UCC Manual
Overview
The UNICORE Commandline Client (UCC) is a full-featured client for the UNICORE middleware. UCC has client commands for all the UNICORE basic services and the UNICORE workflow system.
It offers the following functions
Batch mode job submission and processing with many performance tuning options
Data movement (upload, download, server-to-server copy, etc) using the UNICORE storage management functions and available data transfer protocols
Storage functions (ls, mkdir, ...) including creation of storage instances via storage factories
Support for UNICORE workflow submission and management
Support for the UNICORE metadata system
Support for sharing UNICORE resources via ACLs
Information about the available services is provided via the system-info command
Various utilities like a shell mode, low-level REST API operations and others
Extensibility through custom commands and the possibility to run scripts written in the Groovy programming language
For more information about UNICORE visit https://www.unicore.eu.
Installation and configuration
Prerequisites
To run UCC, you need a Java runtime version 11 or later (OpenJDK preferred).
Download
You can get the UCC latest version from SourceForge UNICORE download page.
Installation and configuration
To install, unpack the distribution in a directory of your choice. It’s a good idea
to add the bin/ directory to your PATH variable,
$ export PATH=$PATH:<UCC_HOME>/bin
where UCC_HOME is the directory you installed UCC in.
Note
Windows only
Please do not install UCC into a directory containing spaces such as Program files.
Also avoid long path names, this can lead to errors due to the Windows limit on command line length.
Setting environment variables can be done (as administrator) using the .
Though you can specify many parameters on the commandline, it is easiest to use a config file, so that you do not have to key in this information repeatedly.
Preferences file
UCC checks by default whether the file <userhome>/.ucc/preferences exists, and reads it.
A minimal example that specifies username, password and your preferred UNICORE registry URL would look as follows:
registry=<your registry>
authentication-method=username
username=demouser
password=test123
truststore.type=directory
truststore.directoryLocations.1=<path to CA file(s)>
client.serverHostnameChecking=NONE
Please refer to Common options to UCC for a full description of available options.
Note
If you are worried about security, and do not want specify the password: UCC will ask for it if it is not given in the preferences or on the commandline.
Note
Windows only
The preferences are usually searched in the c:\Users\<user_name>\.ucc
folder.
To create the .ucc folder, you might have to use the
command prompt mkdir command.
When specifying paths in the preferences file, the backslash \
character needs to be written using an extra backslash \\.
For example, if you are using a local UNICORE installation for testing, you could use
registry=https://localhost:8080/DEMO-SITE/rest/core/registries/default_registry
Tip
If you wish to change the default property file location, you can set a Java VM property in the UCC start script, for example by editing the command that starts UCC
$ java .... -Ducc.preferences=<preferences location> ....
Logging
UCC writes some messages to the console, more if you choose the
verbose mode (-v option). If you need real logging (e.g. when using
the batch mode), you can edit the <UCC_HOME>/conf/logging.properties
file, which configures the Log4J logging
infrastructure used in UNICORE.
Installing UCC extensions
UCC can be extended with additional commands. It is enough
to copy the libraries (.jar files) of the extension into a directory
that is scanned by UCC: in general these are the UCC lib
and the ${HOME}/.ucc/lib directory.
Testing the installation
To test your UCC installation and to get information about the services available in the UNICORE system you’re connecting to, do
$ ucc system-info -l -v
Getting started with UCC
Assuming you have successfully installed UCC, this section shows how to get going quickly.
Getting help
Calling UCC with the -h option will show the available options.
To get a list of available commands, type:
$ ucc -h
To get help on a specific command, type:
$ ucc <command> -h
See also Common options to UCC for a list of common options.
Connecting
First, contact UNICORE and make sure you have access to some target systems:
$ ucc connect
List available sites
Then, list the sites available to you using:
$ ucc list-sites
Running your first job
The UCC distribution contains samples
that you can run. Let’s run the date.u
sample. The -v switch prints more info so you can see what’s going on.
$ ucc run -v <UCC_HOME>/samples/date.u
This will run date on a randomly chosen site, and retrieve the output.
To run on a particular site, use the -s option to specify a particular
target system.
Note
Look for UCC samples in the /usr/share/doc/unicore/ucc/samples directory.
Listing your jobs
The command
$ ucc list-jobs -l
will print a list of job URLs with their respective status
(RUNNING, SUCCESSFUL, etc).
Common options to UCC
The following table lists the options understood by most UCC commands. Most
commands have additional options. You can always get a summary of all available
options for a command by calling UCC with the -h or --help option, for example,
$ ucc run --help
Since it is not possible to give all the required options on the commandline, it is mandatory to create a preferences file containing e.g. your settings for keystore, registry, etc.
Option (short and long form) |
Description |
|---|---|
-c,–configuration <Properties_file> |
Properties file containing your
preferences. By default, a file
|
-k,–authentication-method <auth> |
Authentication method to use (default: USERNAME) |
-o,–output <Output_dir> |
Directory for any output produced (default is the current directory) |
-r,–registry <List_of_Registry_URLs> |
The comma-separated list of URLs of UNICORE registries |
-v,–verbose |
Verbose mode |
-h,–help |
Print help message |
-y,–with-timing |
Timing mode |
User preferences
If you have multiple user IDs or are a member of multiple Unix Groups on the target system, you may wish to control the user attributes that are used when invoking UCC.
Here is a list of options related to user attributes:
Option (short and long form) |
Description |
|---|---|
-Z, –preference |
Select from your remote attributes (e.g. xlogin) |
The preference option accepts multiple arguments of the form <name>:<value>
where name:
Name |
Description |
|---|---|
uid |
Remote login |
pgid |
Primary group ID |
supgids |
Secondary group IDs (comma-separated) |
role |
UNICORE role (user, admin, …) |
vo |
virtual organisation |
Configuration file
By default, UCC checks for the existence of a file <userhome>/.ucc/preferences and reads
settings from there. As shown above, you can use a different file by specifying
it on the commandline using the -c option.
The configuration file can contain default settings for many commandline options,
which are given in the form <option name>=<value> where <option name> is the long
form of the option. The property values may contain variables in the form ${VAR_X},
which are automatically replaced with the environmental variable values with the same name.
Additionally a special variable ${UCC_CONFIG} is recognized and is replaced with the
absolute path of your configuration file.
The most important part of configuration is how UCC should authenticate you to the UNICORE server(s) and what server(s) should be trusted.
An overview of the available authentication options can be retrieved using:
$ ucc help-auth
A minimal example for using the quickstart installation would be:
registry=https://localhost:8080/DEMO-SITE/services/Registry?res=default_registry
authentication-method=username
username=demouser
password=test123
truststore.type=directory
truststore.directoryLocations.1=<path to CA file(s)>
Important
To protect your passwords, you should make the file non-readable by others,
for example on Unix using a command such as chmod 600 preferences.
