RAL default setup
xrootd-unified.cfg
###########################################################################
# This is a very simple sample configuration file sufficient to start an #
# xrootd data server using the default port 1094. This server runs by #
# itself (stand-alone) and does not assume it is part of a cluster. You #
# can then connect to this server to access files in '/tmp'. #
# Consult the reference manuals on how to create more complicated #
# configurations. #
# #
# On successful start-up you will see 'initialization completed' in the #
# last message. You can now connect to the xrootd server. #
# #
# Note: You should always create a *single* configuration file for all #
# daemons related to xrootd. #
###########################################################################
# The export directive indicates which paths are to be exported.
# Exporting a path only makes it addressable through this daemon; who may
# read or write beneath it is decided by the authorisation settings
# (ofs.authorize / acc.authdb) in this file.
#
# Allow object ids to be used
# NOTE(review): `*?` is a very broad pattern - confirm that the authdb rules
# cover every object-id style name it admits.
#
all.export *?
# Export each pool explicitly for filesystem-like path access
#
all.export /atlas:
all.export /cms:
all.export /dteam:
all.export /dune:
all.export /gen:
all.export /lhcb:
all.export /lsst:
all.export /test:
# Export the CMS namespace
#
all.export /store
# Export each pool explicitly for object-id-like path access
# (same pool names as above, without the leading slash)
#
all.export atlas:
all.export cms:
all.export dteam:
all.export dune:
all.export gen:
all.export lhcb:
all.export lsst:
all.export test:
