Mu2epro: Difference between revisions

From Mu2eWiki
Jump to navigation Jump to search
(Created page with " ==Introduction== These are notes on using the group account mu2epro, which is used for collaboration-managed production activities. Access is controlled by the k5login. As qu...")
 
 
(39 intermediate revisions by 2 users not shown)
Line 1: Line 1:


==Introduction==
==Introduction==
These are notes on using the group account mu2epro, which is used for collaboration-managed production activities. Access is controlled by the k5login. As quick start quide, you can get the correct environment and authentication with:
These are notes on using the group account mu2epro, which is used for collaboration-managed production activities. [[Authentication|Access is controlled]] by the k5login. As quick start quide, you can get the correct environment and authentication with (the -k is important!):
 
ssh -k mu2epro@nodename
<pre>ssh -k mu2epro@nodename (-k is important!)    formatted with pre</pre>
Here is [http://cd-docdb.fnal.gov/cgi-bin/RetrieveFile?docid=5644 SCD note 5644] on group accounts.


==Kerberos==
==Kerberos==
In 4/2015 we (rlc) installed kerberos keytabs in <code>~mu2epro/keytab (code inline)</code>. The principals are created by the servicedesk, and a temp password returned. The actual <tt>keytab (tt inline)</tt> file is made according to this article.
===installing keytabs===
 
In 8/2016 we asked the service desk to reset the keytab passwords and then ran the procedure '''/usr/bin/make-cron-keytab''' ([https://fermi.servicenowservices.com/nav_to.do?uri=%2Fkb_view.do%3Fsysparm_article%3DKB0010954 servicedesk article] [https://fermi.servicenowservices.com/com.glideapp.servicecatalog_cat_item_view.do?v=1&sysparm_id=9a0304dee4809000863885ce73245e77&sysparm_link_parent=a5a8218af15014008638c2db58a72314&sysparm_catalog=e0d08b13c3330100c8b837659bba8fb4&sysparm_catalog_view=catalog_default&sysparm_view=catalog_default servicedesk form]).  This moves the keytab to a secure system location under /var. This solves the security problem of using the keytab from a network-mounted disk, exposing the kerberos data to the network.
In 8/2016 we asked the service desk to reset the keytab passwords and then ran the procedure '''/usr/krb5/config/make-cron-keytab''' This moves the keytab to a secure system location under /var. This solves the security problem of using the keytab from a network-mounted disk, exposing the kerberos data to the network.
 
To get a new ticket, you run
 
:: <pre>/usr/krb5/bin/kcron      formatted with pre and indentx2</pre>


at any time, but please see the notes below on where the ticket goes.
In 2021, we added principles to mu2esamgpvm01,2,3.  


A cron job on all of the interactive machines runs every 4 hours, runs a kcron command and writes the ticket to /tmp/krb5cc_44592_auto. As long as you use this ticket location, you will always have a valid ticket.
At times, such as when the machines we re-installed, we loose the keytabs.


Using the keytab with
The procedure is ask for the existing principles to be reset with new passwords ("Kerberos (FNAL.GOV) Standard" "Access to Kerberized Machines"), then run make-cron-keytab on each machine again.  We have keytabs for each machine mu2egpvm01-07, mu2ebuild02, and mu2egpvmsam01-03.


<code>kinit -k -t $HOME/keytab/mu2egpvm01.keytab mu2epro/cron/mu2egpvm01.fnal.gov@FNAL.GOV (formatted with code)</code>
In 2024, we added mu2eprodgpvm01 and 2, and get the keytab this time, we had to install <code>fermilab-util_makehostkeys-1.3-1.el9.noarch</code> for the <code>/usr/sbin/makehostkeys</code> exe, then ask the service desk for the principles and a password for each. Then
/usr/libexec/kcron/init-kcron-keytab
makehostkeys -s mu2epro/cron -n mu2eprodgpvm02.fnal.gov -k $(/usr/libexec/kcron/client-keytab-name)


is no longer available.
===using keytabs===
To get a new ticket, you can run
  kinit -k -t /var/adm/krb5/mu2epro.cron.$(hostname).keytab mu2epro/cron/$(hostname)@FNAL.GOV
    for older nodes, or for mu2eprodgpmv*
  kinit -k -t /var/kerberos/krb5/user/44592/client.keytab mu2epro/cron/$(hostname)@FNAL.GOV


