Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customisable policies. The data can be spread across globally distributed locations and across heterogeneous data centers, uniting different storage and network technologies as a single federated entity. Rucio offers advanced features such as distributed data recovery or adaptive replication, and is highly scalable, modular, and extensible. Rucio has been originally developed to meet the requirements of the high-energy physics experiment ATLAS, and is continuously extended to support LHC experiments and other diverse scientific communities.
This repository contains the Docker container and configuration file templates for the new React Based WebUI. For the older WebUI, please go here.
Instructions to use and deploy the docker image for the new Rucio WebUI can be found here. General information and latest documentation about Rucio can be found here.
This section decribes deploying the Rucio WebUI via Docker. For Kubernetes deployment, please refer to the helm-charts instead.
This image provides the Rucio WebUI which works as a web frontend to the Rucio server. The WebUI container can be built with the following command, where TAG
is the version of the webui to be used (should already be available on rucio/webui repository) and the build context is the directory containing the Dockerfile:
docker build --rm --no-cache --platform=linux/amd64 --build-arg TAG=33.0.0 -t rucio-webui:33.0.0 .
For ARM based platforms (For eg, Apple Silicone), the --platform
flag should be set to linux/arm64
instead.
docker build --rm --no-cache --platform=linux/arm64 --build-arg TAG=33.0.0 -t rucio-webui:33.0.0 .
Pre-built images are available on Docker Hub.
A WebUI instance with the minimal configuration can be started like this:
docker run \
--name rucio-webui \
-p 80:80 -p 443:443 \
-e RUCIO_ENABLE_SSL=False \
-e RUCIO_HOST=<rucio_server_url> \
rucio/rucio-webui:latest
The <rucio_server_url>
must point to the instance of rucio-server that the WebUI will connect to. The WebUI will be available at http://<host>:80
. Please note that without SSL, the WebUI will not be able to perform x509
authentication workflow.
To start the WebUI container with TLS Termination and x509 authentication, you must provide host certificate, key and the the CA certificate as volumes.
docker run --rm --name rucio-webui \
-e RUCIO_WEBUI_HOSTNAME=<public_hostname_of_webui> \
-e RUCIO_WEBUI_ENABLE_SSL=false \
-e RUCIO_WEBUI_RUCIO_HOST=<rucio_server_url> \
-e RUCIO_WEBUI_RUCIO_AUTH_HOST=<rucio_auth_server_url> \
-e RUCIO_WEBUI_PROJECT_URL=atlas.cern.ch \
-e RUCIO_WEBUI_MULTIVO_ENABLED=true \
-e RUCIO_WEBUI_VO_LIST=def \
-e RUCIO_WEBUI_VO_DEFAULT=def \
-e RUCIO_WEBUI_VO_DEF_NAME=default \
-e RUCIO_WEBUI_VO_DEF_LOGO=https://ep-news.web.cern.ch/sites/ep-news.web.cern.ch/files/RUCIO1.jpg \
-e NODE_EXTRA_CA_CERTS=/etc/grid-security/ca.pem \
-e RUCIO_WEBUI_OIDC_ENABLED=false \
-p 80:80 \
-p 443:443 \
--mount type=bind,src=$(pwd)/ca-bundle.pem,target=/etc/grid-security/ca.pem \
rucio-webui-33.0.0-alpha.1
The WebUI container can be configured using environment variables. There are two categories of the environment variables:
- NextJS Configuration
- Web Server (Apache) Configuration
The following sections list the available configuration variables:
The following environment variables are used to configure the NextJS App. As a convention, the environment variables are prefixed with RUCIO_WEBUI_
and are generated by the env-generator tool , which creates the environment file used by the NextJS application. When running the container, the -e
flag must specify the FULL_NAME
of the corresponding environment variable.
Variable Name | Full Name | Description | Example | Default |
---|---|---|---|---|
RUCIO_HOST | RUCIO_WEBUI_RUCIO_HOST | URL for the Rucio Server | https://rucio-lb-prod.cern.ch | |
RUCIO_AUTH_HOST | RUCIO_WEBUI_RUCIO_AUTH_HOST | URL for the Rucio authentication server | https://rucio-auth-host.ch:443 | |
HOSTNAME | RUCIO_WEBUI_HOSTNAME | Public HOSTNAME at which Rucio WebUI will be accessible. It may include port number. | rucio-ui.cern.ch | |
ENABLE_SSL | RUCIO_WEBUI_ENABLE_SSL | Enable or Disable TLS Termination (true or false) | true | false |
PROJECT_URL | RUCIO_WEBUI_PROJECT_URL | Public URL for your project | https://atlas.cern.ch | |
VO_DEFAULT | RUCIO_WEBUI_VO_DEFAULT | Short name for the default VO used for authentication | def | def |
VO_LIST | RUCIO_WEBUI_VO_LIST | CSV string containing the list of supported VOs | def, atl, cms | def |
MULTIVO_ENABLED | RUCIO_WEBUI_MULTIVO_ENABLED | Whether to enable multi-VO config (true or false) | true | |
OIDC_ENABLED | RUCIO_WEBUI_OIDC_ENABLED | Enable or Disable OIDC Authentication (true or false) | true | |
OIDC_PROVIDERS | RUCIO_WEBUI_OIDC_PROVIDERS | CSV string containing names of OIDC Providers | cern, indigo |
For each VO
specified in the VO_LIST
variable, additional variables need to be specified. These variables should be added in the following format:
RUCIO_WEBUI_VO_<VO_SHORT_NAME>_<VARIABLE_NAME>=<VARIABLE_VALUE>
. An example for the default VO is shown below:
Variable Name | Full Name | Description | Example | Default |
---|---|---|---|---|
VO_DEF_NAME | RUCIO_WEBUI_VO_DEF_NAME | Full name of the default VO | default | |
VO_DEF_LOGO | RUCIO_WEBUI_VO_DEF_LOGO | URL to the logo of the default VO that will be rendered on the login page | ||
VO_DEF_OIDC_ENABLED | RUCIO_WEBUI_VO_DEF_OIDC_ENABLED | Enable or Disable OIDC Authentication for the default VO (true or false) | true | |
VO_DEF_OIDC_PROVIDERS | RUCIO_WEBUI_VO_DEF_OIDC_PROVIDERS | CSV string containing names of OIDC Providers for the default VO | cern, indigo |
For each OIDC Provider
specified in the OIDC_PROVIDERS
variable, the additional variables need to be specified. The variables should be added in the following format:
export RUCIO_WEBUI_OIDC_PROVIDER_<PROVIDER_NAME>_<VARIABLE_NAME>=<VARIABLE_VALUE>
. An example for the CERN OIDC provider is shown below:
Variable Name | Full Name | Description | Example | Default |
---|---|---|---|---|
OIDC_PROVIDER_CERN_CLIENT_ID | RUCIO_WEBUI_OIDC_PROVIDER_CERN_CLIENT_ID | The client id for the webui registered on the OIDC Provider dashboard | ||
OIDC_PROVIDER_CERN_CLIENT_SECRET | RUCIO_WEBUI_OIDC_PROVIDER_CERN_CLIENT_SECRET | The client secret for the webui obtained from the OIDC Provider | ||
OIDC_PROVIDER_CERN_AUTHORIZATION_URL | RUCIO_WEBUI_OIDC_PROVIDER_CERN_AUTHORIZATION_URL | The authorization URL for the OIDC Provider | ||
OIDC_PROVIDER_CERN_TOKEN_URL | RUCIO_WEBUI_OIDC_PROVIDER_CERN_TOKEN_URL | The token endpoint for the OIDC Provider | ||
OIDC_PROVIDER_CERN_REFRESH_TOKEN_URL | RUCIO_WEBUI_OIDC_PROVIDER_CERN_REFRESH_TOKEN_URL | The refresh token endpoint | ||
OIDC_PROVIDER_CERN_USERINFO_URL | RUCIO_WEBUI_OIDC_PROVIDER_CERN_USERINFO_URL | The URL to obtain user info from the OIDC Provider | ||
OIDC_PROVIDER_CERN_REDIRECT_URL | RUCIO_WEBUI_OIDC_PROVIDER_CERN_REDIRECT_URL | The redirection URL configured on the OIDC Provider |
The following environment variables are used to configure the rucio specific aspects of the Apache Web Server.
