Operating an ARCHERY instance

The first and main task of an ARCHERY DNS zone administrator is to keep the services topology up to date.

The services topology is a static list of e-Infrastructure services (and optionally their grouping) defined in a simple configuration file (see below).

The archery-manage tool then uses the topology configuration file, fetches the necessary information about the defined services and updates the data in the ARCHERY DNS zone.

As an ARCHERY DNS zone administrator you should establish regular updates (e.g. a cron job or similar) to keep the information up to date.

The following sections provide details about these operational tasks.

Define the infrastructure services topology

In the simplest case, when the topology is a flat list of ARC services, a text file with hostnames specified line by line can be used.

More advanced topologies (e.g. grouping or non-ARC services) can be described in the JSON topology configuration file for ARCHERY.

Simple topology: flat list of ARC CEs

CE hostnames can be defined line by line in a plain text file:

ce01.example.org
ce02.example.org
arc6.example.org

Alternatively, the JSON config syntax can be used as well:

{
  "arc-services": [
     "ce01.example.org",
     "ce02.example.org",
     "arc6.example.org"
  ]
}

archery-manage automatically discovers the ARC service endpoints by querying the information services on each ARC CE and pushes them to the DNS zone with an incremental DDNS update.

Hierarchical topology and non-ARC services

ARCHERY is NOT restricted to ARC services only and can hold endpoint information for any e-Infrastructure service.

To define such services, use the JSON configuration file, which is the most flexible source of topology definition for archery-manage.

Please consult the JSON topology configuration file for ARCHERY document for such topologies configuration examples.

Run archery-manage to update DNS zone information

To populate the DNS zone with endpoint information based on the configured services topology, run archery-manage:

[user ~]$ archery-manage -s arcce-list:ces.list --ddns-update \
            --domain index.example.org --ddns-master-ip 192.0.2.100 \
            --ddns-tsig-keyfile archery-manage.key

The -s option defines the type of configuration file to use and the path to it, separated by a colon. The arcce-list type corresponds to the plain text list of ARC services; the json type should be used for a JSON configuration file.

The --ddns-tsig-keyfile option points to the location of the generated transaction signature (TSIG) key. Anyone who can read this key can sign updates to the zone, so keep it readable only by the account that runs archery-manage.

The --domain and --ddns-master-ip options define the dedicated ARCHERY DNS zone name and the master DNS server IP respectively.

Note

Updates are performed over the network, so archery-manage can run on any host. It SHOULD NOT be the DNS server itself.

archery-manage writes logs to stderr that indicate the status of each operation performed during the run, including fetching, filtering and DDNS updates. You can increase log verbosity with the -d option.

Consider adding filters to archery-manage:

Filter: Port connectivity

Checks network connectivity to the endpoint TCP port and filters out endpoints that do not pass this test.

It is advised to have the portscan filter enabled during regular operations. Keep in mind that it only shows that the port accepts a TCP connection from the host running archery-manage: a service that is up but broken still passes, and a firewall that treats that host differently from users can give misleading results.

[user ~]$ archery-manage -s arcce-list:ce.list -f portscan ...
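As an added example (not archery-manage code and not from the ARCHERY documentation), the shell functions below re-implement the essence of a port connectivity filter so that its behaviour and limits are visible. The one-URL-per-line input, the per-scheme default ports, the timeout and the lack of support for bracketed IPv6 literals are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of archery-manage: a minimal re-implementation of
# what a port-connectivity filter does. It only proves that the port accepts
# a TCP connection from *this* host; the service behind it may still be
# broken, and a firewall that treats the update host differently from users
# gives misleading results.
# Assumptions (not from the original page): one endpoint URL per line, a
# connect within $TIMEOUT seconds counts as reachable, the scheme defaults
# below apply when the URL carries no port, bracketed IPv6 literals are not
# handled.

TIMEOUT="${TIMEOUT:-3}"

# url_hostport URL -> prints "host port", or returns 1 if none can be derived
url_hostport() {
    local url=$1 scheme rest hostport host port
    scheme=${url%%://*}
    [ "$scheme" != "$url" ] || return 1         # no "://" in the URL at all
    rest=${url#*://}
    hostport=${rest%%/*}
    host=${hostport%%:*}
    [ -n "$host" ] || return 1
    if [ "$hostport" != "$host" ]; then
        port=${hostport##*:}
    else
        case "$scheme" in
            https) port=443 ;;
            http)  port=80 ;;
            ldap)  port=389 ;;
            ldaps) port=636 ;;
            *)     return 1 ;;                   # unknown scheme, no default port
        esac
    fi
    printf '%s %s\n' "$host" "$port"
}

# tcp_open HOST PORT -> 0 if a TCP connection opens within $TIMEOUT seconds.
# Uses bash's /dev/tcp redirection, so it needs bash even if this file runs in sh.
# Host and port are passed as positional parameters, never spliced into the
# command string, so a hostile hostname in the topology cannot inject shell code.
tcp_open() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$1/$2"' bash "$1" "$2" 2>/dev/null
    else
        bash -c 'exec 3<>"/dev/tcp/$1/$2"' bash "$1" "$2" 2>/dev/null
    fi
}

# filter_reachable < urls -> prints only the URLs whose port accepts a
# connection; dropped entries are reported on stderr
filter_reachable() {
    local url hp
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        if ! hp=$(url_hostport "$url"); then
            echo "skip (no host/port in URL): $url" >&2
            continue
        fi
        # $hp is intentionally unquoted: it expands to the two arguments "host port"
        if tcp_open $hp; then
            printf '%s\n' "$url"
        else
            echo "drop (port not reachable): $url" >&2
        fi
    done
}

# Example run on a constructed list; only reachable entries survive:
#   printf '%s\n' https://ce01.example.org/arex ldap://ce02.example.org:2135/o=glue | filter_reachable
```

Run it from the same host and network position as the real archery-manage job, otherwise the result says nothing about what that job will publish.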

Filter: Endpoint type

By default, all service endpoint types that are defined or discovered are published. To filter endpoints based on type, there is a dedicated filter.

For example, to publish only ARC REST endpoints in ARCHERY:

[user ~]$ archery-manage -s json:/etc/archery.json -f type:org.nordugrid.arcrest ...

Both ARC REST and LDAP GLUE2 endpoints:

[user ~]$ archery-manage -s json:/etc/archery.json -f type:org.nordugrid.arcrest,org.nordugrid.ldapglue2 ...

Filter: VO

Note

VO filtering is only available when service endpoints are automatically discovered from information services (e.g. ARC services, Site-BDII, etc.)

For a project-based ARCHERY deployment it is also useful to filter endpoints based on VO access policy. Only endpoints that advertise support for the specified VO will be added [1]:

[user ~]$ archery-manage -s arcce-list:ce.list -f vo:exampleVO ...

[1] Resource information (GLUE2PolicyRule in GLUE2 and nordugrid-cluster-acl in the NorduGrid LDAP schema) is used as the source of supported VOs.

Check that the data is embedded in DNS

Once the ARCHERY DNS zone is populated, query the ARCHERY data from DNS to verify that the update worked. This can be done with manual DNS queries or with a job submission.
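An added example, not from the ARCHERY documentation or archery-manage, of doing the manual DNS check from a shell: it walks the hierarchy from the _archery entry point of the zone and lists every endpoint it finds with its type and status. The record layout it parses is taken from the ARCHERY specification rather than from this page (space-separated key=value pairs; records with o=archery or o=service point to the next object via u=dns://...; other records with u= are endpoints), and the records in sample_txt are constructed so the walker can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the ARCHERY documentation or archery-manage: walk
# the ARCHERY hierarchy from the _archery.<zone> entry point and list every
# published endpoint with its type and status.
# Assumed record layout (taken from the ARCHERY specification, not from this
# page): a TXT record is a space-separated set of key=value pairs; records with
# o=archery or o=service carry a u=dns://<name> pointer to the next object, any
# other record with a u= key is an endpoint and may carry t= (type) and s=
# (status). The record names and values in sample_txt below are constructed.

# The resolver is pluggable so the walker can be exercised without DNS access.
ARCHERY_RESOLVER=${ARCHERY_RESOLVER:-dig_txt}

# dig_txt NAME -> TXT data of NAME, one record per line, quoting removed
dig_txt() {
    dig +short TXT "$1" | sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# sample_txt NAME -> constructed records standing in for a populated zone
sample_txt() {
    case "$1" in
        _archery.index.example.org)
            echo "u=dns://_ces.index.example.org o=archery t=org.nordugrid.arc" ;;
        _ces.index.example.org)
            echo "u=dns://_ce01.index.example.org o=service"
            echo "u=dns://_ce02.index.example.org o=service" ;;
        _ce01.index.example.org)
            echo "u=https://ce01.example.org:443/arex t=org.nordugrid.arcrest s=active"
            echo "u=ldap://ce01.example.org:2135/o=glue t=org.nordugrid.ldapglue2 s=active" ;;
        _ce02.index.example.org)
            echo "u=https://ce02.example.org:443/arex t=org.nordugrid.arcrest s=inactive" ;;
        *) return 1 ;;
    esac
}

# field KEY RECORD -> value of KEY in RECORD, or return 1 if absent
field() {
    local key=$1 rec=$2 tok
    set -f                                       # no globbing while splitting the record
    for tok in $rec; do
        case "$tok" in
            "$key="*) set +f; printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    set +f
    return 1
}

# classify RECORD -> "group NAME", "service NAME" or "endpoint URL TYPE STATUS"
classify() {
    local rec=$1 obj url
    url=$(field u "$rec") || return 1            # every ARCHERY record needs u=
    obj=$(field o "$rec") || obj=endpoint
    case "$obj" in
        archery) printf 'group %s\n' "${url#dns://}" ;;
        service) printf 'service %s\n' "${url#dns://}" ;;
        *) printf 'endpoint %s %s %s\n' "$url" \
               "$(field t "$rec" || echo -)" "$(field s "$rec" || echo -)" ;;
    esac
}

# walk NAME [DEPTH] -> prints endpoint lines for the whole subtree; DEPTH bounds
# the recursion so a pointer loop in a misconfigured zone cannot hang the walk
walk() {
    local name=$1 depth=${2:-0} rc=0 recs rec kind
    if [ "$depth" -ge 8 ]; then
        echo "walk: depth limit reached at $name (pointer loop?)" >&2
        return 1
    fi
    recs=$("$ARCHERY_RESOLVER" "$name") && [ -n "$recs" ] || {
        echo "walk: no records for $name" >&2
        return 1
    }
    while IFS= read -r rec; do
        [ -n "$rec" ] || continue
        kind=$(classify "$rec") || { echo "walk: record without u= ignored: $rec" >&2; continue; }
        case "$kind" in
            group\ *|service\ *) walk "${kind#* }" $((depth + 1)) || rc=1 ;;
            *) printf '%s\n' "$kind" ;;
        esac
    done <<EOF
$recs
EOF
    return "$rc"
}

# Real check against the zone:  walk _archery.index.example.org
# Offline dry run:              ARCHERY_RESOLVER=sample_txt walk _archery.index.example.org
[ $# -eq 0 ] || walk "$1"
```

Compare the printed endpoints with what the update run logged as pushed; an endpoint that is missing here but present in the log points at a DNS propagation or caching issue, not at archery-manage.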

Set up regular updates to ARCHERY

To keep the endpoint information up to date, set up a cron job (or systemd timer) to run archery-manage regularly.

In combination with at least the port connectivity filter, this eliminates stale endpoints and keeps the information in the registry current.

ARCHERY operations hints

Optimize information fetching frequency

The set of available service endpoints itself is not subject to rapid change, but endpoint availability status is.

The automatic endpoint discovery done by archery-manage can therefore run less frequently than the endpoint availability scan, using the JSON configuration output as an intermediate step:

  1. Set up endpoint fetching into an expanded JSON config.

Run archery-manage with the defined topology and the desired filters but without the DDNS update. This job can run less frequently, e.g. once a day.

[user ~]$ archery-manage -s json:/etc/archery.json -f vo:exampleVO -o json > /etc/archery-expanded.json

Because the shell redirection truncates the target file before archery-manage starts, a failed fetch leaves an empty expanded config behind; writing to a temporary file and moving it into place only on success avoids that.

  2. Update the information in the ARCHERY DNS zone using the expanded JSON config.

For the actual ARCHERY DNS zone updates, use the expanded JSON config obtained in the previous step. This job should run more frequently (e.g. every 5 minutes) with the portscan filter to eliminate stale endpoints.

[user ~]$ archery-manage -s json:/etc/archery-expanded.json -f portscan \
           --ddns-update --ddns-tsig-keyfile archery-manage.key \
           --domain index.example.org --ddns-master-ip 192.0.2.100
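The two jobs above can be wrapped in one cron script. The script below is an added example, not part of the ARCHERY project; it keeps the archery-manage commands from this page and adds the checks a production deployment wants: a permission check on the TSIG key file, atomic replacement of the expanded config, a guard against running the update with a missing or empty expanded config, and flock-based serialisation of runs. The key file path, lock file, variable names and crontab lines are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the ARCHERY project): a cron wrapper around the
# two archery-manage jobs described above. Beyond what the page shows, it
#   - refuses to run the zone update when the TSIG key file is readable by
#     group or others (whoever reads it can sign updates to the zone),
#   - refuses to run the zone update when the expanded config is missing or
#     empty, instead of handing archery-manage an empty topology,
#   - serialises runs with flock so a slow fetch never overlaps the next one,
#   - writes the expanded JSON to a temporary file and replaces the live copy
#     only when archery-manage exits successfully with non-empty output (a
#     plain ">" redirection truncates the file before the command starts).
# The zone name, master IP and the two config paths come from the page; the
# key file path, lock file, variable names and crontab lines are assumptions.

TOPOLOGY=${TOPOLOGY:-/etc/archery.json}
EXPANDED=${EXPANDED:-/etc/archery-expanded.json}
KEYFILE=${KEYFILE:-/etc/archery/archery-manage.key}
ZONE=${ZONE:-index.example.org}
MASTER_IP=${MASTER_IP:-192.0.2.100}
VO=${VO:-exampleVO}
LOCK=${LOCK:-/run/lock/archery-manage.lock}

# keyfile_private FILE -> 0 only if FILE exists and has no group/other bits set
keyfile_private() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
    case "$mode" in
        ?00) return 0 ;;      # 600, 400, 700: owner only
        *)   return 1 ;;
    esac
}

# atomic_write DEST CMD... -> run CMD with stdout in a temp file beside DEST and
# move it over DEST only on success with non-empty output; DEST is left
# untouched otherwise. The result keeps mktemp's 0600 mode, which is fine
# because the same account reads it in the update job.
atomic_write() {
    local dest=$1 tmp
    shift
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if "$@" >"$tmp" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Slow job (e.g. daily): discover endpoints, apply the VO filter, expand to JSON
fetch_topology() {
    atomic_write "$EXPANDED" archery-manage -s "json:$TOPOLOGY" -f "vo:$VO" -o json
}

# Fast job (e.g. every 5 minutes): portscan the expanded list and push it to DNS
update_zone() {
    if ! keyfile_private "$KEYFILE"; then
        echo "refusing to run: $KEYFILE must exist and be readable by its owner only (chmod 0600)" >&2
        return 1
    fi
    if ! [ -s "$EXPANDED" ]; then
        echo "refusing to run: $EXPANDED is missing or empty, run the fetch job first" >&2
        return 1
    fi
    archery-manage -s "json:$EXPANDED" -f portscan \
        --ddns-update --ddns-tsig-keyfile "$KEYFILE" \
        --domain "$ZONE" --ddns-master-ip "$MASTER_IP"
}

# with_lock CMD... -> run CMD only if no other instance currently holds $LOCK
with_lock() {
    if command -v flock >/dev/null 2>&1; then
        exec 9>"$LOCK" || return 1
        if ! flock -n 9; then
            echo "another archery-manage run still holds $LOCK, skipping" >&2
            return 1
        fi
    fi
    "$@"
}

# Assumed crontab for the unprivileged account that owns the key file:
#   17 3 * * *   /usr/local/sbin/archery-cron fetch
#   */5 * * * *  /usr/local/sbin/archery-cron update
case "${1:-}" in
    fetch)  with_lock fetch_topology ;;
    update) with_lock update_zone ;;
    "")     echo "usage: $0 fetch|update" >&2 ;;
    *)      echo "unknown action: $1" >&2; exit 2 ;;
esac
```

The exit status of each run is what cron reports, so a failed fetch or a skipped update shows up in the cron mail or journal rather than silently leaving stale data in the zone.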

Configure LDAP-monitor to use ARCHERY

The popular ARC CE monitoring tool, the LDAP monitor, can be used with ARCHERY out of the box.

It supports fetching endpoints [2] from ARCHERY with the following configuration in settings.inc:

<?php
 // ARCHERY DNS domain name to query for endpoints
 $archery_list = array (
   array (
    "endpoint" => "example.org",
   )
 );
?>

[2] The NorduGrid monitor only works with org.nordugrid.ldapng data (LDAP GLUE2 support is experimental), so publishing the NorduGrid LDAP schema is mandatory in order to use the monitor.