Report of JRA2 workshop @ ESRF

23-24 May 2018

This report summarises the JRA2 workshop held at the ESRF in May 2018 and next steps. The workshop for JRA2 of CALIPSOplus was held at the ESRF on 23rd May and 24th May, 2018 as a noon to noon meeting. It was preceded by a dedicated meeting on UmbrellaID. The agenda is enclosed as Annex 1.

Despite difficulties due to train and air strikes in France, all partners were represented by at least one delegate. The list of participants in the kick-off meeting is available from Annex 2.

UmbrellaID (UID) Meeting - see slides https://indico.esrf.fr/indico/event/17/

• Welcome and status update by Mirjam VAN DAALEN - Umbrella is connected to EduGain.

Kick-off Meeting of CALIPSOplus at HZDR, May 19th, 2017

- The EduTeam pilot (GEANT) attribute handling can now be exploited (basis for connection to EOSC).

- Umbrella is used as a critical service at PSI and the first company from ParkInnovaare is now connected via Umbrella to use PSI’s infrastructure.

- With the EduGain connection Umbrella can now bridge to various other communities such as: Elixir, Orcid, EGI CheckIn

- Subcontractor is being hired for CALIPSOplus. - UID participation in the FIM4R editors group were Umbrella is one of the involved

user communities. Paper published at: https://doi.org/10.5281/zenodo.1296031 - UID has grown 16% in the last year. - UID has to become an essential service. Mirjam send out an email with request to

all members of the collaboration send out in October 2017 (see ANNEX 3): Requirement for a sustainable development of Umbrella are the following topics: governance, development and operations. How will the governance of Umbrella look, how do the development plans for Umbrella look within the different facilities? There was nearly no feedback on this email, contribution and participation of all UID partners is needed for this. PR activities have been minimal this has to change.

- Discussion is postponed to the end of the UID meeting, to take into account the information by the next speakers.

• Umbrella & EduGAIN by Björn Abt

- UID now an IdP in eduGAIN. We can use it wherever eduGAIN is possible - Ideally all scientific flow should be UID compatible at all facilities.

• Umbrella as critical service by Björn Abt - How to become a critical service? If everyone uses it – it is critical! How to get to the

point that everyone uses it? Be attractive! – Or force them! Or maybe a mix of both?

- Ideally the whole scientific workflow at a facility is supported by umbrellaID - A very central part of the scientific workflow is non-browser based! And umbrellaID

needs to support them as well! o Data acquisition, Data analysis, Remote access, Industry integration

- Industry integration at PSI (not in eduGAIN, so UID is usable). Park InnovAARE at PSI uses UID for logins to the local infrastructure, PSI doesn't want industry users (IUs) in their IAM, neither do IUs want to be part of PSI. IUs want to manage themselves. PSI uses 802.1X with UID for IUs. PSI uses VPN access with UID. Access to PSI using umbrellaID.

Discussion: Concept above could be used by ESRF for guest login, or for access to wifi at EPN campus?

• FIM4R & AARC wrt Umbrella by Stefan Paetow

- UID participation in the FIM4R editors group were Umbrella is one of the involved user communities. Stefan and Mirjam presented the status of UID in several FIM4R meetings. A white paper called “Federated Identity Management for Research Collaborations” is published at: https://doi.org/10.5281/zenodo.1296031

• Umbrella as AAI in PaNOSC

Jean-Francois reports on the role of UID in PaNOSC - UID foreseen as AAI in PaNOSC, integration with EOSC - Due to DP we obfuscated/hashed the email address, but with GDPR, we may need

to have to store this unhashed, and then email people when a security incident has occurred! Umbrella has few metadata, we may have difficulties to locate the user. Who is liable? We are lacking a more secure organisation.

- Who will run the UID service? For ILL this is a big issue that they can't maintain the 2nd IdP

- Given the challenges between EOSC and sustainability, we have to think carefully. - E-infrastructures are developing their services EGI-checkin; GEANT EduTeams (UID

pilot in this project from the beginning). All based on the AARC blueprints. AAI for EOSC. UID should collaborate with GEANT.

- Options: a) Continue like we are and change the way we work, b) drop UID, or c) collaborate for security.

