosys_cluster_middleware:

middleware
~~~~~~~~~~

*Synopsis:* ``middleware = string``

*Description:* This multivalued attribute shows the grid software installed on the cluster. Nordugrid-ARC is set automatically, so there is no need to specify it. This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  middleware=my software

.. _reference_infosys_cluster_nodeaccess:

nodeaccess
~~~~~~~~~~

*Synopsis:* ``nodeaccess = inbound/outbound``

*Description:* Determines how the nodes can connect to the internet. Not setting anything means the nodes sit on a private isolated network. ``outbound`` access means the nodes can connect to the outside world, while ``inbound`` access means the nodes can be connected to from outside. inbound & outbound access together means the nodes sit on a fully open network. This option is **multivalued**.

*Default:* ``undefined``

*Allowed values:* ``inbound``, ``outbound``

*Example*::

  nodeaccess=inbound
  nodeaccess=outbound

.. _reference_infosys_cluster_localse:

localse
~~~~~~~

*Synopsis:* ``localse = url``

*Description:* This multivalued parameter tells the BROKER that certain URLs (and locations below them) should be considered ``locally`` available to the cluster. This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  localse=gsiftp://my.storage/data1/
  localse=gsiftp://my.storage/data2/

..
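For a cluster with identical nodes, the hardware-describing attributes above can all be set at cluster level. A sketch under that homogeneity assumption (all values are illustrative, not recommendations)::

  [infosys/cluster]
  homogeneity=True
  architecture=adotf
  opsys=CentOS-5.6
  nodecpu=adotf
  nodememory=16000
  benchmark=SPECINT2000 222
  nodeaccess=outbound
  localse=gsiftp://my.storage/data1/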
_reference_infosys_cluster_cpudistribution:

cpudistribution
~~~~~~~~~~~~~~~

*Synopsis:* ``cpudistribution = formatted_string``

*Description:* This is the CPU distribution over nodes, given in the form ``ncpu:m`` where:

  ``n`` is the number of CPUs per machine

  ``m`` is the number of such machines

For example, ``1cpu:3,2cpu:4,4cpu:1`` represents a cluster with 3 single-CPU machines, 4 dual-CPU machines and one machine with 4 CPUs.

*Default:* ``undefined``

*Example*::

  cpudistribution=1cpu:3,2cpu:4,4cpu:1

.. _reference_queue:

[queue:name] block
------------------

Each grid-enabled queue on the cluster should be represented and described by a separate queue block. The queue_name should be used as a label in the block name. In case of fork, or other LRMSes without queue names, just use any unique string. A queue can represent a PBS/LSF/SGE/SLURM/LL queue, an SGE pool, a Condor pool or a single machine in case of the 'fork' type of LRMS. This block describes the queue characteristics.

.. _reference_queue_homogeneity:

homogeneity
~~~~~~~~~~~

*Synopsis:* ``homogeneity = True/False``

*Description:* Determines whether the queue consists of identical NODES with respect to cputype, memory and installed software (opsys). In case of inhomogeneous nodes, try to arrange the nodes into homogeneous groups and assign them to separate queues.

*Allowed values:* ``True``, ``False``

*Default:* ``$VAR{[infosys/cluster]homogeneity}``

*Example*::

  homogeneity=True

.. _reference_queue_comment:

comment
~~~~~~~

*Synopsis:* ``comment = text``

*Description:* A free-form text field for additional comments on the queue in a single line; no newline character is allowed!

*Default:* ``undefined``

*Example*::

  comment=This queue is nothing more than a condor pool

..
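As a minimal illustration, a single-machine setup with the 'fork' LRMS needs just one queue block with an arbitrary unique label; the label ``fork`` below is only a convention, not a requirement::

  [queue:fork]
  comment=Single frontend machine, fork LRMS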
_reference_queue_pbs_queue_node: pbs_queue_node ~~~~~~~~~~~~~~ *Synopsis:* ``pbs_queue_node = string`` *Description:* (previously queue_node_string) In PBS you can assign nodes to a queue (or a queue to nodes) by using the ``node property`` mark in PBS config. Essentially, ``pbs_queue_node`` value is used to construct ``nodes=`` string in PBS script, such as ``nodes=count:pbs_queue_node`` where ``count`` is taken from the job description (1 if not specified). This corresponds to setting the following parameter in PBS for this queue:: resources_default.neednodes = cpu_topology[:pbs_queue_node] Setting the ``pbs_queue_node`` changes how the queue-totalcpus, user freecpus are determined for this queue. You shouldn't use this option unless you are sure that your PBS configuration makes use of the above configuration. Read NorduGrid PBS instructions for more information: http://www.nordugrid.org/documents/pbs-config.html *Default:* ``undefined`` *Example*:: pbs_queue_node=gridlong_nodes pbs_queue_node=ppn=4:ib .. warning:: CHANGE: renamed .. _reference_queue_sge_jobopts: sge_jobopts ~~~~~~~~~~~ *Synopsis:* ``sge_jobopts = string`` *Description:* Per-queue override of additional SGE options to be used when submitting jobs to SGE to this queue *Default:* ``undefined`` *Example*:: sge_jobopts=-P atlas -r yes .. _reference_queue_condor_requirements: condor_requirements ~~~~~~~~~~~~~~~~~~~ *Synopsis:* ``condor_requirements = string`` *Description:* It needs to be defined for each Condor queue. Use this option to determine which nodes belong to the current queue. The value of ``condor_requirements`` must be a valid constraints string which is recognized by a ``condor_status -constraint ...`` command. It can reference pre-defined ClassAd attributes (like Memory, Opsys, Arch, HasJava, etc) but also custom ClassAd attributes. 
To define a custom attribute on a Condor node, add two lines like the ones below to the ``$(hostname).local`` config file on the node::

  NORDUGRID_RESOURCE=TRUE
  STARTD_EXPRS = NORDUGRID_RESOURCE, $(STARTD_EXPRS)

A job submitted to this queue is allowed to run on any node which satisfies the ``condor_requirements`` constraint. If ``condor_requirements`` is not set, jobs will be allowed to run on any of the nodes in the pool. When configuring multiple queues, you can differentiate them based on memory size or disk space, for example.

*Default:* ``$VAR{[lrms]condor_requirements}``

*Example*::

  condor_requirements=(OpSys == "linux" && NORDUGRID_RESOURCE && Memory >= 1000 && Memory < 2000)

.. _reference_queue_totalcpus:

totalcpus
~~~~~~~~~

*Synopsis:* ``totalcpus = number``

*Description:* Manually sets the number of CPUs assigned to the queue. There is no need to specify this parameter when the ``pbs_queue_node`` method was used to assign nodes to the queue (in that case the value is dynamically calculated and the static value is overwritten), or when the queue has access to the entire cluster (in that case the cluster-level totalcpus is the relevant parameter).

*Default:* ``undefined``

*Example*::

  totalcpus=32

The queue-level configuration parameters nodecpu, nodememory, architecture, opsys and benchmark should be set if they are homogeneous over the nodes assigned to the queue AND they differ from the cluster-level value. Their meanings are described in the ``[infosys/cluster]`` block. Typical usage: one queue collects nodes with ``nodememory=512`` while another queue has nodes with ``nodememory=256``; in that case don't set the cluster-level attributes but use the queue-level attributes instead. When the frontend's architecture or cputype agrees with that of the queue nodes, the ``adotf`` (Automatically Determine On The Frontend) value can be used to request automatic determination of architecture or nodecpu. For GLUE2, fine-tuned configuration of OSName, OSVersion and OSFamily is possible in a dedicated sub-block.
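As a sketch of such queue-level overrides, a queue of larger-memory nodes could be described as follows (the queue name ``bigmem`` and the memory value are illustrative)::

  [queue:bigmem]
  nodememory=512
  nodecpu=adotf
  architecture=adotf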
.. _reference_queue_nodecpu:

nodecpu
~~~~~~~

*Synopsis:* ``nodecpu = formatted_string``

*Description:* see the description in the ``[infosys/cluster]`` block.

*Default:* ``$VAR{[infosys/cluster]nodecpu}``

*Example*::

  nodecpu=AMD Duron(tm) Processor @ 700 MHz

.. _reference_queue_nodememory:

nodememory
~~~~~~~~~~

*Synopsis:* ``nodememory = number``

*Description:* see the description in the ``[infosys/cluster]`` block.

*Default:* ``$VAR{[infosys/cluster]nodememory}``

*Example*::

  nodememory=512

.. _reference_queue_defaultmemory:

defaultmemory
~~~~~~~~~~~~~

*Synopsis:* ``defaultmemory = number``

*Description:* The LRMS memory request (in MB) to be set by the LRMS backend scripts when a user submits a job without specifying how much memory it needs. The order of precedence is: job description -> ``[lrms]`` defaultmemory -> ``[queue]`` defaultmemory.

*Default:* ``undefined``

*Example*::

  defaultmemory=512

.. warning:: CHANGE: new parameter in this block

.. _reference_queue_architecture:

architecture
~~~~~~~~~~~~

*Synopsis:* ``architecture = string``

*Description:* see the description in the ``[infosys/cluster]`` block.

*Default:* ``$VAR{[infosys/cluster]architecture}``

*Example*::

  architecture=adotf

.. _reference_queue_opsys:

opsys
~~~~~

*Synopsis:* ``opsys = formatted_string``

*Description:* see the description in the ``[infosys/cluster]`` block.

This option is **multivalued**.

*Default:* ``$VAR{[infosys/cluster]opsys}``

*Example*::

  opsys=Linux-2.6.18
  opsys=glibc-2.5.58

.. _reference_queue_osname:

osname
~~~~~~

*Synopsis:* ``osname = string``

*Description:* Only for GLUE2.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  osname=Ubuntu

.. _reference_queue_osversion:

osversion
~~~~~~~~~

*Synopsis:* ``osversion = string``

*Description:* Only for GLUE2.

*Default:* ``undefined``

*Example*::

  osversion=12.04
.. _reference_queue_osfamily:

osfamily
~~~~~~~~

*Synopsis:* ``osfamily = string``

*Description:* Only for GLUE2.

*Default:* ``undefined``

*Example*::

  osfamily=linux

.. _reference_queue_benchmark:

benchmark
~~~~~~~~~

*Synopsis:* ``benchmark = name value``

*Description:* see the description in the ``[infosys/cluster]`` block.

This option is **multivalued**.

*Default:* ``$VAR{[infosys/cluster]benchmark}``

*Example*::

  benchmark=SPECINT2000 222
  benchmark=SPECFP2000 333

.. _reference_queue_allowaccess:

allowaccess
~~~~~~~~~~~

*Synopsis:* ``allowaccess = authgroup [authgroup ...]``

*Description:* Specifies the authorization groups that are allowed to submit jobs to this queue. It does not override the similar parameters specified in the ``[gridftpd/jobs]`` and ``[arex/ws/emies]`` blocks. If this parameter is not set, no additional restrictions are applied to a user's ability to submit jobs to this queue. The matching group from this parameter does not affect which VOMS attributes are selected as representing the user.

*Default:* ``undefined``

*Example*::

  allowaccess=biousers atlasusers

.. warning:: CHANGE: NEW parameter in the ``[queue:name]`` block

.. _reference_queue_advertisedvo:

advertisedvo
~~~~~~~~~~~~

*Synopsis:* ``advertisedvo = vo_name``

*Description:* (previously authorizedvo) This attribute is used to advertise which VOs are authorized on the ``[queue:name]`` of the cluster. Add only one VO per advertisedvo entry; multiple VOs in the same line will cause errors. These entries will be shown in the MappingPolicy objects, that is, they will apply to the Shares that correspond to the queue. The information is also published in the NorduGrid schema.

.. note:: if you have also configured ``advertisedvo`` in the ``[infosys/cluster]`` block, the resulting set of advertised VOs per queue is the union of what is contained in the ``[infosys/cluster]`` block and in this ``[queue:name]`` block!
.. note:: it is IMPORTANT to understand that this parameter does NOT enforce any access control; it is for information publishing only!

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  advertisedvo=atlas
  advertisedvo=community.nordugrid.org

.. warning:: CHANGE: renamed it as advertisedvo

.. _reference_queue_maxslotsperjob:

maxslotsperjob
~~~~~~~~~~~~~~

*Synopsis:* ``maxslotsperjob = number``

*Description:* This GLUE2-specific parameter configures the MaxSlotsPerJob value on a particular queue. This value is usually generated by the LRMS infocollectors, but there are cases in which a system administrator might like to tweak it. The default is to publish what is returned by the LRMS and, if nothing is returned, NOT to publish the MaxSlotsPerJob attribute. If a system administrator sets the value here, that value will be published instead, regardless of what the LRMS returns. Each LRMS might have a different meaning for this value.

*Default:* ``undefined``

*Example*::

  maxslotsperjob=5

.. _reference_queue_forcedefaultvoms:

forcedefaultvoms
~~~~~~~~~~~~~~~~

*Synopsis:* ``forcedefaultvoms = VOMS_FQAN``

*Description:* specifies the VOMS FQAN that will be assigned to a user whose credentials contain no VOMS attributes.

*Default:* ``$VAR{[arex]forcedefaultvoms}``

*Example*::

  forcedefaultvoms=/vo/group/subgroup

.. warning:: CHANGE: documented in ``[queue]`` as described in ``[arex]``

.. warning:: TODO: add Florido's new variables both to the queue and cluster block (maxcputime and maxwalltime)

.. _reference_datadelivery-service:

[datadelivery-service] block
----------------------------

This block configures and enables the data delivery service. This service is intended to off-load data staging from A-REX and is usually deployed on one or more separate machines.
See details at https://wiki.nordugrid.org/wiki/Data_Staging/Multi-host

This service can also act as an independent data transfer service; in that case it would require an intelligent data manager that could replace A-REX's intelligence (see the draft vision document).

.. warning:: TODO: point to the documentation that describes protocol, operations.

.. warning:: CHANGE: NEW block

.. _reference_datadelivery-service_transfer_dir:

transfer_dir
~~~~~~~~~~~~

*Synopsis:* ``*transfer_dir = path``

*Description:* (previously allowed_dir) The directories on the DDS host in which the service is allowed to read and write. When DDS is used as a remote transfer service assisting A-REX, this is usually one or more cache and/or session directories shared as a common mount with A-REX.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  transfer_dir=/shared/arc/cache
  transfer_dir=/shared/arc/session

.. warning:: CHANGE: NEW, also renamed from allowed_dir to work_dir

.. warning:: TODO renamed

.. _reference_datadelivery-service_hostname:

hostname
~~~~~~~~

*Synopsis:* ``hostname = FQDN``

*Description:* The hostname of the machine on which the DDS service runs.

*Default:* ``$EXEC{hostname -f}``

*Example*::

  hostname=localhost

.. warning:: CHANGE: NEW

.. warning:: TODO: got renamed from interface, fix DDS startup script and profile.

.. _reference_datadelivery-service_port:

port
~~~~

*Synopsis:* ``port = port``

*Description:* The port on which the service listens.

*Default:* ``443``

*Example*::

  port=8443

.. warning:: CHANGE: NEW

.. _reference_datadelivery-service_ipversion:

ipversion
~~~~~~~~~

*Synopsis:* ``ipversion = number``

*Description:* The IP version to use.

*Default:* ``4``

*Example*::

  ipversion=6

.. warning:: TODO: Ask Aleksandr if we can have both 4 and 6 together (multivalued)?

.. warning:: CHANGE: NEW
.. _reference_datadelivery-service_pidfile:

pidfile
~~~~~~~

*Synopsis:* ``pidfile = path``

*Description:* The pid file of the daemon.

*Default:* ``/var/run/arc/datadelivery-service.pid``

.. warning:: TODO: changed the pid file name and location!

*Example*::

  pidfile=/tmp/delivery.pid

.. warning:: CHANGE: NEW

.. _reference_datadelivery-service_logfile:

logfile
~~~~~~~

*Synopsis:* ``logfile = path``

*Description:* The log file of the daemon.

*Default:* ``/var/log/arc/datadelivery-service.log``

*Example*::

  logfile=/tmp/delivery.log

.. warning:: CHANGE: NEW

.. _reference_datadelivery-service_loglevel:

loglevel
~~~~~~~~

*Synopsis:* ``loglevel = level``

*Description:* Sets the loglevel of the data delivery service between 0 (FATAL) and 5 (DEBUG). Defaults to 3 (INFO).

*Allowed values:* ``0``, ``1``, ``2``, ``3``, ``4``, ``5``

*Default:* ``3``

*Example*::

  loglevel=4

.. warning:: CHANGE: NEW

.. _reference_datadelivery-service_user:

user
~~~~

*Synopsis:* ``user = username``

*Description:* Overwrites the user under which the service runs. The default is the user starting the service. DDS is very limited if not run as root.

*Default:* ``undefined``

*Example*::

  user=ddsuser

.. warning:: CHANGE: NEW

.. _reference_datadelivery-service_secure:

secure
~~~~~~

*Synopsis:* ``secure = yes/no``

*Description:* Set to ``no`` if the service should run without a host certificate. In this case the corresponding deliveryservice option in the ``[arex/data-staging]`` A-REX configuration block should use http rather than https URLs.

*Allowed values:* ``yes``, ``no``

*Default:* ``yes``

*Example*::

  secure=no

.. warning:: CHANGE: NEW

.. _reference_datadelivery-service_allowed_ip:

allowed_ip
~~~~~~~~~~

*Synopsis:* ``*allowed_ip = ip``

*Description:* An IP address authorized to access the service. Normally this is the A-REX host IP.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  allowed_ip=192.0.2.1

.. warning:: CHANGE: NEW
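Combining the options above, a minimal remote data delivery service configuration might look like the following sketch (the hostname, paths and IP address are illustrative)::

  [datadelivery-service]
  transfer_dir=/shared/arc/cache
  transfer_dir=/shared/arc/session
  hostname=dds.example.org
  port=8443
  allowed_ip=192.0.2.1
  secure=yes

Here ``allowed_ip`` would be the A-REX host that off-loads its transfers to this service, and the ``transfer_dir`` directories are assumed to be shared mounts with that A-REX.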
.. _reference_datadelivery-service_allowed_dn:

allowed_dn
~~~~~~~~~~

*Synopsis:* ``allowed_dn = DN``

*Description:* A DN authorized to access the service. This option restricts access to the specified DNs (of the users who submit jobs to A-REX). It is only effective if secure=yes.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  allowed_dn=/O=Grid/O=Big VO/CN=Main Boss

.. warning:: CHANGE: NEW

.. _reference_datadelivery-service_x509_host_key:

x509_host_key
~~~~~~~~~~~~~

*Synopsis:* ``x509_host_key = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.

*Default:* ``$VAR{[common]x509_host_key}``

*Example*::

  x509_host_key=/etc/grid-security/hostkey.pem

.. warning:: CHANGE: new in this block

.. _reference_datadelivery-service_x509_host_cert:

x509_host_cert
~~~~~~~~~~~~~~

*Synopsis:* ``x509_host_cert = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.

*Default:* ``$VAR{[common]x509_host_cert}``

*Example*::

  x509_host_cert=/etc/grid-security/hostcert.pem

.. warning:: CHANGE: new in this block

.. _reference_datadelivery-service_x509_cert_dir:

x509_cert_dir
~~~~~~~~~~~~~

*Synopsis:* ``x509_cert_dir = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.

*Default:* ``$VAR{[common]x509_cert_dir}``

*Example*::

  x509_cert_dir=/etc/grid-security/certificates

.. warning:: CHANGE: new in this block

.. _reference_acix-scanner:

[acix-scanner] block
--------------------

The ARC Cache Index (ACIX) is a distributed system that maintains a catalog of locations of cached files stored in various A-REX caches. ACIX consists of two components: the Cache Scanner (on the CEs) and the Index Server. This config block enables and configures the cache scanner component of ACIX. The scanning component of ACIX is a separate service that runs alongside A-REX/DDS; all it needs from the A-REX/DDS service is the location of the cache.
The acix-scanner periodically scans the cache directories and composes a Bloom filter of the A-REX cache content, which can be pulled via its public interface. In the current deployment the ACIX index services are the main consumers of the collected information.

.. warning:: CHANGE: renamed block, renamed component (cache scanner, instead of cacheserver)

.. _reference_acix-scanner_cachedir:

cachedir
~~~~~~~~

*Synopsis:* ``cachedir = cache_path``

*Description:* Specifies the cache directory to be scanned in case it is not set in the ``[arex/cache]`` block (e.g. the scanner is running on a different machine than A-REX).

This option is **multivalued**.

*Default:* ``$VAR{[arex/cache]cachedir}``

*Example*::

  cachedir=/scratch/cache
  cachedir=/fs1/cache drain

.. _reference_acix-scanner_logfile:

logfile
~~~~~~~

*Synopsis:* ``logfile = path``

*Description:* Log file location for the acix-scanner.

*Default:* ``/var/log/arc/arc-acix-scanner.log``

*Example*::

  logfile=/tmp/arc-acix-scanner.log

.. warning:: CHANGE: modified default for the logfile

.. warning:: TODO: changed logfile name

.. _reference_acix-scanner_hostname:

hostname
~~~~~~~~

*Synopsis:* ``hostname = string``

*Description:* The hostname on which the acix-scanner listens.

*Default:* ``$EXEC{hostname -f}``

*Example*::

  hostname=myhost.org

.. _reference_acix-scanner_port:

port
~~~~

*Synopsis:* ``port = port``

*Description:* The port on which the acix-scanner service listens.

*Default:* ``5443``

*Example*::

  port=6000

.. _reference_acix-scanner_cachedump:

cachedump
~~~~~~~~~

*Synopsis:* ``cachedump = yes/no``

*Description:* Whether to make a dump of the list of files in the cache at $TMP/ARC-ACIX/timestamp each time the acix-scanner runs.

*Default:* ``no``

*Allowed values:* ``yes``, ``no``

*Example*::

  cachedump=yes

.. _reference_acix-scanner_x509_host_key:

x509_host_key
~~~~~~~~~~~~~

*Synopsis:* ``x509_host_key = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.
*Default:* ``$VAR{[common]x509_host_key}``

*Example*::

  x509_host_key=/etc/grid-security/hostkey.pem

.. warning:: CHANGE: new in this block

.. _reference_acix-scanner_x509_host_cert:

x509_host_cert
~~~~~~~~~~~~~~

*Synopsis:* ``x509_host_cert = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.

*Default:* ``$VAR{[common]x509_host_cert}``

*Example*::

  x509_host_cert=/etc/grid-security/hostcert.pem

.. warning:: CHANGE: new in this block

.. _reference_acix-scanner_x509_cert_dir:

x509_cert_dir
~~~~~~~~~~~~~

*Synopsis:* ``x509_cert_dir = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.

*Default:* ``$VAR{[common]x509_cert_dir}``

*Example*::

  x509_cert_dir=/etc/grid-security/certificates

.. warning:: CHANGE: new in this block

.. _reference_acix-index:

[acix-index] block
------------------

The ARC Cache Index (ACIX) is a distributed system that maintains a catalog of locations of cached files stored in various A-REX caches. ACIX consists of two components: the Cache Scanner (on the CEs) and the Index Server. This config block enables and configures the index server component of ACIX. The index server collects the cache content filters generated by a set of acix-scanners and maintains an aggregated view of the distributed cache contents. The acix-index server is deployed separately and can be queried for the location of cached files. The service endpoint is https://hostname:6443/data/index and a query is performed by giving the URLs to check as comma-separated values to the ``url`` option, e.g.:

``index_service_endpoint?url=http://www.nordugrid.org:80/data/echo.sh,http://my.host/data1``

.. _reference_acix-index_cachescanner:

cachescanner
~~~~~~~~~~~~

*Synopsis:* ``*cachescanner = url``

*Description:* (previously cacheserver) The ACIX cache scanners from which to pull information.

This option is **multivalued**.
*Default:* ``undefined``

*Example*::

  cachescanner=https://some.host:5443/data/cache
  cachescanner=https://another.host:5443/data/cache

.. warning:: CHANGE: renamed

.. warning:: TODO: should be mandatory

.. _reference_acix-index_x509_host_key:

x509_host_key
~~~~~~~~~~~~~

*Synopsis:* ``x509_host_key = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.

*Default:* ``$VAR{[common]x509_host_key}``

*Example*::

  x509_host_key=/etc/grid-security/hostkey.pem

.. warning:: CHANGE: new in this block

.. _reference_acix-index_x509_host_cert:

x509_host_cert
~~~~~~~~~~~~~~

*Synopsis:* ``x509_host_cert = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.

*Default:* ``$VAR{[common]x509_host_cert}``

*Example*::

  x509_host_cert=/etc/grid-security/hostcert.pem

.. warning:: CHANGE: new in this block

.. _reference_acix-index_x509_cert_dir:

x509_cert_dir
~~~~~~~~~~~~~

*Synopsis:* ``x509_cert_dir = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.

*Default:* ``$VAR{[common]x509_cert_dir}``

*Example*::

  x509_cert_dir=/etc/grid-security/certificates

.. warning:: CHANGE: new in this block

.. _reference_userlist:

[userlist:name] block
---------------------

The ``[userlist:name]`` blocks are used to define userlists and configure how those are generated by the nordugridmap utility, including the optional user mapping information. The userlist is identified by the generated file that is stored at the ``outfile`` location. Please note that the behaviour of the nordugridmap external utility can be further modified by the optional ``[nordugridmap]`` block (see next block).

Note that the ``[userlist:name]`` block by itself does not affect authorization. To define authorization rules, userlists can be referenced within ``[authgroup]`` blocks via the userlist=name parameter. Also, the generated ``outfile`` can be used via the 'file' auth rule of the ``[authgroup]`` block.
The order of this block in ``arc.conf`` may influence the authorization decision. This block must appear before the ``[arex]`` block.

.. warning:: CHANGE: new blockname that better reflects the purpose of the config block. This block is not defining any VO!

.. _reference_userlist_outfile:

outfile
~~~~~~~

*Synopsis:* ``outfile = path``

*Description:* (previously file) The full path of the GENERATED file that contains the userlist (with optional mapping info). If the same file is specified as output for different ``[userlist:name]`` blocks, then nordugridmap will automatically merge the entries following the order of the blocks.

*Default:* ``$VAR{[common/mapping]gridmap}``

*Example*::

  outfile=/etc/grid-security/lists/atlas-users

.. warning:: CHANGE: renamed from ``file``

.. _reference_userlist_source:

source
~~~~~~

*Synopsis:* ``*source = url``

*Description:* The URL of the VO database which is used to generate the userlist. nordugridmap will use this URL to automatically generate and keep up to date the userlist (mapfile) specified by the 'outfile' attribute. url is a multivalued attribute: several sources can be specified and all the users from those sources will be merged into the same file. The source URLs are processed in the given order.

Currently supported URL types are:

``http(s)://``
  URL to a plain text file. The file should contain a list of DNs.

``voms(s)://``
  URL to a VOMS-Admin interface.

``file://``
  local file (stand-alone or dynamically generated by ``nordugridmap``). The file should contain a list of DNs with an optional mapped unixid: ``user DN`` ``[mapped user ID]``. The result of the optional mapped unixid processing depends on the ``mapuser_processing`` option settings.

``userlist://``
  reference to another ``[userlist:name]`` configuration block.

``nordugrid``
  add the NorduGrid VO members.

You can use either ``userlist://`` or ``file://`` entries to specify dependencies between ``[userlist:name]`` blocks, but using ``userlist://`` is the recommended way.
For each separate source URL it is possible to override some parameter values, using the following syntax::

  "source=URL < parameter1=value1 parameter2=value2"

You can override the following parameters:

``mapped_unixid``
  for http(s), voms(s), ldap and file URLs

``cache_enable``
  for http(s), voms(s), ldap and file URLs

``voms_method``
  for voms(s) URLs

``mapuser_processing``
  for file URLs with ``mapped_unixid=''`` overridden (controls the ``mapped_unixid`` overriding behaviour for the URL)

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  source=vomss://voms.ndgf.org:8443/voms/nordugrid.org
  source=vomss://lcg-voms.cern.ch:8443/voms/atlas?/atlas/Role=VO-Admin < mapped_unixid=atlasadmin
  source=vomss://kuiken.nikhef.nl:8443/voms/gin.ggf.org < voms_method=get
  source=http://www.nordugrid.org/developers.dn
  source=file:///etc/grid-security/privileged_users.dn
  source=userlist://biousers
  source=nordugrid

.. warning:: CHANGE: MODIFIED options: edg-mkgridmap source option is removed (obsolete technology); vo source option is renamed as userlist.

.. _reference_userlist_mapped_unixid:

mapped_unixid
~~~~~~~~~~~~~

*Synopsis:* ``mapped_unixid = unixid``

*Description:* The local UNIXID which is optionally used in the generated outfile by the nordugridmap utility.
If any of the sources have already provided mapping information (file:// or userlist://), the behavior depends on 'mapuser_processing' from the ``[nordugridmap]`` block:

``mapuser_processing = overwrite``
  ignore the already provided mapping and apply ``mapped_unixid`` for all sources

``mapuser_processing = keep``
  apply ``mapped_unixid`` only for sources that do not already have mapping information

If the ``mapped_unixid`` config parameter is not specified or has an empty value, the behavior depends on the value of ``allow_empty_unixid`` from the ``[nordugridmap]`` block:

``allow_empty_unixid = yes``
  an empty value will be used for ``mapped_unixid``, which means that nordugridmap will generate only the list of DNs without mapping (consider using ``mapuser_processing = overwrite`` along with this option, or sources that do not provide previously defined mapping information)

``allow_empty_unixid = no``
  nordugridmap will skip users without mapping information

*Default:* ``nobody``

*Example*::

  mapped_unixid=gridtest

.. warning:: CHANGE: Modified. The empty value should work the same way as a missing parameter. Set the default to ``nobody``.

.. _reference_userlist_voms_fqan_map:

voms_fqan_map
~~~~~~~~~~~~~

*Synopsis:* ``voms_fqan_map = fqan unixid``

*Description:* The local UNIXID which is used to map voms(s) sources with the specific FQAN given. Several voms_fqan_map entries can be specified for a ``[userlist:name]`` block. For each voms(s) source in the ``[userlist:name]`` block and every voms_fqan_map record, a separate source record will be automatically generated with mapped_unixid overwritten to the specified one. Sources are generated in the given voms_fqan_map order. The original voms(s) source URLs are processed LAST. This simplifies configuration, especially in redundancy cases when several VOMS servers are used for the same VO.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  voms_fqan_map=/atlas/Role=VO-Admin atlasadmin
  voms_fqan_map=/atlas/Role=production atlasprod
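As an illustration of how the source, mapping and FQAN options combine, a userlist block might be sketched as follows (the block name, VOMS URL and account names are hypothetical)::

  [userlist:atlas]
  outfile=/etc/grid-security/lists/atlas-users
  source=vomss://voms.example.org:8443/voms/atlas
  voms_fqan_map=/atlas/Role=production atlasprod
  mapped_unixid=atlasuser

In this sketch the FQAN-specific source record generated from voms_fqan_map is processed first, mapping production-Role members to ``atlasprod``; the original VOMS source is processed last with ``mapped_unixid=atlasuser``.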
.. _reference_userlist_filter:

filter
~~~~~~

*Synopsis:* ``filter = ACL string``

*Description:* An ACL filter for the nordugridmap utility. Multiple allow/deny statements are possible. The fetched DNs are filtered against the specified rules before they are added to the generated outfile. ``*`` can be used as a wildcard. You may run nordugridmap with the ``--test`` command line option to see how the filters you specified work. If at least one allow filter is specified, an implicit deny is used at the end of the ACL. If only deny filters are present, an implicit allow is used at the end.

This option is **multivalued**.

*Default:* ``undefined``

*Example*::

  filter=deny *infn*
  filter=allow *NorduGrid*

.. _reference_nordugridmap:

[nordugridmap] block
--------------------

This optional block is used to fine-tune the behavior of the nordugridmap utility - an ARC tool used to generate grid-mapfiles. Normal setups don't need to configure this block. Please refer to the ``[userlist:name]`` block above for information on how to specify sources for userlist generation. This block sets up general source-independent parameters.

.. _reference_nordugridmap_x509_host_key:

x509_host_key
~~~~~~~~~~~~~

*Synopsis:* ``x509_host_key = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.

*Default:* ``$VAR{[common]x509_host_key}``

*Example*::

  x509_host_key=/etc/grid-security/hostkey.pem

.. warning:: CHANGE: renamed

.. _reference_nordugridmap_x509_host_cert:

x509_host_cert
~~~~~~~~~~~~~~

*Synopsis:* ``x509_host_cert = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.

*Default:* ``$VAR{[common]x509_host_cert}``

*Example*::

  x509_host_cert=/etc/grid-security/hostcert.pem

.. warning:: CHANGE: renamed

.. _reference_nordugridmap_x509_cert_dir:

x509_cert_dir
~~~~~~~~~~~~~

*Synopsis:* ``x509_cert_dir = path``

*Description:* Optional parameter to overwrite ``[common]`` block values.
*Default:* ``$VAR{[common]x509_cert_dir}``

*Example*::

  x509_cert_dir=/etc/grid-security/certificates

.. _reference_nordugridmap_gridmap_owner:

gridmap_owner
~~~~~~~~~~~~~

*Synopsis:* ``gridmap_owner = username``

*Description:* The owner of the generated mapfiles.

*Default:* ``root``

*Example*::

  gridmap_owner=root

.. _reference_nordugridmap_gridmap_group:

gridmap_group
~~~~~~~~~~~~~

*Synopsis:* ``gridmap_group = groupname``

*Description:* The group of the generated gridmapfiles.

*Default:* ``root``

*Example*::

  gridmap_group=root

.. _reference_nordugridmap_gridmap_permissions:

gridmap_permissions
~~~~~~~~~~~~~~~~~~~

*Synopsis:* ``gridmap_permissions = filemode``

*Description:* The permissions of the generated gridmapfiles.

*Default:* ``0600``

*Example*::

  gridmap_permissions=0600

.. _reference_nordugridmap_log_to_file:

log_to_file
~~~~~~~~~~~

*Synopsis:* ``log_to_file = yes/no``

*Description:* Controls whether the logging output of nordugridmap will be saved to a file. If the value is 'no', nordugridmap will write all information to STDERR.

*Allowed values:* ``yes``, ``no``

*Default:* ``yes``

*Example*::

  log_to_file=no

.. _reference_nordugridmap_logfile:

logfile
~~~~~~~

*Synopsis:* ``logfile = path``

*Description:* Specifies the nordugridmap log file location when log_to_file is set to yes.

*Default:* ``/var/log/arc/nordugridmap.log``

*Example*::

  logfile=/var/log/arc/nordugridmap.log

.. _reference_nordugridmap_cache_enable:

cache_enable
~~~~~~~~~~~~

*Synopsis:* ``cache_enable = yes/no``

*Description:* Controls whether caching of external sources will be used.

*Allowed values:* ``yes``, ``no``

*Default:* ``yes``

*Example*::

  cache_enable=yes

.. _reference_nordugridmap_cachedir:

cachedir
~~~~~~~~

*Synopsis:* ``cachedir = path``

*Description:* Specifies the path where cached sources will be stored.

*Default:* ``/var/spool/arc/gridmapcache/``

*Example*::

  cachedir=/var/spool/arc/gridmapcache/

.. warning:: TODO changed file location
.. _reference_nordugridmap_cachetime:

cachetime
~~~~~~~~~

*Synopsis:* ``cachetime = seconds``

*Description:* Controls how long (in seconds) the cached information remains valid. The default is 259200 (3 days).

*Default:* ``259200``

*Example*::

  cachetime=259200

issuer_processing - control the behavior of the ``[userlist:name]`` block's require_issuerdn

.. warning:: CHANGE28: DELETED

.. _reference_nordugridmap_mapuser_processing:

mapuser_processing
~~~~~~~~~~~~~~~~~~

*Synopsis:* ``mapuser_processing = overwrite/keep``

*Description:* Controls the behavior of the ``[userlist:name]`` block's mapped_unixid parameter usage. Please see the 'mapped_unixid' description in the ``[userlist:name]`` block for details.

*Allowed values:* ``keep``, ``overwrite``

*Default:* ``keep``

*Example*::

  mapuser_processing=keep

.. _reference_nordugridmap_allow_empty_unixid:

allow_empty_unixid
~~~~~~~~~~~~~~~~~~

*Synopsis:* ``allow_empty_unixid = yes/no``

*Description:* Controls whether an empty (or unspecified) 'mapped_unixid' option in the ``[userlist:name]`` block is allowed to be used. Please see the 'mapped_unixid' description for details.

*Allowed values:* ``yes``, ``no``

*Default:* ``yes``

*Example*::

  allow_empty_unixid=no

.. warning:: CHANGE: MODIFIED. set default to yes.

.. _reference_nordugridmap_voms_method:

voms_method
~~~~~~~~~~~

*Synopsis:* ``voms_method = soap/get``

*Description:* Controls how to get information from VOMS(S) sources. Valid values are:

``soap``
  call the SOAP method directly using SOAP::Lite

``get``
  use the old implementation that manually parses the XML response

*Allowed values:* ``soap``, ``get``

*Default:* ``soap``

*Example*::

  voms_method=soap

.. _reference_nordugridmap_loglevel:

loglevel
~~~~~~~~

*Synopsis:* ``loglevel = level``

*Description:* (previously debug) Controls the verbosity of nordugridmap output.
Valid values are:

0 - FATAL
  only critical fatal errors are shown

1 - ERROR
  errors, including non-critical ones, are shown

2 - WARNING (default)
  configuration errors that can be ignored

3 - INFO
  processing information

4 - VERBOSE
  a bit more processing information

5 - DEBUG
  a lot of processing information

When a test run is requested (the --test command line option of nordugridmap) the loglevel is automatically set to 5 (DEBUG).

*Allowed values:* ``0``, ``1``, ``2``, ``3``, ``4``, ``5``

*Default:* ``2``

*Example*::

  loglevel=4

.. warning:: CHANGE: renamed as loglevel

.. warning:: TODO set default to 2

.. _reference_nordugridmap_fetch_timeout:

fetch_timeout
~~~~~~~~~~~~~

*Synopsis:* ``fetch_timeout = seconds``

*Description:* Controls how much time (in seconds) nordugridmap will wait for external source retrieval.

*Default:* ``15``

*Example*::

  fetch_timeout=15
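Putting the ``[nordugridmap]`` tuning options together, a sketch of a customized block might look like the following (all values are illustrative choices, not recommendations)::

  [nordugridmap]
  gridmap_permissions=0600
  log_to_file=yes
  logfile=/var/log/arc/nordugridmap.log
  cache_enable=yes
  cachetime=86400
  allow_empty_unixid=no
  fetch_timeout=30

Such a block would refresh cached sources daily, skip users without mapping information, and allow slow external sources up to 30 seconds to respond.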