Can someone help with a minimal clustered config

[mickenordin]

I want to set up a small cluster that have:

2 redirectors
3 xrootd-s3-http proxies

This is for transferring large amounts of data into our s3 storage/

I have successfully set up a very simple single xrootd-s3-http proxy that can read and write to a bucket using this config (in erb template format):

# Enable the HTTP protocol on port <%= @port %> (1094 is the default XRootD port)
xrd.protocol http:<%= @port %> libXrdHttp.so

# Allow access to path with given prefix.
all.export  <%= @export %>

# Setting up S3 plugin
ofs.osslib libXrdS3-5.so

# Upon last testing, the plugin did not yet work in async mode
xrootd.async off

# Bucket specific s3 options
# these must be in this order to allow parsing of multiple entries
s3.begin
s3.url_style        path
s3.path_name        /<%= bucket['name']%>
s3.bucket_name      <%= bucket['name']%>
s3.service_name     <%= bucket['service_name']%>
s3.region           <%= bucket['region']%>
s3.access_key_file  /etc/xrootd/<%= bucket['name']%>/access-key
s3.secret_key_file  /etc/xrootd/<%= bucket['name']%>/secret-key
s3.service_url      <%= bucket['service_url']%>
s3.end


# Global s3 options
s3.url_style path

However, now with a more complex config I am struggeling.

For example, I understand that I need to run a cmsd instance on each of the nodes. Is this correct? Do I understand correctly that the xrootd and cmsd use the same config file?

This is my current, non working try:

# Enable the HTTP protocol on port <%= @port %> (1094 is the default XRootD port)
xrd.protocol http:<%= @xrootd_port %> libXrdHttp.so

# Allow access to path with given prefix.
all.export  <%= @export %>

# Setting up S3 plugin
ofs.osslib libXrdS3.so

# Upon last testing, the plugin did not yet work in async mode
xrootd.async off

# Tell everyone the location of each manager.
# Set the role to either proxy manager or proxy server
<% @managers.each do |manager| -%>
all.manager <%= manager %>
all.role = proxy manager if <%= manager %> 
<% end -%>
all.role = proxy server

# Tell the cmsd which machines are allowed to connects
<% @cms_allow_hosts.each do |host| -%>
cms.allow host <%= host %>
<% end -%>

# Bucket specific s3 options
# these must be in this order to allow parsing of multiple entries
s3.begin
s3.url_style        path
s3.path_name        /<%= bucket['name']%>
s3.bucket_name      <%= bucket['name']%>
s3.service_name     <%= bucket['service_name']%>
s3.region           <%= bucket['region']%>
s3.access_key_file  /etc/xrootd/<%= bucket['name']%>/access-key
s3.secret_key_file  /etc/xrootd/<%= bucket['name']%>/secret-key
s3.service_url      <%= bucket['service_url']%>
s3.end


# Global s3 options
s3.url_style path

A specific problem is the role "proxy manager" and "proxy server" seems wrong, but this is what I see in: https://xrootd.slac.stanford.edu/doc/dev53/cms_config.htm

Obviously I have misunderstood something, and if someone can point these misunderstandings to me or otherwise point me in the right direction I would be very grateful. I am a total noob when it comes to xrootd.

[amadio]

Hi, I was asked by email to comment on this, but this looks like it is pretty Pelican specific (i.e. the libXrdS3 plugin is not in vanilla XRootD), so maybe either @bbockelm or @osschar could comment, as they are much more familiar with both XCache and Pelican.

[bbockelm]

Hi @amadio -

Actually, I think the problem is more about plain ol' xrootd clustering (it just happens that the OSS backend is the S3 one). I think that's why we were struggling within the Pelican team to get someone to answer (besides me, not a lot of folks know how to setup the cmsd). @osschar -- do you recall any of the cmsd stuff?

Brian

[osschar]

Well ... I sure do recall some of it :) You guys are setting up a cache cluster over S3? Hmmh ... how does that make sense? You want to have multiple caches all writing into the same S3 space as DFS? I guess we should really meet in person and talk about it.

