Running xrootd

Hello everybody,

I’m trying to run PROOF and I’ve several problems with the authentication. Everything seems to work fine without it but the problems start when I try to enable the globus authentication.
I modified all the system.root* files in $ROOTSYS/etc and I added these lines in my xpd.cf file:

xpd.seclib libXrdSec.so
xpd.sec.protocol gsi -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -dlgpxy:1

When I try to start the xrootd daemon, I get the following messages :

sec_Config: No protocols defined; only host authentication available. - Why? I thought I had already defined my protocol by saying “gsi”. I’ve filled as well the system.root* files with the option “globus”.

-XrdCryptosslX509_file: cannot open file /etc/grid-security/xrd/xrdkey.pem (errno: 13) -
What is this xrdkey.pem supposed to be? I thought it was the computer’s hostkey.pem but it doesn’t seem to work.

Any hint?

Thank you,

Lara

Are permissions on the key and cert correct?
Something like:

[quote]chmod 644 /etc/grid-security/hostcert.pem
chmod 400 /etc/grid-security/hostkey.pem[/quote]

Check also that libXrdSecgsi.so exists and is in the LD_LIBRARY_PATH.

Hello,

thank you for your answer. Yes, the permissions are correct and the path too but it still doesn’t work.

In the configuration file I’ve to write “xpd.sec.protocol gsi” or “sec.protocol gsi” or both?

Lara

[quote=“lara”]
In the configuration file I’ve to write “xpd.sec.protocol gsi” or “sec.protocol gsi” or both?[/quote]
I have only xpd.sec.protocol.
In my case I have the following configuration for the xrootd redirector.

[quote]xpd.seclib libXrdSec.so
xpd.sec.protocol gsi -d:1 -certdir:/home/anar/gLite/external/etc/grid-security/certificates -cert:/home/anar/svn/grid/certificates/hosts/depc218/hostcert.pem -key:/home/anar/svn/grid/certificates/hosts/depc218/hostkey.pem[/quote]

Please note, that CA directory should also be present exactly as “/etc/grid-security/certificates”. CA must be up to date. Otherwise, like in my case you will face the bug I posted some time ago.
Check also time synchronization on your box and on the server.
By the way, could you please attach your xrootd log file?

I attach here my xpd.log (just the part with errors)

080115 12:13:10 001 secgsi_LoadCADir: Entry /etc/grid-security/certificates/11b4a5a2.namespaces does not contain a valid CA
080115 12:13:10 001 sut_Cache::Rehash: Hash table updated (found 71 active entries)
080115 12:13:10 001 sut_Cache::Init: cache allocated for 10 entries
080115 12:13:10 001 sut_Cache::Rehash: Hash table updated (found 0 active entries)
080115 12:13:10 001 cryptossl_X509::XrdCryptosslX509_file: certificate successfully loaded
080115 12:13:10 001 cryptossl_X509::IsCA: certificate has 13 extensions
080115 12:13:10 001 cryptossl_X509::XrdCryptosslX509_file: cannot open file /etc/grid-security/hostkey.pem (errno: 13)
080115 12:13:10 001 secgsi_Init: problems loading srv cert: invalid PKI
080115 12:13:10 001 sut_Cache::Rehash: Hash table updated (found 0 active entries)
080115 12:13:10 001 secgsi_ErrF: Secgsi: ErrError: no valid server certificate found
080115 12:13:10 001 secgsi_Init: Secgsi: ErrError: no valid server certificate found
080115 12:13:10 001 sec_Config: *'
080115 12:13:10 001 sec_Config: 1 authentication directives processed in /tmp/xpdcfn_cOJVfA
080115 12:13:10 001 sec_Config: Authentication system initialization failed.
080115 12:13:10 001 ProofdLoadSecurity: Unable to create security service object via /afs/fanae/cmssw64/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdSec.so
080115 12:13:10 001 Proofd: Configure: unable to load security system.
080115 12:13:10 001 XrdProtocol: Protocol xproofd could not be loaded
080115 12:13:10 001 xrootd anon@fanae41.geol.uniovi.es:1094 initialization failed.
080115 12:13:10 001 XrdSched: scheduling midnight runner in 42410 seconds

My /etc/grid-security looks like this:

-r-------- 1 root root 1.9K Dec 4 18:37 hostkey.pem
-rw-r--r-- 1 root root 2.5K Dec 4 18:37 hostcert.pem
lrwxrwxrwx 1 root root 45 Dec 21 13:06 certificates -> /opt/external/etc/grid-security/certificates/

Lara

Here it is my xpd.cf file. We’ve one master and 4 slaves:

# XRD port
xrd.port 1094

xpd.seclib /afs/fanae/cmssw64/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdSec.so
xpd.sec.protocol gsi -d:1 -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem

# Export /data/proofpool
xrootd.export /data/proofpool

# FS lib
xrootd.fslib /afs/fanae/cmssw64/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdOfs.so

# OpenFS section
if fanae41
ofs.redirect remote
ofs.forward all
else
ofs.redirect target
fi

# OSS section
oss.cache public /data/cache*
oss.path /data/proofpool r/w

# OLB / ODC section
# Port
olb.port 3121

# Paths
olb.path w /data/proofpool

# Role
if fanae41
all.role manager
else
all.role server
fi

# Manager location (ignored by managers)
all.manager fanae41 3121

# Delay client requests at manager startup
olb.delay startup 30

# PROOF part
# (xrootd only: the ‘xpd.’ directives are ignored if the protocol is not loaded)
# Load the XrdProofd protocol:
# using absolute paths (<ROOT_sys> with the path to the ROOT distribution)
if exec xrootd
xrd.protocol xproofd:1092 /cms/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdProofd.so
fi

# ROOTSYS
xpd.rootsys /cms/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q pro
xpd.rootsys /cms/slc4_ia32_gcc345/lcg/root/5.14.00g-CMS11 pro_dev

# Working directory for sessions [<User_Home>/proof]
xpd.workdir /data/proofbox

# Resource finder
# NB: 'if ’ not supported for this directive.
# xpd.resource static [<cfg_file>] [ucfg:<user_cfg_opt>] [wmx:<max_workers>]
#                     [selopt:<selection_mode>]
#   “static”, i.e. using a config file
#   <cfg_file>        path alternative config file
#                     [$ROOTSYS/proof/etc/proof.conf]
#   <user_cfg_opt>    if “yes”: enable user private config files at
#                     $HOME/.proof.conf or $HOME/.<usr_def>, where
#                     <usr_cfg> is the second argument to
#                     TProof::Open("","<usr_cfg>") [“no”]
#   <max_workers>     Maximum number of workers to be assigned to user
#                     session [-1, i.e. all]
#   <selection_mode>  If <max_workers> != -1, specify the way workers
#                     are chosen:
#                     “roundrobin” round-robin selection in bunches
#                                  of n(=<max_workers>) workers.
#                                  Example:
#                                  N = 10 (available workers), n = 4:
#                                  1st (session): 1-4, 2nd: 5-8,
#                                  3rd: 9,10,1,2, 4th: 3-6, …
#                     “random”     random choice (a worker is not
#                                  assigned twice)
xpd.resource static /cms/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/etc/proof.conf all

# Server role (master, submaster, worker) [default: any]
# Allows to control the cluster structure.
# The following (commented) example will set lxb6046 as master, and all
# the others lxb* as workers
xpd.role worker if fanae*
xpd.role master if fanae41

# Master(s) allowed to connect. Directive active only for Worker or
# Submaster session requests. Multiple ‘allow’ directives can
# be specified. By default all connections are allowed.
xpd.allow fanae41

# URL and namespace for the local storage if different from defaults.
# By the default it is assumed that the pool space on the cluster is
# accessed via a redirector running at the top master under the common
# namespace /proofpool.
# Any relevant protocol specification should be included here.
xpd.poolurl root://fanae41
xpd.namespace /data/proofpool

I think the authentication should be processed between xrootd redirector and a user interface, then xrootd redirector should delegate user’s proxy to worker nodes. Correct me if I am wrong on this, at least I thought it works that way.
If I am right, you miss a condition in your configuration.

[quote]if fanae41
xpd.seclib /afs/fanae/cmssw64/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdSec.so
xpd.sec.protocol gsi -d:1 -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem
fi[/quote]

Hello again,

Now I get the next log message:
080115 13:00:51 001 © 2004 Stanford University/SLAC xrd version 20060928-1600
080115 13:00:51 001 xrootd anon@fanae41.geol.uniovi.es initialization started.
080115 13:00:51 001 Using configuration file /afs/fanae/code/Proof/xpd.cf
080115 13:00:51 001 Optimizing for 256 connections; maximum is 1024
080115 13:00:51 001 XrdSched: Set min_Workers=4 max_Workers=32
080115 13:00:51 001 XrdSched: Set stk_Workers=26 max_Workidl=780
080115 13:00:51 001 XrdSched: scheduling underused thread monitor in 780 seconds
080115 13:00:51 001 XrdSched: Starting with 1 workers
080115 13:00:51 001 XrdLink: Allocating 16 link objects at a time
080115 13:00:51 001 XrdPoll: Starting poller 0
080115 13:00:51 001 XrdPoll: Starting poller 1
080115 13:00:51 001 XrdPoll: Starting poller 2
080115 13:00:51 001 XrdProtocol: getting port from protocol xrootd
080115 13:00:51 001 XrdProtocol: getting port from protocol xproofd
— Proofd: : XrdgetProtocolPort: listening on port: 1092 (0x8094440, 1092)
080115 13:00:51 001 XrdProtocol: getting protocol object xrootd
080115 13:00:51 001 © 2005 Stanford University/SLAC XRootd.
080115 13:00:51 001 XrootdAioReq: Max aio/req=8; aio/srv=4096; Quantum=65536
080115 13:00:51 001 XrootdAioReq: Adding 30 aioreq objects.
080115 13:00:51 001 XrootdAio: Adding 24 aio objects; 4096 pending.
080115 13:00:51 001 XRootd seclib not specified; strong authentication disabled
080115 13:00:51 001 XrootdProtocol: Loading filesystem library /afs/fanae/cmssw64/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdOfs.so
080115 13:00:51 001 ofs_Init: © 2005 Stanford University/SLAC, Ofs Version 20060928-1600
080115 13:00:51 001 ofs_Config: File system initialization started.
080115 13:00:51 001 ofs_Config: Warning! redirect directive is deprecated; use role.
080115 13:00:51 001 odc_Config: Target redirection initialization started
080115 13:00:51 001 odc_Config: Target redirection initialization completed.
080115 13:00:51 001 ofs_Config: File system initialization completed.
/afs/fanae/code/Proof/xpd.cf ofs configuration:
ofs.role server
ofs.authorize
ofs.fdscan 9 120 1200
ofs.maxdelay 60
ofs.trace bfcd
080115 13:00:51 001 oss_Init: © 2006, Stanford University, oss Version 20060928-1600
080115 13:00:51 001 oss_config: Storage system initialization started.
080115 13:00:51 001 oss_AioInit: started AIO read signal thread; tid=3079232416
080115 13:00:51 001 oss_AioInit: started AIO write signal thread; tid=3078441888
080115 13:00:51 001 oss_config: Storage system initialization completed.
/afs/fanae/code/Proof/xpd.cf oss configuration:
oss.alloc 0 0 0
oss.cachescan 600
oss.compdetect *
oss.fdlimit 512 1024
oss.maxdbsize 0
oss.trace fff
oss.xfr 1 9437184 30 10800
oss.memfile off max 131020800
oss.path /data/proofpool r/w nocheck nodread nomig nomkeep nomlock nommap norcreate nostage
oss.path / r/w nocheck nodread nomig nomkeep nomlock nommap norcreate nostage
oss.cache public /data/cache/
080115 13:00:51 001 XrdSched: scheduling xrootd protocol anchor in 3600 seconds
080115 13:00:51 001 Prep log directory not specified; prepare tracking disabled.
080115 13:00:51 001 Exporting /data/proofpool
080115 13:00:51 001 XRootd protocol version 2.6.0 build 20060928-1600 successfully loaded.
080115 13:00:51 001 XrdProtocol: getting protocol object xproofd
080115 13:00:51 001 Config: configuration file cannot be read: /root/allpri1
080115 13:00:51 001 Configure: using ROOTSYS: /cms/slc4_ia32_gcc345/lcg/root/5.14.00g-CMS11
080115 13:00:51 001 Configure: PROOF server application: /cms/slc4_ia32_gcc345/lcg/root/5.14.00g-CMS11/bin/proofserv
080115 13:00:51 001 Configure: using temp dir: /tmp
080115 13:00:51 001 XRD seclib not specified; strong authentication disabled
080115 13:00:51 001 Configure: role set to: worker
080115 13:00:51 001 Configure: masters allowed to connect: fanae41
080115 13:00:51 001 Configure: no priority changes requested
080115 13:00:51 001 Configure: image set to: fanae41.geol.uniovi.es
080115 13:00:51 001 Configure: PROOF work directories under: /data/proofbox
080115 13:00:51 001 Configure: client sessions kept idle for 0 secs after disconnection
080115 13:00:51 001 Configure: list of superusers: lara
— Proofd: : SetProofServEnv: enter: psid: -1, log: -1
080115 13:00:51 001 Proofd : Forking external proofsrv
080115 13:00:51 001 Proofd : SetSrvProtVers: test server launched: wait for protocol
080115 13:00:52 001 Configure: PROOF server protocol number: 12
080115 13:00:52 001 XrdSched: scheduling xproofd protocol anchor in 3600 seconds
080115 13:00:52 001 Configure: cron thread started
080115 13:00:52 001 XProofd protocol version 0.2 build 20060928-1600 successfully loaded.
080115 13:00:52 001 xproofd: protocol V 0.2 successfully loaded
080115 13:00:52 001 xrootd anon@fanae41.geol.uniovi.es:1094 initialization completed.
080115 13:00:52 001 XrdSched: scheduling midnight runner in 39548 seconds
080115 13:00:52 7122 XrdXeq: Port 1092 handler thread started

It starts but it doesn’t seem to work. When I start Proof it doesn’t ask me for the Grid password.
Isn’t it necessary to add two lines like these:
xrootd.seclib /afs/fanae/cmssw64/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdSec.so
xrd.seclib /afs/fanae/cmssw64/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdSec.so

at the beginning of my xpd.cf file?
I say that because of: XRD seclib not specified; strong authentication disabled

Lara

I know where you have a bug :unamused:

The initialization of xproof should be done before you specify sec libraries for it.
For example:

[quote]
if exec xrootd
xrd.protocol xproofd:1093 libXrdProofd.so tmp:/$PROOFTMP
fi

if depc218.gsi.de
xpd.seclib libXrdSec.so
xpd.sec.protocol gsi -d:1 -certdir:/home/anar/gLite/external/etc/grid-security/certificates -cert:/home/anar/svn/grid/certificates/hosts/depc218/hostcert.pem -key:/home/anar/svn/grid/certificates/hosts/depc218/hostkey.pem
fi[/quote]

XPROOF shouldn’t ask for a password if you have a Grid proxy file. It will ask if you don’t have a valid proxy, in order to create one. I always create my proxy myself, because I need to have VOMS proxy extensions in it. ROOT can’t create such a proxy for me :frowning:

ok, thank you. I’ve already changed it, buuuut…It keeps saying XRD seclib not specified; strong authentication disabled :frowning:

What can I do to check if it’s working? I’ve already tried with voms-init-destroy to see if it generates a new one but it hasn’t worked

Lara

[quote=“lara”]ok, thank you. I’ve already changed it, buuuut…It keeps saying XRD seclib not specified; strong authentication disabled :frowning:

What can I do to check if it’s working? I’ve already tried with voms-init-destroy to see if it generates a new one but it hasn’t worked

Lara[/quote]
Could you please delete your xrootd log and start a session, then attach your new log and config file here.

Dear Lara and Anar,

First a comment about the conditional statement around the ‘xpd.seclib’ and ‘xpd.sec.protocol’ directives: to have the proxy transmitted to the worker nodes you need to specify the directives at all levels. With the conditional statements (in which, btw, one has to specify the full FQDN, i.e. fanae41.geol.uniovi.es), authentication will be run only between the user and the redirector, and the proxy will remain on the redirector.

About, now, the original problem.
The server (i.e. xrootd) needs to access the private key of the certificate to be able to mutually authenticate the client. The errno 13 indicates that this is not the case, as the daemon is probably run as a non-privileged user, and access to the host certificate key requires su-privileges.

Possible solutions are:
[ul]
1. Have a certificate dedicated to the service (xrootd) which is accessible to the user under which you run xrootd:

xpd.sec.protocol gsi -cert:/etc/grid-certificates/xrootd/xrootdcert.pem -key:/etc/grid-certificates/xrootd/xrootdkey.pem -dlgpxy:1

If xrootd is run as user ‘lara’ then you should make sure that the directory /etc/grid-certificates/xrootd is owned by user ‘lara’.

2. Run xrootd with su-privileges:

xrootd -c <config-file> -R <non-privileged-user> -l <log-file>

where <non-privileged-user> is the username of a non-privileged user under which the daemon is effectively run (to reduce the risk of running as super-user; see the xrootd docs).

[/ul]

Have a look and let me know.

Gerri
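
The access problem described in the reply above (errno 13 on the key when the daemon does not run as root), as an added shell check that is not part of the original thread or of xrootd: it takes the `-key:` path from each active `xpd.sec.protocol gsi` line and reports whether that file belongs to the daemon account with no group or other access. The function names, status strings and sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not xrootd code. Checks whether the private key named on each
# "xpd.sec.protocol gsi" line can be used by the account that runs the daemon.

# Fallback when a line has no -key: option. Assumption: this is the path that
# appears in the error message quoted in the first post of the thread.
DEFAULT_KEY=${DEFAULT_KEY:-/etc/grid-security/xrd/xrdkey.pem}

# Print one key path per active (uncommented) gsi protocol line in config $1.
gsi_key_paths() {
    awk -v def="$DEFAULT_KEY" '
        $1 == "xpd.sec.protocol" && $2 == "gsi" {
            key = def
            for (i = 3; i <= NF; i++)
                if ($i ~ /^-key:/) key = substr($i, 6)
            print key
        }' "$1"
}

# Classify key file $1 for account $2 (user name or numeric uid).
# Prints: missing | wrong-owner:<uid> | too-open:<mode> | ok
# Simplification: only the file owner is considered, not group membership.
key_status() {
    key=$1
    want=$(id -u "$2" 2>/dev/null || echo "$2")
    [ -e "$key" ] || { echo "missing"; return 0; }
    # ls -ldnL prints e.g. "-r-------- 1 0 0 1900 Dec 4 18:37 hostkey.pem"
    set -- $(ls -ldnL "$key")
    mode=$1 owner=$3
    if [ "$owner" != "$want" ]; then
        # a non-root daemon gets errno 13 when the key is mode 400 for someone else
        echo "wrong-owner:$owner"
        return 0
    fi
    case $mode in
        ????------*) echo "ok" ;;
        *)           echo "too-open:$mode" ;;   # wider than the chmod 400 suggested earlier
    esac
}

# Print "<key path> <status>" for every key referenced by config $1,
# judged for account $2.
audit_gsi_keys() {
    gsi_key_paths "$1" | sort -u | while IFS= read -r k; do
        printf '%s %s\n' "$k" "$(key_status "$k" "$2")"
    done
}

# Constructed sample: a throwaway config and key files in a temp directory,
# one protocol line per case.
run_demo() {
    d=$(mktemp -d) || return 1
    : > "$d/svc-key.pem";   chmod 400 "$d/svc-key.pem"
    : > "$d/loose-key.pem"; chmod 644 "$d/loose-key.pem"
    cat > "$d/xpd.cf" <<EOF
xpd.seclib libXrdSec.so
xpd.sec.protocol gsi -d:1 -cert:$d/cert.pem -key:$d/svc-key.pem
#xpd.sec.protocol gsi -key:$d/ignored.pem
xpd.sec.protocol gsi -key:$d/loose-key.pem -dlgpxy:1
xpd.sec.protocol gsi -key:$d/absent.pem
EOF
    audit_gsi_keys "$d/xpd.cf" "$(id -u)"
    rm -rf "$d"
}

run_demo
```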

Here it goes!

This is my xpd.cf file:

# XRD port
xrd.port 1094

if exec xrootd
xrd.protocol xproofd:1092 /cms/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdProofd.so
fi

if fanae41
xpd.seclib /afs/fanae/cmssw64/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdSec.so
xpd.sec.protocol gsi -d:1 -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem
fi

# Export /data/proofpool
xrootd.export /data/proofpool

# FS lib
xrootd.fslib /afs/fanae/cmssw64/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdOfs.so

# OpenFS section
if fanae41
ofs.redirect remote
ofs.forward all
else
ofs.redirect target
fi

# OSS section
oss.cache public /data/cache*
oss.path /data/proofpool r/w

# OLB / ODC section
# Port
olb.port 3121

# Paths
olb.path w /data/proofpool

# Role
if fanae41
all.role manager
else
all.role server
fi

# Manager location (ignored by managers)
all.manager fanae41 3121

# Delay client requests at manager startup
olb.delay startup 30

# PROOF part
# (xrootd only: the ‘xpd.’ directives are ignored if the protocol is not loaded)
# Load the XrdProofd protocol:
# using absolute paths (<ROOT_sys> with the path to the ROOT distribution)
#if exec xrootd
#xrd.protocol xproofd:1092 /cms/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdProofd.so

fi

# ROOTSYS
xpd.rootsys /cms/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q pro
xpd.rootsys /cms/slc4_ia32_gcc345/lcg/root/5.14.00g-CMS11 pro_dev

# Working directory for sessions [<User_Home>/proof]
xpd.workdir /data/proofbox

# Resource finder
# NB: 'if ’ not supported for this directive.
# xpd.resource static [<cfg_file>] [ucfg:<user_cfg_opt>] [wmx:<max_workers>]
#                     [selopt:<selection_mode>]
#   “static”, i.e. using a config file
#   <cfg_file>        path alternative config file
#                     [$ROOTSYS/proof/etc/proof.conf]
#   <user_cfg_opt>    if “yes”: enable user private config files at
#                     $HOME/.proof.conf or $HOME/.<usr_def>, where
#                     <usr_cfg> is the second argument to
#                     TProof::Open("","<usr_cfg>") [“no”]
#   <max_workers>     Maximum number of workers to be assigned to user
#                     session [-1, i.e. all]
#   <selection_mode>  If <max_workers> != -1, specify the way workers
#                     are chosen:
#                     “roundrobin” round-robin selection in bunches
#                                  of n(=<max_workers>) workers.
#                                  Example:
#                                  N = 10 (available workers), n = 4:
#                                  1st (session): 1-4, 2nd: 5-8,
#                                  3rd: 9,10,1,2, 4th: 3-6, …
#                     “random”     random choice (a worker is not
#                                  assigned twice)
xpd.resource static /cms/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/etc/proof.conf all

# Server role (master, submaster, worker) [default: any]
# Allows to control the cluster structure.
# The following (commented) example will set lxb6046 as master, and all
# the others lxb* as workers
xpd.role worker if fanae*
xpd.role master if fanae41

# Master(s) allowed to connect. Directive active only for Worker or
# Submaster session requests. Multiple ‘allow’ directives can
# be specified. By default all connections are allowed.
xpd.allow fanae41

# URL and namespace for the local storage if different from defaults.
# By the default it is assumed that the pool space on the cluster is
# accessed via a redirector running at the top master under the common
# namespace /proofpool.
# Any relevant protocol specification should be included here.
xpd.poolurl root://fanae41
xpd.namespace /data/proofpool

And…this is my log file:

080115 13:35:05 001 © 2004 Stanford University/SLAC xrd version 20060928-1600
080115 13:35:05 001 xrootd anon@fanae41.geol.uniovi.es initialization started.
080115 13:35:05 001 Using configuration file /afs/fanae/code/Proof/xpd.cf
080115 13:35:05 001 Optimizing for 256 connections; maximum is 1024
080115 13:35:05 001 XrdSched: Set min_Workers=4 max_Workers=32
080115 13:35:05 001 XrdSched: Set stk_Workers=26 max_Workidl=780
080115 13:35:05 001 XrdSched: scheduling underused thread monitor in 780 seconds
080115 13:35:05 001 XrdSched: Starting with 1 workers
080115 13:35:05 001 XrdLink: Allocating 16 link objects at a time
080115 13:35:05 001 XrdPoll: Starting poller 0
080115 13:35:05 001 XrdPoll: Starting poller 1
080115 13:35:05 001 XrdPoll: Starting poller 2
080115 13:35:05 001 XrdProtocol: getting port from protocol xrootd
080115 13:35:05 001 XrdProtocol: getting port from protocol xproofd
— Proofd: : XrdgetProtocolPort: listening on port: 1092 (0x8094440, 1092)
080115 13:35:05 001 XrdProtocol: getting protocol object xrootd
080115 13:35:05 001 © 2005 Stanford University/SLAC XRootd.
080115 13:35:05 001 XrootdAioReq: Max aio/req=8; aio/srv=4096; Quantum=65536
080115 13:35:05 001 XrootdAioReq: Adding 30 aioreq objects.
080115 13:35:05 001 XrootdAio: Adding 24 aio objects; 4096 pending.
080115 13:35:05 001 XRootd seclib not specified; strong authentication disabled
080115 13:35:05 001 XrootdProtocol: Loading filesystem library /afs/fanae/cmssw64/slc4_ia32_gcc345/lcg/root/5.14.00f-CMS3q/lib/libXrdOfs.so
080115 13:35:05 001 ofs_Init: © 2005 Stanford University/SLAC, Ofs Version 20060928-1600
080115 13:35:05 001 ofs_Config: File system initialization started.
080115 13:35:05 001 ofs_Config: Warning! redirect directive is deprecated; use role.
080115 13:35:05 001 odc_Config: Target redirection initialization started
080115 13:35:05 001 odc_Config: Target redirection initialization completed.
080115 13:35:05 001 ofs_Config: File system initialization completed.
/afs/fanae/code/Proof/xpd.cf ofs configuration:
ofs.role server
ofs.authorize
ofs.fdscan 9 120 1200
ofs.maxdelay 60
ofs.trace bfcd
080115 13:35:05 001 oss_Init: © 2006, Stanford University, oss Version 20060928-1600
080115 13:35:05 001 oss_config: Storage system initialization started.
080115 13:35:05 001 oss_AioInit: started AIO read signal thread; tid=3079330720
080115 13:35:05 001 oss_AioInit: started AIO write signal thread; tid=3078540192
080115 13:35:05 001 oss_config: Storage system initialization completed.
/afs/fanae/code/Proof/xpd.cf oss configuration:
oss.alloc 0 0 0
oss.cachescan 600
oss.compdetect *
oss.fdlimit 512 1024
oss.maxdbsize 0
oss.trace fff
oss.xfr 1 9437184 30 10800
oss.memfile off max 131020800
oss.path /data/proofpool r/w nocheck nodread nomig nomkeep nomlock nommap norcreate nostage
oss.path / r/w nocheck nodread nomig nomkeep nomlock nommap norcreate nostage
oss.cache public /data/cache/
080115 13:35:05 001 XrdSched: scheduling xrootd protocol anchor in 3600 seconds
080115 13:35:05 001 Prep log directory not specified; prepare tracking disabled.
080115 13:35:05 001 Exporting /data/proofpool
080115 13:35:05 001 XRootd protocol version 2.6.0 build 20060928-1600 successfully loaded.
080115 13:35:05 001 XrdProtocol: getting protocol object xproofd
080115 13:35:05 001 Config: configuration file cannot be read: /root/allool1
080115 13:35:05 001 Configure: using ROOTSYS: /cms/slc4_ia32_gcc345/lcg/root/5.14.00g-CMS11
080115 13:35:05 001 Configure: PROOF server application: /cms/slc4_ia32_gcc345/lcg/root/5.14.00g-CMS11/bin/proofserv
080115 13:35:05 001 Configure: using temp dir: /tmp
080115 13:35:05 001 XRD seclib not specified; strong authentication disabled
080115 13:35:05 001 Configure: role set to: worker
080115 13:35:05 001 Configure: masters allowed to connect: fanae41
080115 13:35:05 001 Configure: no priority changes requested
080115 13:35:05 001 Configure: image set to: fanae41.geol.uniovi.es
080115 13:35:05 001 Configure: PROOF work directories under: /data/proofbox
080115 13:35:05 001 Configure: client sessions kept idle for 0 secs after disconnection
080115 13:35:05 001 Configure: list of superusers: lara
— Proofd: : SetProofServEnv: enter: psid: -1, log: -1
080115 13:35:05 001 Proofd : Forking external proofsrv
080115 13:35:05 001 Proofd : SetSrvProtVers: test server launched: wait for protocol
080115 13:35:05 001 Configure: PROOF server protocol number: 12
080115 13:35:05 001 XrdSched: scheduling xproofd protocol anchor in 3600 seconds
080115 13:35:05 001 Configure: cron thread started
080115 13:35:05 001 XProofd protocol version 0.2 build 20060928-1600 successfully loaded.
080115 13:35:05 001 xproofd: protocol V 0.2 successfully loaded
080115 13:35:05 001 xrootd anon@fanae41.geol.uniovi.es:1094 initialization completed.
080115 13:35:05 001 XrdSched: scheduling midnight runner in 37495 seconds
080115 13:35:05 7299 XrdXeq: Port 1092 handler thread started

The condition should be with the fully qualified domain name.

Gerri, would it be enough to write the following?

[quote]
if depc218.gsi.de

xpd.seclib libXrdSec.so
xpd.sec.protocol gsi -d:1 -certdir:/home/anar/gLite/external/etc/grid-security/certificates -cert:/home/anar/svn/grid/certificates/hosts/depc218/hostcert.pem -key:/home/anar/svn/grid/certificates/hosts/depc218/hostkey.pem

else

xpd.seclib libXrdSec.so
xpd.sec.protocol gsi -d:1 crl:0

fi[/quote]

or do I need to have certificates for each WNs then?

Hi Anar,

The Globus-X509 protocol requires that each participant has its own certificate.
The second block of your if-else-fi will try to load certificates from the standard location, failing if not there.
In such a case authentication between master and workers is just switched-off.

Cheers, Gerri

[quote=“ganis”]Hi Anar,

The Globus-X509 protocol requires that each participant has its own certificate.
The second block of your if-else-fi will try to load certificates from the standard location, failing if not there.
In such a case authentication between master and workers is just switched-off.

Cheers, Gerri[/quote]
Thank you.
It looks like I have to keep authentication only between redirector and client in the gLitePROOF project. Or maybe I remove authentication altogether, I must think about it. Since gLite doesn’t require certificates for WNs, gLitePROOF will not be able to connect to its workers.
Actually I do agree with “Globus-X509” :slight_smile: Every host in the Grid business must have a certificate.

Gerri, thanks for your comments anyway. Very useful!

Hello again,

So, if I have certificates for all my WN’s I don’t really need the if-else ?

What about "XrdProtocol: Protocol xrootd could not be loaded "?

Where do I have to specify the XrdProtocol ?

Enter PEM pass phrase:
080115 16:30:45 001 cryptossl_X509::XrdCryptosslX509_file: cannot read the key from file

It seems like it can’t read the certificates, I don’t know why.