# The adminpath and pidpath variables indicate where the pid and various
# IPC files should be placed
# NOTE(review): these directories hold the daemons' IPC endpoints - presumably
# they should be writable only by the xrootd service account; verify ownership.
#
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
# Asynchronous I/O is switched off for the xrootd protocol
xrootd.async off
# Largest buffer size: 67108864 bytes = 64 MiB
xrd.buffers maxbsz 67108864
# Site name
#
all.sitename T1_UK_RAL
# Define roles for each instance
# Every host is a server unless it is one of the two manager hosts named below.
#
all.role server
all.role manager if echo-manager02.gridpp.rl.ac.uk
all.role manager if echo-manager01.gridpp.rl.ac.uk
# Define the managers
# (cmsd port 1213 matches the `if exec cmsd` port setting in this file)
#
all.manager echo-manager02.gridpp.rl.ac.uk:1213
all.manager echo-manager01.gridpp.rl.ac.uk:1213
# Define the hosts that may connect to the cmsds
# This is an allow-list keyed on host name.
# NOTE(review): a name-based list is only as trustworthy as name resolution
# for these hosts, and no other cmsd authentication is visible in this file -
# confirm the cmsd port is also restricted at the network level, and remove
# entries promptly when a gateway is decommissioned.
#
cms.allow host echo-manager02.gridpp.rl.ac.uk
cms.allow host echo-manager01.gridpp.rl.ac.uk
cms.allow host ceph-gw14.gridpp.rl.ac.uk
cms.allow host ceph-gw15.gridpp.rl.ac.uk
cms.allow host ceph-gw16.gridpp.rl.ac.uk
cms.allow host ceph-gw4.gridpp.rl.ac.uk
cms.allow host ceph-gw5.gridpp.rl.ac.uk
cms.allow host ceph-gw6.gridpp.rl.ac.uk
cms.allow host ceph-gw7.gridpp.rl.ac.uk
cms.allow host ceph-svc01.gridpp.rl.ac.uk
cms.allow host ceph-svc02.gridpp.rl.ac.uk
cms.allow host ceph-svc03.gridpp.rl.ac.uk
cms.allow host ceph-svc05.gridpp.rl.ac.uk
cms.allow host ceph-svc07.gridpp.rl.ac.uk
cms.allow host ceph-svc08.gridpp.rl.ac.uk
cms.allow host ceph-svc09.gridpp.rl.ac.uk
cms.allow host ceph-svc11.gridpp.rl.ac.uk
cms.allow host ceph-svc13.gridpp.rl.ac.uk
cms.allow host ceph-svc14.gridpp.rl.ac.uk
cms.allow host ceph-svc15.gridpp.rl.ac.uk
cms.allow host ceph-svc17.gridpp.rl.ac.uk
cms.allow host ceph-svc18.gridpp.rl.ac.uk
cms.allow host ceph-svc20.gridpp.rl.ac.uk
cms.allow host ceph-svc21.gridpp.rl.ac.uk
cms.allow host ceph-svc22.gridpp.rl.ac.uk
cms.allow host ceph-svc23.gridpp.rl.ac.uk
cms.allow host ceph-svc24.gridpp.rl.ac.uk
cms.allow host ceph-svc25.gridpp.rl.ac.uk
cms.allow host ceph-svc26.gridpp.rl.ac.uk
# Define the main role that this host provides as a variable to use later
# This is only defined for either the isserver or ismanager variables
# NOTE(review): as written, the variable is set unconditionally, so every
# `if defined ?ismanager` test in this file succeeds - confirm this copy is
# the manager variant and that server hosts receive a different value.
#
set ismanager = true
# Configure gsi security
#
xrootd.seclib /usr/lib64/libXrdSec.so
# VOMS attributes are extracted from the client credential by libXrdVoms.so.
# NOTE(review): the trailing `dbg` in -vomsfunparms looks like a debug switch
# for the VOMS plugin - confirm it is wanted in production logs.
sec.protparm gsi -vomsfun:libXrdVoms.so -vomsfunparms:certfmt=pem|grpopt=useall|dbg
# The unix protocol carries a client-asserted identity with no cryptographic
# proof. It is loaded here, but the sec.protbind lines below offer it only to
# one named host.
sec.protocol unix
# gsi (X.509) authentication using the host certificate and key given here.
#  -crl:require   CRL checking is set to `require`; presumably authentication
#                 fails when a CA's CRL is missing or stale, so the CRL
#                 refresh job needs monitoring - confirm.
#  -gridmap / -gmapopt:trymap / -gmapto:600
#                 identity mapping via the voms-mapfile; 600 is presumably
#                 the mapping cache lifetime in seconds - confirm.
#  -dlgpxy:request -exppxy:=creds
#                 a delegated proxy is requested from the client and exposed
#                 to the server as credentials; treat it as a user secret
#                 wherever it is passed on (see the ofs.tpc directive).
#  -d:0           gsi debug output off.
# The host key file should be readable by the service account only.
sec.protocol gsi -dlgpxy:request -exppxy:=creds -crl:require -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -gridmap:/etc/grid-security/voms-mapfile -gmapopt:trymap -d:0 -gmapto:600
# ztn: token-based authentication.
# NOTE(review): ztn is expected to be usable only over TLS - check that the
# xrootd.tls setting in this file covers every client meant to use tokens.
sec.protocol ztn
# Protocol binding: all hosts are limited to ztn and gsi ...
sec.protbind * only ztn gsi
# ... except this one host, which is offered the unauthenticated unix protocol.
# NOTE(review): presumably matched on the client's resolved host name, so the
# exemption is only as strong as name resolution for that host - confirm that
# network controls back it up and that authdb grants for unix identities are
# kept minimal.
sec.protbind cta-adm.scd.rl.ac.uk unix
# Configure authorisation
# ofs.authorize switches authorisation on; rules are read from acc.authdb.
#
ofs.authorize
acc.authdb /etc/grid-security/voms-authdb
# Audit both denied and granted requests (useful for detection and for
# reconstructing access after an incident; expect a high log volume).
acc.audit deny grant
# Use VOMS for WebDAV transfers with voms-mapfile overrides:
#
http.secxtractor /usr/lib64/libXrdVoms.so
http.gridmap /etc/grid-security/voms-mapfile
# TLS
# Applied to the xrootd daemon only (not cmsd).
#
if exec xrootd
# Host certificate and private key used for TLS
xrd.tls /etc/grid-security/xrootd/hostcert.pem /etc/grid-security/xrootd/hostkey.pem
