Functional requirements for a centrally managed

VOMS service

Last Update: 2005-10-26
First published: 2004-11-16

Preamble:

The CERN/IT Grid Deployment (IT/GD) team is operating a VOMS server containing the users of Virtual Organisations (VOs) Alice, Atlas, CMS, LHCb, SixT and Dteam. This document explains the details of a request to the CERN/IT Data Base (IT/DB) group to take over the server operation and the data integrity, thus providing a true service.
http://cern.ch/dimou/lcg/voms/REFERENCES-NOTES#notes explains what VOMS is and contains references to original design and installation documentation.

An installer's handbook is available in http://cern.ch/grid-deployment/cgi-bin/index.cgi?var=gis/voms-deploy

Present configuration:

Since November 2003 we operate:

Field Value
Hostname tbed0152.cern.ch
DNS Alias lcg-voms.cern.ch
OS Linux 2.4.21-37.EL.cernsmp
Manufacturer ELONEX
Location Vault 0513 S-0034
IP Connectivity INCOMING and EXTERNAL_WEB_SERVER (Port 8443)
LAN Medium FASTETHERNET
Processors Dual CPU 1GHz
Memory 0.5 GB
Disk 20GB
Processes needed crond, sshd, edg-voms, tomcat4, mysqld (the present database choice)
User logins needed Maximum 10
Concurrent https connections Maximum 30
Concurrent database read operations Maximum 20
Concurrent database write operations Maximum 5

This is considered so far a test service but it has been very reliable with only 2 interruptions in one year. The machine has been very stable, it presents today an uptime of 203 days. 

[root@tbed0152 root]# uptime
  5:47pm  up 203 days,  2:13,  1 user,  load average: 0.00, 0.00, 0.00
The host lxb2094.cern.ch (137.138.4.50), alias sl3-voms.cern.ch is reserved for us to test a.s.a.p. the SL3 VOMS distribution and has all necessary ports (port numbers 15000-15020 in addition to port 8443) enabled by the network group for access from outside CERN.

Application's web view for VO managers and VO candidate members:
Open (with your personal digital certificate loaded):
https://lcg-voms.cern.ch:8443/edg-voms-admin/dteam
https://lcg-voms.cern.ch:8443/edg-voms-admin/atlas
https://lcg-voms.cern.ch:8443/edg-voms-admin/alice
https://lcg-voms.cern.ch:8443/edg-voms-admin/cms
https://lcg-voms.cern.ch:8443/edg-voms-admin/lhcb
This gives an idea of the present look of the interface. Listing the VO members is not possible without administrator's privileges. The users of the 4 LHC experiment VOs will be using the (FNAL-developed) VOMRS interface when the link to the CERN HR database for Personal user data will implemented (Task Force mandated by the Grid Deployment Board (GDB) ).

 

Processes we run from cron are:
13 8 * * * /usr/sbin/tmpwatch -f 240 /var/log/tomcat4              # Log update
13 1,7,13,19 * * * /opt/edg/etc/cron/edg-fetch-crl-cron           #Certificate Revokation List update
13 2,8,14,20 * * * /opt/edg/etc/cron/edg-voms-ldap-sync       #Contact and fetch LDAP contents

The last of these processes consists of polling the contents of 7 LDAP directories (2 servers, physically at NIKHEF and at CERN) containing a total amount of 1500 records. It will be obsolete in a few months when the LDAP directories will no more be updated.

It is understood that DB services are equiped with infrastructure and procedures that manage Oracle-based services. MySQL is the present VOMS db choice but GD group is investigating the effort required to port the service to Oracle (Savannah ticket 1376 in Project JRA1 Middleware).

Additional requirements:

The availability of the VOMS database for read-access is very critical because all LCG2 sites need to update their local account mapping files (grid-map or lcmaps) every few hours. However, a service interruption of (maximum) 24 hours is acceptable. This is because operation can continue with the previous version of these files, which will be a few hours old. The database must re-become accessible within one working day else, considerable service quality degradation and support over-head will arise.

This machine or another of similar capacity, properly managed by DB group, will be enough for the expected amount of data and performance requirements. What we don't have today and we need in addition are:

  1. Backup: We don't have /usr/dsm or any other tool now. This is not a problem as long as the database is entirely re-copied from LDAP every few hours but it will become vital when LDAP is abandoned.
  2. Sue updates: We don't have /usr/sue now.
  3. Performance monitoring: This service doesn't have high performance requirements because the Computing Elements (CEs), Storage Elements (SEs) and Resource Brokers (RBs) across LCG2 will contact the VOMS server 3-4 times per day, which can be well-distributed through-out the day. Savannah ticket 1284 explains performance issues we want to understand in further detail.

Service migration timescale:

Num Activity Completion time
1 DB group experts understand in detail today's VOMS set-up in GD and suggest a transition plan. Christmas 2004
2 DB and GD discuss the procedure for installing new VOMS releases. Christmas 2004
3 DB makes a system available for testing by GD VOMS admins. End January 2005
4 GD coordinates with LHC experiment VO managers and LCG2 sites the introduction of the new service. End February 2005

Communication for announcing service changes:
During migration: Lcg.Registrar@cern.ch

During operation:Lcg.Registrar@cern.ch and the VO managers:
project-lcg-vo-atlas-admin@cern.ch
project-lcg-vo-alice-admin@cern.ch
project-lcg-vo-cms-admin@cern.ch
project-lcg-vo-lhcb-admin@cern.ch
project-lcg-vo-dteam-admin@cern.ch
project-lcg-vo-sixt-admin@cern.ch

Maria Dimou IT/GD Grid Infrastructure Services.