Beginner Administrator
This page tells you what to do when you're a new team member (a.k.a. newbie) and need to set up your (CERN) development environment.
General document for newcomers (IT GOV ENG shared document).
To be able to access most CERN services without typing your password every time, you should configure a Kerberos client on your computer and request a new "ticket".
- To set up Kerberos on your computer, follow this documentation: Accessing CERN Linux machines via Kerberos.
- For Mac users:
  - Installation for Mac clients.
  - If you installed `conda` before setting up Kerberos, have a look at troubleshooting.
Most of the time, when you access a CERN service (email, aiadm...), you will need two-factor authentication (2FA) to identify yourself. To configure CERN 2FA:
- Follow this documentation. Within this link you will find a step-by-step tutorial (CERN account needed).
Access the main computing resources used by all experiments at CERN and connected to large file systems. These are `lxplus` and `aiadm`.

```
ssh <cern-user-name>@lxplus[NONE/7/8/9].cern.ch
```

The `lxplus` machines should contain common CERN packages. Among others, these machines (should) already have the `gfal2`, `fts` and `eos` clients installed.

```
ssh <cern-user-name>@aiadm.cern.ch
```

Once connected, services such as `tbag` can be accessed.
You can find the CERN documentation here. Useful commands are:
- `tbag showkeys --hg <hostgroup>`
- `tbag show --hg <hostgroup> <keyname>`
- `tbag set --hg <hostgroup> <new-keyname>`, then enter the secret key when prompted

Our is tbag showkeysescapewp2c. The output of `--help`:
```
tbag --help
usage: tbag [-h] [--tbag-timeout TBAG_TIMEOUT] [--tbag-hostname TBAG_HOSTNAME]
            [--tbag-port TBAG_PORT] [--config CONFIG] [--dereference_alias]
            [--nodereference_alias] [--show_url] [-v] [-d]
            {set,delete,deletekeys,show,showkeys} ...

Tool for secrets handling

optional arguments:
  -h, --help            show this help message and exit
  --tbag-timeout TBAG_TIMEOUT
                        Timeout for trusted bag operations
  --tbag-hostname TBAG_HOSTNAME
                        Trusted bag hostname
  --tbag-port TBAG_PORT
                        Trusted bag port
  --config CONFIG       Configuration file
  --dereference_alias   dereference any lb aliases
  --nodereference_alias
                        do not dereference any lb aliases
  --show_url            show REST urls
  -v, --verbose         Be chatty
  -d, --dryrun          Don't do the requests that alter data

subcommands:
  {set,delete,deletekeys,show,showkeys}
    set                 Set a secret in the store
    delete              Delete a secret from the store
    deletekeys          Delete all keys for the given host, hostgroup or
                        service
    show                Show a secret from the store
    showkeys            Show all keys for the given host, hostgroup or service
```
To save some time whenever you make an `ssh` connection, you can define a `ProxyJump` to go through CERN `lxplus` to your `vm`:
```
# ** Working for macOS. Might differ for Linux/Windows OS **

# Use ssh agent if you want to forward your rsa key securely!
ForwardAgent yes

# Enable ssh <pcname>, which resolves to <pcname>.cern.ch
CanonicalDomains cern.ch
CanonicalizeHostname yes

Host lxplus.cern.ch aiadm.cern.ch lxtunnel.cern.ch lxplus lxplus8 aiadm lxtunnel
    User <cern-user>
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    ForwardX11 yes

Host vm
    HostName <your-vm-name>.cern.ch
    User root
    ProxyJump lxplus
    AddressFamily inet
```
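
In the configuration above, `ForwardAgent yes` sits before the first `Host` line, so it applies to every host you connect to, not only `lxplus` and `vm`. The helper below is an added example, not part of the original page: it filters the resolved options that `ssh -G <host>` prints and reports the credential-forwarding ones that are enabled. The function names, the sample output and the host `myvm.cern.ch` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# `ssh -G <host>` prints the options ssh would use for <host> after evaluating
# all matching config blocks, one lowercase "keyword value" pair per line.

# audit_ssh_effective: read `ssh -G` output on stdin, print the target and any
# enabled credential-forwarding option. Exit status 1 if at least one is on.
audit_ssh_effective() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "user" || key == "hostname" || key == "proxyjump" { info[key] = $2 }
        (key == "forwardagent" || key == "forwardx11" || key == "gssapidelegatecredentials") && val != "no" {
            hit[++n] = key "=" $2      # forwardagent may also be a socket path
        }
        END {
            via = (info["proxyjump"] != "") ? info["proxyjump"] : "direct"
            printf "target=%s@%s via=%s\n", info["user"], info["hostname"], via
            for (i = 1; i <= n; i++) print "ENABLED " hit[i]
            exit (n > 0)
        }'
}

# Constructed sample in the `ssh -G` output format (excerpt, hypothetical VM name).
sample_ssh_g_vm() {
    cat <<'EOF'
host vm
user root
hostname myvm.cern.ch
addressfamily inet
forwardagent yes
forwardx11 no
gssapidelegatecredentials no
proxyjump lxplus
EOF
}

# Run on the sample; on a real machine use: ssh -G vm | audit_ssh_effective
sample_ssh_g_vm | audit_ssh_effective || echo "review the ENABLED options above"
```

Moving `ForwardAgent yes` under the `Host` blocks that actually need it limits which remote machines can reach your agent socket while a session is open.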
Follow the instructions here and then do:
```
# This is Git's per-user configuration file.
[user]
# Please adapt and uncomment the following lines:
    name = Your Name
    email = <mail>@users.noreply.github.com
    signingkey = /root/.ssh/<your-key>.pub
[commit]
    gpgsign = false
[gpg]
    format = ssh
```
- To create a Virtual Machine, follow the CERN OpenStack documentation.
- Log in to CERN OpenStack to see all the VMs composing the cluster. At the top, make sure you are in the `ESCAPE WP2 CERN` project and in the `cern` region.
The database of the Data Lake is the central component of the VRE. In our case, it is a PostgreSQL database, but you can choose the one that suits you best. It is managed with Rucio, but accessed by the JupyterHub extension, by REANA and by Dask. It is therefore crucial to be able to interact with and inspect the database, and to get comfortable with the tools to do so. Here are a few suggestions.
Download the PSQL Tools, install them, and connect to an instance with `psql -h <instance-url> -U <admin-user> -p <port>`.
Useful commands:
- `\l` list databases
- `\du+` shows user/roles details
- `\c <dbname>` switch db
- `CREATE DATABASE <name>;`
- `CREATE USER <username>;`
- `GRANT TO ;`
- `ALTER DATABASE <name> OWNER TO <username>;`
- `ALTER USER <username> WITH PASSWORD '<password>';`
Additional documentation can be found here.
We suggest using an application to view the data instead of interacting with it from the terminal. Get the passwords to access the DB with `tbag` in `aiadm` (see above).
Download pgAdmin or DBeaver and add the new database connection with all the necessary information (in DBeaver, for example, `Open DBeaver` > `tab Database` > `New database connection` > `PostgreSQL`).
CERN VRE Technical Documentation ©CERN 2023