The WLCG CVM-FS Grid Repository
The WLCG repository for the grid client middleware is hosted on the CVM-FS path /cvmfs/grid.cern.ch/Grid. It's maintained as a mirror of the
WLCG Grid Application Area thus maintaining its tree structure
As soon as new version of client middleware are pushed to AFS they can be published on CVMF-FS ( manual procedure now that could be automate)
The WLCG CVM-FS Grid Repository Management
Members of the egroup
lxcvmfs-grid@cernNOSPAMPLEASE.ch are allowed to make modification and publish on the CMV-FS Grid Repository. Further information can be found on the CVM-FS site
http://cernvm.cern.ch/portal/filesystem/maintain-repositories
and on the wiki maintained by PES
https://twiki.cern.ch/twiki/bin/view/CvmFS/Installers ( obsolete)
Login
You must be a member of the e-group
LxCvmfs-grid. Once you have joined the e-group it is best to wait until 08:00 local time for a cron to run.
Login
ssh
@cvmfs-grid.cern.ch
If you would like to take ownership of the e-group to allow you to manage its members this is fine. The full list of such e-groups can be obtained by querying in https://e-groups.cern.ch/e-groups/EgroupsSearch.do
Changing identity to the Software Owner
The CVMFS shadow tree in /cvmfs/grid.cern.ch/ is owned by a user called cvgrid.
To check know one else is this user and become the user
$ pgrep -fl -u cvgrid
$ sudo -i -u cvgrid
To start a transaction:
cvmfs_server transaction grid.cern.ch
To publish a transaction
cvmfs_server publish grid.cern.ch
The CA and CRLs Management
This is a quite tricky part and delicate cause it could provoke issues on the whole WLCG infra
The /cvmfs/grid.cern.ch is used also to ship CAs and CLRs to sites.
At the moment there is a cron job installed on cvmfs-grid.cern.ch which does cp in certs and crls from /etc/grid-security/certificates and it's available at:
https://gitlab.cern.ch/wlcg-mw-readiness/scripts
If it fails then Lxvmfs-Grid is first point of contact if the lower level fails
/etc/grid-security/certificates on cvmfs-grid.cern.ch is populated same way as all other puppet managed machines, i.e include 'fetch-crl'
-- AndreaManzi - 03 Jun 2014