USG Proxy Renewal with MyProxy

From EGIWiki
Jump to: navigation, search
Main EGI.eu operations services Support Documentation Tools Activities Performance Technology Catch-all Services Resource Allocation Security


Documentation menu: Home Manuals Procedures Training Other Contact For: VO managers Administrators




<<  EGI User Start Guide



For long-lived jobs, it is often necessary to automatically renew a proxy to ensure that the job continues to have proper delegated rights until it finishes. This page explains how to use the proxy renewal services.

Proxy Renewal Services

Proxies created as described in the previous section pose a problem: if a job does not finish before the expiration time of the proxy, it is aborted. This can easily happen, for example, if the job takes a very long time to execute, or if it stays in a queue for a long time. The easiest solution to the problem would be to use very long-lived proxies, but at the expense of an increased security risk. Moreover, the duration of a VOMS proxy is limited by the VOMS server and cannot be made arbitrarily long.

To overcome this limitation, a proxy credential repository system is used, which allows the user to create and store a long-term proxy in a dedicated server (a "MyProxy" server). The Workload Management System (WMS) will then be able to use this long-term proxy to periodically renew the proxy for a submitted job before it expires and until the job ends (or the long-term proxy expires).

To see if a site has a MyProxy server, the Grid Operations Centre (GOC) database may be consulted. Some MyProxy servers have restricted access and user has to first contact site administrator to get an access.

A UI may have a default server defined in the MYPROXY_SERVER environment variable.

Because the renewal process starts 30 minutes before the old proxy expires, it is necessary to generate an initial proxy long enough, or the renewal may not complete in time. In this case, the job will fail with the following error:

Status Reason: Got a job held event, reason: Globus error 131:
the user proxy expired (job is still running)

The minimum recommended time for the initial proxy is 30 minutes, and in most circumstances it should be substantially longer. Job submission is forbidden for proxies with a remaining lifetime less than 20 minutes.

Management of the proxy renewal functionality is available via the myproxy commands that are analogous to the voms commands. The user must either specify the host name of a MyProxy server, or define it as the value of the MYPROXY_SERVER environment variable.

For the WMS to know which MyProxy server to use in the proxy renewal process, the name of the server must be included in an attribute of the job's JDL file. If the user does not add it manually, the name of the default MyProxy server is added automatically when the job is submitted. This default is defined in a VO-specific configuration file.

The machine on which the WMS is running must be trusted by the MyProxy server for renewal to be allowed.

Managing Long-term Proxies

Store a long-term proxy in a MyProxy server

To create and store a long-term proxy, the user must follow the format:

$ myproxy-init -s <myproxy_server> -d -n

where -s <myproxy_server> specifies the hostname of the machine where a MyProxy Server runs, the -d option instructs the server to associate the user DN to the proxy, and the -n option avoids the use of a passphrase to access the long-term proxy, so that the WMS can perform the renewal automatically. It is critical that the -d option be used.

The output will be similar to:

Your identity: /O=Grid/O=CERN/OU=cern.ch/CN=John Doe
Enter GRID pass phrase for this identity:
Creating proxy ............................................. Done
Your proxy is valid until: Thu Jul 17 18:57:04 2003
A proxy valid for 168 hours (7.0 days) for user /O=Grid/O=CERN/OU=cern.ch/CN=John Doe
now exists on myproxy.cern.ch.

By default, the long-term proxy lasts for one week and the proxies created from it last 12 hours. These lifetimes can be changed using either the -c and the -t option, but cannot be longer than the lifetime of the user certificate.

If the -s <myproxy_server> option is missing, the command will try to use the MYPROXY_SERVER environment variable to determine the MyProxy Server.

Retrieve information about a long-term proxy

To get information about a long-term proxy stored in a Proxy Server, the following command format is used:

$ myproxy-info -s <myproxy_server> -d

where the <myproxy_server>, -s and -d options have the same meaning as in the previous example. The output is similar to:

username: /O=Grid/O=CERN/OU=cern.ch/CN=John Doe
owner: /O=Grid/O=CERN/OU=cern.ch/CN=John Doe
timeleft: 167:59:48  (7.0 days)

There must be a valid proxy on the UI, created with to successfully interact with the long-term proxy on the MyProxy server.

Deleting a long-term proxy

Deleting a stored long-term proxy is achieved by doing:

$ myproxy-destroy -s <myproxy_server> -d

<myproxy_server>, -s and -d options have the same meaning as in the previous example. The output is:

Default MyProxy credential for user /O=Grid/O=CERN/OU=cern.ch/CN=John Doe
was successfully removed.

Again, a valid proxy must exist on the UI for this to work.