Objectives
- Get ready to do the tutorial
- Understand the authentication procedures
- Set up your environment for DUNE
- Do an exercise to help us check if all is good
- Get streaming and grid access
Requirements
You must be on the DUNE Collaboration member list and have a valid FNAL or CERN account. See the Indico Requirement page for more information. Windows users are invited to review the Putty Setup page.
Note
The instructions below are for FNAL accounts. If you do not have a valid FNAL account but a CERN one, go at the bottom of this page to the “Setup on CERN machines”.
1. Kerberos business
If you already are a Kerberos aficionado, go to the next section. If not, we give you a little tour of it below.
What is it? Kerberos is a computer-network authentication protocol that works on the basis of tickets.
Why does FNAL use Kerberos? Fermilab uses Kerberos to implement strong authentication, so that no passwords go over the internet (if a hacker steals a ticket, it is only valid for a day).
How does it work? Kerberos uses tickets to authenticate users. Tickets are made by the kinit command, which asks for your kerberos password (info on kerberos password here). The kinit command reads the password, encrypts it and sends it to the Key Distribution Centre (KDC) at FNAL. The Kerberos configuration file, which lists the KDCs, is stored in a file named krb5.conf. On Linux and Mac, it is located here:
/etc/krb5.conf
If you do not have it, create it. A FNAL template is available here for each OS (Linux, Mac, Windows). More explanations on this config file are available here if you’re curious.
To log in to a machine, you need to have a valid kerberos ticket. You don’t need to do this every time you login, only when your ticket is expired. Kerberos tickets last for 26 hours. To create your ticket:
kinit -f username@FNAL.GOV
The -f option means your ticket is forwardable. A forwardable ticket is one that originated on computer A, but can be forwarded to computer B and will remain valid on computer B. Careful: you need to write FNAL.GOV in uppercase.
To know if you have a valid ticket, type:
klist
Typical output of klist on macOS looks like this:
Mac-124243:~ trj$ klist
Credentials cache: API:6A0A9594-540A-45DC-8D2C-47FF774F4E4C
Principal: trj@FNAL.GOV
Issued Expires Principal
Apr 19 15:02:41 2022 Apr 20 16:52:20 2022 krbtgt/FNAL.GOV@FNAL.GOV
Tickets are stored in /tmp and have file permissions so that only you can read and write them. If your ticket has not expired yet but will soon, you can refresh it for another 26 hours by typing:
kinit -R
Refreshing a ticket can be done for up to one week after it was initially issued.
Running into issues? Users logging in from outside the Fermilab network may be behind Network Address Translation (NAT) routers. If so, you may need an “addressless” ticket. For this, add the option -A:
kinit -A -f username@FNAL.GOV
Some users have reported problems with the Kerberos utilities provided by Macports and Anaconda. Macintosh users should use the system-provided Kerberos utilities – like /usr/bin/kinit. Hint: use the command
which kinit
to report the path of the kinit that’s first in your $PATH search list. If you have another, non-working one, a suggestion is to make an alias like this one:
alias mykinit="/usr/bin/kinit -A -f myusername@FNAL.GOV"
Then you can simply use:
mykinit
If you need to remove a ticket (for example, you are logged in at CERN with one Kerberos account but want to log in to a Fermilab machine with your Fermilab account), you can use the command
kdestroy
After executing this command, you will have to use kinit again to get a new ticket.
2. ssh-in
What is it? SSH stands for Secure SHell. It uses an encrypted protocol used for connecting to remote machines and it works with Kerberos tickets when configured to do so. The configuration is done in your local file in your home directory:
cat ~/.ssh/config
If it does not exist, create it. A minimum working example to connect to FNAL machines is as follows:
Host *.fnal.gov
ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Now you can try to log into a machine at Fermilab. There are now 15 different machines you can login to: from dunegpvm01 to dunegpvm15 (gpvm stands for ‘general purpose virtual machine’ because these servers run on virtual machines and not dedicated hardware, others nodes which are indented for building code run on dedicated hardware). The dunegpvm machines run Scientific Linux Fermi 7 (SLF7). To know the load on the machines, use this monitoring link: dunegpvm status.
