Working with community-defined RTEs

New in version 6.5.

Community-defined RTEs are RTEs that created, managed and distributed by particular community.

ARC provides the software solution to automate Community-defined RTEs discovery and software environment provisioning for distributed computing e-Infrastructures.

Typicaly community-defined RTEs describes software packages used for computations. The cummunity itself is responsible for building, testing and verifying a particular version of software packages and the RTE scripts that will prepare such runtime enviroment to be used on the computing cluster worker nodes behind the computing element.

In general RunTime Environments in ARC6 are very flexible, so in addition to defining software packages such RTEs can be used to transfer data or communicate with community services to fetch/register some data. It is up to community to define what they need.

This document describes how to work with community RTEs from ARC CE admin point of view.

To establish community-defined RTEs registry refer to this guide.

1. Enable Community-defined RTEs support

Community RTEs support is added as a technology preview in the ARC 6.5 and turned off by default.

If you need to support Community RTEs deployment on ARC CE, please install nordugrid-arc-community-rtes package:

[root ~]# yum -y install nordugrid-arc-community-rtes

2. Establish trust chain with community

The trust-chain between community and site-admin is based on the digital signatures. All Community-defined RTEs are supposed to be signed using OpenPGP standard for signatures. Technical implementation relies on the GNU Privacy Guard (GPG) software.

To add new community to the trusted list run:

[root ~]# arcctl rte community add
The imported community public key data is:
  pub   2048R/AA56A775 2020-01-30 [expires: 2022-01-29]
        Key fingerprint = 3A47 F0D4 E406 D854 EDAA  ADB5 8FD6 DD57 AA56 A775
  uid                  Example Computations Lab <>
  sub   2048R/3F914B9D 2020-01-30 [expires: 2022-01-29]

Is the community key fingerprint correct? (yes/NO): yes


Check the community key fingerprint matches the one provided to you by community authorities!


Alternatively you can pass expected fingerprint value to --fingerprint option

In the provided example the is the name of the community to add and in the same time it is interpreted as a domain name of ARCHERY community-defined RTEs registry.

If ARCHERY domain name is diffrent add --archery <DOMAIN> option.

It is also possible to establish trust with community using OpenPGP compatible keyserver or web-based RTEs registry [1] as an alternative to ARCHERY.

3. Discover RTEs in the registry


Examples below show APPS/EXAMPLE.ORG/SIMULATION-3.0.1 is already deployed on ARC CE. That is result of the next step execution.

You can list all available community-defined RTEs with rte-list command:

[root ~]# arcctl rte community rte-list
APPS/EXAMPLE.ORG/SIMULATION-3.0.1    (deployed, registry)
APPS/EXAMPLE.ORG/ANALYSIS-1.7.0      (registry)
ENV/EXAMPLE.ORG/SENDSTATS-1.0.0      (registry)

RTEs optionally provide description string that can be viewer with long listing:

[root ~]# arcctl rte community rte-list --long
Community deployed RTEs:
  APPS/EXAMPLE.ORG/SIMULATION-3.0.1   # Example Simulation Software
Additional community RTEs available in the registry:
  APPS/EXAMPLE.ORG/ANALYSIS-1.7.0     # Example Analysis Software
  ENV/EXAMPLE.ORG/SENDSTATS-1.0.0     # Send stats to central services

Before deployment it can be usefull to look inside the RTE script. The rte-cat will show you the content:

[root ~]# arcctl rte community rte-cat APPS/EXAMPLE.ORG/ANALYSIS-1.7.0
# description: Example Analysis Sowtware
# download: url: checksum:md5:63490ad38190a6f172a9020c0c5615f4

if [ "x$1" = "x1" ]; then
  mkdir ${RUNTIME_JOB_DIR}/bin
  cat > ${RUNTIME_JOB_DIR}/bin/example-analysis <<EOF
exec singularity run ${RUNTIME_JOB_SWDIR}/analysis.sif "\$@"
  chmod +x ${RUNTIME_JOB_DIR}/bin/example-analysis
  export PATH=${RUNTIME_JOB_DIR}/bin:${PATH}

4. Deploy community-defined RTE

Deploying community-defined RTE from the registry requires nothing more that passing RTE name to rte-deploy:

[root ~]# arcctl rte community rte-deploy APPS/EXAMPLE.ORG/SIMULATION-3.0.1

This command will:

  • fetch RTE script signed by community

  • verify signature using trusted community public keys (installed during step 2)

  • deploy RTE script itself to be used further with arcctl rte

  • download files specified in the community-defined RTE script to community software location

  • verify checksum data of downloaded files


HINT: It is usefull to increase debug level to at least INFO level during the deployment phase to monitor the progress.

5. Enable community-defined RTE

After deployemnt of community-defined RTEs, operating can be done as ususal - the same was as for other RTE types.

In particular you can list, enable or default RTEs including deployed from community registry:

[root ~]# arcctl rte list
ENV/CANDYPOND                      (system, disabled)
ENV/PROXY                          (system, enabled)
ENV/RTE                            (system, disabled)
ENV/SINGULARITY                    (system, disabled)
APPS/EXAMPLE.ORG/SIMULATION-3.0.1  (community, disabled)

[root ~]# arcctl rte enable APPS/EXAMPLE.ORG/SIMULATION-3.0.1

Additional information and hints

This section provide information how to customize the cummunity-defined RTEs operations.

Location of deployed community software

By default the location for deployed community software picked up automatically based on arc.conf and rely on the session directory in particular.

You can discover and change the location with arcctl:

[root ~]# arcctl rte community config-get

[root ~]# arcctl rte community config-set SOFTWARE_DIR /opt/community/

Operating without the registry

It is possible to deploy community-defined RTEs using the same arcctl automations without registry.

During the deployment phase you can provide URL to signed RTE file with the --url option:

[root ~]# arcctl rte community deploy ENV/URLDEPLOYED-1.0.0 --url

Or it can be even RTE script wihtout signature if you trust the content:

[root ~]# arcctl rte community deploy APPS/SIM-DEVEL --url file:///home/example/dev/ --insecure

Removing RTEs and communities

If you want to remove deployed RTE or entire community, there are rte-remove and remove actions respectively:

[root ~]# arcctl rte community rte-remove APPS/EXAMPLE.ORG/SIMULATION-3.0.1
[2020-02-06 18:11:03,653] [ARCCTL.RunTimeEnvironment.Community] [ERROR] [32505] [Community
RTE APPS/EXAMPLE.ORG/SIMULATION-3.0.1 is enabled. Please disable it first or use "--force"
to disable and undefault automatically]
[root ~]# arcctl rte community rte-remove APPS/EXAMPLE.ORG/SIMULATION-3.0.1 --force
[root ~]# arcctl rte community remove