# Directory of trusted CA certificates
xrd.tlsca certdir /etc/grid-security/certificates
# NOTE(review): `capable` presumably means TLS is applied only to clients that
# announce TLS support, so older clients continue without it - confirm whether
# unencrypted root-protocol sessions are still acceptable here.
xrootd.tls capable all
# Copies the HTTP Authorization header into the `authz` CGI element so the
# token plugins can see it.
# NOTE(review): bearer tokens then travel as part of the request's opaque
# information - confirm that logs and monitoring do not record them.
http.header2cgi Authorization authz
fi
# Require the use of the xrd.tls certificates (alternative is to use manual)
#
http.httpsmode auto
# Ensure any redirect, e.g. via cmsd is done via https
#
http.selfhttps2http no
http.desthttps yes
# Configure rados connection
# NOTE(review): the parameter string presumably names the Ceph client id
# (`xrootd`) followed by striping settings - confirm against the XrdCeph
# documentation. The keyring for that client should grant only the pool
# access these gateways need.
#
ofs.osslib +cksio /usr/lib64/libXrdCeph.so xrootd@,1,8388608,67108864
ofs.xattrlib /usr/lib64/libXrdCephXattr.so
# Configure TPC
# Disable root protocol TPC as only have a single instance of xrootd running.
# Redirect any root TPC requests to the xrootd aliased hosts
# Manager instance does not do tpc
# NOTE(review): the lines above speak of disabling and redirecting
# root-protocol TPC, yet the directive below configures TPC with a transfer
# program and no redirect option - confirm which behaviour is intended.
# The transfer program is given the client's delegated gsi credential
# (fcreds ?gsi =X509_USER_PROXY); the script should be owned by root, not
# writable by the service account, and must not log or leave the proxy behind.
#
ofs.tpc cksum adler32 fcreds ?gsi =X509_USER_PROXY autorm xfr 40 pgm /etc/xrootd/xrdcp-tpc.sh
# Configure the port, both webdav and root to use 1094
#
if exec xrootd
xrd.port 1094
xrd.protocol http:1094 libXrdHttp.so
fi
# cmsd listens on 1213 (the port named in the all.manager lines)
if exec cmsd
xrd.port 1213
fi
# Name-to-name mapping
# Both the pss and ceph layers use the same TFC rules from storage.xml.
#
pss.namelib /usr/lib64/libXrdCmsTfc.so file:/etc/xrootd/storage.xml?protocol=xrootd,https,http,davs
ceph.namelib /usr/lib64/libXrdCmsTfc.so file:/etc/xrootd/storage.xml?protocol=xrootd,https,http,davs