[mickenordin]

If you have some time Matevž, either tomorrow, or on wednesday afternoon, we could meet on Zoom? Micke Den 22 november 2024 18:53:23 CET, "Matevž Tadel" ***@***.***> skrev:

…

Well ... I sure do recall some of it :) You guys are setting up a cache cluster over S3? Hmmh ... how does that make sense? You want to have multiple caches all writing into the same S3 space as DFS? I guess we should really meet in person and talk about it. -- Reply to this email directly or view it on GitHub: #55 (comment) You are receiving this because you authored the thread. Message ID: ***@***.***>

[osschar]

Sure, let's try, shoot me an email. I'm on Pacific time.

[mickenordin]

I sent you an invite for today, hopefully it works!

[mickenordin]

Just to let everyone know, I got further thanks to @osschar !

This is what I have now:

Managers:

• xrdm1.drive.test.sunet.se
• xrdm2.drive.test.sunet.se

Servers:

• xrdp1.drive.test.sunet.se
• xrdp2.drive.test.sunet.se
• xrdp3.drive.test.sunet.se

They are each running two docker containers with a shared volume for ipc

services:
  xrootd:
    image: docker.sunet.se/staas/xrootd-s3-http:0.17.0-1
    dns:
      - 89.32.32.32
    hostname: xrdm1.drive.test.sunet.se
    volumes:
      - /opt/xrootd/config:/etc/xrootd:ro
      - /opt/xrootd/admin:/var/spool/xrootd:rw
      - /dev/log:/dev/log
    command: ["xrootd", "-c", "/etc/xrootd/xrootd.cfg"]
    ports:
      - "1094:1094"
    restart: always
  cmsd:
    image: docker.sunet.se/staas/xrootd-s3-http:0.17.0-1
    dns:
      - 89.32.32.32
    hostname: xrdm1.drive.test.sunet.se
    volumes:
      - /opt/xrootd/config:/etc/xrootd:ro
      - /opt/xrootd/admin:/var/spool/xrootd:rw
      - /dev/log:/dev/log
    command: ["cmsd", "-c", "/etc/xrootd/xrootd.cfg", "-p", "1213"]
    ports:
      - "1213:1213"

This is the config for the managers:

# Enable the HTTP protocol on port  (1094 is the default XRootD port)
xrd.protocol http:1094 libXrdHttp.so
if exec cmsd
  xrd.port 1213
fi
if exec xrootd
   xrd.port 1094
fi

# Upon last testing, the plugin did not yet work in async mode
xrootd.async off

# Allow access to path with given prefix.
all.export  /

# Tell everyone the location of each manager.
# Set the role to either proxy manager or proxy server
all.adminpath /var/spool/xrootd
all.pidpath /var/spool/xrootd
all.manager xrdm1.drive.test.sunet.se:1094 
all.manager xrdm2.drive.test.sunet.se:1094 
all.role manager

# Tell the cmsd which machines are allowed to connects
cms.allow host xrdp1.drive.test.sunet.se
cms.allow host xrdp2.drive.test.sunet.se
cms.allow host xrdp3.drive.test.sunet.se
cms.allow host xrdm1.drive.test.sunet.se
cms.allow host xrdm2.drive.test.sunet.se
cms.dfs limit 0 lookup distrib mdhold 0 redirect verify retries 2

# Bucket specific s3 options
# these must be in this order to allow parsing of multiple entries
s3.begin
s3.url_style        path
s3.path_name        /xrootd-test
s3.bucket_name      xrootd-test
s3.service_name     s3.sto4.safedc.net
s3.region           sto4
s3.access_key_file  /etc/xrootd/xrootd-test/access-key
s3.secret_key_file  /etc/xrootd/xrootd-test/secret-key
s3.service_url      https://s3.sto4.safedc.net
s3.end

# Global s3 options
s3.url_style path
# Debugging
# s3.trace all
# xrd.trace    all
# xrootd.trace all dump
# Setting up S3 plugin
ofs.osslib libXrdS3.so

And almost the same for the servers:

# Enable the HTTP protocol on port  (1094 is the default XRootD port)
xrd.protocol http:1094 libXrdHttp.so
if exec cmsd
  xrd.port 1213
fi
if exec xrootd
   xrd.port 1094
fi

# Upon last testing, the plugin did not yet work in async mode
xrootd.async off

# Allow access to path with given prefix.
all.export  /

# Tell everyone the location of each manager.
# Set the role to either proxy manager or proxy server
all.adminpath /var/spool/xrootd
all.pidpath /var/spool/xrootd
all.manager xrdm1.drive.test.sunet.se:1094 
all.manager xrdm2.drive.test.sunet.se:1094 
all.role server

