Skip to content
fstagni edited this page May 24, 2022 · 58 revisions

Python3

DIRAC 8.0 drops the python2 support, both client and server. Before moving to DIRAC 8.0, all clients, pilots and servers need to be moved to Python3. Instructions can be found in https://github.com/DIRACGrid/DIRAC/wiki/DIRAC-7.3-(v7r3).

The default python version for running DIRAC services is provided by DIRACOS2 (3.9).

The python2 support is kept in certain sections of the code specifically for starting Pilots on nodes that don't provide Python 3.

ElasticSearch support

This version drops the support for ElasticSearch 6. If you are using ES6, you need to move to ES7 (or OpenDistro, or OpenSearch) before installing version 8.0 of DIRAC.

DataManagement System

SRM + HTTPs

Following https://github.com/DIRACGrid/DIRAC/pull/6061, it is now possible to submit transfers TPC between SRM and https via FTS. Note that the TURL parameter must be set by the FTS team.

Framework System

Removal of gMonitor and Framework/Monitoring

  • The following services can be uninstalled:
    • Framework/Monitoring
    • Framework/Plotter

On the machine hosting the Framework/Monitoring service, the directory /opt/dirac/data/monitoring can be removed. The MySQL database "ComponentMonitoringDB" can be removed.

Following this, the ActivityMonitor on the WebApp has also been removed.

The code of any DIRAC extension using gMonitor or contacting the Framework/Monitoring service should be removed. If you happen to have this case, an alternative is provided through an ElasticSearch backend.

Flag for disabling the SecurityLogging service

Please see https://github.com/DIRACGrid/DIRAC/pull/5760 for details on how to use ElasticSearch for reaching the same result. The SecurityLogging service will be removed from later releases.

New agent

The new agent Framework/ProxyRenewalAgent has to be installed. The agent Framework/MyProxyRenewalAgent is instead discontinued and should be removed (its functionalities are part of ProxyRenewalAgent).

WorkloadManagement System

JobDB: move from BLOB to TEXT

While introduced with https://github.com/DIRACGrid/DIRAC/pull/5840, this can of course be done at any time (also while running 7.3)

use JobDB;
ALTER TABLE `JobJDLs` MODIFY COLUMN `JDL` MEDIUMTEXT, MODIFY COLUMN `JobRequirements` TEXT, MODIFY COLUMN `OriginalJDL` MEDIUMTEXT;
ALTER TABLE `JobParameters` MODIFY COLUMN `Value` TEXT;
ALTER TABLE `OptimizerParameters` MODIFY COLUMN `Value` MEDIUMTEXT;
ALTER TABLE `AtticJobParameters` MODIFY COLUMN `Value` TEXT;
ALTER TABLE `SiteMask` MODIFY COLUMN `Comment` TEXT;
ALTER TABLE `SiteMaskLogging` MODIFY COLUMN `Comment` TEXT;
ALTER TABLE `HeartBeatLoggingInfo` MODIFY COLUMN `Value` TEXT;
use PilotAgentsDB;
ALTER TABLE `PilotAgents` MODIFY COLUMN `GridRequirements` TEXT;
ALTER TABLE `PilotOutput` MODIFY COLUMN `StdOutput` MEDIUMTEXT, MODIFY COLUMN `StdError` MEDIUMTEXT;

Production System

ProductionDB: move from BLOB to TEXT

While introduced with https://github.com/DIRACGrid/DIRAC/pull/5931, this can of course be done at any time (also while running 7.3)

USE ProductionDB;
ALTER Table `Productions` MODIFY COLUMN Description LONGTEXT;
ALTER Table `ProductionSteps` MODIFY COLUMN LongDescription TEXT;
ALTER Table `ProductionSteps` MODIFY COLUMN Body LONGTEXT

Transformation System

TransformationDB: move from BLOB to TEXT

While introduced with https://github.com/DIRACGrid/DIRAC/pull/5828, this can of course be done at any time

ALTER TABLE `TransformationMetaQueries` MODIFY COLUMN `MetaDataValue` TEXT;
ALTER TABLE `AdditionalParameters` MODIFY COLUMN `ParameterValue` LONGTEXT;
ALTER TABLE `Transformations` MODIFY COLUMN `Body` LONGTEXT, MODIFY COLUMN `LongDescription` TEXT;

Monitoring System

New Flag System

In order to simplify the system of flags that are used to enable the monitoring in DIRAC, there is now a new section in the CS under Operations called MonitoringBackends, where there is a flag Default which can be set as Accounting(always set as default) and Monitoring and will decide the monitoring backend for all monitoring types.

There is also an option to override this default flag to set a specific backend for a monitoring type, for which you would need to create a new specific flag. More information on https://dirac.readthedocs.io/en/integration/AdministratorGuide/Systems/MonitoringSystem/index.html#enable-the-monitoring-system.

Note: Please do remove the old flags that are specified for each type in the following sections.

