Deploying ARCHERY for Country/Project/VO
This document shows an example configuration of ARCHERY that holds Computing Element endpoints for a project (country-level, experiment, virtual organization, etc.).
Configuration examples in this guide are given for BIND, but any name server implementation can be used.
Entry point
An entry point to an ARCHERY-based registry is a domain name. In this guide example.org is used as the entry point.
To submit a job using ARCHERY run:
arcsub -g example.org myjob.xrsl
The nordugrid.org domain is the entry point of the whole NorduGrid infrastructure. It holds references to the country-level endpoints, which are named after country code top-level domain (ccTLD) identifiers: <ccTLD>.archery.nordugrid.org
Transaction signature key to manage endpoints
It is possible to manage records manually; however, to keep the information up to date and the endpoint management simple, it is advised to use Dynamic DNS updates with archery-manage.
Generate key
Use the following command to generate the key:
dnssec-keygen -a HMAC-MD5 -b 256 -n USER archery
From the generated files you need the secret part, which has to be included in both the BIND and the archery-manage configuration.
Define key in BIND
Create /etc/named/archery.key and put the secret generated in the previous step there:
key archery_key {
    algorithm hmac-md5;
    secret "S0Me+SecRet+keYgener@tedwithdnssec==";
};
Include the key definition into named.conf using the config line:
include "/etc/named/archery.key";
Keyfile for archery-manage
Create a file (let it be named archery-manage.key) with the generated key in the following format:
archery_key:S0Me+SecRet+keYgener@tedwithdnssec==
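As an added example for this guide (not ARCHERY or BIND code), the following Python helpers take the secret from the file dnssec-keygen writes, check that it is a well-formed 256-bit base64 secret, and produce both the BIND key statement and the archery-manage.key line from the same value, so the two copies cannot drift apart. The layout of the .private file (a "Key:" line carrying the base64 secret) is an assumption; the sample file and its secret are constructed. The hmac-md5 algorithm is the guide's choice; the `algorithm` parameter exists so the same helper can emit hmac-sha256, which BIND also accepts for TSIG, if the key was generated with it.

```python
"""Helpers for the TSIG key shared between BIND and archery-manage: extract
the secret from the dnssec-keygen private key file, check it, and emit the
BIND key statement and the archery-manage keyfile line.

Example code added for this guide, not part of ARCHERY or BIND.  It assumes
the BIND 9 private-key file layout, where the secret is on a "Key:" line; the
sample file below is constructed and its secret is not a real key.
"""
import base64
import binascii
import re

# Constructed 256-bit secret (bytes 0..31 in base64), used only for the sample.
SAMPLE_SECRET = base64.b64encode(bytes(range(32))).decode()

# Constructed stand-in for Karchery.+157+NNNNN.private as written by
# dnssec-keygen -a HMAC-MD5 -b 256 -n USER archery (field layout is an assumption).
SAMPLE_PRIVATE_FILE = f"""\
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: {SAMPLE_SECRET}
Bits: AAA=
"""


def extract_secret(private_file_text):
    """Return the base64 secret from the 'Key:' line of a .private file."""
    match = re.search(r"^Key:\s*(\S+)\s*$", private_file_text, re.MULTILINE)
    if not match:
        raise ValueError("no 'Key:' line in private key file")
    return match.group(1)


def check_secret(secret, expected_bits=256):
    """True if the secret is valid base64 of exactly expected_bits bits.
    named rejects a secret that is not valid base64 when it loads the key
    file; checking here catches copy/paste errors before deployment."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) * 8 == expected_bits


def bind_key_statement(name, secret, algorithm="hmac-md5"):
    """The key {} block for /etc/named/archery.key.  The guide uses hmac-md5;
    BIND also accepts hmac-sha256 here if the key was generated with it."""
    return f'key {name} {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'


def archery_manage_keyfile_line(name, secret):
    """The single line of archery-manage.key: <keyname>:<secret>."""
    return f"{name}:{secret}"


def parse_archery_keyfile(text, expected_bits=256):
    """Read archery-manage.key back into (name, secret), validating the secret."""
    line = text.strip().splitlines()[0]
    if ":" not in line:
        raise ValueError("keyfile line must be <keyname>:<secret>")
    name, secret = line.split(":", 1)
    if not name or not check_secret(secret, expected_bits):
        raise ValueError("keyfile has an empty name or a malformed secret")
    return name, secret


if __name__ == "__main__":
    secret = extract_secret(SAMPLE_PRIVATE_FILE)
    print(bind_key_statement("archery_key", secret))
    print(archery_manage_keyfile_line("archery_key", secret))
```

The check is worth running on the real archery-manage.key as well: a secret that BIND accepted but was mangled while being copied into the keyfile makes every dynamic update fail TSIG verification on the master, which shows up only as rejected updates in the named log.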
Configure DNS zone to host endpoints
It is possible to put records directly into the example.org zone; however, for manageability and security [1] reasons it is advised to have a dedicated zone configured for ARCHERY records.
[1] The content will be updated dynamically, and it is better to eliminate the possibility of changing non-ARCHERY related records. A dedicated subzone is the easiest way.
You can use any name for the dedicated zone; this example uses index.example.org. [2]
[2] Use <ccTLD>.archery.nordugrid.org if you are setting up a country-level index for the NorduGrid infrastructure.
Addresses used in the following examples:
- Primary (master) DNS: ns1.example.org (192.0.2.100)
- Secondary (slave) DNS: ns2.example.org (192.0.2.200)
Define zone in DNS
Add the zone definition to the master named.conf:
zone "index.example.org." IN {
    type master;
    file "master/index.example.org.db";
    notify yes;
    also-notify {
        192.0.2.200; /* slave DNS IP address */
    };
    allow-transfer {
        192.0.2.200; /* slave DNS IP address */
    };
    allow-update {
        key archery_key;
    };
};
Please note the allow-update directive, which authorizes dynamic DNS update queries signed with the archery-manage key.
The secondary DNS should be configured without any special options:
zone "index.example.org." IN {
    type slave;
    file "slave/index.example.org.db";
    masters {
        192.0.2.100;
    };
    allow-transfer {
        192.0.2.100;
    };
};
Create zonefile with basic structure
The zonefile requires only a basic SOA record and will be filled with data by archery-manage.
The zonefile template (timers are subject to adjustment depending on the planned update frequency):
$ORIGIN example.org.
$TTL 3600
index IN SOA ns1.example.org. hostmaster.example.org. (
    2018082401 ; serial
    1200       ; refresh (20 minutes)
    180        ; retry (3 minutes)
    604800     ; expire (1 week)
    60         ; minimum (1 minute)
)
      NS ns1.example.org.
      NS ns2.example.org.
Define records in parent zone
Note
If you set up a country-level index for the NorduGrid infrastructure, such records are defined in the parent nordugrid.org zone.
Please provide your setup information for the top-level index instead of this section.
Define NS records [3] that refer to the defined subzone:
$ORIGIN example.org.
; dedicated ARCHERY zone
index NS ns1.example.org.
index NS ns2.example.org.
[3] If you plan to use different out-of-scope domain names in NS, don't forget to add glue A records.
To create an ARCHERY entry point in the parent zone you can either define a CNAME record to use example.org as an entry point:
$ORIGIN example.org.
; ARCHERY entry point
_archery CNAME _archery.index
or define a TXT resource record with ARCHERY data pointing to the group:
$ORIGIN example.org.
; ARCHERY entry point
_archery TXT "u=index.example.org t=archery.group"
The same technique can be used to define any other entry points (e.g. in a completely different domain). CNAME is recommended if you point to only one ARCHERY group.
Prepare static list of Computing Elements
The initial list of CEs is used by archery-manage to fetch the endpoints from LDAP GLUE2 and push them to the DNS zone with incremental DDNS updates.
CEs are specified line-by-line in the file:
ce01.example.org
ce02.example.org
arc6.example.org
To migrate from EGIIS, archery-manage allows you to dump the list of CEs automatically:
archery-manage -s egiis:ldap://old.egiis.example.org:2135/Mds-Vo-Name=ExampleVO,o=grid \
    -o arc-CEs > ces.list
Populate DNS with information
To populate the DNS zone with endpoint information, run archery-manage in the following way:
archery-manage -s arcce-list:ces.list --ddns-update \
    --domain index.example.org --ddns-master-ip 192.0.2.100 \
    --ddns-tsig-keyfile archery-manage.key
Note
Updates are performed over the network, so you can run archery-manage on any host. It SHOULD NOT be the DNS server itself.
Consider adding filters to archery-manage:
Filter: Port connectivity
Check network connectivity to the endpoint TCP port and filter out endpoints that do not pass this test:
archery-manage -s arcce-list:ces.list -f portscan ...
Filter: Endpoint type
By default all endpoints available on a CE are published. If you want to filter endpoints based on type, there is a dedicated filter.
For example, if you want only EMI-ES ResourceInfo endpoints for EMI-ES-only operation:
archery-manage -s arcce-list:ces.list -f type:org.ogf.glue.emies.resourceinfo ...
EMI-ES ResourceInfo and LDAP GLUE2 endpoints:
archery-manage -s arcce-list:ces.list -f type:org.ogf.glue.emies.resourceinfo,org.nordugrid.ldapglue2 ...
There is a special endpoint filter resourceinfo that is equivalent to EMI-ES ResourceInfo, LDAP GLUE2 and LDAP Nordugrid.
Filter: VO
For a project-based ARCHERY deployment it is also useful to filter endpoints based on VO access policy. Only endpoints that advertise support for the specified VO will be added [4]:
archery-manage -s arcce-list:ces.list -f vo:exampleVO ...
[4] Resource information (GLUE2PolicyRule in GLUE2 and nordugrid-cluster-acl in Nordugrid LDAP) is used as the source of supported VOs.
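The run described in the populate and filter sections above (collect the endpoints of the listed CEs, apply the port, type and VO filters, push an incremental DDNS update signed with the TSIG key) is traced by the following Python example. It is added for this guide and is not archery-manage or any part of ARCHERY: the per-CE endpoint data is constructed in place of the LDAP GLUE2 query, the `probe` argument stands in for the live port check, the org.nordugrid.ldapng type string for LDAP Nordugrid is assumed, and the output is an nsupdate batch (the manual equivalent of the dynamic update, not something archery-manage itself writes). All function names are the example's own.

```python
"""Mirror what the guide asks archery-manage to do: take the CE list, collect
the endpoints each CE advertises, apply the port-connectivity, endpoint-type
and VO filters, compute an incremental dynamic update (adds/deletes) for the
index.example.org zone and render it as a TSIG-signed nsupdate batch.

Example code added for this guide; not archery-manage and not a description
of its internals.  Endpoint data is constructed instead of queried over LDAP.
"""
import socket
from urllib.parse import urlsplit

# Constructed stand-in for what an LDAP GLUE2 query of each CE would return:
# ce -> {"vos": [supported VOs], "endpoints": [(url, endpoint type), ...]}
CE_INFO = {
    "ce01.example.org": {
        "vos": ["exampleVO", "otherVO"],
        "endpoints": [
            ("ldap://ce01.example.org:2135/o=glue", "org.nordugrid.ldapglue2"),
            ("https://ce01.example.org:60000/arex", "org.ogf.glue.emies.resourceinfo"),
        ],
    },
    "ce02.example.org": {
        "vos": ["exampleVO"],
        "endpoints": [("https://ce02.example.org:60000/arex", "org.ogf.glue.emies.resourceinfo")],
    },
    "arc6.example.org": {
        "vos": ["otherVO"],
        "endpoints": [("https://arc6.example.org:443/arex", "org.ogf.glue.emies.resourceinfo")],
    },
}

# Constructed current content of the zone (owner -> TXT strings): ce02 is already
# published, ce03 is a stale entry that no longer appears in the CE list.
CURRENT_ZONE = {
    "_archery.index.example.org": {
        "u=dns://ce02.example.org._archery.index.example.org. t=archery.service",
        "u=dns://ce03.example.org._archery.index.example.org. t=archery.service",
    },
    "ce02.example.org._archery.index.example.org": {
        "o=service t=org.nordugrid.arex id=ce02.example.org",
        "u=https://ce02.example.org:60000/arex t=org.ogf.glue.emies.resourceinfo",
    },
    "ce03.example.org._archery.index.example.org": {
        "o=service t=org.nordugrid.arex id=ce03.example.org",
        "u=https://ce03.example.org:60000/arex t=org.ogf.glue.emies.resourceinfo",
    },
}

# "resourceinfo" is the guide's shorthand for the three information endpoint
# types; the LDAP Nordugrid type string org.nordugrid.ldapng is an assumption.
RESOURCEINFO_TYPES = {"org.ogf.glue.emies.resourceinfo", "org.nordugrid.ldapglue2", "org.nordugrid.ldapng"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636}


def tcp_port_open(url, timeout=3.0):
    """Port-connectivity filter: True if a TCP connection to the endpoint's host:port succeeds."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    if not parts.hostname or port is None:
        return False
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable host
        return False


def select_endpoints(ce_info, types=None, vo=None, probe=tcp_port_open):
    """Apply the type, VO and port filters; returns ce -> [(url, type)] keeping
    only CEs that still have at least one endpoint."""
    wanted = None
    if types:
        wanted = set()
        for t in types:
            wanted |= RESOURCEINFO_TYPES if t == "resourceinfo" else {t}
    selected = {}
    for ce, info in ce_info.items():
        if vo is not None and vo not in info["vos"]:
            continue
        kept = [(u, t) for (u, t) in info["endpoints"] if (wanted is None or t in wanted) and probe(u)]
        if kept:
            selected[ce] = kept
    return selected


def desired_records(selected, zone):
    """Owner -> set of TXT strings in the layout the guide's host queries show:
    one service object per CE plus a group pointer to it."""
    group = f"_archery.{zone}"
    records = {group: set()}
    for ce, endpoints in selected.items():
        owner = f"{ce}._archery.{zone}"
        records[owner] = {f"o=service t=org.nordugrid.arex id={ce}"} | {f"u={u} t={t}" for (u, t) in endpoints}
        records[group].add(f"u=dns://{owner}. t=archery.service")
    return records


def plan_update(current, desired):
    """Incremental diff: a run with no changes produces an empty plan."""
    plan = []
    for owner in sorted(set(current) | set(desired)):
        have, want = current.get(owner, set()), desired.get(owner, set())
        plan += [("delete", owner, txt) for txt in sorted(have - want)]
        plan += [("add", owner, txt) for txt in sorted(want - have)]
    return plan


def render_nsupdate(plan, zone, master_ip, keyfile_line, ttl=3600):
    """Render the plan as an nsupdate batch; the TSIG key comes from an
    archery-manage keyfile line ("name:secret"), matching the allow-update key."""
    name, secret = keyfile_line.strip().split(":", 1)
    lines = [f"server {master_ip}", f"zone {zone}", f"key hmac-md5:{name} {secret}"]
    for op, owner, txt in plan:
        lines.append(f'update add {owner}. {ttl} TXT "{txt}"' if op == "add" else f'update delete {owner}. TXT "{txt}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # probe=lambda url: True skips the live port check for the constructed hosts.
    chosen = select_endpoints(CE_INFO, types={"resourceinfo"}, vo="exampleVO", probe=lambda url: True)
    batch = render_nsupdate(plan_update(CURRENT_ZONE, desired_records(chosen, "index.example.org")),
                            "index.example.org", "192.0.2.100", "archery_key:PLACEHOLDER_SECRET")
    print(batch)
```

Two points carry over to the real tool: the diff-based plan is what makes a cron or timer driven run safe, since an unchanged infrastructure produces no update traffic, and the only credential in the batch is the key named in allow-update, so a compromise of the host running the updater exposes the ARCHERY subzone but nothing in the parent zone.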
Checking the operation
General DNS queries
Any DNS client tool can be used, for example:
[user ~]$ host -t TXT _archery.example.org
_archery.example.org is an alias for _archery.index.example.org
_archery.index.example.org descriptive text "u=dns://ce01.example.org._archery.index.example.org. t=archery.service"
_archery.index.example.org descriptive text "u=dns://ce02.example.org._archery.index.example.org. t=archery.service"
<output omitted>
[root ~]$ host -t TXT ce01.example.org._archery.index.example.org
ce01.example.org._archery.index.example.org descriptive text "o=service t=org.nordugrid.arex id=ce01.example.org"
ce01.example.org._archery.index.example.org descriptive text "u=ldap://ce01.example.org:2135/o=glue t=org.nordugrid.ldapglue2"
ce01.example.org._archery.index.example.org descriptive text "u=https://ce01.example.org:60000/arex t=org.ogf.glue.emies.resourceinfo"
<output omitted>
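To see how the records in the host output above fit together (and how the CNAME and TXT entry-point forms from the parent zone section lead to the same group), here is a small resolver added as an example for this guide. It is not ARC client code and makes no DNS queries: the registry is constructed from the output shown above, with one extra TXT-style entry point added under a made-up project.example.net name. It assumes that a group reference without a dns:// scheme is resolved by prepending _archery., as the entry point itself is, and that unknown records are skipped rather than treated as errors.

```python
"""Resolve an ARCHERY entry point into service endpoints by following the
record types this guide shows:

  _archery CNAME ...                          entry point alias
  TXT "u=<group> t=archery.group"             pointer to another group
  TXT "u=dns://<name> t=archery.service"      pointer to a service
  TXT "o=service t=<type> id=<id>"            service object
  TXT "u=<url> t=<endpoint type>"             service endpoint

Example code added for this guide; not an ARC client, no DNS traffic.
"""

# Constructed registry: name -> ("CNAME", target) or ("TXT", [strings]),
# mirroring the host output in the guide plus a TXT-style entry point.
REGISTRY = {
    "_archery.example.org": ("CNAME", "_archery.index.example.org"),
    "_archery.project.example.net": ("TXT", ["u=index.example.org t=archery.group"]),
    "_archery.index.example.org": ("TXT", [
        "u=dns://ce01.example.org._archery.index.example.org. t=archery.service",
        "u=dns://ce02.example.org._archery.index.example.org. t=archery.service",
    ]),
    "ce01.example.org._archery.index.example.org": ("TXT", [
        "o=service t=org.nordugrid.arex id=ce01.example.org",
        "u=ldap://ce01.example.org:2135/o=glue t=org.nordugrid.ldapglue2",
        "u=https://ce01.example.org:60000/arex t=org.ogf.glue.emies.resourceinfo",
    ]),
    "ce02.example.org._archery.index.example.org": ("TXT", [
        "o=service t=org.nordugrid.arex id=ce02.example.org",
        "u=https://ce02.example.org:60000/arex t=org.ogf.glue.emies.resourceinfo",
    ]),
}


def parse_fields(txt):
    """'u=... t=...' -> {'u': ..., 't': ...}; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in txt.split() if "=" in tok)


def lookup_txt(registry, name, max_cnames=8):
    """TXT strings for name, following CNAMEs (bounded, so an alias loop stops)."""
    name = name.rstrip(".")
    for _ in range(max_cnames):
        rtype, data = registry.get(name, ("TXT", []))
        if rtype != "CNAME":
            return data
        name = data.rstrip(".")
    raise ValueError(f"CNAME chain too long at {name}")


def owner_for(ref):
    """Owner name to query for a group or service reference (assumption: a
    bare group name gets the _archery. prefix, like the entry point)."""
    if ref.startswith("dns://"):
        return ref[len("dns://"):].rstrip(".")
    return f"_archery.{ref.rstrip('.')}"


def read_service(registry, owner):
    """(service id, service type, [(url, endpoint type)]) for a service owner."""
    sid, stype, endpoints = owner, "", []
    for txt in lookup_txt(registry, owner):
        f = parse_fields(txt)
        if f.get("o") == "service":
            sid, stype = f.get("id", owner), f.get("t", "")
        elif "u" in f and "t" in f:
            endpoints.append((f["u"], f["t"]))
    return sid, stype, endpoints


def resolve(registry, entry_point, types=None):
    """All (service id, service type, url, endpoint type) reachable from the
    entry point, optionally limited to the given endpoint types.  Each group is
    visited once, so a registry with a cycle still terminates."""
    results, seen = [], set()
    pending = [f"_archery.{entry_point.rstrip('.')}"]
    while pending:
        owner = pending.pop()
        if owner in seen:
            continue
        seen.add(owner)
        for txt in lookup_txt(registry, owner):
            f = parse_fields(txt)
            if "u" not in f:
                continue
            if f.get("t") == "archery.group":
                pending.append(owner_for(f["u"]))
            elif f.get("t") == "archery.service":
                sid, stype, eps = read_service(registry, owner_for(f["u"]))
                results += [(sid, stype, u, t) for (u, t) in eps if types is None or t in types]
    return sorted(results)


if __name__ == "__main__":
    for row in resolve(REGISTRY, "example.org"):
        print(*row)
```

The bounded CNAME chain and the visited set are the two checks worth keeping in any consumer of ARCHERY data: the registry content is under the control of whoever holds the update key for each zone, and a client that follows group pointers without a limit can be kept busy by a reference loop.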
Submit job
Use arcsub -g example.org -d DEBUG to check the process of endpoint discovery from ARCHERY.
Setup regular updates to ARCHERY
To keep the information about endpoints up to date, set up a cron job or systemd timer to run archery-manage regularly.
In combination with at least the port connectivity filter, this eliminates stale endpoints and keeps the registry information current.
Configure LDAP-monitor to use ARCHERY
The NorduGrid LDAP monitor supports fetching endpoints [5] from ARCHERY with the following configuration in settings.inc:
$archery_list = array (
    array (
        "endpoint" => "example.org",
    )
);
[5] The Nordugrid monitor only works with org.nordugrid.ldapng data (LDAP GLUE2 support is experimental with known issues), so publishing the Nordugrid LDAP schema is mandatory to use the monitor.
See also
- ARCHERY Architecture Overview, including concept and DNS records specification.
- ARCHERY NorduGrid Top-Level Deployment: ARCHERY Deployment for Top-Level Nordugrid Registry, including example configuration.