It is important to setup how the ticket is located. If you do not have the KRB5CCNAME environmental set when you run kcron, the ticket will go to /tmp/krb5cc_44592cronXXXXX and no other utility will find it, not even klist, so you will always want to have KRB5CCNAME set. What follows is how it gets set.
at any time. However, a cron job on all of the interactive machines runs this command every 4 hours and writes the ticket to /tmp/krb5cc_44592_auto. As long as you point to this ticket location, you will always have a valid ticket. Your process can use the ticket by setting
export KRB5CCNAME=FILE:/tmp/krb5cc_44592_auto


Ideally users should
Ideally users should
 
ssh -k mu2epro@nodename
:: <code>ssh -k mu2epro@nodename formatted with code and indentx2</code>
The -k switch stops your personal ticket from being forwarded to your interactive sessions as mu2epro. During the login, .bashrc will set KRB5CCNAME to FILE:/tmp/krb5cc_44592_auto for you.  
 
The -k switch stops your personal ticket from being forwarded to your interactive sessions as mu2epro. During the login, .bash_profile will set KRB5CCNAME to FILE:/tmp/krb5cc_44592_auto for you. If you avoid using a "login shell" you will not run .bash_profile and KRB5CCNAME will not be set. In some philosophical sense this is what you asked for, so just use login shells.


If you forward your ticket (not recommended):
If you forward your ticket (not recommended):
 
ssh mu2epro@nodename
<code>
ssh mu2epro@nodename (formatted with code and newlines)
</code>
 
you will end up in the mu2epro account, and
you will end up in the mu2epro account, and
 
KRB5CCNAME=FILE:/tmp/krb5cc_44592_XXXXXXXXXX
KRB5CCNAME=FILE:/tmp/krb5cc_44592_XXXXXXXXXX
which is a ticket with your ''personal'' principle. But in .bash_profile, KRB5CCNAME will be reset to FILE:/tmp/krb5cc_44592_auto since this is the only reasonable and convenient default for the mu2epro account. If you do forward your personal ticket, it is possible for other people using the mu2epro account to gain your kerberos identity.  Also, nfs has a behavior which caches which kerberos identity is associated with a UID.  In this case, other uses (such as cron jobs) will not be able to access any disks that you as your personal UID cannot access. Also if you are using your personal ticket and run bare jobsub_submit, the job will be run in your personal account, not mu2epro.  
 
which is a ticket with your personal principle. But in .bash_profile, KRB5CCNAME will be reset to FILE:/tmp/krb5cc_44592_auto since this is the only reasonable and convenient default for the mu2epro account. If you do forward your personal ticket, it is possible for other people in the mu2epro account to gain your credentials. Also if you are using your personal ticket and run bare jobsub_submit, the job will be run in your personal account, not mu2epro.


Anyone can get their personal principal back with
Anyone can get their personal principal back with
 
kinit your_user_name@FNAL.GOV
kinit your_user_name@FNAL.GOV
 
But note that if KRB5CCNAME is not set, the ticket will default to /tmp/krb5cc_44592, which may be found by utilities or other users. If it is set to FILE:/tmp/krb5cc_44592_auto, it will overwrite the mu2epro ticket, so please don't do that!
But note that if KRB5CCNAME is not set, the ticket will default to /tmp/krb5cc_44592, which may be found by utilities or other users. If it is set to FILE:/tmp/krb5cc_44592_auto, it will overwrite the mu2epro ticket, so please don't do that!


Bottom line, just ssh -k and only use the default mu2epro automatic tickets!
Bottom line, just ssh -k and only use the default mu2epro automatic tickets! Do not use your kerberos identity inside the mu2epro account.