- We have to work to connect new technologies. Discussion The discussion centered on how to make Umbrella a critical service and how to maintain it. It was agreed that if we continue to maintain Umbrella it should be a critical service. What is the roadmap for UID in the coming year? We need a strategic decision, how will the service continue? We need to write this down in a document. ILL ( Jean-Francois Perrin) accepted the task of leading a working group to gather requirements + formulate strategy. After reformulation, there should be a strong commitment for implementation. Not just lip service. Working group members: JFP (ILL; lead), Andrew R. (DLS); Toni P. (ALBA); Dominique P. (ESRF); Frank S. (DESY); Majid O. (SOLEIL); Björn A. (PSI); Mirjam vD. (PSI) ACTION: JFP to gather input from all sites about the future direction of Umbrella. Deadline is September 2018

JRA2 Workshop – afternoon session day 1

• DAAS requirements by Andy Götz The requirements discussion was integrated in the blueprint brainstorming.

• Kubernetes intro Everyone was encouraged to take a look at this video as introduction to Kubernetes: https://www.youtube.com/watch?v=o85VR90RGNQ and to check out the tutorials https://kubernetes.io/docs/tutorials/kubernetes-basics/ on the basics and of course RTFM!

• Docker @ DESY Johannes presented the developments @ DESY using containers for DAAS (slides). The main points were the use of Docker on the DESY Maxwell HPC cluster, convertin data analysis applications to run as Function as Service and the JupyterHub service @ DESY. He showed how DESY is using docker containers to package scientific applications and run them on the Maxwell HPC cluster without degradation in performance. Containers offer many advantages for deploying scientific applications. Security is addressed via the use of namespaces. In case of trusted containers the use of namespaces can be circumvented thereby enabling other features to be exploited. The SIMEX platform for simulating photon experiments has been dockerized (see presentation on second day). The use of Function as a Service to address scalability issues using Apache’s OpenWhisk was presented. The idea is to move computing to the data. A Notebook service is being deployed with JupyterHub running on an OpenStack infrastructure. Two kernels are currently supported – Ipython and CrystFel. Scalability is addressed via Kubernetes, SLURM (batch scheduler) on HPC cluster and Function as a Service.

• DAAS & Kubernetes @ PSI Stephan presented the DAAS project @ PSI and their use of Kubernetes (slides). He presented the architecture of the data flow at PSI. Main technical solutions used are ZMQ (transporting data from detector to online storage), GPFS (parallel file system for offline analysis), Globus Online (for exporting data), tape library (100 PB offsite @ CSCS). Software environments supported include Ipython, Matlab, and JupyterHub for remote service. SLURM is used as batch scheduler. Remote access provided by NoMachine. SciCat data catalog implements the data policy and provides access to long term storage. SciCat uses Kubernetes to orchestrate microservices. PSI is starting

to explore the use of containers for data analysis applications. Open questions concern the choice of container – Docker, Shifter-NG or Singularity. Docker was intended for isolated applications while HPC applications typically share resources. Kubernetes is a good choice and has extended concepts like Job and Batch resources which could be well adapted to DaaS.

• Docker & Kubernetes @ DLS Andrew presented the progress @ DLS on DAAS and test with cloud technologies (slides). DLS has identified 3 main use cases for cloud computing – bursting to handle peak demand, post processing and long term data archiving. Commercial cloud has been tested as well as the use of OpenStack with the help of an external contractor. Docker was found to be widely supported and mature for deploying across multiple cloud platforms. DLS has setup a docker repository to be able to manage security concerns over trusted docker containers. Tests were done to integrate cloud bursting in the local batch scheduler (UGE). Docker containers were found to be even better adapted to post processing than online processing. Cold (tape) storage in the cloud for long term archiving was costed at between 25 $ and 70 $ per TB per year. DLS has adopted Kubernetes for managing production infrastructure. Apache Camel is bein used for transferring dat ato AWS S3 storage.

• DAAS @ ALBA Toni presented the progress at ALBA with DAAS (slides). He presented the HPC infrastructure at ALBA, the 1st use case for DaaS, pilot studies with Kubernetes, the Géant cloud framework and configuration management with Salt Stack.

