test: add rucio to the integration_tests.py

integration_tests.py

@@ -160,6 +160,7 @@ def create(
     install_server()
     install_client()
     install_pilot()
+    configure_rucio()
     exit_code = 0
     if run_server_tests:
         try:
@@ -253,7 +254,7 @@ def prepare_environment(
     typer.secho("Running docker compose to create containers", fg=c.GREEN)
     with _gen_docker_compose(modules, diracx_dist_dir=diracx_dist_dir) as docker_compose_fn:
         subprocess.run(
-            ["docker", "compose", "-f", docker_compose_fn, "up", "-d", "dirac-server", "dirac-client", "dirac-pilot"]
+            ["docker", "compose", "-f", docker_compose_fn, "up", "-d", "dirac-server", "dirac-client", "dirac-pilot", "rucio-server"]
             + extra_services,
             check=True,
             env=docker_compose_env,
@@ -505,6 +506,16 @@ def install_pilot():
         check=True,
     )
 
+@app.command()
+def configure_rucio():
+    """Configure Rucio in the rucio server container."""
+    _check_containers_running()
+    typer.secho("Running rucio configuration", fg=c.GREEN)
+    base_cmd = _build_docker_cmd("rucio-server")
+    subprocess.run(
+        base_cmd + ["bash", "/home/dirac/LocalRepo/TestCode/DIRAC/tests/CI/configure_rucio.sh"],
+        check=True,
+    )
 
 @app.command()
 def test_server():
@@ -655,7 +666,7 @@ def _gen_docker_compose(modules, *, diracx_dist_dir=None):
     input_fn = Path(__file__).parent / "tests/CI/docker-compose.yml"
     docker_compose = yaml.safe_load(input_fn.read_text())
     # diracx-wait-for-db needs the volume to be able to run the witing script
-    for ctn in ("dirac-server", "dirac-client", "dirac-pilot", "diracx-wait-for-db"):
+    for ctn in ("dirac-server", "dirac-client", "dirac-pilot", "diracx-wait-for-db", "rucio-wait-for-db"):
         if "volumes" not in docker_compose["services"][ctn]:
             docker_compose["services"][ctn]["volumes"] = []
     volumes = [f"{path}:/home/dirac/LocalRepo/ALTERNATIVE_MODULES/{name}" for name, path in modules.items()]
@@ -664,6 +675,7 @@ def _gen_docker_compose(modules, *, diracx_dist_dir=None):
     docker_compose["services"]["dirac-client"]["volumes"].extend(volumes[:])
     docker_compose["services"]["dirac-pilot"]["volumes"].extend(volumes[:])
     docker_compose["services"]["diracx-wait-for-db"]["volumes"].extend(volumes[:])
+    docker_compose["services"]["rucio-wait-for-db"]["volumes"].extend(volumes[:])
 
     module_configs = _load_module_configs(modules)
     if diracx_dist_dir is not None:
@@ -675,6 +687,11 @@ def _gen_docker_compose(modules, *, diracx_dist_dir=None):
             "diracx-wait-for-db",
             "diracx-init-db",
             "diracx",
+            "rucio-db",
+            "rucio-wait-for-db",
+            "rucio-server",
+            "rucio-init",
+            "rucio-storage-1",
         ]:
             docker_compose["services"][container_name].setdefault("volumes", []).append(
                 f"{diracx_dist_dir}:/diracx_sources"

tests/CI/check_rucio_db_initialised.sh

@@ -0,0 +1,24 @@
+# Should be called with PGPASSWORD=mysecretpassword
+
+#!/bin/bash
+dbMissing=true;
+allDBs=(rucio)
+while ${dbMissing};
+do
+    dbMissing=false;
+    allExistingDBs=$(psql -U postgres -h rucio-db -p 5432 -c "\l");
+    for db in "${allDBs[@]}";
+    do
+        if grep -q "${db}" <<< "${allExistingDBs}";
+        then
+            echo "${db} OK";
+        else
+            echo "${db} not created";
+            dbMissing=true;
+        fi;
+    done;
+    if ${dbMissing};
+    then
+        sleep 1;
+    fi
+done