# Tell the cmsd which machines are allowed to connects
cms.allow host xrdp1.drive.test.sunet.se
cms.allow host xrdp2.drive.test.sunet.se
cms.allow host xrdp3.drive.test.sunet.se
cms.allow host xrdm1.drive.test.sunet.se
cms.allow host xrdm2.drive.test.sunet.se
cms.dfs limit 0 lookup distrib mdhold 0 redirect verify retries 2

# Bucket specific s3 options
# these must be in this order to allow parsing of multiple entries
s3.begin
s3.url_style        path
s3.path_name        /xrootd-test
s3.bucket_name      xrootd-test
s3.service_name     s3.sto4.safedc.net
s3.region           sto4
s3.access_key_file  /etc/xrootd/xrootd-test/access-key
s3.secret_key_file  /etc/xrootd/xrootd-test/secret-key
s3.service_url      https://s3.sto4.safedc.net
s3.end

# Global s3 options
s3.url_style path
# Debugging
# s3.trace all
# xrd.trace    all
# xrootd.trace all dump
# Setting up S3 plugin
ofs.osslib libXrdS3.so

This is sufficient to get all the containers to start. This is what the managers say:

The cmsd container does not even complain :)

241127 15:18:25 001 Starting on Linux 6.1.0-27-cloud-amd64
241127 15:18:25 001 cmsd -c /etc/xrootd/xrootd.cfg -p 1213
Copr.  2004-2012 Stanford University, xrd version v5.7.1
++++++ cmsd anon@xrdm1.drive.test.sunet.se initialization started.
Config using configuration file /etc/xrootd/xrootd.cfg
=====> xrd.protocol http:1094 libXrdHttp.so 
=====> xrd.port 1213
=====> all.adminpath /var/spool/xrootd
=====> all.pidpath /var/spool/xrootd
Config maximum number of connections restricted to 1048576
Copr.  2003-2020 Stanford University/SLAC cmsd.
++++++ anon@xrdm1.drive.test.sunet.se phase 1 initialization started.
=====> all.export /
=====> all.manager xrdm1.drive.test.sunet.se:1094
=====> all.manager xrdm2.drive.test.sunet.se:1094
=====> all.role manager
=====> cms.allow host xrdp1.drive.test.sunet.se
=====> cms.allow host xrdp2.drive.test.sunet.se
=====> cms.allow host xrdp3.drive.test.sunet.se
=====> cms.allow host xrdm1.drive.test.sunet.se
=====> cms.allow host xrdm2.drive.test.sunet.se
=====> cms.dfs limit 0 lookup distrib mdhold 0 redirect verify retries 2
=====> ofs.osslib libXrdS3.so 
------ anon@xrdm1.drive.test.sunet.se phase 1 manager initialization completed.
Plugin loaded xrdhttp v5.7.1 from protocol libXrdHttp-5.so
++++++ anon@xrdm1.drive.test.sunet.se phase 2 manager initialization started.
241127 15:18:25 015 s3_CurlWorker::Run: Started a curl worker
241127 15:18:25 016 s3_CurlWorker::Run: Started a curl worker
241127 15:18:25 017 s3_CurlWorker::Run: Started a curl worker
241127 15:18:25 018 s3_CurlWorker::Run: Started a curl worker
241127 15:18:25 019 s3_CurlWorker::Run: Started a curl worker
------ Initializing the S3 filesystem plugin.
=====> s3.begin 
=====> s3.url_style path 
=====> s3.path_name /xrootd-test 
=====> s3.bucket_name xrootd-test 
=====> s3.service_name s3.sto4.safedc.net 
=====> s3.region sto4 
=====> s3.access_key_file /etc/xrootd/xrootd-test/access-key 
=====> s3.secret_key_file /etc/xrootd/xrootd-test/secret-key 
=====> s3.service_url https://s3.sto4.safedc.net 
=====> s3.end 
=====> s3.url_style path 
Config round robin scheduling in effect.
------ anon@xrdm1.drive.test.sunet.se phase 2 manager initialization completed.
Copr. 2012 CERN IT, an HTTP implementation for the XRootD framework.
++++++ HTTP protocol initialization started.
Config warning: HTTPS functionality was not configured.
241127 15:18:25 001 sysConfig: XRDROLE:  manager
241127 15:18:25 001 sysConfig: Configured as HTTP(s) redirector.
------ HTTP protocol initialization completed.
------ cmsd anon@xrdm1.drive.test.sunet.se:1094 initialization completed.
241127 15:19:55 009 Config: manager service enabled.
241127 15:19:55 028 State: Status changed to suspended + nostaging