Note
If required passwords are not given in the properties file, they will be queried interactively.
Username and password authentication
To authenticate with username and password, set the following:
authentication-method=username
username=<your remote username>
password=<your remote password>
Support for token based authentication
UCC has three different options for using token-based authentication:
via oidc-agent
directly contact an OIDC server as an OIDC client (requires client ID and secret)
specify the token directly as a config property
OIDC-Agent
UCC supports the oidc-agent tool that allows to interact with common OIDC servers to retrieve new access tokens.
To configure oidc-agent, UCC supports the following properties:
Property name |
Type |
Default value / mandatory |
Description |
|---|---|---|---|
oidc-agent.account |
string |
|
Account short name. |
oidc-agent.lifetime |
integer >= 1 |
Minimum lifetime of the issued access token. |
|
oidc-agent.scope |
string |
OpenID scope(s) to request. |
Your config file would require at least:
authentication-method=oidc-agent
oidc-agent.account=<oidc-agent account to be used>
OIDC Server
This is a low-level approach that requires the details on how to act as an OIDC client, you’ll need at least an OIDC token endpoint, client ID and secret.
Property name |
Type |
Default value / mandatory |
Description |
|---|---|---|---|
oidc.authentication |
[BASIC, POST] |
BASIC |
How to authenticate (i.e. send client id/secret) to the OIDC server (BASIC or POST). |
oidc.clientID |
string |
Client ID for authenticating to the OIDC server. |
|
oidc.clientSecret |
string |
Client secret for authenticating to the OIDC server. |
|
oidc.endpoint |
string |
|
The OIDC server endpoint for requesting a token |
oidc.grantType |
string |
client_credentials |
Grant type to request. |
oidc.otp |
string |
Additional one-time password for two-factor authentication. Set this to ‘QUERY’ to query it interactively. |
|
oidc.password |
string |
Password used to log in. It is suggested not to use this option for security reasons. If not given in configuration, it will be asked interactively. |
|
oidc.refreshInterval |
integer number |
300 |
Interval (seconds) before refreshing the token. |
oidc.refreshTokenFile |
string |
(internal) Filename for storing the refresh token between UCC invocations. |
|
oidc.request_key_for_otp |
string |
otp |
(internal) How to send the OTP value to the server. |
oidc.username |
string |
Username used to log in. If not given in configuration, it will be asked interactively. |
authentication-method=oidc-server
oidc.endpoint=<oidc server token endpoint>
oidc.username=...
oidc.password=...
UCC also supports sending an OTP (one-time password) to Keycloak. To enable, add
oidc.otp=QUERY
to your config. The OTP token is queried from the command-line (the OTP value can also be placed verbatim
in the preferences as oidc.otp=your_otp_value ).
UCC stores the refresh token (if any) and tries to use it, before using the username/password again, also accross UCC invocations. (The token is stored in a file “$HOME/.ucc/refresh-tokens”, this default can be changed via a config variable)
Bearer token in config
Last not least, if you have a Bearer token via some other means, you can directly put the token into your config file:
authentication-method=bearer-token
token=...
Certificate-based authentication
For UNICORE installations that support (or even require) client certficates for authentication, set:
authentication-method=X509
credential.path=<your keystore>
credential.password=XXXXXXX
Truststore options
In most cases you only need a truststore directory containing trusted certificates:
truststore.type=directory
truststore.directoryLocations.1=/trust/dir/*.pem
A full list of options related to truststore management is available in the following table:
Property name |
Type |
Default value / mandatory |
Description |
|---|---|---|---|
truststore.allowProxy |
[ALLOW, DENY] |
ALLOW |
Controls whether proxy certificates are supported. |
truststore.type |
[keystore, openssl, directory] |
|
The truststore type. |
truststore.updateInterval |
integer number |
600 |
How often the truststore should be reloaded, in seconds. Set to negative value to disable refreshing at runtime.(runtime updateable) |
truststore.directoryConnectionTimeout |
integer number |
15 |
Connection timeout for fetching the remote CA certificates in seconds. |
truststore.directoryDiskCachePath |
filesystem path |
Directory where CA certificates should be cached, after downloading them from a remote source. Can be left undefined if no disk cache should be used. Note that directory should be secured, i.e. normal users should not be allowed to write to it. |
|
truststore.directoryEncoding |
[PEM, DER] |
PEM |
For directory truststore controls whether certificates are encoded in PEM or DER. Note that the PEM file can contain arbitrary number of concatenated, PEM-encoded certificates. |
truststore.directoryLocations.* |
list of properties with a common prefix |
List of CA certificates locations. Can contain URLs, local files and wildcard expressions.(runtime updateable) |
|
truststore.keystoreFormat |
string |
The keystore type (jks, pkcs12) in case of truststore of keystore type. |
|
truststore.keystorePassword |
string |
The password of the keystore type truststore. |
|
truststore.keystorePath |
string |
The keystore path in case of truststore of keystore type. |
|
truststore.opensslNewStoreFormat |
[true, false] |
false |
In case of openssl truststore, specifies whether the trust store is in openssl 1.0.0+ format (true) or older openssl 0.x format (false) |
truststore.opensslNsMode |
[GLOBUS_EUGRIDPMA, EUGRIDPMA_GLOBUS, GLOBUS, EUGRIDPMA, GLOBUS_EUGRIDPMA_REQUIRE, EUGRIDPMA_GLOBUS_REQUIRE, GLOBUS_REQUIRE, EUGRIDPMA_REQUIRE, EUGRIDPMA_AND_GLOBUS, EUGRIDPMA_AND_GLOBUS_REQUIRE, IGNORE] |
EUGRIDPMA_GLOBUS |
In case of openssl truststore, controls which (and in which order) namespace checking rules should be applied. The ‘REQUIRE’ settings will cause that all configured namespace definitions files must be present for each trusted CA certificate (otherwise checking will fail). The ‘AND’ settings will cause to check both existing namespace files. Otherwise the first found is checked (in the order defined by the property). |
truststore.opensslPath |
filesystem path |
/etc/grid-security/certificates |
Directory to be used for opeenssl truststore. |
truststore.crlConnectionTimeout |
integer number |
15 |
Connection timeout for fetching the remote CRLs in seconds (not used for Openssl truststores). |
truststore.crlDiskCachePath |
filesystem path |
Directory where CRLs should be cached, after downloading them from remote source. Can be left undefined if no disk cache should be used. Note that directory should be secured, i.e. normal users should not be allowed to write to it. Not used for Openssl truststores. |
|
truststore.crlLocations.* |
list of properties with a common prefix |
List of CRLs locations. Can contain URLs, local files and wildcard expressions. Not used for Openssl truststores.(runtime updateable) |
|
truststore.crlMode |
[REQUIRE, IF_VALID, IGNORE] |
IF_VALID |
General CRL handling mode. The IF_VALID setting turns on CRL checking only in case the CRL is present. |
truststore.crlUpdateInterval |
integer number |
600 |
How often CRLs should be updated, in seconds. Set to negative value to disable refreshing at runtime.(runtime updateable) |
truststore.ocspCacheTtl |
integer number |
3600 |
For how long the OCSP responses should be locally cached in seconds (this is a maximum value, responses won’t be cached after expiration) |
truststore.ocspDiskCache |
filesystem path |
If this property is defined then OCSP responses will be cached on disk in the defined folder. |
|
truststore.ocspLocalResponders.<NUMBER> |
list of properties with a common prefix |
Optional list of local OCSP responders |
|
truststore.ocspMode |
[REQUIRE, IF_AVAILABLE, IGNORE] |
IF_AVAILABLE |
General OCSP ckecking mode. REQUIRE should not be used unless it is guaranteed that for all certificates an OCSP responder is defined. |
truststore.ocspTimeout |
integer number |
10000 |
Timeout for OCSP connections in miliseconds. |
truststore.revocationOrder |
[CRL_OCSP, OCSP_CRL] |
OCSP_CRL |
Controls overal revocation sources order |
truststore.revocationUseAll |
[true, false] |
false |
Controls whether all defined revocation sources should be always checked, even if the first one already confirmed that a checked certificate is not revoked. |
Truststore examples
Here are some examples for commonly used trust store configurations.
