From ef10c6a78eb97b031fb875c84e7276305f7881e4 Mon Sep 17 00:00:00 2001 From: Florido Paganelli Date: Mon, 16 Jun 2025 17:00:33 +0200 Subject: [PATCH 01/11] First commit of maintenance tools --- maintenance/README.md | 16 +++++++++ maintenance/tools/CAtools/README.md | 1 + maintenance/tools/CAtools/generateCA.sh | 31 ++++++++++++++++ maintenance/tools/CAtools/generatehostcert.sh | 35 ++++++++++++++++++ .../tools/CAtools/generateusercerts.sh | 36 +++++++++++++++++++ 5 files changed, 119 insertions(+) create mode 100644 maintenance/README.md create mode 100644 maintenance/tools/CAtools/README.md create mode 100755 maintenance/tools/CAtools/generateCA.sh create mode 100755 maintenance/tools/CAtools/generatehostcert.sh create mode 100755 maintenance/tools/CAtools/generateusercerts.sh diff --git a/maintenance/README.md b/maintenance/README.md new file mode 100644 index 0000000..f58964c --- /dev/null +++ b/maintenance/README.md @@ -0,0 +1,16 @@ +#################################### +# +# LDCS System maintenance files +# +#################################### + +The maintenance folder contains files that are used to +maintain the LDCS system. + +README.md - this file +configFiles - configuration files for the various subsystems +docker - docker files to bring up the various systems +tools - scripts and tools for various purposes +docs - quick reference documentation + + diff --git a/maintenance/tools/CAtools/README.md b/maintenance/tools/CAtools/README.md new file mode 100644 index 0000000..1c365c6 --- /dev/null +++ b/maintenance/tools/CAtools/README.md @@ -0,0 +1 @@ +Suite of tools to manage CA and certificates diff --git a/maintenance/tools/CAtools/generateCA.sh b/maintenance/tools/CAtools/generateCA.sh new file mode 100755 index 0000000..68ebafd --- /dev/null +++ b/maintenance/tools/CAtools/generateCA.sh 
@@ -0,0 +1,31 @@ +#!/bin/bash -x + +SUBJECT='/DC=org/DC=nordugrid/DC=ARC/O=LDMX/CN=LDCS CA' +CANAME='LDCS-CA' +MESSAGEDIGEST='sha512' +VALIDITYPERIOD='1460' + + +# Generate key +openssl genrsa -out $CANAME.key 4096 + +# Generate self-signed CSR and cert +openssl req -x509 -new -${MESSAGEDIGEST} -subj "$SUBJECT" -key $CANAME.key -days $VALIDITYPERIOD -out $CANAME.pem + +# Generate signing policy +cat << EOF > $CANAME.signing_policy +access_id_CA X509 '/DC=org/DC=nordugrid/DC=ARC/O=LDMX/CN=LDCS CA' +pos_rights globus CA:sign +cond_subjects globus '"/DC=org/DC=nordugrid/DC=ARC/O=LDMX/*"' +EOF + +# Generate hash links +CERTHASH=$(openssl x509 -subject_hash -subject_hash_old -noout -in $CANAME.pem) + +for h in $CERTHASH; do + ln -s $CANAME.pem $h.0 + ln -s $CANAME.signing_policy $h.signing_policy +done + + + diff --git a/maintenance/tools/CAtools/generatehostcert.sh b/maintenance/tools/CAtools/generatehostcert.sh new file mode 100755 index 0000000..c2c315a --- /dev/null +++ b/maintenance/tools/CAtools/generatehostcert.sh @@ -0,0 +1,35 @@ +#!/bin/bash -x + +#TODO: add defaults +CADIR=${2:-CA/} +CANAME='LDCS-CA' +CACERT=$CADIR/$CANAME.pem +CAKEY=$CADIR/$CANAME.key +MESSAGEDIGEST='sha512' + +HOSTNAME=$1 +SUBJECTHEAD='/DC=org/DC=nordugrid/DC=ARC/O=LDMX/CN=host\/' +SUBJECT="$SUBJECTHEAD$HOSTNAME" + +# Generate hostkey + +openssl genrsa -out $HOSTNAME.key 4096 + +# Generate csr +openssl req -new -$MESSAGEDIGEST -subj "$SUBJECT" -key $HOSTNAME.key -out $HOSTNAME.csr + +#generate config + +cat << EOF > x509v3_config-$HOSTNAME +basicConstraints=CA:FALSE +keyUsage=digitalSignature, nonRepudiation, keyEncipherment +subjectAltName=DNS:$HOSTNAME +EOF + +# Sign certificate with CA + +openssl x509 -req -$MESSAGEDIGEST -in $HOSTNAME.csr -CA $CACERT -CAkey $CAKEY -CAcreateserial -extfile x509v3_config-$HOSTNAME -out $HOSTNAME.pem -days 365 + + + + 
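Review bot: The CA private key produced by `openssl genrsa -out $CANAME.key 4096` is written unencrypted and with the caller's default umask, so on a typical system it is readable by every local user until someone remembers to chmod it. Put `umask 077` before the genrsa call and, if the CA key is only ever used interactively through these scripts, use `openssl genrsa -aes256 -out "$CANAME.key" 4096` so it is passphrase-protected at rest. The script runs with `-x` in the shebang and without `set -e`, so a failed key generation would not stop the signing-policy and hash-link steps that follow; `set -euo pipefail` on the line after the shebang is the usual fix. The signing-policy heredoc repeats the DN literal instead of using `"$SUBJECT"`, which will silently diverge if the CA subject is ever changed in one place only.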
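Review bot: `HOSTNAME=$1` is used unchecked, so running the script with no argument still generates a key and asks the CA to sign a certificate whose subject ends in `CN=host/` with an empty host part and whose extension file contains `subjectAltName=DNS:`; depending on the OpenSSL version this either fails late with an unhelpful error or issues a useless certificate under the CA. Guard the argument with `: "${1:?usage: $0 <fqdn> [cadir]}"` at the top, and as in the CA script set `umask 077` before `openssl genrsa` so `$HOSTNAME.key` is not created world-readable. The validity is a hard-coded `-days 365` here while generateCA.sh parameterises it through `VALIDITYPERIOD`; a `DAYS=${3:-365}` variable would keep the two scripts consistent. `HOSTNAME` also shadows the shell's own variable of that name, which is harmless here but surprising to readers.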
diff --git a/maintenance/tools/CAtools/generateusercerts.sh b/maintenance/tools/CAtools/generateusercerts.sh new file mode 100755 index 0000000..a91dfb6 --- /dev/null +++ b/maintenance/tools/CAtools/generateusercerts.sh @@ -0,0 +1,36 @@ +#!/bin/bash -x + +#TODO: add better defaults +CADIR=${2:-CA/} +CANAME='LDCS-CA' +CACERT=$CADIR/$CANAME.pem +CAKEY=$CADIR/$CANAME.key +MESSAGEDIGEST='sha512' + +USERNAME=${1:-'Simulation Agent'} +# Avoid blank spaces in filenames +USERNAMEDASHES=$(echo $USERNAME | tr ' ' '-') +SUBJECTHEAD='/DC=org/DC=nordugrid/DC=ARC/O=LDMX/CN=' +SUBJECT="$SUBJECTHEAD$USERNAME" + +# Generate hostkey + +openssl genrsa -out userkey-$USERNAMEDASHES.key 4096 + +# Generate csr +openssl req -new -$MESSAGEDIGEST -subj "$SUBJECT" -key userkey-$USERNAMEDASHES.key -out usercert-$USERNAMEDASHES.csr + +#generate config + +cat << EOF > x509v3_config-$USERNAMEDASHES +basicConstraints=CA:FALSE +keyUsage=digitalSignature, nonRepudiation, keyEncipherment +EOF + +# Sign certificate with CA + +openssl x509 -req -$MESSAGEDIGEST -in usercert-$USERNAMEDASHES.csr -CA $CACERT -CAkey $CAKEY -CAcreateserial -extfile x509v3_config-$USERNAMEDASHES -out usercert-$USERNAMEDASHES.pem -days 365 + + + + From e901cfbacbc53dfba1d432151c6d74ea4fd3c062 Mon Sep 17 00:00:00 2001 From: Florido Paganelli Date: Mon, 16 Jun 2025 17:02:12 +0200 Subject: [PATCH 02/11] Update README.md Cosmetics --- maintenance/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/maintenance/README.md b/maintenance/README.md index f58964c..20dcf67 100644 --- a/maintenance/README.md +++ b/maintenance/README.md 
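Review bot: The user private key `userkey-$USERNAMEDASHES.key` is written unencrypted with the default umask, the same gap as in the CA and host scripts; add `umask 077` before `openssl genrsa`, and if these certificates are meant for people rather than an unattended agent, add `-aes256` so the key is passphrase-protected as grid user keys conventionally are. `USERNAMEDASHES=$(echo $USERNAME | tr ' ' '-')` can be the parameter expansion `USERNAMEDASHES=${USERNAME// /-}`, which also avoids the unquoted `$USERNAME` being glob-expanded if a name ever contains `*` or `?`. The comment `# Generate hostkey` above the key generation is copied from the host script and should read `# Generate user key`. The `-days 365` literal and the `#!/bin/bash -x` shebang without `set -e` repeat the points that apply to the sibling scripts.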
@@ -7,10 +7,10 @@ The maintenance folder contains files that are used to maintain the LDCS system. -README.md - this file -configFiles - configuration files for the various subsystems -docker - docker files to bring up the various systems -tools - scripts and tools for various purposes -docs - quick reference documentation + * `README.md` - this file + * `configFiles/` - configuration files for the various subsystems + * `docker/` - docker files to bring up the various systems + * `tools/` - scripts and tools for various purposes + * `docs/` - quick reference documentation From 5fadd897c6e26286c657660dc8335c151fa47db7 Mon Sep 17 00:00:00 2001 From: Florido Paganelli Date: Mon, 16 Jun 2025 17:03:26 +0200 Subject: [PATCH 03/11] Cosmetics on readme --- maintenance/README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/maintenance/README.md b/maintenance/README.md index 20dcf67..36f116c 100644 --- a/maintenance/README.md +++ b/maintenance/README.md @@ -1,8 +1,6 @@ -#################################### # # LDCS System maintenance files # -#################################### The maintenance folder contains files that are used to maintain the LDCS system. From 9535fb43612133fe1a7f8317afd25add4989c39e Mon Sep 17 00:00:00 2001 From: Florido Paganelli Date: Mon, 16 Jun 2025 17:47:17 +0200 Subject: [PATCH 04/11] Added docker compose file for rucio server --- maintenance/docker/LDCS-rucio/README.md | 29 ++++++++++++++++ .../docker-compose-rucioserver-postgres.yml | 33 +++++++++++++++++++ maintenance/docker/LDCS-rucio/env | 7 ++++ 3 files changed, 69 insertions(+) create mode 100644 maintenance/docker/LDCS-rucio/README.md create mode 100644 maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres.yml create mode 100644 maintenance/docker/LDCS-rucio/env diff --git a/maintenance/docker/LDCS-rucio/README.md b/maintenance/docker/LDCS-rucio/README.md new file mode 100644 index 0000000..6e1af93 --- /dev/null +++ b/maintenance/docker/LDCS-rucio/README.md 
@@ -0,0 +1,29 @@ +# Docker compose file for rucio server + +1) Copy all these files in a folder such as + +``` + cp -r ../LDCS_rucio ~ + cd ~/LDCS_rucio +``` + +2) Add values to the variables in `env` and rename the file to .env + +``` + mv env .env +``` + +3) Switch to root (mainly for access to port 443) + +``` + sudo -s +``` + +4) Deploy and edit the relevant configuration files in ../configFiles. Create folders if needed. + +5) Start the services with docker-compose + +``` +docker compose -f docker-compose-rucioserver-postgres.yml up -d + +``` diff --git a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres.yml b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres.yml new file mode 100644 index 0000000..fed2379 --- /dev/null +++ b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres.yml @@ -0,0 +1,33 @@ +services: + rucio-server: + image: rucio/rucio-server:release-1.21.6 + hostname: ${LDCS_RUCIO_FQDN} + ports: + - "443:443" + volumes: + - /etc/grid-security/:/etc/grid-security/ +# - /etc/grid-security/hostcert.pem:/etc/grid-security/hostcert.pem +# - /etc/grid-security/hostkey.pem:/etc/grid-security/hostkey.pem + - /opt/rucio/etc:/opt/rucio/etc + environment: + - RUCIO_ENABLE_SSL=True + - RUCIO_HOSTNAME=${LDCS_RUCIO_FQDN} + - RUCIO_CFG_DATABASE_DEFAULT=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@ruciodb/${POSTGRES_DB} + - RUCIO_CA_PATH=/etc/grid-security/certificates + - RUCIO_ENABLE_LOGFILE=True + - RUCIO_DEFINE_ALIASES=True + ruciodb: + image: postgres:11 + environment: + - POSTGRES_USER=${POSTGRES_USER} + - POSTGRES_DB=${POSTGRES_DB} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + ports: + - "5432:5432" + command: ["-c", "fsync=off","-c", "synchronous_commit=off","-c", "full_page_writes=off"] + volumes: + - vol-ruciodb-data:/var/lib/postgresql/data + +volumes: + vol-ruciodb-data: + diff --git a/maintenance/docker/LDCS-rucio/env b/maintenance/docker/LDCS-rucio/env new file mode 100644 index 0000000..375ccd2 
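Review bot: `ports: - "5432:5432"` on the `ruciodb` service publishes PostgreSQL on every host interface, yet its only consumer, `rucio-server`, reaches it over the compose network as `ruciodb`; if the host is reachable from outside, the catalogue database is one password away from the network. Drop the mapping, or if host-side access is needed for maintenance bind it to loopback with `- "127.0.0.1:5432:5432"`. The `fsync=off`, `synchronous_commit=off` and `full_page_writes=off` flags trade crash safety for speed and can leave the Rucio catalogue corrupted after a power loss; they are acceptable for a throwaway test instance but deserve a comment saying so, or removal for the production deployment. Consider `:ro` on the `/etc/grid-security/` bind mount, since the container should not need to write to the host's CA bundle or key material unless the image entrypoint does so.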
--- /dev/null +++ b/maintenance/docker/LDCS-rucio/env @@ -0,0 +1,7 @@ +# fill the blanks below and rename this file to .env for docker to parse it +# it must be in the same folder as the docker-compose file +LDCS_RUCIO_FQDN= +POSTGRES_USER= +POSTGRES_DB= +POSTGRES_PASSWORD= + From 7b77597eceabf2fad5595f359143c86d56a567e8 Mon Sep 17 00:00:00 2001 From: Florido Paganelli Date: Tue, 17 Jun 2025 10:48:13 +0200 Subject: [PATCH 05/11] Added default configuration files for rucio-server --- .../configFiles/rucio-server/README.md | 5 ++ .../configFiles/rucio-server/alembic.ini | 68 +++++++++++++++++++ .../configFiles/rucio-server/aliases.conf | 27 ++++++++ .../configFiles/rucio-server/rucio.cfg | 51 ++++++++++++++ 4 files changed, 151 insertions(+) create mode 100644 maintenance/configFiles/rucio-server/README.md create mode 100644 maintenance/configFiles/rucio-server/alembic.ini create mode 100644 maintenance/configFiles/rucio-server/aliases.conf create mode 100644 maintenance/configFiles/rucio-server/rucio.cfg diff --git a/maintenance/configFiles/rucio-server/README.md b/maintenance/configFiles/rucio-server/README.md new file mode 100644 index 0000000..d94e75f --- /dev/null +++ b/maintenance/configFiles/rucio-server/README.md @@ -0,0 +1,5 @@ +Each configuration file in this folder should contain a comment stating where +the file should be located in the target service. + +Note that default passwords are in cleartext. A production setup should at +least create a new password. diff --git a/maintenance/configFiles/rucio-server/alembic.ini b/maintenance/configFiles/rucio-server/alembic.ini new file mode 100644 index 0000000..0163e1c --- /dev/null +++ b/maintenance/configFiles/rucio-server/alembic.ini 
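Review bot: Once this template becomes `.env` it holds `POSTGRES_PASSWORD` in clear, and nothing in the commit keeps that file out of the repository or restricts who can read it. Add `.env` to the project's `.gitignore` and tell the reader to `chmod 600 .env` in the README step that renames it. Because compose interpolates the password into `RUCIO_CFG_DATABASE_DEFAULT`, anyone who can run `docker inspect` on the host sees it as well; that is inherent to passing secrets through environment variables and is worth a one-line comment here, e.g. `# values below end up in container environment variables; protect this file (chmod 600) and never commit it`, so operators do not assume the rename alone protects it.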
@@ -0,0 +1,68 @@ +# Copyright European Organization for Nuclear Research (CERN) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Authors: +# - Vincent Garonne , 2014 +# - Mario Lassnig , 2019 + +# A generic, single database configuration. + +# LDCS: this file should be placed in +# /opt/rucio/etc + +[alembic] +# path to migration scripts +script_location = /usr/lib/python2.7/site-packages/rucio/db/sqla/migrate_repo/ + +# template used to generate migration files +# file_template = %%(rev)s_%%(slug)s + +# max length of characters to apply to the +# "slug" field +#truncate_slug_length = 40 + +# set to 'true' to run the environment during +# the 'revision' command, regardless of autogenerate +# revision_environment = false + +sqlalchemy.url = postgresql://rucio:secret@ruciodb/rucio +version_table_schema = rucio + +# Logging configuration +[loggers] +keys = root,sqlalchemy,alembic + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = WARN +handlers = console +qualname = + +[logger_sqlalchemy] +level = WARN +handlers = +qualname = sqlalchemy.engine + +[logger_alembic] +level = INFO +handlers = +qualname = alembic + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(levelname)-5.5s [%(name)s] %(message)s +datefmt = %H:%M:%S + diff --git a/maintenance/configFiles/rucio-server/aliases.conf b/maintenance/configFiles/rucio-server/aliases.conf new file mode 100644 index 0000000..a456b6c --- /dev/null +++ b/maintenance/configFiles/rucio-server/aliases.conf 
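Review bot: `sqlalchemy.url = postgresql://rucio:secret@ruciodb/rucio` commits a working database credential, and because this file is deployed by bind mount as-is, a copy that is not edited will quietly run with the well-known password `secret` while the compose file expects whatever was set in `.env`. Replace the credential with a placeholder that cannot work, e.g. `sqlalchemy.url = postgresql://CHANGEME_USER:CHANGEME_PASSWORD@ruciodb/CHANGEME_DB`, so a forgotten edit fails loudly at the first migration instead of leaving a default password in production. The sibling README already warns that default passwords are in cleartext; a non-working placeholder turns that warning into something the system enforces.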
@@ -0,0 +1,27 @@ +# LDCS: this file should be placed in +# /opt/rucio/etc + +WSGIScriptAlias /ping /usr/lib/python2.7/site-packages/rucio/web/rest/ping.py +WSGIScriptAlias /accounts /usr/lib/python2.7/site-packages/rucio/web/rest/account.py +WSGIScriptAlias /accountlimits /usr/lib/python2.7/site-packages/rucio/web/rest/account_limit.py +#WSGIScriptAlias /auth /usr/lib/python2.7/site-packages/rucio/web/rest/authentication.py process-group=rucio application-group=rucio +WSGIScriptAlias /auth /usr/lib/python2.7/site-packages/rucio/web/rest/authentication.py +WSGIScriptAlias /config /usr/lib/python2.7/site-packages/rucio/web/rest/config.py +WSGIScriptAlias /dids /usr/lib/python2.7/site-packages/rucio/web/rest/did.py +WSGIScriptAlias /export /usr/lib/python2.7/site-packages/rucio/web/rest/exporter.py +WSGIScriptAlias /identities /usr/lib/python2.7/site-packages/rucio/web/rest/identity.py +WSGIScriptAlias /import /usr/lib/python2.7/site-packages/rucio/web/rest/importer.py +WSGIScriptAlias /heartbeats /usr/lib/python2.7/site-packages/rucio/web/rest/heartbeat.py +WSGIScriptAlias /locks /usr/lib/python2.7/site-packages/rucio/web/rest/lock.py +WSGIScriptAlias /meta /usr/lib/python2.7/site-packages/rucio/web/rest/meta.py +WSGIScriptAlias /ping /usr/lib/python2.7/site-packages/rucio/web/rest/ping.py +WSGIScriptAlias /redirect /usr/lib/python2.7/site-packages/rucio/web/rest/redirect.py +WSGIScriptAlias /replicas /usr/lib/python2.7/site-packages/rucio/web/rest/replica.py +WSGIScriptAlias /requests /usr/lib/python2.7/site-packages/rucio/web/rest/request.py +WSGIScriptAlias /rses /usr/lib/python2.7/site-packages/rucio/web/rest/rse.py +WSGIScriptAlias /rules /usr/lib/python2.7/site-packages/rucio/web/rest/rule.py +WSGIScriptAlias /scopes /usr/lib/python2.7/site-packages/rucio/web/rest/scope.py +WSGIScriptAlias /subscriptions /usr/lib/python2.7/site-packages/rucio/web/rest/subscription.py +WSGIScriptAlias /objectstores /usr/lib/python2.7/site-packages/rucio/web/rest/objectstore.py 
+WSGIScriptAlias /lifetime_exceptions /usr/lib/python2.7/site-packages/rucio/web/rest/lifetime_exception.py + diff --git a/maintenance/configFiles/rucio-server/rucio.cfg b/maintenance/configFiles/rucio-server/rucio.cfg new file mode 100644 index 0000000..e78944e --- /dev/null +++ b/maintenance/configFiles/rucio-server/rucio.cfg @@ -0,0 +1,51 @@ +# Copyright European Organization for Nuclear Research (CERN) +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Authors: +# - Vincent Garonne, , 2013 + +# LDCS: this file should be placed in +# /opt/rucio/etc/ + +[common] +logdir = /var/log/rucio +loglevel = WARNING +mailtemplatedir = /opt/rucio/etc/mail_templates +[api] +endpoints=accountlimits,accounts,auth,config,credentials,dids,export,heartbeats,identities,import,lifetime_exceptions,locks,meta,ping,redirect,replicas,requests,rses,rules,scopes,subscriptions +[database] +default = postgresql://rucio:secret@ruciodb/rucio +pool_reset_on_return = rollback +echo = 0 +pool_recycle = 600 +[bootstrap] +userpass_identity = ddmlab +userpass_pwd = secret +userpass_email = rucio-dev@cern.ch +[alembic] +cfg = /opt/rucio/etc/alembic.ini +[monitor] +carbon_server = localhost +carbon_port = 8125 +user_scope = default_docker +[trace] +tracedir = /var/log/rucio/trace +brokers = localhost +port = 61013 +topic = /topic/rucio.tracer +[nongrid_trace] +tracedir = /var/log/rucio/trace +brokers = localhost +port = 61013 +topic = /topic/rucio.tracer +[policy] +permission = generic +schema = generic +lfn2pfn_algorithm_default = hash +support = https://github.com/rucio/rucio/issues/ +support_rucio = https://github.com/rucio/rucio/issues/ +[webui] +usercert = /opt/rucio/etc/usercert_with_key.pem + From e9524c2f29c907b36d4e31c5144ae4c055823a4c Mon Sep 17 00:00:00 2001 
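Review bot: The `[bootstrap]` section ships `userpass_identity = ddmlab` with `userpass_pwd = secret`, so the initial Rucio account — presumably the privileged root account — is created with a publicly known password, and `[database] default` repeats the `rucio:secret` URL that the compose file otherwise injects from `.env`. Replace both with non-working placeholders (`userpass_pwd = CHANGEME` and `default = postgresql://CHANGEME_USER:CHANGEME_PASSWORD@ruciodb/CHANGEME_DB`) so an unedited copy fails instead of silently bootstrapping a default-credential admin. Whether the `RUCIO_CFG_DATABASE_DEFAULT` variable in the compose file overrides this value or the bind-mounted file wins depends on the image entrypoint and should be stated in the LDCS comment at the top of the file, since a mismatch here is the first thing an operator will hit. `userpass_email = rucio-dev@cern.ch` is the upstream example address and should be an LDCS contact.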
From: Florido Paganelli Date: Wed, 18 Jun 2025 11:45:20 +0200 Subject: [PATCH 06/11] attempt to start rucio daemons in the same docker compose file --- ...r-compose-rucioserver-postgres-daemons.yml | 61 +++++++++++++++++++ .../docker-compose-rucioserver-postgres.yml | 33 ---------- 2 files changed, 61 insertions(+), 33 deletions(-) create mode 100644 maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml delete mode 100644 maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres.yml diff --git a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml new file mode 100644 index 0000000..d09bfb7 --- /dev/null +++ b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml 
@@ -0,0 +1,61 @@ +services: + rucio-server: + image: rucio/rucio-server:release-1.21.6 + hostname: ${LDCS_RUCIO_FQDN} + ports: + - "443:443" + volumes: + - /etc/grid-security/:/etc/grid-security/ +# - /etc/grid-security/hostcert.pem:/etc/grid-security/hostcert.pem +# - /etc/grid-security/hostkey.pem:/etc/grid-security/hostkey.pem + - /opt/rucio/etc:/opt/rucio/etc +# - /var/log/rucio:/var/log/rucio # use docker-compose logs instead? or reroute to avoid space clogging/easier cleanup? + environment: + - RUCIO_ENABLE_SSL=True + - RUCIO_HOSTNAME=${LDCS_RUCIO_FQDN} + - RUCIO_CFG_DATABASE_DEFAULT=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@ruciodb/${POSTGRES_DB} + - RUCIO_CA_PATH=/etc/grid-security/certificates + - RUCIO_ENABLE_LOGFILE=True + - RUCIO_DEFINE_ALIASES=True + ruciodb: + image: postgres:11 + environment: + - POSTGRES_USER=${POSTGRES_USER} + - POSTGRES_DB=${POSTGRES_DB} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + ports: + - "5432:5432" + command: ["-c", "fsync=off","-c", "synchronous_commit=off","-c", "full_page_writes=off"] + volumes: + - vol-ruciodb-data:/var/lib/postgresql/data + rucio-daemons-abacus: + image: rucio/rucio-daemons + volumes: + - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg +# - /var/log/rucio:/var/log/rucio # use docker-compose logs instead + environment: + - RUCIO_DAEMON=abacus-rse + - RUCIO_ENABLE_LOGS=True + rucio-daemons-reaper: + image: rucio/rucio-daemons + volumes: + - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg + - /home/almalinux/act/ldmx.long.proxy.root:/opt/rucio/etc/x509 + - /etc/grid-security/certificates:/etc/grid-security/certificates +# - /var/log/rucio:/var/log/rucio # use docker-compose logs instead + environment: + - RUCIO_DAEMON=reaper + - RUCIO_ENABLE_LOGS=True + - X509_USER_PROXY=/opt/rucio/etc/x509 + rucio-daemons-undertaker: + image: rucio/rucio-daemons + volumes: + - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg +# - /var/log/rucio:/var/log/rucio # use docker-compose logs instead ? 
+ environment: + - RUCIO_DAEMON=undertaker + - RUCIO_ENABLE_LOGS=True + +volumes: + vol-ruciodb-data: + diff --git a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres.yml b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres.yml deleted file mode 100644 index fed2379..0000000 --- a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres.yml +++ /dev/null @@ -1,33 +0,0 @@ -services: - rucio-server: - image: rucio/rucio-server:release-1.21.6 - hostname: ${LDCS_RUCIO_FQDN} - ports: - - "443:443" - volumes: - - /etc/grid-security/:/etc/grid-security/ -# - /etc/grid-security/hostcert.pem:/etc/grid-security/hostcert.pem -# - /etc/grid-security/hostkey.pem:/etc/grid-security/hostkey.pem - - /opt/rucio/etc:/opt/rucio/etc - environment: - - RUCIO_ENABLE_SSL=True - - RUCIO_HOSTNAME=${LDCS_RUCIO_FQDN} - - RUCIO_CFG_DATABASE_DEFAULT=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@ruciodb/${POSTGRES_DB} - - RUCIO_CA_PATH=/etc/grid-security/certificates - - RUCIO_ENABLE_LOGFILE=True - - RUCIO_DEFINE_ALIASES=True - ruciodb: - image: postgres:11 - environment: - - POSTGRES_USER=${POSTGRES_USER} - - POSTGRES_DB=${POSTGRES_DB} - - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - ports: - - "5432:5432" - command: ["-c", "fsync=off","-c", "synchronous_commit=off","-c", "full_page_writes=off"] - volumes: - - vol-ruciodb-data:/var/lib/postgresql/data - -volumes: - vol-ruciodb-data: - From 94ff0196496ec6ac63243a490cb57a70992a1a60 Mon Sep 17 00:00:00 2001 From: Florido Paganelli Date: Wed, 18 Jun 2025 11:54:05 +0200 Subject: [PATCH 07/11] updated README with info about daemons and stopping all services --- maintenance/docker/LDCS-rucio/README.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/maintenance/docker/LDCS-rucio/README.md b/maintenance/docker/LDCS-rucio/README.md index 6e1af93..4159cc1 100644 --- a/maintenance/docker/LDCS-rucio/README.md +++ b/maintenance/docker/LDCS-rucio/README.md 
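Review bot: The reaper is given `/home/almalinux/act/ldmx.long.proxy.root` as `X509_USER_PROXY`, which judging by its name is a long-lived proxy credential kept in one user's home directory; the deployment now depends on that account existing and on whoever renews the proxy, and the container receives the file read-write. Mount it read-only (`- /home/almalinux/act/ldmx.long.proxy.root:/opt/rucio/etc/x509:ro`) and keep the credential outside a personal home directory so the service does not break when that account is removed or its home is cleaned up. The same `:ro` applies to `/etc/grid-security/certificates`, and since `rucio.cfg` carries the database password and is bind-mounted into all three daemons, its host permissions should be checked against the uid the daemon processes run as. The `ruciodb` `ports: - "5432:5432"` mapping exposes the database on all host interfaces even though only compose-network clients need it.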
@@ -20,10 +20,19 @@ ``` 4) Deploy and edit the relevant configuration files in ../configFiles. Create folders if needed. +Make sure passwords and paths match between the configFiles and the docker-compose file -5) Start the services with docker-compose +5) Start all the services with docker-compose ``` -docker compose -f docker-compose-rucioserver-postgres.yml up -d +docker compose -f docker-compose-rucioserver-postgres-daemons.yml up -d ``` +6) To stop all the services: +``` +docker compose -f docker-compose-rucioserver-postgres-daemons.yml down + +``` + +Refer to docker compose documentation for further information on how to interact with each single service. + From 23cf97528d415ee2fcc7aa2bb555702b9cd22680 Mon Sep 17 00:00:00 2001 From: Florido Paganelli Date: Wed, 18 Jun 2025 17:36:13 +0200 Subject: [PATCH 08/11] Fixed rucio-daemons container version and changed log path to host instead of inside docker - latest rucio-daemons container seem to have some python dependency problem, must be tested if fixing version helps - decided to write all logs to host system on /var/log/rucio, to minimize the use of docker volumes. --- ...er-compose-rucioserver-postgres-daemons.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml index d09bfb7..3cd2834 100644 --- a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml +++ b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml 
@@ -9,7 +9,8 @@ services: # - /etc/grid-security/hostcert.pem:/etc/grid-security/hostcert.pem # - /etc/grid-security/hostkey.pem:/etc/grid-security/hostkey.pem - /opt/rucio/etc:/opt/rucio/etc -# - /var/log/rucio:/var/log/rucio # use docker-compose logs instead? or reroute to avoid space clogging/easier cleanup? + # comment out the following to use docker compose logs only. This logs to the host system, when we have space + - /var/log/rucio:/var/log/rucio environment: - RUCIO_ENABLE_SSL=True - RUCIO_HOSTNAME=${LDCS_RUCIO_FQDN} 
@@ -29,29 +30,32 @@ services: volumes: - vol-ruciodb-data:/var/lib/postgresql/data rucio-daemons-abacus: - image: rucio/rucio-daemons + image: rucio/rucio-daemons:release-1.21.6 volumes: - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg -# - /var/log/rucio:/var/log/rucio # use docker-compose logs instead + # comment out the following to use docker compose logs only. This logs to the host system, when we have space + - /var/log/rucio:/var/log/rucio environment: - RUCIO_DAEMON=abacus-rse - RUCIO_ENABLE_LOGS=True rucio-daemons-reaper: - image: rucio/rucio-daemons + image: rucio/rucio-daemons:release-1.21.6 volumes: - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg - /home/almalinux/act/ldmx.long.proxy.root:/opt/rucio/etc/x509 - /etc/grid-security/certificates:/etc/grid-security/certificates -# - /var/log/rucio:/var/log/rucio # use docker-compose logs instead + # comment out the following to use docker compose logs only. This logs to the host system, when we have space + - /var/log/rucio:/var/log/rucio environment: - RUCIO_DAEMON=reaper - RUCIO_ENABLE_LOGS=True - X509_USER_PROXY=/opt/rucio/etc/x509 rucio-daemons-undertaker: - image: rucio/rucio-daemons + image: rucio/rucio-daemons:release-1.21.6 volumes: - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg -# - /var/log/rucio:/var/log/rucio # use docker-compose logs instead ? + # comment out the following to use docker compose logs only. This logs to the host system, when we have space + - /var/log/rucio:/var/log/rucio environment: - RUCIO_DAEMON=undertaker - RUCIO_ENABLE_LOGS=True From 3205a426ab18362458d3fc7ff2053efba1a9f011 Mon Sep 17 00:00:00 2001 
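Review bot: Pinning `rucio/rucio-daemons:release-1.21.6` removes the floating `latest`, but a tag is still mutable on the registry and can be re-pushed with different contents; for the reaper, which handles a proxy credential, it is worth pinning the digest too, `image: rucio/rucio-daemons:release-1.21.6@sha256:<digest from docker inspect --format '{{index .RepoDigests 0}}'>`. The same applies to `rucio/rucio-server:release-1.21.6` and `postgres:11` in the surrounding context. Three daemons now write into the same host directory `/var/log/rucio`; if they use identically named log files their output will interleave, which the comment repeated on each service could acknowledge as a known trade-off.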
From: Florido Paganelli Date: Mon, 23 Jun 2025 17:14:02 +0200 Subject: [PATCH 09/11] Upgraded to rucio version 1.26.11 - Removed WSGI configuration, seems not to be needed anymore. - Rewieved log output for both server and daemons - Changed alembic.ini to support a certain version of python3 in the containers Known issues: - abacus logs errors about not finding the database. I suspect it requires a different configuration. - sometimes daemons don't start or die abruptly. --- .../configFiles/rucio-server/alembic.ini | 4 ++- .../configFiles/rucio-server/aliases.conf | 27 ------------------- .../configFiles/rucio-server/rucio.cfg | 2 +- ...r-compose-rucioserver-postgres-daemons.yml | 13 +++++---- 4 files changed, 10 insertions(+), 36 deletions(-) delete mode 100644 maintenance/configFiles/rucio-server/aliases.conf diff --git a/maintenance/configFiles/rucio-server/alembic.ini b/maintenance/configFiles/rucio-server/alembic.ini index 0163e1c..984f1d6 100644 --- a/maintenance/configFiles/rucio-server/alembic.ini +++ b/maintenance/configFiles/rucio-server/alembic.ini @@ -15,7 +15,9 @@ [alembic] # path to migration scripts -script_location = /usr/lib/python2.7/site-packages/rucio/db/sqla/migrate_repo/ +#script_location = /usr/lib/python2.7/site-packages/rucio/db/sqla/migrate_repo/ +# Attempt to switch to newer version... +script_location = /usr/local/lib/python3.6/site-packages/rucio/db/sqla/migrate_repo/ # template used to generate migration files # file_template = %%(rev)s_%%(slug)s diff --git a/maintenance/configFiles/rucio-server/aliases.conf b/maintenance/configFiles/rucio-server/aliases.conf deleted file mode 100644 index a456b6c..0000000 --- a/maintenance/configFiles/rucio-server/aliases.conf +++ /dev/null 
@@ -1,27 +0,0 @@ -# LDCS: this file should be placed in -# /opt/rucio/etc - -WSGIScriptAlias /ping /usr/lib/python2.7/site-packages/rucio/web/rest/ping.py -WSGIScriptAlias /accounts /usr/lib/python2.7/site-packages/rucio/web/rest/account.py -WSGIScriptAlias /accountlimits /usr/lib/python2.7/site-packages/rucio/web/rest/account_limit.py -#WSGIScriptAlias /auth /usr/lib/python2.7/site-packages/rucio/web/rest/authentication.py process-group=rucio application-group=rucio -WSGIScriptAlias /auth /usr/lib/python2.7/site-packages/rucio/web/rest/authentication.py -WSGIScriptAlias /config /usr/lib/python2.7/site-packages/rucio/web/rest/config.py -WSGIScriptAlias /dids /usr/lib/python2.7/site-packages/rucio/web/rest/did.py -WSGIScriptAlias /export /usr/lib/python2.7/site-packages/rucio/web/rest/exporter.py -WSGIScriptAlias /identities /usr/lib/python2.7/site-packages/rucio/web/rest/identity.py -WSGIScriptAlias /import /usr/lib/python2.7/site-packages/rucio/web/rest/importer.py -WSGIScriptAlias /heartbeats /usr/lib/python2.7/site-packages/rucio/web/rest/heartbeat.py -WSGIScriptAlias /locks /usr/lib/python2.7/site-packages/rucio/web/rest/lock.py -WSGIScriptAlias /meta /usr/lib/python2.7/site-packages/rucio/web/rest/meta.py -WSGIScriptAlias /ping /usr/lib/python2.7/site-packages/rucio/web/rest/ping.py -WSGIScriptAlias /redirect /usr/lib/python2.7/site-packages/rucio/web/rest/redirect.py -WSGIScriptAlias /replicas /usr/lib/python2.7/site-packages/rucio/web/rest/replica.py -WSGIScriptAlias /requests /usr/lib/python2.7/site-packages/rucio/web/rest/request.py -WSGIScriptAlias /rses /usr/lib/python2.7/site-packages/rucio/web/rest/rse.py -WSGIScriptAlias /rules /usr/lib/python2.7/site-packages/rucio/web/rest/rule.py -WSGIScriptAlias /scopes /usr/lib/python2.7/site-packages/rucio/web/rest/scope.py -WSGIScriptAlias /subscriptions /usr/lib/python2.7/site-packages/rucio/web/rest/subscription.py -WSGIScriptAlias /objectstores /usr/lib/python2.7/site-packages/rucio/web/rest/objectstore.py 
-WSGIScriptAlias /lifetime_exceptions /usr/lib/python2.7/site-packages/rucio/web/rest/lifetime_exception.py - diff --git a/maintenance/configFiles/rucio-server/rucio.cfg b/maintenance/configFiles/rucio-server/rucio.cfg index e78944e..40f6a09 100644 --- a/maintenance/configFiles/rucio-server/rucio.cfg +++ b/maintenance/configFiles/rucio-server/rucio.cfg @@ -11,7 +11,7 @@ [common] logdir = /var/log/rucio -loglevel = WARNING +loglevel = DEBUG mailtemplatedir = /opt/rucio/etc/mail_templates [api] endpoints=accountlimits,accounts,auth,config,credentials,dids,export,heartbeats,identities,import,lifetime_exceptions,locks,meta,ping,redirect,replicas,requests,rses,rules,scopes,subscriptions diff --git a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml index 3cd2834..90a15f2 100644 --- a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml +++ b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml @@ -1,6 +1,6 @@ services: rucio-server: - image: rucio/rucio-server:release-1.21.6 + image: rucio/rucio-server:release-1.26.11 hostname: ${LDCS_RUCIO_FQDN} ports: - "443:443" 
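Review bot: `loglevel = DEBUG` in `[common]` turns on the most verbose logging for the server and all daemons in what is also the committed default configuration, and since `/var/log/rucio` is bind-mounted to the host that output now persists outside the containers. Debug-level output from the authentication and database layers is likely to include request parameters and connection details, so revert to `loglevel = WARNING` (or `INFO`) before this configuration is used beyond troubleshooting, or mark the line `# TEMPORARY: raised for the 1.26.11 upgrade, revert afterwards` so it is not forgotten. The commit message already records daemon crashes and abacus database errors as known issues; the temporary log level belongs with those notes rather than silently in the default.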
@@ -9,15 +9,14 @@ services: # - /etc/grid-security/hostcert.pem:/etc/grid-security/hostcert.pem # - /etc/grid-security/hostkey.pem:/etc/grid-security/hostkey.pem - /opt/rucio/etc:/opt/rucio/etc - # comment out the following to use docker compose logs only. This logs to the host system, when we have space - - /var/log/rucio:/var/log/rucio + # Added for rucio logs according to https://rucio.github.io/documentation/operator/installing_server + - /var/log/rucio/httpd:/var/log/httpd environment: - RUCIO_ENABLE_SSL=True - RUCIO_HOSTNAME=${LDCS_RUCIO_FQDN} - RUCIO_CFG_DATABASE_DEFAULT=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@ruciodb/${POSTGRES_DB} - RUCIO_CA_PATH=/etc/grid-security/certificates - RUCIO_ENABLE_LOGFILE=True - - RUCIO_DEFINE_ALIASES=True ruciodb: image: postgres:11 environment: @@ -30,7 +29,7 @@ services: volumes: - vol-ruciodb-data:/var/lib/postgresql/data rucio-daemons-abacus: - image: rucio/rucio-daemons:release-1.21.6 + image: rucio/rucio-daemons:release-1.26.11 volumes: - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg # comment out the following to use docker compose logs only. This logs to the host system, when we have space @@ -39,7 +38,7 @@ services: - RUCIO_DAEMON=abacus-rse - RUCIO_ENABLE_LOGS=True rucio-daemons-reaper: - image: rucio/rucio-daemons:release-1.21.6 + image: rucio/rucio-daemons:release-1.26.11 volumes: - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg - /home/almalinux/act/ldmx.long.proxy.root:/opt/rucio/etc/x509 @@ -51,7 +50,7 @@ services: - RUCIO_ENABLE_LOGS=True - X509_USER_PROXY=/opt/rucio/etc/x509 rucio-daemons-undertaker: - image: rucio/rucio-daemons:release-1.21.6 + image: rucio/rucio-daemons:release-1.26.11 volumes: - /opt/rucio/etc/rucio.cfg:/opt/rucio/etc/rucio.cfg # comment out the following to use docker compose logs only. This logs to the host system, when we have space From 4fede7e2811ebfae34f2110b6253d0cad26dab3b Mon Sep 17 00:00:00 2001 
From: Florido Paganelli Date: Mon, 6 Oct 2025 14:32:30 +0200 Subject: [PATCH 10/11] Definine compose dependencies and restart policies --- ...r-compose-rucioserver-postgres-daemons.yml | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml index 90a15f2..ceb515d 100644 --- a/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml +++ b/maintenance/docker/LDCS-rucio/docker-compose-rucioserver-postgres-daemons.yml @@ -17,6 +17,9 @@ services: - RUCIO_CFG_DATABASE_DEFAULT=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@ruciodb/${POSTGRES_DB} - RUCIO_CA_PATH=/etc/grid-security/certificates - RUCIO_ENABLE_LOGFILE=True + depends_on: + - ruciodb + restart: unless-stopped ruciodb: image: postgres:11 environment: @@ -28,6 +31,7 @@ services: command: ["-c", "fsync=off","-c", "synchronous_commit=off","-c", "full_page_writes=off"] volumes: - vol-ruciodb-data:/var/lib/postgresql/data + restart: unless-stopped rucio-daemons-abacus: image: rucio/rucio-daemons:release-1.26.11 volumes: @@ -37,6 +41,10 @@ services: environment: - RUCIO_DAEMON=abacus-rse - RUCIO_ENABLE_LOGS=True + depends_on: + - ruciodb + - rucio-server + restart: unless-stopped rucio-daemons-reaper: image: rucio/rucio-daemons:release-1.26.11 volumes: @@ -49,6 +57,10 @@ services: - RUCIO_DAEMON=reaper - RUCIO_ENABLE_LOGS=True - X509_USER_PROXY=/opt/rucio/etc/x509 + depends_on: + - ruciodb + - rucio-server + restart: unless-stopped rucio-daemons-undertaker: image: rucio/rucio-daemons:release-1.26.11 volumes: 
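Review bot: `depends_on: - ruciodb` only orders container start-up; it does not wait for PostgreSQL to accept connections, so on a cold boot `rucio-server` and the daemons will try the database before it is ready and, with `restart: unless-stopped`, loop through failures until it is. Give `ruciodb` a health check and make the dependents wait on it with the long-form `depends_on` syntax, as sketched below. `restart: unless-stopped` also restarts a container with a broken configuration indefinitely; the health check at least makes the state visible in `docker compose ps`. The `rucio-daemons-undertaker` service is changed by this commit in a later hunk and needs the same `condition: service_healthy`.
```yaml
  rucio-server:
    # … unchanged: image, hostname, ports, volumes, environment …
    depends_on:
      ruciodb:
        condition: service_healthy
    restart: unless-stopped
  ruciodb:
    # … unchanged: image, environment, ports, command, volumes …
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
      interval: 10s
      timeout: 5s
      retries: 5
    restart: unless-stopped
```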
@@ -56,8 +68,12 @@ services: # comment out the following to use docker compose logs only. This logs to the host system, when we have space - /var/log/rucio:/var/log/rucio environment: - - RUCIO_DAEMON=undertaker - - RUCIO_ENABLE_LOGS=True + - RUCIO_DAEMON=undertaker + - RUCIO_ENABLE_LOGS=True + depends_on: + - ruciodb + - rucio-server + restart: unless-stopped volumes: vol-ruciodb-data: From bd6917b96baef3023377ffb6e63515ca51561937 Mon Sep 17 00:00:00 2001 From: Florido Paganelli Date: Thu, 9 Oct 2025 13:48:37 +0200 Subject: [PATCH 11/11] Helper files to create/ship the certficate bundle using tar --- maintenance/tools/CAtools/README.md | 2 ++ maintenance/tools/CAtools/excludelist | 3 +++ maintenance/tools/CAtools/setenv.sh | 6 ++++++ 3 files changed, 11 insertions(+) create mode 100644 maintenance/tools/CAtools/excludelist create mode 100644 maintenance/tools/CAtools/setenv.sh diff --git a/maintenance/tools/CAtools/README.md b/maintenance/tools/CAtools/README.md index 1c365c6..572bd69 100644 --- a/maintenance/tools/CAtools/README.md +++ b/maintenance/tools/CAtools/README.md @@ -1 +1,3 @@ Suite of tools to manage CA and certificates + +The CA is not shared with this bundle for obvious security reasons. diff --git a/maintenance/tools/CAtools/excludelist b/maintenance/tools/CAtools/excludelist new file mode 100644 index 0000000..e639a50 --- /dev/null +++ b/maintenance/tools/CAtools/excludelist @@ -0,0 +1,3 @@ +LDCS-CA.key +*.csr +x509* diff --git a/maintenance/tools/CAtools/setenv.sh b/maintenance/tools/CAtools/setenv.sh new file mode 100644 index 0000000..a31a30f --- /dev/null +++ b/maintenance/tools/CAtools/setenv.sh @@ -0,0 +1,6 @@ +# This script can be used to initialize the user environment for testing. +basedir=$(dirname `readlink -f -- ${BASH_SOURCE:-$_}`) +export X509_USER_CERT="$basedir/usercert.pem" +export X509_USER_KEY="$basedir/userkey.pem" +export X509_USER_PROXY="$basedir/userproxy.pem" +export X509_CERT_DIR="$basedir/certificates"
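Review bot: The exclude list keeps `LDCS-CA.key`, the CSRs and the x509v3 config snippets out of the tar bundle, but not the other private keys the sibling scripts produce — `<hostname>.key` from generatehostcert.sh and `userkey-*.key` from generateusercerts.sh — so a bundle built from the CA working directory would ship every host and user key to every recipient. If the bundle is meant to carry only public material plus one recipient's own key, exclude `*.key` here and add the intended key explicitly, or build each recipient's bundle from a staging directory rather than the CA directory. A one-line comment at the top of `excludelist` stating what the bundle is meant to contain would make that intent checkable.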
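Review bot: `setenv.sh` points `X509_USER_CERT` and `X509_USER_KEY` at `usercert.pem` and `userkey.pem`, but generateusercerts.sh in the same directory writes `usercert-<name>.pem` and `userkey-<name>.key`, so the environment will not match the generated files unless they are renamed by hand; either document the rename or derive the names from a parameter, e.g. `export X509_USER_KEY="$basedir/userkey-${1:-Simulation-Agent}.key"`. The `basedir` line mixes backticks with an unquoted `${BASH_SOURCE:-$_}` and an unquoted substitution; `basedir=$(dirname "$(readlink -f -- "${BASH_SOURCE[0]}")")` is the equivalent that survives paths with spaces. Since the file is meant to be sourced, a `# usage: source setenv.sh` header would stop it being executed and its exports silently lost.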