Tier-0 New Operator Setup

Getting your computer account

Computing account at FNAL

  • Follow the instructions at http://www.uscms.org/uscms_at_work/computing/getstarted/getaccount_fermilab.shtml
  • When using the FNAL service now mask should not select “Computing/IT professional access only”. Although this is technically correct, this will end up requesting a service provider account at FNAL, as if you would run SAM or jobsub.

Computing account at CERN

  • If you will be Working at CERN, follow the steps to get registered at CERN here: http://www.uscms.org/uscms_at_work/working_cern/registration.shtml
  • Follow the instructions here: https://twiki.cern.ch/twiki/bin/view/CMSPublic/WorkBookGetAccount
  • You must be in the 'zh' group (CMS Computing Group) in order to access some of the services.
    • On lxplus execute
       phonebook --all --email <new_awesome_operator>@cern.ch 
    • In the output check the Coumputer accounts section. You should see something like this:
       Computer account(s):
       Login    Grp St Uid   Gid  Last login    Shell    Home directory
       <your_user> zh  PA 74299 1399 01/07/17 20:20 /bin/bash /afs/cern.ch/user/<initial>/<your_user> 
  • When asking for the different access, remember to CC cms-tier0-operations@cernNOSPAMPLEASE.ch telling that you need access (This will keep the whole team informed and will help them to help you if needed).

CERN user certificate installed on your web browser

  • Go to https://ca.cern.ch/ca/ and click on "New User Certificate"
  • Download the certificate and install it in the browsers you will use to access the CERN and CMS sites. Be careful, this certificate identifies you. Avoid leaving it in public locations.

CMS VO Registration

  • Go to the CMS VOMS server, and follow the instructions
  • Select all the necessary roles for your functions (Ask Jen or David Mason)
    • You need at least be in:
      • /cms/TEAM

CMS hypernews account* and useful Hypernews forums

  • Go to https://hypernews.cern.ch/HyperNews/CMS/add-member.pl

  • Commissioning and Run Coordination
    • CMS Commissioning

  • Category: Computing Development
    • Computing Technical Project Discussions
    • Computing Project Announcements
    • Tier-0 Development Discussions

  • Computing Integration/Operations
    • CERN Computing Announcements
    • Computing Operations
    • Offline and Computing Monitoring
    • Tier-0 Operations

  • Online/Trigger
    • Storage Manager Operations

  • Software Development
    • Alignment/Calibration Discussions (AlCa HN)
    • Data Quality Monitoring Development (DQM)
    • Framework and Edm Development
    • Reconstruction Development
    • Software Release Announcements

* Other Hypernews that might eventually be useful:

    • PhEDEx Discussions
    • Computing Integration/Commissioning
    • Data Operations Requests
    • Grid Announcements
    • PhEDEx Operations
    • Production and Reprocessing Operations
    • Dataset Announcements
    • Web Interface Discussions
    • Storage Manager Development
    • Package Release Announcements
    • Release Integration
    • Software Release Announcements
    • Workflow Management Development

Elog account

  • to get this, go to https://cmslogbook.cern.ch/elog/Workflow+processing/?cmd=New+user
  • Write an e-mail to cms-voc@cernNOSPAMPLEASE.ch describing shortly who why you want access to the "Workflow Processing" e-log.

TWiki registration

  • go to https://twiki.cern.ch/twiki/bin/view/Main/WebHome and select Registration

Github account

  • https://github.com/

Getting access to cmst1 account

  1. Send an email to CMS VOC <cms-voc@NOSPAMPLEAScern.ch> providing your CERN AFS/Nice username with CC to cms-tier0-operations@NOSPAMPLEASEcern.ch. Since you need to:
    1. be added to the AFS cmst1:users
    2. be added to the cms-comp-ops egroup
    3. be added to the cmst1.pp puppet manifest

Subscribe to E-groups

  • to do this, go to https://e-groups.cern.ch/ and log in with your CERN username and password
  • search for and subscribe to these e-groups:
    1. cms-comp-ops
    2. cms-comp-ops-workflow-team
    3. cms-tier0-monitoring-alerts

GGUS account

  • Go to https://ggus.eu
  • Load your certificate information.