Most commonly used is a directory (with a minimal set of options):
truststore.type=directory
truststore.directoryLocations.1=/trust/dir/*.pem
OpenSSL trust store:
truststore.type=openssl
truststore.opensslPath=/etc/grid-security/
truststore.opensslNsMode=EUGRIDPMA_GLOBUS_REQUIRE
truststore.updateInterval=1200
truststore.crlMode=IF_VALID
Java keystore used as a trust store:
truststore.type=keystore
truststore.keystorePath=/some/dir/truststore.jks
truststore.keystoreFormat=JKS
truststore.keystorePassword=xxxxxx
Client options
The configuration file may also contain low-level options, for example, if you need to specify connection timeouts, http proxies, etc.
Property name |
Type |
Default value / mandatory |
Description |
|---|---|---|---|
client.digitalSigningEnabled |
[true, false] |
true |
Controls whether signing of key web service requests should be performed. |
client.httpAuthnEnabled |
[true, false] |
false |
Whether HTTP basic authentication should be used. |
client.httpPassword |
string |
empty string |
Password for use with HTTP basic authentication (if enabled). |
client.httpUser |
string |
empty string |
Username for use with HTTP basic authentication (if enabled). |
client.maxWsCallRetries |
integer number |
3 |
Controls how many times the client should try to call a failing web service. Note that only the transient failure reasons cause the retry. Note that value of 0 enables unlimited number of retries, while value of 1 means that only one call is tried. |
client.messageLogging |
[true, false] |
false |
Controls whether messages should be logged (at INFO level). |
client.securitySessions |
[true, false] |
true |
Controls whether security sessions should be enabled. |
client.serverHostnameChecking |
[NONE, WARN, FAIL] |
WARN |
Controls whether server’s hostname should be checked for matching its certificate subject. This verification prevents man-in-the-middle attacks. If enabled WARN will only print warning in log, FAIL will close the connection. |
client.sslAuthnEnabled |
[true, false] |
true |
Controls whether SSL authentication of the client should be performed. |
client.sslEnabled |
[true, false] |
true |
Controls whether the SSL/TLS connection mode is enabled. |
client.wsCallRetryDelay |
integer number |
10000 |
Amount of milliseconds to wait before retry of a failed web service call. |
client.http.allow-chunking |
[true, false] |
true |
If set to false, then the client will not use HTTP 1.1 data chunking. |
client.http.connection-close |
[true, false] |
false |
If set to true then the client will send connection close header, so the server will close the socket. |
client.http.connection.timeout |
integer number |
20000 |
Timeout for the connection establishing (ms) |
client.http.maxPerRoute |
integer number |
6 |
How many connections per host can be made. Note: this is a limit for a single client object instance. |
client.http.maxRedirects |
integer number |
3 |
Maximum number of allowed HTTP redirects. |
client.http.maxTotal |
integer number |
20 |
How many connections in total can be made. Note: this is a limit for a single client object instance. |
client.http.socket.timeout |
integer number |
0 |
Socket timeout (ms) |
client.http.nonProxyHosts |
string |
Space (single) separated list of hosts, for which the HTTP proxy should not be used. |
|
client.http.proxy.password |
string |
Relevant only when using HTTP proxy: defines password for authentication to the proxy. |
|
client.http.proxy.user |
string |
Relevant only when using HTTP proxy: defines username for authentication to the proxy. |
|
client.http.proxyHost |
string |
If set then the HTTP proxy will be used, with this hostname. |
|
client.http.proxyPort |
integer number |
HTTP proxy port. If not defined then system property is consulted, and as a final fallback 80 is used. |
|
client.http.proxyType |
string |
HTTP |
HTTP proxy type: HTTP or SOCKS. |
Other options
The following table lists other options, that are more rarely used:
Property name |
Description |
|---|---|
blacklist |
Comma separated patterns for sites / URLs to ignore |
contact-registry |
Do not attempt to contact the registry, even if one is configured |
Running jobs
Introduction
The UCC can run jobs specified in the JSON job description format that is used by the UNICORE REST API, plus a few extensions related to handling of local files, submission options, etc. See Job description format for all the details.
In the following it is assumed that you have UCC installed Installation and configuration and tried some examples Getting started with UCC.
For example, assume the file myjob.u looks as follows:
{
"ApplicationName": "Date",
"ApplicationVersion": "1.0"
}
To run this through UCC, issue the following command:
$ ucc run myjob.u
This will submit the job, wait for completion, download the stdout and
stderr files, and place them in your default output directory. The run
command has a number of options, to see all the possibilities use the
built-in help:
$ ucc run -h
Controlling the output location and file names
Output files will be placed in the directory given by the -o option, if not given, the current
directory is used. Also, file names will be put into a subdirectory named as the job id,
to prevent accidental overwriting of existing files. This behaviour can be changed using the
-b option. When -b is given on the command line, no subdirectory will be created.
Specifying the site
In the example above, a random site will be chosen to execute the
job. To control it, you can use the -s option. This will accept the
name of a target system. The target systems available to you can be
listed by
$ ucc list-sites
Accessing a job’s working directory
Using the UCC’s data management functions, the job working directory can be accessed at any time after job submission. Please see section Data management functions for details.
Options overview
The following options are available when running jobs (see also the general options overview in Common options to UCC):
Option (Short and long form) |
Description |
|---|---|
-a,–asynchronous |
Run asynchronously |
-b,–brief |
Do not create a sub-directory for output files |
-B,–broker |
Select the type of resource broker to use (see |
-s,–sitename <SITE> |
Site where the job shall be run |
-S,–schedule <Time> |
Schedule the submission of the job at the given time |
-o,–output <Output_dir> |
Directory for any output produced (default is the current directory) |
Resource selection
In general the user selects the execution site.
