Commit 2f73dc95 authored by MUSSET Paul's avatar MUSSET Paul

one docker file for xcache and improve directories tree

parent b0d7b5f6
stages: stages:
- build:docker_base - build
- build:docker_standalone
.build: .build:
image: image:
...@@ -12,60 +11,48 @@ stages: ...@@ -12,60 +11,48 @@ stages:
IMAGE_NAME: "" IMAGE_NAME: ""
script: script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
- /kaniko/executor --context $CI_PROJECT_DIR --context-sub-path "$DIRECTORY" --dockerfile "$CI_PROJECT_DIR/$DIRECTORY/Dockerfile" --destination "$CI_REGISTRY_IMAGE/$IMAGE_NAME" --build-arg "tag=$TAG" --skip-unused-stages - /kaniko/executor --context "$CI_PROJECT_DIR/$DIRECTORY" --dockerfile "$CI_PROJECT_DIR/$DIRECTORY/Dockerfile" --destination "$CI_REGISTRY_IMAGE/$IMAGE_NAME"
build_standalone_base: build_xcache:
extends: extends:
- .build - .build
stage: build:docker_base stage: build
variables: variables:
TAG: ${CI_COMMIT_REF_SLUG} TAG: ${CI_COMMIT_REF_SLUG}
DIRECTORY: xcache-standalone/base/dockerfile/ DIRECTORY: containers/images/xcache/
IMAGE_NAME: standalone/base:${CI_COMMIT_REF_SLUG} IMAGE_NAME: xcache:${CI_COMMIT_REF_SLUG}
rules: rules:
- if: '$CI_COMMIT_BRANCH != "master"' - if: '$CI_COMMIT_BRANCH != "master"'
changes:
- xcache-standalone/base/dockerfile/
build_standalone_base_master: build_xcache_master:
extends: extends:
- .build - .build
stage: build:docker_base stage: build
variables: variables:
TAG: "" TAG: ""
DIRECTORY: xcache-standalone/base/dockerfile/ DIRECTORY: containers/images/xcache/
IMAGE_NAME: standalone/base IMAGE_NAME: xcache
rules: rules:
- if: '$CI_COMMIT_BRANCH == "master"' - if: '$CI_COMMIT_BRANCH == "master"'
changes:
- xcache-standalone/base/dockerfile/
build_standalone_token: build_voms_proxy_init:
extends: extends:
- .build - .build
stage: build:docker_standalone stage: build
needs:
- build_standalone_base
variables: variables:
TAG: ${CI_COMMIT_REF_SLUG} TAG: ${CI_COMMIT_REF_SLUG}
DIRECTORY: xcache-standalone/token/dockerfile/ DIRECTORY: containers/images/voms-proxy-init/
IMAGE_NAME: standalone/token:${CI_COMMIT_REF_SLUG} IMAGE_NAME: voms-proxy-init:${CI_COMMIT_REF_SLUG}
rules: rules:
- if: '$CI_COMMIT_BRANCH != "master"' - if: '$CI_COMMIT_BRANCH != "master"'
changes:
- xcache-standalone/token/dockerfile/
build_standalone_token_master: build_voms_proxy_init_master:
extends: extends:
- .build - .build
stage: build:docker_standalone stage: build
needs:
- build_standalone_base_master
variables: variables:
TAG: "" TAG: ""
DIRECTORY: xcache-standalone/token/dockerfile/ DIRECTORY: containers/images/voms-proxy-init/
IMAGE_NAME: standalone/token IMAGE_NAME: voms-proxy-init
rules: rules:
- if: '$CI_COMMIT_BRANCH == "master"' - if: '$CI_COMMIT_BRANCH == "master"'
changes:
- xcache-standalone/token/dockerfile/
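Review bot: `TAG` is still declared in the `variables:` of all four jobs on the new side, but nothing consumes it now that `--build-arg "tag=$TAG"` has been dropped from the kaniko command in `.build`, so it is a dead knob that future readers will assume does something. Either remove `TAG` from the jobs or keep passing it through to the executor. Dropping the `changes:` rules also means both images are rebuilt and pushed on every pipeline of a non-master branch; if that is intended, a one-line comment on `.build` such as `# every branch pipeline rebuilds both images; TAG is informational only` would make it explicit.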
FROM centos:7
RUN groupadd -g 9999 xrootd\
&& useradd -g xrootd -u 9998 xrootd
# install ca certificates
ADD http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo /etc/yum.repos.d/EGI-trustanchors.repo
RUN yum install --nogpg -y ca-policy-lcg
# Get VOMS Files
ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.vomses /etc/vomses/
ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.lsc /etc/grid-security/vomsdir/escape/
RUN chmod 644 /etc/grid-security/vomsdir/escape/voms-escape.cloud.cnaf.infn.it.lsc /etc/vomses/voms-escape.cloud.cnaf.infn.it.vomses
# voms client
RUN yum install --nogpg -y epel-release\
&& yum install --nogpg -y voms-clients-java
COPY loop_voms_proxy_init.sh /usr/local/bin/loop_voms_proxy_init.sh
RUN chmod 755 /usr/local/bin/loop_voms_proxy_init.sh
RUN mkdir -p /tmp/proxy-certificate\
&& chown xrootd:xrootd /tmp/proxy-certificate
USER xrootd:xrootd
CMD ["/usr/local/bin/loop_voms_proxy_init.sh"]
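Review bot: The image's trust store is installed without any integrity check: `ADD` fetches `EGI-trustanchors.repo` over plain http with no checksum, and `yum install --nogpg -y ca-policy-lcg` then disables package signature verification for the CA bundle itself, so whatever those two fetches return becomes the set of trusted CAs; the two VOMS `ADD` lines have the same shape. Since the CI builds with kaniko rather than BuildKit, `ADD --checksum` is not an option, so fetch the repo file in a `RUN`, verify a pinned digest, and drop `--nogpg` so yum honours the repo's gpgkey (if the repo file declares one, as I'd expect). Pinning the digest means the build fails when upstream changes the repo file, which is the desired signal; the same treatment could be applied to the `.vomses`/`.lsc` files. Adding `yum clean all` in the same layer also keeps the cache out of the image.
```dockerfile
# install ca certificates: repo file fetched and digest-checked, package signatures verified
RUN curl -fsSL http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo \
      -o /etc/yum.repos.d/EGI-trustanchors.repo \
    && echo "<SHA256_OF_REPO_FILE_PLACEHOLDER>  /etc/yum.repos.d/EGI-trustanchors.repo" | sha256sum -c - \
    && yum install -y ca-policy-lcg \
    && yum clean all
# … unchanged: VOMS files, voms client, loop script, proxy directory, USER, CMD …
```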
#!/usr/bin/env bash
while true; do
voms-proxy-init --voms escape --out /tmp/proxy-certificate/certificate --cert /run/secrets/xrdcert.pem --key /run/secrets/xrdkey.pem
sleep 11h
done
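Review bot: A failed `voms-proxy-init` is silently ignored: the loop neither checks the exit status nor logs it, and then sleeps 11h before trying again, so a transient VOMS outage leaves the xcache container with a stale or missing proxy for most of a day. Branch on the result and retry sooner on failure, e.g. `if voms-proxy-init --voms escape --out /tmp/proxy-certificate/certificate --cert /run/secrets/xrdcert.pem --key /run/secrets/xrdkey.pem; then sleep 11h; else echo "voms-proxy-init failed, retrying in 10m" >&2; sleep 10m; fi`. Note also that this script is PID 1 in the container and installs no `trap`, so `docker stop` will likely wait for the kill timeout rather than exit on SIGTERM.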
ARG tag=latest # Build sci-token rpm for token
# Build sci-token rpm for token image
FROM centos:7 AS sci-token-build FROM centos:7 AS sci-token-build
RUN yum install --nogpg -y epel-release\ RUN yum install --nogpg -y epel-release\
...@@ -19,34 +17,73 @@ WORKDIR xrootd-scitokens ...@@ -19,34 +17,73 @@ WORKDIR xrootd-scitokens
ENV CXXFLAGS=-Wno-error CFLAGS=-Wno-error ENV CXXFLAGS=-Wno-error CFLAGS=-Wno-error
RUN git archive v1.2.0 --prefix=xrootd-scitokens-1.2.0/ | gzip -7 > ~/rpmbuild/SOURCES/xrootd-scitokens-1.2.0.tar.gz\ RUN git archive v1.2.2 --prefix=xrootd-scitokens-1.2.2/ | gzip -7 > ~/rpmbuild/SOURCES/xrootd-scitokens-1.2.2.tar.gz\
&& rpmbuild -ba rpm/xrootd-scitokens.spec && rpmbuild -ba rpm/xrootd-scitokens.spec
FROM gitlab-registry.in2p3.fr/cc-escape/xcache-config/standalone/base:$tag # XCache image
FROM centos:7
COPY xrootd-stable-slc7.repo /etc/yum.repos.d/xrootd-stable-slc7.repo
RUN yum install --nogpg -y epel-release\
&& yum install --nogpg -y xrootd-server-4.12.3-1.el7.x86_64
# Have the predefined uid/gid for xrootd to enable easy access to volumes
RUN xrootd_uid=$(id -u xrootd)\
&& xrootd_gid=$(id -g xrootd)\
&& groupmod -g 9999 xrootd\
&& usermod -u 9998 xrootd\
&& find / -group ${xrootd_gid} -user ${xrootd_gid} -type d -execdir chown xrootd:xrootd {} \;
# Config directory
RUN mkdir -p /etc/xrootd\
&& chown xrootd:xrootd /etc/xrootd
# Directory to mount the data storage. need to have same gid on host and container
RUN mkdir -p /mnt/xcache\
&& chown xrootd:xrootd /mnt/xcache\
&& chmod g+w /mnt/xcache
# For now checking crl is disabled in xcache config file # For now checking crl is disabled in xcache config file
# Might have to be later to be put in a volume. with a container spawning every n hours doing the fetch crl # Might have to be later to be put in a volume. with a container spawning every n hours doing the fetch crl
# install ca certificates # install ca certificates
ADD http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo\ ADD http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo /etc/yum.repos.d/EGI-trustanchors.repo
/etc/yum.repos.d/EGI-trustanchors.repo
RUN yum install --nogpg -y ca-policy-lcg RUN yum install --nogpg -y ca-policy-lcg
# Server certificates directory # Certificates directory
RUN mkdir /etc/grid-security/xrd/\ RUN mkdir /etc/grid-security/xrd/\
&& chown xrootd:xrootd /etc/grid-security/xrd/ && chown xrootd:xrootd /etc/grid-security/xrd/
# Steps for certificates authentication
# Get VOMS Files
ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.vomses /etc/vomses/
ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.lsc /etc/grid-security/vomsdir/escape/
RUN chmod 644 /etc/vomses/voms-escape.cloud.cnaf.infn.it.vomses /etc/grid-security/vomsdir/escape/voms-escape.cloud.cnaf.infn.it.lsc
# Install the VO info extractor
RUN yum install --nogpg -y xrootd-voms-4.12.3-1.el7.x86_64
ENV X509_USER_PROXY=/tmp/proxy-certificate/certificate
RUN mkdir -p /tmp/proxy-certificate\
&& chown xrootd:xrootd /tmp/proxy-certificate
# Steps for Token authorization
# Scitokens library # Scitokens library
COPY --from=sci-token-build /root/rpmbuild/RPMS/x86_64/xrootd-scitokens-1.2.0-1.el7.x86_64.rpm . COPY --from=sci-token-build /root/rpmbuild/RPMS/x86_64/xrootd-scitokens-1.2.2-1.el7.x86_64.rpm .
RUN yum install --nogpg -y xrootd-scitokens-1.2.0-1.el7.x86_64.rpm RUN yum install --nogpg -y xrootd-scitokens-*.el7.x86_64.rpm
# HTTP xroot client library # HTTP xroot client library
RUN yum install --nogpg -y xrdcl-http\ RUN yum install --nogpg -y xrdcl-http-4.12.3-1.el7.x86_64\
&& rm -rf /etc/xrootd && rm -rf /etc/xrootd
# problem with xrdcl-http not looking /etc/grid-security # problem with xrdcl-http not looking /etc/grid-security
RUN cp /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/\ RUN cp /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/\
&& update-ca-trust extract && update-ca-trust extract
USER xrootd:xrootd USER xrootd:xrootd
CMD ["xrootd","-c","/etc/xrootd/xcache-config.cfg","-n","xcache"] CMD ["xrootd","-d","-c","/etc/xrootd/xcache-config.cfg","-n","xcache"]
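Review bot: In the uid/gid remap step, `find / -group ${xrootd_gid} -user ${xrootd_gid}` tests the owner against the group id; `xrootd_uid` is captured on the line above and never used, so this should read `-user ${xrootd_uid}` (it only works today if the package happens to assign xrootd identical uid and gid). The `-type d` filter also leaves any files owned by the old ids untouched, which may or may not be intended. Separately, `/etc/xrootd` is created and chowned in the "Config directory" step and then deleted by `rm -rf /etc/xrootd` in the xrdcl-http step, so the earlier `mkdir`/`chown` is dead code now that compose bind-mounts the directory. The shipped `xrootd-stable-slc7.repo` sets `gpgcheck=1`, but every `yum install --nogpg` in this stage overrides it, so the xrootd packages are installed unverified; and the default `CMD` now carries `-d`, which turns debug logging on for every deployment rather than only where compose overrides it.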
[xrootd-stable]
name=XRootD Stable repository
baseurl=http://xrootd.org/binaries/stable/slc/7/$basearch http://xrootd.cern.ch/sw/repos/stable/slc/7/$basearch
gpgcheck=1
enabled=1
protect=0
gpgkey=http://xrootd.cern.ch/sw/releases/RPM-GPG-KEY.txt
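Review bot: Both `baseurl` and `gpgkey` are plain http, so the signing key is fetched unauthenticated the first time yum imports it, which undermines the `gpgcheck=1` this file sets. Prefer https for the mirrors that serve it, or ship the key in the build context and reference it as `gpgkey=file:///etc/pki/rpm-gpg/<KEY_FILE_PLACEHOLDER>`. This only matters once the Dockerfile stops passing `--nogpg`, which currently disables the check entirely.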
g /escape /pnfs/in2p3.fr/data/escape a
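Review bot: The `a` privilege grants the `/escape` group every operation on `/pnfs/in2p3.fr/data/escape` through the cache, including write and delete; if clients are only meant to read from this XCache, `g /escape /pnfs/in2p3.fr/data/escape rl` is the least-privilege entry. A comment at the top of the file stating which operations the cache is expected to allow would make the intent reviewable, e.g. `# read-only cache: group escape may read and list under the data path`.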
...@@ -4,7 +4,7 @@ all.export / ...@@ -4,7 +4,7 @@ all.export /
# all.role proxy server # all.role proxy server
# remote data source # remote data source
pss.origin <origin_server>:1094 pss.origin ccdcalitest10.in2p3.fr:1094
# proxy plugin # proxy plugin
ofs.osslib libXrdPss.so ofs.osslib libXrdPss.so
...@@ -19,19 +19,24 @@ oss.localroot /mnt/xcache ...@@ -19,19 +19,24 @@ oss.localroot /mnt/xcache
if exec xrootd if exec xrootd
xrd.protocol http libXrdHttp.so xrd.protocol http libXrdHttp.so
http.cadir /etc/grid-security/certificates http.cadir /etc/grid-security/certificates
http.cert /etc/grid-security/xrd/xrdcert.pem http.cert /run/secrets/xrdcert.pem
http.key /etc/grid-security/xrd/xrdkey.pem http.key /run/secrets/xrdkey.pem
http.secxtractor libXrdHttpVOMS.so http.secxtractor libXrdSecgsiVOMS.so
fi fi
# cache log level # cache log level
pfc.trace info #pfc.trace dump
#oss.trace all
#xrootd.trace all
#xrd.trace all
#sec.trace all
# authentication # authentication
xrootd.seclib libXrdSec.so xrootd.seclib libXrdSec.so
sec.protocol gsi -d:3 -cert:/etc/grid-security/xrd/xrdcert.pem -key:/etc/grid-security/xrd/xrdkey.pem -gridmap:/dev/null -vomsfun:/usr/lib64/libXrdSecgsiVOMS-4.so -vomsfunparms:dbg sec.protocol gsi -crl:0 -cert:/run/secrets/xrdcert.pem -key:/run/secrets/xrdkey.pem -gridmap:/dev/null -vomsfun:/usr/lib64/libXrdVoms.so
sec.protbind * gsi sec.protbind * gsi
# authorization # authorization
ofs.authorize 1 ofs.authorize 1
acc.authdb /opt/xrd/etc/Authfile acc.authdb /etc/xrootd/Authfile
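Review bot: `sec.protocol gsi -crl:0` disables CRL checking for client certificates, so a revoked certificate is still accepted; the Dockerfile comment says this is deliberate for now, but the config itself says nothing, and this is the file an operator will read. Add a comment above the line, e.g. `# -crl:0: CRL checking disabled until fetch-crl is available to the image; revoked certs are NOT rejected`, and track re-enabling it. The http stack now names `libXrdSecgsiVOMS.so` while the gsi line uses `/usr/lib64/libXrdVoms.so`; if both are meant to be the xrootd-voms extractor installed by the Dockerfile, it is worth confirming the first library actually exists in the 4.12.3 packages.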
version: '3.8'
services:
xcache-certificate-standalone:
build: ../../images/xcache
image: gitlab-registry.in2p3.fr/cc-escape/xcache-config/xcache
ports:
- "1094:1094"
depends_on:
- voms-renewer
volumes:
- type: bind
source: /mnt/xcache
target: /mnt/xcache
- type: bind
source: ./config
target: /etc/xrootd
- type: volume
source: proxy-certificate
target: /tmp/proxy-certificate
secrets:
- source: cert
target: xrdcert.pem
mode: 0640
- source: key
target: xrdkey.pem
mode: 0400
voms-renewer:
build: ../../images/voms-proxy-init/
image: gitlab-registry.in2p3.fr/cc-escape/xcache-config/voms-proxy-init
ports:
- "15000:15000"
volumes:
- type: volume
source: proxy-certificate
target: /tmp/proxy-certificate
secrets:
- source: cert
target: xrdcert.pem
mode: 0600
- source: key
target: xrdkey.pem
mode: 0400
networks:
default:
ipam:
config:
- subnet: 172.28.0.0/16
secrets:
cert:
file: /root/cert.pem
key:
file: /root/cert.key
volumes:
proxy-certificate:
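Review bot: `voms-renewer` publishes `15000:15000`, but the voms-proxy-init image in this commit runs only the `loop_voms_proxy_init.sh` loop and declares no `EXPOSE`, so nothing there appears to listen and the mapping should be dropped (a published port with no listener still shows up in port scans and audits). The `image:` values for both services, and `image:` in the token compose file, carry no tag, so a pull without `build:` resolves to `latest`; pin a tag matching what the CI pushes. The `mode: 0400` on the key secret is only correct if the container user (`xrootd`, uid 9998 per the Dockerfile) owns the file; without `uid`/`gid` on the secret, confirm it is actually readable at runtime rather than silently failing in voms-proxy-init.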
...@@ -5,7 +5,7 @@ xrd.trace all ...@@ -5,7 +5,7 @@ xrd.trace all
# all.role proxy server # all.role proxy server
# remote data source # remote data source
pss.origin https://<https_endpoint> pss.origin https://ccdcalitest10.in2p3.fr:2880
# proxy plugin # proxy plugin
ofs.osslib libXrdPss.so ofs.osslib libXrdPss.so
......
version: '3.8' version: '3.8'
services: services:
xcache-standalone: xcache-token-standalone:
build: dockerfile/ build: ../../images/xcache
image: gitlab-registry.in2p3.fr/cc-escape/xcache-config/xcache
ports:
- "1094:1094"
volumes: volumes:
- type: bind - type: bind
source: /mnt/xcache source: /mnt/xcache
...@@ -22,11 +25,11 @@ networks: ...@@ -22,11 +25,11 @@ networks:
default: default:
ipam: ipam:
config: config:
- subnet: 172.28.0.0/16 - subnet: 172.29.0.0/16
secrets: secrets:
cert: cert:
file: <path to cert> file: /root/cert.pem
key: key:
file: <path to key> file: /root/cert.key
FROM centos:7
ADD https://xrootd.slac.stanford.edu/binaries/xrootd-testing-slc7.repo /etc/yum.repos.d/
RUN yum install -y epel-release\
&& yum install -y xrootd-server-5.0.0-0.rc1.el7
EXPOSE 3333/udp
USER xrootd:xrootd
CMD ["mpxstats","-p","3333"]
...@@ -3,8 +3,13 @@ ...@@ -3,8 +3,13 @@
> :construction: **THIS IS A WORK IN PROGRESS AND IT IS NOT PRODUCTION READY** :construction: > :construction: **THIS IS A WORK IN PROGRESS AND IT IS NOT PRODUCTION READY** :construction:
- `doc`: documentation on xcache - `doc`: documentation on xcache
- `monitoring`: trial of the integrated XRootD monitoring system. Didn't work with XRootD5-rc1, should work from rc2 - `containers`: Dockerization of a standalone XCache server
- `xcache-standalone`: Dockerization of a standalone XCache server - `images`: Dockerfiles
- `base`: base XCache docker image whithout any authentication - `xcache`: Dockerfiles and context to build a xcache standalone server
- `token`: XCache with token authN/Z - `voms-proxy-init`: Dockerfile to obtain a proxy certificate for the xcache server
- `certificate`: Xcache with certificate authN/Z. Doesn't work yet as I didnt find an easy and clean way to manage the `voms-proxy-init` cron - `setup`: docker-compose files and xrootd configuration to make xcache work
- `base`: basic config of a xcache standalone server
- `certificate`: basic config to launch a xcache server with certificate authN/Z[^ct]
- `token`: basic config to launch a xcache server with token authN/Z[^ct]
[^ct]: `certificate` and `token` config will be soon merged in one file
FROM centos:7
RUN yum install --nogpg -y epel-release\
&& yum install --nogpg -y xrootd-server
# Have the same gid for xrootd group on container and host for xrootd to be able to access volume
RUN groupmod -g 9999 xrootd
# Config directory
RUN mkdir -p /etc/xrootd\
&& chown xrootd:xrootd /etc/xrootd
# Directory to mount the data storage. need to have same gid on host and container
RUN mkdir -p /mnt/xcache\
&& chown xrootd:xrootd /mnt/xcache\
&& chmod g+w /mnt/xcache
FROM centos:7
RUN yum install -y epel-release\
&& yum install -y xrootd-server
# Have the same gid for xrootd group on container and host for xrootd to be able to access volume
RUN groupmod -g 9999 xrootd
# Directory to mount the data storage. need to have same gid on host and container
RUN mkdir /mnt/xcache\
&& chown xrootd:xrootd /mnt/xcache
# For now checking crl is disabled in xcache config file
# Might have to be later to be put in a volume. with a container spawning every n hours doing the fetch crl
# install ca certificates
RUN wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo\
-O /etc/yum.repos.d/EGI-trustanchors.repo\
&& yum install ca-policy-lcg
# Certificates directory
RUN mkdir /etc/grid-security/xrd/\
&& chown xrootd:xrootd /etc/grid-security/xrd/
# Get VOMS Files
ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.vomses /etc/vomses/
ADD https://indigo-iam.github.io/escape-docs/voms-config/voms-escape.cloud.cnaf.infn.it.lsc /etc/grid-security/vomsdir/escape/
# Install the VO info extractor plugin not necessary from 4.12
# yum install
RUN yum install xrootd-devel voms-devel
USER xrootd:xrootd
CMD ["xrootd","-c","/etc/xrootd/xcache-config.cfg","-n","xcache"]