RAL default setup

xrootd-unified.cfg

###########################################################################
# This is a very simple sample configuration file sufficient to start an  #
# xrootd data server using the default port 1094. This server runs by     #
# itself (stand-alone) and does not assume it is part of a cluster. You   #
# can then connect to this server to access files in '/tmp'.              #
# Consult the reference manuals on how to create more complicated         #
# configurations.                                                         #
#                                                                         #
# On successful start-up you will see 'initialization completed' in the   #
# last message. You can now connect to the xrootd server.                 #
#                                                                         #
# Note: You should always create a *single* configuration file for all    #
# daemons related to xrootd.                                              #
###########################################################################

# NOTE(review): the banner above is the stock sample header. The directives
# below do not describe a stand-alone '/tmp' server: they define manager and
# server roles, two cmsd managers and a set of named pool exports.

# The export directive indicates which paths are to be exported
#
# Allow object ids to be used
#
all.export *?

# Export each pool explicitly for filesystem-like path access
#
all.export /atlas:
all.export /cms:
all.export /dteam:
all.export /dune:
all.export /gen:
all.export /lhcb:
all.export /lsst:
all.export /test:

# Export the CMS namespace
#
all.export /store

# Export each pool explicitly for object-id-like path access
#
all.export atlas:
all.export cms:
all.export dteam:
all.export dune:
all.export gen:
all.export lhcb:
all.export lsst:
all.export test:

# The adminpath and pidpath variables indicate where the pid and various
# IPC files should be placed
#
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd

xrootd.async off
xrd.buffers maxbsz 67108864

# Site name
#
all.sitename T1_UK_RAL

# Define roles for each instance
# Every host is a server unless its name matches one of the manager lines.
#
all.role server
all.role manager if echo-manager02.gridpp.rl.ac.uk
all.role manager if echo-manager01.gridpp.rl.ac.uk

# Define the managers
#
all.manager echo-manager02.gridpp.rl.ac.uk:1213
all.manager echo-manager01.gridpp.rl.ac.uk:1213

# Define the hosts that may connect to the cmsds
# NOTE(review): this is an allow-list by host name, so it is only as strong
# as the name resolution the cmsd relies on. Remove decommissioned gateways
# from the list when they are retired.
#
cms.allow host echo-manager02.gridpp.rl.ac.uk
cms.allow host echo-manager01.gridpp.rl.ac.uk
cms.allow host ceph-gw14.gridpp.rl.ac.uk
cms.allow host ceph-gw15.gridpp.rl.ac.uk
cms.allow host ceph-gw16.gridpp.rl.ac.uk
cms.allow host ceph-gw4.gridpp.rl.ac.uk
cms.allow host ceph-gw5.gridpp.rl.ac.uk
cms.allow host ceph-gw6.gridpp.rl.ac.uk
cms.allow host ceph-gw7.gridpp.rl.ac.uk
cms.allow host ceph-svc01.gridpp.rl.ac.uk
cms.allow host ceph-svc02.gridpp.rl.ac.uk
cms.allow host ceph-svc03.gridpp.rl.ac.uk
cms.allow host ceph-svc05.gridpp.rl.ac.uk
cms.allow host ceph-svc07.gridpp.rl.ac.uk
cms.allow host ceph-svc08.gridpp.rl.ac.uk
cms.allow host ceph-svc09.gridpp.rl.ac.uk
cms.allow host ceph-svc11.gridpp.rl.ac.uk
cms.allow host ceph-svc13.gridpp.rl.ac.uk
cms.allow host ceph-svc14.gridpp.rl.ac.uk
cms.allow host ceph-svc15.gridpp.rl.ac.uk
cms.allow host ceph-svc17.gridpp.rl.ac.uk
cms.allow host ceph-svc18.gridpp.rl.ac.uk
cms.allow host ceph-svc20.gridpp.rl.ac.uk
cms.allow host ceph-svc21.gridpp.rl.ac.uk
cms.allow host ceph-svc22.gridpp.rl.ac.uk
cms.allow host ceph-svc23.gridpp.rl.ac.uk
cms.allow host ceph-svc24.gridpp.rl.ac.uk
cms.allow host ceph-svc25.gridpp.rl.ac.uk
cms.allow host ceph-svc26.gridpp.rl.ac.uk