If no site is specified upon submission, UCC will select a matching site, where the requirements (resources, applications) are met.
In case there are other types of brokers available, they can be
selected using the -B or --broker option.
LOCAL (default): brokering is done by UCC itself
To see if other brokers exist, execute ucc run -h, the available
options will be listed in the help for the -B option.
Processing jobs asynchronously
In case of long-running jobs, you will want to run the job asynchronously, i.e. just submit the job, stage in any files and start it, in order to get the results later.
Asynchronous submission
Use the -a flag when submitting a job:
$ ucc run -a <job file>
This will submit the job, stage-in any local files, start the job and exit.
A job file will be written that contains information about the job endpoint
and any exports that should be performed once the job has finished.
You can use this file later with the get-output and job-status commands.
Get the status of particular jobs
The command
$ ucc job-status <job_file_or_url> <job_file_or_url_2> ...
will retrieve the status of the given jobs. If not given on the command line, a job URL will be read from the console.
The arguments can be either a job URL, or the name of a job file (as
written by the run -a command).
Download results
To get stdout and stderr as well as other files marked for export, do:
$ ucc get-output -o <outdir> <job_file_or_url> <job_file_or_url_2> ...
Here, the option -o specifies the directory where to put the output,
by default the current directory is used. As before, a job address
can also be read from the console.
Referencing a job by its URL (endpoint address)
In case you want to check on a job not submitted through UCC, you can refer to a job by its URL. The list-jobs command will produce a list of all job URLs that you can access.
Note that in this case UCC will only retrieve stdout and stderr files. To download other result files, you’ll have to use the data movement functions described in Data management functions.
Scheduling job submission to the batch system
Sometimes a user wishes to control the time when a job is submitted to the batch queue, for example, because he/she knows that a certain queue will be empty at that time.
To schedule a job, you can either use the -S option to the ucc run
command:
$ ucc run -S "12:24" ...
Alternatively, you can specify the start time in your job file using the Not before keyword:
{
"Not before": "12:30",
}
In both cases, the specified start time can be given in the brief “HH:mm” (hours and minutes) format shown above, or in the full ISO 8601 format including year, date, time and time zone:
{
"Not before": "2011-12-24T12:30:00+0200",
}
Executing a command
If you just want to execute a simple command remotely (i.e. without data staging,
resource specifications etc), you can use the exec command.
This will run the given command remotely (similarly to ssh), and print the
output to the console. You can specify the site with the -s option.
If you do not specify the site, a random site will be chosen.
UNICORE will run the command on the login node, it will not be submitted to the batch system.
For example, try
$ ucc exec /bin/date
To safely pass arguments to the executable, use “–” to end the UCC part of the command line, for example
$ ucc exec -- date --rfc-email
Job description format
UCC uses the JSON Job description format that is used by the UNICORE REST API, adding support for handling local files.
Several complete job samples can be found in the samples
directory of the distribution.
On Linux, check also the /usr/share/unicore/ucc/samples directory.
To view an example job showing most of the available options, run:
$ ucc run -H
(most of the options shown are not mandatory, of course).
UCC extensions to the UNICORE job description format
It is often the case that your job requires files from your local workstation, or you want UCC to download result files once the job has finished.
UCC achieves this by allowing paths to local files in the To and/or From
directives of the data staging part(s) in your job.
Local files can be given as an absolute or relative path; in the latter case the configured output directory will be used as base directory.
Importing local files into the job workspace
To import files from your local computer, you can use the usual
Imports keyword, with a path as the From argument.
You can of course mix local and remote files. This example shows some of the possibilities:
{
"Imports": [
#
# import a local file from the client machine
# into the job workspace
#
{ "From": "/work/data/fileName", "To": "fileName" },
#
# import a set of local files from the client machine
# into the job workspace
#
{ "From": "/work/data/pdf/*.pdf", "To": "/" },
#
# import a remote file from a UNICORE storage using the UFTP protocol
#
{ "From": "UFTP:https://gw:8080/DEMO-SITE/rest/core/storages/Home/files/testfile",
"To": "testfile" },
# create a symlink from a file on the compute machine to the job workspace
{ "From": "link:/work/data/testfile", "To": "linked-file" },
# copy a file on the compute machine to the job workspace
{ "From": "file:/work/data/testfile", "To": "copied-file" },
],
}
If for some reason an import fails, but you want the job to run anyway,
there is a flag FailOnError that can be set to false:
"Imports": [
{ "From": "/work/data/fileName",
"To": "fileName",
"FailOnError": "false"
},
],
Note
UCC supports simple wild cards (* and ?) for importing and exporting files.
Exporting result files from the job workspace
To export files from the job’s working directory to your local machine, use the normal Exports keyword,
with a file path as the To argument. Here is an example Exports section that specifies two exports:
{
"Exports": [
# this exports all png files to a local directory
{ "From": "*.png", "To": "/home/me/images/" },
# this exports a single file to a to local directory
# failure of this data transfer will be ignored
{ "From": "error.log",
"To": "/home/me/logs/error.log",
"FailOnError": "false" },
# this exports to a UNICORE storage
{ "From": "stdout",
"To": "https://gw:8080/DEMO-SITE/rest/core/storages/Home/files/results/myjob/stdout"
},
]
}
As a special case, UCC also supports downloading files from other UNICORE storages
(after the job has finished), using the Exports keyword:
{
"Exports": [
# this exports a file from a UNICORE storage
{ "From": "https://gw:8080/DEMO-SITE/rest/core/storages/Work/files/somefile",
"To": "/home/me/somefile"
},
]
}
Data management functions
UCC offers access to all the data management functions in UNICORE. You can upload or download data from a remote server, initiate a server-to-server transfer, create directories and so on.
Specifying remote locations
Remote locations are specified via URIs that includes protocol, storage server (host/port), site name, and filename. For example,
BFT:https://mygateway:8080/SITE/rest/core/storages/HOME/files/my_file
specifies a file named /my_file on the storage instance https://mygateway:8080/SITE/rest/core/storages/HOME, using the BFT protocol.
Paths are always relative to the storage root, not the root of the actual file system.
The protocol is optional, and will default to BFT if not given.
Data movement
cp
The cp command is a generic command for copying source file(s) to a
target destination, where source and target can be remote locations or
files on the local machine. Wild card characters * and ?
are supported.
Examples for client-server transfers:
$ ucc cp data/*.pdf https://server/rest/core/storages/SHARE/files/pdfs
$ ucc cp https://server/rest/core/storages/SHARE/files/pdfs .
The -R option allows to choose whether subdirectories are to be copied too.
The -X option allows to resume a previous transfer. Missing data will be appended to an
existing target file (if the chosen protocol supports it).
