Page Comparison

...

Getting started as a new user

Account creation

1. To get set up with a Rucio account please

...

1. sent Tim an email at Rucio-Support@stfc365.onmicrosoft.com. Please include:

   • Desired Username (usually initials and surname e.g. John Doe would have jdoe)

   • Your email

   • Name of the experiment / VO you are part of

   • The subject of your eScience certificate

If you want password access we can organise a video call to explain or take sensitive information if you prefer
In Terms of testing you can join the test VO (dteam) to try Rucio as a service and its capabilities.
Please note that we are working on allowing Rucio accounts to be created and accessed with IAM services, and EGI Check-in, but currently only support x509 and password access.

1. Once our team has this information we will create you a Rucio account.

Docker container setup

1. You will then need to install a containerised client on your computer.

   • Install Docker to run the container

   • https://www.docker.com/get-started (for windows users I would recommend using WSL2)

   • Follow the docker instructions to ensure it is running correctly.

   • Using openSSL you will need to split your grid certificate bundle into the certificate and key:

   Code Block
   $ openssl pkcs12 -in <*.pfx> -out /sensible/path/usercert.pem -clcerts -nokeys $ openssl pkcs12 -in <*.pfx> -out /sensible/path/userkey.pem -nocerts -nodes

2. Run the Docker container

...

When running the block of code below please replaces all items within <> with the relevent information. This uses a Rucio container that was setup for the EGI communities.

...

1. docker compose:

Create a file called compose.yaml and fill in the details below

You will need BOTH UK eScience CA 2B can be obtained here, and the eScience ROOT obtained here.

You then need to combine them both into a file and call it ca-first.pem, this can be done like this:

curl https://cert.ca.ngs.ac.uk/530f7122.0 > ca-first.pem
curl https://cert.ca.ngs.ac.uk/7ed47087.0 >> ca-first.pem

It is important to include the full path to the usercert.pem and userkey.pem files, and the e-Science CA 2B, as well as their file extensions. Otherwise Docker seems to think they are directories which causes problems. If you still have issues, you may need to chmod 777 the usercert and userkey files.

services:
  rucio-client:
    image:
       thysk/ral-rucio-client
    environment:
       RUCIO_CFG_RUCIO_HOST=: https://multi-vo-rucio-server.gridppnubes.rlstfc.ac.uk:443
\      -e RUCIO_CFG_AUTH_HOST=: https://multi-vo-rucio-server.gridppnubes.rlstfc.ac.uk:443
 \     -e RUCIO_CFG_AUTH_TYPE=: x509_proxy
 \     -e RUCIO_CFG_CLIENT_VO=<3: CHARdtm
VO NAME LOWERCASE> \
    -e RUCIO_CFG_CLIENT_CERT=: /opt/rucio/etc/usercreds/usercert.pem
 \     -e RUCIO_CFG_CLIENT_KEY=: /opt/rucio/etc/usercreds/userkey.pem
 \     -e RUCIO_CFG_ACCOUNT=<Rucio Username> \: <account name>
      -e RUCIO_CFG_CA_CERT=: /opt/rucio/etc/web/ca-first.pem
  \     -v <PATH/TO/e-Science CA 2B>:RUCIO_CFG_CLIENT_X509_PROXY: /tmp/x509up_u1000
    volumes:
      - type: bind
        source: <path to your x509 certificate>
        target: /opt/rucio/etc/web/ca-firstusercert.pem
 \     -v <PATH/TO/YOUR/USERCERT>:/opt/rucio/etc/usercert \ type: bind
        source: <path to your x509 certificate>
       -v <PATH/TO/YOUR/USERKEY>:/opt/rucio/etc/userkey \ target: /home/user/.globus/usercert.pem
      --name=rucio-client \type:  bind
  -it \     -d egifedcloud/rucioclient:1.23.17

VO Names and Rucio abbreviations

...

Name

...

Abbreviation

...

DTeam

...

dtm

...

Square Kilometer Array Observatory

...

ska

...

Gridpp

...

gpp

This block of code may look large but it is configuring Rucio to connect to the Multi-VO Rucio at RAL, your account and VO details, where you are loading them into the container, and mounting the authentication details into the container.

The UK eScience CA 2B can be obtained here. The 3 character VO name will be provided to you when you sign up for a Rucio account.

1. Run the following commands inside the docker container to finalise set up:

$ cp /opt/rucio/etc/usercert /opt/rucio/etc/usercert.pem
$ cp /opt/rucio/etc/userkeysource: <path to your x509 key>
        target: /opt/rucio/etc/userkey.pem
$ chmod 600 /opt/rucio/etc/usercert.pem
$ chmod 400 /opt/rucio/etc/userkey.pem

Create .globus directory in your home directory and copy usercert.pem and userkey.pem to .globus:

$ mkdir ~/.globus
$ cp /opt/rucio/etc/usercert.pem ~/.globus  
$ cp
      - type:  bind
        source: <path to your x509 key>
        target: /home/user/.globus/userkey.pem
      - type: bind
        source: /home/rtt84632/rucio-client/ca-first.pem
        target: /opt/rucio/etc/web/userkeyca-first.pem ~/.globus  

...

    stdin_open: true
    tty: true

VO Names and Rucio abbreviations

Once the container is created. Inside the container run this command:

$ voms-proxy-init --voms <VO NAME>

After this you will be able to run Rucio commands.

Rucio configuration setup (advanced setup)

You need to edit the /opt/rucio/etc/rucio.cfg file, this then needs to be lightly edited to add your account name. This will then be loaded into the Rucio client.

[common]
logdir = /var/log/rucio
multi_vo = True
loglevel = INFODEBUG

[client]

rucio_host = https://multi-vo-rucio-server.gridppnubes.rlstfc.ac.uk:443
auth_host = https://multi-vo-rucio-server.gridppnubes.rlstfc.ac.uk:443
vo = <3 character VO name><VO>
account = <your_account><ACCOUNT>
ca_cert = /opt/rucio/etc/web/ca-first.pem
auth_type = x509_proxy
#username =
#password =
client_cert = /opt/rucio/etc/usercert.pem
client_key = /opt/rucio/etc/userkey.pem
client_x509_proxy = /tmp/x509up_u1000
request_retries = 5
oidc_scope = rucio openid profile offline_access
oidc_audience = rucio
oidc_issuer = iris

You should now have a fully set up Containerised Client for your Rucio Account and VO which you can start in docker and use whenever you need it.

...