• Blueprint brainstorming An interactive session was held held to define the main elements of the DAAS blueprint and the needs of each site to implement DAAS for their use cases. The main elements which were identified are :

JRA2 workshop – morning session day 2

• Status JRA2 Mirjam presented the status of the JRA2 (WP24 CALIPSOplus): June 24-26th 2017: meeting @ESRF 24.06.2017 Future Umbrella 25.06.2017 Kick off JRA2 (D24.1)

Divison of tasks between the partners Organisation and logistics

26.06.2017 kick off LEAPS WG3 Deliverable D24.1 accomplished report on kick-off workshop Deliverable D24.3 accomplished cross site use case requirement Telco‘s every month 1st telco 29.08.2017 16:00-17:00 Website on CALIPSOplus website for JRA2 will be filled by Mandy, http://www.calipsoplus.eu/work-packages/wp24-jra2-demonstrator-photon-science-analysis-service-daas/ The deliverables and internal documents of the WP24 will be published on the internal part of the website http://www.calipsoplus.eu/internal-2/internal-work-packages/ Report on the different tasks in JRA 2 was done by task leaders themselves (see below)

• DAAS portal Daniel presented a full update of the DAAS portal (slides). The main points were : Alex Camps has been hired to develop the portal. He has focused on the page structure, main features and the technological challenges for the short, mid and long term e.g. how to integrate with the existing facilities. Login is currently implemented for the local AAI. UmbrellaID will be added in the near future. A REST API has been identified to synchronise user/experiment relationship. A telco was held with Jamie Hall (ILL) to discuss the technologies they have chosen for DaaS viz. Apache Guacamole (HTML5 remote desktop), Dropwizard, SocketIO and OpenStack. Django has been chosen as CMS for the DaaS portal. The solution is divided into a common portal for guiding users to the facility portal and a facility specific part which connects to the local service. The common part is the same for all sites and satisfies the requirement to give users a common UI experience. The next steps are to integrate Kubernetes, local storage and access to the Docker images.

• Packages and deployment Johannes presented packaging and deployment for SIMEX, a use case @ XFEL (slides). SIMEX is a simulation platform for optical lasers and x-rays sources being developed as WP4 of the EUCALL project (https://www.eucall.eu/). SIMEX provides users interfaces to advanced simulation codes and data formats. It supports HPC via SLURM batch scheduler. A Docker image is available for SIMEX - https://hub.docker.com/r/yakser/simex/ .

• Testing Ivan presented the work being done at ELETTRA to prepare the testing framework (slides). The main points were: ELETTRA is preparing a testbed. They have evaluated Ceph file system, object storage, Guacamole, VMs and Docker. ELETTRA is locally focusing on PyMca and Ptycho Shelves for the beamlines TwinMic and XRF. Extra resources will be hired later on in the project when testing can start.

• Next steps The next steps are: complete the blueprint for the different use cases, write up the blueprint, package software with Docker, link Kubernetes to the data portal, link the data portal to UmbrellaID.

Next Meetings:

ALBA+ESRF proposed that a subset of the JRA2 collaboration have a hands-on meeting in Barcelona to work on the blueprint and linking the portal to the DAAS service orchestrator. The meeting will take place in Autumn 2018. The doodle for the meeting is https://doodle.com/poll/3vsq6uh4qbqm85ki. The next face-to-face meeting of the JRA2 will take place in May 2019. PSI has offered to host it.

Annex 1 - Agenda

UmbrellaID pre-workshop meeting agenda

JRA2-workshop meeting agenda – afternoon session day 1

JRA2-workshop meeting agenda – morning session day 2

Annex 2

List of participants

Mr. ABT, Björn Erik Paul Scherrer Institute Villigen PSI Switzerland Dr. ANDRIAN, Ivan Elettra Sincrotrone

Trieste Trieste Italy

Dr. ASHTON, Alun Diamond Light Source Didcot United Kingdom

Mr. CAMERLENGHI, marco EMBL Hamburg Germany Mr. CAMPS, Alex ALBA Cerdanyola Spain Dr. EGLI, Stephan PSI Villigen Switzerland Mr. GÖTZ, Andy ESRF Grenoble France Dr. GROBOSCH, Mandy Helmholtz Zentrum

Dresden-Rossendorf Dresden Germany

Mr. HALL, Jamie ILL GRENOBLE France Dr. KIEFFER, Jerome ESRF Grenoble France Dr. MANN, Gerd Paul Scherrer Institute 5232 Villigen PSI Switzerland Mr. OUNSY, Majid Majid Ounsy ST AUBINBP 4891192

GIF SUR YVETTE France

Mr. PAETOW, Stefan Jisc Oxford United Kingdom

Mr. PEREZ FONT, Antoni CELLS Cerdanyola del Vallès (Barcelona)

Spain

Mr. PERRIN, Jean-François ILL Grenoble France Mr. REPPIN, Johannes DESY Hamburg Germany Dr. RICHARDS, Andrew Diamond Light Source

Ltd Harwell United

Kingdom Mr. ROUSSELLE, Benoit ESRF Grenoble France Mr. SALVAT, Daniel ALBA Synchrotron Barcelona Spain Mr. SCHMEIßER, Nils Helmholtz-Zentrum

Dresden-Rossendorf Dresden Germany

Mr. THORNE, Luke Diamond Light Source Oxon United Kingdom

Dr. VAN DAALEN, Mirjam PSI Villigen Switzerland

Annex 3

Email to Umbrella collaboration from October 2017

Dear Umbrella collaborators,

Please find below a follow up on the Umbrella face-to-face meeting at ESRF in June 2017

Umbrella has to become an essential service:

Requirement for a sustainable development of Umbrella are the following topics: governance, development and operations. How will the governance of Umbrella look, how do the development plans for Umbrella look within the different facilities?

