### ### Example of simple xrootd config file. ### ### The first part enables a simple data server exposing to clients ### the root paths /tmp and /data1. ### The second part shows how to enable password-based strong ### authentication using the ROOT special password in $HOME/.rootdpass ### The third part shows how to concurrently enable the PROOF serving ### features ### ### To load this configuration file: ### ### ~> xrootd -c $ROOTSYS/etc/proof/xpd.cf ### ### See http://www.slac.stanford.edu/xrootd for more details on the ### data serving part. ### ### ### Part one: data serving ### xrd.protocol xproofd libXrdProofd.so xrootd.fslib libXrdOfs.so ### Specify a non-default port here: ### - overwritten by -p on the command line xrd.port 5151 ### Export path directives, i.e. the root paths which can be accessed ### by clients ('xrootd.export /' exports the whole file system). ### An arbitrary number of these can be defined. The default is ### to export /tmp. ### NB: specifying any of these directives removes the default /tmp ### from the internal list; in such a case a directive needs to ### be given explicitly if /tmp needs to be exposed. xrootd.export /tmp xrootd.export /pool/data ### ### Part two: security directives: ### ### Example: enable password-based strong authentication checking ### also the special ROOT password in $HOME/.rootdpass. ### NB: if the application complains about a missing password file in ### $HOME/.xrd/ just create an empty one running 'xrdpwdadmin' and ### replying to the questions ### ( with the path to the ROOT distribution) # xrootd.seclib /lib/libXrdSec.so # sec.protocol pwd -d:0 -a:1 -vc:1 -upwd:2 -cryptfile:.rootdpass ### ### Part three: enable PROOF serving ### ### Load the XrdProofd protocol: ### a) if the ROOT lib paths are known by the linker/loader # xrd.protocol xproofd:1093 libXrdProofd.so ### b) using absolute paths ( with the path to the ROOT distribution) xrd.protocol xproofd:1093 /opt/local/libexec/root6/lib/root/libXrdProofd.so ### NB: envs vars are not expanded here, i.e. $ROOTSYS/lib/libXrdProofd.so will ### not work; they are supported for the remaining "xpd." directives ### ### Directives governing the behaviour of the XrdProofd plug-in. ### Except when explicitly indicated, all the following directives support ### an optional 'if ' condition at the end of the line, e.g. ### xpd.rootsys /opt/root if lxb*.cern.ch ### xpd.rootsys /usr/local if lxp*.cern.ch ### Patterns may contain any number of wild cards; the best match is retained ### (max number of matching chars; if two are equal, the last specified wins). ### ### Available ROOT versions: the first 'rootsys' defines the default one; ### specifying a tag is optional: if missing, the ROOT version tag is taken ### (however, the tag must be unique, the first occurence is retained). ### If no 'xpd.rootsys' valid directives are specified, $ROOTSYS is used as ### default ROOT version. # xpd.rootsys /opt/root [tag_for_default_version] # xpd.rootsys /opt/root-dev [tag_for_an_alternative_version] xpd.rootsys /opt/local/libexec/root6 ### ### Location of the temporary directory [/tmp] xpd.tmp /opt/local/tmp ### ### Internal wait timeout in secs [5] xpd.intwait 500 ### ### Max number of PROOF sessions [-1, i.e. no limit] xpd.maxsessions 10 ### ### Number of workers for local sessions [number of CPUs] xpd.localwrks 4 ### ### Multiuser option ### Default 1 (==ON) when running as superuser, 0 (==OFF) when running as normal. ### user. In the case the daemon has normal privileges, all users run under the ### effective user starting the daemon and privacy of sandboxes is not ensured xpd.multiuser 0 ### ### Defines what to do when no client sessions are attached to a client area. # Format: # xpd.shutdown # where: # is the type of action to be taken when a client completely # disconnets; the options are: # 0 remain connected # 1 terminate when idle # 2 terminate no matter the processing state # # is the delay after which the action for option 1 or 2 # is performed; in seconds; to indicate minutes or hours use # the suffix 'm' or 'h', respectively; e.g. 5m for 5 minutes. # default: # xpd.shutdown 1 0 xpd.shutdown 1 10s # xpd.shutdown 1 1s ### ### Image name of this server [node name] # xpd.image ### ### Working directory for sessions [/proof] ### If this directive is given, the user working directories will be in the ### form / # xpd.workdir ### ### Dataset root directory [/dataset] ### If this directive is given, the user dataset directories will be in the ### form //, with ="default" if ### does not belongs to any of the defined groups. # xpd.datasetdir ### ### Max number of old PROOF sessions for which the working directory ### is kept with all the relevant files in (logs, env, ...); non-positive ### values mean no limit [10] # xpd.maxoldlogs 10 ### ### Modify priority of sessions belonging to by ### If is