Andrei has an ssh config setup that will effectively set "-k" for you automatically. Add this text block to $HOME/.ssh/config
Andrei has an ssh config setup that will effectively set "-k" for you automatically. Add this text block to $HOME/.ssh/config
<blockquote>
<pre>
<pre>
#----------------
#----------------
Line 64: Line 54:
#----------------
#----------------
</pre>
</pre>
</blockquote>
and then the command
and then the command
ssh mu2epro
translates to
ssh -k mu2epro@mu2egpvm01.fnal.gov


ssh mu2epro
You can see the kerberos ticket with
 
klist
translates to "ssh -k mu2epro@mu2egpvm01.fnal.gov".


==Certificate==
==Certificate==
This account has a OSG Service Certificate consisting of certificate and key files kept in ~mu2epro/osg_service_cert_2015. This directory should have only owner access permissions. Notes on obtaining the cert are also in that directory. The cert is valid until 2/24/17.
This account has a OSG Service Certificate consisting of certificate and key files.   The service cert is for a "service" instead of a person. Certificate authorities always require a responsible person behind the cert and for this one that is Ray Culbertson.


The cert has been copied to a Computing Division server. There, it is converted to a VOMS proxy every 8 hours and that proxy is copied in a secure way to
The cert has been copied to a Computing Division server. They will renew the cert yearly, as needed.


<code>
The SCD generates a VOMS proxy every 4 hours and that proxy is copied in a secure way to
/opt/mu2epro/mu2epro.Production.proxy
/opt/mu2epro/mu2epro.Production.proxy
</code>
on all the interactive machines.  The SCD has [https://cdcvs.fnal.gov/redmine/projects/fife/wiki/_Service_Certificate_Management_ notes] on the system (bottom of the page). We believe the proxy is updated by an atomic command, so there is no chance of a user finding a partial proxy file.  You can see the proxy with
voms-proxy-info -all


on all the interactive machines. I don't know if the proxy is updated by an atomic command, (so there is no chance of a user finding a partial proxy file).
When you log into mu2epro, an environmental is set to point to this proxy.


Andrei has installed the actual certificate in the /opt area too. We believe the /opt area is a local disk so this will not expose the cert over the network. This will allow scripts to authenticate https communication with the SAM server. There may be other methods to authenticate, but the concern is that they will time-out.
===Production Role===
When the mu2epro account submits production jobs, it should use the <code>--role=Production</code> switch.  This switch is then also necessary for <code>jobsub_rm</code> and <code>jobsub_fetchlog</code>. This puts the jobs in a different category than the user default role Analysis. For example, I believe the username on the grid node is different.  We presumably can give more advanced privileges to this role, but we have not used this so far.  Other users can also have the Production role and if the authenticate with their personal certificate and submit with this role, the job will run as if it were submitted by mu2epro and the Production role. In particular, the output will be owned by mu2epro and you can remove or examine any production jobs.  We do not use this feature.  It has the one advantage that the SCD can see what user submitted this job, if they need to contact you.  It might useful if we have lots of operators submitting jobs, since even today we occasionally are left wondering who is submitting mu2epro jobs.


==Setup scripts==
==Setup scripts==
Line 88: Line 81:
The login file .bash_profile defines KRB5CCNAME to point to the mu2epro automatic kerberos ticket. It also makes sure /usr/krb5/bin and ~/bin are in the path, defines some environmentals which allow you to use the mu2epro authentication for commands, and aliases for setting further things up.
The login file .bash_profile defines KRB5CCNAME to point to the mu2epro automatic kerberos ticket. It also makes sure /usr/krb5/bin and ~/bin are in the path, defines some environmentals which allow you to use the mu2epro authentication for commands, and aliases for setting further things up.


.bashrc defines aliases for personalization for operators and for projects (see next). It also runs
.bashrc defines aliases for personalization for specific operators and projects.
 
/cvmfs/fermilab.opensciencegrid.org/products/common/etc/setups
 
to point PRODUCTS to the common products, allowing "setup mu2e" as well as fermilab common products, such as jobsub_client.


