In [None]:
# The objective of this notebook is to create a SENSE-ready XRootD Installation
# either a Server or a Redirector, with N IPv6 addresses (N >=2)
# then run N separated instances of xrootd/cmsd each on its own network namespace

from fabrictestbed_extensions.fablib.fablib import FablibManager as fablib_manager
from datetime import datetime
from datetime import timezone
from datetime import timedelta

fablib = fablib_manager()

In [None]:
#Create Slice
slice = fablib.new_slice(name="slice_UCSD")

# Create 1 node
node1 = slice.add_node(name="node1", site="UCSD")
iface1 = node1.add_component(model='NIC_Basic', name="nic1").get_interfaces()[0]
iface2 = node1.add_component(model='NIC_Basic', name="nic2").get_interfaces()[0]

# We need N Networks i.e N interfaces (we use IPv6Ext to be able to access them outside the FABRIC network)
slice.add_l3network(name="net1", interfaces=[iface1], type='IPv6Ext')
slice.add_l3network(name="net2", interfaces=[iface2], type='IPv6Ext')

#Submit Slice Request
slice.submit();

In [None]:
# Get the objects again (not sure why)
node1 = slice.get_nodes()[0]
net1 = slice.get_network(name="net1")
net2 = slice.get_network(name="net2")

# Get 1 available IP for each interface
avail_ip1 = net1.get_available_ips()[0]
avail_ip2 = net2.get_available_ips()[0]

In [None]:
# Request the IP to be routable outside FABRIC (only if need to access the node outside FARBIRC's network)
#net1.make_ip_publicly_routable(ipv6=[str(avail_ip1)])
#net2.make_ip_publicly_routable(ipv6=[str(avail_ip2)])

#slice.submit();

In [None]:
# Install XRootD
commands = []
commands.append(f'sudo yum install https://repo.opensciencegrid.org/osg/23-main/osg-23-main-el8-release-latest.rpm -y')
commands.append(f'sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y')
commands.append(f'sudo yum install xrootd-server xrootd-voms xrootd-scitokens osg-ca-certs -y')
for command in commands:
    #print(command)
    stdout, stderr = node1.execute(command)

In [None]:
# create netns systemd file
commands = []
commands.append(f''' cat << EOF > /tmp/netns@.service
    [Unit]
    Description=Named network namespace %i
    StopWhenUnneeded=true
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    
    # Ask systemd to create a network namespace
    PrivateNetwork=yes
    
    # Ask ip netns to create a named network namespace
    # (This ensures that things like /var/run/netns are properly setup)
    ExecStart=/sbin/ip netns add %i
    
    # Drop the network namespace that ip netns just created
    ExecStart=/bin/umount /var/run/netns/%i
    
    # Re-use the same name for the network namespace that systemd put us in
    ExecStart=/bin/mount --bind /proc/self/ns/net /var/run/netns/%i
    
    # Clean up the name when we are done with the network namespace
    ExecStop=/sbin/ip netns delete %i
    ''')
commands.append(f'sudo mv /tmp/netns@.service /usr/lib/systemd/system/netns@.service')

for command in commands:
    #print(command)
    stdout, stderr = node1.execute(command)

In [None]:
# Modify XRootD's systemd
commands = []

commands.append(f'sudo sed -i "/Unit/a Requires=netns@webserver-%i.service" /usr/lib/systemd/system/xrootd@.service')
commands.append(f'sudo sed -i "/Unit/a After=netns@webserver-%i.service" /usr/lib/systemd/system/xrootd@.service')
commands.append(f'sudo sed -i "/Unit/a JoinsNamespaceOf=netns@webserver-%i.service" /usr/lib/systemd/system/xrootd@.service')

commands.append(f'sudo sed -i "/Service/a PrivateNetwork=true" /usr/lib/systemd/system/xrootd@.service')

# Reload for changes above to take effect
commands.append(f' sudo systemctl daemon-reload')

for command in commands:
    #print(command)
    stdout, stderr = node1.execute(command)

In [None]:
# Create config files for XRootD
commands = []

