Installing HTTPs services in DIRAC
Background
For many years, DIRAC services have been exposed through the historical DISET (dips://
) protocol.
Few years ago DIRAC developers started exposing DIRAC services using the HTTPs protocol.
This page explains how to migrate existing DIPs protocol to HTTPs. For a developer view, refer to HTTPS Services with Tornado.
For a summary presentation you can check this.
NB: not all DIPs services can be exposed through HTTPs. For a comprehensve list, please refer to Dirac Service Limitations.
General principle
Contrary to the DISET protocol where each service would have its own process and port opened, HTTPs services are served by a unique process and port, based on Tornado.
There are exceptions to that, due to the use of global variables in some parts of DIRAC. Namely:
Master CS
All other services can follow the standard procedure described below.
First, the following configuration subsections have to be added to CS:
# "Main" section
DIRAC
{
Setups
{
...
Tornado = Production
}
}
# Add Tornado to Systems section
Systems
{
...
Tornado
{
Production
{
Port = 443
}
}
}
Installation of an HTTPs based service
This procedure is to be used if you are want to serve a new service with HTTPs.
Case 1: you do NOT run the equivalent DISET service
This is the most trivial case. Just run dirac-install-tornado-service
with the service you are interested in. This will install an runit
component running tornado-start-all
.
Case 2: you run the equivalent DISET service
Because the CS already contains the handler definition for DISET, dirac-install-tornado-service
will not modify it. Thus, you have to update it yourself, before running the command, otherwise tornado-start-all
will not find any service to run, and the installation will be shown as failed.
Procedure:
Update by hand the CS of the desired service:
Remove the port definition
Modify the handler to point to the Tornado handler
add
Protocol=https
The example the follows is for the “DIRAC File Catalog” (DFC) service. This would normally be in CS as:
Systems
{
...
DataManagement
{
Production
{
URLs
{
...
FileCatalog = dips://my.server.org:9197/DataManagement/FileCatalog
}
Services
{
...
FileCatalog
{
...
Port = 9197
Protocol = dips
...
}
}
...
}
}
}
And you need to change it to:
Systems
{
...
DataManagement
{
Production
{
URLs
{
...
FileCatalog = https://my.server.org:8443/DataManagement/FileCatalog
}
Services
{
...
FileCatalog
{
...
Protocol = https
HandlerPath = DIRAC/DataManagementSystem/Service/TornadoFileCatalogHandler.py
...
}
}
...
}
}
}
Run
dirac-install-tornado-service
or restart the tornado component if already running.
Note
This means that from now on, the DISET service cannot be restarted anymore, as its configuration would be wrong. So, go ahead and remove (by hand, for now) the runit-related directories of the DISET service.
Example of configuration before/after:
JobMonitoring
{
Port = 9130
Authorization
{
Default = authenticated
}
}
TornadoJobMonitoring
{
Protocol = https
Authorization
{
Default = authenticated
}
}
In any case, do not forget to update the URL of the service you just installed, such that other services can reach it.
Adding more tornado instances on a different machine
Simply use dirac-install-tornado-service
with no arguments on the new machine.
MasterCS special case
The master Configuration Server is different and needs to be run in a separate process. In order to do so:
Do NOT specify
Protocol=https
in the service description, otherwise it will be ran with all the other Tornado services.If you run on the same machine as other TornadoService, specify a
Port
in the service description (you can keep the existing 9135, if already there).Modify the content of the Configuration so that URLs are updated to use HTTPs instead of DIPs.
Add HandlerPath = DIRAC/ConfigurationSystem/Service/TornadoConfigurationHandler.py in the etc/dirac.cfg configuration file of the machine where the master CS is running (needed for bootstrap).
Finally, there is no automatic installations script. So just install a CS as you normally would do, and then edit the run
file like that:
#!/bin/bash
rcfile=/opt/dirac/bashrc
[ -e $rcfile ] && source $rcfile
#
export DIRAC_USE_TORNADO_IOLOOP=Yes
exec 2>&1
#
[ "service" = "agent" ] && renice 20 -p $$
#
#
exec tornado-start-CS -ddd