Cloud service

Subscribe the cloud service. This will allow you to access to the OpenStack projects http://clouddocs.web.cern.ch/clouddocs/tutorial_using_a_browser/subscribe_to_the_cloud_service.html

Proxy-ssh and SSH tunnels* to several machines at FNAL and CERN

  • In order to access the WMAgent instances and for some monitoring plots to show up, you will need to create ssh tunnels to several machines.
  • Follow the instructions HERE
  • It is useful if you place the proxy-ssh script in a known location of $PATH. For instance, you can place the file at /usr/local/bin.
  • If you would monitoring the agent machines, you should also be enroled in the cmst1 group. Ask who owns the cmst1 password to add you.

Proxy certificate: installing your cert in remote machines and getting a proxy

  • A proxy certificate is needed for any operation that uses ssl (authentication X509). These operations are: move files within the grid, to assign jobs, and to access to cmsweb.
  • This needs to be re-done once your proxy expires (usually 1 or 2 days)
    1. export your myCert.p12 from your browser to your home area [do cd ~ in shell to find out where is it]
  • Once a year you will need to renew your proxy. Directions for downloading the proxy from your firefox can be found here : https://www.physics.purdue.edu/Tier2/import_export_gridcert

    1. unpack it by doing the following:
      cd ~ # this moves to your home area openssl pkcs12 -in myCert.p12 -out myPublicCert.pem -clcerts -nokeys # this creates: myPublicCert.pem openssl pkcs12 -in myCert.p12 -out myPrivKey.pem -nocerts #this creates : myPrivKey.pem [enter a new password to protect your private key] 
      • more info: http://en.wikipedia.org/wiki/Public-key_cryptography
    2. now move these to your afs space:
      • from local machine do:
        ssh lxplus.cern.ch
        then in lxplus or cmspc do: 
        mkdir .globus [this is the standard place for voms certificates]
        from local machine do:
        cd ~
        scp ~/myPrivKey.pem lxplus.cern.ch:.globus/userkey.pem
        scp ~/myPublicCert.pem lxplus.cern.ch:.globus/usercert.pem
    3. now you need to change permissions on the files:
                                 chmod 400 userkey.pem   # owner read only
                                 chmod 600 usercert.pem   # owner R&W
    1. you are now ready to get your proxy:
      • lxplus (new SL6 machines)
        voms-proxy-init -voms cms 
      • lxplus5 (old SL5 machines):
        source /afs/cern.ch/cms/LCG/LCG-2/UI/cms_ui_env.sh voms-proxy-init -voms cms 
      • cmspc:
        source /uscmst1/prod/grid/gLite_SL5.sh voms-proxy-init -voms cms 
    1. Site Status Board (SSB):
      • Discuss with a workflow team leader <cms-comp-ops-workflow-team@cern.ch> if you need the permissions to change the production status of sites.
        • If yes, open a GGUS ticket to the Dashboard team requesting permissions on SSB to change the site status. In this ticket include your certificate DN.

  • *4. Use this url to register to the VO: https://voms2.cern.ch:8443/voms/cms/user/home.action*
Get VO roles for these groups:


6. The Tier-0 issues reporting

Tier-0 issues are reported and followed up in Jira

  • https://its.cern.ch/jira/projects/CMSTZ

The previous system, ELOG, is not used anymore. However it is a valuable source of knowledge, useful to investigate issues.

  • https://cms-logbook.cern.ch/elog/Tier-0+processing/?cmd=New+user

9. Some useful egroups for Tier-0 are:


Access to the repositories

  1. https://github.com/dmwm/T0
git remote add dmwm https://github.com/dmwm/T0.git

git checkout master
git fetch dmwm
git pull dmwm master
git push origin master

  1. Tier-0 gitlab projects.

  1. Github fork, upstream setup.

Old Instructions

Other stuff



Edit | Attach | Watch | Print version | History: r22 < r21 < r20 < r19 < r18 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r22 - 2019-05-16 - VytautasJankauskas
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    CMSPublic All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright &© 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback