-
Notifications
You must be signed in to change notification settings - Fork 176
DIRAC 8.0
DIRAC 8.0 drops the python2 support, both client and server. Before moving to DIRAC 8.0, all clients, pilots and servers need to be moved to Python3. Instructions can be found in https://github.com/DIRACGrid/DIRAC/wiki/DIRAC-7.3-(v7r3).
The default python version for running DIRAC services is provided by DIRACOS2 (3.9).
The python2 support is kept in certain sections of the code specifically for starting Pilots on nodes that don't provide Python 3.
This version drops the support for ElasticSearch 6. If you are using ES6, you need to move to ES7 (or OpenDistro, or OpenSearch) before installing version 8.0 of DIRAC.
Following https://github.com/DIRACGrid/DIRAC/pull/6091 the Time module was renamed TimeUtilities and was significantly simplified.
Following https://github.com/DIRACGrid/DIRAC/pull/6061, it is now possible to submit transfers TPC between SRM and https via FTS. Note that the TURL parameter must be set by the FTS team.
- The following services can be uninstalled:
- Framework/Monitoring
- Framework/Plotting
On the machine hosting the Framework/Monitoring service, the directory /opt/dirac/data/monitoring can be removed.
The MySQL database "ComponentMonitoringDB" can be removed.
Following this, the ActivityMonitor on the WebApp has also been removed.
The code of any DIRAC extension using gMonitor or contacting the Framework/Monitoring service should be removed. If you happen to have this case, an alternative is provided through an ElasticSearch backend.
Please see https://github.com/DIRACGrid/DIRAC/pull/5760 for details on how to use ElasticSearch for reaching the same result. The SecurityLogging service will be removed from later releases.
The new agent Framework/ProxyRenewalAgent has to be installed. The agent Framework/MyProxyRenewalAgent is instead discontinued and should be removed (its functionalities are part of ProxyRenewalAgent).
While introduced with https://github.com/DIRACGrid/DIRAC/pull/5840, this can of course be done at any time (also while running 7.3)
use JobDB;
ALTER TABLE `JobJDLs` MODIFY COLUMN `JDL` MEDIUMTEXT, MODIFY COLUMN `JobRequirements` TEXT, MODIFY COLUMN `OriginalJDL` MEDIUMTEXT;
ALTER TABLE `JobParameters` MODIFY COLUMN `Value` TEXT;
ALTER TABLE `OptimizerParameters` MODIFY COLUMN `Value` MEDIUMTEXT;
ALTER TABLE `AtticJobParameters` MODIFY COLUMN `Value` TEXT;
ALTER TABLE `SiteMask` MODIFY COLUMN `Comment` TEXT;
ALTER TABLE `SiteMaskLogging` MODIFY COLUMN `Comment` TEXT;
ALTER TABLE `HeartBeatLoggingInfo` MODIFY COLUMN `Value` TEXT;
use PilotAgentsDB;
ALTER TABLE `PilotAgents` MODIFY COLUMN `GridRequirements` TEXT;
ALTER TABLE `PilotOutput` MODIFY COLUMN `StdOutput` MEDIUMTEXT, MODIFY COLUMN `StdError` MEDIUMTEXT;While introduced with https://github.com/DIRACGrid/DIRAC/pull/5931, this can of course be done at any time (also while running 7.3)
USE ProductionDB;
ALTER Table `Productions` MODIFY COLUMN Description LONGTEXT;
ALTER Table `ProductionSteps` MODIFY COLUMN LongDescription TEXT;
ALTER Table `ProductionSteps` MODIFY COLUMN Body LONGTEXTWhile introduced with https://github.com/DIRACGrid/DIRAC/pull/6114, this can of course be done at any time (also while running 7.3)
USE ReqDB;
ALTER Table `Operation` MODIFY COLUMN Arguments TEXT;
ALTER Table `Request` MODIFY COLUMN SourceComponent TEXT;While introduced with https://github.com/DIRACGrid/DIRAC/pull/5828, this can of course be done at any time
ALTER TABLE `TransformationMetaQueries` MODIFY COLUMN `MetaDataValue` TEXT;
ALTER TABLE `AdditionalParameters` MODIFY COLUMN `ParameterValue` LONGTEXT;
ALTER TABLE `Transformations` MODIFY COLUMN `Body` LONGTEXT, MODIFY COLUMN `LongDescription` TEXT;In order to simplify the system of flags that are used to enable the monitoring in DIRAC, there is now a new section in the CS under Operations called MonitoringBackends, where there is a flag Default which can be set as Accounting(always set as default) and Monitoring and will decide the monitoring backend for all monitoring types.
