VOBox
This document describes how to install and configure the site VO-Box to support ALICE VO services. This is a node on which long-lived agents and services will be deployed. These are expected to be provided at the sites. The agents/services deployment and support on the VO-Box is under VO responsibility.
See the following quick links to setup steps depending on your preferred deployment approach:
Generic/VM | Step 1: General requirements, Network setup; Step 2: WLCG VO-Box Installation; Step 3: HTCondor/ARC Specifics; Step 4: Grid Monitoring: MonALISA |
Container | Step 1: Container requirements, Network Setup; Step 2: Install HTCondor/ARC VOBox container; Step 3: Grid Monitoring: MonALISA |
Requirements
General requirements for the VO node agents/services are as follows:
OS | RH/Alma/Rocky EL9, 64-bit Linux. The machine usually will need to be a WLCG VOBOX |
Hardware | Minimum 4GB RAM, any standard CPU, 20GB for logs, 5GB cache |
Network
The following network connectivity is expected for the VO-Box services:
Port | Access | Service |
---|---|---|
1093 | TCP Incoming from the World | MonALISA FDT server, SE tests |
8884 | UDP Incoming from your site WN and your site SE nodes | Monitoring info |
9930 | UDP Incoming from your site SE nodes | XRootD metrics |
- | ICMP Incoming and Outgoing | Network topology for file placement and access |
In the future, these extra services may be needed:
Port | Access | Service |
---|---|---|
8098 | TCP Incoming from your site WN | JAliEn/Java Serialized Object stream |
8097 | TCP Incoming from your site WN | JAliEn/WebSocketS |
In general, the assumption is that the outgoing connectivity from the VO-box and the WNs is unrestricted.
CERN has multiple networks that may all be used for Central Services, already now or in the future:
Protocol | IP Range | Note |
---|---|---|
IPv4 | 128.141.0.0/16 | |
IPv4 | 128.142.0.0/16 | |
IPv4 | 128.142.249.0/24 | <- part of Central Services are here |
IPv4 | 137.138.0.0/16 | |
IPv4 | 188.184.0.0/15 | |
IPv4 | 185.249.56.0/22 | |
IPv4 | 192.65.196.0/23 | |
IPv4 | 192.91.242.0/24 | |
IPv4 | 194.12.128.0/18 | |
IPv6 | 2001:1458::/32 | |
IPv6 | 2001:1458:301:54::/64 | <- part of Central Services are here |
IPv6 | 2001:1459::/32 | |
Hint
Please mind the address masks in the above table
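The masks matter when the table is copied into a site firewall allow-list: a rule written with a narrower mask than the table silently leaves part of a CERN range blocked. The Python check below is an added example, not part of the original ALICE documentation; `SITE_ALLOW` is a constructed allow-list with two deliberate mask mistakes, and `uncovered` is a hypothetical helper name.

```python
import ipaddress

# CERN ranges copied from the table above.
CERN_RANGES = [
    "128.141.0.0/16", "128.142.0.0/16", "128.142.249.0/24", "137.138.0.0/16",
    "188.184.0.0/15", "185.249.56.0/22", "192.65.196.0/23", "192.91.242.0/24",
    "194.12.128.0/18", "2001:1458::/32", "2001:1458:301:54::/64", "2001:1459::/32",
]

# Constructed sample of a site allow-list (assumption, not from the page).
SITE_ALLOW = [
    "128.141.0.0/16", "128.142.0.0/16", "137.138.0.0/16",
    "188.184.0.0/16",   # mistake: the table says /15
    "185.249.56.0/22",
    "192.65.196.0/24",  # mistake: the table says /23
    "192.91.242.0/24", "194.12.128.0/18",
    "2001:1458::/32", "2001:1459::/32",
]

def uncovered(required, allowed):
    """Return the parts of `required` that no entry in `allowed` covers."""
    # ip_network() raises ValueError on host bits, which flags a bad mask early.
    rules = [ipaddress.ip_network(c) for c in allowed]
    gaps = []
    for cidr in required:
        remaining = [ipaddress.ip_network(cidr)]
        for rule in rules:
            kept = []
            for net in remaining:
                if net.version != rule.version:
                    kept.append(net)          # IPv4 rule cannot cover IPv6
                elif net.subnet_of(rule):
                    continue                  # fully covered by this rule
                elif rule.subnet_of(net):
                    # Rule is narrower than the range: keep what it misses.
                    kept.extend(net.address_exclude(rule))
                else:
                    kept.append(net)          # disjoint, rule is irrelevant
            remaining = kept
        gaps.extend(remaining)
    merged = []
    for version in (4, 6):  # collapse_addresses needs one IP version at a time
        merged += ipaddress.collapse_addresses(n for n in gaps if n.version == version)
    return [str(n) for n in merged]

if __name__ == "__main__":
    for gap in uncovered(CERN_RANGES, SITE_ALLOW):
        print("not covered by site allow-list:", gap)
```

The two more specific entries (128.142.249.0/24 and 2001:1458:301:54::/64) are already inside wider ranges in the same table, so an allow-list that carries the wider ranges covers them as well.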
WLCG VO-Box
The VO-Box usually should be preinstalled as a standard WLCG VO-Box, following the instructions given at:
https://twiki.cern.ch/twiki/bin/view/LCG/WLCGvoboxDeployment
This procedure sets up a standard gLite UI, with the following additions (in particular provided by the lcg-vobox RPM):
- Only one local user account alicesgm (or equivalent), with no special privileges. Please DO NOT configure pool accounts for the SGM user on the VO-Box!
- Access via gsissh, with selected users from the ALICE LCG VO mapped to the alicesgm account (YAIM handles that)
- A proxy renewal service running, for the automatic renewal of registered proxies via the MyProxy mechanism (idem)
- A host certificate, issued by one of the trusted LCG Certification Authorities. The machine also needs to be registered as a trusted host in the CERN MyProxy server, myproxy.cern.ch.
MyProxy
To have the machine registered as trusted host in myproxy.cern.ch, send an email with the host certificate DN to Maarten.Litmaath@cern.ch. You can get the host certificate DN by issuing the following command:
VO-Box> openssl x509 -in /etc/grid-security/hostcert.pem -noout -subject
Additionally, specifically for ALICE, the following configuration details are required:
- The home directory should not be mounted via NFS from some server (for performance reasons and because lock files may be kept there)
- The experiment software is provided on the VO-box and Worker nodes through CVMFS. See the 'Setup CVMFS' section.