The production efforts maintain a number of group accounts. If you are part of the production efforts you may or may not be included in the login list for these special accounts.
Currently the primary account used for production is the novapro account. This account is able to perform submission of special production jobs as well as being the home for a number of production related programs, scripts and items.
Normally, users submit jobs using authentication credentials based upon their kerberos login. The novapro account is different.
The novapro account uses a special "service certificate" to allow it to more generally submit jobs.
The service certificate was issued through the Open Science Grid (OSG) and has the following information:
Subject: DC=com, DC=DigiCert-Grid, O=Open Science Grid, OU=Services, CN=novaproduction/nova-offline.fnal.gov
The public certificate and private key are held in a local area (non-nfs, non-afs) of the machines where they are installed. On the nova interactive nodes, gpsn01 and other standard FNAL nova machine this is: /scratch/nova/novapro/private
They are named:
They can be used to generate an appropriate grid proxy using voms-proxy-init:
voms-proxy-init -cert=/scratch/nova/novapro/private/novaproduction_cert.pem -key=/scratch/nova/novapro/private/novaproduction_servicekey.pem --rfc --voms=fermilab:/fermilab/nova/Role=Production
This identity is registered with the /Fermilab/nova VO and has both Analysis and Production roles.
Summitting Jobs as novapro¶
The novapro certificates have been installed in the novapro account on gpsn01. The certificate files are located in /scratch/nova/novapro/private/.
Links have been created in /scratch/novapro/grid/ to have the following names for the different proxies:
novapro.nova.Production.proxy novapro.proxy novapro.nova.proxy
A cron entry renews the proxy three times a day. The entry reads:
0 */3 * * * voms-proxy-init -cert=/scratch/nova/novapro/private/novaproduction_cert.pem -key=/scratch/nova/novapro/private/novaproduction_servicekey.pem --rfc --voms=fermilab:/fermilab/nova/Role=Analysis -out /scratch/novapro/grid/novapro.Production.proxy > /dev/null
Before submitting a job, the user must define the appropriate static values for the variables KRB5CCNAME and X509_USER_PROXY. This can be done by using the following commands:
export KRB5CCNAME=FILE:/tmp/krb5_novapro export X509_USER_PROXY=/var/tmp/novapro.Production.proxy
With this in place, the normal user can setup the jobsub tools (from within the novapro account) and submit a job transparently.
jobsub -g /usr/bin/printevn
All the jobs will show up as being owned by novapro and have accounting that is linked to the novapro account.