New PilotSubmissionMonitoring

PR https://github.com/DIRACGrid/DIRAC/pull/5788 introduces a new PilotSubmissionMonitoring. The functionalities are the same of PilotSubmissionAccounting, but using the DIRAC Monitoring system (ElasticSearch) as backend.

Old flags to be removed: SendPilotSubmissionMonitoring and SendPilotSubmissionAccounting, located in WorkloadManagement/SiteDirector in the CS. Enabled by setting Monitoring value in MonitoringBackends flag.

New DataOperationMonitoring

Data Operation can now also be monitored by the DIRAC Monitoring System. Whether the data is sent to Accounting and/or Monitoring depends on the MonitoringBackends flag.

Old flag to be removed is DataManagement/MonitoringBackends in Operations/Defaults.

Replacing ComponentMonitoring with two new types

Following this Pull Request, ComponentMonitoring is being replaced by two new types that monitor agents and services respectively instead of all in one: AgentMonitoring and ServiceMonitoring. These won't be present on the DIRAC WebApp but will be available on Kibana/Grafana dashboards.

Also these are enabled by setting Monitoring value in MonitoringBackends flag.

Old flag to be removed: EnableActivityMonitoring in Operations/Defaults.

New PilotsHistoryMonitoring

New monitoring type that sends a snapshot of PilotAgentsDB to Elasticsearch every 15m, as it is similarly done with WMSHistory. Won't be implemented for Accounting.

Enabled by setting Monitoring value in MonitoringBackends flag.

Nginx

If requests to DIRAC server are processed by nginx, then you need to make the following updates:

  • pass the X-SSL-CERT header to the escaped user certificate pem by adding the following to the nginx configuration:
location ~ /DIRAC/ {
    ...
    proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;

WebApp portal

A portal compatible with this version no longer contains path "/" to "/DIRAC/" redirects, administrator must add this to the nginx configuration as needed:

location = / {
    rewrite ^ https://$server_name/DIRAC/ permanent;
}

Technology Previews

OAuth2 authorization

OAuth2 authorization - a feature that you can try, for this you will need more actions:

Nginx

  • add new upstream that describe REST endpoints
upstream tornadoserver_8443 {
  server 127.0.0.1:8443;
}
  • add location to describe REST endpoints access
location ~ ^/(?!(DIRAC|pilot)) {
  proxy_pass_header Server;
  proxy_set_header Host $http_host;
  proxy_redirect off;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Scheme $scheme;
  proxy_pass https://tornadoserver_8443;
  proxy_read_timeout 3600;
  proxy_send_timeout 3600;

  proxy_set_header X-Ssl_client_verify $ssl_client_verify;
  proxy_set_header X-Ssl_client_s_dn $ssl_client_s_dn;
  proxy_set_header X-Ssl_client_i_dn $ssl_client_i_dn;
  proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;

  gzip on;
  gzip_proxied any;
  gzip_comp_level 9;
  gzip_types text/plain text/css application/javascript application/xml application/json;

  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  break;
}

DIRAC configuration

  • Describe WebApp client credentials in /DIRAC/Security/Authorization
Authorization
{
  Clients
  {
    DIRACWeb
    {
      client_id = <any string>       # Should be in the local dirac.cfg as secret information
      client_secret = <any string>   # Should be in the local dirac.cfg as secret information
      redirect_uri = https://<your domain>/DIRAC/loginComplete
    } 
  }
}

  • register an OAuth 2 client on the your Identity Provider and write received client credentials in a /Resources/IdProviders
IdProviders
{
  CheckIn                                                         # Identity Provider name
  {
    ProviderType = CheckIn                                        # Can be also IAM or just OAuth2
    issuer = https://aai.egi.eu/oidc
    scope = openid+profile+offline_access+eduperson_entitlement   # Default scope
    client_id = <EGI client ID>                                   # Should be in the local dirac.cfg as secret information
    client_secret = <EGI client secret>                           # Should be in the local dirac.cfg as secret information
  }
}
  • Describe TokenManager service, OAuth 2 REST API and databases in a /Systems/Framework/<instance name> section
Services
{
  TokenManager
  {
    Protocol = https
  }
}
URLs
{
  TokenManager = https://<domain name>:8443/Framework/TokenManager  # Service that will manage tokens 
  AuthAPI = https://<domain name>/auth                              # OAuth 2 REST API
}
Databases
{
  AuthDB                                                            
  {
    DBName = AuthDB                                                 # Registers long sessions
  }
  TokenDB
  {
    DBName = TokenDB                                                # Store user refresh tokens
  }
}

To forbid receiving a proxy as a result of authorization, set /Systems/Framework/<instance name>/APIs/Auth/downloadablePersonalProxy configuration option to False.

Deprecated

DIRACScript

Please, use:

from DIRAC.Base.Core.Script import Script

@Script
def main(self):
   Script.parseCommandLine()
   ...

OR to load configuration without parsing arguments:

from DIRAC import initialize

initialize()

instead of:

from DIRAC.Core.Utilities.DIRACScript import DIRACScript
...
Clone this wiki locally