one docker file for xcache and improve directories tree

.gitlab-ci.yml

 stages:
- - build:docker_base
- - build:docker_standalone
+ - build
 
 .build:
   image:
@@ -12,60 +11,48 @@ stages:
     IMAGE_NAME: ""
   script:
     - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
-    - /kaniko/executor --context $CI_PROJECT_DIR --context-sub-path "$DIRECTORY" --dockerfile "$CI_PROJECT_DIR/$DIRECTORY/Dockerfile" --destination "$CI_REGISTRY_IMAGE/$IMAGE_NAME" --build-arg "tag=$TAG" --skip-unused-stages 
+    - /kaniko/executor --context "$CI_PROJECT_DIR/$DIRECTORY" --dockerfile "$CI_PROJECT_DIR/$DIRECTORY/Dockerfile" --destination "$CI_REGISTRY_IMAGE/$IMAGE_NAME" 
 
-build_standalone_base:
+build_xcache:
   extends:
     - .build
-  stage: build:docker_base
+  stage: build
   variables:
     TAG: ${CI_COMMIT_REF_SLUG}
-    DIRECTORY: xcache-standalone/base/dockerfile/
-    IMAGE_NAME: standalone/base:${CI_COMMIT_REF_SLUG}
+    DIRECTORY: containers/images/xcache/
+    IMAGE_NAME: xcache:${CI_COMMIT_REF_SLUG}
   rules:
     - if: '$CI_COMMIT_BRANCH != "master"'
-      changes: 
-        - xcache-standalone/base/dockerfile/
 
-build_standalone_base_master:
+build_xcache_master:
   extends:
     - .build
-  stage: build:docker_base
+  stage: build
   variables:
     TAG: ""
-    DIRECTORY: xcache-standalone/base/dockerfile/
-    IMAGE_NAME: standalone/base
+    DIRECTORY: containers/images/xcache/
+    IMAGE_NAME: xcache
   rules:
     - if: '$CI_COMMIT_BRANCH == "master"'
-      changes: 
-        - xcache-standalone/base/dockerfile/
 
-build_standalone_token:
+build_voms_proxy_init:
   extends:
     - .build
-  stage: build:docker_standalone
-  needs: 
-    - build_standalone_base
+  stage: build
   variables:
     TAG: ${CI_COMMIT_REF_SLUG}
-    DIRECTORY: xcache-standalone/token/dockerfile/
-    IMAGE_NAME: standalone/token:${CI_COMMIT_REF_SLUG}
+    DIRECTORY: containers/images/voms-proxy-init/
+    IMAGE_NAME: voms-proxy-init:${CI_COMMIT_REF_SLUG}
   rules:
     - if: '$CI_COMMIT_BRANCH != "master"'
-      changes: 
-        - xcache-standalone/token/dockerfile/
 
-build_standalone_token_master:
+build_voms_proxy_init_master:
   extends:
     - .build
-  stage: build:docker_standalone
-  needs: 
-    - build_standalone_base_master
+  stage: build
   variables:
     TAG: ""
-    DIRECTORY: xcache-standalone/token/dockerfile/
-    IMAGE_NAME: standalone/token
+    DIRECTORY: containers/images/voms-proxy-init/
+    IMAGE_NAME: voms-proxy-init
   rules:
     - if: '$CI_COMMIT_BRANCH == "master"'
-      changes: 
-        - xcache-standalone/token/dockerfile/

containers/images/voms-proxy-init/Dockerfile

+FROM centos:7
+
+RUN groupadd -g 9999 xrootd\
+  && useradd -g xrootd -u 9998 xrootd
+
+# install ca certificates 
+ADD http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo /etc/yum.repos.d/EGI-trustanchors.repo
+RUN yum install --nogpg -y ca-policy-lcg
+
+# Get VOMS Files
+ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.vomses /etc/vomses/
+ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.lsc /etc/grid-security/vomsdir/escape/
+RUN chmod 644 /etc/grid-security/vomsdir/escape/voms-escape.cloud.cnaf.infn.it.lsc /etc/vomses/voms-escape.cloud.cnaf.infn.it.vomses
+
+# voms client
+RUN yum install --nogpg -y epel-release\
+  && yum install --nogpg -y voms-clients-java
+
+COPY loop_voms_proxy_init.sh /usr/local/bin/loop_voms_proxy_init.sh
+RUN chmod 755 /usr/local/bin/loop_voms_proxy_init.sh 
+
+RUN mkdir -p /tmp/proxy-certificate\
+  && chown xrootd:xrootd /tmp/proxy-certificate
+
+USER xrootd:xrootd
+CMD ["/usr/local/bin/loop_voms_proxy_init.sh"]

containers/images/voms-proxy-init/loop_voms_proxy_init.sh

+#!/usr/bin/env bash
+
+while true; do
+  voms-proxy-init --voms escape --out /tmp/proxy-certificate/certificate --cert /run/secrets/xrdcert.pem --key /run/secrets/xrdkey.pem
+  sleep 11h
+done

xcache-standalone/token/dockerfile/Dockerfile → containers/images/xcache/Dockerfile