# Trigger external checksum calculation.
# On manager, do not specify external pgm, unless you want the manager to perform the checksums (for xroot).
# The branch taken depends on whether `ismanager` has been set in this file.
#
if defined ?ismanager
xrootd.chksum max 300 adler32
else
xrootd.chksum max 100 adler32
fi
# Configure distributed file system handling.
# Here, redirect immed redirects the request to a server without performing a lookup
# (alternative would be to specify verify)
#
cms.dfs limit 0 lookup distrib mdhold 0 redirect immed retries 2
# Distribute load across all servers, subject to load-balancing information
# multiple lines are cumulative, relating to specific load requirements.
# Only used by the manager
#
# No special attachment to particular servers
cms.sched affinity none
# sum of values (excluding fuzz) should be 100
# (here: cpu 20 + runq 80 = 100)
cms.sched cpu 20 io 0 mem 0 pag 0 runq 80 space 0 fuzz 3
# don't schedule a server with load above this value
cms.sched maxload 80
# Specify how the load is reported. Only used by servers (with role server)
#
# XRootD expects this script to be constantly running, and will be restarted if no (or invalid) data is received.
# The 10s value is the interval at which xrootd expects to receive load reports from the script via stdout.
# pgm reports: system load, cpu utilization, memory utilization, paging load, network utilization
# NOTE(review): the script is run by the daemon, so it should not be writable
# by the service account or any unprivileged user - verify file ownership.
#
cms.perf int 10s pgm /etc/xrootd/xrdload.sh
# Control of load-reporting and keep alive functionality
# Only used by the cmsd managers
#
cms.ping 3 log 1 usage 2
# The time that file existence info is cached
# Only used by cmsd manager
# specify the file non- and with- existence times, respectively
# Exact values to be optimised
#
cms.fxhold 60s 1m
# Blacklisting and whitelisting; Only used by the manager nodes.
# To update the file; make a copy and then overwrite the original with it.
#
# A line separated list of DNS names to black/whitelist.
# Redirection target may also be applied:
# see https://xrootd.slac.stanford.edu/doc/dev54/cms_config.pdf
# The file is re-checked every minute (`check 1m`), so edits take effect
# without a restart. Anyone able to write it can pull servers out of
# redirection, so keep write access restricted.
#
cms.blacklist check 1m /etc/xrootd/cms.blacklist
#cms.whitelist
# Set the space query time to reasonably long value.
# this queries ceph for allocated space, which has no real meaning in server selection.
# set the min value low, so that a server is never excluded because ceph is full.
#
cms.space recalc 30 min 1g
# Specify the minimum number of servers that must be subscribed for load balancing to be effective
# This option effectively determines the server quorum necessary for the cmsd to redirect clients.
#
cms.delay servers 1
# HTTP TPC, see https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Enable_Third_Party_Copy
#
http.exthandler xrdtpc libXrdHttpTPC.so
# Copies the HTTP Authorization header into the `authz` CGI element.
# The same directive also appears inside the `if exec xrootd` TLS block of
# this file; this copy applies regardless of which daemon reads the file.
http.header2cgi Authorization authz
# Macaroons support, see: https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Macaroons_Support
# Please install libmacaroons rpm from EPEL.
#
http.exthandler xrdmacaroons libXrdMacaroons.so
# the secret must be the same on all external gateways
# the current secret can be found on keys.gridpp in /var/keys/echo-xrootd-token/,
# and should be copied into the location below, owned by xrootd:xrootd (perms 440)
# original command used to generate:
# openssl rand -base64 -out /etc/xrootd/macaroon-secret 64 (make single line)
# This is a shared symmetric key: any party holding it can presumably mint
# macaroons that every gateway accepts, so exposure on one gateway affects
# all of them. Rotation has to be rolled out to every gateway together, and
# the file should be kept out of backups and config repositories that are
# more widely readable than the file itself.
macaroons.secretkey /etc/xrootd/macaroon-secret
# `++` stacks each plugin on top of the existing authorisation chain instead
# of replacing it: SciTokens first, then Macaroons.
# NOTE(review): confirm the evaluation order and the fallback to acc.authdb
# when a request carries no token.
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so
# Provide robots file
# it is used to discourage Google search of http(s)
# User-agent: *
# Disallow: /
# (robots.txt is advisory for crawlers only; it is not an access control)
#
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
# Configure internal fstream event reporting
# details: https://wiki.e-science.cclrc.ac.uk/web1/bin/view/EScienceInternal/XrootdMonitoring
# The stream includes authentication (`auth`) and user (`user`) records and
# logical file names (`lfn`).
# NOTE(review): presumably sent as unencrypted datagrams - confirm the
# collector address is reachable only over a trusted internal network.
#
xrootd.monitor all auth fstat 10s ops lfn xfr 1 ident 1m dest fstat info user redir 172.16.105.115:9931