The xrootd container however has errors in the log:

241127 15:18:29 001 Starting on Linux 6.1.0-27-cloud-amd64
241127 15:18:29 001 xrootd -c /etc/xrootd/xrootd.cfg
Copr.  2004-2012 Stanford University, xrd version v5.7.1
++++++ xrootd anon@xrdm2.drive.test.sunet.se initialization started.
Config using configuration file /etc/xrootd/xrootd.cfg
=====> xrd.protocol http:1094 libXrdHttp.so 
=====> xrd.port 1094
=====> all.adminpath /var/spool/xrootd
=====> all.pidpath /var/spool/xrootd
Config maximum number of connections restricted to 1048576
Plugin loaded xrdhttp v5.7.1 from protocol libXrdHttp-5.so
Copr.  2012 Stanford University, xroot protocol 5.1.0 version v5.7.1
++++++ xroot protocol initialization started.
=====> xrootd.async off
=====> all.export /
Config exporting /
Config warning: 'xrootd.seclib' not specified; strong authentication disabled!
Config Routing for xrdm2.drive.test.sunet.se: local pub4 prv4 pub6 prv6
Config Route pub4: xrdm2.drive.test.sunet.se Dest=[::89.46.20.123]:1094
Config Route prv4: xrdm2.drive.test.sunet.se Dest=[::172.16.1.3]:1094
Config Route all6: xrdm2.drive.test.sunet.se Dest=[2001:6b0:6c::14]:1094
++++++ File system initialization started.
=====> all.role manager
=====> ofs.osslib libXrdS3.so 
241127 15:18:29 014 s3_CurlWorker::Run: Started a curl worker
241127 15:18:29 015 s3_CurlWorker::Run: Started a curl worker
241127 15:18:29 016 s3_CurlWorker::Run: Started a curl worker
241127 15:18:29 017 s3_CurlWorker::Run: Started a curl worker
241127 15:18:29 018 s3_CurlWorker::Run: Started a curl worker
------ Initializing the S3 filesystem plugin.
=====> s3.begin 
=====> s3.url_style path 
=====> s3.path_name /xrootd-test 
=====> s3.bucket_name xrootd-test 
=====> s3.service_name s3.sto4.safedc.net 
=====> s3.region sto4 
=====> s3.access_key_file /etc/xrootd/xrootd-test/access-key 
=====> s3.secret_key_file /etc/xrootd/xrootd-test/secret-key 
=====> s3.service_url https://s3.sto4.safedc.net 
=====> s3.end 
=====> s3.url_style path 
++++++ Configuring manager role. . .
=====> all.adminpath /var/spool/xrootd
=====> all.manager xrdm1.drive.test.sunet.se:1094
=====> all.manager xrdm2.drive.test.sunet.se:1094
Config 2 manager(s) started.
Config POSC has been disabled by the osslib plugin.
Config effective /etc/xrootd/xrootd.cfg ofs configuration:
       all.role manager
       ofs.maxdelay   60
       ofs.persist    off hold 600
       ofs.trace      0
       ofs.osslib libXrdS3-5.so 
------ File system manager initialization completed.
------ xroot protocol initialization completed.
Copr. 2012 CERN IT, an HTTP implementation for the XRootD framework.
++++++ HTTP protocol initialization started.
Config warning: HTTPS functionality was not configured.
241127 15:18:29 001 sysConfig: XRDROLE:  manager
241127 15:18:29 001 sysConfig: Configured as HTTP(s) redirector.
------ HTTP protocol initialization completed.
------ xrootd anon@xrdm2.drive.test.sunet.se:1094 initialization completed.
241127 15:18:29 009 XrdProtocol: anon.0:35@xrdm2 terminated matching protocol not found
241127 15:18:29 019 XrdLink: Unable to receive from anon.0:34@xrdm2; connection reset by peer
241127 15:18:29 019 cms_Login: xrdm2 login failed; rejected
241127 15:18:29 020 cms_Login: xrdm1 login failed; rejected

I have not yet tried to enable authentication, so maybe not surprising, that it fails to login.