Examples for server-server transfer:
$ ucc cp https://server/rest/core/storages/SHARE/files/*.pdf \
https://otherserver/rest/core/storages/WORK/data/
For server-to-server transfers, the cp command supports several
additional options.
The -S option allows to schedule a transfer for a certain time.
For example,
$ ucc cp -S "23:00" ...
The format is simply HH:mm (hours and minutes). Alternatively, you can give the time in the full ISO 8601 format including year, date, time and time zone:
$ ucc cp -S "2011-12-24T12:30:00+0200" ...
Another useful option is -a which will execute the server-server transfer
asynchronously, i.e. the client will not wait for the transfer to finish.
copy-file-status
This will print the status of the given data transfer. As argument, it expects a file name containing the transfer reference, or directly the reference.
Example (for Unix) which captures the reference into a shell variable:
$ export ID=$(ucc cp -a ...
$ ucc copy-file-status $ID
Specifying the file transfer protocol
To use a different protocol from the default BFT, you can use the -P
option to specify your preferred protocol. UCC will try to match them
with the capabilities of the storage and use the first match. Your
preferred protocol can also be listed in your preferences file using
the protocols key:
protocols=UFTP
Note
If necessary, you can specify additional filetransfer options in your preferences file as well. For example, to use the UFTP protocol you may need to specify the client host address and the number of parallel streams explicitely:
uftp.client.host=your_client_ip_address
uftp.streams=2
# encrypt data (at the cost of performance)
uftp.encryption=true
# compress data
uftp.compression=true
Use the special value all to enable all available client IP addresses
for UFTP.
uftp.client.host=all
You can also override the UFTP server host, which can be useful in case the UFTP server is accessible via multiple network interfaces:
uftp.server.host=myhost.com
UCC will try to use reasonable defaults for any missing parameters.
General commands
mkdir
This will create a directory (including required parent directories) remotely.
Example:
$ ucc mkdir https://mygateway:8080/SITE/rest/core/storages/HOME/files/pdfs
rm
This will remove a file or directory remotely. By default, UCC will ask for a confirmation.
Use the --quiet or -q option to disable this confirmation (e.g. when using
this command in scripts).
Example:
$ ucc rm https://mygateway:8080/SITE/rest/core/storages/HOME/files/pdfs
rename
This will rename/move a remote file/directory on the same storage.
Example:
$ ucc rename https://mygateway:8080/SITE/rest/core/storages/HOME/files/data/foo1.pdf /files/data/foo2.pdf
will rename the file foo1.pdf to foo2.pdf.
stat
This command shows full information on a certain file or directory.
Add the -m flag to also print user-defined metadata.
Example:
$ ucc stat -m https://mygateway:8080/SITE/rest/core/storages/HOME/files/foo.txt
Finding data
ls
This will list a remote directory. Useful options are: -l (detailed output), -H
(human-friendly) and -R (recurse).
Example:
$ ucc ls -l -H https://mygateway:8080/SITE/rest/core/storages/HOME/
If the storage supports metadata, you can get the metadata of a single file using ls -l -m:
$ ucc ls -l -m https://mygateway:8080/SITE/rest/core/storages/HOME/.bashrc
Using the StorageFactory service
UNICORE sites may allow users to dynamically create storage resources, which even can be linked to special back-end systems like Apache HDFS, iRODS, or cloud storage like Amazon S3.
You can find out if there are sites supporting this StorageFactory
service either by running the system-info -l command, or better using
$ ucc create-storage -i
This will list the available StorageFactory services and also show which types of storage are supported and how much space is left on each of them.
UCC supports creating storages via the create-storage command.
The simple
$ ucc create-storage
will create a new storage resource using the default storage type at some site.
Usually you want to control at least where the storage is created. Additionally, the type of storage and some parameters can be passed to UCC.
As an example, creating a storage of type S3 would look like this:
$ ucc create-storage -t S3 accessKey=... secretKey=...
You can also read parameters from a file. Say you have your S3 keys in a file s3.properties, then you can use the following syntax:
$ ucc create-storage -t S3 @s3.properties
You can also mix this with the normal key=value syntax, or mix it like this:
$ ucc create-storage -t S3 accessKey=@s3.accessKey secretKey=@s3.secretKey
The last version key=@file causes just the value to be read from the named file.
Metadata management functions
UCC offers a simple interface to access the metadata management service in UNICORE.
Basics
The metadata functions are all accessed via a single UCC command
metadata. The actual operation to be performed is given
with the -C (i.e. command) option.
The storage to be operated upon is given using the -s option.
In addition to the URL, the name of the target file on the storage is required.
Metadata is represented in JSON format. The metadata operations
usually read metadata from a file (or write results to a file), which
is specified using the -f option.
In the following examples, <STORAGE> denotes the URL of a storage
capable of handling metadata.
Available commands
Creating metadata
To create metadata, a file in JSON format is required containing key-value pairs. For example, edit the file meta.json to contain:
{
"foo": "bar"
}
Say we have a file test on our storage, then you can create metadata as follows:
$ ucc metadata -C create -f meta.json -s <STORAGE> /test
If you now look at the file with ls -l -m,
$ ucc ls -l -m <STORAGE>/test
you should get something like this:
-rw- 3344 2011-06-27 22:32 /test
{
"foo": "bar",
"resourceName": "/test"
}
Reading metadata
Apart from the ls -l -m used above, there is also an explicit
read command, which can write the metadata to a file as well:
$ ucc metadata -C read -s <STORAGE> /test -f out.json
The -f option is optional.
Updating metadata
Using update, the given metadata is merged with any existing metadata.
Say we have a file x.json containing:
{
x: y
}
We can append this to the existing metadata:
$ ucc metadata -C update -s <STORAGE> /test -f x.json
Check that the metadata has indeed been appended.
Deleting metadata
Explicitely deleting is also possible:
$ ucc metadata -C delete -s <STORAGE> /test
Check that the metadata has indeed been deleted.
Searching
Searching requires a search string (according to the rules
of Apache Lucene), and is triggered by the search command:
$ ucc metadata -C search -q "foo" -s <STORAGE> /
Triggering metadata extraction
To trigger the extraction of metadata on the server, use the start-extract
command:
$ ucc metadata -C start-extract -s <STORAGE> /
In this case the / denotes the base path from which to start the extraction process.
Workflows
Introduction
UCC supports the UNICORE Workflow service and allows to submit workflows and manage them.
The workflows are executed server-side, and UCC is used only for submitting, managing data and getting results. UCC also provides helper features for dealing with the workflows’ input/output data and parametrised workflow templates.
Note
Version 8.x of the Workflow service has changed a lot, and existing 7.x XML workflows will need to be converted / refactored.
Command overview
The following commands are provided:
workflow-submit: submit a workflow file
workflow-control: abort or resume a running workflow
list-workflows: list information about workflows
More details and examples follow below.