After logging in, the user can chose their environment. You can set your preferences through a personal setup script alias such as "setup_rlc". Please see
After logging in, the user can chose their environment. You can set your preferences through a personal setup script alias such as "setup_rlc". Please see
 
~mu2epro/bin/setup_alias.sh
~mu2epro/bin/setup_alias.sh
 
for examples. These scripts should only set minor interactive preferences such as the prompt or "rm -i". It should set the environmental
for examples. These scripts should only set minor interactive preferences such as the prompt or "rm -i". It should set the environmental
 
export OPERATOR=rlc
export OPERATOR=rlc
 
to your username. It should not do anything required for real production projects. The original (TDR era) setup is saved as "setup_old".
to your username. It should not do anything required for real production projects. The original (TDR era) setup is saved as "setup_old".


In addition, you can run the setup for a project, such as "setup_upload". These should set the environmental MUE2PRO_PROJECT to a unique value. This script should then setup all environment needed for the project. This should be complete, but not include any enviroment that is not necessary to run the project. Necessary setups might include "setup mu2e", offline version setup, jobsub, ifdhc and useful environmentals, such as pointers to scratch disk directories.
In addition, you can run the setup for a project, such as "setup_upload". These should set the environmental MUE2PRO_PROJECT to a unique value. This script should then setup all environment needed for the project. This should be complete, but not include any enviroment that is not necessary to run the project. Necessary setups might include <code>mu2einit</code>, offline version setup, jobsub, ifdhc and useful environmentals, such as pointers to scratch disk directories.


If the environment for a project must be strictly controlled, then you would only setup the project, and this setup should overwrite the value of OPERATOR to stop personalized .bashrc behaviour.
If the environment for a project must be strictly controlled, then you would only setup the project, and this setup should overwrite the value of OPERATOR to stop personalized .bashrc behavior.


You should write project scripts which only depend on setup_project and with alias-defeating /bin/mv etc to avoid differences in preferences. A final useful convention would be to keep project scripts in ~/projectname.
You should write project scripts which only depend on setup_project and with alias-defeating /bin/mv etc to avoid differences in preferences. A final useful convention would be to keep project scripts in ~/projectname.


There are also hooks in .bashrc to add behaviour as needed.
There are also hooks in .bashrc to add behaviour as needed.
<code>
<pre>
source ~/bin/setup_alias.sh
source ~/bin/setup_alias.sh
[ "$OPERATOR" == "rlc"      ] && source ~rlc/bin/setup_rlc.sh rc
[ "$OPERATOR" == "SOMENAME"      ] && source ~/bin/setup_SOMENAME.sh rc
...
</pre>
[ "$MUE2PRO_PROJECT" == "upload" ] && source ~/bin/setup_upload.sh rc
</code>
cron jobs should do all their setup explicitly, which should include sourcing these setup scripts.
cron jobs should do all their setup explicitly, which should include sourcing these setup scripts.


==Jobsub and ifdh==
==GitHub and mu2epro==
 
Some GitHub repos, for example OfflineOps, are normally cloned into the mu2epro disk space and used from that disk space; they need to be used from the mu2epro account in order to have the required authorizations.  In that sense they are "live".
 
Issues arise because there is no mu2epro GitHub account and different people will use the mu2epro account to edit the clone.  One issue is how do we authenticate to GitHub in order to push and another is how do we identify who made which commit.  This section outlines a procedure to resolve these issues.  The procedure is applicable to other live repos, such as some of those in the TDAQ environment.
 
