GridFTP

From PHASTA Wiki
Revision as of 17:22, 29 August 2011 by Mrasquin (talk | contribs)
Jump to: navigation, search

Introduction

GridFTP is a high performance file transfer tool supported by many of the large super-compute sites. It uses parallelism to hide the effects of latency and TCP's congestion controls.

GridFTP is part of the larger Globus Toolkit, which also includes (among other things) a custom PKI based authentication mechanism. This can be used to achieve password-less authentication with supported sites (most of TeraGrid for example).

Setup

GridFTP should already be in your path and configured by default on jumpgate-phasta.colorado.edu. If it is not (due to unusual shell configuration or other issues) you can usually get it by running

 source /etc/profile

To test if you have GridFTP in your path correctly you can run these command (each should give you some output)

 which globus-url-copy
 which myproxy-logon
 echo $GLOBUS_LOCATION
 echo $LD_LIBRARY_PATH | grep gt5

To use sshftp mode, you'll also want to have a SSH preshared key configured with your account, (either without a password, or with ssh-agent)

Authentication

Most sites support the use of "GSI" password-less authentication. If the site you want to connect to offers this option, you probably want to use it.

The way GSI authentication is usually implemented uses a tool called "myproxy" which generates a key which you can use for a short time to authenticate without a password.

The first step to using GSI authentication is to install the necessary certificates in your home directory. Most sites will allow you to do this automatically using the myproxy tool's "-T" option. You only need to use this option the first time you use myproxy.

For example, to configure my account to connect to the GridFTP/myproxy server at ANL, I could use this command:

 myproxy-logon -T -l matthb -t 300 -s gs1.intrepid.alcf.anl.gov

This command can be disected as follows: -T tells myproxy to fetch the trust roots (CA, etc). You should only need to do this the first time you connect to a particular server and when the server's CA is updated.

-l matthb specifies my username (replace "matthb" with your username)

-t 300 specifies that I want my session key to expire in 300 hours (the default is 24)

-s gs1.intrepid.alcf.anl.gov specifies the myproxy server (*not* necessarily the gridftp server)


Common myproxy Servers

Intrepid and Eureka (ALCF/ANL)

 gs1.intrepid.alcf.anl.gov

(authenticate with your CryptoCard and pin)

Teragrid (Kraken, Ranger, etc)

 myproxy.teragrid.org

(authenticate with your Teragrid portal username/password)

  • -phasta.colorado.edu
 myproxy-phasta.colorado.edu

(authenticate with your normal UNIX/LDAP username/password) (coming soon)

GSISSH

Once you have a GSI key/ticket, many sites allow you to use it to gain shell access as well as do file transfers. For example, even if I don't have my SecureID for Kraken handy, I can still log-in using GSI and my TeraGrid credentials as follows:

 ssh jumpgate-phasta.colorado.edu
 myproxy-logon -T -l myteragriduser -s myproxy.teragrid.org
 gsissh -v mykrakenuser@kraken-gsi.nics.utk.edu

GridFTP

The primary tool for doing GridFTP transfers is called "globus-url-copy" To see it's complete usage you can run

 globus-url-copy -help

In general, you should start with the following set of options:

 globus-url-copy -r -cd -rst -rst-retries 0 -fast -vb -p 64 -g2 -stripe -tcp-bs 4M

followed by your source and destination URLs.

To transfer to/from jumpgate-phasta.colorado.edu your URL should look something like this

sshftp://username@jumpgate-phasta.colorado.edu/users/username/file

Please see the site specific documentation for other site's URLs. These URLs may be helpful to get you started: https://wiki.alcf.anl.gov/index.php/Using_GridFTP https://www.teragrid.org/web/user-support/transfer_location http://www.olcf.ornl.gov/kb_articles/gridftp/

Recent versions of globus-url-copy also support a mode which behaves somewhat like rsync, enabled by the

 -sync -sync-level 3

flags.