For the servers, the situation is reversed, xrootd does not complain:

241127 08:53:31 001 Starting on Linux 6.1.0-27-cloud-amd64
241127 08:53:31 001 xrootd -c /etc/xrootd/xrootd.cfg
Copr.  2004-2012 Stanford University, xrd version v5.7.1
++++++ xrootd anon@xrdp2.drive.test.sunet.se initialization started.
Config using configuration file /etc/xrootd/xrootd.cfg
=====> xrd.protocol http:1094 libXrdHttp.so 
=====> xrd.port 1094
=====> all.adminpath /var/spool/xrootd
=====> all.pidpath /var/spool/xrootd
Config maximum number of connections restricted to 1048576
Plugin loaded xrdhttp v5.7.1 from protocol libXrdHttp-5.so
Copr.  2012 Stanford University, xroot protocol 5.1.0 version v5.7.1
++++++ xroot protocol initialization started.
=====> xrootd.async off
=====> all.export /
Config exporting /
Config warning: 'xrootd.seclib' not specified; strong authentication disabled!
Config Routing for xrdp2.drive.test.sunet.se: local pub4 prv4 pub6 prv6
Config Route pub4: xrdp2.drive.test.sunet.se Dest=[::89.46.20.204]:1094
Config Route prv4: xrdp2.drive.test.sunet.se Dest=[::172.16.1.3]:1094
Config Route all6: xrdp2.drive.test.sunet.se Dest=[2001:6b0:6c::500]:1094
++++++ File system initialization started.
=====> all.role server
=====> ofs.osslib libXrdS3.so 
241127 08:53:31 014 s3_CurlWorker::Run: Started a curl worker
241127 08:53:31 015 s3_CurlWorker::Run: Started a curl worker
241127 08:53:31 016 s3_CurlWorker::Run: Started a curl worker
241127 08:53:31 017 s3_CurlWorker::Run: Started a curl worker
241127 08:53:31 018 s3_CurlWorker::Run: Started a curl worker
------ Initializing the S3 filesystem plugin.
=====> s3.begin 
=====> s3.url_style path 
=====> s3.path_name /xrootd-test 
=====> s3.bucket_name xrootd-test 
=====> s3.service_name s3.sto4.safedc.net 
=====> s3.region sto4 
=====> s3.access_key_file /etc/xrootd/xrootd-test/access-key 
=====> s3.secret_key_file /etc/xrootd/xrootd-test/secret-key 
=====> s3.service_url https://s3.sto4.safedc.net 
=====> s3.end 
=====> s3.url_style path 
++++++ Configuring server role. . .
=====> all.adminpath /var/spool/xrootd
=====> all.manager xrdm1.drive.test.sunet.se:1094
=====> all.manager xrdm2.drive.test.sunet.se:1094
++++++ Checkpoint initialization started.
++++++ Checkpoint initialization completed.
Config POSC has been disabled by the osslib plugin.
Config effective /etc/xrootd/xrootd.cfg ofs configuration:
       all.role server
       ofs.maxdelay   60
       ofs.persist    off hold 600
       ofs.trace      0
       ofs.osslib libXrdS3-5.so 
------ File system server initialization completed.
241127 08:53:31 019 cms_Finder: Connected to cmsd via /var/spool/xrootd/.olb/olbd.admin
------ xroot protocol initialization completed.
Copr. 2012 CERN IT, an HTTP implementation for the XRootD framework.
++++++ HTTP protocol initialization started.
Config warning: HTTPS functionality was not configured.
241127 08:53:31 001 sysConfig: XRDROLE:  server
241127 08:53:31 001 sysConfig: Configured as HTTP(s) data server.
------ HTTP protocol initialization completed.
------ xrootd anon@xrdp2.drive.test.sunet.se:1094 initialization completed.

but cmsd does:

241127 15:03:40 025 Manager: manager.0:42@xrdm1 removed; lost connection
241127 15:03:43 009 Login: xrdm2 login failed; rejected
241127 15:03:43 009 Manager: manager.0:42@xrdm2 removed; lost connection
241127 15:03:49 025 Login: xrdm1 login failed; rejected

I see alot of potential issues here though, related to ip addresses, I see a mix of ipv6 and ipv4 and internal docker ip addresses, and also fqdn, vs host names. What do you guys think, what should be my next step?