The short version is that everyone should use their own ssh-agent credentials: see [[Authentication#SSH_Keys]].  And everyone should use one of the forms of the --author option to the git commit command:


ifdhc with version less than 1_7 may not work to transfer files, it may generate an incorrect gridftp url resulting in globus errors. If you write to bluearc, you will need to force the transfer through gridftp to get the permissions to work.
--author=<name>
--author="Full Name <name@subdomain.domain>"


<code>
Roughly speaking, the first form will work if you have already made at least one commit to the repo; the second form is required if you have not.  Consult the git documentation to understand exactly how the first form works; in short, it pattern matches <name> to the author field of previous commits. The two Dave Browns will need to figure our how to use the short version correctly.  
ifdh cp --force=gridftp file /mu2e/data/..
</code>


You will also need this switch for ifdh non-transfer commands
An alternative to providing --author on the command line is to define the environment variables GIT_AUTHOR_NAME, for the human-readable name, and GIT_AUTHOR_EMAIL for the author email address. Since mu2epro is a shared account we must not set these in the login scripts.
<code>
ifdh rm /mu2e/data/.. --force=gridftp
</code>
Writes to dCache (/pnfs/...) using x509 authentication (like gridftp or expftp) currently end up owned by mu2eana or mu2epro. gridftp-ls does not always list permissions correctly, uberftp fndca1 "ldir" does.


jobsub needs to be pointed to the OSG cert to work.
We are investigating using a pre-commit hook to enforce the requirement of supplying --author or providing the environment variables.
<code>
export X509_USER_PROXY=/tmp/x509up_u44592
</code>
this should be done though the command


setup_mu2epro
There are two ways that we might choose to organize this work.  For some live repos we might chose to follow the feature branch and pull request model that we use for Offline.  For other live repos we may, instead, choose to work on the one "official" branch and to push directly to the Mu2e repo from the clone; perhaps the official branch will be the main branch but it could be a different one.  In the both options, users will need to communicate with each other to avoid two people making changes to the live system at the same time - but that is an inherent feature of a live repo, not something peculiar to this discussion.


As of jobsub_client v1_1_0_2, the --role switch is needed for submit, rm, and fetchlog. It is not needed for q and history, which list the jobs as user mu2epro.
=== Option 1: Using Pull Request ===
# Before you log into mu2epro, add the ssh-key for your GitHub identity to your ssh-agent. See [[Authentication#SSH_Keys]].
# When you log into mu2epro you must forward your ssh-agent.  You can do this with the -A option on the ssh command line or by having "ForwardAgent yes" in your ~/.ssh/config file for the mu2e interactive machines.
# Add your own GitHub fork as a remote to the local clone; you only need to do this once
# Modify files as needed; commit them to the local clone using --author and push the working branch to your own GitHub fork.
# Make a pull request from your GitHub fork.


Note that when a user becomes mu2epro, they may still have their personal kerberos ticket active, and that may be used accidentally to authenticate the submission, so the user should kdestroy their ticket. Please see the discussion of kerberos and the setup commands below. If there is no user kerberos ticket, the job will be authenticated by the proxy.
If many people have their forks added as remotes, the ssh-agent mechanism ensures that each can only push to their own remote.
<blockquote>
 
<pre>
=== Option 2: Pushing Directly to Mu2e ===
jobsub_submit -G mu2e --role=Production -N 1 \
# Before you log into mu2epro, add the ssh-key for your GitHub identity to your ssh-agent. See [[Authentication#SSH_Keys]].
  --generate-email-summary --email-to=rlc@fnal.gov  --OS=SL6 \
# When you log into mu2epro you must forward your ssh-agent. You can do this with the -A option on the ssh command line or by having "ForwardAgent yes" in your ~/.ssh/config file for the mu2e interactive machines.
  --resource-provides=usage_model=DEDICATED \
# Check with the Mu2e GitHub admins to ensure that your GitHub identity has write (or better) privileges on the repo in the Mu2e organization.
  file:///mu2e/app/users/rlc/jobs/remote.bash
# Work on the "standard" working branch; commit to the local clone using --author and push the working branch directly to the repo in the Mu2e organization.
</pre>
</blockquote>


"ifdh cp --force=expftp" will not work with the service cert, i.e. interactively. It works on the grid because a different grid-based cert is used there.
==Cron jobs==
Cron jobs
cron job information is kept in ~mu2epro/cron. We will try to run all cron jobs on mu2egpvm01 unless they have to run elsewhere.
cron job information is kept in ~mu2epro/cron. We will try to run all cron jobs on mu2egpvm01 unless they have to run elsewhere.


