Can you please clarify if it is possible to directly enable TPC (with delegated credentials) in EOS and if so what is the typical example of the ofs.tpc directive that we need to include in the /etc/xrd.cf.mgm? (I am aware of the need to set EOS_FST_NO_SSS_ENFORCEMENT=1 in /etc/sysconfig/eos_env)
EOS can do delegated xrootd TPC transfers and indeed it needs a XRootD proxy service in front that will handle the traffic. The EOS_FST_NO_SSS_ENFORCEMENT=1 is not needed in case you use the proxy service in front. This env can be used for instances that you control (both source and destination) but is not a recommended way for doing TPC with external sites.
All the steps to set this up are already laid out in the link that you pasted.
Thanks for your reply. Almost everything is set up except one last thing that I would like to double check with you.
The MGM correctly redirects the TPC to the XRootD proxy service (short hostname: cta-eos13) but then it looks like the daemon user on cta-eos13 (that is running the XRootD proxy service) is trying to open a file in the EOS name space via unix auth and it fails (plese see below). Does this mean that we need to have a vid tident mapping of daemon@cta-eos13 for every local EOS user (e.g. dteam, atlas, etc)?
eos vid set map -tident daemon@cta-eos13 vuid:1000 vgid:1000
The proxy service should contact the MGM with the delegated proxy certificate (gsi) so there is something not right on the proxy configuration. You definitely don’t need to add such mappings manually but only rely on the identity in the certificate. Could you paste the xrootd-tpc.cfg file that you use?
Please see below he contents of /etc/xrootd/xrdcp-tpc.sh and /etc/xrootd/xrootd-proxy.cfg
The command I use on the client side is
xrdcp --tpc delegate only root://ceph-gw1.gridpp.rl.ac.uk//dteam:georgep/lcgcclient02.tar root://cta-eos14.scd.rl.ac.uk//eos/antaresdev/dteam/tape/lcgcclient02.tar
Thanks for reference config. I am trying to use the XRootD 5 compliant values for the gsi params. So -dlgpxy:request is the equivalent of -dlgpxy:1 (Scalla Extension: Security). I will switch back to the number values.
I was wondering if I need to add sth like this in the /etc/xrdf.mgm
The file is written into EOS space (can see it with eos file info). One th thing I can’t understant is why the progress bar doesn’t appear (even though the transfer is completed)
xrdcp --tpc delegate only --verbose root://ceph-gw1.gridpp.rl.ac.uk//dteam:georgep/random_32MB root://cta-eos14.scd.rl.ac.uk//eos/antaresdev/dteam/random_32MB
[0B/32MB][ 0%][> ][0B/s]
This is an issue that was fixed in XRootD 5.3.0 - the basic problem is that the xrootd proxy can not relay any info about the progress of the TPC job to the client. You can find more details about the fix in the release notes:
Many thanks for this info. All the three client/server/proxy need to run XRootD 5.3.0?
Right now, we have XRootD 4.12.8 on the proxy and on the MGM (which runs EOS 4.8.37-1) assuming that the XRootD versions need to match. Is it possible to update the proxy but not the MGM? Is EOS 5 available by the way as a stable release?
Can you please let me know how do you run the XRootD TPC proxy for the EOS disk instance at CERN: do you run it on a seperate/dedicated hardware (if so, how many
nodes and with what NIC specs) or on the EOS nodes themselves?
We seem to be hitting a performance bootleneck with a single node (NIC 25Gb/s) running as a TPC proxy.