Merge remote-tracking branch 'upstream/master'

Author: timtheisen

docs/other/install-cvmfs-stratum1.md

@@ -11,7 +11,7 @@ Before starting the installation process, consider the following points:
 
 - **User IDs and Group IDs:** If your machine is also going to be a repository server like OSG Operations, the installation will create the same user and group IDs as the [cvmfs client](../worker-node/install-cvmfs.md).  If you are installing frontier-squid, the installation will also create the same user id as [frontier-squid](../data/frontier-squid.md).
 -  **Network ports:** This installation will host the stratum 1 on ports 80, 8000 and 8080, and if squid is installed it will host the uncached apache on port 8081.  Port 80 is default but sometimes runs into operational problems, port 8000 is the alternate for most production use, and port 8080 is for Cloudflare (https://openhtc.io).
-- **Host choice:** -  Make sure there is adequate disk space for the repositories that will be served, at `/srv/cvmfs`. About 10GB should be reserved for apache and squid logs under /var/log on a production server, although they normally will not get that large.
+- **Host choice:** -  Make sure there is adequate disk space for all the repositories that will be served, at `/srv/cvmfs`. In addition, about 100GB should be reserved for apache and squid logs under /var/log on a production server, although they normally will not get that large.  Apache logs get larger than squid logs because by default they are rotated much less frequently.  Many installations share that space with the filesystem used for /srv/cvmfs by turning that directory along with /var/log/squid and /var/log/httpd into symlinks pointing to directories on the big filesystem.
 - **SELinux** - Ensure SELinux is disabled
 
 As with all OSG software installations, there are some one-time (per host) steps to prepare in advance:
@@ -114,8 +114,8 @@ insertline("^http_access deny all", "acl CVMFSAPI urlpath_regex ^/cvmfs/[^/]*/ap
 insertline("^http_access deny all", "cache deny !CVMFSAPI")
 
 # port 80 is also supported, through an iptables redirect 
-setoption("http_port", "8000 accel defaultsite=localhost:8081 no-vhost")
-insertline("TAG: http_port","http_port 8080 accel defaultsite=localhost:8081 no-vhost")
+setoption("http_port", "8080 accel defaultsite=localhost:8081 no-vhost")
+insertline("^http_port","http_port 8000 accel defaultsite=localhost:8081 no-vhost")
 setoption("cache_peer", "localhost parent 8081 0 no-query originserver")
 
 # allow incoming http accesses from anywhere

docs/release/osg-36.md

@@ -25,7 +25,11 @@ The following issues are known to currently affect packages distributed in OSG 3
 
 ### HTCondor-CE ###
 
--   If you are using HTCondor from the Upcoming repository,
+-   `default_CERequirements` in the the new Job Router ClassAd transform syntax is ignored.
+    To fix this, apply the change in [this patch](https://github.com/htcondor/htcondor-ce/pull/530/files) to
+    `/usr/share/condor-ce/config.d/01-ce-router-defaults.conf`.
+    The next release of HTCondor-CE will contain this fix and will not require any additional action post-update.
+-   If you are using HTCondor from the 3.6 Upcoming repository,
     C-style comments, e.g. `/* comment */`, in `JOB_ROUTER_ENTRIES` will prevent the JobRouter from routing jobs
     ([HTCONDOR-864](https://opensciencegrid.atlassian.net/browse/HTCONDOR-864)).
     For the time being, remove any comments if you are still using the

docs/release/supported_platforms.md

@@ -4,16 +4,14 @@ Supported Platforms
 The OSG [release series](../release/release_series.md) are supported on Red Hat Enterprise Linux (RHEL) compatible platforms
 for 64-bit Intel architectures according to the following table:
 
-!!! note
-    As of July 2020, only of a subset of the software stack is supported on RHEL 8-compatible platforms.
-    You can track packages released for EL8 through our [release notes](../release/notes.md).
-
 | Platform                   | OSG 3.5 | OSG 3.6 |
 |----------------------------|---------|---------|
 | CentOS 7                   | ✅ | ✅ |
-| CentOS 8                   | ✅ | ✅ |
+| CentOS Stream 8            | ✅ | ✅ |
+| Alma Linux 8               | ✅ | ✅ |
 | Red Hat Enterprise Linux 7 | ✅ | ✅ |
 | Red Hat Enterprise Linux 8 | ✅ | ✅ |
+| Rocky Linux 8              | ✅ | ✅ |
 | Scientifix Linux 7         | ✅ | ✅ |
 
 OSG builds and tests its RPMs on the latest releases of the relevant platforms (e.g., in 2021, the RHEL 7 builds were based on RHEL 7.9).

docs/release/updating-to-osg-36.md

@@ -16,7 +16,7 @@ If you have verified that your VO(s) support token-based pilot submission and HT
 use this document to update your OSG software to OSG 3.6.
 