# Authfile
commands.append(f'echo "u ruciouser / a" > /tmp/Authfile')

# Grid-mapfile
commands.append(f''' cat << EOF > /tmp/grid-mapfile
"/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=jbalcas/CN=751133/CN=Justas Balcas" ruciouser
"/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=aaarora/CN=852377/CN=Aashay Arora" ruciouser
"/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ddavila/CN=815177/CN=Diego Davila Foyo" ruciouser
"/DC=org/DC=incommon/C=US/ST=California/O=University of California, San Diego/CN=rucio-sense.t2.ucsd.edu" ruciouser
''')

# http ban-robots
commands.append(f''' cat << EOF > /tmp/ban-robots.txt
User-agent: *
Disallow: /
''')


# xrootd-standalone
commands.append(f''' cat << EOF > /tmp/xrootd-standalone.cfg
all.role server
xrd.port 1094
all.adminpath /var/spool/xrootd
all.pidpath /run/xrootd
cms.allow host *
ofs.authorize
acc.authdb /etc/xrootd/Authfile
xrootd.tls capable all
all.sitename FABRIC-CERN-TEST
oss.localroot /rucio
sec.protocol ztn
xrootd.seclib /usr/lib64/libXrdSec.so
sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/xrd/xrdcert.pem -key:/etc/grid-security/xrd/xrdkey.pem -crl:try -vomsfun:libXrdVoms.so -vomsfunparms:certfmt=pem|grpopt=useall -gmapopt:trymap -gmapto:0 -gridmap:/etc/grid-security/grid-mapfile 
xrootd.chksum max 10 adler32
all.export /

macaroons.secretkey /etc/xrootd/macaroon-secret
ofs.authlib ++ libXrdMacaroons.so

# HTTP
if exec xrootd
  xrd.network keepalive kaparms 10m,1m,5
  xrd.timeout idle 60m
  xrd.protocol http:1094 /usr/lib64/libXrdHttp.so
  xrd.tlsca certdir /etc/grid-security/certificates
  xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
  http.header2cgi Authorization authz
  http.gridmap /etc/grid-security/grid-mapfile
  http.exthandler xrdtpc libXrdHttpTPC.so
  http.exthandler xrdmacaroons libXrdMacaroons.so
  http.listingdeny yes
  http.desthttps yes
  http.secxtractor /usr/lib64/libXrdVoms.so
  http.staticpreload http://static/robots.txt /etc/xrootd/ban-robots.txt 
fi
''')

# Create macaroon-secret
# NOTE: if you are creating an XRootD cluster, make sure this file is the same
# in all servers (including the redirector)
commands.append(f'sudo openssl rand -base64 -out /etc/xrootd/macaroon-secret 64')

# Create ruciouser
commands.append(f'sudo useradd ruciouser')

# Move tmp files created above
commands.append(f'sudo mv /tmp/Authfile /etc/xrootd/Authfile')
commands.append(f'sudo mv /tmp/ban-robots.txt /etc/xrootd/ban-robots.txt')
commands.append(f'sudo mv /tmp/grid-mapfile /etc/grid-security/grid-mapfile')

# We need a separated config file per instance so we can call systemctl with a different name
# Both files can be the identical
commands.append(f'sudo cp /tmp/xrootd-standalone.cfg /etc/xrootd/xrootd-standalone-1.cfg')
commands.append(f'sudo cp /tmp/xrootd-standalone.cfg /etc/xrootd/xrootd-standalone-2.cfg')
commands.append(f'sudo mkdir /rucio')

#Set Permissions
commands.append(f'sudo chown xrootd: /etc/xrootd/*')
commands.append(f'sudo chown -R xrootd: /rucio')


for command in commands:
    #print(command)
    stdout, stderr = node1.execute(command)

