xrootd-cluster.cfg
###
#cluster config
###
# Data-server side of an XRootD cluster: the node takes the "server" role,
# points at the manager named below and exports /cephfs/grid.
##basics
#cmsd
all.manager xgate.hec.lancs.ac.uk:3121
all.role server
#all
all.export /cephfs/grid
all.sitename UKI-NORTHGRID-LANCS-HEP
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
xrd.port 1095
xrootd.port 1095
#checksum - aim for max*size to be about 0.5*systemram
# adler32 is a non-cryptographic checksum: it catches accidental corruption in
# transfer or storage but gives no protection against deliberate modification.
xrootd.chksum max 32 adler32
#checksum size -default 64m
ofs.cksrdsz 1024m
#notify on mkdir and call fix-perms.sh
# ofs.notify mkdir >/tmp/ofs-events.fifo
# The leading "|" pipes each mkdir event to the script. The event text carries
# directory names chosen by remote clients, so fix-perms.sh (not shown here)
# has to treat them as untrusted input: quote every expansion, never eval
# them, and check that the path lies under the exported tree before acting.
# NOTE(review): confirm the script is owned by root and not writable by the
# xrootd service account, since it is run for every mkdir.
ofs.notify mkdir |/usr/local/bin/fix-perms.sh
# fix perms using https://xrootd.web.cern.ch/doc/dev56/ofs_config.htm#_Toc136617291
# min:max permissions
# With 0755 / 0644 as the minimums, the world-read bits are always set on
# anything created through xrootd, so access control rests on the authdb and
# token checks rather than on POSIX modes.
# NOTE(review): confirm that direct (non-xrootd) access to /cephfs/grid is
# limited to trusted hosts and accounts.
ofs.crmode dirs 0755:0775 files 0644:0664
#logging
# Only selected trace categories are enabled below; the "all -debug" variants
# are kept commented out for troubleshooting.
#all.trace all
#if need to set explicitly
#xrd.trace all -debug
#xrootd.trace all -debug
#ofs.trace all -debug
#sec.trace all -debug
#http.trace all -debug
#cms.trace all -debug
# NOTE(review): the http section of this file maps the Authorization header to
# the "authz" CGI element. Before enabling request/response or debug tracing,
# check whether bearer tokens or macaroons would then be written to the logs,
# and restrict log file permissions and retention accordingly.
xrootd.trace emsg login stall redirect
cms.trace files redirect
#http.trace request response
#26/124 reduce this due to log size
http.trace login
##temp for scitoken testing
#scitoken.trace all -debug
#timeouts (default read was 5)
xrd.timeout read 10
#report sending
# Summary reports go to the collector at 10.41.5.42 every 5 minutes.
xrd.report 10.41.5.42:9485 every 5m all
#monitoring incantation
#https://xrootd.slac.stanford.edu/doc/dev54/xrd_config.htm#_Toc88514009
## safe at 2023-12-20
#xrootd.monitor all auth fstat 1m lfn xfr 1 ident 1m dest files fstat info tcpmon user 10.41.5.42:9486
## Talk to our collector and the shoveler at the same time.
# The "auth", "user" and "lfn" options put client identity and file names into
# the monitoring stream. NOTE(review): the stream is understood to be plain,
# unauthenticated UDP - confirm that 10.41.5.42 is reachable only over a
# trusted network segment.
xrootd.monitor all auth flush 30s mbuff 1472 window 5s fstat 1m lfn ops xfr 5 ident 1m \