 Many software packages, such as HTCondor and HTCondor-CE, use Python 3 scripts. If you are using Enterprise Linux 7,
-you must upgrade to at least version 7.8 to get Python 3 support.
+you must upgrade to at least version 7.8 for Python 3 support.
 
 Updating the OSG Repositories
 -----------------------------
@@ -219,8 +219,14 @@ To update OSG-Configure, perform the following steps:
 
 #### HTCondor-CE ####
 
+!!! bug "Passing along non-HTCondor batch system directives"
+    `default_CERequirements` in the the new Job Router ClassAd transform syntax is ignored.
+    To fix this, apply the change in [this patch](https://github.com/htcondor/htcondor-ce/pull/530/files) to
+    `/usr/share/condor-ce/config.d/01-ce-router-defaults.conf`.
+    The next release of HTCondor-CE will contain this fix and will not require any additional action post-update.
+
 !!! bug "Remove comments from `JOB_ROUTER_ENTRIES`"
-    If you are using HTCondor from the Upcoming repository,
+    If you are using HTCondor from the 3.6 Upcoming repository,
     C-style comments, e.g. `/* comment */`, in `JOB_ROUTER_ENTRIES` will prevent the JobRouter from routing jobs
     ([HTCONDOR-864](https://opensciencegrid.atlassian.net/browse/HTCONDOR-864)).
     For the time being, remove any comments if you are still using the

docs/security/tokens/overview.md

@@ -0,0 +1,78 @@
+DateReviewed: 2022-03-10
+
+Bearer Token Overview
+=====================
+
+
+
+
+Validating Tokens in Pilot Jobs
+-------------------------------
+
+If an incoming (pre-routed) pilot on a CE has a token, it will have the following classad attributes:
+
+| Attribute        | Meaning                             |
+|------------------|-------------------------------------|
+| AuthTokenId      | A UUID of the token                 |
+| AuthTokenIssuer  | The URL of the issuer of the token  |
+| AuthTokenScopes  | Any scope restrictions on the token |
+| AuthTokenSubject | The 'sub' field of the token        |
+
+(A pre-routed job is a job without `RoutedJob=True` in its classad.)
+
+!!! note
+    A job may have both a token and an X.509 proxy.
+    Presence of any `x509*` attributes does not indicate the absence of a token.
+
+To see which authentication method was used for a job:
+-   Examine the `/var/log/condor-ce/AuditLog*` files.
+-   Find a line saying `Submitting new job <JOBID>` (where `<JOBID>` is a job ID like `21249.0`).
+    The line before that should say what authentication method was used.
+    -   Authentication via a token will say `AuthMethod=SCITOKENS`.
+    -   Authentication via a proxy will say `AuthMethod=GSI`.
+
+See the [upstream documentation](https://htcondor.com/htcondor-ce/v5/troubleshooting/common-issues/#jobs-fail-to-submit-verify-scitoken-contents)
+for more details.
+
+Collaboration support
+---------------------
+
+!!! info "Verify support with collaborations"
+    The tables of collaborations below are updated as frequently as possible.
+    If a collaboration you support is listed as not supporting tokens or WebDav, please contact your collaboration
+    directly to verify that this information is up-to-date.
+
+### Pilot job submission ###
+
+These are the collaborations that support or partially support using tokens for pilot submission:
+
+| Collaboration | Supports Bearer Tokens |
+|:--------------|------------------------|
+| ATLAS         | Undergoing testing     |
+| CLAS12        | Undergoing testing     |
+| CMS           | Undergoing testing     |
+| EIC           | Undergoing testing     |
+| GLOW          | Yes                    |
+| GlueX         | Undergoing testing     |
+| IceCube       | Undergoing testing     |
+| LIGO          | Undergoing testing     |
+| OSG           | Yes                    |
+
+Until all of the collaborations you support are using tokens in production, your CE should remain on OSG 3.5,
+with the 3.5-upcoming repositories enabled.
+
+### WebDAV/XRootD File transfer ###
+
+The following collaborations support support file transfer using WebDAV or XRootD:
+
+| Collaboration | Supports WebDAV or XRootD |
+|:--------------|---------------------------|
+| ATLAS         | Yes                       |
+| CMS           | Yes                       |
+| CLAS12        | Yes                       |
+| EIC           | N/A                       |
+| GLOW          | N/A                       |
+| GlueX         | No                        |
+| IceCube       | Undergoing testing        |
+| LIGO          | Undergoing testing        |
+| OSG           | N/A                       |