==Backup==
==Backup==
The home area is on /mu2e/app and is not backed up automatically like the user home areas. It is backed up by a cron job to /pnfs/mu2e/scratch/users/mu2epro/backup.
The home area is on /mu2e/app and is not backed up automatically like the user home areas. It is backed up by a cron job to /pnfs/mu2e/scratch/users/mu2epro/backup. Older backups are purged.
 
==Mailing Lists==
There exist (11/2022) two mailing lists:
mu2e-production@listserv.fnal.gov
for registering Docker, Github, and communication with the computing division
mu2epro-sim@listserv.fnal.gov
for receiving mailed grid job summaries from production jobs


<BR>
<BR>
[[Category:Computing]]
[[Category:Computing]]
[[Category:Computing/Accounts]]
[[Category:Infrastructure]]

Latest revision as of 20:28, 19 July 2024

Introduction

These are notes on using the group account mu2epro, which is used for collaboration-managed production activities. Access is controlled by the k5login. As quick start quide, you can get the correct environment and authentication with (the -k is important!):

ssh -k mu2epro@nodename

Here is SCD note 5644 on group accounts.

Kerberos

installing keytabs

In 8/2016 we asked the service desk to reset the keytab passwords and then ran the procedure /usr/bin/make-cron-keytab (servicedesk article servicedesk form). This moves the keytab to a secure system location under /var. This solves the security problem of using the keytab from a network-mounted disk, exposing the kerberos data to the network.

In 2021, we added principles to mu2esamgpvm01,2,3.

At times, such as when the machines we re-installed, we loose the keytabs.

The procedure is ask for the existing principles to be reset with new passwords ("Kerberos (FNAL.GOV) Standard" "Access to Kerberized Machines"), then run make-cron-keytab on each machine again. We have keytabs for each machine mu2egpvm01-07, mu2ebuild02, and mu2egpvmsam01-03.

In 2024, we added mu2eprodgpvm01 and 2, and get the keytab this time, we had to install fermilab-util_makehostkeys-1.3-1.el9.noarch for the /usr/sbin/makehostkeys exe, then ask the service desk for the principles and a password for each. Then

/usr/libexec/kcron/init-kcron-keytab
makehostkeys -s mu2epro/cron -n mu2eprodgpvm02.fnal.gov -k $(/usr/libexec/kcron/client-keytab-name)

using keytabs

To get a new ticket, you can run

 kinit -k -t /var/adm/krb5/mu2epro.cron.$(hostname).keytab mu2epro/cron/$(hostname)@FNAL.GOV
   for older nodes, or for mu2eprodgpmv*
 kinit -k -t /var/kerberos/krb5/user/44592/client.keytab mu2epro/cron/$(hostname)@FNAL.GOV

at any time. However, a cron job on all of the interactive machines runs this command every 4 hours and writes the ticket to /tmp/krb5cc_44592_auto. As long as you point to this ticket location, you will always have a valid ticket. Your process can use the ticket by setting

export KRB5CCNAME=FILE:/tmp/krb5cc_44592_auto

Ideally users should

ssh -k mu2epro@nodename

The -k switch stops your personal ticket from being forwarded to your interactive sessions as mu2epro. During the login, .bashrc will set KRB5CCNAME to FILE:/tmp/krb5cc_44592_auto for you.

If you forward your ticket (not recommended):

ssh mu2epro@nodename

you will end up in the mu2epro account, and

KRB5CCNAME=FILE:/tmp/krb5cc_44592_XXXXXXXXXX

which is a ticket with your personal principle. But in .bash_profile, KRB5CCNAME will be reset to FILE:/tmp/krb5cc_44592_auto since this is the only reasonable and convenient default for the mu2epro account. If you do forward your personal ticket, it is possible for other people using the mu2epro account to gain your kerberos identity. Also, nfs has a behavior which caches which kerberos identity is associated with a UID. In this case, other uses (such as cron jobs) will not be able to access any disks that you as your personal UID cannot access. Also if you are using your personal ticket and run bare jobsub_submit, the job will be run in your personal account, not mu2epro.

