GridFTP is a high-performance, secure, reliable data transfer protocol optimized for high-bandwidth wide-area networks. It is based upon the Internet FTP protocol, and it implements extensions for high-performance operation.
GridFTP uses basic Grid security on both control (command) and data channels. Other features include multiple data channels for parallel transfers, partial file transfers, third-party (direct server-to-server) transfers, reusable data channels, and command pipelining.
To use GridFTP, you must have a "certificate". We first show how you use GridFTP assuming you have a certificate. Then we show how to obtain certificates.
The client that NICS supports for GridFTP is globus-url-copy. The URL for the NICS GridFTP is gridftp.nics.teragrid.org. A listing of other GridFTP servers around the TeraGrid can be found here.
For example, to copy everything in Joe's directory on a Lustre file system to the corresponding directory on the XT5, use the following command:
% globus-url-copy -r \
    gsiftp://gridftp-co.ncsa.teragrid.org:2811/joe/ \
    gsiftp://gridftp.nics.teragrid.org/lustre/scratch/joe/
Note that the trailing forward slashes are required for directories. If the -r (recursive) flag is omitted and a directory is being transferred, the files in that directory will be transferred, but not the files in subdirectories.
You may also use GridFTP via uberftp, either with one-liners or interactively. The syntax of uberftp is very similar to sftp.
Certificates can be handled locally or remotely. For one-time use, it is generally easier to use the myproxy server method. However, if you are routinely signing in from the same computer, it is probably worthwhile to set up a local grid certificate.
First, make sure the Globus toolkit is in your path (to check, try which myproxy-init). On Kraken, you must load the Globus module:
kraken> module load globus
Other sites may have it loaded by default, or by a different mechanism. Now you can get a proxy certificate from the main myproxy server:
kraken> myproxy-logon [-l TG_Portal_Username]
Enter MyProxy pass phrase:
A credential has been received for user userjd in /tmp/x509up_u000.
By default, myproxy-logon uses your current username. You must specify your TeraGrid Portal username if it is different. For your pass phrase, enter your TeraGrid Portal password. This credential is only valid for 12 hours by default, though this may be lowered with the -t flag.
This method requires that you create a Grid Certificate. This may be used to create proxy certificates, and is valid for a year.
userjd@local:~> ssh userjd@tg-login.ncsa.teragrid.org
[...]
userjd@ncsa:~> ncsa-cert-request
To continue, please enter the NCSA Kerberos password for userjd:
For increased security, your NCSA default password is also needed.
To continue, please enter the NCSA default password for userjd:
[...]
Please enter your private key encryption passphrase:
Verifying private key passphrase, please reenter passphrase:
Your "NCSA default password" is as it appears on the password sheet you received when first receiving a TeraGrid account—this also had your initial Portal password. When you set your "private key encryption passphrase," note that it must be at least 12 characters.
You should now have a .globus folder with your grid certificate. You need to put this on the machine you wish to log in from, Kraken in this instance. This machine must have Grid capabilities.
userjd@ncsa:~> scp -r \
    ~/.globus userjd@kraken-pwd.nics.teragrid.org:~/.globus
Creating the Proxy Certificate: Every Time
Now log in to the machine you wish to log in from. Make sure the Globus tools are in the path, and enter the following:
userjd@some:~> grid-proxy-init
Your identity: [...]
Enter GRID pass phrase for this identity:
Creating proxy ............................. Done
Your proxy is valid until: [...]
Enter the 12+ character passphrase you chose when creating the cert, and you should be good to connect to TeraGrid sites without further passwords for the duration of the proxy.
Proxy certificates are usually valid for 12 hours. If you finish early, it is a good practice to remove the proxy certificate using grid-proxy-destroy. To check a proxy certificate, use grid-proxy-info, or to check a grid certificate, use grid-cert-info. In general, myproxy-* commands communicate with the myproxy server, grid-proxy-* commands deal with your proxy certificate, and grid-cert-* commands deal with your local grid certificate.
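The checks below, as an added example that is not NICS or Globus code, run before a recursive globus-url-copy: both URLs must end in a slash, and the proxy file must be a private regular file owned by you. The function names are hypothetical; X509_USER_PROXY is the standard Globus override for the proxy location, and the default path follows the /tmp/x509up_u000 form shown above.

```shell
#!/bin/sh
# Added example (not NICS or Globus code); function names are hypothetical.

# Proxy location: X509_USER_PROXY if set, else /tmp/x509up_u<uid>, the form
# shown in the myproxy-logon output above.
proxy_path() {
    printf '%s\n' "${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}"
}

# The proxy file holds an unencrypted private key in a shared directory, so
# require: regular file, not a symlink, owned by us, no group/other bits.
proxy_file_ok() {
    f=$(proxy_path)
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    case $(ls -ld -- "$f") in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Directory URLs must use gsiftp:// and end in "/" (required for directories).
dir_url_ok() {
    case $1 in
        gsiftp://*/) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if all checks pass, 2 for a bad URL, 3 for a bad proxy file.
preflight() {
    dir_url_ok "$1" || { echo "source: need gsiftp:// and trailing /" >&2; return 2; }
    dir_url_ok "$2" || { echo "destination: need gsiftp:// and trailing /" >&2; return 2; }
    proxy_file_ok || { echo "proxy missing or not private: $(proxy_path)" >&2; return 3; }
}

# Check, transfer recursively, then remove the proxy instead of leaving it
# in /tmp for the rest of its 12-hour lifetime.
transfer_dir() {
    preflight "$1" "$2" || return
    grid-proxy-info -exists || { echo "no valid proxy" >&2; return 4; }
    globus-url-copy -r "$1" "$2"
    rc=$?
    grid-proxy-destroy
    return "$rc"
}
```

Call it as transfer_dir followed by the source and destination gsiftp:// URLs.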
gsissh is OpenSSH, which has been modified to use the security described above. If grid-proxy-info shows that you have a proxy, you should be able to connect to any gsissh-enabled machine. Note that not every target supports gsissh: kraken-pwd (tg-login-pwd) does support it, but kraken, login, and verne at NICS only accept OTP authentication. If GSI authentication fails, gsissh will default to standard keyboard-interactive.
ncsa> gsissh kraken-pwd.nics.teragrid.org
It is not necessary to specify a username; your proxy identity is automatically mapped to the username on the machine you are trying to access.
You now have the required proxy certificate and can use GridFTP.
This package has the following support level: Supported
All versions of this software are provided by the system vendor and are not installed by NICS staff.