tests/CI/configure_rucio.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -eux -o pipefail
+
+# copy user certs to fix permissions
+voms-proxy-init -valid 9999:00 -cert /home/user/.globus/usercert.pem -key /home/user/.globus/userkey.pem
+
+
+# add the storage element (xrd)
+RSE="STORAGE-1"
+rucio rse add --rse-name "STORAGE-1"
+rucio rse protocol add \
+    --rse-name "${RSE}" \
+    --host "rucio-storage-1" \
+    --scheme root \
+    --prefix //rucio \
+    --port 1094 \
+    --impl rucio.rse.protocols.gfal.Default \
+    --domain-json '{"wan": {"read": 1, "write": 1, "delete": 1, "third_party_copy_read": 1, "third_party_copy_write": 1}, "lan": {"read": 1, "write": 1, "delete": 1}}' \
+
+rucio rse attribute add --rse "${RSE}" --key fts --value https://fts:8446
+
+# this is for some reason I really don't understand needed by the DIRAC-Rucio integration
+rucio rse attribute add --rse "${RSE}" --key ANY --value true
+rucio account limit add --account root --rse-exp "${RSE}" --bytes "infinity"
+
+# add a scope
+rucio scope add --account root --scope test
+fts-rest-whoami -s https://fts:8446
+fts-rest-delegate -vf -s https://fts:8446 -H 9999
+
+# also needed for the DIRAC integration, due to idiosyncrasies of the belle2 code
+rucio scope add --account root --scope root
+# the root container for the VO already needs to exist
+rucio did add --type container -d /testvo.example.org

tests/CI/docker-compose.yml

@@ -1,10 +1,14 @@
 volumes:
+  # Volume used to store the certificates
+  dirac-certificates-store:
   # Volume used to store the config of diracx
   diracx-cs-store:
   # Volume used to store the pair of keys to sign the tokens
   diracx-key-store:
   # Volume used to store the jwks of the IAM service
   diracx-iam-key-store:
+  # Volume used to store the rucio config
+  rucio-server-config:
 
 services:
   mysql:
@@ -125,12 +129,17 @@ services:
     volumes:
       - diracx-cs-store:/cs_store
       - diracx-key-store:/signing-key
+      - dirac-certificates-store:/etc/DiracCertificates
+      - dirac-certificates-store:/etc/DiracCA
     environment:
       - DIRACX_CONFIG_BACKEND_URL=git+file:///cs_store/initialRepo
       - DIRACX_SERVICE_AUTH_TOKEN_KEY=file:///signing-key/rs256.key
     pull_policy: always
-    command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
-
+    # command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
+    # We need to allow everybody to read the private keys
+    # Because the users are different between the DIRAC and DiracX containers
+    entrypoint: |
+      bash -xc "chmod -R o=u /etc/DiracCertificates && chmod -R o=u /etc/DiracCA"
 
