1. Artem Trunov, Günter Quast EKP – Uni Karlsruhe
Phedex and VO BOX
Artem Trunov, Günter Quast
EKP – Uni Karlsruhe

2. What is a VO Box
It’s a machine configured as LCG/gLite UI plus a couple of services:
Gsissh daemon
for remote login with a X509 certificate
Proxy renewal daemon
To keep admin’s proxy alive for a longer time (to run Phedex)
A standard LCG concept to run experiment’s services at sites, when needed
Adopted by LHCb, Atlas (T1s), Alice (all LCG sites)
CMS does not officially require a VO BOX, but since this is a standard, convenient and more secure setup, sites could still take advantage of it.
At CMS VO Box model is employed at Lyon, and possibly at some other sites.

3. CMS VO Box at T1 GridKa Approved
cms-fzk.gridke.de machine will be setup as a VO BOX
CMS will have a gsissh login as cmssgm
This account will be used to run CMS Phedex service instead of current cmsadmin account.
Initially, a static grid-mapfile will be maintained.
Artem to name a short list of people whose DN will be in this list.
Later, The following will be used: a new role "phedex" will be created in D-CMS group of CMS VOMS. Only phedex and software managers for DECH federation will have this role.
GridKa admins will extend a gridmapfile making script to read this info from the CMS VOMS and map people with this role to cmssgm account on the cms-fzk machine.
Artem to find out if gsissh from gLite package will honor VOMS extensions of the new glite grid-mapfile format.
This cmssgm account will be naturally used for fixes and updates in the $VO_CMS_SW_DIR area, as it's configured +w for cmssgm.
cmsadmin account will be kept as it exists right now, until a new procedure allowing special privilegies for cms admins and users in need to debug jobs is worked out. Time scale - weeks.
Thanks to Manfred Alef, Ingrid Schaffner from GridKa for working with us on this deployment model.

4. CMS VO Box at all DECH sites
Proposal
Identical environment everywhere.
Standard setup helps to reduce burden of management at a single site.
Will make a “Phedex expert network” where all experts can login to all VO Boxes and fix/detect/report problems
Still a primary site expert exists, who knows well site’s storage and grid environment. But he is covered when he is not available for any reasons
Especially important for providing maximal uptime of services (think service challenge or next year production)
The same people should be able to work in the $VO_CMS_SW_DIR area – install new SW, fix grid installation.
Phedex experts will have a role “phedex” within the DCMS group in LCG VOMS
Etiquette
Non-local experts will have to report in detail their intervention
Drastic configuration changes have to be made by local experts or with their approval
Login scripts should provide a login banner and/or a README file describing local setup, i.e. Phedex dir, etc.

5. Backup slides

6. More on the VO BOX at GridKa
We will discuss a possibility to setup identically all VO boxes at GridKa, so that if one fails (hardware problem), another can be used as a hot spare.
Logins and mapping to *sgm account are standard
VO SW will have to be installed and newly configured when switching the boxes.
The idea is also verified at Lyon, use ALICE and CMS boxes
ALICE responsible (Killian), is in favor of this.
GridKa right now doesn’t provide a hot spare machine, but commits to replace a box on the following day.
This may be too long when real data is coming!
Shared VO Box setup provides a hot spare for free.