Basic use
To check the availability of the Workflow service in the configured registry, issue the following command:
$ ucc system-info -l
This should show at least an accessible Workflow service.
The distribution contains some example workflow files in the samples/workflows directory
that you can edit and submit.
$ ucc workflow-submit yourworkflow.json
which will submit the workflow and print the address of the workflow to standard output.
To get the workflow status:
$ ucc list-workflows <workflow_address>
To list all your workflows, you can use the list-workflows command without an explicit
workflow address:
$ ucc list-workflows -l
Workflow description format
The JSON format used by that the Workflow service can be found here.
Managing workflow data
Importing local data for use by a workflow
If you have local files that need to be imported before starting
the workflow, you can use a normal UCC job file that
contains only an Imports section:
{
"Imports":
[
{ "From": "local_file_1", "To": "wf:workflow_file_name_1", },
{ "From": "local_file_2", "To": "wf:workflow_file_name_2", },
...
],
}
UCC will upload the local files to a remote storage (which you can specify) and automatically register them with the workflow upon submission.
Your workflow JSON can then reference them as wf:... in the workflow
activities.
You can also manually register files by adding in inputs section to your
workflow JSON.
{
"inputs": {
"wf:infile1" : "remote_url_1",
"wf:infile2" : "remote_url_2",
},
}
Workflow templates
If the workflows contains a Template parameters section, the
corresponding replacement will be done by reading parameter values
from the .u file. These so-called workflow templates can be a very
simple and safe way to make adjustments in complex workflows before
submission. As an example, consider the following workflow:
{
"Template parameters": {
"SLEEPTIME": {
"type" : "INTEGER",
"default": "10",
}
},
"activities" : [
{
"id": "sleep1",
"job": {
"Executable": "sleep",
"Arguments": ["${SLEEPTIME}"],
},
},
],
}
This introduces a parameter SLEEPTIME with default value 10.
When the workflow is submitted, you can specify a JSON file with the -u option,
which will be checked for a parameter named SLEEPTIME
{
"SLEEPTIME": "1",
}
and if present, the value will be replaced in the workflow.
Resuming a held workflow
A workflow in status HELD can be resumed using the workflow-control resume command. If the workflow
has variables/parameters, updated values can be sent with the resume command.
Batch processing
The batch command allows you to run many jobs without having to start
UCC each time. You can control how many jobs should go to which site.
This allows efficient job processing, while putting some load on the
client machine. If you need to take the client offline, you should consider
using the workflow system instead, which also allows efficient high-throughput
processing.
Assume you have a bunch of jobs in UCC’s job description format stored in a directory jobs. The output should go to a directory out. You can run them all through UCC using a single invocation as follows:
$ ucc batch -i jobs -o out
As job files, UCC will accept files ending in .u.
Options
You can run in follow mode, where UCC will watch the input directory, and will process new files as they arrive:
$ ucc batch -f -i jobs -o out
Performance tuning options
Getting the most performance out of UCC and the UNICORE installation can be a challenging task. Sending too many jobs to a site might decrease throughput, sometimes the client machine can be the limiting factor, etc.
You should experiment a bit to get the best performance for your specific setup. UCC has many options available for tuning. Here is an overview:
Option (short and long form) |
Description |
|---|---|
-K,–keep |
Do not delete finished jobs on the server. By default, finished jobs are destroyed. |
-m,–max <MaxRunningJobs> |
Limit on jobs submitted by UCC at one time (default: 100) |
-t,–threads <NumThreads> |
Number of threads to be used for processing (default: 4) |
-u,–update <UpdateInterval> |
Minimum time in milliseconds between status requests on a single job (Default: 1000) |
-R,–no-resource-check |
Do not check if the necessary application is available on the target system (will increase performance a bit) |
-X,–no-fetch-outcome |
Do not fetch standard output and error |
-S,–submit-only |
Only submit the jobs, do not wait for them to finish |
-M,–max-new-jobs |
Limit the number of job submissions (default: 100) |
-s,–sitename |
Specify which site to use |
-W,–site-weights |
Specify a file containing site weights |
Resource selection in batch mode
By default, the UCC batch mode will select a random site for running a job. You can modify the selection in different ways:
using the
-soption or aSite: <sitename>,entry in the job file, you can specify the site directlyuse the
-Woption to specify a file containing site weights
Say you have two sites where one site is a big cluster and the other a small cluster. To send more jobs to the big cluster, you can use the site weights file:
#example site weights file for use with "ucc batch -W ..."
BIG-CLUSTER = 100
SMALL-CLUSTER = 10
#send no jobs to this site
BAD-CLUSTER = 0
# set default weight (for any sites not specified here)
UCC_DEFAULT_SITE_WEIGHT = 10
This would tell UCC to send 10 times more jobs to the BIG-CLUSTER site, and send no jobs to the BAD-CLUSTER. All other sites would get weight 10, i.e. the same as SMALL-CLUSTER.
The UCC shell
If you want to run a larger number of UCC commands, the overhead of starting
the Java VM or checking the registry may become annoying. For this scenario,
UCC offers a shell that allows the user to enter UCC commands interactively.
It is started by
$ ucc shell <options>
If you want to process a list of commands from a file instead of typing them, you can start the shell like this:
$ ucc shell -f commandsfile
or on Unix you can use the redirection features:
$ ucc shell < commandsfile
Changing property settings
To change a property setting in shell mode, you can use the set command.
Without additional arguments, current properties are listed:
ucc> set registry=https://... output=/tmp ...
To set one or more properties, add space separated key=value strings:
ucc> set output=/work registry=https://....
You can also clear a property (set it to null) by using unset:
ucc> unset registry
Variables referenced via $var_name or ${var_name} will be replaced
in commands. You can use this to make commands shorter and more
readable. It’s also possible and useful to pre-set certain things in
your preferences file.
For example,
ucc> set S1=https://myserver/my_site/rest/core/storages/HOME
ucc> ls -l $S1
A special variable $_ exists that is set by various commands to
the last thing that was created or accessed.
For example,
ucc> run -a date.u
ucc> job-status $_
Running an external command
You can run an external command via the system (or simply !) shell
command. For example,
ucc> system vi job.u
or simply
ucc> ! cat job.u
Exiting the shell
To exit, type exit or press Control-D.
Sharing resources
Accessing UNICORE resources (jobs, storages, …) is usually only possible when you own the resource or when there are special server-side policies in place that allow you access.
UNICORE supports ACLs on a per-service instance basis. This means, that you can give other users access to your jobs, storages, etc.
For example, you might want to allow others to check your jobs’ status, or even allow them to abort jobs.
Note that to access actual files the permissions on file system level still need to match. Usually this is achieved by using Unix groups.
Editing ACLs
The ACLs are managed via the share command.
Use the basic
$ ucc share <URL>
to share the current ACL for the given resource, where URL is the full URL of the resource, e.g.
