=Paper=
{{Paper
|id=Vol-2363/paper9
|storemode=property
|title=EGI Applications On Demand Service Catering for the Computational Needs of the Long Tail of Science
|pdfUrl=https://ceur-ws.org/Vol-2363/paper9.pdf
|volume=Vol-2363
|dblpUrl=https://dblp.org/rec/conf/iwsg/SiposRSS17
}}
==EGI Applications On Demand Service Catering for the Computational Needs of the Long Tail of Science==
9th International Workshop on Science Gateways (IWSG 2017), 19-21 June 2017

EGI Applications On Demand Service Catering for the computational needs of the long tail of science

Gergely Sipos, EGI Foundation, Amsterdam, Netherlands, gergely.sipos@egi.eu
Giuseppe La Rocca, EGI Foundation, Amsterdam, Netherlands, giuseppe.larocca@egi.eu
Diego Scardaci, INFN/EGI Foundation, Catania, Italy, diego.scardaci@egi.eu
Peter Solagna, EGI Foundation, Amsterdam, Netherlands, peter.solagna@egi.eu

Abstract—This paper describes the new EGI 'Applications on demand service' that the EGI collaboration specifically designed for individual researchers, small research teams and early-phase research infrastructures that do not have dedicated computational and storage resources, online applications and science gateways to perform scientific data analysis. The described service is available at http://access.egi.eu and, through a lightweight registration and user identity vetting process, allows user-friendly access to a growing number of scientific applications and application hosting frameworks (science gateways, VREs) that are configured to use the dedicated pool of cloud computing and HTC clusters from EGI. The service operates as an open and extensible 'hub' for providers and e-infrastructure user support teams who wish to federate and share applications and services with individual researchers, or small, fragmented communities, typically referred to as 'the long tail of science'.

Keywords—long-tail; SaaS; e-infrastructures; cloud; HTC/HPC

===I. INTRODUCTION===

EGI is an e-Infrastructure collaboration that provides advanced computing and data services for research and innovation. The collaboration operates a federated, publicly-funded e-infrastructure that currently comprises more than 300 resource centers from Europe and beyond. Over the last decade this infrastructure was the enabler of digital research conducted by over 40,000 researchers through the whole spectrum of science, from High-Energy Physics to Earth Sciences, Life Sciences, Chemistry, Astrophysics and Humanities.

EGI resource centers rely on the expertise of the 'EGI Foundation', EGI's coordinating institute located in Amsterdam. EGI members, national compute/data centers (so-called NGIs) and Intergovernmental Research Organizations such as CERN, operate the compute, storage, application and software services that comprise the 'EGI infrastructure'. These compute/storage providers allocate resources to scientific communities via 'Virtual Organisations' (VOs), according to institutional or regional/national priorities. A VO is the online representation of a scientific user group whose members usually work in similar or related research areas, or are part of the same scientific collaboration, for which reason they need the same applications, software and underlying hardware capabilities. Some of the biggest VOs of EGI represent experiments of the Large Hadron Collider (ALICE, ATLAS, CMS, LHCb) [2], the VIRGO experiment [3], the Cerenkov Telescope Array Observatory [4] or life science researchers from multiple countries and diverse backgrounds (biomed VO) [5].

Since its start in 2010, EGI has had well-defined processes to create and operate VOs for large, structured, international user communities. These communities have a well-established and long-term presence; moreover, they are resourced well enough to sustain skilled IT support teams who can instantiate and operate VO services for the researchers. The most advanced research infrastructures from the ESFRI Research Infrastructure Roadmap [6] are the typical operators of the largest VOs in EGI.

At the same time, individual researchers, small research teams and members of early-phase research infrastructures often struggle to access applications, compute and data services in EGI. The tools and resource allocation policies that were designed for long-living, structured communities were recognized as unsuitable for this type of user because they typically involve:

* Obtaining and using an X.509 personal digital certificate from a Certification Authority (CA) recognized by EGI.
* Joining an existing VO that matches the requester's research subject/goals, or setting up a new VO.
* Integrating relevant scientific applications with the VO and fulfilling operational responsibilities, such as VO membership management, resource allocation negotiations and community/application-specific service monitoring.

These individuals are often referred to as the 'long tail of science' [1] and they share the common characteristics of (1) missing a dedicated arrangement for computational and storage resources and for online applications and services to manage and analyze large amounts of data, and (2) lacking the skills and experience to deploy and scale applications on distributed computer architectures. Although some NGIs operate national services for the long tail of science, such national 'catch-all' VOs are not available or not well maintained any more in several cases [21].

Recognizing the needs of this unique group, and trying to compensate for the loss of NGI services in this domain, we designed and developed a new service within EGI: the 'Applications on demand service'. The service was designed in late 2014, demonstrated in November 2015, reached Alpha release for early adopters in January 2017, and was opened to the general public in April 2017 as a Beta service (an EGI Beta service is a service still being developed while being publicly available for testing). The service is available at http://access.egi.eu.

This paper introduces this new service offering and details the technologies and components that were developed and integrated to realize the service. The rest of the paper is organized as follows: Section II introduces the user and provider requirements that drove the system development. Section III describes the overall architecture and the main design considerations. Section IV provides details about the different system components that were developed or customized from existing EGI tools to establish the service. Section V lists in a table the already integrated applications and components of the service. In Section VI we describe the steps that an application hosting framework provider has to follow to make his framework accessible within the EGI Applications on Demand service. In Section VII we present our plans for the extension and improvement of the service, while in Section VIII we draw conclusions from the described work.

===II. REQUIREMENTS===

The design process for the new service started with a requirement collection and analysis that helped us to understand the needs and preferences of the long tail of science, as well as the constraints from the EGI resource/service providers' side that we have to consider as we are aiming at a sustainable service. These needs and constraints are summarized in this section.

A. Users' needs:

1. Zero-barrier access: any user who carries out not-for-profit research should be able to get an account with a 'start-up' resource allocation on EGI to access scalable application services together with the underlying cloud/HTC/storage resources.
2. 100% coverage: anyone with Internet access can become a user; there is no need to travel in person to obtain special credentials (e.g. an X.509 certificate).
3. Extendible and open: the service must be extendible with additional application services to support specialized scientific disciplines and users. The extension should be possible via open interfaces and protocols.
4. User-centric: support for users should be available in as many EGI member countries as possible.

B. Service providers' constraints:

1. Realistic: define an architecture that is implementable under the available effort levels. Reuse existing EGI technological building blocks as much as possible.
2. Secure: provide user identity vetting and tracking of user activities of as high a quality as possible (close to the existing solutions that are based on personal X.509 certificates).
3. Scalable: be able to scale to hundreds of compute/data/application providers. (The number and size of providers limits the number of users too.)
4. Recognized: have sufficient policies and tools that require users to acknowledge the use of the service in scientific publications resulting from this use.

===III. IMPLEMENTATION===

The architecture of the Applications on Demand service is presented in Figure 1. At the heart of the service there is a 'User Registration Portal' (URP). This is where new users enter the service. The list of applications and underpinning services can be publicly browsed on the URP. Usage requires login. Login is possible with Google, Facebook and EGI Single-Sign-On accounts, all of which are un-vetted accounts available to anyone with Internet access. Within the URP the user can set up a personal profile and can submit a resource access request. The request includes an estimate of the compute and storage capacity that the user would like to consume through the application(s) he/she would like to use in the service. The request can use the default capacity allocation (at the time of writing this is 1000 CPUh and 10 TB of storage) or can be a customized request.

The access request is forwarded to the distributed service support team. A team member (from the applicant's country or from the EGI Foundation) responds to the request, vets the user identity and checks the capacity request. The vetting is done by assessing the validity of the information provided by the user in the profile, including links to departmental websites and to scientific publications and projects relating to the requested e-infrastructure use. If needed, the support team contacts the applicant by email or by phone. Routing the access requests to national EGI members not only allows us to conduct such conversations in local languages, but also connects long tail users to national EGI support teams, building recognition and trust in national e-infrastructure initiatives. If the capacity request exceeds the default allocation then the estimate is double-checked and, if needed, negotiated with the resource providers of the service.

[Figure 1. Infrastructure architecture]

After the applicant's resource access request is approved, the user profile is set to 'active' in the URP. This information is propagated to the connected application hosting environments (science gateways, Virtual Research Environments or similar). These environments operate as application hosting frameworks, being equipped with a set of applications and user interfaces, manuals and guides best suited for those applications. For example, some gateways can be suited for workflow-type applications, others for parameter study jobs, yet others for applications of a certain scientific discipline. The service is open to any application hosting framework (see Section VI for more details). Science gateways and Virtual Research Environments supported by the European Commission FP7 and H2020 work programmes are, for example, ideal candidates for integration.

Approved users can log in to any of the connected application hosting frameworks and use the embedded applications. These applications are already configured to scale to the distributed compute and storage systems that are contributed to the service by EGI members. The resources are made accessible to the applications in the form of Infrastructure as a Service clouds joined into the 'EGI Federated Cloud' [22], or cluster resources federated with grid middleware into the EGI 'HTC Service' [23].

The application use generates load on these resources and this is reported by the resources into the EGI accounting system. From this accounting system the user support teams can obtain statistics about individual users, as well as about application hosting frameworks and cloud/HTC/HPC sites. When a user exceeds the amount of compute/storage/network capacity that was allocated for him/her, the account can be suspended in the URP, blocking the user from further consumption through this service. Continued use requires a new justification from the user and a corresponding evaluation by the support team.

===IV. ENABLING TECHNOLOGIES===

The service was created by customizing various existing EGI components, and by developing a few new ones in order to glue the required elements together into a single service. The following customizations and developments were made:

* The User Registration Portal (URP) was developed by CYFRONET as an extension of the e-GRANT EGI resource allocation tool [7]. The URP includes forms that guide users through the profile setup, resource request and application selection workflow. The tool was extended with web forms and an email notification subsystem to help the distributed user support team during the user identity vetting and user approval process. The URP provides an identity federation for the whole service, i.e. a user can authenticate to this portal and, after his/her account is validated, will be able to log in to any of the connected application hosting frameworks and their hosted applications.
* A resource pool was formed from EGI cloud and HTC sites. The participating sites feel institutionally or nationally responsible for supporting the long tail of science, and therefore contribute capacity to this pool. The sites are joined together into an EGI Virtual Organization called 'vo.access.egi.eu' [25]. The sites in this pool accept special X.509 proxy certificates that are unique to the Applications on demand service and which identify user workloads coming from the application hosting frameworks (see details under the next point). At the time of writing the resource pool includes cloud resources from Italy (INFN-Catania and INFN-Bari) and Spain (BIFI, CESGA) and HTC clusters from Belgium (VUB), Italy (INFN-Catania and INFN-Bari), Poland (CYFRONET) and Spain (CESGA).
* Access to EGI resources requires short-lived X.509 proxy certificates on the client side. The traditional method is to generate such proxies either from a long-term personal certificate, or from a robot certificate [8] that is used by an application hosting framework. Unfortunately neither of these approaches was sufficient for the Applications on Demand service, because (1) personal certificates are difficult to handle or impossible to obtain for certain long tail users, and (2) robot proxies do not include any information about the individual end-users, hiding all users' workload under a single identity and making it impossible to identify excessive or harmful use by certain individuals. To overcome these limitations a new, so-called 'Per-User Sub-Proxy' (PUSP) mechanism was developed. PUSPs are short-term proxies that are generated from robot certificates in a special way: the 'distinguished name' (DN) field of the proxy includes a unique string that is specific to the requesting user. The DN is the same for a specific user across multiple sessions, even if those sessions are initiated by different application hosting frameworks. The compute and storage resources report the proxy DN into the EGI accounting system, and based on the user-specific DNs we are able to trace every e-infrastructure operation back to the initiating user. The user-specific strings are generated during the identity vetting and approval process, and they are propagated to every participating application hosting framework. This tracing process is graphically presented in Figure 2.
* The connected application hosting frameworks must generate PUSPs from robot certificates. This is possible in two ways: (1) from a robot certificate that is deployed locally, on a USB smart card, on the server that hosts the framework; (2) because robot certificates are not available from EGI-recognised CAs in every country, we set up an 'eToken server' at INFN-Catania that can serve any participating application hosting framework with PUSPs. The application hosting frameworks can send a PUSP generation request to the server via its network API, including the userID as a parameter. The eToken server responds with the short-term proxy certificate that can be used by the framework to interact with the VO resources (see steps 5 and 6 in Figure 2).

[Figure 2. Tracing user activity on VO resources]

* Application hosting frameworks that can provide user-friendly interfaces to run scientific applications on VO platform resources in clouds or HTC/HPC clusters. The gateways use the identity federation of the URP to allow access to approved users, and use the PUSP mechanism to interact with cloud and HTC resources. The service currently includes three application hosting frameworks: WS-PGRADE [9], EC3/IM [10] and the CSG [11]. The service is open to any additional framework that wishes to make applications and application development/hosting services available at the European/worldwide scale. Technical instructions to integrate a new application hosting framework into the service are provided in Section VI.
* 17 applications from different scientific areas and tools have already been integrated into the existing application hosting frameworks and are offered 'as services' to users:
** Molecular Docking, Workflow and parameter study tool (WS-PGRADE portal).
** Galaxy, Docker, Octave, Apache Tomcat, GnuPlot, NAMD, Hadoop, Marathon, Chronos, Jupyter Notebook, Cloud orchestrator (in the EC3/IM portal).
** Chipster, ClustalW2, Semantic Search, the Statistical R for Computing (in the Catania Science Gateway).

Additional applications will be integrated into the frameworks following a cost-value assessment (more impactful, more broadly relevant applications have priority).

* Two policies were developed: a security policy for resource centers offering cloud/HTC/HPC/storage and an Acceptable Use Policy (AUP) for users.
** The first policy is compulsory for participating Resource Centers to accept and implement. The policy defines that offering resources in this service shall not negatively affect the security or change the security risk of any other VO. In particular, security incidents originating in the Applications on Demand service should not impact the IT Infrastructure in ways that are incompatible with the operational model of other VOs. This document also provides guidelines on the implementation of security procedures and controls to facilitate the offering of the Service by Resource Centers and Science Gateways. The Guidelines contain normative information on how to implement the Policy.
** The user AUP defines the conditions of use and the responsibilities of the users, such as using the services only for activities that relate to the work that was described in the access request form, or what text to use in scientific publications to acknowledge the use of the infrastructure.
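As an added illustration (not code from the paper or from EGI), the following Python script models the PUSP tracing described above: a user-specific string fixed at approval time is embedded in the proxy DN, accounting records keyed by DN are attributed back to users, a plain robot proxy is reported as unattributable, and users above the 1000 CPUh default allocation are listed as candidates for suspension in the URP. The DN layout, the HMAC derivation of the user string, the secret and the accounting records are assumptions constructed for this example.

```python
"""Per-User Sub-Proxy (PUSP) attribution, as an added example (not EGI code).

A PUSP is a short-lived proxy derived from a robot certificate whose DN carries
a user-specific string, so accounting records can be attributed to the
initiating user while the robot still vouches for the gateway. Only the
1000 CPUh default allocation and the 'suspend when exceeded' rule come from
the paper; the DN layout and the derivation of the user string are assumptions.
"""
import hashlib
import hmac
from collections import defaultdict

# Hypothetical robot DN of one application hosting framework (constructed).
ROBOT_DN = "/DC=eu/DC=egi/O=Hosts/CN=Robot: gateway-example"
DEFAULT_ALLOCATION_CPUH = 1000.0  # default allocation stated in the paper


def user_tag(user_id: str, secret: bytes) -> str:
    """Derive the stable user-specific string placed in the proxy DN.

    Assumption: a keyed hash (HMAC-SHA256) keeps the tag identical across
    sessions and gateways without exposing the raw userID to resource centres.
    """
    return hmac.new(secret, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def pusp_dn(robot_dn: str, user_id: str, secret: bytes) -> str:
    """Build the PUSP subject: robot DN extended with a user-specific CN (assumed layout)."""
    return f"{robot_dn}/CN=user:{user_tag(user_id, secret)}"


def parse_pusp_dn(dn: str):
    """Split a proxy DN into (robot DN, user tag); None if it is not a PUSP."""
    marker = "/CN=user:"
    idx = dn.rfind(marker)
    if idx == -1:
        return None
    return dn[:idx], dn[idx + len(marker):]


def attribute_usage(records, tag_to_user):
    """Aggregate CPU hours per user from accounting records keyed by proxy DN.

    records: iterable of dicts with 'dn' and 'cpu_hours' (constructed format).
    tag_to_user: mapping kept on the URP side from tag to userID.
    Returns (per_user_cpuh, unattributed). Unattributed DNs are plain robot
    proxies or unknown tags: the very gap the PUSP mechanism is meant to close.
    """
    per_user = defaultdict(float)
    unattributed = []
    for rec in records:
        parsed = parse_pusp_dn(rec["dn"])
        if parsed is None or parsed[1] not in tag_to_user:
            unattributed.append(rec["dn"])
            continue
        per_user[tag_to_user[parsed[1]]] += float(rec["cpu_hours"])
    return dict(per_user), unattributed


def over_allocation(per_user, allocation=DEFAULT_ALLOCATION_CPUH):
    """Users whose consumption exceeds the allocation: candidates for suspension in the URP."""
    return sorted(u for u, h in per_user.items() if h > allocation)


def demo():
    """Run the attribution over constructed accounting records."""
    secret = b"example-urp-secret"  # constructed; held on the URP/eToken side
    users = ["alice@example.org", "bob@example.org"]
    tag_to_user = {user_tag(u, secret): u for u in users}
    # Constructed accounting records: three PUSP sessions and one plain robot proxy.
    records = [
        {"dn": pusp_dn(ROBOT_DN, users[0], secret), "cpu_hours": 700},
        {"dn": pusp_dn(ROBOT_DN, users[0], secret), "cpu_hours": 450},
        {"dn": pusp_dn(ROBOT_DN, users[1], secret), "cpu_hours": 120},
        {"dn": ROBOT_DN, "cpu_hours": 30},
    ]
    per_user, unattributed = attribute_usage(records, tag_to_user)
    return per_user, unattributed, over_allocation(per_user)


if __name__ == "__main__":
    usage, unknown, suspend = demo()
    print("per-user CPUh:", usage)
    print("unattributable DNs:", unknown)
    print("over allocation:", suspend)
```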
===V. ELEMENTS OF THE SERVICE===

The following Table 1 provides a summary of the components that are currently operated within the EGI Applications on Demand service.

Table 1. Already connected services and resources.

{| class="wikitable"
! Type of resource/service !! Providers
|-
| IaaS clouds (compute and storage) || BIFI (Spain); CESGA (Spain); INFN-Bari (Italy); INFN-Catania (Italy)
|-
| HTC clusters (compute and storage) || CESGA (Spain); CYFRONET (Poland); INFN-Bari (Italy); INFN-Catania (Italy); ULB-VUB (Belgium)
|-
| Applications: Molecular Docking; Workflow and parameter study tool || WS-PGRADE (SZTAKI, Hungary)
|-
| Applications: Galaxy; Docker; Octave; Apache Tomcat; GnuPlot; NAMD; Hadoop; Marathon; Chronos; Jupyter Notebook; Cloud orchestrator tool || EC3/IM (UPV, Spain)
|-
| Applications: Chipster; ClustalW2; Semantic Search; Statistical R || Catania Science Gateway (INFN-Catania, Italy)
|}

===VI. HOW TO JOIN AS A GATEWAY/VRE PROVIDER===

This section provides a short overview of the integration steps that gateway/VRE providers must complete to contribute to the service. Interested providers should consult the online manual for details [12]. Compute and storage providers (cloud, HTC) can join the service by federating into the 'vo.access.egi.eu' Virtual Organisation [25], following the regular EGI guides for resource providers.

There are two fundamental prerequisites for integrating an application hosting framework: (1) the framework must be a mature technology (for example at Technology Readiness Level 8 or 9 [24]) with demonstrated use within publicly funded science, and (2) the framework must already be able to use cloud, HTC or data services from EGI, or be ready to do so (to enable the scale-out of the hosted applications).

As reported in the previous Sections, the URP provides the identity federation that enables users to authenticate in any of the connected application hosting frameworks with either social credentials or EGI SSO accounts. In the current implementation, this identity federation is implemented with Unity [13], an authentication and authorization management solution that uses OpenID Connect as its standard interface. The first requirement for integrating a new application hosting framework into the service is therefore to register the framework in Unity to get a clientID and secretKey. These credentials will be used by Unity to identify the new provider and to establish a secure connection with it.

For application hosting frameworks based on Liferay technology, INFN-Catania has developed an OpenID Connect module [14] that enables Liferay-based gateways to authenticate with OpenID Connect providers. This module is adopted by the WS-PGRADE and CSG frameworks within this service.

A second step of the integration is using the userID provided by Unity to generate Per-User Sub-Proxies (PUSP) to secure user interaction with the EGI resources. For this, the provider can rely on the eToken server that was already presented in the previous Section.

Lastly, the technical integration is complete when the service support team, together with the framework provider, 1) registers the framework in the EGI service registry (GOCDB) to activate availability and reliability monitoring of the framework with the EGI ARGO service [15], 2) sets up a framework-specific support unit in the EGI Helpdesk [16] (this is, for example, where tickets will be opened when the monitoring system notices that the framework is inaccessible), and 3) signs an Operation Level Agreement (OLA) defining, for example, availability and reliability targets and helpdesk ticket response times.

===VII. FUTURE WORK===

The 'EGI Applications on Demand service' was opened for public use in April 2017. In the next few months we are working on promoting the system to potential users, mainly through the user support teams of EGI member states. Promotion will be focused on countries where national support is lacking or insufficient for the long tail of science.

In parallel with broadening the uptake of the new service we are also planning to improve and expand the technical setup. This work will cover the following areas:

1. Replacing PUSPs with short-term proxies generated by the RC Auth service [17]. RC Auth was designed by the AARC H2020 project [18] as an open, European proxy factory service that can be used by any e-infrastructure and Research Infrastructure that needs X.509 proxies for service access. The use of RC Auth in the EGI Applications on Demand service would improve the compatibility of our architecture with other European initiatives, simplifying the integration of additional applications and hosting environments. Besides, the change would improve the sustainability of our setup by eliminating components that EGI currently has to sustain alone.
2. In the current architecture every application framework and application has to implement its own tools to manage the users' scientific data (for example importing data into the infrastructure from external storage systems, or exporting results into external repositories). We are planning to integrate a data management service (or layer) into the EGI Applications on Demand service that could be used by all application hosting frameworks for data management. If properly designed, the service could also help users curate and archive application outputs, tackling the problem of 'dark data in the long tail' [19]. The details of this data management layer are yet to be defined.
3. The current EGI flagship project, EGI-Engage [20], is close to establishing an 'EGI Marketplace'. This marketplace would offer a one-stop shop for individual researchers, research communities and industry to browse and request services from EGI. The EGI Applications on Demand service and/or its individual services will have to be connected to and integrated into this marketplace to make them visible and accessible to potential users and customers. This will require some sort of merge of the URP into the EGI Marketplace.

===VIII. CONCLUSIONS===

In this paper we presented the new EGI Applications on Demand service. The service is specifically designed to cater for the needs of individual researchers, small research collaborations and early-phase Research Infrastructures. The service provides easy-to-use environments for these user communities to request and access scalable scientific applications and application porting environments. The service also includes distributed computing and storage resources, and eliminates the need for users to form community-specific agreements with EGI providers and to sustain skilled IT teams to operate VO services.

The new service does not replace the 'traditional', community/project-specific and national VOs of EGI. Structured scientific collaborations and mature Research Infrastructures continue to require dedicated VOs in EGI, because only those can host fully customized, community-specific services and only they can offer dedicated compute and storage capacity at extreme scales. National 'long tail VOs' are also here to remain in those NGIs that have the effort to support local users with national services. The EGI Foundation continues to negotiate and secure services for community-specific VOs through Service Level and Operational Level Agreements (SLAs, OLAs).

===ACKNOWLEDGMENT===

The work presented in this paper has been supported by the EGI-Engage H2020 project (Grant number 654142). The authors would like to thank the following institutes for their contribution to the implementation of the described service: BIFI, CESGA, CNRS, CYFRONET, INFN-Catania, INFN-Bari, NIKHEF, SZTAKI, ULB-VUB, UPV.

===REFERENCES===

[1] Unwinding the 'Long Tail' of Science: https://www.ci.uchicago.edu/blog/unwinding-long-tail-science, Accessed 8/Apr/2017.
[2] LHC experiments: https://home.cern/about/experiments, Accessed 8/Apr/2017.
[3] VIRGO experiment: http://www.virgo-gw.eu, Accessed 8/Apr/2017.
[4] Cerenkov Telescope Array Observatory: https://www.cta-observatory.org/, Accessed 8/Apr/2017.
[5] Biomed Virtual Organisation: http://lsgc.org/biomed.html, Accessed 8/Apr/2017.
[6] European Strategy Forum on Research Infrastructures (ESFRI), Infrastructure roadmap 2016: http://www.esfri.eu/roadmap-2016
[7] EGI e-GRANT resource allocation tool: https://e-grant.egi.eu, Accessed 8/Apr/2017.
[8] IGTF Robot certificates: https://www.eugridpma.org/guidelines/robot/, Accessed 8/Apr/2017.
[9] P. Kacsuk, Z. Farkas, M. Kozlovszky, G. Hermann, Á. Balasko, K. Karóczkai and I. Márton, "WS-PGRADE/gUSE Generic DCI Gateway Framework for a Large Variety of User Communities", Journal of Grid Computing, vol. 10, no. 4, pp. 601-630, 2012.
[10] M. Caballer, D. Segrelles, G. Moltó and I. Blanquer, "A platform to deploy customized scientific virtual infrastructures on the cloud", Concurrency and Computation: Practice and Experience, vol. 27, no. 16, pp. 4318-4329, 2015.
[11] V. Ardizzone, R. Barbera, A. Calanducci, M. Fargetta, E. Ingrà, I. Porro, G. La Rocca, S. Monforte, R. Ricceri, R. Rotondo, D. Scardaci and A. Schenone, "The DECIDE Science Gateway", Journal of Grid Computing, vol. 10, no. 4, pp. 689-707, 2002.
[12] Manual on how to connect an application hosting framework to the infrastructure: https://wiki.egi.eu/wiki/Long-tail_of_science_-_information_for_providers, Accessed 8/Apr/2017.
[13] Unity: https://www.unity-idm.eu
[14] OpenId Connect for Liferay: https://github.com/csgf/OpenIdConnectLiferay
[15] EGI ARGO service: http://argo.egi.eu/
[16] EGI Helpdesk, new support unit or VO: https://wiki.egi.eu/wiki/FAQ_GGUS-New-Support-Unit-or-VO
[17] RCauth: The white-label Research and Collaboration Authentication CA Service for Europe: https://www.rcauth.eu/, Accessed 8/Apr/2017.
[18] AARC H2020 project: https://aarc-project.eu/, Accessed 8/Apr/2017.
[19] P. B. Heidorn, "Shedding light on the dark data in the long tail of science", Library Trends, vol. 57, no. 2, pp. 280-289, 2008.
[20] Engaging the EGI Community towards an Open Science Commons (EGI-Engage) H2020 project: https://wiki.egi.eu/wiki/EGI-Engage, Accessed 8/Apr/2017.
[21] EGI Accounting data about 'catch-all' Virtual Organisations: https://accounting.egi.eu/discipline/Miscellaneous/normcpu/VO/DATE/2014/5/2017/5, Accessed 9/May/2017.
[22] EGI Cloud Compute service: https://www.egi.eu/services/cloud-compute, Accessed 9/May/2017.
[23] EGI HTC service: https://www.egi.eu/services/high-throughput-compute, Accessed 9/May/2017.
[24] Technology Readiness Levels by the European Commission: https://ec.europa.eu/research/participants/data/ref/h2020/wp/2014_2015/annexes/h2020-wp1415-annex-g-trl_en.pdf, Accessed 9/May/2017.
[25] vo.access.egi.eu Virtual Organisation in the EGI Operations Portal: https://operations-portal.egi.eu/vo/view/voname/vo.access.egi.eu, Accessed 9/May/2017.