Deploying ARCHERY for Country/Project/VO

This document shows an example configuration of ARCHERY that holds Computing Element endpoints for some project (country-level, experiment, virtual organization, etc.).

Configuration examples in this guide are provided for BIND; however, you can use any name server implementation.

Entry point

An entry point to an ARCHERY-based registry is a domain name. In this guide, example.org is used as the entry point. To submit a job using ARCHERY, run:

arcsub -g example.org myjob.xrsl

The nordugrid.org domain is the entry point for the whole Nordugrid infrastructure. It holds references to the country-level endpoints, which are named after the country code top-level domain (ccTLD) identifiers: <ccTLD>.archery.nordugrid.org

Transaction signature key to manage endpoints

It is possible to manage records manually; however, to keep the information up to date and the endpoint management simple, it is advised to use Dynamic DNS updates with archery-manage.

Generate key

Use the following command to generate the key:

dnssec-keygen -a HMAC-MD5 -b 256 -n USER archery

From the generated files you need the secret part, which is included in both the BIND and the archery-manage configuration.

Define key in BIND

Create /etc/named/archery.key and put the secret generated in the previous step there:

key archery_key {
      algorithm hmac-md5;
      secret "S0Me+SecRet+keYgener@tedwithdnssec==";
};

Include the key definition in named.conf with the following line:

include "/etc/named/archery.key";

Keyfile for archery-manage

Create a file (let it be named archery-manage.key) containing the generated key in the following format:

archery_key:S0Me+SecRet+keYgener@tedwithdnssec==
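As an added example (not from the ARC documentation, BIND or archery-manage), the following Python script parses the BIND key statement from the previous step and emits the archery-manage keyfile line, checking that the secret is well-formed base64 of a sensible length before it is copied between the two configurations. The key name archery_key is taken from this guide; the secret is a constructed placeholder (base64 of the bytes 0..31), not a real key.

```python
"""Turn a BIND ``key`` statement into the one-line keyfile archery-manage expects.

Added example for this guide; it is not part of BIND, archery-manage or the
ARC documentation. The key name follows the guide (archery_key); the secret
is a constructed placeholder (base64 of the bytes 0..31), not a real key.
"""
import base64
import re

# Constructed stand-in for /etc/named/archery.key as written in this guide.
SAMPLE_SECRET = base64.b64encode(bytes(range(32))).decode()
SAMPLE_BIND_KEY = f'''key archery_key {{
      algorithm hmac-md5;
      secret "{SAMPLE_SECRET}";
}};
'''

# TSIG algorithm names accepted in a BIND key statement.
KNOWN_ALGORITHMS = {"hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256",
                    "hmac-sha384", "hmac-sha512"}

_KEY_BLOCK = re.compile(r'key\s+"?(?P<name>[\w.-]+)"?\s*\{(?P<body>.*?)\}\s*;', re.S)
_ALGORITHM = re.compile(r'algorithm\s+(?P<alg>[\w-]+)\s*;')
_SECRET = re.compile(r'secret\s+"(?P<secret>[^"]*)"\s*;')


def parse_bind_key(text):
    """Return {'name', 'algorithm', 'secret'} from a BIND key statement.

    Raises ValueError when the statement is incomplete, the algorithm is not a
    known TSIG algorithm, or the secret is not base64 of at least 128 bits.
    """
    block = _KEY_BLOCK.search(text)
    if block is None:
        raise ValueError("no 'key <name> { ... };' statement found")
    body = block.group("body")
    alg = _ALGORITHM.search(body)
    secret = _SECRET.search(body)
    if alg is None or secret is None:
        raise ValueError("key statement needs both 'algorithm' and 'secret'")
    algorithm = alg.group("alg").lower()
    if algorithm not in KNOWN_ALGORITHMS:
        raise ValueError(f"unsupported TSIG algorithm {algorithm!r}")
    raw = secret.group("secret")
    try:
        key_bytes = base64.b64decode(raw, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid base64") from exc
    if len(key_bytes) < 16:
        raise ValueError("secret is shorter than 128 bits")
    return {"name": block.group("name"), "algorithm": algorithm, "secret": raw}


def archery_keyfile_line(key):
    """archery-manage keyfile format shown in this guide: <key name>:<base64 secret>."""
    return f"{key['name']}:{key['secret']}"


def convert(text):
    """BIND key statement text -> archery-manage keyfile line."""
    return archery_keyfile_line(parse_bind_key(text))


if __name__ == "__main__":
    # Redirect this output to archery-manage.key on the host running archery-manage.
    print(convert(SAMPLE_BIND_KEY))
```

Note that the placeholder secret printed in this guide (S0Me+SecRet+keYgener@tedwithdnssec==) is rejected by the check because @ is not a base64 character; a secret produced by dnssec-keygen passes.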

Configure DNS zone to host endpoints

It is possible to put records directly into the example.org zone; however, for manageability and security [1] reasons it is advised to configure a dedicated zone for ARCHERY records.

[1] The content will be updated dynamically, and it is better to eliminate the possibility of changing non-ARCHERY-related records. A dedicated subzone is the easiest way to do that.

You can use any name for the dedicated zone; this example uses index.example.org. [2]

[2] Use <ccTLD>.archery.nordugrid.org if you are setting up a country-level index for the Nordugrid infrastructure.

Addresses used in the following examples:

  • Primary (master) DNS: ns1.example.org (192.0.2.100)
  • Secondary (slave) DNS: ns2.example.org (192.0.2.200)

Define zone in DNS

Add the zone definition to the master named.conf:

zone "index.example.org." IN {
    type master;
    file "master/index.example.org.db";
    notify yes;
    also-notify {
        192.0.2.200;  /* slave DNS IP address */
    };
    allow-transfer {
        192.0.2.200;  /* slave DNS IP address */
    };
    allow-update {
        key archery_key;
    };
};

Note the allow-update directive, which authorizes dynamic DNS update requests signed with the archery-manage key.

The secondary DNS is configured without any special options:

zone "index.example.org." IN {
    type slave;
    file "slave/index.example.org.db";
    masters {
        192.0.2.100;
    };
    allow-transfer {
        192.0.2.100;
    };
};

Create zonefile with basic structure

The zonefile requires only a basic SOA record and will be filled with data by archery-manage. The zonefile template (timers should be adjusted to the planned update frequency):

$ORIGIN example.org.
$TTL 3600
index   IN SOA    ns1.example.org. hostmaster.example.org. (
             2018082401 ; serial
             1200       ; refresh (20 minutes)
             180        ; retry (3 minutes)
             604800     ; expire (1 week)
             60         ; minimum (1 minute)
             )
        NS    ns1.example.org.
        NS    ns2.example.org.

Define records in parent zone

Note

If you set up a country-level index for the Nordugrid infrastructure, such records are defined in the parent nordugrid.org zone. Provide your setup information for the top-level index instead of following this section.

Define NS records [3] that refer to the subzone defined above:

$ORIGIN example.org.
; dedicated ARCHERY zone
index   NS ns1.example.org.
index   NS ns2.example.org.

[3] If you plan to use domain names outside this zone in the NS records, don't forget to add glue A records.

To create an ARCHERY entry point in the parent zone you can:

  • define a CNAME record to use example.org as the entry point:

    $ORIGIN example.org.
    ; ARCHERY entry point
    _archery CNAME _archery.index

  • OR define a TXT resource record with ARCHERY data pointing to the group:

    $ORIGIN example.org.
    ; ARCHERY entry point
    _archery TXT "u=index.example.org t=archery.group"


The same techniques can be used to define any other entry points (e.g. in a completely different domain). CNAME is recommended if you point to only one ARCHERY group.

Prepare static list of Computing Elements

The initial list of CEs is used by archery-manage to fetch the endpoints from LDAP GLUE2 and push them to the DNS zone with incremental DDNS updates. CEs are specified one per line in a file:

ce01.example.org
ce02.example.org
arc6.example.org

To migrate from EGIIS, archery-manage can dump the list of CEs automatically:

archery-manage -s egiis:ldap://old.egiis.example.org:2135/Mds-Vo-Name=ExampleVO,o=grid \
               -o arc-CEs > ces.list

Populate DNS with information

To populate the DNS zone with endpoint information, run archery-manage in the following way:

archery-manage -s arcce-list:ces.list --ddns-update \
            --domain index.example.org --ddns-master-ip 192.0.2.100 \
            --ddns-tsig-keyfile archery-manage.key

Note

Updates are performed over the network, so you can run archery-manage on any host. It SHOULD NOT be the DNS server itself.

Consider adding filters to archery-manage:

Filter: Port connectivity

Check network connectivity to the endpoint TCP port and filter out endpoints that do not pass this test:

archery-manage -s arcce-list:ces.list -f portscan ...

Filter: Endpoint type

By default all endpoints available on a CE are published. To filter endpoints by type, there is a dedicated filter.

For example, if you want only EMI-ES ResourceInfo endpoints (for EMI-ES-only operation):

archery-manage -s arcce-list:ces.list -f type:org.ogf.glue.emies.resourceinfo ...

EMI-ES ResourceInfo and LDAP GLUE2 endpoints:

archery-manage -s arcce-list:ces.list -f type:org.ogf.glue.emies.resourceinfo,org.nordugrid.ldapglue2 ...

There is a special endpoint filter, resourceinfo, that is equivalent to selecting EMI-ES ResourceInfo, LDAP GLUE2 and LDAP Nordugrid together.

Filter: VO

For a project-based ARCHERY deployment it is also useful to filter endpoints based on VO access policy. Only endpoints that advertise support for the specified VO will be added [4]:

archery-manage -s arcce-list:ces.list -f vo:exampleVO ...

[4] Resource information (GLUE2PolicyRule in GLUE2 and nordugrid-cluster-acl in Nordugrid LDAP) is used as the source of supported VOs.

Checking the operation

General DNS queries

Any DNS client tool can be used, for example:

[user ~]$ host -t TXT _archery.example.org
_archery.example.org is an alias for _archery.index.example.org
_archery.index.example.org descriptive text "u=dns://ce01.example.org._archery.index.example.org. t=archery.service"
_archery.index.example.org descriptive text "u=dns://ce02.example.org._archery.index.example.org. t=archery.service"
<output omitted>

[root ~]$ host -t TXT ce01.example.org._archery.index.example.org
ce01.example.org._archery.index.example.org descriptive text "o=service t=org.nordugrid.arex id=ce01.example.org"
ce01.example.org._archery.index.example.org descriptive text "u=ldap://ce01.example.org:2135/o=glue t=org.nordugrid.ldapglue2"
ce01.example.org._archery.index.example.org descriptive text "u=https://ce01.example.org:60000/arex t=org.ogf.glue.emies.resourceinfo"
<output omitted>
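To make the entry point variants defined in the parent zone and the output of the host queries above concrete, here is an added Python example (not part of arcsub, archery-manage or the ARC documentation) that walks an ARCHERY registry from an entry point name and collects the service endpoints, optionally restricted to a set of endpoint types in the spirit of the type filter. DNS is replaced by a constructed in-memory table of TXT records modelled on the host output shown above, plus a constructed second entry point, other.example.org, that uses the TXT-record style (u=index.example.org t=archery.group). How u= values are turned into the next DNS owner name (prefixing _archery. for groups, stripping dns:// for services) is this example's reading of the records shown, not a specification.

```python
"""Walk an ARCHERY registry from an entry point and collect service endpoints.

Added example; not part of arcsub, archery-manage or the ARC documentation.
DNS is replaced by an in-memory table of constructed TXT records shaped like
the 'host -t TXT' output in this guide.
"""
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "service url type")

# Constructed data. The CNAME entry point from the guide is modelled as an alias;
# other.example.org is a constructed second entry point using the TXT style.
ALIASES = {"_archery.example.org": "_archery.index.example.org"}
TXT = {
    "_archery.other.example.org": [
        "u=index.example.org t=archery.group",
    ],
    "_archery.index.example.org": [
        "u=dns://ce01.example.org._archery.index.example.org. t=archery.service",
        "u=dns://ce02.example.org._archery.index.example.org. t=archery.service",
    ],
    "ce01.example.org._archery.index.example.org": [
        "o=service t=org.nordugrid.arex id=ce01.example.org",
        "u=ldap://ce01.example.org:2135/o=glue t=org.nordugrid.ldapglue2",
        "u=https://ce01.example.org:60000/arex t=org.ogf.glue.emies.resourceinfo",
    ],
    "ce02.example.org._archery.index.example.org": [
        "o=service t=org.nordugrid.arex id=ce02.example.org",
        "u=ldap://ce02.example.org:2135/o=glue t=org.nordugrid.ldapglue2",
    ],
}


def parse_record(txt):
    """Split an ARCHERY TXT string 'k=v k=v ...' into a dict.

    Values such as LDAP URLs contain '=' themselves, so each token is split
    at its first '=' only.
    """
    fields = {}
    for token in txt.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field {token!r} in {txt!r}")
        fields[key] = value
    return fields


def _canonical(name):
    """Strip the trailing dot and lower-case, so names compare as DNS does."""
    return name.rstrip(".").lower()


def lookup_txt(name, txt, aliases):
    """Return (owner name after alias chasing, parsed TXT records)."""
    name = _canonical(name)
    hops = 0
    while name in aliases:  # follow CNAMEs, bounded against alias loops
        name = _canonical(aliases[name])
        hops += 1
        if hops > 8:
            raise ValueError(f"alias loop at {name}")
    return name, [parse_record(r) for r in txt.get(name, [])]


def collect_endpoints(entry, txt=TXT, aliases=ALIASES, type_filter=None):
    """Depth-first walk from an entry point domain; returns a list of Endpoint.

    type_filter: optional set of endpoint type strings (t= values) to keep.
    Visited owner names are tracked so groups referring to each other
    cannot loop forever.
    """
    endpoints = []
    seen = set()
    stack = ["_archery." + _canonical(entry)]
    while stack:
        name, records = lookup_txt(stack.pop(), txt, aliases)
        if name in seen:
            continue
        seen.add(name)
        # The 'o=service' record names the service; its endpoints inherit the id.
        service_id = next((r["id"] for r in records
                           if r.get("o") == "service" and "id" in r), name)
        for rec in records:
            rtype = rec.get("t")
            url = rec.get("u")
            if rtype == "archery.group" and url:
                stack.append("_archery." + _canonical(url))  # group -> its _archery TXT
            elif rtype == "archery.service" and url:
                if not url.startswith("dns://"):
                    raise ValueError(f"service pointer without dns:// : {url}")
                stack.append(url[len("dns://"):])  # owner name of the service object
            elif url and rtype and rec.get("o") != "service":
                if type_filter is None or rtype in type_filter:
                    endpoints.append(Endpoint(service_id, url, rtype))
    return endpoints


if __name__ == "__main__":
    for ep in collect_endpoints("example.org"):
        print(ep.service, ep.type, ep.url)
```

Walking example.org (CNAME entry point) and other.example.org (TXT entry point) yields the same three endpoints, which is the equivalence the parent-zone section relies on; passing type_filter={"org.ogf.glue.emies.resourceinfo"} leaves only the ce01 EMI-ES endpoint.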

Submit job

Use arcsub -g example.org -d DEBUG to inspect the endpoint discovery process from ARCHERY.

Setup regular updates to ARCHERY

To keep the endpoint information up to date, set up a cron job or systemd timer that runs archery-manage regularly. Combined with at least the port filter, this removes stale endpoints and keeps the registry information current.

Configure LDAP-monitor to use ARCHERY

The NorduGrid LDAP monitor supports fetching endpoints [5] from ARCHERY with the following configuration in settings.inc:

$archery_list = array (
  array (
      "endpoint" => "example.org",
  )
);

[5] The Nordugrid monitor only works with org.nordugrid.ldapng data (LDAP GLUE2 support is experimental with known issues), so publishing the Nordugrid LDAP schema is mandatory in order to use the monitor.

See also

ARCHERY Architecture Overview
ARCHERY Architecture Overview, including concept and DNS records specification.
ARCHERY NorduGrid Top-Level Deployment
ARCHERY Deployment for Top-Level Nordugrid Registry, including example configuration.