$ ucc share https://localhost:8080/DEMO-SITE/rest/core/storages/HOME
To add an ACL entry use:
$ ucc share ACE1 ACE2 ... <URL>
where ACE is an access control entry expressed in a simple format:
[read|modify]:[DN|VO|GROUP|UID]:[value]
For example, to give modify permission to a user whose UNIX user id on the target system is test, you would use:
$ ucc share modify:UID:test <URL>
To delete entries use the -d option:
$ ucc share -d modify:UID:test <URL>
To delete all entries use the -b option:
$ ucc share -b <URL>
Permission levels
The permissions controlled by ACLs are as follows:
read: access resource properties
modify: perform actions e.g. job submission or creating a file export
Only the owner of a resource can edit the ACL or destroy the resource.
Port forwarding / tunneling
Starting with UNICORE 9.1.0, it is possible to open a tunnel (TCP socket connection) from the client to a service running on the HPC cluster. The service can run on a login node or even on a compute node.
Since this mechanism uses only the established UNICORE communication channels, it will work in any situation, unhindered by firewalls.
Traffic is forwarded from the client through the UNICORE HTTPS stack down to the cluster login node, where a (TSI) process is in charge of connecting to the backend service and forwarding data back through the UNICORE stack to the client. So there is chain of connections forwarding data through the following stack
Client application
Client-side listener (e.g. UCC)
Gateway
UNICORE/X
Server-side listener (TSI process) on the login node
Service
(in both directions).
That is quite a number of hops, so latency and throughput will be limited accordingly.
To establish the client side, UCC has a command open-tunnel, which behaves similarly to an
SSH tunnel (ssh -L ...)
It is started by
$ ucc open-tunnel -L <listen-port> <endpoint>
The listen-port is the port where a local application can connect. You can use “0” to use any free port.
The endpoint is a UNICORE job endpoint URL, with a few extra parameters added:
/forward-port?port=<service_port>&host=<service_host>&loginNode=<tsinode
The port parameter is mandatory, and denotes the port where the backend service is listening.
The host and loginNode are optional:
hostis the host where the service is running, must be reachable from the TSI (login node). It defaults tolocalhost(as seen from the login node!).
loginNodeis useful in cases where there are multiple login nodes, and you wish to control on which login node the forwarding process is launched.
Upon connection, the tunneling process is initiated, and the forwarding of data is started. To stop listening and forwarding, press Control-C, or use some other method to stop the UCC process.
Example
While usually the backend service is also started via UNICORE, that is not strictly necessary. Any of your job endpoints will do.
In this example, however, we launch a Python web server via UNICORE, and then connect to that Python service via a tunnel.
Launch a UCC shell with ucc shell ... and run the following job to
start the service, which will be listening on port 8877:
run -a
{ "Executable" : "python3 -m http.server 8877" }
(type CTRL-D to to launch the job)
Make sure to wait until this job is running, i.e.
job-status $_
shows it as RUNNING. The UCC shell special variable $_ automatically contains
the last URL, i.e. the new job’s URL.
To open the tunnel:
open-tunnel -L 4321 $_/forward-port?port=8877
this will open a local listener on port 4321.
To test your tunnel, run something like the following (from ANOTHER terminal, don’t kill UCC):
wget http://localhost:4321/stdout
You might also try and open "http://localhost:4321" in a browser.
Final notes
Attention
USE RESPONSIBLY! This tool is not intended for high volume data streaming or a very high number of concurrent connections, since it does incur some overhead on the UNICORE infrastructure.
UCC for site administrators
UCC can be used for administrative and user support tasks, like checking server status, or getting the full details of a user job.
Security considerations
Usually, each UNICORE user has only access to his or her own resources (such as jobs). For administrative use, you will need to aquire administrator privileges. There are two ways to achieve this:
create dedicated user credentials (e.g. a certificate) and map them to the role admin (in the XUUDB, or whatever attribute source you are using). This method is recommended if you want to remotely administrate UNICORE/X.
use the server keystore (of the UNICORE/X server you want to administrate) as UCC keystore. This will also give you administrator privileges. For this you will need to be logged on to the UNICORE/X server, and UNICORE/X must accept certificate authentication.
Admin commands
UCC has dedicated commands for accessing the AdminService of a UNICORE/X container. To get started, try:
$ ucc admin-info -l
UCC will try to access the admin service on each availabe UNICORE/X server. For each server, a list of statistical and performance data will be listed.
It will also list the available admin commands for each server, with a short description of their parameters. For example, here is a sample output:
https://localhost:8080/DEMO-SITE/services/AdminService?res=default_admin
Services:
TargetSystemFactoryService[1]
...
Monitors:
use.externalConnectionStatus.REST_UnitySAMLAuthenticator: OK
use.security.overview: ServerIdentity: CN=Demo UNICORE/X,O=UNICORE,C=EU;Expires: Thu Sep 09 12:01:19 CEST 2032;IssuedBy: CN=Demo CA,O=UNICORE,C=EU
....
Metrics:
use.externalConnectionStatus.REST_UnitySAMLAuthenticator: OK
use.rest.callFrequency: 0.016677196376660174
...
Available commands:
ShowJobDetails : parameters: jobID, [xnjsReference]
ShowServerUsageOverview : parameters: [clientDN]
ToggleResourceAvailability : 'resources' - comma separated list of IDs
ToggleJobSubmission : parameters: [message]
ToggleBESJobSubmission :
To invoke a command, the admin-runcommand is used. It can take
optional parameters.
Disabling/enabling job submission
For example, it is possible to disable/enable job
submission to the server, using the ToggleJobSubmission command,
which can take an optional message:
$ ucc admin-runcommand ToggleJobSubmission message="Maintenance"
The service will reply:
$> SUCCESS, service reply: OK - job submission is disabled
If a user now tries to submit, she will receive an error message on submission. Running the command again will re-enable the service:
$ ucc admin-runcommand ToggleJobSubmission message="Maintenance"
$> SUCCESS, service reply: OK - job submission is now enabled
Getting job details
To get the full job details (for example in user support), try:
$ ucc admin-runcommand ShowJobDetails jobID=<unique_jobid>
For example,
ucc admin-runcommand ShowJobDetails jobID=461f78c7-82a6-4887-9c33-6f538a4b0cb2
SUCCESS, service reply: Job information for 461f78c7-82a6-4887-9c33-6f538a4b0cb2
{Info=Action ID : 461f78c7-82a6-4887-9c33-6f538a4b0cb2
Action type : JSON
Status : DONE (trans.: none)
Result : SUCCESSFUL [Success.]
