Project

General

Profile

Production Account

The production efforts maintain a number of group accounts. If you are part of the production efforts you may or may not be included in the login list for these special accounts.

Currently the primary account used for production is the novapro account. This account is able to perform submission of special production jobs as well as being the home for a number of production related programs, scripts and items.

novapro Credentials

Normally, users submit jobs using authentication credentials based upon their kerberos login. The novapro account is different.

The novapro account uses a special "service certificate" to allow it to more generally submit jobs.

The service certificate was issued through the Open Science Grid (OSG) and has the following information:

"/CN=novaproduction\/nova-offline.fnal.gov" 

Distinguished Name:
Subject: DC=com, DC=DigiCert-Grid, O=Open Science Grid, OU=Services, CN=novaproduction/nova-offline.fnal.gov

The public certificate and private key are held in a local area (non-nfs, non-afs) of the machines where they are installed. On the nova interactive nodes, gpsn01 and other standard FNAL nova machine this is: /scratch/nova/novapro/private

They are named:

novaproduction_servicekey.pem 
novaproduction_cert.pem

They can be used to generate an appropriate grid proxy using voms-proxy-init:


voms-proxy-init 
 -cert=/scratch/nova/novapro/private/novaproduction_cert.pem 
 -key=/scratch/nova/novapro/private/novaproduction_servicekey.pem 
 --rfc 
 --voms=fermilab:/fermilab/nova/Role=Production 

This identity is registered with the /Fermilab/nova VO and has both Analysis and Production roles.

Summitting Jobs as novapro

The novapro certificates have been installed in the novapro account on gpsn01. The certificate files are located in /scratch/nova/novapro/private/.

Links have been created in /scratch/novapro/grid/ to have the following names for the different proxies:

novapro.nova.Production.proxy 
novapro.proxy
novapro.nova.proxy

A cron entry renews the proxy three times a day. The entry reads:

0 */3 * * * voms-proxy-init -cert=/scratch/nova/novapro/private/novaproduction_cert.pem -key=/scratch/nova/novapro/private/novaproduction_servicekey.pem --rfc --voms=fermilab:/fermilab/nova/Role=Analysis -out /scratch/novapro/grid/novapro.Production.proxy > /dev/null

Before submitting a job, the user must define the appropriate static values for the variables KRB5CCNAME and X509_USER_PROXY. This can be done by using the following commands:

export KRB5CCNAME=FILE:/tmp/krb5_novapro
export X509_USER_PROXY=/var/tmp/novapro.Production.proxy

With this in place, the normal user can setup the jobsub tools (from within the novapro account) and submit a job transparently.

jobsub -g /usr/bin/printevn

All the jobs will show up as being owned by novapro and have accounting that is linked to the novapro account.