From a42f8495e55fd48bb79dc7381d5d0c38345b228a Mon Sep 17 00:00:00 2001 From: ddavila0 Date: Fri, 6 Feb 2026 11:24:40 -0800 Subject: [PATCH] adding first version of x509less cmsxcache --- Dockerfile | 2 ++ cms-xcache/cron.d/fetch-scitoken | 2 ++ cms-xcache/sbin/fetch_scitoken.sh | 25 +++++++++++++++++++++ cms-xcache/supervisord.d/10-cms-xcache.conf | 2 +- 4 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 cms-xcache/cron.d/fetch-scitoken create mode 100644 cms-xcache/sbin/fetch_scitoken.sh diff --git a/Dockerfile b/Dockerfile index 281a4e81..4f812fa3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -116,6 +116,8 @@ RUN chmod 0644 /etc/cron.d/* COPY cms-xcache/image-config.d/* /etc/osg/image-init.d/ COPY cms-xcache/xcache-consistency-check-wrapper.sh /usr/bin/xcache-consistency-check-wrapper.sh COPY cms-xcache/rsyslog-cms-xcache.conf /etc/rsyslog.d/cms-xcache.conf +COPY cms-xcache/sbin/* /usr/local/sbin/ +RUN chmod 0544 /usr/local/sbin/fetch_scitoken.sh RUN mkdir -p /var/log/xrootd/cms-xcache && \ touch /var/log/xrootd/cms-xcache/xrootd.log && \ diff --git a/cms-xcache/cron.d/fetch-scitoken b/cms-xcache/cron.d/fetch-scitoken new file mode 100644 index 00000000..2f7afd3f --- /dev/null +++ b/cms-xcache/cron.d/fetch-scitoken @@ -0,0 +1,2 @@ +@reboot root /usr/local/sbin/fetch_scitoken.sh &>> /tmp/fetch-cms-scitoken.cron.log +0 */6 * * * root /usr/local/sbin/fetch_scitoken.sh &>> /tmp/fetch-cms-scitoken.cron.log diff --git a/cms-xcache/sbin/fetch_scitoken.sh b/cms-xcache/sbin/fetch_scitoken.sh new file mode 100644 index 00000000..4cb45db2 --- /dev/null +++ b/cms-xcache/sbin/fetch_scitoken.sh 
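Review bot: In cms-xcache/cron.d/fetch-scitoken both entries append as root to `/tmp/fetch-cms-scitoken.cron.log`, a fixed name in a world-writable directory. Another account in the container can pre-create that path (or a link, where the kernel's protected-symlink setting is off) and influence where root writes, and the log grows without rotation. Logging under a root-owned directory avoids this, e.g. `0 */6 * * * root /usr/local/sbin/fetch_scitoken.sh >> /var/log/fetch-cms-scitoken.cron.log 2>&1`, with the same change on the `@reboot` line. The `&>>` redirection is a bash extension and cron runs commands with `/bin/sh` unless `SHELL` is set, so the `>> file 2>&1` form is also the safer spelling if the base image's `sh` is not bash.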
@@ -0,0 +1,25 @@ +#!/bin/bash + +if [ -f /etc/grid-security/fetch_scitoken_secret ]; then + USER=`cat /etc/grid-security/fetch_scitoken_secret | awk -F ":" '{print $1}'` + PASS=`cat /etc/grid-security/fetch_scitoken_secret | awk -F ":" '{print $2}'` + + if [[ -z "$USER" || -z "$PASS" ]]; then + echo "Wrong format in secret file" + exit 1 + fi + + curl -s --user $USER:$PASS -d grant_type=client_credentials -d scope="storage.read:/" https://cms-auth.cern.ch/token \ + | python3 -c 'import sys,json; print(json.loads(sys.stdin.read())["access_token"])' > /tmp/jwt_xrdcache + + if [ $? -ne 0 ]; then + echo "Failed to retrieve token" + exit 2 + fi + + chown xrootd: /tmp/jwt_xrdcache + chmod 600 /tmp/jwt_xrdcache + +else + echo "Secret file not found" +fi diff --git a/cms-xcache/supervisord.d/10-cms-xcache.conf b/cms-xcache/supervisord.d/10-cms-xcache.conf index eefc783c..b6fdefa0 100644 --- a/cms-xcache/supervisord.d/10-cms-xcache.conf +++ b/cms-xcache/supervisord.d/10-cms-xcache.conf @@ -2,5 +2,5 @@ command=xrootd -c /etc/xrootd/xrootd-cms-xcache.cfg -k fifo -n cms-xcache -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-cms-xcache.pid -l /var/log/xrootd/xrootd.log user=xrootd autorestart=true -environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10 +environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10,BEARER_TOKEN_FILE=/tmp/jwt_xrdcache,XrdSecPROTOCOL="ztn"
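Review bot: In fetch_scitoken.sh the pipeline redirects straight into `/tmp/jwt_xrdcache`, so the live token file is truncated before curl or python3 has succeeded and a failed refresh leaves xrootd with an empty token. The file is also created under the default umask and only narrowed by the later `chmod 600`. Writing to a `mktemp` file and renaming it into place after the token has been extracted closes both gaps, as sketched below. The client secret is passed as the unquoted `--user $USER:$PASS`, which is subject to word splitting and visible in the process list; the sketch feeds it to curl as a config on stdin instead (a secret containing `"` or `\` would need escaping there). The `else` branch also reports "Secret file not found" but exits 0, so a missing secret looks like success to the caller; `exit 3` there would make it detectable.

```shell
    # … unchanged: secret file check, USER/PASS parsing and format check …

    umask 077
    tmp_token=$(mktemp /tmp/jwt_xrdcache.XXXXXX) || exit 2

    # pipefail surfaces a curl failure; --fail turns HTTP errors into a non-zero exit
    set -o pipefail
    if ! printf 'user = "%s:%s"\n' "$USER" "$PASS" \
        | curl -s --fail -K - -d grant_type=client_credentials -d scope="storage.read:/" https://cms-auth.cern.ch/token \
        | python3 -c 'import sys,json; print(json.loads(sys.stdin.read())["access_token"])' > "$tmp_token"; then
        echo "Failed to retrieve token"
        rm -f -- "$tmp_token"
        exit 2
    fi

    chown xrootd: "$tmp_token"
    # rename on the same filesystem is atomic, so xrootd never reads an empty or partial token
    mv -f -- "$tmp_token" /tmp/jwt_xrdcache

    # … unchanged: else branch …
```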
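Review bot: In 10-cms-xcache.conf, `BEARER_TOKEN_FILE=/tmp/jwt_xrdcache` places the credential at a predictable name in a world-writable directory. A file pre-created there by another local account would be reused by the fetch script's `>` redirect, and its creator could keep an open handle to it across the later chown/chmod. A dedicated directory writable only by root and xrootd removes that exposure, for example `BEARER_TOKEN_FILE=<token-dir>/jwt_xrdcache` (placeholder path) with the same path used in fetch_scitoken.sh. Since `XrdSecPROTOCOL="ztn"` appears to limit the client to token authentication, it is also worth confirming that xrootd cannot start before the `@reboot` cron job has written the first token.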