Owner : CN=Demo User, O=UNICORE, C=EU
Job Definition: {"Job type":"interactive","DetailedStatusDisplay":"true","KeepFinishedJob":"true","Output":"/tmp","IDLocation":"/tmp","Executable":"date","haveClientStageIn":"false","Tags":["testing"]}
Processing context: de.fzj.unicore.xnjs.ems.ProcessingContext@17f4b0b6
Application Info: Application <unnamed>
Job log:
Thu Feb 25 16:25:07 CET 2021: Created with ID 461f78c7-82a6-4887-9c33-6f538a4b0cb2
Thu Feb 25 16:25:07 CET 2021: Created with type 'JSON'
Thu Feb 25 16:25:07 CET 2021: Client: Name: CN=Demo User,O=UNICORE,C=EU
Xlogin: uid: [schuller], gids: [schuller:audio, active=schuller, addingOSgroups: true]
Role: user: role from attribute source
Security tokens: User name: CN=Demo User,O=UNICORE,C=EU
Delegation to consignor status: true, core delegation status: false
Message signature status: UNCHECKED
Client's original IP: 127.0.0.1
Thu Feb 25 16:25:07 CET 2021: No staging in needed.
Thu Feb 25 16:25:07 CET 2021: Status set to READY.
Thu Feb 25 16:25:07 CET 2021: Status set to PENDING.
Thu Feb 25 16:25:08 CET 2021: Execution on login node
Thu Feb 25 16:25:08 CET 2021: Command is:
Thu Feb 25 16:25:08 CET 2021: #!/bin/bash -l
export PROJECTS_DIR=/opt/shared-data
#TSI_EXECUTESCRIPT
#RESOURCES
#TSI_DISCARD_OUTPUT true
#TSI_SCRIPT
#TSI_UMASK 77
umask 77
cd /opt/shared-data/UNICORE-Jobs//461f78c7-82a6-4887-9c33-6f538a4b0cb2/
{ date > /opt/shared-data/UNICORE-Jobs//461f78c7-82a6-4887-9c33-6f538a4b0cb2/stdout 2> /opt/shared-data/UNICORE-Jobs//461f78c7-82a6-4887-9c33-6f538a4b0cb2/stderr; echo $? > /opt/shared-data/UNICORE-Jobs//461f78c7-82a6-4887-9c33-6f538a4b0cb2//UNICORE_SCRIPT_EXIT_CODE ; } & echo $! > /opt/shared-data/UNICORE-Jobs//461f78c7-82a6-4887-9c33-6f538a4b0cb2//UNICORE_SCRIPT_PID
Thu Feb 25 16:25:08 CET 2021: TSI reply: submission OK.
Thu Feb 25 16:25:11 CET 2021: Submitted to classic TSI as [schuller schuller:DEFAULT_GID] with PID=30112 on [localhost]
Thu Feb 25 16:25:11 CET 2021: Exit code 0
Thu Feb 25 16:25:11 CET 2021: Job completed on BSS.
Thu Feb 25 16:25:11 CET 2021: Status set to DONE.
Thu Feb 25 16:25:11 CET 2021: Result: Success.
Thu Feb 25 16:25:11 CET 2021: Total: 3 sec., Stage-in: 0 sec., Queued: 0 sec., Main: 0 sec., Stage-out: 0 sec.}
Thus you can get a full view of what the user submitted and what was executed.
Listing jobs, sites, …
You can also use all normal UCC commands to access the server. Note however that due to the authentication and authorisation system in UNICORE, this may not always work as expected: the admin user might not have the required Unix permissions to access files, list directories, etc.
The UCC commands that list server-side things (list-jobs, etc.) accept a filtering option, that can be used to limit the results of the operation. Filtering works on the XML resource properties of the resource in question.
Filtering is enabled by the -f or --filter option of the form:
-f NAME OPERATOR VALUE
where NAME is the name of an element from the JSON resource properties.
For example, to list all jobs:
$ ucc list-jobs -f status equals RUNNING
To list all jobs submitted on Nov 13, 2007:
$ ucc list-jobs -f submissionTime contains 2007-11-13
Operator (long and short form) |
Description |
|---|---|
equals, eq |
String equality (ignoring case) |
notequals, neq |
String inequality (ignoring case) |
contains, c |
Substring match |
notcontains, nc |
substring non-match |
greaterthan, gt |
Lexical comparison |
lessthan, lt |
Lexical comparison |
Low-level operations
UCC supports low-level access to REST API endpoints using the rest
command, specifically you can execute HTTP GET, PUT, POST and DELETE
requests with JSON content.
For example, to delete (destroy) a resource:
$ ucc rest delete <Address>
To get a complete property listing (i.e. print the JSON resource property document):
$ ucc rest get <Address>
To change properties, use the put command with JSON content:
$ ucc rest put '{"Tags": ["tests", "hpc" ]}'
These commands can be abbreviated, e.g. ucc rest d <Address>
Scripting
UCC can execute Groovy scripts. Groovy is a dynamic scripting language similar to Python or Ruby, but very closely integrated with Java. The scripting facility can be used for automation tasks or implementation of custom commands, but it needs a bit of insight into how UCC and UNICORE work.
Script context
Your Groovy scripts can access some predefined variables that are summarized in the following table:
variable |
description |
Java type |
|---|---|---|
registry |
A preconfigured client for accessing the registry |
eu.unicore.client.registry.IRegistryClient |
configurationProvider |
Security configuration provider (truststore, etc) |
de.fzj.unicore.ucc.authn.UCCConfigurationProvider |
auth |
REST authentication mechanism |
eu.unicore.services.rest.client.IAuthCallback |
registryURL |
the URL of the registry |
java.lang.String |
messageWriter |
for writing messages to the user |
de.fzj.unicore.ucc.MessageWriter |
commandLine |
the command line |
org.apache.commons.cli.CommandLine |
properties |
defaults from the user’s properties file |
java.util.Properties |
Examples
Some example Groovy scripts can be found in the samples directory of the UCC distribution.
Frequently asked questions
Configuration
🤔 Do I really have to store my password in the preferences file? Isn’t this insecure?
Putting the password in a file or giving it as a commandline parameter can be considered insecure. The file could be read by others, and the commandline parameters may be visible in for example in the output of the
pscommand. Thus, UCC will simply ask for the password in case you did not specify it.
🤔 How can I enable more detailed logging?
UCC uses Log4j 2, by default the configuration is done in
<UCC_HOME>/conf/logging.properties. You can edit this file and increase the logging levels, choose to log to a file or to the console, etc.
Usage
🤔 Can I use multiple registries with UCC?
Yes. Simply use a comma-separated list of URLs for the
-coption. However, you may only use a single key/truststore, so all registries (and sites listed in them) must accept the same security credentials.
🤔 Can I upload and execute my own executable?
Yes. Check Running jobs.
🤔 Can I use UCC to list the contents of the registry?
Using the rest command (and optionally the UNIX
jqutility for formatting the output), this is very easy. For example,$ ucc rest get https://localhost:8080/DEMO-SITE/rest/core/registries/default_registry | jqwill list the content of the registry.