A complete example to copy a directory from ALCF to jumpgate would be:

 globus-url-copy -r -cd -rst -rst-retries 0 -fast -vb -p 64 -stripe -tcp-bs 4M -g2 -sync -sync-level 3 gsiftp://gridftp.intrepid.alcf.anl.gov/intrepid-fs0/users/matthb/scratch/ sshftp://matthb2@jumpgate-phasta.colorado.edu/scratch/matthb2/scratch_from_anl/

UberFTP

A simpler (but less powerful) tool to do GridFTP transfers is UberFTP. First get a certificate from myproxy as before then run:

 uberftp hostname

Set the number of streams with

 parallel 128

then interact as you would with traditional ftp. The full list of commands is available by typing "help"

 UberFTP> help
 Usage "help [topic]" where topic is one of:
 !               ?               active          ascii             binary          
 blksize         bugs            bye             cat             cd              
 cdup            chgrp           chmod           cksum             close           
 dcau            debug           dir             family            get             
 glob            hash            help            keepalive          lcat            
 lcd             lcdup           lchgrp          lchmod            lclose          
 ldir            lls             lmkdir          lopen             lpwd            
 lquote          lrename         lrm             lrmdir          ls              
 lsize           lstage          mget            mkdir           mode            
 mput            open            order           parallel        passive         
 pbsz            pget            pput            prot            put             
 pwd             quit            quote           rename          resume          
 retry           rm              rmdir           runique           size            
 stage           sunique         tcpbuf          versions            wait            

You probably will need at least the "ls", "get", "put", and "mget"/"mput" commands

GridFTP Tuning

Depending on the network conditions, you can see massive GridFTP can perform very well or very poorly. You can often improve things by changing a few parameters:

 -p 64

Specifies that you want to use 64 streams. Because TCP needs to receive an acknowledgment before more data can be sent latency can drastically reduce performance over long distances. By adding more streams you can increase the amount of in-transit data and somewhat hide the effects of latency. If performance is poor try increasing this number until you stop seeing improvement. Using excessive numbers of streams won't help and will increase the load on the servers involved. You shouldn't need more than one or two more doublings of the value recommended here.

 -pp

Enable pipelining. This can help with large number of files (particularly relatively small ones), but can also be buggy. If your transfers hang, try disabling this. If you're transferring lots of files, try enabling it.

 -cc 4

Split the transfer over several (4 in this case) concurrent GridFTP sessions. This can also help with large numbers of small files. Use sparingly, and disable if you experience stalled/crashed transfers.

 -sync-level 3

If you're using "sync" mode (similar to rsync) this determines the algorithm used to decide which files need to be (re) transferred. Level 3 uses checksums and will be the most reliable, but slowest. Level 2 is probably fine for most uses. See the globus-url-copy documentation for all the options.

More Examples

Kraken:

 myproxy-logon -T -l teragriduser -s myproxy.teragrid.org
 globus-url-copy -dbg -r -cd -rst -rst-retries 0 -pp -fast -vb -p 64 -stripe -tcp-bs 4M -g2 gsiftp://user@gridftp.kraken.nics.teragrid.org:2811/lustre/scratch/bmatth/test.img sshftp://user@jumpgate-phasta.colorado.edu/scratch/user/

Script to transfer from Kraken to jumpgate-phasta and vice versa (easy to update for other destinations): transfer.sh

Note that it is faster to transfer a tar file than a directory that contains many files. But to tar or untar an archive on Kraken or Intrepid can take much more time so that it is recommended (so far) not to tar any directory and transfer its content directly.

Troubleshooting

If you get a message from myproxy that looks like this, try adding the "-b" option as prompted the (you should only need this option the first time you connect)

 Error authenticating: GSS Major Status: Authentication Failed
 GSS Minor Status Error Chain:
 globus_gss_assist: Error during context initialization
 OpenSSL Error: s3_clnt.c:985: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE:   certificate verify failed  
 globus_gsi_callback_module: Could not verify credential
 globus_gsi_callback_module: Can't get the local trusted CA certificate: Untrusted self-signed   certificate in chain with hash 9b95bbf2
 
 The CA that signed the myproxy-server's certificate is untrusted.
 If you want to trust the CA, re-run with the -b option.


You command would then look something like this

 myproxy-logon -s myproxy.teragrid.org -l matthb2 -T -b