-ARG tag=latest
-
-# Build sci-token rpm for token image
+# Build sci-token rpm for token
 FROM centos:7 AS sci-token-build
 
 RUN yum install --nogpg -y epel-release\
@@ -19,34 +17,73 @@ WORKDIR xrootd-scitokens
 
 ENV CXXFLAGS=-Wno-error CFLAGS=-Wno-error
 
-RUN git archive v1.2.0 --prefix=xrootd-scitokens-1.2.0/ | gzip -7 > ~/rpmbuild/SOURCES/xrootd-scitokens-1.2.0.tar.gz\
+RUN git archive v1.2.2 --prefix=xrootd-scitokens-1.2.2/ | gzip -7  > ~/rpmbuild/SOURCES/xrootd-scitokens-1.2.2.tar.gz\
   && rpmbuild -ba rpm/xrootd-scitokens.spec
 
 
-FROM gitlab-registry.in2p3.fr/cc-escape/xcache-config/standalone/base:$tag
+# XCache image
+FROM centos:7
+
+COPY xrootd-stable-slc7.repo /etc/yum.repos.d/xrootd-stable-slc7.repo
+
+RUN  yum install --nogpg -y epel-release\
+  && yum install --nogpg -y xrootd-server-4.12.3-1.el7.x86_64
+
+# Have the predefined uid/gid for xrootd to enable easy access to volumes 
+RUN xrootd_uid=$(id -u xrootd)\
+  && xrootd_gid=$(id -g xrootd)\
+  && groupmod -g 9999 xrootd\
+  && usermod -u 9998 xrootd\
+  && find / -group ${xrootd_gid} -user ${xrootd_gid} -type d -execdir chown xrootd:xrootd {} \; 
+
+# Config directory
+RUN mkdir -p /etc/xrootd\
+  && chown xrootd:xrootd /etc/xrootd
+
+# Directory to mount the data storage. need to have same gid on host and container
+RUN mkdir -p /mnt/xcache\
+  && chown xrootd:xrootd /mnt/xcache\
+  && chmod g+w /mnt/xcache
 
 # For now checking crl is disabled in xcache config file
 # Might have to be later to be put in a volume. with a container spawning every n hours doing the fetch crl
 # install ca certificates 
-ADD http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo\
-  /etc/yum.repos.d/EGI-trustanchors.repo
+ADD http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo /etc/yum.repos.d/EGI-trustanchors.repo
 RUN yum install --nogpg -y ca-policy-lcg
 
-# Server certificates directory
+# Certificates directory
 RUN mkdir /etc/grid-security/xrd/\
   && chown xrootd:xrootd /etc/grid-security/xrd/  
 
+
+# Steps for certificates authentication
+# Get VOMS Files
+ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.vomses /etc/vomses/
+ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.lsc /etc/grid-security/vomsdir/escape/
+RUN chmod 644 /etc/vomses/voms-escape.cloud.cnaf.infn.it.vomses /etc/grid-security/vomsdir/escape/voms-escape.cloud.cnaf.infn.it.lsc
+
+# Install the VO info extractor
+RUN yum install --nogpg -y xrootd-voms-4.12.3-1.el7.x86_64 
+
+ENV X509_USER_PROXY=/tmp/proxy-certificate/certificate
+
+RUN mkdir -p /tmp/proxy-certificate\
+  && chown xrootd:xrootd /tmp/proxy-certificate
+
+
+# Steps for Token authorization
 # Scitokens library
-COPY --from=sci-token-build /root/rpmbuild/RPMS/x86_64/xrootd-scitokens-1.2.0-1.el7.x86_64.rpm .
-RUN yum install --nogpg -y xrootd-scitokens-1.2.0-1.el7.x86_64.rpm
+COPY --from=sci-token-build /root/rpmbuild/RPMS/x86_64/xrootd-scitokens-1.2.2-1.el7.x86_64.rpm .
+RUN yum install --nogpg -y xrootd-scitokens-*.el7.x86_64.rpm
 
 # HTTP xroot client library
-RUN yum install --nogpg -y xrdcl-http\
+RUN yum install --nogpg -y xrdcl-http-4.12.3-1.el7.x86_64\
   && rm -rf /etc/xrootd
 