In [None]:
# Install self-signed certs
#*******************************************************************************************
# *************** NOTE: this is just for testing: this is NOT secure ***********************
# You should get your own certs and install them in /etc/grid-security/xrdcert.pem, xrdkey.pem
# If you use this, you will need to do the following in the node you are using to test:
#   a) copy the additions made below into /etc/hosts into your /etc/hosts 
#   b) install the dummy CA
#     sudo curl http://uaf-1.t2.ucsd.edu/dummy_ca/560061af.0 -o /etc/grid-security/certificates/560061af.0
#     sudo chmod 644 /etc/grid-security/certificates/560061af.0
#     sudo chown root: /etc/grid-security/certificates/560061af.0
#   c) Get rid of the CRLs
#     rm -f /etc/cron.d/fetch-crl
#     rm -rf /etc/grid-security/certificates/*.r0
#     rm -rf /var/spool/xrootd/.xrdtls/*
# To test
#   gfal-ls davs://sub1.node1.rucio.sense.org:1094/ OR
#   gfal-ls davs://sub2.node1.rucio.sense.org:1094/
#*******************************************************************************************

commands = []
#Install our dummy CA
commands.append(f'sudo curl http://uaf-1.t2.ucsd.edu/dummy_ca/560061af.0 -o /etc/grid-security/certificates/560061af.0')
commands.append(f'sudo chmod 644 /etc/grid-security/certificates/560061af.0')
commands.append(f'sudo chown root: /etc/grid-security/certificates/560061af.0')

# Get rid of CRLs since our dummy CA don't support them
commands.append(f'rm -f /etc/cron.d/fetch-crl')
commands.append(f'rm -rf /etc/grid-security/certificates/*.r0')
commands.append(f'rm -rf /var/spool/xrootd/.xrdtls/*')

commands.append(f''' cat << EOF > /tmp/xrdcert.pem
-----BEGIN CERTIFICATE-----
MIIDuDCCAqCgAwIBAgIUT2FdHyN/hj7zAkKVbwBwk2/uzXQwDQYJKoZIhvcNAQEL
BQAwSjELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD19EZXZlbG9wbWVudCBDQTEhMB8G
A1UEAwwYRGV2ZWxvcG1lbnQgY2VydGlmaWNhdGVzMB4XDTI0MDcyNjE3MDUyMloX
DTI1MDcyNjE3MDUyMlowSTELMAkGA1UEBhMCVVMxGjAYBgNVBAoMEUxvY2FsIERl
dmVsb3BtZW50MR4wHAYDVQQDDBVub2RlMS5ydWNpby5zZW5zZS5vcmcwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBX7GzU4+ZbD3eryigTokRNqArKkyc
afesDp8kx/yk1SHUhATbhTdu6mDCCpQm+lnwOCMrAwjwYKj6jcPyHtgdP/afdHqj
kvsk6Qjs0zWfhCjhvDhS1GpVkPC3IwtwcJ1TdpJZJzGIHUXZMUXok6xMY0aUYBq4
qNjuSaoVlh1fNq05gMkiTKZYspUXjwDmNY+52O/ZGHjOaQAADwtE+OyuiBvKdaKq
HfGkvDQLh9t3d5Uee4XfsScvk8Ry9RQDjtRJNks3bJCchZIho28Trjrua6N0j65m
BGC5LKIclvNsJLsCTT/r8jxKQ7dZw4ioR/wzFNykfJ4CTO4DK3jWUHd9AgMBAAGj
gZYwgZMwHwYDVR0jBBgwFoAU9r4Dt0UIBfHniJqMhlU6uM5PLU4wCQYDVR0TBAIw
ADALBgNVHQ8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDkG
A1UdEQQyMDCCFW5vZGUxLnJ1Y2lvLnNlbnNlLm9yZ4IXKi5ub2RlMS5ydWNpby5z
ZW5zZS5vcmcwDQYJKoZIhvcNAQELBQADggEBADiBRDr3fNdr6Vew8t25ZOqE8bKb
i4adzH6xYChM1SxvTmxJdCmHavVUo6ljovmNFjYzckmR7ohWNTz9SQgJ//kYxLZc
uCw0C5kHbhuvUHjD0NBndnr//W+5k4742i32NANG8FQIrJvSFJHYIsz+HtzDb0+n
7b0EkaOtyRqA4NgNLgjt8uycx7DRID+8TxutzfYZcv/XJDUHD4be2Uf15fjSxeRv
wCzytkXInsZB+OWjXrQyQYNSfIZqhS8WResJwIXF7YGmsIg695OgI6B1NVDi2jhy
WWDVMbK5Cw76G827XZAqzuT/U+pRkJ8lXAlnoVN87JIFzDfzO4CG++lNf0I=
-----END CERTIFICATE-----
''')