# Define the main role that this host provides as a variable to use later
# This is only defined for either the isserver or ismanager variables
# (this copy of the file sets ismanager; it is tested by the
# 'if defined ?ismanager' block in the checksum section below)
#
set ismanager = true

# Configure gsi security
#
# Three protocols are loaded: unix, gsi and ztn. The protbind lines decide
# which of them a given client host is offered.
#
# NOTE(review): unix carries no cryptographic proof of identity; the client
# states its own user name. As written it is offered only to
# cta-adm.scd.rl.ac.uk, and every other host is limited to ztn and gsi.
# Keep that binding to the single host and check that the authdb grants the
# resulting identities no more than that host needs.
#
# NOTE(review): ztn carries bearer tokens, so it depends on the TLS settings
# in the TLS section below.
#
# gsi options: -crl:require makes CRL checking mandatory, so the CRLs on
# this host have to be kept current or valid clients will be refused.
# -gmapopt:trymap presumably lets a client through with an unmapped identity
# when no voms-mapfile entry matches; confirm the authdb gives such
# identities nothing. -gmapto:600 is presumably the gridmap cache lifetime
# in seconds; verify.
# hostkey.pem is the service private key and should be readable by the
# xrootd user only.
#
xrootd.seclib /usr/lib64/libXrdSec.so
sec.protparm gsi -vomsfun:libXrdVoms.so -vomsfunparms:certfmt=pem|grpopt=useall|dbg
sec.protocol unix
sec.protocol gsi -dlgpxy:request -exppxy:=creds -crl:require -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -gridmap:/etc/grid-security/voms-mapfile -gmapopt:trymap -d:0 -gmapto:600
sec.protocol ztn
sec.protbind * only ztn gsi
sec.protbind cta-adm.scd.rl.ac.uk unix

# Configure authorisation
# ofs.authorize turns authorisation on; the rules come from the authdb file.
# acc.audit deny grant records both refused and granted requests, which is
# what you want when reconstructing who accessed what.
#
ofs.authorize
acc.authdb /etc/grid-security/voms-authdb
acc.audit deny grant

# Use VOMS for WebDAV transfers with voms-mapfile overrides:
#
http.secxtractor /usr/lib64/libXrdVoms.so
http.gridmap /etc/grid-security/voms-mapfile

# TLS
# Applies to the xrootd daemon only (not cmsd). The host certificate and key
# are the same files the gsi protocol uses above.
# http.header2cgi copies the HTTP Authorization header into the 'authz' CGI
# element, presumably so the token plugins can read it.
# NOTE(review): the same header2cgi line appears again in the HTTP TPC
# section below. Because the header value travels as CGI, check that request
# URLs/opaque data are not written to logs at the trace levels enabled at
# the end of this file.
#
if exec xrootd
xrd.tls /etc/grid-security/xrootd/hostcert.pem /etc/grid-security/xrootd/hostkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
xrootd.tls capable all
http.header2cgi Authorization authz
fi

# Require the use of the xrd.tls certificates (alternative is to use manual)
#
http.httpsmode auto

# Ensure any redirect, e.g. via cmsd is done via https
# (keeps credentials sent by the client after a redirect off plain http)
#
http.selfhttps2http no
http.desthttps yes

# Configure rados connection
#
ofs.osslib +cksio /usr/lib64/libXrdCeph.so xrootd@,1,8388608,67108864
ofs.xattrlib /usr/lib64/libXrdCephXattr.so

# Configure TPC
# Disable root protocol TPC as only have a single instance of xrootd running.
# Redirect any root TPC requests to the xrootd aliased hosts
# Manager instance does not do tpc
#
# NOTE(review): the lines above talk about disabling root-protocol TPC, but
# the ofs.tpc directive below is active as it appears here; confirm which is
# intended.
# NOTE(review): 'fcreds ?gsi =X509_USER_PROXY' presumably passes the
# client's delegated gsi credential to the pgm script, so that script runs
# while holding user proxies. Keep /etc/xrootd/xrdcp-tpc.sh and its
# directory writable by root only.
#
ofs.tpc cksum adler32 fcreds ?gsi =X509_USER_PROXY autorm xfr 40 pgm /etc/xrootd/xrdcp-tpc.sh