With regard to the above PSI is planning the following steps: 1. Planning to adapt PSI infrastructure to make the access with Umbrella seamless, this

increases the value of Umbrella. A working group is in place and working on this task. Timeline: realisation 2nd half of 2018

2. PSI is planning to establish Umbrella as central authentication mechanism for PSI user facilities. Timeline related to point 2: realisation 2nd half of 2018

3. Access to PSI Indico will be established with the update to the latest version of Indico in the first half of 2018.

4. Umbrella is already in operation as access mechanism to the OPEN IRIS platform for sharing PSI equipment with third parties (i.e. Innovation Park InnovAare).

5. There is a request from the Bio community through the ELIXIR ERIC to bridge with Umbrella, we are currently working on this.

6. Furthermore we are looking at interconnection of Umbrella with EOSC and HPC centers. 7. We will make logs of the IdP in order to produce Umbrella User statistics.

Input needed from your side until end of October 2017 to make Umbrella an essential service:

In order to work out an Umbrella development and target plan between the different facilities we need the following information:

1. Please send us a list (similar to the example of PSI) with the developments with respect to Umbrella you are planning at your facility, helping us to define a target plan for Umbrella until mid November 2017.

2. If you have other ideas on new planned services with Umbrella please add them to your list. 3. What could your facilities contribute for the Umbrella collaboration, e.g. chair of TT or SC,

technical development or else… 4. Please suggest candidates for new chairs of SC and TT of Umbrella Collaboration.

For your information the list of Umbrella talks are:

Status Umbrella Seminar SOLEIL 11.09.2017: Mirjam van Daalen

Status Umbrella FIM4R Meeting Montreal 18.09.2017: Stefan Paetow

Status Umbrella European User Office Meeting Lund 24.10.2017: Mirjam van Daalen

Best wishes,

Mirjam

_________________________________________________________________________________

Replies:

Dear Mirjam,

Here is the input from EMBL Hamburg (sorry for the delay!):

1. Please send us a list (similar to the example of PSI) with the developments with respect to Umbrella you are planning at your facility, helping us to define a target plan for Umbrella until mid November 2017.

• For the time being, EMBL Hamburg will be only using Umbrella for proposal submission. 2. If you have other ideas on new planned services with Umbrella please add them to your list.

• Any new services joining Umbrella would be beneficial. • ISPYB is used in EMBL-Hamburg, so we may consider to introduce the Umbrella login for ISPYB in the future

if possible. 3. What could your facilities contribute for the Umbrella collaboration, e.g. chair of TT or SC, technical development or else…

• We will continue attending the Umbrella meetings • We may join more EMBL-Hamburg internal services to use Umbrella in the long term. • We could send mass mailings for promoting Umbrella.

4. Please suggest candidates for new chairs of SC and TT of Umbrella Collaboration. • Mirjam van Daalen (SC) • Björn Abt or Jean-François Perrin (TT)

Please let me know if you need further information. Best regards, Clemente

______________________________________________________________________________

Hello Mirjam,

as you know we are not providing user services any more. But we are using Umbrella for In-house Proposals for the synchrotron of KIT and also for the coming linear accelerator and THz source FLUTE.

KIT uses and is part of the DFN federation and from what I understand from our IT specialists will not change anything there.

I guess we are not in a position to be heading any of the teams you are mentioning.

I hope you recovered well from your last business trip! Have a good day.

Cheers, Michael

Karlsruhe Institute of Technology (KIT) _______________________________________________________________________________

Hello Mirjam,

Thanks for sending this. Our state absolutely now is that we are adding CAS authentication for selected IdPs from the UKAMF one of which should be UMBRELLA. These should work for WEB Login and JISC ASSENT (aka MOONShot). We do need UMBRELLA to be registered on UKAMF for the most effective result. (I do not believe there is any limit on UKAMF access)

Bill