Merge pull request #3 from hufnagel/Theta

adding Theta specific files

Author: mambelli

site_specific/Theta/README.md

@@ -0,0 +1,30 @@
+# ALCF Theta
+
+ALCF Theta is a KNL based HPC cluster at Argonne Labs
+
+As an LCF it is very restrictive compared to a "standard" grid site. Mainly that means no outbound
+internet connectivity from the worker nodes. One can work around this by implementing gateway
+services at the edge of the cluster, i.e. the HPC worker node connects to the gateway, which itself
+has outbound internet connectivity. At Theta this also runs into technical limitations since the
+connection from the worker nodes to the gateway is routed through RSIP, which has a very small
+limit on number of connections (order 5 to 10 per node maximum).
+
+At Theta we use:
+* site squid proxy maineted by ALCF Theta support
+* local node squid proxy that connects to the site squid
+* cvmfsexec to mount cvmfs in user space (using site squid proxy)
+* stageout wrapper, allowing xrdcp from worker nodes to FNAL dCache (through site squid proxy)
+
+This directory contains:
+* customize.sh : configuration for local node squid proxy
+* default.local : cvmfsexec configuration
+* example_wrapper.sh : example node wrapper script setting up local squid and cvmfsexec
+* proxychains.conf : stageout wrapper configuration
+* proxychains.sh : stageout wrapper
+
+List of needed external software:
+* frontier-squid : https://twiki.cern.ch/twiki/bin/view/Frontier/InstallSquid
+* cvmfsexec : https://github.com/cvmfs/cvmfsexec
+* proxychains-ng : https://github.com/rofl0r/proxychains-ng
+
+**NB This repository is public, do not add any credential, password, or private information.**

site_specific/Theta/customize.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Edit customize.sh as you wish to customize squid.conf.
+# It will not be overwritten by upgrades.
+# See customhelps.awk for information on predefined edit functions.
+# In order to test changes to this, run this to regenerate squid.conf:
+#	/local/scratch/uscms//frontier-cache/utils/bin/fn-local-squid.sh
+# and to reload the changes into a running squid use
+#	/local/scratch/uscms//frontier-cache/utils/bin/fn-local-squid.sh reload
+# Avoid single quotes in the awk source or you have to protect them from bash.
+#
+
+awk --file `dirname $0`/customhelps.awk --source '{
+setoption("cache_peer", "theta-proxy.tmi.alcf.anl.gov parent 3128 0 no-query")
+setoption("acl NET_LOCAL src", "127.0.0.1/32")
+setoption("cache_mem", "128 MB")
+setoptionparameter("cache_dir", 3, "10000")
+print
+}'

site_specific/Theta/default.local

@@ -0,0 +1,4 @@
+CVMFS_HTTP_PROXY="http://theta-proxy.tmi.alcf.anl.gov:3128"
+CVMFS_CACHE_BASE=/local/scratch/uscms/cvmfs-cache
+CVMFS_QUOTA_LIMIT=10000
+CMS_LOCAL_SITE=T3_US_ANL

site_specific/Theta/example_wrapper.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# clean possible leftovers from previous jobs
+/usr/bin/fusermount -u /local/scratch/uscms/cvmfsexec/dist/cvmfs/config-osg.opensciencegrid.org >& /dev/null
+/usr/bin/fusermount -u /local/scratch/uscms/cvmfsexec/dist/cvmfs/cms.cern.ch >& /dev/null
+/usr/bin/fusermount -u /local/scratch/uscms/cvmfsexec/dist/cvmfs/unpacked.cern.ch >& /dev/null
+/usr/bin/fusermount -u /local/scratch/uscms/cvmfsexec/dist/cvmfs/oasis.opensciencegrid.org >& /dev/null
+rm -rfd /local/scratch/uscms >& /dev/null
+
+# local squid
+mkdir -p /local/scratch/uscms
+cd /local/scratch/uscms
+tar xzf /projects/HEPCloud-FNAL/frontier-cache_local_scratch.tgz
+/local/scratch/uscms/frontier-cache/utils/bin/fn-local-squid.sh start
+
+# cvmfs
+mkdir -p /local/scratch/uscms/cvmfs-cache
+cd /local/scratch/uscms
+tar xzf /projects/HEPCloud-FNAL/cvmfsexec_local_scratch.tgz
+
+# unpriviliged singularity from cvmfs
+/local/scratch/uscms/cvmfsexec/cvmfsexec cms.cern.ch unpacked.cern.ch oasis.opensciencegrid.org -- /cvmfs/oasis.opensciencegrid.org/mis/singularity/bin/singularity exec --pid --ipc --contain --bind /etc/hosts --bind /projects/HighLumin --bind /projects/HEPCloud-FNAL --bind /cvmfs --home $HOME /cvmfs/unpacked.cern.ch/registry.hub.docker.com/cmssw/cms:rhel7 hostname
+
+# locally installed singularity
+#/local/scratch/uscms/cvmfsexec/cvmfsexec cms.cern.ch unpacked.cern.ch -- singularity exec -u --pid --ipc --contain --bind /etc/hosts --bind /projects/HighLumin --bind /projects/HEPCloud-FNAL --bind /cvmfs --home $HOME /cvmfs/unpacked.cern.ch/registry.hub.docker.com/cmssw/cms:rhel7 hostname
+
+/local/scratch/uscms/frontier-cache/utils/bin/fn-local-squid.sh stop
+
+# clean up
+rm -rfd /local/scratch/uscms >& /dev/null