[osschar]

Do you have ports open? Do the files for xrd/cms communication get created correctly -- and have the correct permissions / access across containers?

# standalone here is 'instance name', what is passed via -n to xrootd/cmsd executables
[1331] root@xrd-2 ~# ll -a /var/spool/xrootd/standalone/.olb/
total 0
drwx--x---. 2 xrootd xrootd 42 Nov 26 19:12 .
drwx------. 7 xrootd xrootd 91 Jul 11  2023 ..
srwx------  1 xrootd xrootd  0 Nov 26 19:12 olbd.admin
srwx------  1 xrootd xrootd  0 Nov 26 19:12 olbd.notes

I'm not exactly sure how multiple manager setup works if configured as you have it. What we do in CMS, for load balancing and redundancy -- we use DNS alias to register two managers together and then use the all and + postfix in all.manager directive to activate both of them.

matevz@black ~> host cmsxrootd.fnal.gov
cmsxrootd.fnal.gov has address 129.93.239.131
cmsxrootd.fnal.gov has address 131.225.184.17
cmsxrootd.fnal.gov has IPv6 address 2600:900:6:1101:5054:ff:fe00:70cb
cmsxrootd.fnal.gov has IPv6 address 2620:6a:0:187::184:17

and, on machines below those managers (in our case this is a bit more complicated as we have another level in manager hierarchy) you would do:

all.manager all cmsxrootd.fnal.gov+ 1213

Since you use default ports -- you do not need the xrd.port directives. But you do need to specify them in all.manager directives.

Are you able to 'talk' to the servers themselves? List "directories", copy files in and out?

[mickenordin]

Thank you. This was helpful. I noticed some bugs in my config, I had 1094 as port in the all.manager stanza instead of 1213 and I also needed to move the xrd.protocol http:1094 libXrdHttp.so line in to the conditional for xrootd only, as otherwise the cmsd container would also try to bind to port 1094.

I also changed the the all.manager to use the + trick with a dns round robin setup, although I did not try the old approach with several entries with the other bugs fixed, so maybe that would work too, as my reading of the docs indicated?

Now both containers/processes for xrootd and cmsd starts up without complaints in the log. I will now move on to see if I can interact with the setup by looking at files and adding/removing them and such. If that works, I will start looking in to tls and authenication.

[mickenordin]

Some amount of success:

xrdmapc xrdm.drive.test.sunet.se:1094
0**** xrdm.drive.test.sunet.se:1094
      Srv xrdp1.drive.test.sunet.se:1094
      Srv xrdp2.drive.test.sunet.se:1094
      Srv xrdp3.drive.test.sunet.se:1094

But also something is not working quite right with the s3-connection:

[xrdm.drive.test.sunet.se:1094] / > ls -l /xrootd-test/hopp.txt
[ERROR] Server responded with an error: [3011] Unable to access file; it does not exist.

I can see that it exists in s3 though

 rclone ls common-test:xrootd-test/
        4 hopp.txt

One interesting thing, is that when I try to access a directory that I know does not exist, I see an error message in the logs:

241129 10:06:37 010 XrootdXeq: micke.243275:39@c83-252-243-101.bredband.tele2.se pub IPv4 login
241129 10:06:37 010 ofs_stat: micke.243275:39@c83-252-243-101.bredband.tele2.se Unable to locate /micke-test; no such file or directory
241129 10:06:37 010 XrootdXeq: micke.243275:39@c83-252-243-101.bredband.tele2.se disc 0:00:00

But nothing in the logs if I try to access the directory that I know exists. I do get different answers from the cli depending on if the directory actually exists. For existing dir:

xrdfs xrdm.drive.test.sunet.se:1094 ls -l /xrootd-test     
[ERROR] Server responded with an error: [3011] Unable to access file; it does not exist.

For non-existing dir:

xrdfs xrdm.drive.test.sunet.se:1094 ls -l /micke-test 
[ERROR] Server responded with an error: [3011] Too many attempts to gain dfs read access to the file

Obviously I checked that the credentials for s3 are correct, they are the same as I use with rclone.

I do know that this is fundamentally insecure and accessible to anyone at this point, so you should even be able to access this set up from wherever without authentication. I will totally scrap these servers when I have something working and do a complete reinstall...