Anyone can get their personal principal back with

kinit your_user_name@FNAL.GOV

But note that if KRB5CCNAME is not set, the ticket will default to /tmp/krb5cc_44592, which may be found by utilities or other users. If it is set to FILE:/tmp/krb5cc_44592_auto, it will overwrite the mu2epro ticket, so please don't do that!

Bottom line, just ssh -k and only use the default mu2epro automatic tickets! Do not use your kerberos identity inside the mu2epro account.

Andrei has an ssh config setup that will effectively set "-k" for you automatically. Add this text block to $HOME/.ssh/config

#----------------
Host mu2epro
User mu2epro
HostName mu2egpvm01.fnal.gov
ForwardAgent no
GSSAPIDelegateCredentials no
#----------------

and then the command

ssh mu2epro

translates to

ssh -k mu2epro@mu2egpvm01.fnal.gov

You can see the kerberos ticket with

klist

Certificate

This account has a OSG Service Certificate consisting of certificate and key files. The service cert is for a "service" instead of a person. Certificate authorities always require a responsible person behind the cert and for this one that is Ray Culbertson.

The cert has been copied to a Computing Division server. They will renew the cert yearly, as needed.

The SCD generates a VOMS proxy every 4 hours and that proxy is copied in a secure way to

/opt/mu2epro/mu2epro.Production.proxy

on all the interactive machines. The SCD has notes on the system (bottom of the page). We believe the proxy is updated by an atomic command, so there is no chance of a user finding a partial proxy file. You can see the proxy with

voms-proxy-info -all

When you log into mu2epro, an environmental is set to point to this proxy.

Production Role

When the mu2epro account submits production jobs, it should use the --role=Production switch. This switch is then also necessary for jobsub_rm and jobsub_fetchlog. This puts the jobs in a different category than the user default role Analysis. For example, I believe the username on the grid node is different. We presumably can give more advanced privileges to this role, but we have not used this so far. Other users can also have the Production role and if the authenticate with their personal certificate and submit with this role, the job will run as if it were submitted by mu2epro and the Production role. In particular, the output will be owned by mu2epro and you can remove or examine any production jobs. We do not use this feature. It has the one advantage that the SCD can see what user submitted this job, if they need to contact you. It might useful if we have lots of operators submitting jobs, since even today we occasionally are left wondering who is submitting mu2epro jobs.

Setup scripts

The login file .bash_profile defines KRB5CCNAME to point to the mu2epro automatic kerberos ticket. It also makes sure /usr/krb5/bin and ~/bin are in the path, defines some environmentals which allow you to use the mu2epro authentication for commands, and aliases for setting further things up.

.bashrc defines aliases for personalization for specific operators and projects.

After logging in, the user can chose their environment. You can set your preferences through a personal setup script alias such as "setup_rlc". Please see

~mu2epro/bin/setup_alias.sh

for examples. These scripts should only set minor interactive preferences such as the prompt or "rm -i". It should set the environmental

export OPERATOR=rlc

to your username. It should not do anything required for real production projects. The original (TDR era) setup is saved as "setup_old".

In addition, you can run the setup for a project, such as "setup_upload". These should set the environmental MUE2PRO_PROJECT to a unique value. This script should then setup all environment needed for the project. This should be complete, but not include any enviroment that is not necessary to run the project. Necessary setups might include mu2einit, offline version setup, jobsub, ifdhc and useful environmentals, such as pointers to scratch disk directories.

If the environment for a project must be strictly controlled, then you would only setup the project, and this setup should overwrite the value of OPERATOR to stop personalized .bashrc behavior.

You should write project scripts which only depend on setup_project and with alias-defeating /bin/mv etc to avoid differences in preferences. A final useful convention would be to keep project scripts in ~/projectname.

