FAQ VO Management

From EGIWiki

Frequently Asked Questions

General Information

Do I need a VO?

If you are part of a research community whose members are geographically dispersed, belong to independent organizations, and collaborate electronically to achieve a common goal, you are probably already part of a Virtual Organization (VO) without knowing it. On GRIDs, however, VOs have the specific property that their members share computing resources. If the computing resources in your institute are not sufficient for your group's needs, establishing a VO within your research community may be a good solution for you.

How to set up a VO?

VO users can access computing resources in institutes where they are not known in person, based on the VO membership records kept in the Virtual Organization Management Service (VOMS). This service stores registration information about all VO users, is managed by a VO Manager (who accepts or denies VO user requests), and is operated by a trustworthy VO partner. The VOMS therefore represents the technical instantiation of any Virtual Organization.

Which services does a VO need?

GRID resources are separated into two sets of services:

Ideally, to fully benefit from the GRID, each VO should have a set of sites where the VO is properly configured in the site local services, and a set of core services (which could be operated by a single partner or among several partners).

What is the effort to operate VO services?

The VO responsible must be aware of the effort and cost of operating GRID core services. At the same time, the VO Manager must understand the requirements for service deployment. To give a better understanding of the operational issues for those services, their operation cost has been evaluated in the Core VO services evaluation document.

How to apply for the VO support in an EGI catch-all server?

If the VO responsible decides that it is not possible to deploy any of the VO core services, EGI/NGIs offer the possibility to host that VO in a catch-all service. The current availability of catch-all services can be found on the Catch all grid core services Wiki page.

VOMS support can be requested when registering the VO in the EGI Operational Portal. VO support for any other service is requested by submitting a GGUS ticket to the VO Services Support Unit.

Only VOs already registered in the EGI Operational Portal can apply for this support.

How to register the VO in EGI Operational Portal?

Please read the VO Registration Process in EGI procedure. That documentation will guide you through the process of requesting VOMS server support (if you do not have any), registering your VO in the EGI Operational Portal, and making the EGI project aware that your VO exists. Do not forget to establish a well-defined Acceptable Use Policy. Note that if a VO is not registered in the EGI Operational Portal, other EGI tools (like the EGI Accounting Portal) will not be able to collect information for that VO.

What is the VO Acceptable Use Policy (AUP)?

An acceptable use policy (AUP; also sometimes acceptable usage policy or Fair Use Policy) is a set of rules applied by the VO that restrict the ways in which the network site or system may be used. For more details, please check [1].

When can a VO start to operate in EGI?

A VO can start to operate once the VO Manager has followed all the steps defined in the VO Registration Process in EGI and the VO Supervisor has changed the VO status from "VALIDATED" to "ACTIVE".

What are the VO Manager responsibilities?

The VO Manager is the person responsible for recording in the VO Database, after appropriate checks, the status of each member of the VO, i.e. performing user entries, assignment of roles, information updates and user removals. The VO management function can be performed by a group of persons delegated by the VO Manager. The duties and responsibilities of the VO Manager include:

  1. Management of the Registration Data verification process by using existing reliable sources of information, consulting the relevant IRs or by means of other appropriate auditable procedures.
  2. Addition of the new user to the VO Database, after successful completion of step 1 or notification to the user with the reasons of his/her denial.
  3. Logging information including the date when the user registered (User Registration Date). Each request received and the checks made to validate the request should be recorded, for auditing purposes. Audit logs should be kept by the VO manager for two years, even if the member has left the VO.
  4. Timely maintenance of the user’s entry when changes are required.
  5. Removal or suspension of a user from the VO database if the user breaks the VO AUP or if the user's credentials have been compromised (check the EGI Incident Response Procedure).
  6. Notification to those sites that wish to receive information about a new user who joined the VO.
  7. Provision of secure read access to the Registration Data for authorised use only.
  8. Ensuring Personal user data is not distributed except for authorised and necessary purposes. The VO Manager must ensure that the VO membership is aware of the circumstances under which their Registration Data will be distributed.
  9. Authorise the Resource Administrators to have secure read access to the VO database.


Which users should be accepted in the VO?

It is unlikely that a user who has no affiliation with a VO will be allowed to use this VO, since he (or his institute) has to contribute to the VO (with resources or in any other form) in return. The VO Manager should try to find out whether a user request is valid (for example, whether it comes from an institute which already contributes to the VO infrastructure), or whether the user is interested in contributing to the enhancement of the VO infrastructure. The VO should have a well-defined Acceptable Use Policy (AUP) which can guide the VO Manager in this procedure. The ultimate decision to accept or deny a user request always rests with the VO Manager.

How to get computing resources for the VO?

In most places, VOs do not own physical resources but own a right to use them. That right is earned according to the funding that sites receive from projects in which VO members are involved. Sites therefore allocate a share of their resources to a given VO depending on the funding they receive from local projects associated with that VO. This is the normal way in which new VOs provide resources to the GRID. The GRID spirit behind this is that everyone can use everybody else's resources as long as these resources aren't really needed.

If the VO has very few members without computing resources, there is always the possibility of asking external sites to support the VO. However, external sites only agree to do so if they get something in exchange. It can be fame, pride of serving a great cause, pride of helping find a cure for cancer, or even money. If you have something to offer, sites will probably consider opening their resources to your VO.

How to include VO Support in GGUS?

If those responsible for the VO wish to provide support to the VO users via GGUS, VO experts will have to become part of a Support Unit (SU). In practice this means:

More information is available on the VO Support in GGUS web page.

VO Operations

How to install a VOMS service and other VO services?

Detailed documentation on the installation and configuration of a VOMS server is available on the VOMS home page.

How to manage VO registration requests in the VOMS server?

Once the VOMS service is installed, configured and running, the VO Manager can manage new registrations using the VOMS Admin Web Application. VO registration management is just one of many tasks within the scope of the VO Manager. For a full description of the service, please check the VOMS Admin User Guide.

How to install VO specific software in a remote site?

If all VO users use the same programming code, VO software managers can install that software in a special shared storage area (at a grid site) available to all their members. The benefits of this practice include optimal usage of network and storage resources, as the software needs to be deployed only once instead of for each job individually, which also reduces the time consumed by file transfers and installations.

An example of a VO-independent tool for software installation is the LJSFI (Light Job Submission Framework for Installation). For more details, please consult the VO Software Installations Tools.

Who can install VO software in a remote site?

VO Managers normally define a specific VO role for software installation. That role can be set up using the VOMS Admin Web Application, and the user responsible for using that role can request it when issuing the grid proxy.

VO Managers enforce a policy under which users arriving with the software manager role are mapped at the grid site to a local Unix account that has permission to write to the special shared storage area and a higher execution priority at the batch system level. For more details on how to configure those features at the grid site, please check the Group Configuration in YAIM.

Where can the VO software be installed in a remote site?

The VO software is installed by a user requesting the software manager role, in the special shared storage area available at each grid site. The path to the shared software area is provided by the environment variable VO_<VO_NAME>_SW_DIR, which is configured and available on all grid execution machines.
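
The following added example (not part of the original FAQ or of any EGI tool) shows how a job could resolve VO_<VO_NAME>_SW_DIR for its VO and check whether the account it was mapped to may write there, which should only be the case for the software manager role. The function names are illustrative, and the rule that the VO name is upper-cased with `.` and `-` replaced by `_` is an assumption.

```shell
#!/bin/sh
# Added example: locate a VO's shared software area on an execution machine
# and report whether the current (mapped) account may install into it.

# Build the variable name VO_<VO_NAME>_SW_DIR from a VO name.
# Assumption: the name is upper-cased and '.' / '-' become '_'.
# Anything else outside A-Z, 0-9 and '_' is rejected, because the
# result is later passed to eval.
vo_sw_var() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr '.-' '__')
    case $name in
        ''|*[!A-Z0-9_]*) echo "invalid VO name: $1" >&2; return 1 ;;
    esac
    printf 'VO_%s_SW_DIR\n' "$name"
}

# Print the software area path for a VO; fail if the site does not set it.
vo_sw_dir() {
    var=$(vo_sw_var "$1") || return 1
    eval "dir=\${$var:-}"
    [ -n "$dir" ] || { echo "$var is not set on this node" >&2; return 1; }
    printf '%s\n' "$dir"
}

# Classify access for the current account:
#   install   - directory exists and is writable (software manager mapping)
#   read-only - directory exists but is only readable (ordinary VO member)
#   missing   - variable unset or directory absent
vo_sw_access() {
    dir=$(vo_sw_dir "$1") || { echo missing; return 0; }
    if [ -d "$dir" ] && [ -w "$dir" ]; then
        echo install
    elif [ -d "$dir" ] && [ -r "$dir" ]; then
        echo read-only
    else
        echo missing
    fi
}

# Stand-alone use: sh this_script.sh <vo-name>
if [ $# -gt 0 ]; then
    vo_sw_access "$1"
fi
```

A job that sees `install` without having requested the software manager role indicates that the site mapping or the directory permissions are broader than the policy described above.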

How to access VO activity history?

The EGI Accounting Portal offers access to the VO activity history through several customizable views.

How to get information about VO resources?

VO managers can access a list of VO resources via the



Documentation for reference


Installation / Administration guides


Operational Links

