<!-- keep this as a security measure:
#uncomment if the subject should only be modifiable by the listed groups
#   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup,Main.CMSAdminGroup
#   * Set ALLOWTOPICRENAME = Main.TWikiAdminGroup,Main.CMSAdminGroup
#uncomment this if you want the page only be viewable by the listed groups
#   * Set ALLOWTOPICVIEW = Main.TWikiAdminGroup,Main.CMSAdminGroup,Main.CMSAdminReaderGroup
-->

---+ !!How to access, set up, and test your account

%TOC%

---++ Mailing lists and communication with admins and other users

   * =cms-tier3-users@lists.psi.ch=: list through which we broadcast information (e.g. about downtimes). It can also be used for discussions among users (e.g. getting help from other users). *You must subscribe to this list* using [[https://psilists.ethz.ch/sympa/info/cms-tier3-users][its web interface]] ([[https://psilists.ethz.ch/sympa/arc/cms-tier3-users][list archives]]).
   * =cms-tier3@lists.psi.ch=: Use this list to reach the Tier-3 admins, typically if you have a problem and you need help. What you write to this list is only seen by the administrators.

Both lists are read by the administrators and are archived.

---++ First Steps on T3 User Interfaces (UI)

Three identical User Interface servers (UIs) are available as login nodes for the Tier-3 cluster. You can test your programs there, submit batch jobs and do some interactive work. But production runs that inflict a heavy load on the system are not permitted, since they will impact the work of other users. Please run such jobs in the batch queues (one can also run interactively in an allocated batch slot).

%INCLUDE{"Tier3Policies" section="UisPerGroup"}%

   1. Use =ssh= to log in to one of the =t3ui0*= UI servers. You can use the =-Y= or =-X= flag if you want to work with graphical X applications. <pre>
ssh -Y YourUsername@t3ui02.psi.ch
</pre>
   1. If you are an ETHZ or UniZ user and do not have a regular PSI account, you will have to change your initial password after logging in for the first time. Modify the initial password by using the =passwd= command.
   1. Check that you can access the Storage Element through the NFS protocol by creating and deleting a test file in your user area <pre>
touch /pnfs/psi.ch/cms/trivcat/store/user/${USER}/my-first-test
rm /pnfs/psi.ch/cms/trivcat/store/user/${USER}/my-first-test
</pre>
   1. Check that you can access the NFS /work area <pre>
touch /work/${USER}/my-first-test
rm /work/${USER}/my-first-test
</pre>
   1. To set up the basics of the CMS software environment, make sure that this works for you <pre>
source ${VO_CMS_SW_DIR}/cmsset_default.sh
</pre>

---++ Access to the SE (Storage Element) - requires Grid Certificate

The following tests only apply if you own a *Grid certificate* for authentication on the LHC Grid, and if you registered that certificate with us in your account application. Also, you should register in the =chcms= VOMS group in order to get access to certain services of the Swiss Tier-2 center (see below).

   1. In order to work with resources on the WLCG grid you need to have a grid x509 certificate and a matching private key. Copy these credentials to the standard locations of =~/.globus/userkey.pem= and =~/.globus/usercert.pem= on one of the T3 user interface hosts and make sure that their permissions are properly set. The user key must NEVER be readable by any other user! <pre>
chmod 600 ~/.globus/userkey.pem
chmod 644 ~/.globus/usercert.pem
</pre>
      For details about how to extract those =.pem= files from your CERN User Grid-Certificate (usually a password-protected .p12 file) please follow [[https://twiki.cern.ch/twiki/bin/view/CMSPublic/PersonalCertificate]].
   1. Make sure that your credentials are registered with the CMS Virtual Organization (see the [[https://twiki.cern.ch/twiki/bin/view/CMSPublic/SWGuideLcgAccess#How_to_register_in_the_CMS_VO][CERN details about that]]). Otherwise, the next step will fail.
   1. Create your short-term credentials in the form of a proxy certificate with CMS extensions (valid for 168 hours): <pre>
voms-proxy-init -voms cms --valid 168:00
</pre>
      If the command fails you can run it again adding a =-debug= flag to troubleshoot the problem.
   1. Test your access to the PSI Storage Element using our =test-dCacheProtocols= testing suite <pre>
$ test-dCacheProtocols
[feichtinger@t3ui01 ~]$ ./test-dCacheProtocols
TEST: GFTP-write ...... [OK]
TEST: GFTP-ls ...... [OK]
TEST: GFTP-read ...... [OK]
TEST: DCAP-read ...... [OK]
TEST: XROOTD-LAN-write ...... [OK]
TEST: XROOTD-LAN-stat ...... [OK]
TEST: XROOTD-LAN-read ...... [OK]
TEST: XROOTD-LAN-rm ...... [OK]
TEST: XROOTD-WAN-write ...... [OK]
TEST: XROOTD-WAN-read ...... [OK]
TEST: XROOTD-WAN-rm ...... [OK]
TEST: SRMv2-write ...... [OK]
TEST: SRMv2-ls ...... [OK]
TEST: SRMv2-read ...... [OK]
TEST: SRMv2-rm ...... [OK]
</pre>
      * If a test fails, an error message will be written to the screen, and it will point you to a file containing the details of the error. Please send this together with all the information to cms-tier3@lists.psi.ch.
      * *TIP*: You can use the =-v= (verbose) flag to see the commands that the script executes. This is a good way to learn about the slightly esoteric syntax for interacting with grid storage. If you supply a =-d= flag as well, the tests will not be run, but you will be able to look at all the actions that the script would execute.
   1. Test write access to your user area on the storage element. The user area is located underneath =/pnfs/psi.ch/cms/trivcat/store/user= and has by convention your *cms hypernews name* as directory name. However, due to historic procedures, it might also be that your Tier-3 login name is used for this directory =/pnfs/psi.ch/cms/trivcat/store/user/${your_cms_name}=. E.g. <pre>
test-dCacheProtocols -l /pnfs/psi.ch/cms/trivcat/store/user/feichtinger
TEST: GFTP-write ...... [OK]
TEST: GFTP-ls ...... [OK]
TEST: GFTP-read ...... [OK]
TEST: DCAP-read ...... [OK]
TEST: XROOTD-LAN-write ...... [OK]
TEST: XROOTD-LAN-stat ...... [OK]
TEST: XROOTD-LAN-read ...... [OK]
TEST: XROOTD-LAN-rm ...... [OK]
TEST: XROOTD-WAN-write ...... [OK]
TEST: XROOTD-WAN-read ...... [OK]
TEST: XROOTD-WAN-rm ...... [OK]
TEST: SRMv2-write ...... [OK]
TEST: SRMv2-ls ...... [OK]
TEST: SRMv2-read ...... [OK]
TEST: SRMv2-rm ...... [OK]
</pre>

You may want to read about the Tier3Storage next!

---++ T3 policies

Please read and take note of our [[Tier3Policies][Policies]].

---++ Linux groups (partially OBSOLETE - needs to be revised)

Each T3 user belongs to both a primary group and a common secondary group %GREEN%cms%ENDCOLOR%; the former is meant to classify common files like the ones downloaded by the [[https://cmsweb.cern.ch/phedex/][PhEDEx]] file transfer service.
T3 primary groups are:

| *ETHZ* | *UniZ* | *PSI* |
| =ethz-ecal= | =uniz-higgs= | =psi-bphys= |
| =ethz-bphys= | =uniz-pixel= | =psi-pixel= |
| =ethz-ewk= | =uniz-bphys= | |
| =ethz-higgs= | | |
| =ethz-susy= | | |

For instance, this is the %BLUE%primary%ENDCOLOR% and the %GREEN%secondary%ENDCOLOR% group of a generic T3 account: <pre>
$ id auser
uid=571(auser) gid=532(%BLUE%ethz-higgs%ENDCOLOR%) groups=532(%BLUE%ethz-higgs%ENDCOLOR%),500(%GREEN%cms%ENDCOLOR%)
</pre>

<!-- The following output is a fragment of the private user dirs =/pnfs/psi.ch/cms/trivcat/store/user/= : <pre>
$ ls -l /pnfs/psi.ch/cms/trivcat/store/user | grep -v cms
total 56
drwxr-xr-x 2 alschmid %ORANGE%uniz-bphys%ENDCOLOR% 512 Feb 21 2013 alschmid
drwxr-xr-x 5 amarini %RED%ethz-ewk%ENDCOLOR% 512 Nov 7 15:37 amarini
drwxr-xr-x 2 arizzi %BROWN%ethz-bphys%ENDCOLOR% 512 Sep 16 17:49 arizzi
drwxr-xr-x 5 bean %TEAL%psi-bphys%ENDCOLOR% 512 Aug 24 2010 bean
drwxr-xr-x 5 bianchi %BLUE%ethz-higgs%ENDCOLOR% 512 Sep 9 09:40 bianchi
drwxr-xr-x 98 buchmann %PURPLE%ethz-susy%ENDCOLOR% 512 Nov 5 20:36 buchmann
...
</pre> -->

The T3 groups areas: =/pnfs/psi.ch/cms/trivcat/store/t3groups=

---++ Applying for the VOMS Group =/cms/chcms= membership to identify as a Swiss CMS user

VOMS is the Virtual Organisation Management System that is used to manage the CMS groups and roles. Users are identified by their grid certificate. We manage the 'Swiss' VOMS Group =/cms/chcms=. If you run with these added credentials, you can get additional benefits when running on our national Tier-2 *T2_CH_CSCS*:

   * write access to directories under =/store/user= and =/store/group=. This area is reserved for associated users. All others need to place files in =/store/temp/user= where they get cleaned regularly.
   * currently not active, but we can activate it if needed
   * higher priority on the T2_CH_CSCS batch queues
   * additional job slots on the T2_CH_CSCS batch queues

To request membership in our VOMS group, visit the CMS VOMS page at https://voms2.cern.ch:8443/voms/cms/group/edit.action?groupId=5. You must have your grid certificate loaded in your browser, otherwise VOMS cannot recognize you!

---+++ Creating a valid proxy certificate with the right chcms attributes

In order to get correctly mapped to a Swiss user account at our Tier-2, you need to create your proxy certificate using a =-voms= flag similar to this <pre>
voms-proxy-init -voms cms:/cms/chcms
</pre>

You can confirm your VOMS attributes by running <pre>
voms-proxy-info -all
subject : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=dfeich/CN=613756/CN=Derek Feichtinger/CN=1404297260
issuer : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=dfeich/CN=613756/CN=Derek Feichtinger
identity : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=dfeich/CN=613756/CN=Derek Feichtinger
type : RFC3820 compliant impersonation proxy
strength : 2048
path : /t3home/feichtinger/.x509up_u3896
timeleft : 191:59:42
key usage : Digital Signature, Key Encipherment
=== VO cms extension information ===
VO : cms
subject : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=dfeich/CN=613756/CN=Derek Feichtinger
issuer : /DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch
%BLUE%attribute : /cms/chcms/Role=NULL/Capability=NULL%ENDCOLOR%
attribute : /cms/Role=NULL/Capability=NULL
timeleft : 24:59:41
uri : voms-cms-auth.app.cern.ch:15000
</pre>

Make sure that the chcms attribute =%BLUE%/cms/chcms%ENDCOLOR%/Role=NULL/Capability=NULL= appears before the attribute for the standard CMS membership =%BLUE%/cms%ENDCOLOR%/Role=NULL/Capability=NULL= in that listing! Your chcms-prioritized proxy certificate will be accepted as a normal CMS proxy certificate when accessing other grid services; there should be no conflicts.
Note that it is possible to ask for multiple attributes and roles with a single =voms-proxy-init= command! The order of the resulting attributes will reflect the order you gave on the command line, and our grid site will map you with the first attribute that matches one of our rules. So, e.g. if you had created your proxy by =voms-proxy-init -voms cms:/cms -voms cms:/cms/chcms=, then the mapping to a normal CMS user without special rights would take precedence.

---+++ Testing write access to T2_CH_CSCS as a Swiss user

Having created your grid proxy with the correct =chcms= attribute, as described above, execute the following line from one of our Tier-3 login nodes. =${USER}= should be your CMS name (usually the CERN login name also used on lxplus)! <pre>
gfal-copy file:///t3home/T3-INFO/USER-SPACE-ACCOUNTING root://storage01.lcg.cscs.ch:1096/pnfs/lcg.cscs.ch/cms/trivcat/store/chcms-user-test/test-${USER}
</pre>

If you get a permission denied error, test whether you are allowed to write to the space that is open for writing to all CMS users <pre>
gfal-copy file:///t3home/T3-INFO/USER-SPACE-ACCOUNTING root://storage01.lcg.cscs.ch:1096/pnfs/lcg.cscs.ch/cms/trivcat/store/temp/user/test-${USER}
</pre>

If only the latter test succeeds, there is still a problem with your chcms membership or the mapping. Please contact us on the admin mailing list.
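
When only the second copy succeeds, the attribute order described above is worth ruling out first. The following is an added example, not part of the original page or of the Tier-3 tooling: it reads the text of =voms-proxy-info -all= on standard input and reports whether =/cms/chcms= is the first attribute. The function names, the exit codes and the sample output (with a hypothetical DN) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the Tier-3 site's tooling: check VOMS attribute order.
# Both functions read `voms-proxy-info -all` text on stdin, so they also work
# on saved output. Real use: voms-proxy-info -all | chcms_is_primary

# Print the first "attribute" value inside the "=== VO ... ===" section.
first_fqan() {
    awk '
        /^=== VO .* extension information ===/ { in_vo = 1; next }
        in_vo && !seen && /^attribute[ \t]*:/ {
            sub(/^attribute[ \t]*:[ \t]*/, ""); print; seen = 1
        }'
}

# Exit status 0: /cms/chcms is listed first.
# Exit status 1: some other attribute is listed first.
# Exit status 2: the proxy carries no VOMS attributes at all.
chcms_is_primary() {
    fqan=$(first_fqan)
    case "$fqan" in
        /cms/chcms/Role=*) return 0 ;;
        "") echo "no VOMS attributes found in proxy" >&2; return 2 ;;
        *)  echo "first attribute is $fqan" >&2; return 1 ;;
    esac
}

# Constructed sample output (hypothetical DN) listing the given groups in order.
sample_info() {
    echo "subject : /DC=org/DC=example/CN=constructed-user/CN=1234567890"
    echo "timeleft : 167:59:42"
    if [ "$#" -gt 0 ]; then
        echo "=== VO cms extension information ==="
        echo "VO : cms"
        for group in "$@"; do
            echo "attribute : $group/Role=NULL/Capability=NULL"
        done
        echo "timeleft : 24:59:41"
    fi
}

# Demo: correct order, the reversed order from the text, and a plain proxy.
for order in "/cms/chcms /cms" "/cms /cms/chcms" ""; do
    # $order is left unquoted on purpose: one argument per group
    if sample_info $order | chcms_is_primary 2>/dev/null; then
        echo "[$order] chcms first"
    else
        echo "[$order] check failed with status $?"
    fi
done
```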
---++ Optional Initial Setups (partially obsolete)

---+++ local Anaconda/Conda installation

You can take the following steps to add Anaconda:

   * Only once: <pre>
cd /work/${USER}/
wget https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh
sh Miniconda3-latest-Linux-x86_64.sh -b -p ./miniconda3
rm Miniconda3-latest-Linux-x86_64.sh
</pre>
   * Every time you use this conda environment: =export PATH=${PWD}/miniconda3/bin:${PATH}= or =export PATH=/work/${USER}/miniconda3/bin:${PATH}=

---+++ Installing the CERN CA files into your Web Browser

Install the [[https://cafiles.cern.ch/cafiles/][CERN CA files]] in your web browser; otherwise the browser might constantly bother you about all the CERN =https://= URLs. Web browsers typically include many well-known [[https://en.wikipedia.org/wiki/Certificate_authority][CA files]] by default, but not the CERN CA files.
Topic revision: r78 - 2023-08-25 - DerekFeichtinger
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.