VOBox
This document describes how to install and configure the site VO-Box to support ALICE VO services. The VO-Box is a node on which long-lived agents and services will be deployed. Such nodes are expected to be provided at the sites. The deployment and support of the agents and services on the VO-Box is the VO's responsibility.
See the following quick links to setup steps depending on your preferred deployment approach:
| Deployment | Setup steps |
|---|---|
| Generic/VM | Step 1: General requirements, Network setup; Step 2: WLCG VO-Box Installation; Step 3: HTCondor/ARC Specifics; Step 4: Grid Monitoring: MonALISA |
| Container | Step 1: Container requirements, Network Setup; Step 2: Install HTCondor/ARC VOBox container; Step 3: Grid Monitoring: MonALISA |
Requirements
General requirements for the VO node agents/services are as follows:
| Item | Requirement |
|---|---|
| OS | RH/Alma/Rocky EL9, 64-bit Linux. The machine usually will need to be a WLCG VOBOX |
| Hardware | Minimum 4 GB RAM, any standard CPU, 20 GB for logs, 5 GB cache |
Network
The following network connectivity is expected for the VO-Box services:
| Port | Access | Service |
|---|---|---|
| 1093 | TCP Incoming from the World | MonALISA FDT server, SE tests |
| 8884 | UDP Incoming from your site WN and your site SE nodes | Monitoring info |
| 9930 | UDP Incoming from your site SE nodes | XRootD metrics |
| | ICMP Incoming and Outgoing | Network topology for file placement and access |
In the future, these extra services may be needed:
| Port | Access | Service |
|---|---|---|
| 8098 | TCP Incoming from your site WN | JAliEn/Java Serialized Object stream |
| 8097 | TCP Incoming from your site WN | JAliEn/WebSocketS |
In general, the assumption is that outgoing connectivity from the VO-Box and the WNs is unrestricted.
CERN has multiple networks, all of which may be used for Central Services, now or in the future:
| Protocol | IP Range | Note |
|---|---|---|
| IPv4 | 128.141.0.0/16 | |
| | 128.142.0.0/16 | |
| | 128.142.249.0/24 | ← part of Central Services is here |
| | 137.138.0.0/16 | |
| | 188.184.0.0/15 | ← some token renewal service instances are here |
| | 185.249.56.0/22 | |
| | 192.65.196.0/23 | |
| | 192.91.242.0/24 | |
| | 194.12.128.0/18 | |
| IPv6 | 2001:1458::/32 | |
| | 2001:1458:301:54::/64 | ← part of Central Services is here |
| | 2001:1459::/32 | |
Hint
Please mind the address masks in the above table
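The following added example (not part of the original documentation) shows why the masks matter when the table is turned into a firewall allowlist: it validates each range, reduces the list to the minimal equivalent set, and checks peers against it. The function names and the sample peer addresses are constructed for illustration.

```python
import ipaddress

# CERN ranges copied verbatim from the table above.
CERN_RANGES = [
    "128.141.0.0/16", "128.142.0.0/16", "128.142.249.0/24",
    "137.138.0.0/16", "188.184.0.0/15", "185.249.56.0/22",
    "192.65.196.0/23", "192.91.242.0/24", "194.12.128.0/18",
    "2001:1458::/32", "2001:1458:301:54::/64", "2001:1459::/32",
]

def parse(ranges):
    # strict=True raises ValueError when host bits are set, which is what
    # a mistyped mask (e.g. 188.185.0.0/15) looks like.
    return [ipaddress.ip_network(r, strict=True) for r in ranges]

def minimal_allowlist(ranges=CERN_RANGES):
    """Drop ranges contained in a wider one and merge adjacent blocks.
    The result covers exactly the same addresses as the input."""
    nets = parse(ranges)
    out = []
    for version in (4, 6):  # collapse_addresses() rejects mixed families
        family = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(family))
    return out

def is_cern(addr, ranges=CERN_RANGES):
    """True if addr falls inside any listed range, honouring the mask."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in parse(ranges) if n.version == ip.version)

def outside_cern(observed):
    """Return the observed peers that no CERN range covers."""
    return [a for a in observed if not is_cern(a)]

# Constructed sample of remote peers, e.g. taken from a firewall log.
SAMPLE_PEERS = [
    "188.185.10.20",     # second half of 188.184.0.0/15
    "128.142.249.7",     # inside the /24 and the enclosing /16
    "128.143.0.1",       # just past 128.142.0.0/16
    "2001:1459::1",      # second IPv6 /32
    "2001:145a::1",      # just past it
]

if __name__ == "__main__":
    print("\n".join(minimal_allowlist()))
    print("not CERN:", outside_cern(SAMPLE_PEERS))
```

Reading 188.184.0.0/15 as a /16 would wrongly exclude every 188.185.x.x address; the two narrower entries marked as hosting Central Services are already covered by their enclosing ranges.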
WLCG VO-Box
The VO-Box usually should be preinstalled as a standard WLCG VO-Box, following the instructions given at:
https://twiki.cern.ch/twiki/bin/view/LCG/WLCGvoboxDeployment
This procedure sets up a standard gLite UI, with the following additions (in particular provided by lcg-vobox RPM):
- Only one local user account alicesgm (or equivalent), with no special privileges. Please DO NOT configure pool accounts for the SGM user on the VO-Box!
- Access via gsissh, with selected users from the ALICE LCG VO mapped to the alicesgm account (YAIM handles that)
- A proxy renewal service running, for the automatic renewal of registered proxies via the MyProxy mechanism (idem)
- A host certificate, issued by one of the trusted LCG Certification Authorities. The machine also needs to be registered as a trusted host in the CERN MyProxy server, myproxy.cern.ch.
MyProxy
To have the machine registered as trusted host in myproxy.cern.ch, send an email with the host certificate DN to Maarten.Litmaath@cern.ch. You can get the host certificate DN by issuing the following command:
Additionally, specifically for ALICE, the following configuration details are required:
- The home directory should not be mounted via NFS from some server (for performance reasons and because lock files may be kept there)
- The experiment software is provided on the VO-box and Worker nodes through CVMFS. See the 'Setup CVMFS' section.