Versions Compared

...

  1. To get set up with a Rucio account please create a ticket on GGUS. Please fill in the form with a subject, description, ticket catagory - service request, priority - less urgent, and under routing information please select Assign to support unit - Rucio). Within the ticket description please sent Tim an email at Rucio-Support@stfc365.onmicrosoft.com. Please include:

    • Desired Username (usually initials and surname e.g. John Doe would have jdoe)

    • Your email

    • Name of the experiment / VO you are part of

    • The subject of your eScience certificate

...

  1. You will then need to install a containerised client on your computer.

    • Install Docker to run the container

    • https://www.docker.com/get-started (for windows users I would recommend using WSL2)

    • Follow the docker instructions to ensure it is running correctly.

    • Using openSSL you will need to split your grid certificate bundle into the certificate and key:

    Code Block
    $ openssl pkcs12 -in <*.pfx> -out /sensible/path/usercert.pem -clcerts -nokeys
    $ openssl pkcs12 -in <*.pfx> -out /sensible/path/userkey.pem -nocerts -nodes
    
  2. Run the Docker container using the following command:
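Review bot: the second openssl command in this step uses -nodes, so userkey.pem is written to disk unencrypted, and nothing in the step sets or checks its permissions. Suggest running umask 077 before the export, or adding chmod 400 /sensible/path/userkey.pem straight after it, rather than relying on defaults. It would also help to state that the .pfx passphrase no longer protects the exported key.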

...

  1. docker compose:

Create a file called compose.yaml and fill in the details below

You will need BOTH UK eScience CA 2B can be obtained here, and the eScience ROOT obtained here.

You then need to combine them both into a file and call it ca-first.pem, this can be done like this:

Code Block
curl https://cert.ca.ngs.ac.uk/530f7122.0 > ca-first.pem
curl https://cert.ca.ngs.ac.uk/7ed47087.0 >> ca-first.pem

It is important to include the full path to the usercert.pem and userkey.pem files, and the e-Science CA 2B, as well as their file extensions. Otherwise Docker seems to think they are directories which causes problems. If you still have issues, you may need to chmod 777 the usercert and userkey files.

Code Block
$ run \services:
  rucio-client:
    image:
       -ethysk/ral-rucio-client
    environment:
       RUCIO_CFG_RUCIO_HOST=: https://multi-vo-rucio-server.gridppnubes.rlstfc.ac.uk:443
\      -e RUCIO_CFG_AUTH_HOST=: https://multi-vo-rucio-server.gridppnubes.rlstfc.ac.uk:443
 \     -e RUCIO_CFG_AUTH_TYPE=: x509_proxy
 \     -e RUCIO_CFG_CLIENT_VO=<3 CHAR VO NAME LOWERCASE> \: dtm
      -e RUCIO_CFG_CLIENT_CERT=: /opt/rucio/etc/usercreds/usercert.pem
 \     -e RUCIO_CFG_CLIENT_KEY=: /opt/rucio/etc/usercreds/userkey.pem
 \     -e RUCIO_CFG_ACCOUNT=<Rucio Username> \: <account name>
      -e RUCIO_CFG_CA_CERT=: /opt/rucio/etc/web/ca-first.pem
  \     -v <PATH/TO/e-Science CA 2B.pem>:/opt/rucio/etc/web/ca-first.pem \RUCIO_CFG_CLIENT_X509_PROXY: /tmp/x509up_u1000
    volumes:
      - type: bind
        source: <path to your x509 certificate>
       -v <PATH/TO/YOUR/USERCERT.pem>: target: /opt/rucio/etc/usercert.pem
 \     -v <PATH/TO/YOUR/USERKEY.pem>:/opt/rucio/etc/userkey \ type: bind
         --name=rucio-client \
    -it \source: <path to your x509 certificate>
       -d egifedcloud/rucioclient:1.23.17
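Review bot: the advice in the paragraph before this block to chmod 777 the usercert and userkey files makes the private key readable and writable by every local user on the host, and it conflicts with the chmod 600 / chmod 400 used for the same files elsewhere on this page. If the container cannot read the bind-mounted files, suggest fixing ownership instead (the proxy path /tmp/x509up_u1000 suggests the container user is UID 1000) and keeping userkey.pem at 400. The image: entry also has no tag, unlike egifedcloud/rucioclient:1.23.17; pinning a tag or digest keeps the client reproducible.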

VO Names and Rucio abbreviations

...

Name

...

Abbreviation

...

DTeam

...

dtm

...

Square Kilometer Array Observatory

...

ska

...

Gridpp

...

gpp

This block of code may look large but it is configuring Rucio to connect to the Multi-VO Rucio at RAL, your account and VO details, where you are loading them into the container, and mounting the authentication details into the container.

The UK eScience CA 2B can be obtained here.

Download the OpenSSL certificate for /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
and append the IGTF-accredited UK eScience CA Certificates.

This can be done easily using

Code Block
curl <URL for CA 2B cert> > ca-first.pem && curl <URL for CA root cert> >> ca-first.pem

The 3 character VO name will be provided to you when you sign up for a Rucio account.

  1. Run the following commands inside the docker container to finalise set up:

Code Block
$ cp /opt/rucio/etc/usercert /opt/rucio/etc/usercert.pem
$ cp /opt/rucio/etc/userkeytarget: /home/user/.globus/usercert.pem
      - type:  bind
        source: <path to your x509 key>
        target: /opt/rucio/etc/userkey.pem
$ chmod 600 /opt/rucio/etc/usercert.pem
$ chmod 400 /opt/rucio/etc/userkey.pem

Create .globus directory in your home directory and copy usercert.pem and userkey.pem to .globus:

Code Block
$ mkdir ~/.globus
$ cp /opt/rucio/etc/usercert.pem ~/.globus  
$ cp
      - type:  bind
        source: <path to your x509 key>
        target: /home/user/.globus/userkey.pem
      - type: bind
        source: /home/rtt84632/rucio-client/ca-first.pem
        target: /opt/rucio/etc/web/userkeyca-first.pem ~/.globus  
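Review bot: the curl one-liner that builds ca-first.pem redirects whatever the server returns into the trust anchor file, so an HTTP error page or a truncated download ends up in ca-first.pem unnoticed. Suggest curl -fsS for both downloads, and checking each downloaded certificate's subject and SHA-256 fingerprint (openssl x509 -noout -subject -fingerprint -sha256) against the values published by the CA before appending it. Separately, the last bind mount hard-codes source: /home/rtt84632/rucio-client/ca-first.pem where the other mounts use placeholders; a placeholder such as <path to ca-first.pem> would match them.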

...


    stdin_open: true
    tty: true

VO Names and Rucio abbreviations

Name

Abbreviation

DTeam

dtm

Square Kilometer Array Observatory

ska

Gridpp

gpp

Once the container is created. Inside the container run this command:

Code Block
$ voms-proxy-init --voms <VO NAME>

After this you will be able to run Rucio commands.

Rucio configuration setup (advanced setup)

You need to edit the /opt/rucio/etc/rucio.cfg file, this then needs to be lightly edited to add your account name. This will then be loaded into the Rucio client.

Code Block
[common]
logdir = /var/log/rucio
multi_vo = True
loglevel = DEBUG
INFO
[client]

rucio_host = https://multi-vo-rucio-server.gridppnubes.rlstfc.ac.uk:443
auth_host = https://multi-vo-rucio-server.gridppnubes.rlstfc.ac.uk:443
vo = <3 character VO name><VO>
account = <your_account><ACCOUNT>
ca_cert = /opt/rucio/etc/web/ca-first.pem
auth_type = x509_proxy
#username =
#password =
client_cert = /opt/rucio/etc/usercert.pem
client_key = /opt/rucio/etc/userkey.pem
client_x509_proxy = /tmp/x509up_u1000
request_retries = 5
oidc_scope = rucio openid profile offline_access
oidc_audience = rucio
oidc_issuer = iris

You should now have a fully set up Containerised Client for your Rucio Account and VO which you can start in docker and use whenever you need it.

...