Secure webbased access to the farm

1
Secure web-based access to the farm

• Ian Bird
• Jefferson Lab
• HEPiX

2
JLAB Batch Farm - an update - and Linux

• Ian Bird
• Jefferson Lab
• HEPiX

3
Outline

• Batch farm
• Overview
• Status and plans
• secure access

• Linux use
• some comments

4
Batch farm

• Goal - accept and process a data rate of 10MB/S
  in real time
• Data flow
• experiment - dual ported RAID copied via
  fibre-channel into silo.
• staged out and into farm nodes (on dedicated
  switched network segments)
• process and stage back into silo and/or to RAID
  work areas

5
Batch Farm
bb
ep
(Planned FY98)
ep
(Hall A)
FastE
ep
Data Server
Hall B
Sun 2000E
ATM
Central Batch Interactive CPU Farms
100 MB/s
RedWood Tape drives
FastE Switch
Ethernet
Sun 4000E
Stage In
RAID
100 GB
Work Server
Work RAID
Stage out
RAID
200 GB
Sun 3000E
100 GB
AIX, HP-UX, Solaris Systems
6
Software architecture
Database
Farm
JDBC
DB Server
LSF
Farm submission
controlled by
LSF
JobServer
Tape Silo
TapeServer
Data transfer
uses OSM
User Interface
User interface
graphical or
command-line
7
Components

• LSF for job scheduling
• users do not see LSF
• JobServer provides remote access to LSF
• command line interface
• GUI in development
• User asks to process a list of files
• we take care of generating the appropriate jobs
• extracting and moving the data to/from the farm

8
Components

• Tape access - via OSM
• controlled by TapeServer
• guarantees drives for incoming raw data
• prioritizes and schedules other requests
• try to ensure optimum use of drives

9
Components

• Database (Ingres)
• state of all requests (pending, running and
  finished)
• used by servers to monitor state of jobs
• used to do error recovery
• Database server is an object interface to the
  RDBMS (in the new version)

10
Farm - status

• In operation since April
• Mainly used by low-rate experiments
• Seen data transfer rates gt 6 MB/s
• ping-pong mechanism works
• Expect full data rate end of the year

11
Farm - status

• Java
• hidden from users
• has not been a problem,
• software runs on most platforms as-is
• HP-UX JIT
• Linux 1.1.3 has bug in finding user id
• Teething troubles
• mainly with the JDBC product connecting to the
  Ingres database

12
Farm - future

• Expect to increase CPU power by 200 SPECint95
  later this year
• Dual-processor PentiumII/Linux

13
Pentium II
from http//www.intel.com
14
Performance

• Our local benchmarks
• JLAB analysis programs
• prime number search (floating point!)
• 266 MHz PII / 200 MHz Ppro
• 33 faster - agrees well with clock speed and
  SPECint95 ratios
• Price/performance - same within 5/SPECint95 for
  PPro200/PII233/266/300
• 5-6 better than current Sun/IBM farm

15
Farm - future

• Plans to provide 2 TB of RAID disk for analysis
• 1 TB on order, expand to 2 TB next year
• needs to be managed
• How can we best use OSM, do we need HPSS?
• Intelligent local data access - remote analysis
• even 10 of 300 TB/year is a lot of DLTs

16
Web based access

• Secure means
• authenticated users
• We have a secure web server running stronghold on
  top of apache
• applet clients will authenticate to the web
  server
• web server will then connect the client to the
  application server
• further communication is direct

17
applet
1. authenticate
Web server
3.direct
2. connect authenticated client to server
Farm
Server
Local client
Database
18
Web access

• To provide
• remote job submission
• remote tape handling
• remote database queries
• same mechanism for remote analysis
• need to define the model for this

19
Linux

• Some comments

20
Linux at JLAB

• As a central system
• treated as any other Unix system
• almost
• On the desktop
• problems

21
Linux as a central system

• Linux systems in the farm and ifarm
• no special problems
• provide same environment
• provide Linux apps like any other
• allow read-only export of certain file-systems
• This is available now

22
Linux on the desktop

• Cheap, easy to install
• well, only if you know what youre doing
• Often installed with no thought of maintenance,
  infrastructure support etc.
• Usually installed with everything on it
• including things with security holes
• I didnt know I was running a web server

23
Linux desktop - cont..

• Why cant I have the same /home?
• We dont have AFS or DFS (yet)
• Why cant I write on that disk?
• root access
• Perhaps you can..
• CIFS - SMB client access to fileserver

24
Linux policy

• Linux desktops are a reality
• Computer center will not support them
• but we will help given limited manpower
• Encourage use of NT desktops
• central Unix services are sufficient
• Assistance
• provide semi-generic pre-configured kernels
• standardize on RedHat 4.1/2
• provide all recommended patches

25
Future

• Linux is a stopgap
• lets us use cheap PCs in a way we already
  understand
• Our farms will be NT in 2 years?