How to connect? The ssh command does the job. The -Y option turns on the xwindow protocol so that you can have graphical display and keyboard/mouse handling (quite useful). But if you have the line “ForwardX11Trusted yes” in your ssh config file, this will do the -Y option. For connecting to e.g. dunegpvm07, the command is:
ssh username@dunegpvmXX.fnal.gov
where XX is a number from 01 to 15. If you experience long delays in loading programs or graphical output, you can try connecting with VNC. More info: Using VNC Connections on the dunegpvms.
3. Get a clean shell
To run DUNE software, it is necessary to have a ‘clean login’. What is meant by clean here? If you work on other experiment(s), you may have some environment variables defined (for NOvA, MINERvA, MicroBooNE). Theses may conflict with the DUNE environment ones.
Two ways to clean your shell once on a DUNE machine:
Cleanup option 1: Manual check and cleanup of your custom environment variables To list all of your environment variables:
env
The list may be long. If you want to know what is already setup (potentially conflicting later with DUNE), you can grep the environment variables for a specific experiment (here the -i option is ‘case insensitive’). Here is an example to list all NOvA-specific variables:
env | grep -i nova
Another useful command that will detect UPS products that have been set up is
ups active
A “clean” response to the above command is:
bash: ups: command not found...
and if your environment has UPS products set up, the above command will list the ones you have.
Once you identify environment variables that might conflict with your DUNE work, you can tweak your login scripts, like .bashrc, .profile, .shrc, .login etc., to temporarily comment out those (the “export” commands that are setting custom environment variables, or UPS’s setup command). Note: files with names that begin with .
are “hidden” in that they do not show up with a simple ls
command. To see them, type ls -a
which lists all files.
Cleanup option 2: Back up your login scripts and go minimal at login (recommended)
A simpler solution would be to rename your login scripts (for instance .bashrc as .bashrc_save and/or .profile as .profile_bkp) so that your setup at login will be minimal and you will get the cleanest shell. For this to take into effect, you will need to exit and reconnect through ssh.
4. Setting up DUNE software
To set up your environment with DUNE, the command is:
source /cvmfs/dune.opensciencegrid.org/products/dune/setup_dune.sh
You should see in your terminal the following output:
Setting up larsoft UPS area... /cvmfs/larsoft.opensciencegrid.org/products/
Setting up DUNE UPS area... /cvmfs/dune.opensciencegrid.org/products/dune/
How to make custom setup command with aliases
Not familiar with aliases? Read below.
To create unix custom commands for yourself, we use ‘aliases’:
alias my_custom_commmand='the_long_command_you_want_to_alias_in_a_shorter_custom_name'
For DUNE setup, you can type for instance:
alias dune_setup='source /cvmfs/dune.opensciencegrid.org/products/dune/setup_dune.sh'
So next time you type:
dune_setup
Your terminal will execute the long command. This will work for your current session (if you disconnect, the alias won’t exist anymore). You can store this in your (minimal) .bashrc or .profile if you want this alias to be available in all sessions. The alias will be defined but not executed. Only if you type the command
dune_setup
yourself.
5. Exercise! (it’s easy)
This exercise will help organizers see if you reached this step or need help.
1) Start in your home area cd ~
on the DUNE machine (normally CERN or FNAL) and create the file dune_presetup_202205.sh
. Write in it the following:
export DUNESW_VERSION=v09_48_01d00
alias dune_setup='source /cvmfs/dune.opensciencegrid.org/products/dune/setup_dune.sh'
When you start the training, you will have to source this file:
source ~/dune_presetup_202205.sh
Then, to setup DUNE, use the created alias:
dune_setup
2) Create working directories in the dune/app
and pnfs/dune
areas (these will be explained during the training):
mkdir -p /dune/app/users/${USER}
mkdir -p /pnfs/dune/scratch/users/${USER}
mkdir -p /pnfs/dune/persistent/users/${USER}
3) Print the date and add the output to a file named my_first_login.txt
:
date >& /dune/app/users/${USER}/my_first_login.txt
4) With the above, we will check if you reach this point. However we want to tailor this tutorial to your preferences as much as possible. We will let you decide which animals you would like to see in future material, between: “puppy”, “cat”, “squirrel”, “sloth”, “unicorn pegasus llama” (or “prefer not to say” of course). Write your desired option on the second line of the file you just created above.
