diff --git a/maintenance/README.md b/maintenance/README.md
new file mode 100644
index 0000000..36f116c
--- /dev/null
+++ b/maintenance/README.md
@@ -0,0 +1,14 @@
+#
+# LDCS System maintenance files
+#
+
+The maintenance folder contains files that are used to
+maintain the LDCS system.
+
+ * `README.md` - this file
+ * `configFiles/` - configuration files for the various subsystems
+ * `docker/` - docker files to bring up the various systems
+ * `tools/` - scripts and tools for various purposes
+ * `docs/` - quick reference documentation
+
+
diff --git a/maintenance/configFiles/rucio-server/README.md b/maintenance/configFiles/rucio-server/README.md
new file mode 100644
index 0000000..d94e75f
--- /dev/null
+++ b/maintenance/configFiles/rucio-server/README.md
@@ -0,0 +1,5 @@
+Each configuration file in this folder should contain a comment stating where
+the file should be located in the target service.
+
+Note that default passwords are in cleartext. A production setup should at
+least create a new password.
diff --git a/maintenance/configFiles/rucio-server/alembic.ini b/maintenance/configFiles/rucio-server/alembic.ini
new file mode 100644
index 0000000..984f1d6
--- /dev/null
+++ b/maintenance/configFiles/rucio-server/alembic.ini
@@ -0,0 +1,70 @@
+# Copyright European Organization for Nuclear Research (CERN)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Authors:
+# - Vincent Garonne , 2014
+# - Mario Lassnig , 2019
+
+# A generic, single database configuration.
+
+# LDCS: this file should be placed in
+# /opt/rucio/etc
+
+[alembic]
+# path to migration scripts
+#script_location = /usr/lib/python2.7/site-packages/rucio/db/sqla/migrate_repo/
+# Attempt to switch to newer version...
+script_location = /usr/local/lib/python3.6/site-packages/rucio/db/sqla/migrate_repo/
+
+# template used to generate migration files
+# file_template = %%(rev)s_%%(slug)s
+
+# max length of characters to apply to the
+# "slug" field
+#truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+sqlalchemy.url = postgresql://rucio:secret@ruciodb/rucio
+version_table_schema = rucio
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S
+
diff --git a/maintenance/configFiles/rucio-server/rucio.cfg b/maintenance/configFiles/rucio-server/rucio.cfg
new file mode 100644
index 0000000..40f6a09
--- /dev/null
+++ b/maintenance/configFiles/rucio-server/rucio.cfg
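Review bot: `sqlalchemy.url = postgresql://rucio:secret@ruciodb/rucio` commits a database credential in cleartext, and the same value recurs in the rucio.cfg hunk as `default =` under `[database]` and as `userpass_pwd = secret` under `[bootstrap]`. The compose file in this commit takes the server's database password from `${POSTGRES_PASSWORD}` in `.env`, while the daemon services only mount `rucio.cfg`, so an operator who sets a real password in `.env` and forgets these files ends up with the server and the daemons using different credentials. Mark the value as a placeholder that must be kept in step with `.env`, e.g. `# LDCS: replace 'secret' with the POSTGRES_PASSWORD value from .env before deployment` above the line, and keep the edited copy out of version control. The comment `# Attempt to switch to newer version...` above `script_location` does not say whether the python3.6 path was verified against the `release-1.26.11` image used by the compose file; state it or drop the comment.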
@@ -0,0 +1,51 @@
+# Copyright European Organization for Nuclear Research (CERN)
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Authors:
+# - Vincent Garonne, , 2013
+
+# LDCS: this file should be placed in
+# /opt/rucio/etc/
+
+[common]
+logdir = /var/log/rucio
+loglevel = DEBUG
+mailtemplatedir = /opt/rucio/etc/mail_templates
+[api]
+endpoints=accountlimits,accounts,auth,config,credentials,dids,export,heartbeats,identities,import,lifetime_exceptions,locks,meta,ping,redirect,replicas,requests,rses,rules,scopes,subscriptions
+[database]
+default = postgresql://rucio:secret@ruciodb/rucio
+pool_reset_on_return = rollback
+echo = 0
+pool_recycle = 600
+[bootstrap]
+userpass_identity = ddmlab
+userpass_pwd = secret
+userpass_email = rucio-dev@cern.ch
+[alembic]
+cfg = /opt/rucio/etc/alembic.ini
+[monitor]
+carbon_server = localhost
+carbon_port = 8125
+user_scope = default_docker
+[trace]
+tracedir = /var/log/rucio/trace
+brokers = localhost
+port = 61013
+topic = /topic/rucio.tracer
+[nongrid_trace]
+tracedir = /var/log/rucio/trace
+brokers = localhost
+port = 61013
+topic = /topic/rucio.tracer
+[policy]
+permission = generic
+schema = generic
+lfn2pfn_algorithm_default = hash
+support = https://github.com/rucio/rucio/issues/
+support_rucio = https://github.com/rucio/rucio/issues/
+[webui]
+usercert = /opt/rucio/etc/usercert_with_key.pem
+
diff --git a/maintenance/docker/LDCS-rucio/README.md b/maintenance/docker/LDCS-rucio/README.md
new file mode 100644
index 0000000..4159cc1
--- /dev/null
+++ b/maintenance/docker/LDCS-rucio/README.md
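Review bot: `loglevel = DEBUG` under `[common]` ships in a file this commit's README positions for deployment, with `logdir = /var/log/rucio` bind-mounted to the host by the compose file, and the `[api]` endpoint list includes `auth`, so DEBUG output may carry request details into host logs long after initial bring-up. Suggest `loglevel = INFO` with `# LDCS: raise to DEBUG only while troubleshooting` next to it. The `[bootstrap]` section creates the `ddmlab` application identity with `userpass_pwd = secret`; the cleartext-credential point is raised on the alembic.ini hunk, but this is an application login rather than the database login and deserves its own placeholder comment, e.g. `# LDCS: set a unique bootstrap password; it is the first admin login`. `[webui] usercert = /opt/rucio/etc/usercert_with_key.pem` names a combined certificate-and-key file inside the directory mounted into the server container; a comment on who produces that file and that it must not be group- or world-readable would help whoever deploys from these templates.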
@@ -0,0 +1,38 @@
+# Docker compose file for rucio server
+
+1) Copy all these files in a folder such as
+
+```
+ cp -r ../LDCS_rucio ~
+ cd ~/LDCS_rucio
+```
+
+2) Add values to the variables in `env` and rename the file to .env
+
+```
+ mv env .env
+```
+
+3) Switch to root (mainly for access to port 443)
+
+```
+ sudo -s
+```
+
+4) Deploy and edit the relevant configuration files in ../configFiles. Create folders if needed.
+Make sure passwords and paths match between the configFiles and the docker-compose file
+
+5) Start all the services with docker-compose
+
+```
+docker compose -f docker-compose-rucioserver-postgres-daemons.yml up -d
+
+```
+6) To stop all the services:
+```
+docker compose -f docker-compose-rucioserver-postgres-daemons.yml down
+
+```
+
+Refer to docker compose documentation for further information on how to interact with each single service.
+
diff --git a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml
new file mode 100644
index 0000000..ceb515d
--- /dev/null
+++ b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml
@@ -0,0 +1,80 @@
+services:
+ rucio-server:
+ image: rucio/rucio-server:release-1.26.11
+ hostname: ${LDCS_RUCIO_FQDN}
+ ports:
+ - "443:443"
+ volumes:
+ - /etc/grid-security/:/etc/grid-security/
+# - /etc/grid-security/hostcert.pem:/etc/grid-security/hostcert.pem
+# - /etc/grid-security/hostkey.pem:/etc/grid-security/hostkey.pem
+ - /opt/rucio/etc:/opt/rucio/etc
+ # Added for rucio logs according to https://rucio.github.io/documentation/operator/installing_server
+ - /var/log/rucio/httpd:/var/log/httpd
+ environment:
+ - RUCIO_ENABLE_SSL=True
+ - RUCIO_HOSTNAME=${LDCS_RUCIO_FQDN}
+ - RUCIO_CFG_DATABASE_DEFAULT=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@ruciodb/${POSTGRES_DB}
+ - RUCIO_CA_PATH=/etc/grid-security/certificates
+ - RUCIO_ENABLE_LOGFILE=True
+ depends_on:
+ - ruciodb
+ restart: unless-stopped
+ ruciodb:
+ image: postgres:11
+ environment:
+ - POSTGRES_USER=${POSTGRES_USER}
+ - POSTGRES_DB=${POSTGRES_DB}
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ ports:
+ - "5432:5432"
+ command: ["-c", "fsync=off","-c", "synchronous_commit=off","-c", "full_page_writes=off"]
+ volumes:
+ - vol-ruciodb-data:/var/lib/postgresql/data
+ restart: unless-stopped
+ rucio-daemons-abacus:
+ image: rucio/rucio-daemons:release-1.26.11
+ volumes:
+ - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg
+ # comment out the following to use docker compose logs only. This logs to the host system, when we have space
+ - /var/log/rucio:/var/log/rucio
+ environment:
+ - RUCIO_DAEMON=abacus-rse
+ - RUCIO_ENABLE_LOGS=True
+ depends_on:
+ - ruciodb
+ - rucio-server
+ restart: unless-stopped
+ rucio-daemons-reaper:
+ image: rucio/rucio-daemons:release-1.26.11
+ volumes:
+ - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg
+ - /home/almalinux/act/ldmx.long.proxy.root:/opt/rucio/etc/x509
+ - /etc/grid-security/certificates:/etc/grid-security/certificates
+ # comment out the following to use docker compose logs only. This logs to the host system, when we have space
+ - /var/log/rucio:/var/log/rucio
+ environment:
+ - RUCIO_DAEMON=reaper
+ - RUCIO_ENABLE_LOGS=True
+ - X509_USER_PROXY=/opt/rucio/etc/x509
+ depends_on:
+ - ruciodb
+ - rucio-server
+ restart: unless-stopped
+ rucio-daemons-undertaker:
+ image: rucio/rucio-daemons:release-1.26.11
+ volumes:
+ - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg
+ # comment out the following to use docker compose logs only. This logs to the host system, when we have space
+ - /var/log/rucio:/var/log/rucio
+ environment:
+ - RUCIO_DAEMON=undertaker
+ - RUCIO_ENABLE_LOGS=True
+ depends_on:
+ - ruciodb
+ - rucio-server
+ restart: unless-stopped
+
+volumes:
+ vol-ruciodb-data:
+
diff --git a/maintenance/docker/LDCS-rucio/env b/maintenance/docker/LDCS-rucio/env
new file mode 100644
index 0000000..375ccd2
--- /dev/null
+++ b/maintenance/docker/LDCS-rucio/env
@@ -0,0 +1,7 @@
+# fill the blanks below and rename this file to .env for docker to parse it
+# it must be in the same folder as the docker-compose file
+LDCS_RUCIO_FQDN=
+POSTGRES_USER=
+POSTGRES_DB=
+POSTGRES_PASSWORD=
+
diff --git a/maintenance/tools/CAtools/README.md b/maintenance/tools/CAtools/README.md
new file mode 100644
index 0000000..572bd69
--- /dev/null
+++ b/maintenance/tools/CAtools/README.md
@@ -0,0 +1,3 @@
+Suite of tools to manage CA and certificates
+
+The CA is not shared with this bundle for obvious security reasons.
diff --git a/maintenance/tools/CAtools/excludelist b/maintenance/tools/CAtools/excludelist
new file mode 100644
index 0000000..e639a50
--- /dev/null
+++ b/maintenance/tools/CAtools/excludelist
@@ -0,0 +1,3 @@
+LDCS-CA.key
+*.csr
+x509*
diff --git a/maintenance/tools/CAtools/generateCA.sh b/maintenance/tools/CAtools/generateCA.sh
new file mode 100755
index 0000000..68ebafd
--- /dev/null
+++ b/maintenance/tools/CAtools/generateCA.sh
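Review bot: `- "5432:5432"` under `ruciodb` publishes PostgreSQL on every host interface, although the only consumers in this file (`rucio-server` and the three daemon services) reach it over the compose network by the service name `ruciodb`, and the only thing protecting it is whatever is typed into `POSTGRES_PASSWORD` in `.env`. Drop the `ports:` block for `ruciodb`, or bind it locally, `- "127.0.0.1:5432:5432"`, if host-side access is wanted. The `command:` line with `fsync=off`, `synchronous_commit=off` and `full_page_writes=off` trades crash durability of the catalogue database for speed; if that is intentional for this deployment, say so in a comment next to the line, since the README treats this compose file as the production bring-up. The reaper's `- /home/almalinux/act/ldmx.long.proxy.root:/opt/rucio/etc/x509` hard-codes a user home path on one host; a variable in `env` (a name such as `LDCS_PROXY_PATH`, chosen here as an example) would keep it next to the other per-site values.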
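Review bot: `POSTGRES_PASSWORD=` is filled in by hand and the file is then renamed to `.env`, but nothing in the commit keeps that renamed copy out of version control or restricts its permissions, whereas the CAtools directory ships an `excludelist` for its private material. Add a line to the header comment, `# the renamed .env holds the database password: do not commit it and keep it readable by root only`, and consider a `.gitignore` entry for `.env` next to this template.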
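Review bot: `LDCS-CA.key` only excludes the CA's own private key, while the sibling scripts in this commit write further private keys into the working directory (`$HOSTNAME.key` from generatehostcert.sh and `userkey-*.key` from generateusercerts.sh), and neither `*.csr` nor `x509*` matches them. Unless the bundling step that consumes this list is known to exclude them another way (it is not visible here), replace the first pattern with `*.key`, which still covers the CA key; a comment on what tool reads this file would also make the pattern syntax unambiguous.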
@@ -0,0 +1,31 @@
+#!/bin/bash -x
+
+SUBJECT='/DC=org/DC=nordugrid/DC=ARC/O=LDMX/CN=LDCS CA'
+CANAME='LDCS-CA'
+MESSAGEDIGEST='sha512'
+VALIDITYPERIOD='1460'
+
+
+# Generate key
+openssl genrsa -out $CANAME.key 4096
+
+# Generate self-signed CSR and cert
+openssl req -x509 -new -${MESSAGEDIGEST} -subj "$SUBJECT" -key $CANAME.key -days $VALIDITYPERIOD -out $CANAME.pem
+
+# Generate signing policy
+cat << EOF > $CANAME.signing_policy
+access_id_CA X509 '/DC=org/DC=nordugrid/DC=ARC/O=LDMX/CN=LDCS CA'
+pos_rights globus CA:sign
+cond_subjects globus '"/DC=org/DC=nordugrid/DC=ARC/O=LDMX/*"'
+EOF
+
+# Generate hash links
+CERTHASH=$(openssl x509 -subject_hash -subject_hash_old -noout -in $CANAME.pem)
+
+for h in $CERTHASH; do
+ ln -s $CANAME.pem $h.0
+ ln -s $CANAME.signing_policy $h.signing_policy
+done
+
+
+
diff --git a/maintenance/tools/CAtools/generatehostcert.sh b/maintenance/tools/CAtools/generatehostcert.sh
new file mode 100755
index 0000000..c2c315a
--- /dev/null
+++ b/maintenance/tools/CAtools/generatehostcert.sh
@@ -0,0 +1,35 @@
+#!/bin/bash -x
+
+#TODO: add defaults
+CADIR=${2:-CA/}
+CANAME='LDCS-CA'
+CACERT=$CADIR/$CANAME.pem
+CAKEY=$CADIR/$CANAME.key
+MESSAGEDIGEST='sha512'
+
+HOSTNAME=$1
+SUBJECTHEAD='/DC=org/DC=nordugrid/DC=ARC/O=LDMX/CN=host\/'
+SUBJECT="$SUBJECTHEAD$HOSTNAME"
+
+# Generate hostkey
+
+openssl genrsa -out $HOSTNAME.key 4096
+
+# Generate csr
+openssl req -new -$MESSAGEDIGEST -subj "$SUBJECT" -key $HOSTNAME.key -out $HOSTNAME.csr
+
+#generate config
+
+cat << EOF > x509v3_config-$HOSTNAME
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature, nonRepudiation, keyEncipherment
+subjectAltName=DNS:$HOSTNAME
+EOF
+
+# Sign certificate with CA
+
+openssl x509 -req -$MESSAGEDIGEST -in $HOSTNAME.csr -CA $CACERT -CAkey $CAKEY -CAcreateserial -extfile x509v3_config-$HOSTNAME -out $HOSTNAME.pem -days 365
+
+
+
+
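Review bot: the signing-policy heredoc repeats the CA DN as a literal, `access_id_CA X509 '/DC=org/DC=nordugrid/DC=ARC/O=LDMX/CN=LDCS CA'`, instead of using the `SUBJECT` variable defined at the top, so editing `SUBJECT` silently leaves the policy naming a DN the certificate no longer carries; the heredoc delimiter is unquoted, so it can simply read `access_id_CA X509 '$SUBJECT'`. The script also runs without `set -e`, so a failed `openssl genrsa` still lets `openssl req`, the heredoc and the `ln -s` loop proceed against a missing key, and a second run stops at `ln -s` because the hash links already exist. Suggest `set -euo pipefail` right after the shebang (with `set -x` there too, since a shebang option is lost when the file is run as `bash generateCA.sh`), `ln -sf` in the loop, and double quotes around the `$CANAME` and `$h` expansions; the same unquoted-expansion and no-`set -e` pattern recurs in generatehostcert.sh and generateusercerts.sh.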
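Review bot: `HOSTNAME=$1` is used without any check, so running the script with no argument writes `.key`, `.csr` and `.pem` files in the current directory and signs a certificate whose subject ends in `CN=host\/` with an empty `subjectAltName=DNS:`; add `: "${1:?usage: $0 hostname [cadir]}"` before the assignment. `HOSTNAME` is also a variable bash sets itself, so a name such as `target_host` avoids shadowing it and the confusion in `-x` trace output. The `#TODO: add defaults` line does not say which defaults are still missing now that `CADIR` has one; name them or remove the line. The missing `set -e` and unquoted expansions are raised on the generateCA.sh hunk.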
diff --git a/maintenance/tools/CAtools/generateusercerts.sh b/maintenance/tools/CAtools/generateusercerts.sh
new file mode 100755
index 0000000..a91dfb6
--- /dev/null
+++ b/maintenance/tools/CAtools/generateusercerts.sh
@@ -0,0 +1,36 @@
+#!/bin/bash -x
+
+#TODO: add better defaults
+CADIR=${2:-CA/}
+CANAME='LDCS-CA'
+CACERT=$CADIR/$CANAME.pem
+CAKEY=$CADIR/$CANAME.key
+MESSAGEDIGEST='sha512'
+
+USERNAME=${1:-'Simulation Agent'}
+# Avoid blank spaces in filenames
+USERNAMEDASHES=$(echo $USERNAME | tr ' ' '-')
+SUBJECTHEAD='/DC=org/DC=nordugrid/DC=ARC/O=LDMX/CN='
+SUBJECT="$SUBJECTHEAD$USERNAME"
+
+# Generate hostkey
+
+openssl genrsa -out userkey-$USERNAMEDASHES.key 4096
+
+# Generate csr
+openssl req -new -$MESSAGEDIGEST -subj "$SUBJECT" -key userkey-$USERNAMEDASHES.key -out usercert-$USERNAMEDASHES.csr
+
+#generate config
+
+cat << EOF > x509v3_config-$USERNAMEDASHES
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature, nonRepudiation, keyEncipherment
+EOF
+
+# Sign certificate with CA
+
+openssl x509 -req -$MESSAGEDIGEST -in usercert-$USERNAMEDASHES.csr -CA $CACERT -CAkey $CAKEY -CAcreateserial -extfile x509v3_config-$USERNAMEDASHES -out usercert-$USERNAMEDASHES.pem -days 365
+
+
+
+
diff --git a/maintenance/tools/CAtools/setenv.sh b/maintenance/tools/CAtools/setenv.sh
new file mode 100644
index 0000000..a31a30f
--- /dev/null
+++ b/maintenance/tools/CAtools/setenv.sh
@@ -0,0 +1,6 @@
+# This script can be used to initialize the user environment for testing.
+basedir=$(dirname `readlink -f -- ${BASH_SOURCE:-$_}`)
+export X509_USER_CERT="$basedir/usercert.pem"
+export X509_USER_KEY="$basedir/userkey.pem"
+export X509_USER_PROXY="$basedir/userproxy.pem"
+export X509_CERT_DIR="$basedir/certificates"
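Review bot: the comment `# Generate hostkey` above `openssl genrsa -out userkey-$USERNAMEDASHES.key 4096` was carried over from generatehostcert.sh and describes the wrong artefact; it should read `# Generate user key`. `USERNAMEDASHES=$(echo $USERNAME | tr ' ' '-')` can be the builtin expansion `USERNAMEDASHES=${USERNAME// /-}`, which drops the unquoted `echo` and two extra processes; `SUBJECT` still uses `USERNAME` with its spaces, which is presumably intended since only the filename is being sanitised, and a comment saying so would settle it. The missing `set -e` and unquoted expansions are raised on the generateCA.sh hunk.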
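Review bot: the `basedir=` line nests backticks inside `$()` and leaves both `readlink` and `${BASH_SOURCE:-$_}` unquoted, so a checkout path containing a space breaks every export below it; write it as `basedir=$(dirname "$(readlink -f -- "${BASH_SOURCE[0]:-$_}")")`. The file has no shebang and only makes sense when sourced, which the header comment could state, e.g. `# Source this file (. setenv.sh); it exports X509_* paths relative to this directory.` The exported `userkey.pem` and `usercert.pem` names do not match the `userkey-<name>.key` and `usercert-<name>.pem` outputs of generateusercerts.sh, so a copy or rename step is presumably expected between the two; a one-line comment saying which file goes where would save the next reader a search.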