   dirac-client:
     image: ${CI_REGISTRY_IMAGE}/${HOST_OS}-dirac
@@ -248,3 +257,91 @@ services:
       retries: 15
       start_period: 60s
     pull_policy: always
+
+  ### Rucio
+
+  rucio-db:
+    hostname: rucio-db
+    image: "postgres:15"
+    environment:
+      POSTGRES_USER: rucio
+      POSTGRES_DB: rucio
+      POSTGRES_PASSWORD: secret
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      timeout: 10s
+      start_period: 30s
+    pull_policy: always
+
+  rucio-wait-for-db:
+    image: "postgres:15"
+    container_name: rucio-wait-for-db
+    environment:
+      POSTGRES_USER: rucio
+      POSTGRES_DB: rucio
+      PGPASSWORD: secret
+    depends_on:
+      rucio-db:
+        condition: service_healthy
+    command: /home/dirac/LocalRepo/ALTERNATIVE_MODULES/DIRAC/tests/CI/check_rucio_db_initialized.sh
+    pull_policy: always
+
+  rucio-init:
+    profiles:
+      - init
+    image: rucio/rucio-init:release-36.1.0
+    environment:
+      RUCIO_CFG_DATABASE_DEFAULT: "postgresql://rucio:secret@rucio-db/rucio"
+      RUCIO_CFG_BOOTSTRAP_USERPASS_IDENTITY: "test-user"
+      RUCIO_CFG_BOOTSTRAP_USERPASS_PWD: "secret"
+      RUCIO_CFG_BOOTSTRAP_X509_IDENTITY: "CN=Test User"
+      RUCIO_CFG_BOOTSTRAP_X509_EMAIL: "[email protected]"
+      RUCIO_CFG_POLICY_PACKAGE: "dirac_rucio_policy"
+      RUCIO_CFG_COMMON_EXTRACT_SCOPE: "dirac"
+      RUCIO_CFG_POLICY_LFN2PFN_ALGORITHM_DEFAULT: "dirac"
+      PYTHONPATH: /opt/rucio
+    depends_on:
+      rucio-db:
+        condition: service_healthy
+    volumes:
+      - rucio-server-config:/opt/rucio/etc/
+      - ./rucio_policy:/opt/rucio/dirac_rucio_policy
+
+  rucio-server:
+    hostname: rucio-server
+    image: rucio/rucio-server:release-36.1.0
+    environment:
+      RUCIO_ENABLE_SSL: "True"
+      RUCIO_HTTPD_ENCODED_SLASHES: "True"
+      RUCIO_HTTPD_GRID_SITE_ENABLED: "True"
+    depends_on:
+      dirac-server:
+        condition: service_started
+      rucio-db:
+        condition: service_healthy
+      rucio-storage-1:
+        condition: service_started
+    volumes:
+      - rucio-server-config:/opt/rucio/etc/
+      - dirac-certificates-store:/etc/grid-security
+      # - ./certs/hostcert_rucio-server.pem:/etc/grid-security/hostcert.pem:z
+      # - ./certs/hostcert_rucio-server.key.pem:/etc/grid-security/hostkey.pem:z
+      # - ./certs/test_ca.pem:/etc/grid-security/ca.pem:z
+      - ${RUCIO_REPOSITORY:-/dev/null}:/src/rucio
+
+  rucio-storage-1:
+    hostname: rucio-storage-1
+    image: rucio/xrootd
+    environment:
+      XRDPORT: "1094"
+    volumes:
+      - dirac-certificates-store:/etc/grid-security
+      - dirac-certificates-store:/certs
+      # - ./certs/test_ca.pem:/etc/grid-security/certificates/37cc428d.0
+      # - ./certs/hostcert_rucio-storage-1.pem:/tmp/xrdcert.pem:z
+      # - ./certs/hostcert_rucio-storage-1.key.pem:/tmp/xrdkey.pem:z
+    ulimits:
+      nofile:
+        soft: 1024
+        hard: 2048
+

tests/Jenkins/utilities.sh

@@ -391,7 +391,7 @@ generateCA() {
   fi
 
   # Initialize the ca
-  mkdir -p newcerts certs crl
+  mkdir -p certs crl
   touch index.txt
   echo 1000 > serial
   echo 1000 > crlnumber
@@ -484,6 +484,12 @@ generateCertificates() {
        -out hostcert.pem
 
   cd -
+
+  # This is for volume sharing
+  cp "${SERVERINSTALLDIR}/etc/grid-security/hostcert.pem" /etc/DiracCA/
+  cp "${SERVERINSTALLDIR}/etc/grid-security/hostcert.pem" /etc/DiracCA/
+
+
 }