The client-side interaction is handled by CERN IT (Laurence Field at the moment). I am not sure how their whole system works, but the main point is that the client ends up booting an image which:

* is contextualized by a user_data file, which basically just specifies the cvmfs path to use and contains the MrBoincHost certificate and key (see below)
* starts a pilot bootstrap script available here: https://gitlab.cern.ch/vc/vm/raw/master/bin/lhcb-pilot

Generate the MrBoinc host certificate
This certificate/key needs to be given to IT to add in the contextualization file.
/path/to/boincCertificate and there:
openssl_config_host.cnf file in the

    # Generate the key
    openssl genrsa -out MrBoincHost/hostkey.pem 4096
    chmod 400 MrBoincHost/hostkey.pem

    # Create the request
    openssl req -config MrBoincHost/openssl_config_host.cnf -key MrBoincHost/hostkey.pem -new -sha256 -out MrBoincHost/request.csr.pem

    # Sign it
    openssl ca -config ca/openssl_config_ca.cnf \
        -extensions server_cert \
        -in MrBoincHost/request.csr.pem \
        -out MrBoincHost/hostcert.pem

This self-signed host certificate (MrBoinc Host) must then be saved on any BOINC VM in
Do not forget to add it to the list of trusted hosts for ProxyDelegation in the dirac.cfg of the gateway.
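
Before the certificate and key are handed to IT for the contextualization file, it is worth checking that hostcert.pem really chains to the CA, that hostkey.pem is its private key, and that the key kept the restrictive permissions set above. The script below is an added example, not part of the original procedure: the function names are hypothetical, the CA certificate path is an assumption passed as the third argument (the page only names the CA config file), and the demo runs on a constructed throwaway CA rather than the real one.

```shell
#!/bin/sh
# Added example: sanity-check the files produced by the procedure above.

# check_host_cert CERT KEY CA_CERT  (function name and CA_CERT path are assumptions)
# Returns 0 only if CERT chains to CA_CERT, KEY belongs to CERT, and KEY is
# not accessible to group or others.
check_host_cert() {
    cert=$1; key=$2; ca=$3

    # 1. The host certificate must verify against the signing CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not chain to $ca" >&2; return 1; }

    # 2. Certificate and private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    { [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; } || {
        echo "FAIL: $key is not the key for $cert" >&2; return 1; }

    # 3. Key permissions: group/other bits must all be clear (page uses chmod 400).
    [ "$(ls -ldL "$key" | cut -c5-10)" = "------" ] || {
        echo "FAIL: $key is accessible to group or others" >&2; return 1; }

    echo "OK: $cert"
}

# Constructed throwaway CA and host certificate, for demonstration only
# (2048-bit keys and `openssl x509 -req` so the page's config files are not needed).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null &&
    openssl genrsa -out "$d/hostkey.pem" 2048 2>/dev/null &&
    chmod 400 "$d/hostkey.pem" &&
    openssl req -new -sha256 -key "$d/hostkey.pem" -subj "/CN=demo-host" \
        -out "$d/request.csr.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/request.csr.pem" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -days 1 \
        -out "$d/hostcert.pem" 2>/dev/null
}

# Demo run on the constructed files.
demo=$(mktemp -d)
make_demo_pki "$demo" &&
    check_host_cert "$demo/hostcert.pem" "$demo/hostkey.pem" "$demo/cacert.pem"
rm -rf "$demo"
```

On the real files, call `check_host_cert MrBoincHost/hostcert.pem MrBoincHost/hostkey.pem` followed by the path to the CA certificate.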