USG Proxy Renewal with MyProxy
|Main||EGI.eu operations services||Support||Documentation||Tools||Activities||Performance||Technology||Catch-all Services||Resource Allocation||Security|
|Documentation menu:||Home •||Manuals •||Procedures •||Training •||Other •||Contact ►||For:||VO managers •||Administrators|
For long-lived jobs, it is often necessary to automatically renew a proxy to ensure that the job continues to have proper delegated rights until it finishes. This page explains how to use the proxy renewal services.
Proxy Renewal Services
Proxies created as described in the previous section pose a problem: if a job does not finish before the expiration time of the proxy, it is aborted. This can easily happen, for example, if the job takes a very long time to execute, or if it stays in a queue for a long time. The easiest solution to the problem would be to use very long-lived proxies, but at the expense of an increased security risk. Moreover, the duration of a VOMS proxy is limited by the VOMS server and cannot be made arbitrarily long.
To overcome this limitation, a proxy credential repository system is used, which allows the user to create and store a long-term proxy in a dedicated server (a "MyProxy" server). The Workload Management System (WMS) will then be able to use this long-term proxy to periodically renew the proxy for a submitted job before it expires and until the job ends (or the long-term proxy expires).
To see if a site has a MyProxy server, the Grid Operations Centre (GOC) database may be consulted. Some MyProxy servers have restricted access and user has to first contact site administrator to get an access.
A UI may have a default server defined in the
MYPROXY_SERVER environment variable.
Because the renewal process starts 30 minutes before the old proxy expires, it is necessary to generate an initial proxy long enough, or the renewal may not complete in time. In this case, the job will fail with the following error:
Status Reason: Got a job held event, reason: Globus error 131: the user proxy expired (job is still running)
The minimum recommended time for the initial proxy is 30 minutes, and in most circumstances it should be substantially longer. Job submission is forbidden for proxies with a remaining lifetime less than 20 minutes.
Management of the proxy renewal functionality is available via the
myproxy commands that are analogous to the
voms commands. The user must either specify the host name of a MyProxy server, or define it as the value of the
MYPROXY_SERVER environment variable.
For the WMS to know which MyProxy server to use in the proxy renewal process, the name of the server must be included in an attribute of the job's
JDL file. If the user does not add it manually, the name of the default MyProxy server is added automatically when the job is submitted. This default is defined in a VO-specific configuration file.
The machine on which the WMS is running must be trusted by the MyProxy server for renewal to be allowed.
Managing Long-term Proxies
Store a long-term proxy in a MyProxy server
To create and store a long-term proxy, the user must follow the format:
$ myproxy-init -s <myproxy_server> -d -n
-s <myproxy_server> specifies the hostname of the machine where a MyProxy Server runs, the
-d option instructs the server to associate the user DN to the proxy, and the
-n option avoids the use of a passphrase to access the long-term proxy, so that the WMS can perform the renewal automatically. It is critical that the
-d option be used.
The output will be similar to:
Your identity: /O=Grid/O=CERN/OU=cern.ch/CN=John Doe Enter GRID pass phrase for this identity: Creating proxy ............................................. Done Your proxy is valid until: Thu Jul 17 18:57:04 2003 A proxy valid for 168 hours (7.0 days) for user /O=Grid/O=CERN/OU=cern.ch/CN=John Doe now exists on myproxy.cern.ch.
By default, the long-term proxy lasts for one week and the proxies created from it last 12 hours. These lifetimes can be changed using either the
-c and the
-t option, but cannot be longer than the lifetime of the user certificate.
-s <myproxy_server> option is missing, the command will try to use the
MYPROXY_SERVER environment variable to determine the MyProxy Server.
Retrieve information about a long-term proxy
To get information about a long-term proxy stored in a Proxy Server, the following command format is used:
$ myproxy-info -s <myproxy_server> -d
-d options have the same meaning as in the previous example. The output is similar to:
username: /O=Grid/O=CERN/OU=cern.ch/CN=John Doe owner: /O=Grid/O=CERN/OU=cern.ch/CN=John Doe timeleft: 167:59:48 (7.0 days)
There must be a valid proxy on the UI, created with to successfully interact with the long-term proxy on the MyProxy server.
Deleting a long-term proxy
Deleting a stored long-term proxy is achieved by doing:
$ myproxy-destroy -s <myproxy_server> -d
-d options have the same meaning as in the previous example. The output is:
Default MyProxy credential for user /O=Grid/O=CERN/OU=cern.ch/CN=John Doe was successfully removed.
Again, a valid proxy must exist on the UI for this to work.