commands.append(f''' cat << EOF > /tmp/xrdkey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwV+xs1OPmWw93q8ooE6JETagKypMnGn3rA6fJMf8pNUh1IQE
24U3bupgwgqUJvpZ8DgjKwMI8GCo+o3D8h7YHT/2n3R6o5L7JOkI7NM1n4Qo4bw4
UtRqVZDwtyMLcHCdU3aSWScxiB1F2TFF6JOsTGNGlGAauKjY7kmqFZYdXzatOYDJ
IkymWLKVF48A5jWPudjv2Rh4zmkAAA8LRPjsrogbynWiqh3xpLw0C4fbd3eVHnuF
37EnL5PEcvUUA47USTZLN2yQnIWSIaNvE6467mujdI+uZgRguSyiHJbzbCS7Ak0/
6/I8SkO3WcOIqEf8MxTcpHyeAkzuAyt41lB3fQIDAQABAoIBAQCb+xTcEgtDNoyx
k5ixtqfZurZ4GyaxBMlDgIfeo3Kng0RGqDdC27JbRbPG0cGvr0HdA2taxpfvTgkA
Elp8c2TgMzg8ZziFuYnbvB326mfWxEQ10h2csrsTSlbhYuNXT3+YU4y5XWQW54Xw
LE63zGavN2U3Sk5Dpe9WRxVrVCtdINYVrwa1QIXLBIAeIUm0bAkQZAjEIHUsiG/d
Vxg1Jt/CkjNeBZEXjhe4ItnRNsqhY63m3gIHMVAHYoA/uKi+mP3VSXARq96s4lqj
C6D1UE9O2eXJeguha6ez4HRoIj0hv+uFq+YRulQBlAxZtYfT1T6j0QOKi2LJL+IU
R5WtK3ABAoGBAOtn3uQAt3LCKIqPZIb1+uq5h0Rhwp7p/0X3yWynvoMrlcKVbNa3
HXDE/gPK0iz6FR7f7cjLX4p5tMggebit5sJeH7mwJeU9wp8ta5kSrJfaA8vcI6K6
VWeu4xoIWcq2JoSejPwTCKdbX57fjsdYkgkQ0dldkcJB4DQqjt/45WaZAoGBANJK
erTqsM8dniHrLk/+OboX9wyWv5Gdwtkm68qQho2SgtLGbKzQwkn8l6upYnx5cPRV
bjzmM2/Oa6fbMbVBgLn8GVT2GEGQp6OWH/PAnONkyYY5HsV+ee5ZltF9gSmfEpp4
F8M9LAiOT0NV73qaQy/px3ibJTcUonGc52V4r7qFAoGBAMn5tw3dZ4i4+dvYqCH7
zyuxv1N2pWt/zZyUu2fUjOsybC4l0tpvBn2JJ4DNdoNMlu6EpxpPFExVnDzRUF6a
JpHB/GpvrjQAR4oXiGgv05H+Zp9048ZtJXXuYcAmRhRdMLM87i4hjp05EtPXcEOt
xK6ulb5wP+1yZBGeKjQU846RAoGARqZjJ1kZ4duvfvHGc3WT62OVypLy9XctOUuM
OFfp/LJWZX3okP7p53WHd1LHFc6vFkeFa8xjR5LwNEq+HolNOC7sS9EKQSzaRWlw
frIdg4Ae/ItAPVXKnTtYIjWqKVOaKm9ifGOW4aD+HD9I38XoALboHyrwi9rQ4J64
Vyz+zQkCgYBjLx884jNfcsrAs/W8oxHT900ScV11Su7CRfhp1cgYONWxUf+5TLe/
XPfLfzHj5uHZFfWFCXcjl18lt+ojOKAd2Bx71wOzTLEGbT6/IHYQXbxyo03tXfts
2gVxAZAiULO7l1qnzyEv1kNrnSuG5jH+rHpj63QD7/QQK47sd+a58w==
-----END RSA PRIVATE KEY-----
''')