 # problem with xrdcl-http not looking /etc/grid-security
 RUN cp /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/\
  && update-ca-trust extract
 
+
 USER xrootd:xrootd
-CMD ["xrootd","-c","/etc/xrootd/xcache-config.cfg","-n","xcache"]
+CMD ["xrootd","-d","-c","/etc/xrootd/xcache-config.cfg","-n","xcache"]

containers/images/xcache/xrootd-stable-slc7.repo

+[xrootd-stable]
+name=XRootD Stable repository
+baseurl=http://xrootd.org/binaries/stable/slc/7/$basearch http://xrootd.cern.ch/sw/repos/stable/slc/7/$basearch
+gpgcheck=1
+enabled=1
+protect=0
+gpgkey=http://xrootd.cern.ch/sw/releases/RPM-GPG-KEY.txt

containers/setup/certificate/config/Authfile

+g /escape /pnfs/in2p3.fr/data/escape a

xcache-standalone/certificate/config/xcache-config.cfg → containers/setup/certificate/config/xcache-config.cfg

@@ -4,7 +4,7 @@ all.export      /
 # all.role        proxy server
 
 # remote data source
-pss.origin      <origin_server>:1094
+pss.origin ccdcalitest10.in2p3.fr:1094
 
 # proxy plugin
 ofs.osslib      libXrdPss.so
@@ -19,19 +19,24 @@ oss.localroot   /mnt/xcache
 if exec xrootd
 xrd.protocol http libXrdHttp.so 
 http.cadir /etc/grid-security/certificates
-http.cert /etc/grid-security/xrd/xrdcert.pem
-http.key /etc/grid-security/xrd/xrdkey.pem
-http.secxtractor libXrdHttpVOMS.so
+http.cert /run/secrets/xrdcert.pem
+http.key /run/secrets/xrdkey.pem
+http.secxtractor libXrdSecgsiVOMS.so
 fi
 
 # cache log level
-pfc.trace info
+#pfc.trace dump
+#oss.trace all
+#xrootd.trace all
+#xrd.trace all
+#sec.trace all
+
 
 # authentication
 xrootd.seclib libXrdSec.so
-sec.protocol gsi -d:3 -cert:/etc/grid-security/xrd/xrdcert.pem -key:/etc/grid-security/xrd/xrdkey.pem -gridmap:/dev/null -vomsfun:/usr/lib64/libXrdSecgsiVOMS-4.so -vomsfunparms:dbg
+sec.protocol gsi -crl:0 -cert:/run/secrets/xrdcert.pem -key:/run/secrets/xrdkey.pem -gridmap:/dev/null -vomsfun:/usr/lib64/libXrdVoms.so
 sec.protbind * gsi
 
 # authorization
 ofs.authorize 1
-acc.authdb /opt/xrd/etc/Authfile
+acc.authdb /etc/xrootd/Authfile

containers/setup/certificate/docker-compose.yml

+version: '3.8'
+
+services:
+  xcache-certificate-standalone:
+    build: ../../images/xcache
+    image: gitlab-registry.in2p3.fr/cc-escape/xcache-config/xcache
+    ports:
+      - "1094:1094"
+    depends_on:
+      - voms-renewer
+    volumes:
+      - type: bind
+        source: /mnt/xcache
+        target: /mnt/xcache
+      - type: bind
+        source: ./config
+        target: /etc/xrootd
+      - type: volume
+        source: proxy-certificate
+        target: /tmp/proxy-certificate
+    secrets:
+      - source: cert
+        target: xrdcert.pem
+        mode: 0640
+      - source: key
+        target: xrdkey.pem
+        mode: 0400
+
+  voms-renewer:
+    build: ../../images/voms-proxy-init/
+    image: gitlab-registry.in2p3.fr/cc-escape/xcache-config/voms-proxy-init
+    ports:
+      - "15000:15000"
+    volumes: 
+      - type: volume
+        source: proxy-certificate
+        target: /tmp/proxy-certificate
+    secrets:
+      - source: cert
+        target: xrdcert.pem
+        mode: 0600
+      - source: key
+        target: xrdkey.pem
+        mode: 0400
+
+networks:
+  default:
+    ipam:
+      config:
+        - subnet: 172.28.0.0/16
+
+secrets:
+  cert: 
+    file: /root/cert.pem
+  key:
+    file: /root/cert.key
+
+volumes:
+  proxy-certificate:

xcache-standalone/token/config/xcache-config.cfg → containers/setup/token/config/xcache-config.cfg