# Configure the port, both webdav and root to use 1094
# (cmsd listens on 1213, matching the all.manager lines above)
#
if exec xrootd
xrd.port 1094
xrd.protocol http:1094 libXrdHttp.so
fi
if exec cmsd
xrd.port 1213
fi

# Name-to-name mapping
#
pss.namelib /usr/lib64/libXrdCmsTfc.so file:/etc/xrootd/storage.xml?protocol=xrootd,https,http,davs
ceph.namelib /usr/lib64/libXrdCmsTfc.so file:/etc/xrootd/storage.xml?protocol=xrootd,https,http,davs

# Trigger external checksum calculation.
# On manager, do not specify external pgm, unless you want the manager to perform the checksums (for xroot).
#
if defined ?ismanager
xrootd.chksum max 300 adler32
else
xrootd.chksum max 100 adler32
fi

# Configure distributed file system handling.
# Here, redirect immed redirects the request to a server without performing a lookup
# (alternative would be to specify verify)
#
cms.dfs limit 0 lookup distrib mdhold 0 redirect immed retries 2

# Distribute load across all servers, subject to load-balancing information
# multiple lines are cumulative, relating to specific load requirements.
# Only used by the manager
#
# No special attachment to particular servers
cms.sched affinity none
# sum of values (excluding fuzz) should be 100
cms.sched cpu 20 io 0 mem 0 pag 0 runq 80 space 0 fuzz 3
# don't schedule a server with load above this value
cms.sched maxload 80

# Specify how the load is reported. Only used by servers (with role server)
#
# XRootD expects this script to be constantly running, and will be restarted if no (or invalid) data is received.
# The 10s value is the interval at which xrootd expects to receive load reports from the script via stdout.
# pgm reports: system load, cpu utilization, memory utilization, paging load, network utilization
# NOTE(review): the script is executed by the daemon; keep it writable by
# root only.
#
cms.perf int 10s pgm /etc/xrootd/xrdload.sh

# Control of load-reporting and keep alive functionality
# Only used by the cmsd managers
#
cms.ping 3 log 1 usage 2

# The time that file existence info is cached
# Only used by cmsd manager
# specify the file non- and with- existence times, respectively
# Exact values to be optimised
#
cms.fxhold 60s 1m

# Blacklisting and whitelisting; Only used by the manager nodes.
# To update the file; make a copy and then overwrite the original with it.
#
# A line separated list of DNS names to black/whitelist.
# Redirection target may also be applied:
# see https://xrootd.slac.stanford.edu/doc/dev54/cms_config.pdf
#
cms.blacklist check 1m /etc/xrootd/cms.blacklist
#cms.whitelist

# Set the space query time to reasonably long value.
# this queries ceph for allocated space, which has no real meaning in server selection.
# set the min value low, so that a server is never excluded because ceph is full.
#
cms.space recalc 30 min 1g

# Specify the minimum number of servers that must be subscribed for load balancing to be effective
# This option effectively determines the server quorum necessary for the cmsd to redirect clients.
#
cms.delay servers 1

# HTTP TPC, see https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Enable_Third_Party_Copy
#
http.exthandler xrdtpc libXrdHttpTPC.so
http.header2cgi Authorization authz

# Macaroons support, see: https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Macaroons_Support
# Please install libmacaroons rpm from EPEL.
#
http.exthandler xrdmacaroons libXrdMacaroons.so

# the secret must be the same on all external gateways
# the current secret can be found on keys.gridpp in /var/keys/echo-xrootd-token/,
# and should be copied into the location below, owned by xrootd:xrootd (perms 440)
# original command used to generate:
# openssl rand -base64 -out /etc/xrootd/macaroon-secret 64 (make single line)
# NOTE(review): whoever can read this file can issue macaroons that every
# gateway sharing the secret will accept. Mode 0400 is enough if only the
# xrootd user reads it, and the secret has to be replaced on all gateways
# together if any one copy is exposed.
macaroons.secretkey /etc/xrootd/macaroon-secret

# Authorisation plugins for SciTokens and macaroons. The order of these two
# lines is kept exactly as in the original file.
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so

# Provide robots file
# it is used to discourage Google search of http(s)
# User-agent: *
# Disallow: /
# (robots.txt is advisory to crawlers only; it is not an access control)
#
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt

