Dear Experts,
I found that HTTP-TPC fails in pull mode if the destination host is an MGM slave.
We have three MGM nodes with Master/Slave QuarkDB Configuration.
master: f-dpmp28
slave: f-dpmp35, f-dpmp31
EOS version is 4.8.40.
XrdHttp is set to 9000 in /etc/xrd.cf.mgm.
This is the script which I run:
export SRC=$2
export DST=$3
gfal-copy "$1" "$SRC" -f > /dev/null
# Get macaroon for source
export TSRC=$(curl --silent --cert ~/cernproxy.pem --key ~/cernproxy.pem --cacert ~/cernproxy.pem \
  --capath /etc/grid-security/certificates -X POST -H 'Content-Type: application/macaroon-request' \
  -d '{"caveats": ["activity:DOWNLOAD"], "validity": "PT3000M"}' "$SRC" | jq -r '.macaroon')
# Get macaroon for destination
export TDST=$(curl --silent --cert ~/cernproxy.pem --key ~/cernproxy.pem --cacert ~/cernproxy.pem \
  --capath /etc/grid-security/certificates -X POST -H 'Content-Type: application/macaroon-request' \
  -d '{"caveats": ["activity:UPLOAD,DELETE,LIST"], "validity": "PT3000M"}' "$DST" | jq -r '.macaroon')
# Trigger HTTP TPC PULL (COPY is sent to the destination, which fetches from Source)
curl --capath /etc/grid-security/certificates -L -X COPY -H 'Secure-Redirection: 1' -H 'X-No-Delegate: 1' \
  -H 'Credentials: none' -H "Authorization: Bearer $TDST" -H "TransferHeaderAuthorization: Bearer $TSRC" \
  -H "TransferHeaderTest: Test" -H "Source: $SRC" "$DST"
gfal-rm "$SRC" > /dev/null
gfal-rm "$DST" > /dev/null
The following is the curl output:
[...loading CA file...]
CApath: /etc/grid-security/certificates
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=f-dpmp31.grid.sinica.edu.tw,OU=GRID,O=AS,C=TW
* start date: May 10 02:12:50 2021 GMT
* expire date: May 10 02:12:50 2022 GMT
* common name: f-dpmp31.grid.sinica.edu.tw
* issuer: CN=Academia Sinica Grid Computing Certification Authority Mercury,O=AS,C=TW
> COPY //eos/testarea/test.4101 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: f-dpmp31.grid.sinica.edu.tw:9000
> Accept: */*
> Secure-Redirection: 1
> X-No-Delegate: 1
> Credentials: none
> Authorization: Bearer MDAxNWxvY2F0aW9uIGVvc3Rlc3QKMDAzNGlkZW50aWZpZXIgNjQ1ZDlkNGEtNjVlMy00YWNlLTkyNzMtZDM4YjRiNzdlYzRmCjAwMTNjaWQgbmFtZTphdGxhcwowMDUyY2lkIGFjdGl2aXR5OlJFQURfTUVUQURBVEEsVVBMT0FELERPV05MT0FELERFTEVURSxNQU5BR0UsVVBEQVRFX01FVEFEQVRBLExJU1QKMDAyNGNpZCBhY3Rpdml0eTpVUExPQUQsREVMRVRFLExJU1QKMDAyNWNpZCBwYXRoOi9lb3MvdGVzdGFyZWEvdGVzdC40MTAxCjAwMjRjaWQgYmVmb3JlOjIwMjEtMDctMTdUMDc6NDQ6MDVaCjAwMmZzaWduYXR1cmUg6_1XgGMYJZYVMM9z8t3wDFpJL5CgUC6DrG6ZMx_1RJUK
> TransferHeaderAuthorization: Bearer dpm-macaroonMDA0Y2xvY2F0aW9uIC9kcG0vZ3JpZC5zaW5pY2EuZWR1LnR3L2hvbWUvYXRsYXMvYXRsYXNzY3JhdGNoZGlzay90ZXN0LjQwMDQ2CjAwMTZpZGVudGlmaWVyIGNvbmZpZwowMDU4Y2lkIGRuOi9EQz1jaC9EQz1jZXJuL09VPU9yZ2FuaWMgVW5pdHMvT1U9VXNlcnMvQ049Y2hpZW5kZS9DTj04MzcxNDYvQ049Q2hpZW4tRGUgTGkKMDAxM2NpZCBmcWFuOmF0bGFzCjAwMTZjaWQgZnFhbjphdGxhcy90dwowMDRjY2lkIHBhdGg6L2RwbS9ncmlkLnNpbmljYS5lZHUudHcvaG9tZS9hdGxhcy9hdGxhc3NjcmF0Y2hkaXNrL3Rlc3QuNDAwNDYKMDAxYWNpZCBhY3Rpdml0eTpET1dOTE9BRAowMDI0Y2lkIGJlZm9yZToyMDIxLTA3LTE3VDA3OjQ0OjA1WgowMDJmc2lnbmF0dXJlICIy-2sO_EnVX1I1j-YMN1eIsY2y-lSIwPHtzOfW8MD8Cg
> TransferHeaderTest: Test
> Source: https://f-dpm000.grid.sinica.edu.tw//dpm/grid.sinica.edu.tw/home/atlas/atlasscratchdisk/test.40046
>
< HTTP/1.1 307 Unknown
< Connection: Keep-Alive
< Content-Length: 0
< Location: http://f-dpmp28.grid.sinica.edu.tw:1094///eos/testarea/test.4101
<
* Connection #0 to host f-dpmp31.grid.sinica.edu.tw left intact
* Issue another request to this URL: 'http://f-dpmp28.grid.sinica.edu.tw:1094///eos/testarea/test.4101'
* About to connect() to f-dpmp28.grid.sinica.edu.tw port 1094 (#1)
* Trying 2400:4500:0:2::1122...
* Permission denied
* Trying 202.140.171.34...
* Connected to f-dpmp28.grid.sinica.edu.tw (202.140.171.34) port 1094 (#1)
> COPY ///eos/testarea/test.4101 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: f-dpmp28.grid.sinica.edu.tw:1094
> Accept: */*
> Secure-Redirection: 1
> X-No-Delegate: 1
> Credentials: none
> TransferHeaderAuthorization: Bearer dpm-macaroonMDA0Y2xvY2F0aW9uIC9kcG0vZ3JpZC5zaW5pY2EuZWR1LnR3L2hvbWUvYXRsYXMvYXRsYXNzY3JhdGNoZGlzay90ZXN0LjQwMDQ2CjAwMTZpZGVudGlmaWVyIGNvbmZpZwowMDU4Y2lkIGRuOi9EQz1jaC9EQz1jZXJuL09VPU9yZ2FuaWMgVW5pdHMvT1U9VXNlcnMvQ049Y2hpZW5kZS9DTj04MzcxNDYvQ049Q2hpZW4tRGUgTGkKMDAxM2NpZCBmcWFuOmF0bGFzCjAwMTZjaWQgZnFhbjphdGxhcy90dwowMDRjY2lkIHBhdGg6L2RwbS9ncmlkLnNpbmljYS5lZHUudHcvaG9tZS9hdGxhcy9hdGxhc3NjcmF0Y2hkaXNrL3Rlc3QuNDAwNDYKMDAxYWNpZCBhY3Rpdml0eTpET1dOTE9BRAowMDI0Y2lkIGJlZm9yZToyMDIxLTA3LTE3VDA3OjQ0OjA1WgowMDJmc2lnbmF0dXJlICIy-2sO_EnVX1I1j-YMN1eIsY2y-lSIwPHtzOfW8MD8Cg
> TransferHeaderTest: Test
> Source: https://f-dpm000.grid.sinica.edu.tw//dpm/grid.sinica.edu.tw/home/atlas/atlasscratchdisk/test.40046
>
* Recv failure: Connection reset by peer
* Closing connection 1
curl: (56) NSS: client certificate not found (nickname not specified)
I expected the workflow to redirect to the MGM master on port 9000, like the following diagram:
But the curl output shows the actual result is like this:
Is this a bug or a misconfiguration?
Thanks,
Chien-De
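
An added example, not part of the original post: a Python check over a `curl -v` trace that reports what changes on each redirect hop (scheme, port, and which credential headers are resent). The trace is a constructed, condensed copy of the one above with the macaroons replaced by placeholders; the first-hop `https` URL and the names `audit_redirects`, `INITIAL_URL` and `CRED_HEADERS` are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the curl -v trace from the post, condensed, tokens replaced.
TRACE = """\
> COPY //eos/testarea/test.4101 HTTP/1.1
> Host: f-dpmp31.grid.sinica.edu.tw:9000
> Authorization: Bearer <DST_MACAROON>
> TransferHeaderAuthorization: Bearer <SRC_MACAROON>
>
< HTTP/1.1 307 Unknown
< Location: http://f-dpmp28.grid.sinica.edu.tw:1094///eos/testarea/test.4101
<
> COPY ///eos/testarea/test.4101 HTTP/1.1
> Host: f-dpmp28.grid.sinica.edu.tw:1094
> TransferHeaderAuthorization: Bearer <SRC_MACAROON>
>
* Recv failure: Connection reset by peer
"""
# Assumption: first-hop URL rebuilt from the Host header, request path and TLS handshake.
INITIAL_URL = "https://f-dpmp31.grid.sinica.edu.tw:9000//eos/testarea/test.4101"
CRED_HEADERS = {"authorization", "transferheaderauthorization"}

def audit_redirects(initial_url, trace):
    """Return (hop, finding) pairs for every redirect hop in a curl -v trace."""
    urls, hops, findings = [initial_url], [], []
    for line in trace.splitlines():
        if re.match(r"> [A-Z]+ \S+ HTTP/", line):
            hops.append(set())  # new request: collect its header names
        elif line.startswith("> ") and ":" in line and hops:
            hops[-1].add(line[2:].split(":", 1)[0].strip().lower())
        elif line.lower().startswith("< location:"):
            urls.append(line.split(":", 1)[1].strip())
    for i in range(1, min(len(urls), len(hops))):
        prev, cur = urlsplit(urls[i - 1]), urlsplit(urls[i])
        if prev.scheme == "https" and cur.scheme == "http":
            findings.append((i, "tls-downgrade"))
        if prev.port != cur.port:
            findings.append((i, f"port-change {prev.port}->{cur.port}"))
        if cur.scheme == "http":  # credentials sent on this hop travel unencrypted
            findings += [(i, f"cleartext-credential {h}") for h in sorted(CRED_HEADERS & hops[i])]
        # credential headers present on the previous hop but absent on this one
        findings += [(i, f"dropped-on-redirect {h}") for h in sorted((CRED_HEADERS & hops[i - 1]) - hops[i])]
    return findings

if __name__ == "__main__":
    for hop, finding in audit_redirects(INITIAL_URL, TRACE):
        print(f"hop {hop}: {finding}")
```

On this trace the check reports that the redirect leaves TLS on port 9000 for plain HTTP on port 1094, that the source macaroon in `TransferHeaderAuthorization` is resent over that unencrypted hop, and that the destination `Authorization` header is not resent.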