# Configure internal report monitoring
# details: https://stfc.atlassian.net/wiki/spaces/X/pages/24543251/Xrd+Report+Monitoring
# Summary reports are sent to the address below every minute.
#
xrd.report 172.16.105.48:9931 every 1m all
# Enable enhanced cmsd stats reporting for xrd.report
#
cms.repstats all
# Set the number of libradosstriper client pools
ceph.nbconnections 5
# Specify Buffer specific logic
# buffer size 16777216 bytes = 16 MiB
ceph.usebuffer 1
ceph.bufferiomode io
ceph.buffersize 16777216
ceph.usereadvalg 0
ceph.readvalgname passthrough
# Allow sufficient logging of macaroon generation and usage
# NOTE(review): at debug level, confirm that token material is not written
# to the logs, and that log files have restricted read access and rotation.
#
macaroons.trace debug
# Enable additional levels of logging
# NOTE(review): `all` is the most verbose setting for both components; the
# same caution about token contents in logs applies to scitokens.trace.
#
cms.trace all
scitokens.trace all
xrootd-tpc.cfg
###########################################################################
# This is a very simple sample configuration file sufficient to start an #
# xrootd data server using the default port 1094. This server runs by #
# itself (stand-alone) and does not assume it is part of a cluster. You #
# can then connect to this server to access files in '/tmp'. #
# Consult the reference manuals on how to create more complicated #
# configurations. #
# #
# On successful start-up you will see 'initialization completed' in the #
# last message. You can now connect to the xrootd server. #
# #
# Note: You should always create a *single* configuration file for all #
# daemons related to xrootd. #
###########################################################################
# The export directive indicates which paths are to be exported.
# This instance exports object ids (`*?`) and the whole namespace (`/`).
# NOTE(review): with everything exported, access control rests entirely on
# the authorisation settings (ofs.authorize / acc.authdb / ofs.authlib) in
# this file - confirm the authdb denies by default.
#
all.export *?
all.export /
# The adminpath and pidpath variables indicate where the pid and various
# IPC files should be placed
# NOTE(review): the same directories are named in xrootd-unified.cfg;
# presumably the instances are separated by instance name - verify, and keep
# the directories writable by the service account only.
#
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
# Asynchronous I/O is switched off for the xrootd protocol
xrootd.async off
# Largest buffer size: 67108864 bytes = 64 MiB
xrd.buffers maxbsz 67108864
# Site name
#
all.sitename T1_UK_RAL
# Configure gsi security
#
xrootd.seclib /usr/lib64/libXrdSec.so
# VOMS attributes are extracted from the client credential by libXrdVoms.so.
# NOTE(review): the trailing `dbg` in -vomsfunparms looks like a debug switch
# for the VOMS plugin - confirm it is wanted in production logs.
sec.protparm gsi -vomsfun:libXrdVoms.so -vomsfunparms:certfmt=pem|grpopt=useall|dbg
# The unix protocol carries a client-asserted identity with no cryptographic
# proof. It is loaded here, but the sec.protbind lines below offer it only to
# one named host.
sec.protocol unix
# gsi (X.509) authentication using the host certificate and key given here.
# CRL checking is set to `require`; a delegated proxy is requested from the
# client (-dlgpxy:request) and exposed to the server as credentials
# (-exppxy:=creds), so it must be handled as a user secret.
# Unlike xrootd-unified.cfg, no -gmapto value is given here, so the
# plugin's default applies.
# The host key file should be readable by the service account only.
sec.protocol gsi -dlgpxy:request -exppxy:=creds -crl:require -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -gridmap:/etc/grid-security/voms-mapfile -gmapopt:trymap -d:0
# Protocol binding: all hosts are limited to gsi (no token protocol on this
# instance) ...
sec.protbind * only gsi
# ... except this one host, which is offered the unauthenticated unix protocol.
# NOTE(review): presumably matched on the client's resolved host name, so the
# exemption is only as strong as name resolution for that host - confirm that
# network controls back it up.
sec.protbind cta-adm.scd.rl.ac.uk unix
# Configure authorisation
# ofs.authorize switches authorisation on; rules are read from acc.authdb.
#
ofs.authorize
acc.authdb /etc/grid-security/voms-authdb
# Audit both denied and granted requests
acc.audit deny grant
# Use VOMS for WebDAV transfers with voms-mapfile overrides:
#
http.secxtractor /usr/lib64/libXrdVoms.so
http.gridmap /etc/grid-security/voms-mapfile
# TLS
# The certificate, key and CA directory are configured for the HTTP side;
# TLS for the root protocol is explicitly switched off on this instance.
# NOTE(review): root-protocol sessions here are therefore not TLS-protected -
# confirm that only HTTPS traffic is expected on the TPC port.
#
xrd.tls /etc/grid-security/xrootd/hostcert.pem /etc/grid-security/xrootd/hostkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
