Uploading rcauth proxy


ernst pijper

Sep 20, 2021, 10:50:29 AM
to diracgrid-forum
Hi,

I'm trying to upload an rcauth proxy to the dirac proxy manager but I'm getting the error message:

Cannot upload proxy with DIRAC group or VOMS extensions

The proxy looks like this:

ernstp$ voms-proxy-info --file myrcauthcred2 --all
subject   : /DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE/CN=900930670/CN=2143276564
issuer    : /DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE/CN=900930670
identity  : /DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /home/ernstp/Grid/myrcauthcred2
timeleft  : 165:29:07
key usage : Digital Signature, Key Encipherment, Data Encipherment

So there are no voms attributes nor dirac group attributes present in the proxy.
Is it not possible anymore to use a proxy to upload yet another proxy to the proxy manager? I remember that it used to work for an older dirac version.
-----------------------------------------------------------------------------------------------------------------------------

Here is the debug output from trying to upload the proxy:

ernstp$ dirac-proxy-init -g pvier_user -C myrcauthcred2 -K myrcauthcred2 -ddd

2021-09-20 14:46:16 UTC Framework [139940412053312] DEBUG: dirac.cfg should be at /etc/dirac/etc/dirac.cfg

2021-09-20 14:46:16 UTC Framework [139940412053312] DEBUG: CFG merged

2021-09-20 14:46:16 UTC Framework [139940412053312] DEBUG: Updating configuration internals

2021-09-20 14:46:16 UTC Framework [139940412053312] DEBUG: Updating configuration internals

Parsing command line

Trying to load Resources.LogBackends.StdoutBackend

Trying to load DIRAC.Resources.LogBackends.StdoutBackend

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Updating configuration internals

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] NOTICE: Generating proxy...

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] NOTICE: 

Your certificate will expire in 6 days. Please renew it!


2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: Contacting CS...

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Refreshing configuration...

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Refreshing from list ['dips://nl-dirac01.grid.surfsara.nl:9135/Configuration/Server']

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Randomized server list is dips://nl-dirac01.grid.surfsara.nl:9135/Configuration/Server

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG:  Trying to refresh from dips://nl-dirac01.grid.surfsara.nl:9135/Configuration/Server

2021-09-20 14:46:17 UTC dirac_proxy_init/DIRAC.Core.Tornado.Client.ClientSelector [139940412053312] DEBUG: Trying to autodetect client for dips://nl-dirac01.grid.surfsara.nl:9135/Configuration/Server

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Already given a valid url dips://nl-dirac01.grid.surfsara.nl:9135/Configuration/Server

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Trying to connect to: dips://nl-dirac01.grid.surfsara.nl:9135/Configuration/Server

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Connected to: dips://nl-dirac01.grid.surfsara.nl:9135/Configuration/Server

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: New connection -> 145.38.218.201:9135

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: New version available Updating to version 2021-09-14 10:48:46.070986...

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Updating configuration internals

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Updated to version 2021-09-14 10:48:46.070986

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Trying to load Resources.LogBackends.StdoutBackend

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Trying to load WebAppDIRAC.Resources.LogBackends.StdoutBackend

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] DEBUG: Trying to load DIRAC.Resources.LogBackends.StdoutBackend

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: Checking DN /DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: Username is ernstp

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: Creating proxy for ernstp@pvier_user (/DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE)

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] NOTICE: =======================================================================

  Your certificate will expire in less than 10 days. Please renew it!  

=======================================================================

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] NOTICE: Uploading proxy..

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: Uploading /DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE proxy to ProxyManager...

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: Loading user proxy

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: Uploading proxy on-the-fly

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: Cert file myrcauthcred2

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: Key file  myrcauthcred2

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: Loading cert and key

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO: User credentials loaded

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] INFO:  Uploading...

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] ERROR: Cannot upload proxy with DIRAC group or VOMS extensions

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] NOTICE: Proxy generated:

2021-09-20 14:46:17 UTC dirac_proxy_init [139940412053312] NOTICE: subject      : /DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE/CN=900930670/CN=2143276564/CN=867924606

issuer       : /DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE/CN=900930670/CN=2143276564

identity     : /DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE

timeleft     : 23:59:59

DIRAC group  : pvier_user

path         : /tmp/x509up_u36545

username     : ernstp

properties   : NormalUser

Andrei Tsaregorodtsev

Sep 20, 2021, 6:39:16 PM
to diracgrid-forum
Hi Ernst,
This is most likely a problem that was fixed in the v7r2p26 client. Can you try and update it?

  Cheers,
  Andrei

ernst pijper

Sep 21, 2021, 8:45:25 AM
to diracgrid-forum
Hi Andrei,

I updated both the server and client to version v7r2p26 but I'm still getting the same error. Any ideas?

Ernst

On Tuesday, 21 September 2021 at 00:39:16 UTC+2, Andrei Tsaregorodtsev wrote:

Andrei Tsaregorodtsev

Sep 21, 2021, 6:30:34 PM
to diracgrid-forum
Sorry, v7r2p26 does not yet have the necessary fix, please retry with v7r2p27.

Andrei

ernst pijper

Sep 23, 2021, 10:39:24 AM
to diracgrid-forum
Hi Andrei,

It works! Great, thanks. Now let's see if I can run a rcauth job...

Ernst

On Wednesday, 22 September 2021 at 00:30:34 UTC+2, Andrei Tsaregorodtsev wrote:

ernst pijper

Sep 27, 2021, 6:16:12 AM
to diracgrid-forum
Hi Andrei,

My single core rcauth job ran fine but my 8 core job failed.

I created a proxy on Friday afternoon and submitted a job that evening. This morning I noticed my job had failed after having reached the maximum number of rescheduling attempts.
The reason for rescheduling the job, I believe, is a failed attempt to retrieve a payload proxy for longer than the credential in the proxy manager is still valid:

2021-09-25 12:04:22 UTC WorkloadManagement/JobAgent ERROR: Could not retrieve payload proxy Can't get proxy for 446400 seconds: /DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE<at>projectmine.com_user has no proxy registered, try to generate new; Cannot generate proxy: No proxy providers found for "/DC=eu/DC=rcauth/DC=rcauth-clients/O=surfsara.nl/CN=Ernst Pijper MDHrwY8vryUXzFGE"
subject      : /DC=org/DC=terena/DC=tcs/C=NL/O=SURF B.V./CN=Ernst Pijper pijpe001<at>surf.nl/CN=5109919558/CN=8792188227/CN=4100439843/CN=589442842/CN=657702736
issuer       : /DC=org/DC=terena/DC=tcs/C=NL/O=SURF B.V./CN=Ernst Pijper pijpe001<at>surf.nl/CN=5109919558/CN=8792188227/CN=4100439843/CN=589442842
identity     : /DC=org/DC=terena/DC=tcs/C=NL/O=SURF B.V./CN=Ernst Pijper pijpe001<at>surf.nl
timeleft     : 122:55:10
DIRAC group  : projectmine.com_pilot
path         : /tmp/yqKLDm9XwnznCifV3nVLvLKmABFKDmABFKDmLHHKDmABFKDm6nnZYn/user.proxy
username     : ernstp
properties   : GenericPilot, LimitedDelegation, Pilot
VOMS         : True
VOMS fqan    : [u'/projectmine.com']
2021-09-25 12:04:26 UTC WorkloadManagement/JobAgent ERROR: Invalid Proxy Error retrieving proxy
2021-09-25 12:04:26 UTC WorkloadManagement/JobAgent WARN: Failure ==> rescheduling (during Failed to setup proxy: Error retrieving proxy)
2021-09-25 12:04:26 UTC WorkloadManagement/JobAgent INFO: Job will be rescheduled
2021-09-25 12:04:27 UTC WorkloadManagement/JobAgent INFO: Job Rescheduled 576

At this point the proxy in the proxy manager is valid till Sept 30th 14:43, so slightly less than 124 hours.
This problem goes to the heart of rcauth certificate/proxy: they are only valid for a short period of time (7 days in our case). After this the job is rescheduled another 2 times and then fails.

Anything we can do about this? Where does the value 446400 exactly come from and can we change this?

On Thursday, 23 September 2021 at 16:39:24 UTC+2, ernst pijper wrote:

Andrei Tsaregorodtsev

Sep 27, 2021, 7:37:31 AM
to diracgrid-forum
Hi Ernst,
By default we require a 5-day-long proxy. You can change the default by defining the /Registry/DefaultProxyLifeTime option (in secs)
in the configuration service. If you can reasonably evaluate the (max) time length of your typical payloads, put this value with some margin
into this option.

  Cheers,
  Andrei
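
The mismatch discussed in this exchange, as an added example (not part of the thread and not DIRAC code): it parses the JobAgent error line for the requested lifetime and compares it with the validity left on the stored credential. The function names, the shortened DN in the sample line, reading the quoted expiry (Sept 30th 14:43) as UTC, and the rule that a request succeeds only when the remaining validity covers it are assumptions made for the illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the JobAgent error line from the thread, DN shortened.
SAMPLE_LOG = (
    "2021-09-25 12:04:22 UTC WorkloadManagement/JobAgent ERROR: Could not "
    "retrieve payload proxy Can't get proxy for 446400 seconds: /DC=eu/... "
    "has no proxy registered, try to generate new"
)

REQUEST_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC .*"
    r"Can't get proxy for (\d+) seconds"
)


def parse_request(line):
    """Return (request time, requested lifetime in seconds) or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return when.replace(tzinfo=timezone.utc), int(m.group(2))


def check_request(line, stored_expiry):
    """Compare the requested lifetime with what the stored proxy has left."""
    parsed = parse_request(line)
    if parsed is None:
        raise ValueError("not a payload-proxy lifetime error line")
    when, requested = parsed
    remaining = max(0, int((stored_expiry - when).total_seconds()))
    return {
        "requested": requested,
        "remaining": remaining,
        "shortfall": max(0, requested - remaining),
        "satisfiable": remaining >= requested,
    }


def hhmmss(seconds):
    """Format seconds the way the proxy info output prints timeleft."""
    return "%d:%02d:%02d" % (seconds // 3600, seconds % 3600 // 60, seconds % 60)


if __name__ == "__main__":
    expiry = datetime(2021, 9, 30, 14, 43, tzinfo=timezone.utc)  # UTC assumed
    result = check_request(SAMPLE_LOG, expiry)
    print(result, hhmmss(result["remaining"]), hhmmss(result["requested"]))
```

Under these assumptions the remaining validity at the time of the request is an upper bound on the lifetime that can be requested from the stored credential.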

ernst pijper

Oct 5, 2021, 5:16:58 AM
to diracgrid-forum
Hi Andrei,

It worked. I successfully ran an 8 core rcauth job.

Ernst

On Monday, 27 September 2021 at 13:37:31 UTC+2, Andrei Tsaregorodtsev wrote: