Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Diana Scannicchio on behalf of ALICE, ATLAS, CMS, LHCb System Administration Diana Scannicchio on behalf of ALICE, ATLAS, CMS, LHCb System Administration.

Published byMarion Matthews Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Diana Scannicchio on behalf of ALICE, ATLAS, CMS, LHCb System Administration Diana Scannicchio on behalf of ALICE, ATLAS, CMS, LHCb System Administration."— Presentation transcript:

1 1 Diana Scannicchio on behalf of ALICE, ATLAS, CMS, LHCb System Administration Diana Scannicchio on behalf of ALICE, ATLAS, CMS, LHCb System Administration  Introduction  Configuration  Monitoring  Virtualization  Security and access  Support  Next steps and conclusions

2 Diana Scannicchio 2 Elba 2009 Diana Scannicchio 2 12 March 2013 Introduction: run efficiency The usage of big farms of computers is needed to take data (run)  ALICE: ~450 PCs  ATLAS: ~3000 PCs, ~150 switches  CMS: ~2900 PCs, ~150 switches  LHCb: ~2000 PCs, ~200 switches Achieve a good efficiency within the limits of available hardware, manpower, cost, …  High availability, from the system administration (not DAQ) point of view:  minimize the number of single points of failure  critical systems are unavoidable  have a fast recovery to minimize the downtime  usage of configuration management tools and monitoring systems  Complementing DAQ capability of adapting to the loss of nodes The common goal is Run Efficiency

3 Diana Scannicchio 3 Elba 2009 Diana Scannicchio 3 12 March 2013 Run  The farms are composed by nodes fulfilling various functions  Trigger and Data Acquisition  Detector Control Systems  Services  monitoring, authorization, access, LDAP, NTP, MySQL, Apache, …  Control Rooms  Run should survive GPN disconnection  any vital IT service is duplicated (DNS, NTP, DHCP, LDAP, DC)  event data can be locally stored for 1-2 days  ATLAS and CMS

4 Diana Scannicchio 4 Elba 2009 Diana Scannicchio 4 12 March 2013 Farm Architecture - ATLAS  Hierarchical structure  Central File Server (CFS)  Local File Server (LFS)  netbooted nodes  Flat structure  local installed  NetApp: centralized storage  home directories and different project areas  84 disks (6 spares), ~10 TB CFS LFS … CFSLFS LDAP MySQL DCS Web Servers NetApp Control Room Virtual Hosts Core Nagios Public Nodes DNS

5 Diana Scannicchio 5 Elba 2009 Diana Scannicchio 5 12 March 2013 Farm Architecture CMS  Flat structure  all nodes are local installed  NetApp: centralized storage home directories and different project areas ~17 TB CMS  Flat structure  all nodes are local installed  NetApp: centralized storage home directories and different project areas ~17 TB LHCb  Hierarchical structure  all nodes are netbooted LHCb  Hierarchical structure  all nodes are netbooted ALICE  Flat structure  all nodes are local installed ALICE  Flat structure  all nodes are local installed

6 Diana Scannicchio 6 Elba 2009 Diana Scannicchio 6 12 March 2013 Efficiency  Single points of failure are impossible to avoid  ATLAS: DCS, ROS, NetApp (but it is redundant)  CMS: during LS1 DCS will move to blades for a large portion, with failover to a blade on surface  Core services: DNS/DHCP/kerberos, LDAP, LFS are redundant  Fast recovery  needed especially to recover a “single point of failure” system  monitoring is a fundamental tool  to get promptly informed about failure or degradation  configuration management  to quickly (re-)install a machine as it was, e.g. on new hardware (20~40 min.)  moving DNS alias (~15 min., due to propagation, caches)  diskless nodes have no re-install downtime (~5 min.) (ATLAS, LHCb)  flexible system designed in-house to configure diskless nodes  redundant boot servers to serve boot images, NFS shares, …  Efficiency loss due to hardware failures has been negligible compared to operator errors or detector failures

7 7 Diana Scannicchio 7 12 March 2013

8 Diana Scannicchio 8 Elba 2009 Diana Scannicchio 8 12 March 2013 Configuration  Central configuration management is needed to speed up and keep under control the installation (OS and other software) on  local installed nodes  netbooted nodes  Various configuration management tools are available, the ones used are:  Quattor  CERN IT standard Configuration Management Tool being dismissed in favour of Puppet  tight control on installed packages  lack of flexibility for complex configuration and service dependencies  Puppet  high flexibility  active development community

9 Diana Scannicchio 9 Elba 2009 Diana Scannicchio 9 12 March 2013 Quattor and Puppet  Quattor  CMS  LHCb  ATLAS  still nodes configured by mixing with Puppet  finalizing the dismissing of Quattor in the next months  Puppet  ALICE  the first configuration is done through kickstart, then puppet  ATLAS  in use for ~3 years, ~15000 LOC  complicated servers have been the first to be managed by Puppet  on the HLT farm is complementing Quattor

10 Diana Scannicchio 10 Elba 2009 Diana Scannicchio 10 12 March 2013 Packages and updates  Software distribution and package management  SLC and other public RPMs from CERN repositories  ALICE, ATLAS and CMS also have repositories mirrored in P2, P1 and P5  Trigger and DAQ software packaged as RPMs  ALICE and CMS: installed locally on each node  ATLAS: installed from CFS, synchronized to LFS, NFS-mounted on clients  LHCb: in-house package distribution systems (Pacman, same as for GRID)  Update policy  ATLAS  snapshot of yum repositories, versioned test/production/… groups  Quattor clients receive version list based on repository group  Puppet clients pull directly from assigned repository group  CMS  Quattor/SPMA controlled, updates are pushed as needed  ALICE  updates are propagated at well-defined moments  LHCb  updates are deployed at well-defined moments See next Thursday for detailed news

11 11 Diana Scannicchio 11 12 March 2013

12 Diana Scannicchio 12 Elba 2009 Diana Scannicchio 12 12 March 2013 Monitoring and alerting  Large infrastructure must be monitored automatically  proactively warned of any failure or degradation in the system  avoid or minimize downtime  What does monitoring mean?  data collection  visualization of collected data (performance, health)  alert (sms, mail) on collected data  Various monitoring packages are available, the ones in use are:  Icinga  Ganglia  Lemon  Nagios  Zabbix

13 Diana Scannicchio 13 Elba 2009 Diana Scannicchio 13 12 March 2013 Current monitoring tools  Lemon is used by Alice for metrics retrieval and display, and alerting  monitoring Linux generic hosts and remote devices using SNMP  retrieving DAQ-specific metrics (rates, software configuration, etc)  reporting/alerting  Nagios (v2) was used by CMS and is used by ATLAS  problem with scaling in growing cluster  configuration is distributed over more servers in order to scale  Ganglia is used by ATLAS to provide detailed performance information on interesting servers (e.g. LFS, virtual hosts, …)  no alert capabilities  Icinga is already being used by CMS and LHCb  configuration is compatible with the Nagios one, so it is “easy” to migrate  data collection is performed using Gearman/mod_gearman (queue system) to distribute the work load

14 Diana Scannicchio 14 Elba 2009 Diana Scannicchio 14 12 March 2013 Future monitoring tools  ALICE will replace Lemon with Zabbix  ATLAS will complete the migration to Icinga complementing the information with GANGLIA  Gearman/mod_gearman to reduce workload on the monitoring server and improve scaling capabilities  LHCb will also use GANGLIA See next Thursday for detailed news

15 15 Diana Scannicchio 15 12 March 2013

16 Diana Scannicchio 16 Elba 2009 Diana Scannicchio 16 12 March 2013 Virtualization in the present ALICE  none ALICE  none CMS  domain controllers  Icinga workers and replacement server  few detector machines CMS  domain controllers  Icinga workers and replacement server  few detector machines ATLAS  gateways  domain controllers  few windows services  development web servers  core Nagios servers  Puppet and Quattor servers  one detector machine  public nodes ATLAS  gateways  domain controllers  few windows services  development web servers  core Nagios servers  Puppet and Quattor servers  one detector machine  public nodes LHCb  web services  infrastructure services  DNS, Domain Controller, DHCP, firewalls  always a tandem for critical systems: one VM, one real  few control PCs LHCb  web services  infrastructure services  DNS, Domain Controller, DHCP, firewalls  always a tandem for critical systems: one VM, one real  few control PCs

17 Diana Scannicchio 17 Elba 2009 Diana Scannicchio 17 12 March 2013 Virtualization in the future  Virtualization is a very fertile playground  Everyone thinking how to exploit  Offline software (analysis and simulation) will run on virtual machines on the ATLAS and CMS HLT farms  OpenStack is used for management See next Thursday for detailed news ALICE  Control Room PCs  Event Builders ALICE  Control Room PCs  Event Builders ATLAS  DCS windows systems ATLAS  DCS windows systems CMS  servers  DNS, DHCP, kerberos, LDAP slaves  DAQ services CMS  servers  DNS, DHCP, kerberos, LDAP slaves  DAQ services LHCb  general login services  gateways and windows remote desktop  all control PCs  PVSS, linux, windows, specific HW issues (CANBUS) LHCb  general login services  gateways and windows remote desktop  all control PCs  PVSS, linux, windows, specific HW issues (CANBUS)

18 18 Diana Scannicchio 18 12 March 2013

19 Diana Scannicchio 19 Elba 2009 Diana Scannicchio 19 12 March 2013 Authentication ATLAS  local LDAP for account information  usernames and local password if needed (e.g. generic accounts)  NICE authentication using the CERN Domain Controllers mirrors inside P1 ATLAS  local LDAP for account information  usernames and local password if needed (e.g. generic accounts)  NICE authentication using the CERN Domain Controllers mirrors inside P1 ALICE  internal usernames/passwords used for detector people  no sync with NICE users/passwords  RFID/Smartcard authentication after LS1  still no access to/from outside world ALICE  internal usernames/passwords used for detector people  no sync with NICE users/passwords  RFID/Smartcard authentication after LS1  still no access to/from outside world CMS  local kerberos server  same usernames and userID as in IT  LDAP is used to store user info and user to group mappings CMS  local kerberos server  same usernames and userID as in IT  LDAP is used to store user info and user to group mappings LHCb  Local LDAP  Local Domain Controllers  UIDs, usernames and user info are in sync with the CERN LDAP LHCb  Local LDAP  Local Domain Controllers  UIDs, usernames and user info are in sync with the CERN LDAP

20 Diana Scannicchio 20 Elba 2009 Diana Scannicchio 20 12 March 2013 Security and Access Restriction  Web pages and Logbooks are  accessible from outside CERN and secured through CERN SSO  firewalls and reverse proxies also used  The networks are separated from GPN and TN (for ATLAS, CMS, LHCb)  exceptions are implemented via CERN LanDB Control Sets ALICE  no external/GPN access to any DAQ services ALICE  no external/GPN access to any DAQ services LHCb  no external/GPN access to any DAQ services  access is possible only with an LHCb account through the linux gateways or windows terminal servers LHCb  no external/GPN access to any DAQ services  access is possible only with an LHCb account through the linux gateways or windows terminal servers

21 Diana Scannicchio 21 Elba 2009 Diana Scannicchio 21 12 March 2013 Security and Access Restriction ATLAS  access to the ATLAS network is controlled  RBAC (Role Based Access Control) mechanism in place to restrict user access to nodes and resources (i.e. Access Manager)  during Run Time the access is only authorized by ShiftLeader, and it is time limited  sudo rules define limited administration privileges for users  two steps for a user to login on a P1 node  first step on the gateway where roles are checked before completing the connection  second step to the internal host, managed by login script ATLAS  access to the ATLAS network is controlled  RBAC (Role Based Access Control) mechanism in place to restrict user access to nodes and resources (i.e. Access Manager)  during Run Time the access is only authorized by ShiftLeader, and it is time limited  sudo rules define limited administration privileges for users  two steps for a user to login on a P1 node  first step on the gateway where roles are checked before completing the connection  second step to the internal host, managed by login script CMS  access to the CMS network via boundary nodes (user head nodes) is not blocked at any time, any valid account can login  nodes are not restricted either (anyone can log into any machine)  sudo rules are restrictive to the types/uses of nodes  access is through password authentication only for the peripheral nodes (SSH keys not allowed)  The boundary nodes are fully fledged nodes similar to general nodes on the network CMS  access to the CMS network via boundary nodes (user head nodes) is not blocked at any time, any valid account can login  nodes are not restricted either (anyone can log into any machine)  sudo rules are restrictive to the types/uses of nodes  access is through password authentication only for the peripheral nodes (SSH keys not allowed)  The boundary nodes are fully fledged nodes similar to general nodes on the network

22 22 Diana Scannicchio 22 12 March 2013

23 Diana Scannicchio 23 Elba 2009 Diana Scannicchio 23 12 March 2013 Workload and requests management  Ticket systems are used to track issues and requests  ALICE and CMS use Savannah and will move to Jira  ATLAS uses Redmine for 3 years (before Jira availability)  LHCb uses OTRS and has installed Redmine  Urgent matters are managed via on-call with different philosophies  ALICE: DAQ on-call and the other DAQ experts as needed  ATLAS: direct call to TDAQ SysAdmins  CMS and LHCb: DAQ on-call is the first line, then SysAdmins

24 24 Diana Scannicchio 24 12 March 2013

25 Diana Scannicchio 25 Elba 2009 Diana Scannicchio 25 12 March 2013 Next steps A lot of work is planned by all experiments during LS1  Updating the Operating Systems to  SLC6 on both local installed and netbooted nodes  Windows Server 2008 or later  Complete the migration to new configuration management tool  Upgrading and improving the monitoring systems  Looking more and more at virtualization  HLT Farms will be used as virtual machines to run offline software

26 Diana Scannicchio 26 Elba 2009 Diana Scannicchio 26 12 March 2013 Conclusions  Systems are working: we happily ran and took data  complex systems  24x7 support  Interesting and proactive “Cross Experiment” meetings to  share information  compare solutions and performances  Converging on using the same or similar tools for “objective” tasks  e.g. for monitoring and configuration management  Appropriate tools are now available to deal with big farms  big farms are now available outside in the world  CERN is no more a peculiarity  Differences observed for “subjective” tasks  restrict access or not  uniformity (netbooted) vs. flexibility (local installed)  Improvement is always possible… unfortunately it depends on costs, time and manpower

27 Diana Scannicchio 27 Elba 2009 Diana Scannicchio 27 12 March 2013 Thanks to…  ALICE  Adriana Telesca  Ulrich Fuchs  CMS  Marc Dobson  LHCb  Enrico Bonaccorsi  Christophe Haen  Niko Neufeld

Download ppt "1 Diana Scannicchio on behalf of ALICE, ATLAS, CMS, LHCb System Administration Diana Scannicchio on behalf of ALICE, ATLAS, CMS, LHCb System Administration."

Similar presentations

Ljubomir Ivaniš CPU d.o.o.

Ljubomir Ivaniš CPU d.o.o.
Serverless Network File Systems. Network File Systems Allow sharing among independent file systems in a transparent manner Mounting a remote directory.

Serverless Network File Systems. Network File Systems Allow sharing among independent file systems in a transparent manner Mounting a remote directory.
CHEP 2012 – New York City 1.  LHC Delivers bunch crossing at 40MHz  LHCb reduces the rate with a two level trigger system: ◦ First Level (L0) – Hardware.

CHEP 2012 – New York City 1.  LHC Delivers bunch crossing at 40MHz  LHCb reduces the rate with a two level trigger system: ◦ First Level (L0) – Hardware.
1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.

1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.
S. Gadomski, ATLAS computing in Geneva, journee de reflexion, 14 Sept 20071 ATLAS computing in Geneva Szymon Gadomski description of the hardware the.

S. Gadomski, "ATLAS computing in Geneva", journee de reflexion, 14 Sept ATLAS computing in Geneva Szymon Gadomski description of the hardware the.
1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.

1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.
Virtual Network Servers. What is a Server? 1. A software application that provides a specific one or more services to other computers  Example: Apache.

Virtual Network Servers. What is a Server? 1. A software application that provides a specific one or more services to other computers  Example: Apache.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.
CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Integrating Lemon Monitoring and Alarming System with the new CERN Agile Infrastructure.

CERN IT Department CH-1211 Genève 23 Switzerland t Integrating Lemon Monitoring and Alarming System with the new CERN Agile Infrastructure.
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
User Management in LHCb Gary Moine, CERN 29/08/2015 1.

User Management in LHCb Gary Moine, CERN 29/08/
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
Successful Deployment and Solid Management … Close Relatives Tim Sinclair, General Manager, Windows Enterprise Management.

Successful Deployment and Solid Management … Close Relatives Tim Sinclair, General Manager, Windows Enterprise Management.
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.

Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
An Introduction to IBM Systems Director

An Introduction to IBM Systems Director
October,18-22 2004 Scientific Linux INFN/Trieste B.Gobbo – Compass R.Gomezel - T.Macorini - L.Strizzolo INFN - Trieste.

October, Scientific Linux INFN/Trieste B.Gobbo – Compass R.Gomezel - T.Macorini - L.Strizzolo INFN - Trieste.
Module 7: Fundamentals of Administering Windows Server 2008.

Module 7: Fundamentals of Administering Windows Server 2008.
SMS 2003 Deployment and Managing Windows Security Rafal Otto Internet Services Group Department of Information Technology CERN 26 May 2016.

SMS 2003 Deployment and Managing Windows Security Rafal Otto Internet Services Group Department of Information Technology CERN 26 May 2016.
IT Security for the LHCb experiment 3rd Control System Cyber-Security Workshop (CS)2/HEP ICALEPCS – Grenoble Enrico Bonaccorsi, (CERN)

IT Security for the LHCb experiment 3rd Control System Cyber-Security Workshop (CS)2/HEP ICALEPCS – Grenoble Enrico Bonaccorsi, (CERN)

Similar presentations

Ads by Google