xrootd.tls off
# Require the use of the xrd.tls certificates (alternative is to use manual)
#
http.httpsmode auto
# Configure rados connection
# NOTE(review): the parameter string presumably names the Ceph client id
# (`xrootd`) followed by striping settings - confirm against the XrdCeph
# documentation. The keyring for that client should grant only the pool
# access this instance needs.
#
ofs.osslib +cksio /usr/lib64/libXrdCeph.so xrootd@,1,8388608,67108864
ofs.xattrlib /usr/lib64/libXrdCephXattr.so
# Do not Configure TPC
# The tpc instance should not initiate TPC, hence the ofs.tpc directive is not included here
# Configure the port, both webdav and root to use 1095
#
if exec xrootd
xrd.port 1095
xrd.protocol http:1095 libXrdHttp.so
fi
# Name-to-name mapping
# Both the pss and ceph layers use the same TFC rules from storage.xml.
#
pss.namelib /usr/lib64/libXrdCmsTfc.so file:/etc/xrootd/storage.xml?protocol=xrootd,https,http,davs
ceph.namelib /usr/lib64/libXrdCmsTfc.so file:/etc/xrootd/storage.xml?protocol=xrootd,https,http,davs
# Trigger external checksum calculation.
#
xrootd.chksum max 100 adler32
# HTTP TPC, see https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Enable_Third_Party_Copy
#
http.exthandler xrdtpc libXrdHttpTPC.so
# Copies the HTTP Authorization header into the `authz` CGI element so the
# token plugin can see it.
# NOTE(review): bearer tokens then travel as part of the request's opaque
# information - confirm that the traces enabled in this file do not record them.
http.header2cgi Authorization authz
# Macaroons support, see: https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Macaroons_Support
# Please install libmacaroons rpm from EPEL.
#
http.exthandler xrdmacaroons libXrdMacaroons.so
# the secret must be the same on all external gateways
# the current secret can be found on keys.gridpp in /var/keys/echo-xrootd-token/,
# and should be copied into the location below, owned by xrootd:xrootd (perms 440)
# original command used to generate:
# openssl rand -base64 -out /etc/xrootd/macaroon-secret 64 (make single line)
# This is a shared symmetric key: any party holding it can presumably mint
# macaroons that every gateway accepts, so exposure on one gateway affects
# all of them, and rotation has to be rolled out to every gateway together.
macaroons.secretkey /etc/xrootd/macaroon-secret
# In future this will be the configuration, with scitokens also enabled
#ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
#ofs.authlib ++ libXrdMacaroons.so
#for now, we do this
# Macaroons is loaded as the sole authlib (no `++` stacking, no SciTokens).
# NOTE(review): confirm how requests without a macaroon fall back to the
# acc.authdb rules on this instance.
ofs.authlib libXrdMacaroons.so
# Provide robots file
# it is used to discourage Google search of http(s)
# User-agent: *
# Disallow: /
# (robots.txt is advisory for crawlers only; it is not an access control)
#
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
# Configure internal fstream event reporting
# details: https://wiki.e-science.cclrc.ac.uk/web1/bin/view/EScienceInternal/XrootdMonitoring
# The stream includes authentication (`auth`) and user (`user`) records and
# logical file names (`lfn`).
# NOTE(review): presumably sent as unencrypted datagrams - confirm the
# collector address is reachable only over a trusted internal network.
#
xrootd.monitor all auth fstat 10s ops lfn xfr 1 ident 1m dest fstat info user redir 172.16.105.115:9931
# Configure internal report monitoring
# details: https://stfc.atlassian.net/wiki/spaces/X/pages/24543251/Xrd+Report+Monitoring
# Summary reports are sent to the address below every minute.
#
xrd.report 172.16.105.48:9931 every 1m all
# Set the number of libradosstriper client pools
ceph.nbconnections 5
# Specify Buffer specific logic
# buffer size 16777216 bytes = 16 MiB
ceph.usebuffer 1
ceph.bufferiomode io
ceph.buffersize 16777216
ceph.usereadvalg 0
ceph.readvalgname passthrough
# Tracing: file open/close/delay events, storage-layer opens, xrootd
# authentication/login/redirect/stall events, and connection/TLS events.
# The auth, login and conn records are the ones most useful for detection.
# NOTE(review): confirm these logs are retained long enough for incident
# review and that read access to them is restricted.
ofs.trace open close delay
oss.trace open
xrootd.trace auth fs login redirect stall
xrd.trace conn tls