XRootD proxy with caching

Hi all,

What about installing a XRootD proxy with caching? Afaik there is no such service installed. Let me know if I’m wrong in this point.

I think it would improve SWAN immensely for a lot of people! Let me give an example:
We run a ROOT hands-on with around 50 people. Each of them pull via XRootD a file with around 10 GB. Currently all of these transfers go through the network all the time. However, you could have local reading performance with the XRootD cache after the first user pulled the file. Wouldn’t that be awesome? :slight_smile:


Some interesting read:

I came here for the same question, is it possible to access files from tier2/tier3 via xrootd in swan? Or do I have to copy them local to my cernbox everytime that I need them?


Hi @algomez ,

Just to understand your use case, you want to read those files remotely with ROOT via xrootd? If that is the case, you just need to do a kinit from the SWAN terminal and you will be able to read those files remotely.

Thanks @etejedor for the reply.
What I want is to access remote files (from a T2/T3 somewhere else) and run some code in a notebook from swan. I guess that this can be done through xrootd. But I have two (stupid) technical questions:

  1. Do I need to set my grid certificate for that? and if yes, how?
  2. I can access those files through swan, like: ROOT.TFIle.Open(‘root://xrootd-cms.infn.it//store/mc/blahblah.root’)

thanks for the help.


How would you do it, say on lxplus, or from your laptop? In SWAN you should be able to follow the same procedure.

I found these instructions online (I don’t know if this is how it is supposed to be done in your case, just shooting in the dark):


It seems that the first thing you would need to do is copy your grid certificate in your CERNBox. After that, you should run voms-proxy-init (available in SWAN) from the SWAN terminal to get your proxy certificate. Then, from your notebook, you should be able to open the file with ROOT.

We had a presentation from a user in the SWAN workshop that did a similar thing for ALICE:

See e.g. slide 5 where he talks about setting up the grid certificate. @blim perhaps you can help @algomez out with this?


I tried this before contacting this forum, I installed my certificate as usual but then trying to run voms-proxy-init I am getting this message:

algomez@b02b398a660c:/home/algomez$ voms-proxy-init --voms cms
Enter GRID pass phrase:
Your identity: /DC=ch/DC=cern/OU=blahblah
Cannot find file or dir: /etc/vomses
VOMS Server for cms not known!

while from other machines this work. That is why I assumed that this does not work. Any suggestion?



What you copied here, did you run it from the SWAN terminal?

Indeed, in SWAN we don’t have an /etc/vomses directory with the configuration files of the voms servers, which does exist in lxplus:

[etejedor@lxplus758 ~]$ cd /etc/vomses
[etejedor@lxplus758 vomses]$ ls 
alice-lcg-voms2.cern.ch    dune-voms1.fnal.gov                           lhcb-voms2.cern.ch                        unosat-lcg-voms2.cern.ch              vo.gear.cern.ch-lcg-voms2.cern.ch
alice-voms2.cern.ch        dune-voms2.fnal.gov                           na48-lcg-voms2.cern.ch                    unosat-voms2.cern.ch                  vo.gear.cern.ch-voms2.cern.ch
atlas-lcg-voms2.cern.ch    envirogrids.vo.eu-egee.org-lcg-voms2.cern.ch  na48-voms2.cern.ch                        vo.aleph.cern.ch-lcg-voms2.cern.ch    vo.l3.cern.ch-lcg-voms2.cern.ch
atlas-voms2.cern.ch        envirogrids.vo.eu-egee.org-voms2.cern.ch      na62.vo.gridpp.ac.uk-voms02.gridpp.ac.uk  vo.aleph.cern.ch-voms2.cern.ch        vo.l3.cern.ch-voms2.cern.ch
cms-lcg-voms2.cern.ch      geant4-lcg-voms2.cern.ch                      na62.vo.gridpp.ac.uk-voms03.gridpp.ac.uk  vo.compass.cern.ch-lcg-voms2.cern.ch  vo.opal.cern.ch-lcg-voms2.cern.ch
cms-voms2.cern.ch          geant4-voms2.cern.ch                          na62.vo.gridpp.ac.uk-voms.gridpp.ac.uk    vo.compass.cern.ch-voms2.cern.ch      vo.opal.cern.ch-voms2.cern.ch
dream-voms.hpcc.ttu.edu    ilc-grid-voms.desy.de                         ops-lcg-voms2.cern.ch                     vo.delphi.cern.ch-lcg-voms2.cern.ch   vo.sixt.cern.ch-lcg-voms2.cern.ch
dteam-voms2.hellasgrid.gr  lhcb-lcg-voms2.cern.ch                        ops-voms2.cern.ch                         vo.delphi.cern.ch-voms2.cern.ch       vo.sixt.cern.ch-voms2.cern.ch

I created a ticket to install those voms server configuration files in the next SWAN update:

In the meantime, what you can do is copy the CMS voms server configuration files you need from lxplus to your CERNBox. Then, when you run voms-proxy-init, there is a parameter that you can pass to make it look elsewhere for voms server configuration files:

    -vomses <file>                 Non-standard location of configuration files.

That should work for now.

Hi @etejedor
thank you so much, yes this works like a charm! and thank you for the JIRA ticket as well.
Now I’ll try to run more complicated things in swan :smiley:


Hello, @etejedor I am reopening this issue since i am trying to do the same thing and see this problem:

voms-proxy-init -vomses voms_configs -valid 168:00 -voms cms

And I get the error:

Your proxy is valid until Mon Jul 13 23:18:32 2020
Error: verification failed.
Cannot verify AC signature!

So a proxy is created but without verifying the AC signature I cannot use features like xrootd.
Is this known and is there a solution? I see that the JIRA ticket is still open.

Dear @devdatta ,

Yes, that JIRA issue is still open since we need to install the VOMS server configuration files in SWAN. You can for now copy them e.g. from lxplus into your CERNBox as described in this post.

However, the error you show is more related to RQF1600959. We are trying to figure out why the AC signature verification failure happens in SWAN. I added you as watcher of that ticket, so I suggest you follow the progress there.

Hi @etejedor,

Thanks for the prompt reply. I did copy the VOMS server configs from /etc/vomses to SWAN. That’s how I managed to generate the proxy. However, without the AC signature, seems I cannot access files using the XROOT protocol. Is this expected and is there a workaround?

BTW, the link to the ticket seems to be broken. It says " Record not found".

Dear @devdatta,

No, it’s not expected, we are in contact with other IT colleagues to see how we can fix this, basically we need to reproduce the same configuration that exists on lxplus.

You should be able to access the ticket now.

Thanks @etejedor I can see the topic now.