Job Submission Tutorial

Job Submission Tutorial

Grid Induction
NA3 Training Team, Israel

After this tutorial you will be able to submit a simple job to the Grid and retrieve its output.

We will first learn how to submit jobs through the command line UI.
All commands and output will look like this

% This is the command
This is the output

Prerequisites - a certificate, joining a VO and accessing a User Interface (UI) machine

There are 3 prerequisites for starting this workshop:

Receiving a certificate.
Signing for a VO.
Obtaining access to a User Interface (UI) machine.

Gilda tutorial users	Grid users
You already have a certificate and were temporarily added to GILDA VO for the purpose of the tutrial	Follow the Instructions for joining the grid document, which describes the steps needed for fulfilling these prerequisites

Connecting to the UI

Users of Unix/Linux can login directly via ssh to the specific machine.

Windows users can use PuTTY or any other ssh terminal window such as Tera Term.

Below are examples of available tools.

Gilda tutorial users	Grid users
You have to connect to glite-tutor.ct.infn.it server with the login name and password given to you by the instructor. Please see Be'er Sheva-specific details	Connect to your account on the CS servers.

Before we begin, a clarification regarding passwords that are used throughout the tutorial:

There are typically two passwords involved.

The user and password of your account (your UI -the entering point to the grid).
GRID pass phrase - The password that protects the private key of the certificate.
It is not necessarily the one given when exporting the certificate from a browser.
This is the password needed in the command line in order to create a proxy certificate.
The certificate (a file containing your private key, protected by password) is located at a directory called .globus under your root directory.

Users that use the graphic user interface (GUI) will encounter a third password:

MyProxy pass phrase - The passphrase which relates to myproxy.
The user will give on when initializing MyProxy (see MyProxy section)

Installing the certificate

Gilda tutorial users

Grid users

Your certificate is already installed under the .globus directory.
Nothing further is needed.

This operation is needed only once when receiving a new certificate

Please create a directory called .globus under your root directory
and place the certificate (a file containing your private key, protected by password) in it.

% mkdir .globus

% mv MyCertificateFile .globus

Create userkey.pem which contains the private key.
The first required password is the one given when exporting the certificate from your browser.
The second protects the created userkey.pem file. They can be the same.

% openssl pkcs12 -nocerts -in MyCertificateFile -out userkey.pem

Create usercert.pem which contains the public key
The required password is the one given when exporting the certificate from your browser. No need for protecting the created usercert.pem file.

% openssl pkcs12 -clcerts -nokeys -in MyCertificateFile -out usercert.pem

Allow the public key to be read by anyone, but only deleted by the owner.

% chmod 644 usercert.pem

Allow only the owner to have read-access to the private key.

% chmod 400 userkey.pem

You can see your certificate info using the command

% grid-cert-info

Using the VO

Gilda tutorial users	Grid users
Replace the VO name MyVO with gilda in all relevant commands.	Replace the VO name MyVO with your chosen VO, such as see or biomed in all relevant commands.

Some of the outputs are taken from runs on the see VO. Using other VOs affects only the name convention of the computing elements and WMS.

Creating a proxy

Now that we have the certificate installed, we need to produce a proxy for running jobs through the command line UI. This proxy is used to authorize actions on all Grid elements (SE, CE, RB....) and avoids the need for sending your key over the network.

The command that creates a proxy that the UI machine will attach to any job you submit is

% voms-proxy-init --voms MyVO
Enter GRID pass phrase:
Your identity: <your certificate details>
Creating temporary proxy .................................................................. Done
Contacting <voms server> Done

Creating proxy ....................................................... Done
Your proxy is valid until <12 hours from request>

It will create a proxy valid for 12 hours. Uses the password of the userkey.pem.

Note: VOMS means VO Membership System which enables a person to be a part of more than one VO (which was not possible in the past)
This is why it is contacting the VOMS (a database) to verify your VO in the output and why you need to specify the --voms flag.

You can check your proxy status using

% voms-proxy-info --all
subject : <your certificate details with the additional specification that it is a proxy>
issuer : <your certificate details>
identity : <your certificate details>
type : proxy
strength : 512 bits
path : /tmp/x509up_u1860
timeleft : <12 hours from request>
=== VO MyVO extension information ===
VO :MyVO
subject : <your certificate details with the addiotional specification that it is a proxy>
issuer : <your certificate details> with specification that it is voms
attribute : /see/Role=NULL/Capability=NULL
timeleft : <12 hours from request>

Note: The --all flag is used to show the voms extension

Running a job

For now, let's start with a simple jdl we will call hostname.jdl:

Type="Job";
JobType="Normal";
Executable = "/bin/sh";
StdOutput = "hostname.out";
StdError = "hostname.err";
InputSandbox ={"start_hostname.sh"};
OutputSandbox = {"hostname.err", "hostname.out"};
RetryCount = 3;
Arguments = "start_hostname.sh";
VirtualOrganisation="MyVO";
Requirements = other.GlueCEPolicyMaxWallClockTime < 86000;

Which calls the shell script start_hostname.sh

#!/bin/sh
sleep 5
hostname -f

As you can see, this jdl describes a regular job running a shell script.