There is also an option to override this default flag to set a specific backend for a monitoring type, for which you would need to create a new specific flag. More information on https://dirac.readthedocs.io/en/integration/AdministratorGuide/Systems/MonitoringSystem/index.html#enable-the-monitoring-system.
Note: Please do remove the old flags that are specified for each type in the following sections.
PR https://github.com/DIRACGrid/DIRAC/pull/5788 introduces a new PilotSubmissionMonitoring. The functionalities are the same of PilotSubmissionAccounting, but using the DIRAC Monitoring system (ElasticSearch) as backend.
Old flags to be removed: SendPilotSubmissionMonitoring and SendPilotSubmissionAccounting, located in WorkloadManagement/SiteDirector in the CS.
Enabled by setting Monitoring value in MonitoringBackends flag.
Data Operation can now also be monitored by the DIRAC Monitoring System. Whether the data is sent to Accounting and/or Monitoring depends on the MonitoringBackends flag.
Old flag to be removed is DataManagement/MonitoringBackends in Operations/Defaults.
Following this Pull Request, ComponentMonitoring is being replaced by two new types that monitor agents and services respectively instead of all in one: AgentMonitoring and ServiceMonitoring. These won't be present on the DIRAC WebApp but will be available on Kibana/Grafana dashboards.
Also these are enabled by setting Monitoring value in MonitoringBackends flag.
Old flag to be removed: EnableActivityMonitoring in Operations/Defaults.
New monitoring type that sends a snapshot of PilotAgentsDB to Elasticsearch every 15m, as it is similarly done with WMSHistory. Won't be implemented for Accounting.
Enabled by setting Monitoring value in MonitoringBackends flag.
If requests to DIRAC server are processed by nginx, then you need to make the following updates:
- pass the X-SSL-CERT header to the escaped user certificate pem by adding the following to the nginx configuration:
location ~ /DIRAC/ {
...
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
A portal compatible with this version no longer contains path "/" to "/DIRAC/" redirects, administrator must add this to the nginx configuration as needed:
location = / {
rewrite ^ https://$server_name/DIRAC/ permanent;
}
OAuth2 authorization - a feature that you can try, for this you will need more actions:
- add new upstream that describe REST endpoints
upstream tornadoserver_8443 {
server 127.0.0.1:8443;
}
- add location to describe REST endpoints access
location ~ ^/(?!(DIRAC|pilot)) {
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass https://tornadoserver_8443;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
proxy_set_header X-Ssl_client_verify $ssl_client_verify;
proxy_set_header X-Ssl_client_s_dn $ssl_client_s_dn;
proxy_set_header X-Ssl_client_i_dn $ssl_client_i_dn;
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
gzip on;
gzip_proxied any;
gzip_comp_level 9;
gzip_types text/plain text/css application/javascript application/xml application/json;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
break;
}
- Describe WebApp client credentials in
/DIRAC/Security/Authorization
Authorization
{
Clients
{
DIRACWeb
{
client_id = <any string> # Should be in the local dirac.cfg as secret information
client_secret = <any string> # Should be in the local dirac.cfg as secret information
redirect_uri = https://<your domain>/DIRAC/loginComplete
}
}
}
- register an OAuth 2 client on the your Identity Provider and write received client credentials in a
/Resources/IdProviders
IdProviders
{
CheckIn # Identity Provider name
{
ProviderType = CheckIn # Can be also IAM or just OAuth2
issuer = https://aai.egi.eu/oidc
scope = openid+profile+offline_access+eduperson_entitlement # Default scope
client_id = <EGI client ID> # Should be in the local dirac.cfg as secret information
client_secret = <EGI client secret> # Should be in the local dirac.cfg as secret information
}
}
- Describe
TokenManagerservice, OAuth 2REST APIanddatabasesin a/Systems/Framework/<instance name>section
Services
{
TokenManager
{
Protocol = https
}
}
URLs
{
TokenManager = https://<domain name>:8443/Framework/TokenManager # Service that will manage tokens
AuthAPI = https://<domain name>/auth # OAuth 2 REST API
}
Databases
{
AuthDB
{
DBName = AuthDB # Registers long sessions
}
TokenDB
{
DBName = TokenDB # Store user refresh tokens
}
}
To forbid receiving a proxy as a result of authorization, set /Systems/Framework/<instance name>/APIs/Auth/downloadablePersonalProxy configuration option to False.
Please, use:
from DIRAC.Base.Core.Script import Script
@Script
def main(self):
Script.parseCommandLine()
...OR to load configuration without parsing arguments:
from DIRAC import initialize
initialize()instead of:
from DIRAC.Core.Utilities.DIRACScript import DIRACScript
...