There are also hooks in .bashrc to add behaviour as needed.

source ~/bin/setup_alias.sh
[ "$OPERATOR" == "SOMENAME"      ] && source ~/bin/setup_SOMENAME.sh rc

cron jobs should do all their setup explicitly, which should include sourcing these setup scripts.

GitHub and mu2epro

Some GitHub repos, for example OfflineOps, are normally cloned into the mu2epro disk space and used from that disk space; they need to be used from the mu2epro account in order to have the required authorizations. In that sense they are "live".

Issues arise because there is no mu2epro GitHub account and different people will use the mu2epro account to edit the clone. One issue is how do we authenticate to GitHub in order to push and another is how do we identify who made which commit. This section outlines a procedure to resolve these issues. The procedure is applicable to other live repos, such as some of those in the TDAQ environment.

The short version is that everyone should use their own ssh-agent credentials: see Authentication#SSH_Keys. And everyone should use one of the forms of the --author option to the git commit command:

--author=<name> 
--author="Full Name <name@subdomain.domain>"

Roughly speaking, the first form will work if you have already made at least one commit to the repo; the second form is required if you have not. Consult the git documentation to understand exactly how the first form works; in short, it pattern matches <name> to the author field of previous commits. The two Dave Browns will need to figure our how to use the short version correctly.

An alternative to providing --author on the command line is to define the environment variables GIT_AUTHOR_NAME, for the human-readable name, and GIT_AUTHOR_EMAIL for the author email address. Since mu2epro is a shared account we must not set these in the login scripts.

We are investigating using a pre-commit hook to enforce the requirement of supplying --author or providing the environment variables.

There are two ways that we might choose to organize this work. For some live repos we might chose to follow the feature branch and pull request model that we use for Offline. For other live repos we may, instead, choose to work on the one "official" branch and to push directly to the Mu2e repo from the clone; perhaps the official branch will be the main branch but it could be a different one. In the both options, users will need to communicate with each other to avoid two people making changes to the live system at the same time - but that is an inherent feature of a live repo, not something peculiar to this discussion.

Option 1: Using Pull Request

  1. Before you log into mu2epro, add the ssh-key for your GitHub identity to your ssh-agent. See Authentication#SSH_Keys.
  2. When you log into mu2epro you must forward your ssh-agent. You can do this with the -A option on the ssh command line or by having "ForwardAgent yes" in your ~/.ssh/config file for the mu2e interactive machines.
  3. Add your own GitHub fork as a remote to the local clone; you only need to do this once
  4. Modify files as needed; commit them to the local clone using --author and push the working branch to your own GitHub fork.
  5. Make a pull request from your GitHub fork.

If many people have their forks added as remotes, the ssh-agent mechanism ensures that each can only push to their own remote.

Option 2: Pushing Directly to Mu2e

  1. Before you log into mu2epro, add the ssh-key for your GitHub identity to your ssh-agent. See Authentication#SSH_Keys.
  2. When you log into mu2epro you must forward your ssh-agent. You can do this with the -A option on the ssh command line or by having "ForwardAgent yes" in your ~/.ssh/config file for the mu2e interactive machines.
  3. Check with the Mu2e GitHub admins to ensure that your GitHub identity has write (or better) privileges on the repo in the Mu2e organization.
  4. Work on the "standard" working branch; commit to the local clone using --author and push the working branch directly to the repo in the Mu2e organization.

Cron jobs

cron job information is kept in ~mu2epro/cron. We will try to run all cron jobs on mu2egpvm01 unless they have to run elsewhere.

Backup

The home area is on /mu2e/app and is not backed up automatically like the user home areas. It is backed up by a cron job to /pnfs/mu2e/scratch/users/mu2epro/backup. Older backups are purged.

Mailing Lists

There exist (11/2022) two mailing lists:

mu2e-production@listserv.fnal.gov

for registering Docker, Github, and communication with the computing division

mu2epro-sim@listserv.fnal.gov

for receiving mailed grid job summaries from production jobs