Variable | Description | Defaults |
---|---|---|
RUCIO_HOSTNAME |
This variable sets the server name in the apache config. | |
RUCIO_SERVER_ADMIN |
This variable sets the server admin in the apache config. | |
RUCIO_ENABLE_SSL |
Enable SSL/TLS Termination. | Optional, default: False |
RUCIO_LOG_FORMAT |
The default rucio log format is %h\t%t\t%{X-Rucio-Forwarded-For}i\t%T\t%D\t\"%{X-Rucio-Auth-Token}i\"\t%{X-Rucio-RequestId}i\t%{X-Rucio-Client-Ref}i\t\"%r\"\t%>s\t%b You can set your own format using this variable. |
|
RUCIO_ENABLE_LOGS |
By default the log output of the web server is written to stdout and stderr. If you set this variable to True the output will be written to access_log and error_log under /var/log/httpd . |
|
RUCIO_LOG_LEVEL |
The log level of Apache | Default: info |
RUCIO_HTTPD_LOG_DIR |
If RUCIO_ENABLE_LOGS is set use this variable to change the default logfile output directory. |
|
RUCIO_CA_REVOCATION_CHECK |
Sets the SSLCARevocationCheck variable for Apache |
Default: chain |
The following environment variables are used to configure the Apache Web Server. Please take a look at httpd.conf.j2
for more information.
Variable | Description | Defaults |
---|---|---|
RUCIO_HTTPD_SERVER_LIMIT |
||
RUCIO_HTTPD_MAX_REQUESTS_PER_CHILD |
||
RUCIO_HTTPD_KEEP_ALIVE_TIMEOUT |
||
RUCIO_HTTPD_MAX_SPARE_THREADS |
||
RUCIO_HTTPD_TIMEOUT |
||
RUCIO_HTTPD_MPM_MODE |
This variable sets the MPM mode. | The default is "event". |
RUCIO_HTTPD_START_SERVERS |
||
RUCIO_HTTPD_MAX_CONNECTIONS_PER_CHILD |
||
RUCIO_HTTPD_KEEP_ALIVE |
||
RUCIO_HTTPD_MIN_SPARE_THREADS |
||
RUCIO_HTTPD_MAX_CLIENTS |
||
RUCIO_HTTPD_MAX_KEEP_ALIVE_REQUESTS |
||
RUCIO_HTTPD_MIN_SPARE_SERVERS |
||
RUCIO_HTTPD_THREADS_LIMIT |
||
RUCIO_HTTPD_MAX_SPARE_SERVERS |
||
RUCIO_HTTPD_MAX_REQUEST_WORKERS |
||
RUCIO_HTTPD_THREADS_PER_CHILD |
In addition to the environment, the following files can be mounted as volumes to the container:
File Path (inside container) | Description | Optional / Required |
---|---|---|
/etc/grid-security/hostcert.pem | The host certificate file for the webui host | Required, if running in HTTPS mode |
/etc/grid-security/hostkey.pem | The host key file for the webui host | Required, if running in HTTPS mode |
/etc/grid-security/ca.pem | The CA certificate file that can verify the RUCIO SERVER host. |
Required |
/patch | The directory containing the patch files for the webui | Optional |