-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathxrootd-redirector.cfg
134 lines (100 loc) · 3.7 KB
/
xrootd-redirector.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
###
#redirector config
###
#all
all.export /cephfs/grid
all.sitename UKI-NORTHGRID-LANCS-HEP
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
#cmsd
all.manager xgate.hec.lancs.ac.uk:3121
all.role manager
#control with firewall
cms.allow host *.lancs.ac.uk
#port - 1094 for redirector, 1095 for others
xrootd.port 1094
#checksum - prob safe
xrootd.chksum max 64 adler32
#checksum size -default 64m
ofs.cksrdsz 1024m
#test 14/11/22
cms.dfs lookup central redirect verify retries 2
#logging
#all.trace all
#try setting explicitly
#xrd.trace all -debug
#xrootd.trace all -debug
#ofs.trace all -debug
#sec.trace all -debug
http.trace all -debug
#cms.trace all -debug
xrootd.trace emsg login stall redirect request response
cms.trace files redirect
#http.trace request response
##temp for scitoken testing
#scitoken.trace all -debug
#report sending
xrd.report 10.41.5.42:9485 every 5m all
xrd.timeout read 10
#cmd load balancing
if exec cmsd
#cms.sched affinity none affpath full # no need to change
#cms.sched gshr 100 refreset 3600
cms.sched maxload 30 io 30 mem 20 cpu 20 pag 0 runq 0 space 0 fuzz 5
#remember from Tom and Jyothish's findings, decisions are made at
#2*ping*usage, so below is 30s between decisions
cms.ping 15 log 1 usage 1
fi
## auth stuff
#largely from Sam
xrootd.seclib /usr/lib64/libXrdSec.so
sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates \
-cert:/etc/grid-security/xrdcert.pem \
-key:/etc/grid-security/xrdkey.pem \
-crl:1 \
-authzfun:libXrdSecgsiAUTHZVO.so \
-gmapopt:10 -gmapto:0 \
-dlgpxy:1 -exppxy:=creds \
-vomsat:extract -vomsfun:libXrdVoms.so
#for the tokens
sec.protocol ztn
#needed? I don't think so for us, RAL specific, but record just in case
#sec.protbind * only ztn gsi
#point to our authdb
acc.authdb /etc/grid-security/authdb
ofs.authorize
# Config TLS
#from https://xrootd-howto.readthedocs.io/en/latest/tpc/#an-example-of-wlcg-tpc-configuration-with-x509-authentication
xrd.tls /etc/grid-security/xrdcert.pem /etc/grid-security/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
xrootd.tls capable all
#xrd tpc
ofs.tpc fcreds ?gsi =X509_USER_PROXY ttl 60 70 xfr 100 autorm pgm /usr/bin/xrdcp -f
#ofs.tpc fcreds ?gsi =X509_USER_PROXY ttl 60 70 xfr 100 autorm pgm /etc/xrootd/xrdcp-lancs-tpc.sh
## http stuff (needs to be wrapped or else cmsd hogs the port)
if exec xrootd
#kick off xroot http, on 1094
xrd.protocol http:1094 /usr/lib64/libXrdHttp.so
http.selfhttps2http no
http.desthttps yes
#from James
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
# Require the use of the xrd.tls certificates (alternative is to use manual)
http.httpsmode auto
##old way from first config, if above set to manual
#http.cadir /etc/grid-security/certificates
#http.cert /etc/grid-security/xrdcert.pem
#http.key /etc/grid-security/xrdkey.pem
# HTTP TPC, see https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Enable_Third_Party_Copy
http.secxtractor libXrdVoms.so
http.exthandler xrdtpc libXrdHttpTPC.so
http.header2cgi Authorization authz
# Please install libmacaroons rpm from EPEL.
# Macaroons support, see: https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Macaroons_Support
http.exthandler xrdmacaroons libXrdMacaroons.so
# secret generated using openssl rand -base64 -out /etc/xrootd/macaroon-secret 64, owned xroot, chown 440
macaroons.secretkey /etc/xrootd/macaroon-secret
## token stuff
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so
fi