Note

The Grid Community Toolkit documentation was taken from the Globus Toolkit 6.0 documentation. As a result, there may be inaccuracies and outdated information. Please report any problems to the Grid Community Forums as GitHub issues.

GCTGridFTP → GCT 6.0 Component Guide to Public Interfaces: GridFTP

API Summary

Programming Model Overview

The Globus FTP Client library provides a convenient way of accessing files on remote FTP servers. In addition to supporting the basic FTP protocol, the FTP Client library supports several security and performance extensions to make FTP more suitable for Grid applications. These extensions are described in the GridFTP Protocol document.

In addition to protocol support for grid applications, the FTP Client library provides a plugin architecture for installing application or grid-specific fault recovery and performance tuning algorithms within the library. Application writers may then target their code toward the FTP Client library and, by simply enabling the appropriate plugins, easily tune their application to run it on a different grid.

All applications which use the Globus FTP Client API must include the header file globus_ftp_client.h and activate the and activate the GLOBUS_FTP_CLIENT_MODULE.

To use the Globus FTP Client API, one must create an FTP Client handle. This structure contains:

  • context information about FTP operations which are being executed,

  • a cache of FTP control and data connections, and

  • information about plugins which are being used.

The specifics of the connection caching and plugins are found in the "http://toolkit.globus.org/api/c-globus-6.0/group%5f%5fglobus%5f%5fftp%5f%5fclient%5f%5fhandleattr.html[Handle Attributes]" section of the API documentation.

Once the handle is created, one may begin transferring files or doing other FTP operations by calling the functions in the "http://toolkit.globus.org/api/c-globus-6.0/group%5f%5fglobus%5f%5fftp%5f%5fclient%5f%5foperations.html[FTP Operations]" section of the API documentation. In addition to whole-file transfers, the API supports partial file transfers, restarting transfers from a known point, and various FTP directory management commands. All FTP operations may have a set of attributes, defined in the operationattr section, associated with them to tune various FTP parameters. The data structures and functions needed to restart a file transfer are described in the "http://toolkit.globus.org/api/c-globus-6.0/group%5f%5fglobus%5f%5fftp%5f%5fclient%5f%5frestart%5f%5fmarker.html[Restart Markers]" section of the API documentation. For operations which require the user to send to or receive data from an FTP server they must call the functions described in the "globus_ftp_client_data" section of the manual.

The globus_ftp_control library provides low-level services needed to implement FTP clients and servers. The API provided is protocol specific. The data transfer portion of this API provides support for the standard data methods described in the FTP Specification as well as extensions for parallel, striped, and partial data transfer.

Component API

For information on the internationalization API, see C Common Libraries API.

GridFTP Commands

GLOBUS-URL-COPY(1)

NAME

globus-url-copy - globus-url-copy

SYNOPSIS

globus-url-copy [options] SOURCE-URL DESTINATION-URL

DESCRIPTION

The globus-url-copy program is a command line tool for multi-protocol data movement. It supports gsiftp:// (GridFTP), ftp://, http://, https://, sshftp:// and file:/// protocol specifiers in the URL.

OPTIONS

-help, -usage

Print help.

-versions

Print the versions of all modules that this program uses

-c, -continue-on-error

Do not die after any errors. By default, program will exit after most errors.

-a, -ascii

Convert the file to/from ASCII format to/from local file format

-b, -binary

Do not apply any conversion to the files. default

-f FILENAME

Read a list of URL pairs from filename. Each line should contain sourceURL destURL. Enclose URLs with spaces in double qoutes ("). Blank lines and lines beginning with # will be ignored.

-cd, -create-dest

Create destination directory if needed.

-r

Copy files in subdirectories

-fast

Recommended when using GridFTP servers. Use MODE E for all data transfers, including reusing data channels between list and transfer operations.

-t SECONDS

Run the transfer for this number of seconds and then end. Useful for performance testing or forced restart loops.

-q, -quiet

Suppress all output for successful operation.

-v, -verbose

Display URLs being transferred

-vb, -verbose-perf

During the transfer, display the number of bytes transferred and the transfer rate per second. Show URLs being transferred

-dbg, -debugftp

Debug ftp connections. Prints control channel communication to stderr

-rst, -restart

Restart failed ftp operations.