dest files fstat info tcpmon user 10.41.5.42:9486 \
dest fstat files info user pfc tcpmon ccm 10.41.5.42:9993
## auth stuff
#largely from Sam
xrootd.seclib /usr/lib64/libXrdSec.so
# GSI (X.509) authentication. The host certificate and key named here are the
# same files that xrd.tls uses further down, so xrdkey.pem protects both the
# GSI handshake and the TLS channel; it should be readable only by the xrootd
# service account.
# -crl:1 NOTE(review): per the XRootD security reference this means "use a CRL
#   if one is available", so a missing CRL does not fail the handshake. Levels
#   2 and 3 make the CRL mandatory; confirm which is wanted, and that CRLs in
#   /etc/grid-security/certificates are refreshed regularly.
# -dlgpxy / -exppxy request a delegated proxy from the client and keep it with
#   the session credentials, which the ofs.tpc line below then forwards. A
#   delegated proxy is a bearer credential - presumably short-lived, confirm.
# -authzfun / -vomsat / -vomsfun load the VO and VOMS attribute handling.
# (Comments are kept above the directive because it uses "\" continuations.)
sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates \
-cert:/etc/grid-security/xrdcert.pem \
-key:/etc/grid-security/xrdkey.pem \
-crl:1 \
-authzfun:libXrdSecgsiAUTHZVO.so \
-gmapopt:10 -gmapto:0 \
-dlgpxy:2 -exppxy:=creds \
-vomsat:extract -vomsfun:libXrdVoms.so
#for the tokens
# NOTE(review): ztn carries bearer tokens and is understood to be usable only
# over a TLS connection - confirm against the installed XRootD version.
sec.protocol ztn
#needed? I don't think so for us, RAL specific, but record just in case
#sec.protbind * only ztn gsi
#point to our authdb
# ofs.authorize is what switches authorization on; without it the authdb named
# here would not be enforced.
acc.authdb /etc/grid-security/authdb
ofs.authorize
# Config TLS
#from https://xrootd-howto.readthedocs.io/en/latest/tpc/#an-example-of-wlcg-tpc-configuration-with-x509-authentication
xrd.tls /etc/grid-security/xrdcert.pem /etc/grid-security/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
# NOTE(review): "capable" applies the TLS requirement only to clients that
# advertise TLS support, so older xroot clients can still connect without
# encryption. Dropping "capable" would make TLS mandatory - confirm whether any
# remaining clients depend on the unencrypted path before tightening.
xrootd.tls capable all
#xrd tpc
# Third-party copy: the client's delegated GSI credentials are handed to
# /usr/bin/xrdcp through the X509_USER_PROXY environment variable.
# NOTE(review): "-f" makes xrdcp overwrite an existing destination; confirm the
# authdb limits which paths each identity may write.
ofs.tpc fcreds ?gsi =X509_USER_PROXY ttl 60 70 xfr 100 autorm pgm /usr/bin/xrdcp -f
## http stuff
# Everything between "if exec xrootd" and "fi" applies to the xrootd daemon
# only, not to cmsd.
if exec xrootd
#kick off xroot http, on 1095
xrd.protocol http:1095 /usr/lib64/libXrdHttp.so
# NOTE(review): "no" is understood to keep self-redirects on https instead of
# rewriting them to http - confirm; this matters because redirect URLs can
# carry the authz element set up below.
http.selfhttps2http no
#from James
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
# Require the use of the xrd.tls certificates (alternative is to use manual)
http.httpsmode auto
# HTTP TPC, see https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Enable_Third_Party_Copy
http.secxtractor libXrdVoms.so
http.exthandler xrdtpc libXrdHttpTPC.so
# Copies the Authorization request header into the "authz" CGI element so the
# token plugins can see it. The value is a bearer credential; keep it out of
# logs and monitoring output.
http.header2cgi Authorization authz
# Please install libmacaroons rpm from EPEL.
# Macaroons support, see: https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Macaroons_Support
http.exthandler xrdmacaroons libXrdMacaroons.so
# secret generated using openssl rand -base64 -out /etc/xrootd/macaroon-secret 64, owned xroot, chmod 440
# (the original note said "chown 440"; 440 is a file mode, so chmod is meant)
# Anyone who can read this file can mint macaroons that this server accepts.
# NOTE(review): mode 440 also grants group read - confirm the group has no
# other members, keep the file out of version control and backups, and
# regenerate it if exposure is suspected.
macaroons.secretkey /etc/xrootd/macaroon-secret
## token stuff
# "++" stacks these plugins on top of the authorization already configured.
# NOTE(review): which token issuers are trusted is decided in
# /etc/xrootd/scitokens.cfg, which is not shown here - review that file
# together with the authdb.
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so
## packet marking settings
## largely lifted from Sam
## disabled 20/11/24
#xrootd.pmark defsfile curl https://www.scitags.org/api.json
##this is Raul’s JISC collector
#xrootd.pmark ffdest firefly-collector.perf.ja.net:10514
##change these for your default paths for ATLAS stuff to be fetched from
#xrootd.pmark map2exp path /cephfs/grid/atlas atlas
## try the same for lsst path
#xrootd.pmark map2exp path /cephfs/grid/lsst lsst
## and finally one for dune
# NOTE(review): this map2exp line is still active although the section is
# marked disabled and the defsfile/ffdest/use lines are commented out -
# confirm whether it was meant to be commented out as well.
xrootd.pmark map2exp path /cephfs/grid/dune dune
#there needs to be a “default VO” to report a transfer as…
#choose atlas (as dteam doesn't exist yet)
#xrootd.pmark map2exp default atlas
#this shouldn’t be needed but lets be explicit
#xrootd.pmark use firefly scitag
fi
# CMS perf
#[0] https://xrootd.slac.stanford.edu/doc/dev54/cms_config.htm#_Toc53611073
#[1] https://github.com/xrootd/xrootd/blob/master/utils/cms_monPerf
#[2] https://cms-perf.readthedocs.io/en/latest/
# Everything between "if exec cmsd" and "fi" applies to the cmsd daemon only.
if exec cmsd
# call the preinstalled cms_monPerf script to report load to the manager
# NOTE(review): the original comment said "every minute", but the interval
# given is "int 5" and 5 is also passed to the script - presumably seconds;
# confirm which is intended.
# NOTE(review): the program is run by cmsd, so it should be owned by root and
# not writable by the service account.
cms.perf int 5 pgm /usr/share/xrootd/utils/cms_monPerf 5
#file existence caching
# ntime (non existence), htime (existence)
cms.fxhold 60s 60s
fi