From Duncan MacLeod:

I hope what follows are fairly straightforward instructions on how to deploy the igwn-accounting condor tool.

## Installing the tool

The official collector tool is called ‘igwn-accounting’ and is available from PyPI, as well as the LIGO (LSCSoft) YUM and Debian repositories. My understanding is that at least at Cascina you run a RHEL7 derivative, so using the RPM is probably easiest.

RPM option 1 --→ we choose this one

· Configure the LSCSoft RPM repo, using instructions here:

· Install the `igwn-accounting` package

RPM option 2

· Manually download and install the relevant RPMs from

o python36-igwn-accounting-1.2.1

o igwn-accounting-1.2.1

Alternative option 3:

· `pip` install the package directly from

For the record, the source code is here: The code is Python compatible with Python >=3.5 and requires htcondor (including the python bindings), and python-dateutil.

If you manually install, please ensure to install at least version 1.2.1.

## Running the tool

Once installed, the tool should be configured via ‘cron’ (or similar) to run once per day using the following invocation:

/usr/bin/igwn-accounting-report --cluster EGO-Cascina --utc $(date --utc +\%F --date='1 day ago') --output-file /var/www/html/accounting/EGO-Cascina-$(date --utc +\%F --date='1 day ago').txt


· The `date …` command just formats ‘yesterday’ as YYYY-MM-DD

· The ‘EGO-Cascina’ string is just a standard name for the site, it can probably be whatever you want as long as it has no whitespace

This will write a file that includes only lines of the following format:



duncan.macleod 12345 2021-01-01 EGO-Cascina

These files then need to be made available (currently) over HTTP(S) with a URL that is readable (at least) from the Caltech LDAS system. How you make these available within your site’s security policy is none of my business…

## What the tool actually does

In essence the tool just calls out to the condor_history executable with a call of the following form:

/usr/bin/condor_history -constraint 'JobUniverse = 7 && Owner = "igwn-pilot" && JobFinishedHookDone >= 1615766400.0 && JobFinishedHookDone < 1615852800.0' -jsonl -af LigoSearchUser LigoSearchTag CompletionDate CpusProvisioned CumulativeSuspensionTime EnteredCurrentStatus MATCH_GLIDEIN_Site Owner RemoteWallClockTime RequestCpus

where 1615766400 and 1615852800 are the Unix epochs for the start and end of the query interval (here, March 15th 2021). If you are running condor 8.8.x (as opposed to 8.9.x) the call will be subtly different (condor 8.8.x doesn’t support `-jsonl`) but will do the same job.

The tool then aggregates jobs across user and tag so there is only one entry in the output per (user, job, date) key.

on submit1:

needed expand life time of history files:
HISTORY         = <b>/var/lib/condor/spool/history
MAX_HISTORY_LOG = 104857600 (100MB)
#>cat /etc/crontab
50 23  * * * root /usr/bin/python3 -m --cluster EGO-Cascina --utc $(date --utc +\%F --date='1 day ago') --output-file /var/www/html/accounting/EGO-Cascina-$(date --utc +\%F --date='1 day ago').txt
55 23  * * * root rsync -var --progress /var/www/html/accounting/*


Web Server configuration
#>cat /etc/httpd/conf.d/igwacc-ego.conf

<VirtualHost *:80>
        Redirect  /

<VirtualHost *:443>
    DocumentRoot /var/www/html/
    SSLEngine on
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/sectigo-root-plus-geant-intermediate.pem
    SSLCertificateFile /etc/httpd/conf/ssl.crt/igwnacct-ego_virgo-gw_eu_cert.pem
    SSLCertificateKeyFile /etc/httpd/conf/ssl.crt/igwnacct-ego_virgo-gw_eu.key
#Ligo ssl client Authentication
  SSLVerifyClient none
  # ho unito i due certificati che hai mandato in CA_cert.pem
  #SSLCACertificateFile /etc/httpd/conf/ssl.crt/CA_cert.pem
  SSLCACertificateFile /etc/httpd/conf/ssl.crt/combined_CA.pem
  <Location /history>
        SSLVerifyClient require
        SSLVerifyDepth 10
        #SSOptions +StdEnvVars
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "Giuseppe Di Biase" or  %{SSL_CLIENT_S_DN_CN} eq "Stefano Cortese"  or %{SSL_CLIENT_S_DN_CN} eq "Stefano Cortese" or %{SSL_CLIENT_S_DN_CN} eq "Duncan Macleod" or  %{SSL_CLIENT_I_DN_CN} eq ""

RSYNC configuration

[root@igwnacct-ego ~]# cat /etc/rsyncd.conf 
# /etc/rsyncd: configuration file for rsync daemon mode

motd file = /etc/motd
max connections = 3

        comment = used by igwnacc-ego for accounting population
        path = /var/www/html/history
        read only = no
        list = yes
        hosts allow =
        uid = root
        gid = root


test WEB;
To test the X.509 authenticated access:
- created a proxy as usual with "ligo-proxy-init giuseppe.dibiase"
- create a .p12 bag from the pem credentials with: openssl pkcs12 -export -in /tmp/x509up_u1047 -out giuseppe_dibiase_cilogon_mics.p12 (in your case you must change the 1047 number with your unix uid on the system where you issued ligo-proxy-init)
- import the .p12 certificate in your browser (it will be valid for 11 days) 


Questo pull non funzionava almeno dal 19 aprile 2022, quando avevo abilitato l'https inspection per non ricordandomi che l'autenticazione e' basata su SSL client authentication.Ora ho disabilitato l'https inspection e messo una ACL per i client coinvolti (, e per i test
curl -L --cert /tmp/x509up_u1280 -v
Topic attachments
I Attachment Action Size Date Who Comment
CA_cert.pempem CA_cert.pem manage 4 K 22 Apr 2021 - 12:50 Main.Dibiase Jean/Sectigo
CILOGON_MICS_basic_CA.pempem CILOGON_MICS_basic_CA.pem manage 1 K 22 Apr 2021 - 12:47 Main.Dibiase  
CILOGON_MICS_silver_CA.pempem CILOGON_MICS_silver_CA.pem manage 1 K 22 Apr 2021 - 12:47 Main.Dibiase  
ldas-grid_ligo_caltech_edu.pempem ldas-grid_ligo_caltech_edu.pem manage 1 K 22 Apr 2021 - 12:48 Main.Dibiase  
Topic revision: r3 - 13 Oct 2022, Dibiase
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Wiki_Virgo_LSC? Send feedback