
Beginner Administrator

egazzarr edited this page Jun 28, 2023 · 2 revisions

This page tells you what to do when you're a new team member (a.k.a. newbie) and need to set up your (CERN) development environment.

General document for newcomers (IT GOV ENG shared document).

CERN Services

To access most CERN services without typing your password every time, you should configure a Kerberos client on your computer and request a new "ticket".

Kerberos

2FA

Most of the time, when you access a CERN service (email, aiadm...), you will need two-factor authentication (2FA) to identify yourself. To configure CERN 2FA:

  • Follow this documentation, which contains a step-by-step tutorial (CERN account needed).

lxplus

ssh <cern-user-name>@lxplus[NONE/7/8/9].cern.ch

The lxplus machines should come with common CERN packages. Among others, the gfal2, fts and eos clients should already be installed.

aiadm

ssh <cern-user-name>@aiadm.cern.ch

Once connected, services such as tbag can be accessed.

tbag Password Safe

You can find the CERN documentation here. Useful commands are:

  • tbag showkeys --hg <hostgroup>
  • tbag show --hg <hostgroup> <keyname>
  • tbag set --hg <hostgroup> <new-keyname>, then enter the secret key when prompted

Ours is tbag showkeys escapewp2c. The output of --help:

tbag --help
usage: tbag [-h] [--tbag-timeout TBAG_TIMEOUT] [--tbag-hostname TBAG_HOSTNAME]
            [--tbag-port TBAG_PORT] [--config CONFIG] [--dereference_alias]
            [--nodereference_alias] [--show_url] [-v] [-d]
            {set,delete,deletekeys,show,showkeys} ...

Tool for secrets handling

optional arguments:
  -h, --help            show this help message and exit
  --tbag-timeout TBAG_TIMEOUT
                        Timeout for trusted bag operations
  --tbag-hostname TBAG_HOSTNAME
                        Trusted bag hostname
  --tbag-port TBAG_PORT
                        Trusted bag port
  --config CONFIG       Configuration file
  --dereference_alias   dereference any lb aliases
  --nodereference_alias
                        do not dereference any lb aliases
  --show_url            show REST urls
  -v, --verbose         Be chatty
  -d, --dryrun          Don't do the requests that alter data

subcommands:
  {set,delete,deletekeys,show,showkeys}
    set                 Set a secret in the store
    delete              Delete a secret from the store
    deletekeys          Delete all keys for the given host, hostgroup or
                        service
    show                Show a secret from the store
    showkeys            Show all keys for the given host, hostgroup or service

ssh config

To save time whenever you make an SSH connection, you can define a ProxyJump that goes through CERN lxplus to your VM:

# ** Works on macOS. Might differ on Linux/Windows **

# Use ssh-agent forwarding if you want to use your RSA key on remote hosts
# without copying it there. Placed outside any Host block, this setting
# applies to every host you connect to.
ForwardAgent yes

# Enable ssh <pcname>, which resolves to <pcname>.cern.ch
CanonicalDomains cern.ch
CanonicalizeHostname yes

Host lxplus.cern.ch aiadm.cern.ch lxtunnel.cern.ch lxplus lxplus8 aiadm lxtunnel
  User <cern-user>
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  ForwardX11 yes

Host vm
    HostName <your-vm-name>.cern.ch
    User root
    ProxyJump lxplus
    AddressFamily inet
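
A variant of the configuration above with agent forwarding scoped per host, as an added example that is not part of the original wiki page. ProxyJump authenticates to the VM from your local machine through the jump host, so the jump works without agent forwarding; the `Host *` block and the commented-out line are assumptions about what you need.

```sshconfig
# Added example: <cern-user> and <your-vm-name> are the page's placeholders.

CanonicalDomains cern.ch
CanonicalizeHostname yes

Host lxplus.cern.ch aiadm.cern.ch lxtunnel.cern.ch lxplus lxplus8 aiadm lxtunnel
  User <cern-user>
  GSSAPIAuthentication yes
  # Hands a copy of your Kerberos ticket to the remote host (kept from the page).
  GSSAPIDelegateCredentials yes
  # Kept from the page; drop it if you do not run graphical programs remotely.
  ForwardX11 yes

Host vm
  HostName <your-vm-name>.cern.ch
  User root
  ProxyJump lxplus
  AddressFamily inet
  # Assumption: uncomment only if you need your local key on the VM itself,
  # for example to push to GitHub from there.
  # ForwardAgent yes

# ssh uses the first value it finds for each option, so these defaults
# go last and apply to any host not configured above.
Host *
  ForwardAgent no
```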

Create an SSH key and add it to .gitconfig

Follow the instructions here and then do:

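# This is Git's per-user configuration file.
[user]
# Adapt the following lines:
        name = Your Name
        email = <mail>@users.noreply.github.com
# Public half of the SSH key used for signing
        signingkey = /root/.ssh/<your-key>.pub
[commit]
# false: commits are signed only when you pass -S to git commit
        gpgsign = false
[gpg]
# Sign with the SSH key above instead of a GPG key
        format = ssh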

Create a VM in OpenStack@CERN

Database Operations

The database of the Data Lake is the central component of the VRE. In our case, it is a PostgreSQL database, but you can choose the one that suits you best. It is managed with Rucio, but accessed by the JupyterHub extension, by REANA and by Dask. It is therefore crucial to be able to interact with and inspect the database, and to get comfortable with the tools for doing so. Here are a few suggestions.

PSQL CLI (Postgres)

Download the PSQL Tools, install them, and connect to an instance with psql -h <instance-url> -U <admin-user> -p <port>.

Useful commands:

  • \l list databases
  • \du+ shows user/roles details
  • \c <dbname> switch db
  • CREATE DATABASE <name>;
  • CREATE USER <username>;
  • `GRANT TO ;
  • ALTER DATABASE <name> OWNER TO <username>;
  • ALTER USER <username> WITH PASSWORD '<password>';

Additional documentation can be found here.

Desktop applications

We suggest using an application to view the data instead of interacting with it from the terminal. Get the passwords to access the DB with tbag on aiadm (see above). Download pgAdmin or DBeaver and add the new database connection with all the necessary information (in DBeaver, for example, Open DBeaver > tab Database > New database connection > PostgreSQL).