@@ -5,7 +5,7 @@ xrd.trace all
 # all.role        proxy server
 
 # remote data source
-pss.origin      https://<https_endpoint>
+pss.origin      https://ccdcalitest10.in2p3.fr:2880
 
 # proxy plugin
 ofs.osslib      libXrdPss.so

xcache-standalone/token/docker-compose.yml → containers/setup/token/docker-compose.yml

 version: '3.8'
 
 services:
-  xcache-standalone:
-    build: dockerfile/
+  xcache-token-standalone:
+    build: ../../images/xcache
+    image: gitlab-registry.in2p3.fr/cc-escape/xcache-config/xcache
+    ports:
+      - "1094:1094"
     volumes:
       - type: bind
         source: /mnt/xcache
@@ -22,11 +25,11 @@ networks:
   default:
     ipam:
       config:
-        - subnet: 172.28.0.0/16
+        - subnet: 172.29.0.0/16
 
 secrets:
   cert: 
-    file: <path to cert>
+    file: /root/cert.pem
   key:
-    file: <path to key>
+    file: /root/cert.key
 

monitor/Dockerfile

-FROM centos:7
-
-ADD https://xrootd.slac.stanford.edu/binaries/xrootd-testing-slc7.repo /etc/yum.repos.d/
-RUN yum install -y epel-release\
-  && yum install -y xrootd-server-5.0.0-0.rc1.el7
-
-EXPOSE 3333/udp
-
-USER xrootd:xrootd
-CMD ["mpxstats","-p","3333"]

readme.md

@@ -3,8 +3,13 @@
 > :construction: **THIS IS A WORK IN PROGRESS AND IT IS NOT PRODUCTION READY** :construction: 
 
 - `doc`: documentation on xcache
-- `monitoring`: trial of the integrated XRootD monitoring system. Didn't work with XRootD5-rc1, should work from rc2
-- `xcache-standalone`: Dockerization of a standalone XCache server
-  - `base`: base XCache docker image whithout any authentication 
-  - `token`: XCache with token authN/Z 
-  - `certificate`: Xcache with certificate authN/Z. Doesn't work yet as I didnt find an easy and clean way to manage the `voms-proxy-init` cron
+- `containers`: Dockerization of a standalone XCache server
+  - `images`: Dockerfiles 
+    - `xcache`: Dockerfiles and context to build a xcache standalone server
+    - `voms-proxy-init`: Dockerfile to obtain a proxy certificate for the xcache server
+  - `setup`: docker-compose files and xrootd configuration to make xcache work
+    - `base`: basic config of a xcache standalone server
+    - `certificate`: basic config to launch a xcache server with certificate authN/Z[^ct]
+    - `token`: basic config to launch a xcache server with token authN/Z[^ct]
+
+[^ct]: `certificate` and `token` config will be soon merged in one file

xcache-standalone/base/dockerfile/Dockerfile

-FROM centos:7
-
-RUN  yum install --nogpg -y epel-release\
-  && yum install --nogpg -y xrootd-server
-
-# Have the same gid for xrootd group on container and host for xrootd to be able to access volume
-RUN groupmod -g 9999 xrootd
-
-# Config directory
-RUN mkdir -p /etc/xrootd\
-  && chown xrootd:xrootd /etc/xrootd
-
-# Directory to mount the data storage. need to have same gid on host and container
-RUN mkdir -p /mnt/xcache\
-  && chown xrootd:xrootd /mnt/xcache\
-  && chmod g+w /mnt/xcache

xcache-standalone/certificate/dockerfile/Dockerfile

-FROM centos:7
-
-RUN  yum install -y epel-release\
-  && yum install -y xrootd-server
-
-# Have the same gid for xrootd group on container and host for xrootd to be able to access volume
-RUN groupmod -g 9999 xrootd
-
-# Directory to mount the data storage. need to have same gid on host and container
-RUN mkdir /mnt/xcache\
-  && chown xrootd:xrootd /mnt/xcache
-
-# For now checking crl is disabled in xcache config file
-# Might have to be later to be put in a volume. with a container spawning every n hours doing the fetch crl
-# install ca certificates 
-RUN wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo\
-  -O /etc/yum.repos.d/EGI-trustanchors.repo\
-  && yum install ca-policy-lcg
-
-# Certificates directory
-RUN mkdir /etc/grid-security/xrd/\
-  && chown xrootd:xrootd /etc/grid-security/xrd/  
-
-# Get VOMS Files
-ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.vomses /etc/vomses/
-ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.lsc /etc/grid-security/vomsdir/escape/
-
-# Install the VO info extractor plugin not necessary from 4.12 
-# yum install 
-RUN yum install xrootd-devel voms-devel 
-
-USER xrootd:xrootd
-CMD ["xrootd","-c","/etc/xrootd/xcache-config.cfg","-n","xcache"]