The executable is the shell and the argument is the simple shell script which sleeps for 5 seconds and returns the host name. The shell script has also to be transferred in the InputSandbox.
Putting the shell script name as the executable is also possible.
Pay attention that you do not need to put the executable in the InputSandbox, because there is a shell executable already present on the running CEs.
A proprietary executable has to be included in the InputSandbox.
The error and output are inserted to hostname.err and hostname.out files respectively and are destined to be retrieved through the OutputSandbox variable.
The requirements of type other.GlueCEPolicyMaxWallClockTime are important when specifying the > sign.
It ensures that if we have a long job, we will not arrive at a CE that removes too long jobs and get aborted.
We've put the Virtual Organisation under which the job will run. We also want it to retry in case of failure at most 3 times.

Please create the previous two files anywhere under your home directory, via:

Editing tool such as VI, pico, emacs etc. You can paste it from this page.
Windows users can edit on their local machine and copy using, for instance, WinSCP.

Now Let's get to work...

There are two ways now to submit a job - the fast and annoying or the slower and easy.
Every job submission need to delegate the proxy certificate to the broker called WMProxy.
This can be done on each submission automatically, making it slightly slower or can be done once explicitly before all submissions.
For doing it explicitly, choose a string identifier with the following command

% glite-wms-job-delegate-proxy -d MyString
Connecting to the service https://wms.phy.bg.ac.yu:7443/glite_wms_wmproxy_server

================== glite-wms-job-delegate-proxy Success ==================
Your proxy has been successfully delegated to the WMProxy:
https://wms.phy.bg.ac.yu:7443/glite_wms_wmproxy_server

with the delegation identifier: MyString

==========================================================================

The command for job submission is glite-wms-job-submit. The minimum parameters are

the type of delegation of the proxy.
either -d DelegIDString if you used glite-wms-job-delegate-proxy or automatic delegetion using -a flag
the jdl name to run

Submit your first job with the command (we'll use automatic delegation, but you can use explicit)

% glite-wms-job-submit -a hostname.jdl
Connecting to the service https://wms.phy.bg.ac.yu:7443/glite_wms_wmproxy_server

====================== glite-wms-job-submit Success ======================

The job has been successfully submitted to the WMProxy
Your job identifier is:

https://wms.phy.bg.ac.yu:9000/qTijWt8ofnnKzGU5RtxWwA

==========================================================================

you get in response a job identifier in the form of a URI (as in the example above).
Tip: use the -o MyJobIdFile if you don't want to remember the job ids and to be able to query all of them at once.

Check your job status until you get the status of Done using

% glite-wms-job-status MyJobID
*************************************************************
BOOKKEEPING INFORMATION:
Status info for the Job : https://glite-rb.ct.infn.it:9000/bBo1R79o4R00pSceyRMo6w
Current Status: MyJobStatus
Submitted: Thu Aug 24 10:19:36 2006 CEST
*************************************************************

And when it's done you'll get

*************************************************************
BOOKKEEPING INFORMATION:
Status info for the Job : https://glite-rb.ct.infn.it:9000/bBo1R79o4R00pSceyRMo6w
Current Status: Done (Success)
Exit code: 0
Status Reason: Job terminated successfully
Destination: ce01.afroditi.hellasgrid.gr:2119/jobmanager-pbs-see
Submitted: Thu Feb 14 22:05:37 2008 IST
*************************************************************

Now we can retrieve the files listed in OutputSandbox. Be aware that the directory specified will be created.
If a directory already exists, you will receive a warning that it will be overwritten and a prompt asking whether you approve.
Pay attention that the --dir flag must come before the URI (even when taken from a file using -i job.id)

% glite-wms-job-output --dir output MyJobId;
Connecting to the service https://147.91.84.25:7443/glite_wms_wmproxy_server

================================================================================
JOB GET OUTPUT OUTCOME

Output sandbox files for the job:
https://wms.phy.bg.ac.yu:9000/S0NjHO5qKS72qrPtRBYBLA
have been successfully retrieved and stored in the directory:
/home/<your account>/output

*********************************************************************************

You can verify that the status has changed to CLEARED.

% glite-wms-job-status MyJoBID
*************************************************************
BOOKKEEPING INFORMATION:

Status info for the Job : https://wms.phy.bg.ac.yu:9000/S0NjHO5qKS72qrPtRBYBLA
Current Status: Cleared
Status Reason: user retrieved output sandbox
Destination: ce01.afroditi.hellasgrid.gr:2119/jobmanager-pbs-see
Submitted: Thu Feb 14 22:06:37 2008 IST
*************************************************************

That's it, You've submitted a job yourself !

Let's recap on the preparations and running:

We installed the certificate.
We created a proxy (for 12 hours).
We ran the job, got a unique job description which we used both to inspect the status and retrieve the output.

Tip: If you don't want to type the VO name every time (with --vo option), you can set the following environment variable to your vo:

% export LCG_GFAL_VO=MyVO

For more complex jobs such as DAG, Collection and Parametric jobs see the Advanced topics part of the tutorial.

Q: Hold on a second - what happens if my job is longer than the proxy life time (12 hours)?

A: Whoops. You're job is aborted. But have no fear, MyProxy is here.

Lets learn about MyProxy