From e667fe6571e0bdf46030375ad90f377e3148c788 Mon Sep 17 00:00:00 2001 From: Brian P Bockelman Date: Tue, 12 Nov 2024 08:09:58 -0600 Subject: [PATCH 1/2] Modest tweaks from reviewing doc --- docs/data/osdf/install-cache-rpm.md | 30 +++++++++++++---------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/docs/data/osdf/install-cache-rpm.md b/docs/data/osdf/install-cache-rpm.md index e038edf88..218af0b8f 100644 --- a/docs/data/osdf/install-cache-rpm.md +++ b/docs/data/osdf/install-cache-rpm.md @@ -3,9 +3,9 @@ title: Installing the OSDF Cache by RPM Installing the OSDF Cache ========================= -This document describes how to install a Pelican-based Open Science Data Federation (OSDF) Cache service via RPMs. +This document describes how to install an Open Science Data Federation (OSDF) Cache service via RPMs. This service allows a site or regional network to cache data frequently used in Open Science Pool jobs, -reducing data transfer over the wide-area network and decreasing access latency. +reducing data transfer over the wide-area network and increasing throughput to jobs. Before Starting @@ -19,8 +19,7 @@ Before starting the installation process, consider the following requirements: * __Host certificate:__ Required for authentication. See note below. * __Network ports:__ The cache service requires the following ports open: * Inbound TCP port 8443 for file access via the HTTP(S) and XRoot protocols. - * (Optional) Inbound TCP port 8444 for access to the web interface for monitoring and configuration; - if enabled, access to this port should be restricted to the LAN. + * Inbound TCP port 8444 for access to the web interface for monitoring and configuration. * __Service requirements:__ * A cache serving the OSDF federation as a regional cache should have at least: * 8 cores 
@@ -33,6 +32,7 @@ Before starting the installation process, consider the following requirements: * 40 Gbps connectivity * 2 TB of NVMe disk for the cache partition * 24 GB of RAM + * The cache should be a mounted filesystem; its mount location is referred to as `` in the documentation below. We suggest that several gigabytes of local disk space be available for log files, although some logging verbosity can be reduced. @@ -42,14 +42,12 @@ As with all OSG software installations, there are some one-time steps to prepare * Prepare [the required Yum repositories](../../common/yum.md) -!!! note "OSG 23" - In OSG 23, the Pelican-based OSDF RPMs are only available in the "osg-upcoming" repositories. - !!! note "Host certificates" - Caches should use a CA that is accepted by major browsers and operating systems, - such as InCommon RSA or [Let's Encrypt](../../security/host-certs/lets-encrypt.md). - IGTF certs are not recommended because clients are not configured to accept them by default. - Note that you will need the full certificate chain, not just the certificate. + Caches are accessed by users through browsers, meaning caches need a certificate from a CA acceptable to a standard browser. + Examples include [Let's Encrypt](../../security/host-certs/lets-encrypt.md) or the InCommon IGTF CA. + Caches without a valid certificate for the browser cannot be added to the OSDF. + Note that, unlike legacy grid software, the public certificate file will need to contain the "full chain", including any + intermediate CAs (if you're unsure about your setup, try accessing your cache from your browser). The following locations should be used (note that they are in separate directories): 
@@ -74,13 +72,12 @@ OSG 23: root@host # yum install --enablerepo=osg-upcoming-testing osdf-cache ``` +!!! note "osdf-cache 7.11.1" + This document covers versions 7.11.1 and later of the `osdf-cache` package; ensure the above installation + results in an appropriate version. Configuring the Cache Server ---------------------------- - -!!! note "osdf-cache 7.11.1" - This configuration requires version 7.11.1 or newer of the `osdf-cache` - and `pelican` RPMs. In `/etc/pelican/config.d/20-cache.yaml`, set `Cache.LocalRoot`, `Cache.DataLocation` and `Cache.MetaLocation` as follows, replacing `` with the mount point of the partition you will use for the cache. @@ -91,7 +88,6 @@ Cache: MetaLocation: "/meta" ``` - Preparing for Initial Startup ----------------------------- @@ -105,7 +101,7 @@ before starting the cache for the first time, it is generate a keypair. The newly created files, `issuer.jwk` and `issuer-pub.jwks` are the private and public keys, respectively. -1. **Save these files**; if you lose them, your cache will need to be re-approved. +1. **Save these files**; if you lose the `issuer.jwk`, your cache will need to be re-approved. Validating the Cache Installation From 0109773d4344e6d532a71ccde27add6098a3bd2d Mon Sep 17 00:00:00 2001 From: Matyas Selmeci Date: Thu, 21 Nov 2024 12:27:07 -0600 Subject: [PATCH 2/2] Put back port 8444 warning pending discussion --- docs/data/osdf/install-cache-rpm.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/data/osdf/install-cache-rpm.md b/docs/data/osdf/install-cache-rpm.md index 218af0b8f..70d30960b 100644 --- a/docs/data/osdf/install-cache-rpm.md +++ b/docs/data/osdf/install-cache-rpm.md 
@@ -19,7 +19,8 @@ Before starting the installation process, consider the following requirements: * __Host certificate:__ Required for authentication. See note below. * __Network ports:__ The cache service requires the following ports open: * Inbound TCP port 8443 for file access via the HTTP(S) and XRoot protocols. - * Inbound TCP port 8444 for access to the web interface for monitoring and configuration. + * (Optional) Inbound TCP port 8444 for access to the web interface for monitoring and configuration; + if enabled, access to this port should be restricted to the LAN. * __Service requirements:__ * A cache serving the OSDF federation as a regional cache should have at least: * 8 cores
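Review bot: In PATCH 1/2, hunk `@@ -19,8 +19,7 @@`, the rewritten port 8444 bullet drops both "(Optional)" and the sentence "if enabled, access to this port should be restricted to the LAN". The monitoring and configuration web interface is then listed as a required inbound port with no limit on which networks may reach it. Keep the restriction sentence, or replace it with a statement of which source networks need to reach 8444 and for what purpose, so that a site admin does not open a configuration interface more widely than the service needs.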
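Review bot: In PATCH 1/2, hunk `@@ -42,14 +42,12 @@`, the added line "Examples include Let's Encrypt or the InCommon IGTF CA" contradicts the text it replaces, which recommended "InCommon RSA" and said "IGTF certs are not recommended because clients are not configured to accept them by default". If the intent is still a CA that browsers trust, name InCommon RSA again and keep the sentence steering readers away from IGTF certificates. Otherwise an admin following the new note can obtain a certificate that, per the next added line, means the cache "cannot be added to the OSDF". The same hunk removes the "OSG 23" note about the "osg-upcoming" repositories, while the install command in the following hunk's context still passes `--enablerepo=osg-upcoming-testing`, so confirm the removal is intended.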
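Review bot: In PATCH 1/2, hunk `@@ -74,13 +72,12 @@`, the relocated "osdf-cache 7.11.1" note names only the `osdf-cache` package, where the removed note required version 7.11.1 or newer of both the `osdf-cache` and `pelican` RPMs. "Ensure the above installation results in an appropriate version" also gives the reader no way to check. Suggest keeping both package names and adding the check itself, for example `rpm -q osdf-cache pelican`, directly under the `yum install` commands.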
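Review bot: In PATCH 1/2, hunk `@@ -105,7 +101,7 @@`, the step still opens with "Save these files" but says nothing about how the saved copy of `issuer.jwk` should be protected, even though the context line above identifies it as the private key. Narrowing the re-approval warning to `issuer.jwk` is right. Suggest also stating that any backup of `issuer.jwk` must stay readable only by the administrator or service account and must not sit alongside the public `issuer-pub.jwks` in a shared location. The context line "it is generate a keypair" in the same hunk is missing a word and could be fixed while this paragraph is being touched.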
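Review bot: In PATCH 2/2, hunk `@@ -19,7 +19,8 @@`, the restored bullet is marked "(Optional)" but sits under "The cache service requires the following ports open", and "if enabled" does not say what enables the web interface or how to leave it off. "Restricted to the LAN" also names no mechanism. Suggest moving the bullet out of the required-ports list, or rewording the list's lead-in, and saying concretely that a host or site firewall rule should limit the source addresses allowed to reach 8444. Since the subject says "pending discussion", a pointer to where that discussion is tracked would help whoever revisits this line.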