# Move files created above
commands.append(f'sudo mkdir /etc/grid-security/xrd')
commands.append(f'sudo mv /tmp/xrdcert.pem /etc/grid-security/xrd/xrdcert.pem')
commands.append(f'sudo mv /tmp/xrdkey.pem /etc/grid-security/xrd/xrdkey.pem')

# Set right permissions
commands.append(f'sudo chown -R xrootd: /etc/grid-security/xrd')
commands.append(f'sudo chmod 600 /etc/grid-security/xrd/xrdkey.pem')

# Create local DNS records for the above cert to make sense locally
# NOTE: you need the same records in any place that interacts with this node
# The cert above has "Subject Alternative Name: *.node1.rucio.sense.org"
commands.append(f'sudo cat /etc/hosts > /tmp/hosts')
commands.append(f'sudo echo "{str(avail_ip1)}  sub1.node1.rucio.sense.org" >> /tmp/hosts')
commands.append(f'sudo echo "{str(avail_ip2)}  sub2.node1.rucio.sense.org" >> /tmp/hosts')
commands.append(f'sudo mv /tmp/hosts /etc/hosts')


for command in commands:
    #print(command)
    stdout, stderr = node1.execute(command)

In [None]:
# Get the device assigned to a given Network
def get_device(node, net_name):
    dev_name = None
    for interface in node.get_interfaces():
        name = interface.get_network().get_name()
        if  name == net_name:
            dev_name = interface.get_device_name()
            
            break
        
    return dev_name

# launch the xrootd instance and configure its namespace
def launch_and_configure_instance(inst_id, dev, ip, gateway):
    namespace="webserver-standalone-"+inst_id
    commands= []
    commands.append(f'sudo systemctl start xrootd@standalone-{inst_id}')
    commands.append(f'sudo ip link set dev {dev} netns {namespace}')
    commands.append(f'sudo ip netns exec {namespace} ip addr add {ip}/64 dev {dev}')
    commands.append(f'sudo ip netns exec {namespace} ip link set mtu 9000 dev {dev}')
    commands.append(f'sudo ip netns exec {namespace} ip link set dev {dev} up')
    commands.append(f'sudo ip netns exec {namespace} ip route add default via {gateway} dev {dev}')
    commands.append(f'sudo ip netns exec {namespace} sysctl net.ipv6.conf.{dev}.autoconf=0')
    commands.append(f'sudo ip netns exec {namespace} ip link set lo up')
    for command in commands:
        #print(command)
        stdout, stderr = node1.execute(command)


# The following creates 2 instances of XRootD, each in its own namespace
# each instance uses one of the NICs requested above

# Get the interface (eth1 or eth2) that matches the available ip. 
# We know that available_ip1 == net1 & available_ip2 == net2
dev1 = get_device(node1, "net1")
gateway1= str(avail_ip1)[:-1]+"1"
dev2 = get_device(node1, "net2")
gateway2= str(avail_ip2)[:-1]+"1"


launch_and_configure_instance("1", dev1, str(avail_ip1), gateway1)
launch_and_configure_instance("2", dev2, str(avail_ip2), gateway2)

# To test
#   gfal-ls davs://sub1.node1.rucio.sense.org:1094/ OR
#   gfal-ls davs://sub2.node1.rucio.sense.org:1094/

In [None]:
# Print the SSH command to log into the node
print({node1.get_ssh_command()})

In [None]:
# Set end host to now plus 15 days
end_date = (datetime.now(timezone.utc) + timedelta(days=15)).strftime("%Y-%m-%d %H:%M:%S %z")
slice.renew(end_date)

In [None]:
# Show lease end date/time
print(f"Lease End (UTC)        : {slice.get_lease_end()}")