docs (tornado): document how to install HTTPs services

Author: chaen

docs/source/AdministratorGuide/ServerInstallations/HTTPSServices.rst

@@ -0,0 +1,194 @@
+.. _https_services:
+
+==================================
+Installing HTTPs services in DIRAC
+==================================
+
+.. contents::
+
+Background
+**********
+
+For many years, DIRAC services have been exposed through the historical DISET (``dips://``) protocol.
+Few years ago DIRAC developers started exposing DIRAC services using the HTTPs protocol.
+This page explains how to migrate existing DIPs protocol to HTTPs. For a developer view, refer to :ref:`httpsTornado`.
+
+For a summary presentation you can check `this <https://indico.cern.ch/event/852597/contributions/4331720/attachments/2241040/3799728/HttpsInDIRAC.pdf>`_.
+
+NB: not all DIPs services can be exposed through HTTPs. For a comprehensve list, please refer to :ref:`scalingLimitations`.
+
+General principle
+=================
+
+Contrary to the DISET protocol where each service would have its own process and port opened, HTTPs services are served by a unique process and port, based on Tornado.
+
+There are exceptions to that, due to the use of global variables in some parts of DIRAC. Namely:
+
+* Master CS
+
+All other services can follow the standard procedure described below.
+
+First, the following configuration subsections have to be added to CS::
+
+  # "Main" section
+  DIRAC
+  {
+    Setups
+    {
+      ...
+      Tornado = Production
+    }
+  }
+
+  # Add Tornado to Systems section
+  Systems
+  {
+    ...
+    Tornado
+    {
+      Production
+      {
+        Port = 443
+      }
+    }
+  }
+
+
+Installation of an HTTPs based service
+======================================
+
+This procedure is to be used if you are want to serve a new service with HTTPs.
+
+
+Case 1: you do NOT run the equivalent DISET service
+---------------------------------------------------
+
+This is the most trivial case. Just run ``dirac-install-tornado-service`` with the service you are interested in. This will install an ``runit`` component running ``tornado-start-all``.
+
+Case 2: you run the equivalent DISET service
+--------------------------------------------
+
+Because the CS already contains the handler definition for DISET, ``dirac-install-tornado-service`` will not modify it. Thus, you have to update it yourself, before running the command, otherwise ``tornado-start-all`` will not find any service to run, and the installation will be shown as failed.
+
+Procedure:
+
+#. Update by hand the CS of the desired service:
+
+  * Remove the port definition
+  * Modify the handler to point to the Tornado handler
+  * add ``Protocol=https``
+
+The example the follows is for the "DIRAC File Catalog" (DFC) service. This would normally be in CS as::
+
+  Systems
+  {
+    ...
+    DataManagement
+    {
+      Production
+      {
+        URLs
+        {
+          ...
+          FileCatalog = dips://my.server.org:9197/DataManagement/FileCatalog
+        }
+        Services
+        {
+          ...
+          FileCatalog
+          {
+            ...
+            Port = 9197
+            Protocol = dips
+            ...
+          }
+        }
+        ...
+      }
+    }
+  }
+
+
+And you need to change it to::
+
+  Systems
+  {
+    ...
+    DataManagement
+    {
+      Production
+      {
+        URLs
+        {
+          ...
+          FileCatalog = https://my.server.org:8443/DataManagement/FileCatalog
+        }
+        Services
+        {
+          ...
+          FileCatalog
+          {
+            ...
+            Protocol = https
+            HandlerPath = DIRAC/DataManagementSystem/Service/TornadoFileCatalogHandler.py
+            ...
+          }
+        }
+        ...
+      }
+    }
+  }
+
+
+#. Run ``dirac-install-tornado-service`` or restart the tornado component if already running.
+
+.. note::
+  This means that from now on, the DISET service cannot be restarted anymore, as its configuration would be wrong.
+  So, go ahead and remove (by hand, for now) the `runit`-related directories of the DISET service.
+
+Example of configuration before/after:
+
+.. literalinclude:: /../../src/DIRAC/WorkloadManagementSystem/ConfigTemplate.cfg
+   :start-after: ##BEGIN JobMonitoring
+   :end-before: ##END
+   :dedent: 2
+   :caption: JobMonitoring configuration for DISET
+
+.. literalinclude:: /../../src/DIRAC/WorkloadManagementSystem/ConfigTemplate.cfg
+   :start-after: ##BEGIN TornadoJobMonitoring
+   :end-before: ##END
+   :dedent: 2
+   :caption: JobMonitoring configuration for HTTPs
+
+In any case, do not forget to update the URL of the service you just installed, such that other services can reach it.
+
+
+Adding more tornado instances on a different machine
+====================================================
+
+Simply use ``dirac-install-tornado-service`` with no arguments on the new machine.
+
+
+MasterCS special case
+=====================
+
+The master Configuration Server is different and needs to be run in a separate process. In order to do so:
+
+* Do NOT specify ``Protocol=https`` in the service description, otherwise it will be ran with all the other Tornado services.
+* If you run on the same machine as other TornadoService, specify a ``Port`` in the service description (you can keep the existing 9135, if already there).
+* Modify the content of the Configuration so that URLs are updated to use HTTPs instead of DIPs.
+* Add `HandlerPath = DIRAC/ConfigurationSystem/Service/TornadoConfigurationHandler.py` in the etc/dirac.cfg configuration file of the machine where the master CS is running (needed for bootstrap).
+
+Finally, there is no automatic installations script. So just install a CS as you normally would do, and then edit the ``run`` file like that::
+
+  #!/bin/bash
+    rcfile=/opt/dirac/bashrc
+    [ -e $rcfile ] && source $rcfile
+    #
+    export DIRAC_USE_TORNADO_IOLOOP=Yes
+    exec 2>&1
+    #
+    [ "service" = "agent" ] && renice 20 -p $$
+    #
+    #
+    exec tornado-start-CS -ddd