# Configure internal fstream event reporting
# details: https://wiki.e-science.cclrc.ac.uk/web1/bin/view/EScienceInternal/XrootdMonitoring
# NOTE(review): the stream is configured with the auth and user options and
# goes to a private (172.16.x.x) collector; keep that path on a trusted
# network.
#
xrootd.monitor all auth fstat 10s ops lfn xfr 1 ident 1m dest fstat info user redir 172.16.105.115:9931

# Configure internal report monitoring
# details: https://stfc.atlassian.net/wiki/spaces/X/pages/24543251/Xrd+Report+Monitoring
#
xrd.report 172.16.105.48:9931 every 1m all

# Enabled enhanced cmsd stats reporting for xrd.report
#
cms.repstats all

# Set the number of libradosstriper client pools
ceph.nbconnections 5

# Specify Buffer specific logic
ceph.usebuffer 1
ceph.bufferiomode io
ceph.buffersize 16777216
ceph.usereadvalg 0
ceph.readvalgname passthrough

# Allow sufficient logging of macaroon generation and usage
# NOTE(review): confirm what token material the debug level writes out, and
# restrict read access and retention on the log files accordingly.
#
macaroons.trace debug

# Enable additional levels of logging
# (the same caution applies to scitokens.trace all)
#
cms.trace all
scitokens.trace all

xrootd-tpc.cfg

###########################################################################
# This is a very simple sample configuration file sufficient to start an  #
# xrootd data server using the default port 1094. This server runs by     #
# itself (stand-alone) and does not assume it is part of a cluster. You   #
# can then connect to this server to access files in '/tmp'.              #
# Consult the reference manuals on how to create more complicated         #
# configurations.                                                         #
#                                                                         #
# On successful start-up you will see 'initialization completed' in the   #
# last message. You can now connect to the xrootd server.                 #
#                                                                         #
# Note: You should always create a *single* configuration file for all    #
# daemons related to xrootd.                                              #
###########################################################################

# NOTE(review): the banner above is the stock sample header. This instance
# listens on port 1095 and exports '/', not '/tmp' (see below).

# The export directive indicates which paths are to be exported. While the
# default is '/tmp', we indicate it anyway to show you this directive.
#
# NOTE(review): what is actually exported here is object ids ('*?') and the
# whole '/' namespace, so what a client can reach is decided by the
# authorisation settings further down, not by the export list.
#
all.export *?
all.export /

# The adminpath and pidpath variables indicate where the pid and various
# IPC files should be placed
#
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd

xrootd.async off
xrd.buffers maxbsz 67108864

# Site name
#
all.sitename T1_UK_RAL

# Configure gsi security
#
# Two protocols are loaded: unix and gsi. The protbind lines decide which of
# them a given client host is offered.
#
# NOTE(review): unix carries no cryptographic proof of identity; the client
# states its own user name. As written it is offered only to
# cta-adm.scd.rl.ac.uk, and every other host is limited to gsi. Keep that
# binding to the single host and check that the authdb grants the resulting
# identities no more than that host needs.
#
# gsi options: -crl:require makes CRL checking mandatory, so the CRLs on
# this host have to be kept current or valid clients will be refused.
# -gmapopt:trymap presumably lets a client through with an unmapped identity
# when no voms-mapfile entry matches; confirm the authdb gives such
# identities nothing.
# hostkey.pem is the service private key and should be readable by the
# xrootd user only.
#
xrootd.seclib /usr/lib64/libXrdSec.so
sec.protparm gsi -vomsfun:libXrdVoms.so -vomsfunparms:certfmt=pem|grpopt=useall|dbg
sec.protocol unix
sec.protocol gsi -dlgpxy:request -exppxy:=creds -crl:require -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -gridmap:/etc/grid-security/voms-mapfile -gmapopt:trymap -d:0
sec.protbind * only gsi
sec.protbind cta-adm.scd.rl.ac.uk unix

# Configure authorisation
# ofs.authorize turns authorisation on; the rules come from the authdb file.
# acc.audit deny grant records both refused and granted requests.
#
ofs.authorize
acc.authdb /etc/grid-security/voms-authdb
acc.audit deny grant

# Use VOMS for WebDAV transfers with voms-mapfile overrides:
#
http.secxtractor /usr/lib64/libXrdVoms.so
http.gridmap /etc/grid-security/voms-mapfile