site_specific/Theta/proxychains.conf

@@ -0,0 +1,118 @@
+# proxychains.conf  VER 4.x
+#
+#        HTTP, SOCKS4a, SOCKS5 tunneling proxifier with DNS.
+
+
+# The option below identifies how the ProxyList is treated.
+# only one option should be uncommented at time,
+# otherwise the last appearing option will be accepted
+#
+#dynamic_chain
+#
+# Dynamic - Each connection will be done via chained proxies
+# all proxies chained in the order as they appear in the list
+# at least one proxy must be online to play in chain
+# (dead proxies are skipped)
+# otherwise EINTR is returned to the app
+#
+strict_chain
+#
+# Strict - Each connection will be done via chained proxies
+# all proxies chained in the order as they appear in the list
+# all proxies must be online to play in chain
+# otherwise EINTR is returned to the app
+#
+#round_robin_chain
+#
+# Round Robin - Each connection will be done via chained proxies
+# of chain_len length
+# all proxies chained in the order as they appear in the list
+# at least one proxy must be online to play in chain
+# (dead proxies are skipped).
+# the start of the current proxy chain is the proxy after the last
+# proxy in the previously invoked proxy chain.
+# if the end of the proxy chain is reached while looking for proxies
+# start at the beginning again.
+# otherwise EINTR is returned to the app
+# These semantics are not guaranteed in a multithreaded environment.
+#
+#random_chain
+#
+# Random - Each connection will be done via random proxy
+# (or proxy chain, see  chain_len) from the list.
+# this option is good to test your IDS :)
+
+# Make sense only if random_chain or round_robin_chain
+#chain_len = 2
+
+# Quiet mode (no output from library)
+#quiet_mode
+
+# Proxy DNS requests - no leak for DNS data
+proxy_dns 
+
+# set the class A subnet number to use for the internal remote DNS mapping
+# we use the reserved 224.x.x.x range by default,
+# if the proxified app does a DNS request, we will return an IP from that range.
+# on further accesses to this ip we will send the saved DNS name to the proxy.
+# in case some control-freak app checks the returned ip, and denies to 
+# connect, you can use another subnet, e.g. 10.x.x.x or 127.x.x.x.
+# of course you should make sure that the proxified app does not need
+# *real* access to this subnet. 
+# i.e. dont use the same subnet then in the localnet section
+#remote_dns_subnet 127 
+#remote_dns_subnet 10
+remote_dns_subnet 224
+
+# Some timeouts in milliseconds
+tcp_read_time_out 15000
+tcp_connect_time_out 8000
+
+### Examples for localnet exclusion
+## localnet ranges will *not* use a proxy to connect.
+## Exclude connections to 192.168.1.0/24 with port 80
+# localnet 192.168.1.0:80/255.255.255.0
+
+## Exclude connections to 192.168.100.0/24
+# localnet 192.168.100.0/255.255.255.0
+
+## Exclude connections to ANYwhere with port 80
+# localnet 0.0.0.0:80/0.0.0.0
+
+## RFC5735 Loopback address range
+## if you enable this, you have to make sure remote_dns_subnet is not 127
+## you'll need to enable it if you want to use an application that 
+## connects to localhost.
+# localnet 127.0.0.0/255.0.0.0
+
+## RFC1918 Private Address Ranges
+# localnet 10.0.0.0/255.0.0.0
+# localnet 172.16.0.0/255.240.0.0
+# localnet 192.168.0.0/255.255.0.0
+
+# ProxyList format
+#       type  ip  port [user pass]
+#       (values separated by 'tab' or 'blank')
+#
+#       only numeric ipv4 addresses are valid
+#
+#
+#        Examples:
+#
+#            	socks5	192.168.67.78	1080	lamer	secret
+#		http	192.168.89.3	8080	justu	hidden
+#	 	socks4	192.168.1.49	1080
+#	        http	192.168.39.93	8080	
+#		
+#
+#       proxy types: http, socks4, socks5
+#        ( auth types supported: "basic"-http  "user/pass"-socks )
+#
+[ProxyList]
+# add proxy here ...
+# meanwile
+# defaults set to "tor"
+#http 	127.0.0.1 3128
+http	10.236.1.189	3128
+
+

site_specific/Theta/proxychains.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export X509_USER_PROXY=$JOBSTARTDIR/myproxy.pem
+export X509_CERT_DIR=/cvmfs/oasis.opensciencegrid.org/mis/certificates/
+
+/projects/HEPCloud-FNAL/proxychains-ng-4.14/proxychains4 -f /projects/HEPCloud-FNAL/proxychains.conf $@