missing, apply the change to all sessions. ### This directive requires special privileges, so it may be ineffective ### if these are missing # xpd.priority [if ] # xpd.priority 4 # xpd.priority 6 if thatuser ### ### Resource finder ### NB: 'if ' not supported for this directive. # "static", i.e. using a config file # path alternative config file # [$ROOTSYS/proof/etc/proof.conf] # if "yes": enable user private config files at # $HOME/.proof.conf or $HOME/., where # is the second argument to # TProof::Open("","") ["no"] # Maximum number of workers to be assigned to user # session [-1, i.e. all] # If != -1, specify the way workers # are chosen: # "roundrobin" round-robin selection in bunches # of n(=) workers. # Example: # N = 10 (available workers), n = 4: # 1st (session): 1-4, 2nd: 5-8, # 3rd: 9,10,1,2, 4th: 3-6, ... # "random" random choice (a worker is not # assigned twice) # xpd.resource static [] [ucfg:] [wmx:] [selopt:] # xpd.resource static ~/.proof.test.conf wmx:2 selopt:random # xpd.resource static $ROOTSYS/etc/proof.conf ### ### Master(s) allowed to connect. Directive active only for Worker or ### Submaster session requests. Multiple 'allow' directives can ### be specified. By default all connections are allowed. # xpd.allow lxb6041.cern.ch ### ### Server role (master, submaster, worker) [default: any] ### Allows to control the cluster structure. ### The following (commented) example will set lxb6041 as master, and all ### the others lxb* as workers # xpd.role worker if lxb*.cern.ch # xpd.role master if lxb6041.cern.ch ### ### URL and namespace for the local storage if different from defaults. ### By the default it is assumed that the pool space on the cluster is ### accessed via a redirector running at the top master under the common ### namespace /proofpool. # xpd.poolurl lxb0105.cern.ch # xpd.namespace /store ### ### Specifies tracing options. Valid keywords are: ### req trace protocol requests [on]* ### login trace details about login requests [on]* ### act trace internal actions [off] ### rsp trace server replies [off] ### fork trace proofserv forks [on]* ### dbg trace details about actions [off] ### hdbg trace more details about actions [off] ### err trace errors [on] ### inflt trace details about inflate factors [off] ### all trace everything ### ### Defaults are shown in brackets; '*' shows the default when the '-d' ### option is passed on the command line. Each option may be ### optionally prefixed by a minus sign to turn off the setting. ### Order matters: 'all' in last position enables everything; in first ### position is corrected by subsequent settings ### # xpd.trace fork -err rsp ### Super-users directive: specify a comma-serarated list of users with ### special privileges; the effective user under which the daemon is run ### (-R option on the command line) is always privileged. # xpd.superusers usr1,usr2 ### User access control directive: specifies a comma-separated list ### of users allowed to connect to the cluster. # xpd.allowedusers usr1,usr2,usr3 ### ### Group information file ### Defines the file containing the information about the composition ### of the group and their properties. See example in xpd.groups.sample . # xpd.groupfile $ROOTSYS/etc/proof/xpd.groups ### xproofd specific security directives, allowing for independent ### rules from the ones applying to data serving. ### NB: 'if ' not supported for these directives (protbind can ### used for similar purposes). ### In the example, GSI authentication is required with no control on CRL. ### If this section is missing xproofd falls back to the security setup ### defined for data serving. # xpd.seclib libXrdSec.so # xpd.sec.protocol gsi -crl:0 -gmapopt:1 -dlgpxy:1 ### ### This directive may be used to set additional environment variables ### for 'proofserv'. This is useful, for instance, to set client-side ### security options. It is possible to set some context depending ### keyworks which will be expanded before launching 'proofserv'; the ### syntax is ; keywords currently recognized are: ### --> expanded to workdir (see above) ### --> expanded to the user's username ### Example: ### ### xpd.putenv MYENV=//.creds ### ### with 'xpd.workdir /tmp/proof' will set MYENV to "/tmp/proof/minni/.creds" ### for user 'minni' and to "/tmp/proof/pippo/.creds" for user 'pippo'. ### There can be as 'putenv' directives as needed. # xpd.putenv XrdSecPWDSRVPUK=//.creds/pwdsrvpuk ### ### This directive may be used to set additional rootrc-like variables ### for 'proofserv'. This allows to control everything from this configuration ### file. At start-up, 'proofserv' will read the additional directives ### from the file "session.rootrc" created in the session working dir ### by XProofd; "session.rootrc" is actually a symlink to the real file ### whose name is in the form ### --.rootrc ### Example: ### ### xpd.putrc AName.AVar: AValue