# TLS
# The certificate, key and CA directory are still configured, but
# xrootd.tls is 'off' here.
# NOTE(review): presumably this leaves the root protocol on this instance
# without TLS while HTTPS still uses the certificate; confirm that is the
# intent.
#
xrd.tls /etc/grid-security/xrootd/hostcert.pem /etc/grid-security/xrootd/hostkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
xrootd.tls off

# Require the use of the xrd.tls certificates (alternative is to use manual)
#
http.httpsmode auto

# Configure rados connection
#
ofs.osslib +cksio /usr/lib64/libXrdCeph.so xrootd@,1,8388608,67108864
ofs.xattrlib /usr/lib64/libXrdCephXattr.so

# Do not Configure TPC
# The tpc instance should not initiate TPC, hence the ofs.tpc directive is not included here

# Configure the port; on this instance both webdav and root use 1095
#
if exec xrootd
xrd.port 1095
xrd.protocol http:1095 libXrdHttp.so
fi

# Name-to-name mapping
#
pss.namelib /usr/lib64/libXrdCmsTfc.so file:/etc/xrootd/storage.xml?protocol=xrootd,https,http,davs
ceph.namelib /usr/lib64/libXrdCmsTfc.so file:/etc/xrootd/storage.xml?protocol=xrootd,https,http,davs

# Trigger external checksum calculation.
#
xrootd.chksum max 100 adler32

# HTTP TPC, see https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Enable_Third_Party_Copy
# http.header2cgi copies the HTTP Authorization header into the 'authz' CGI
# element, presumably so the token plugin can read it.
# NOTE(review): because the header value travels as CGI, check that request
# URLs/opaque data are not written to logs at the trace levels enabled at
# the end of this file.
#
http.exthandler xrdtpc libXrdHttpTPC.so
http.header2cgi Authorization authz

# Macaroons support, see: https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Macaroons_Support
# Please install libmacaroons rpm from EPEL.
#
http.exthandler xrdmacaroons libXrdMacaroons.so

# the secret must be the same on all external gateways
# the current secret can be found on keys.gridpp in /var/keys/echo-xrootd-token/,
# and should be copied into the location below, owned by xrootd:xrootd (perms 440)
# original command used to generate:
# openssl rand -base64 -out /etc/xrootd/macaroon-secret 64 (make single line)
# NOTE(review): whoever can read this file can issue macaroons that every
# gateway sharing the secret will accept. Mode 0400 is enough if only the
# xrootd user reads it, and the secret has to be replaced on all gateways
# together if any one copy is exposed.
macaroons.secretkey /etc/xrootd/macaroon-secret

# In future this will be the configuration, with scitokens also enabled
#ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
#ofs.authlib ++ libXrdMacaroons.so
# for now, we do this
# NOTE(review): only the macaroons plugin is loaded here, and without the
# '++' form used in the commented-out lines; confirm the authdb rules above
# are still consulted in this arrangement.
ofs.authlib libXrdMacaroons.so

# Provide robots file
# it is used to discourage Google search of http(s)
# User-agent: *
# Disallow: /
# (robots.txt is advisory to crawlers only; it is not an access control)
#
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt

# Configure internal fstream event reporting
# details: https://wiki.e-science.cclrc.ac.uk/web1/bin/view/EScienceInternal/XrootdMonitoring
# NOTE(review): the stream is configured with the auth and user options and
# goes to a private (172.16.x.x) collector; keep that path on a trusted
# network.
#
xrootd.monitor all auth fstat 10s ops lfn xfr 1 ident 1m dest fstat info user redir 172.16.105.115:9931

# Configure internal report monitoring
# details: https://stfc.atlassian.net/wiki/spaces/X/pages/24543251/Xrd+Report+Monitoring
#
xrd.report 172.16.105.48:9931 every 1m all

# Set the number of libradosstriper client pools
ceph.nbconnections 5

# Specify Buffer specific logic
ceph.usebuffer 1
ceph.bufferiomode io
ceph.buffersize 16777216
ceph.usereadvalg 0
ceph.readvalgname passthrough

# Tracing for the ofs, oss, xrootd and xrd components.
# NOTE(review): auth, login and tls tracing record who connected and how
# they authenticated; restrict read access and retention on the log files
# accordingly.
ofs.trace open close delay
oss.trace open
xrootd.trace auth fs login redirect stall
xrd.trace conn tls