...
Getting started as a new user
Account creation
To get set up with a Rucio account please
...
send Tim an email at Rucio-Support@stfc365.onmicrosoft.com. Please include:
Desired Username (usually initials and surname e.g. John Doe would have jdoe)
Your email
Name of the experiment / VO you are part of
The subject of your eScience certificate
If you want password access, we can organise a video call to explain or to take sensitive information, if you prefer.
In terms of testing, you can join the test VO (dteam) to try Rucio as a service and explore its capabilities.
Please note that we are working on allowing Rucio accounts to be created and accessed with IAM services, and EGI Check-in, but currently only support x509 and password access.
Once our team has this information we will create you a Rucio account.
Docker container setup
You will then need to install a containerised client on your computer.
Install Docker to run the container
https://www.docker.com/get-started (for Windows users I would recommend using WSL2)
Follow the Docker instructions to ensure it is running correctly.
Using OpenSSL, you will need to split your grid certificate bundle into the certificate and key:
Code Block |
---|
$ openssl pkcs12 -in <*.pfx> -out /sensible/path/usercert.pem -clcerts -nokeys
$ openssl pkcs12 -in <*.pfx> -out /sensible/path/userkey.pem -nocerts -nodes |
Run the Docker container
...
When running the block of code below, please replace all items within <> with the relevant information. This uses a Rucio container that was set up for the EGI communities.
...
docker compose:
Create a file called compose.yaml and fill in the details below.
You will need BOTH the UK eScience CA 2B, which can be obtained here, and the eScience ROOT, which can be obtained here.
You then need to combine them both into a single file called ca-first.pem, which can be done like this:
Code Block |
---|
curl https://cert.ca.ngs.ac.uk/530f7122.0 > ca-first.pem
curl https://cert.ca.ngs.ac.uk/7ed47087.0 >> ca-first.pem |
It is important to include the full path to the usercert.pem and userkey.pem files, and the e-Science CA 2B, as well as their file extensions. Otherwise Docker seems to think they are directories, which causes problems. If you still have issues, you may need to chmod 777 the usercert and userkey files.
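A pre-flight check for the three files that compose.yaml bind-mounts, covering the directory problem and the chmod 777 fallback described above. This is an added example, not part of the original page; the function name `preflight` and the expectation of exactly two certificates in ca-first.pem (one per download) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the three files compose.yaml bind-mounts.

# Group/other permission characters of a file, e.g. "------" or "rwxrwx".
group_other_perms() {
    ls -ld "$1" | cut -c5-10
}

# preflight CERT KEY CA_BUNDLE
# Prints one line per finding; returns 0 only if nothing would break the mount.
preflight() {
    cert=$1; key=$2; ca=$3; rc=0
    for f in "$cert" "$key" "$ca"; do
        case $f in
            /*) ;;
            *) echo "error: not a full path: $f"; rc=1 ;;
        esac
        if [ -d "$f" ]; then
            echo "error: $f is a directory, not a file"; rc=1
        elif [ ! -f "$f" ]; then
            echo "error: $f does not exist"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # The pkcs12 split should leave the certificate and key in separate files.
    grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "error: no certificate in $cert"; rc=1; }
    if grep -q 'PRIVATE KEY' "$cert"; then
        echo "error: $cert also contains a private key"; rc=1
    fi
    grep -q 'PRIVATE KEY' "$key" || { echo "error: no private key in $key"; rc=1; }

    # Assumption: each of the two CA downloads holds exactly one certificate.
    n=$(grep -c 'BEGIN CERTIFICATE' "$ca" || true)
    [ "$n" -eq 2 ] || { echo "error: $ca has $n certificates, expected 2"; rc=1; }

    # The key is written unencrypted (-nodes); report access beyond the owner.
    # Warning only, because the page allows chmod 777 as a fallback.
    perms=$(group_other_perms "$key")
    [ "$perms" = "------" ] || echo "warning: $key group/other access: $perms"
    return "$rc"
}

# Run the check when invoked as a script with three arguments.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it on the host before starting the container, passing the same three paths used as the bind-mount sources.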
Code Block |
---|
services:
  rucio-client:
    image: thysk/ral-rucio-client
    environment:
      RUCIO_CFG_RUCIO_HOST: https://multi-vo-rucio-server.nubes.stfc.ac.uk:443
      RUCIO_CFG_AUTH_HOST: https://multi-vo-rucio-server.nubes.stfc.ac.uk:443
      RUCIO_CFG_AUTH_TYPE: x509_proxy
      # 3 character VO name in lowercase, e.g. dtm for the test VO
      RUCIO_CFG_CLIENT_VO: <3 CHAR VO NAME LOWERCASE>
      RUCIO_CFG_CLIENT_CERT: /opt/rucio/etc/usercreds/usercert.pem
      RUCIO_CFG_CLIENT_KEY: /opt/rucio/etc/usercreds/userkey.pem
      RUCIO_CFG_ACCOUNT: <account name>
      RUCIO_CFG_CA_CERT: /opt/rucio/etc/web/ca-first.pem
      RUCIO_CFG_CLIENT_X509_PROXY: /tmp/x509up_u1000
    volumes:
      - type: bind
        source: <path to your x509 certificate>
        target: /opt/rucio/etc/usercert.pem
      - type: bind
        source: <path to your x509 certificate>
        target: /home/user/.globus/usercert.pem
      - type: bind
        source: <path to your x509 key>
        target: /opt/rucio/etc/userkey.pem
      - type: bind
        source: <path to your x509 key>
        target: /home/user/.globus/userkey.pem
      # full path to the ca-first.pem file created above
      - type: bind
        source: /home/rtt84632/rucio-client/ca-first.pem
        target: /opt/rucio/etc/web/ca-first.pem
    stdin_open: true
    tty: true |
This block of code may look large, but it configures Rucio to connect to the Multi-VO Rucio at RAL, sets your account and VO details, and mounts the authentication details into the container.
The 3 character VO name will be provided to you when you sign up for a Rucio account.
VO Names and Rucio abbreviations
Name | Abbreviation |
---|---|
DTeam | dtm |
Square Kilometer Array Observatory | ska |
Gridpp | gpp |
Once the container is created, run this command inside the container:
Code Block |
---|
$ voms-proxy-init --voms <VO NAME> |
After this you will be able to run Rucio commands.
Rucio configuration setup (advanced setup)
You need to edit the /opt/rucio/etc/rucio.cfg file; it only needs to be lightly edited to add your account name. This will then be loaded into the Rucio client.
Code Block |
---|
[common]
logdir = /var/log/rucio
multi_vo = True
loglevel = DEBUG

[client]
rucio_host = https://multi-vo-rucio-server.nubes.stfc.ac.uk:443
auth_host = https://multi-vo-rucio-server.nubes.stfc.ac.uk:443
vo = <VO>
account = <ACCOUNT>
ca_cert = /opt/rucio/etc/web/ca-first.pem
auth_type = x509_proxy
#username =
#password =
client_cert = /opt/rucio/etc/usercert.pem
client_key = /opt/rucio/etc/userkey.pem
client_x509_proxy = /tmp/x509up_u1000
request_retries = 5
oidc_scope = rucio openid profile offline_access
oidc_audience = rucio
oidc_issuer = iris |
You should now have a fully set up Containerised Client for your Rucio Account and VO which you can start in docker and use whenever you need it.
...