|  |
Home
Interactive Login to the NAF
Login Concept
The NAF is conceived with single sign on in mind. As the Grid requires certificates and proxies, a valid proxy is also required as authentication to log into the interactive part of the NAF.
The advantage is: you can use your certificate as login and don't have to think of another password. Also no password changes have to be done. Security is enforced with the certificate which will expire itself.
The login mechanism will forward you from the login host to one of the workgroup servers (WGS) of your VO. This is done for security reasons.
There are several WGS available for each VO. A load balancer will choose one according to the load on the WGS (the load balancer is updated every 10 min).
Instructions
Requirements
You need a glite User Interface version 3.1 or newer. There are several possibilities to set up a UI:
-
If you have access to AFS you can use:
- The UI installed in the AFS cell from DESY:
for sh, bash, zsh:
for tcsh,csh:source /afs/desy.de/project/glite/UI/etc/profile.d/grid-env.shsource /afs/desy.de/project/glite/UI/etc/profile.d/grid-env.csh- With access to the CERN AFS cell:
for sh, bash, zsh:
for tcsh,csh:source /afs/cern.ch/project/gd/LCG-share/current/external/etc/profile.d/grid-env.sh
source /afs/cern.ch/project/gd/LCG-share/current/external/etc/profile.d/grid-env.csh- Or the glite UI installed in the afs/some shared file system at your home institute, ask your site admin for more information
-
When logged into a DESY system, you can also use ini:
ini glite
Create Proxy
Make yourself a suitable proxy, which is rfc compatible. It is not mandatory to have the VOMS extension to log in (but it won't hurt either):
This will produce an rfc compatible proxy, which is the version globus toolkit 4 will work with, so this will be the default proxy on the grid in the near future. Still it might cause troubles with some services on the Grid running old versions of gLite (older than 3.1). If you found some please inform us or the maintainer of the service to settle out these incompatibilities.voms-proxy-init -rfcvoms-proxy-init -voms VO -rfc
The login
You are now able to login to a NAF workgroup server using gsissh, depending on your VO (the guest login is for school and training users):
You will then automatically get forwarded to a free workgroup server owned by your VO. (Use the -Y switch if you want to enable trusted X11 forwarding.)gsissh atlas.naf.desy.degsissh cms.naf.desy.degsissh lhcb.naf.desy.degsissh ilc.naf.desy.degsissh guest.naf.desy.de
General Hints
Find another WGS
When you are logged in to the NAF and you want to find out which other machines are available, you can use the command:
wgsinfo
It will state the name of the WGS which are available for you (according to your VO-membership) and give information about the Operating System on the WGS.
Interactive Usage of the Batch Nodes
Sometimes the WGS are loaded too much and it seems impossible to do interactive work. Then you can use the batch nodes to do interactive work. But keep in mind, that the same rules apply to the qrsh session as for a qsub submitted jobs.
- You can get in interactive shell on an execution host (worker node).
- Usual command:
qrsh -now n <resource requirements> qrsh -now n -l h_vmem=2000M -l h_rt=12:00:00
- The
-nowswitch will make the batch system wait for a free slot instead of quitting if there is no slot free immediately. - See Requesting resources for details about the available resources.
- The less resources you require, the faster you get a slot, but if you use more resources than requested, your shell will be killed.
- The second example might take a long time till you get the interactive shell
Example for qrsh
-
For transferring data only, where you do not need a lot of cpu time, this would be the
qrshcommand:-
qrsh -now n -l h_rt=10:00:00
-
Laptop: Getting access to WGS
Mac Users
Mac OS X 10.4 or lower: Sorry, no UI providedMac OS X 10.5: You can install AFS on your laptop. You can then source the script
source /afs/desy.de/group/grid/UI/VDT/setup.sh
which provides the basic commands like voms-proxy-init and gsissh.
Then you can proceed as described above.
(Of course, you should have the certificate, either in ~/.globus, or point voms-proxy-init to some other location, like an AFS cell)Mac OS X 10.6: You can install AFS on your laptop. You can then invoke the following commands
DO NOT USE voms-proxy-init with this UI, nor add something like --voms VO! It will not worksource /afs/desy.de/group/grid/UI/OSX10.6/etc/globus-user-env.shgrid-proxy-init -rfcgsissh.naf.desy.de
Note:
/afs/naf.desy.de/products/scripts/naf_token does not work for OSX machines.Note: A common error are wrong permissions on userkey.pem, they should best be 0400.
Ubuntu 11.04 (probably 10.10, 10.04 too)
Ubuntu comes with grid-proxy-init, and kinit from heimdal, but it misses the gsissh command. It is even not part of the globus software package.
To install the gsissh, you can download the precompiled packeage from the LRZ:
http://www.grid.lrz-muenchen.de/de/mware/globus/client/gsissh_static.html
The 64bit version for 10.04 works for 64bit 11.04 too.
Follow the instructions there esp. get hold of the certificates in $HOME/.globus/certificates/
(Of course, you should have the certificate, either in ~/.globus, or point voms-proxy-init to some other location, like an AFS cell)
If you do not want to take care of having the up to date certificates, you can use the DESY afs directory (which is updated daily):
/afs/desy.de/group/grid/www/html/etc/grid-security/certificates