Note
If you experience difficulties, refer to the support options mentioned on Indico. Please mention in your message this is about the Setup step 5. Thanks!
6. Getting setup for streaming and grid access
In addition to your kerberos access, you need to be in the DUNE VO (Virtual Organization) to access to global DUNE resources. This is necessary in particular to stream data and submit jobs to the grid. If you are on the DUNE collaboration list and have a Fermilab ID you should have been added automatically to the DUNE VO.
To check if you are on the VO, two commands. The kx509 gets a certificate from your kerberos ticket. On a DUNE machine, type:
kx509
Authorizing ...... authorized
Fetching certificate ..... fetched
Storing certificate in /tmp/x509up_u55793
Your certificate is valid until: Wed Jan 27 18:03:55 2021
To access the grid resources, you will need a proxy. More information on proxy is available here. This is to be done once every 24 hours per login machine you’re using to identify yourself:
export ROLE=Analysis
voms-proxy-init -rfc -noregen -voms=dune:/dune/Role=$ROLE -valid 120:00
Your identity: /DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Claire David/CN=UID:cdavid
Contacting voms1.fnal.gov:15042 [/DC=org/DC=incommon/C=US/ST=Illinois/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=voms1.fnal.gov] "dune" Done
Creating proxy .................................... Done
Your proxy is valid until Mon Jan 25 18:09:25 2021
Report this by appending the output of voms-proxy-info
to your first login file:
voms-proxy-info >> /dune/app/users/${USER}/my_first_login.txt
Issues
If you have issues here, please refer to the Indico event page to get support. Please mention in your message it is the Step 6 of the setup. Thanks!
Success
If you obtain the message starting with
Your proxy is valid until
… Congratulations! You are ready to go!
Set up on CERN machines
Caution: the following instructions are for those of you who do not have a valid FNAL account but have access to CERN machines.
1. Source the DUNE environment setup script
CERN access is mainly for ProtoDUNE collaborators. If you have a valid CERN ID and access to lxplus via ssh, you can setup your environment for this tutorial as follow:
source /cvmfs/dune.opensciencegrid.org/products/dune/setup_dune.sh
Setting up larsoft UPS area... /cvmfs/larsoft.opensciencegrid.org/products/
Setting up DUNE UPS area... /cvmfs/dune.opensciencegrid.org/products/dune/
2. Access tutorial datasets
Normally, the datasets are accessible through the grid resource. But with your CERN account, you may not be part of the DUNE VO yet (more on this during the tutorial). We found a workaround: some datasets have been copied locally for you. You can check them here:
ls /afs/cern.ch/work/t/tjunk/public/may2022tutorialfiles/
np04_raw_run005387_0019_dl5_reco_12900894_0_20181102T023521.root
PDSPProd4_protoDUNE_sp_reco_stage1_p1GeV_35ms_sce_datadriven_41094796_0_20210121T214555Z.root
3. Notify us
You should be good to go, and you might revisit Indico event page. If however you are experiencing issues, please contact us as soon as possible. Be sure to mention “Setup on CERN machines” if that is the case, and we will do our best to assist you.
Success
If you can list the files above, you should be able to do most of the tutorial on LArSoft.
Warning
Connecting to CERN machines will not give you the best experience to understand storage spaces and data management. If you obtain a FNAL account in the future, you can however do the training through the recorded videos that will be made available after the event.
Issues
If you have issues here, please refer to the Indico event page to get support. Please note that you are on a CERN machine in your message. Thanks!
Useful Links
The DUNE FAQ in GitHub
The January 2021 DUNE training setup tutorial in the DUNE Wiki
May 2021 DUNE Computing training
Wiki page on DUNE’s interactive computing resources, including tips on using Kerberos and VNC