[osschar]

What happens if you talk directly to the server, not the manager?
Can you also just try plain copy, directly form the server, like

xrdcp -f -d 2 root://xrdp2.drive.test.sunet.se//your-test-file /dev/null

After that we'd need to bump up the trace levels -- one way is to add various xxx.trace options into your config ... but for your test it's probably enough to just run xrootd with -d option -- this bumps up all the traces (very verbose if you run in an active environment).

Once we figure out what is going on Andy should be able to recommend the trace options, I'd have to go read the docs and scratch my head a bit :)

[mickenordin]

I suspect something is wrong with the xrootd config on the manager servers.

When I try to access the file via the round robin dns of the manager address, it does not redirect, but instead can not find the file, from xrdm1:

241206 11:15:57 009 Xrd_Sched: running main accept inq=0
241206 11:15:57 024 anon.0:37@c83-252-243-101.bredband.tele2.se Xrootd_Protocol: 0000 req=protocol dlen=0
241206 11:15:57 024 anon.0:37@c83-252-243-101.bredband.tele2.se Xrootd_Response: 0000 sending 8 data bytes; status=0
241206 11:15:57 024 anon.0:37@c83-252-243-101.bredband.tele2.se Xrootd_Protocol: 0000 req=login dlen=92
241206 11:15:57 024 micke.267706:37@c83-252-243-101.bredband.tele2.se Xrootd_Response: 0000 sending 16 data bytes
241206 11:15:57 024 XrootdXeq: micke.267706:37@c83-252-243-101.bredband.tele2.se pub IPv4 login
241206 11:15:57 024 micke.267706:37@c83-252-243-101.bredband.tele2.se Xrootd_Protocol: 0100 req=open dlen=21
241206 11:15:57 024 micke.267706:37@c83-252-243-101.bredband.tele2.se Xrootd_Protocol: 0100 open rt /xrootd-test/hopp.txt
241206 11:15:57 024 micke.267706:37@c83-252-243-101.bredband.tele2.se ofs_open: 0-600 (600) fn=/xrootd-test/hopp.txt
241206 11:15:57 019 cms_Receive: xrdm2 46 bytes on 6143
241206 11:15:57 019 cms_Decode: xrdm2 gave micke.267706:37@c83-252-243-101.bredband.tele2.se err -2 'Unable to access file; it does not exist.' /xrootd-test/hopp.txt
241206 11:15:57 024 micke.267706:37@c83-252-243-101.bredband.tele2.se Xrootd_Response: 0100 sending err 3011: Unable to access file; it does not exist.
241206 11:15:57 024 micke.267706:37@c83-252-243-101.bredband.tele2.se ofs_close: use=0 fn=dummy
241206 11:15:57 024 XrootdXeq: micke.267706:37@c83-252-243-101.bredband.tele2.se disc 0:00:00

This is what I seen in cmsd log at the same time, this time on xrdm2:

241206 11:15:57 024 cms_Dispatch: redirector.1:35@xrdm1 for select dlen=85
241206 11:15:57 010 Xrd_Sched: running redirector inq=0
241206 11:15:57 010 micke.267706:37@c83-252-243-101.bredband.tele2.se cms_do_Select: failed; Unable to access file; it does not exist. /xrootd-test/hopp.txt

[mickenordin]

I also see this:

241206 11:23:53 009 Manager: xrdm2.drive.test.sunet.se manager configuration differs from xrdm1.drive.test.sunet.se for site local; making file location unpredictable!

Not exactly sure what that is about, since they both get their config from puppet, so I am guessing it might have something to do with the generated config in /var/spool/xrootd?

[mickenordin]

Huh! I think I see the issue now.

On the manager servers cmsd starts up and binds to port 1213, just fine:

LISTEN    0         255                      *:1213                  *:*       users:(("cmsd",pid=1312092,fd=19))                                           
LISTEN    0         255                      *:1094                  *:*       users:(("xrootd",pid=1312099,fd=20))   

However on the server side, cmsd starts up using a random port:

LISTEN                           0                                255                                                                    *:1094                                                                   *:*                               users:(("xrootd",pid=3345856,fd=20))                                
LISTEN                           0                                255                                                                    *:35633                                                                  *:*                               users:(("cmsd",pid=3345860,fd=19)) 

And as such I suppose the managers cant talk to them...

What I cant figure out is why this happens:

diff templates/xrootd/xrootd-server.cfg.erb templates/xrootd/xrootd-manager.cfg.erb
21c21
< all.role server
---
> all.role manager

That is litteraly the only difference in the config for them.