docs/source/AdministratorGuide/ServerInstallations/index.rst

@@ -12,6 +12,7 @@ This sections constains the documentation for installing new DIRAC Servers or se
 
    InstallingDiracServer
    InstallingWebAppDIRAC
+   HTTPSServices
    centralizedLogging
    rabbitmq
    scalingAndLimitations

docs/source/DeveloperGuide/TornadoServices/index.rst

@@ -17,6 +17,7 @@ This page summarizes the changes between DISET and HTTPS. You can all also see t
 - `Presentation of HTTPS migration <https://docs.google.com/presentation/d/1NZ8iKRv3c0OL1_RTXL21hP6YsAUXcKSCqDL2uhkf8Oc/edit?usp=sharing>`_.
 - `Summary presentation (latest) <https://indico.cern.ch/event/945474/>`_.
 
+For installing HTTPs services, please refer to :ref:`https_services` administration page.
 
 
 *******
@@ -147,29 +148,8 @@ Options available are:
 
 This start method can be useful for developing new service or create starting script for a specific service, like the Configuration System (as master).
 
-
-MasterCS special case
-*********************
-
-The master CS is different because it uses the same global variable (``gConfig``) but uses it also to write config. Because of that, it needs to run in a separate process. In order to do so:
-
-* Do NOT specify ``Protocol=https`` in the service description, otherwise it will be ran with all the other Tornado services
-* If you run on the same machine as other TornadoService, specify a ``Port`` in the service description
-
-Finally, there is no automatic installations script. So just install a CS as you normally would do, and then edit the ``run`` file like that::
-
-  diff --git a/run b/run.new
-  index d45dce1..f5f3b55 100755
-  --- a/run
-  +++ b/run.new
-  @@ -7,6 +7,6 @@
-    [ "service" = "agent" ] && renice 20 -p $$
-    #
-    #
-  -  exec python $DIRAC/DIRAC/Core/scripts/dirac-service.py Configuration/Server --cfg /opt/dirac/pro/etc/Configuration_Server.cfg < /dev/null
-  +  export DIRAC_USE_TORNADO_IOLOOP=Yes
-  +  exec tornado-start-CS -ddd
-
+The master CS is different because it uses the same global variable (``gConfig``) but uses it also to write config. Because of that, it needs to run in a separate process.
+It needs to be started with ``tornado-start-CS`` script.
 
 
 TransferClient
@@ -355,9 +335,17 @@ Two special python packages are needed:
 Install a service
 *****************
 
+Initial install: first modify one config (with port and so on) before running ``tornado-install``
+
 ``dirac-install-tornado-service`` is your friend. This will install a runit component running ``tornado-start-all``.
 Nothing is ready yet to install specific tornado service, like the master CS.
 
+Migrate from dips to https
+**************************
+
+comment out port, set Protocol = https, change handler
+
+
 Start the server
 ****************
 

src/DIRAC/WorkloadManagementSystem/ConfigTemplate.cfg

@@ -17,6 +17,7 @@ Services
       Default = authenticated
     }
   }
+  ##BEGIN JobMonitoring
   JobMonitoring
   {
     Port = 9130
@@ -25,6 +26,8 @@ Services
       Default = authenticated
     }
   }
+  ##END
+  ##BEGIN TornadoJobMonitoring
   TornadoJobMonitoring
   {
     Protocol = https
@@ -33,6 +36,7 @@ Services
       Default = authenticated
     }
   }
+  ##END
   JobStateUpdate
   {
     Port = 9136