[mickenordin]

Seems unrelated though. I opened all the ports between 32768 - 60999 in the firewall, but no change.

[mickenordin]

@osschar should I revert the firewall changes or do we still need them?

[mickenordin]

I got it working now!
I made this change, from

cms.dfs limit 0 lookup distrib mdhold 0 redirect verify retries 2

to:

cms.dfs limit 0 lookup central mdhold 0 redirect immed retries 2

[mickenordin]

But not fully:

[xrdm.drive.test.sunet.se:1094] / > cat /xrootd-test/hopp.txt
hej
[xrdm.drive.test.sunet.se:1094] / > ls /xrootd-test/hopp.txt
[ERROR] Server responded with an error: [3010] Unable to locate /xrootd-test/hopp.txt; operation not permitted

[osschar]

You can close the ports. Manager cmsds listen on 1213 for connections from servers. xrootd and cmsd on the sam machine communicate through FS sockets.

Server-side cmsd shouldn't even need to listen on any port, I think, hmmh.

With all.export / and without authorization this should go through the xrootd layer. What do the logs say if you bump up ofs and s3 trace levels (or run with -d -- not sue if this will also increase debug for s3)? I have no clue how read and list permissions are done / handled in s3.

@abh3, am I lying here about something? :)

[abh3]

Hi Matevz, Everything you said was true. Indeed, the server cmsd doesn't need to listen on a port as its only incoming connection is the named pipe. The -d option will not increase the debugging level as I don't think that code checks if the XRDDEBUG envar is set. Is it our S3 plugin or pelican's plugin? Wei is the person who knows the details of how a listing works in S3 and I know it's rather complicated and unusually baroque involving a lot of xml. Send him a ping. Andy

…

________________________________ From: Matevž Tadel ***@***.***> Sent: Friday, December 6, 2024 10:00 AM To: PelicanPlatform/xrootd-s3-http ***@***.***> Cc: Andrew Hanushevsky ***@***.***>; Mention ***@***.***> Subject: Re: [PelicanPlatform/xrootd-s3-http] Can someone help with a minimal clustered config (Discussion #55) BEWARE: This email originated outside of our organization. DO NOT CLICK links or attachments unless you recognize the sender and know the content is safe. You can close the ports. Manager cmsds listen on 1213 for connections from servers. xrootd and cmsd on the sam machine communicate through FS sockets. Server-side cmsd shouldn't even need to listen on any port, I think, hmmh. With all.export / and without authorization this should go through the xrootd layer. What do the logs say if you bump up ofs and s3 trace levels (or run with -d -- not sue if this will also increase debug for s3)? I have no clue how read and list permissions are done / handled in s3. @abh3<https://github.com/abh3>, am I lying here about something? :) — Reply to this email directly, view it on GitHub<#55 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAUIW55DN5R6BDSGCTVQLB32EHQ5PAVCNFSM6AAAAABR56VGNGVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCNBYG43TQMA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[osschar]

@jhiemstrawisc -- please advise what to do here :)

[jhiemstrawisc]

Hi all, ls against path-style S3 endpoints is an ongoing issue that we think we're close to squashing. Our target is to have a fix out within the next week.

In the meantime, if your S3 endpoint supports virtual/DNS-style buckets, the immediate fix is as trivial as switching s3.url_style to virtual. I'll note that AWS has deprecated path-style URLs, but it doesn't look like most other S3 implementations have caught up with this yet.

[jhiemstrawisc]

In general, the S3 permissions are decoupled from XRootD permissions. If XRootD accepts whatever form of authz it's given, the S3 plugin will pick up the S3 access/secret keys and use them to sign an HTTP request to the S3 endpoint. It's this signature generation step that isn't yet working with path-style list operations.

[mickenordin]

Alright, thanks. If this is expected behavior that is great for me, since it is not a mistake on my part then 😆

I can move on to adding auth and tls to my set up, and I'll try a new version of the plugin when you have shipped it :)

[jhiemstrawisc]

@mickenordin, we created a new v0.1.8 tag yesterday including what we hope are significant speedups and a few other bugfixes, including fixes for the issue we talked about earlier. It probably should have been a v0.2.0 tag because a lot of the underlying curl code has changed, but let us know how things are working if you decide to try it out.