-rst-retries RETRIES

The maximum number of times to retry the operation before giving up on the transfer. Use 0 for infinite. Default is 5.

-rst-interval SECONDS

The interval in seconds to wait after a failure before retrying the transfer. Use 0 for an exponential backoff. Default is 0.

-rst-timeout SECONDS

Maximum time after a failure to keep retrying. Use 0 for no timeout. Default is 0.

-stall-timeout SECONDS, -st SECONDS

How long before cancelling/restarting a transfer with no data movement. Set to 0 to disable. Default is 600 seconds.

-df FILENAME, -dumpfile FILENAME

Path to a file where untransferred URLs will be saved for later restarting. Resulting file is the same format as the -f input file. If file exists, it will be read and all other URL input will be ignored.

-do FILENAME, -dump-only FILENAME

Perform no write operations on the destination. Instead, all files that would be transferred are enumerated and dumped to the specified file. Resulting file is the same format as the -f input file. Note: if you intend to use this file as input for a future transfer, the -create-dest option will be required if any destination directories do not already exist.

-rp, -relative-paths

The path portion of ftp URLs will be interpreted as relative to the user’s starting directory on the server. By default, all paths are root-relative. When this flag is set, the path portion of the ftp URL must start with %2F if it designates a root-relative path.

-s SUBJECT, -subject SUBJECT

Use this subject to match with both the source and dest servers.

-ss SUBJECT, -source-subject SUBJECT

Use this subject to match with the source server

-ds SUBJECT, -dest-subject SUBJECT

Use this subject to match with the destination server.

-tcp-bs SIZE, -tcp-buffer-size SIZE

Specify the size (in bytes) of the buffer to be used by the underlying ftp data channels.

-bs block SIZE, -block-size block SIZE

Specify the size (in bytes) of the buffer to be used by the underlying transfer methods.

-p PARALLELISM, -parallel PARALLELISM

Specify the number of parallel data connections should be used.

-notpt, -no-third-party-transfers

Turn third-party transfers off (on by default).

-nodcau, -no-data-channel-authentication

Turn off data channel authentication for ftp transfers.

-dcsafe, -data-channel-safe

Set data channel protection mode to SAFE

-dcpriv, -data-channel-private

Set data channel protection mode to PRIVATE

-off, -partial-offset

Offset for partial ftp file transfers, defaults to 0.

-len, -partial-length

Length for partial ftp file transfers, used only for the source url, defaults the full file.

-list URL

List the files located at URL.

-stripe

Enable striped transfers on supported servers.

-striped-block-size, -sbs

Set layout mode and block size for striped transfers. If not set, server defaults will be used. If set to 0, Partitioned mode will be used. If set to > 0, Blocked mode will be used, with this as the block size.

-ipv6

Use ipv6 when available (EXPERIMENTAL)

-udt

Use UDT, a reliable udp based transport protocol, for data transfers

-g2, -gridftp2

Use GridFTP v2 protocol enhancements when possible.

-dp, -delayed-pasv

Enable delayed passive.

-mn NAME, -module-name NAME

Set the back-end storage module to use for both the source and destination in a GridFTP transfer.

-mp PARAMETERS, -module-parameters PARAMETERS

Set the back-end storage module arguments to use for both the source and destination in a GridFTP transfer.

-smn NAME, -src-module-name NAME

Set the back-end storage module to use for the source in a GridFTP transfer.

-smp PARAMETERS, -src-module-parameters PARAMETERS

Set the back-end storage module arguments to use for the source in a GridFTP transfer.

-dmn NAME, -dst-module-name NAME

Set the back-end storage module to use for the destination in a GridFTP transfer.

-dmp PARAMETERS, -dst-module-parameters PARAMETERS

Set the back-end storage module arguments to use for the destination in a GridFTP transfer.

-aa FILE, -authz-assert FILE

Use the assertions in FILE to authorize the access with both source and destination servers.

-saa FILE, -src-authz-assert FILE

Use the assertions in this file to authorize the access with source server.

-daa FILE, -dst-authz-assert FILE

Use the assertions in this file to authorize the access with dest server.

-cache-aa, -cache-authz-assert

Cache the authz assertion for subsequent transfers.

-cache-saa, -cache-src-authz-assert

Cache the src authz assertion for subsequent transfers.

-cache-daa, -cache-dst-authz-assert

Cache the dst authz assertion for subsequent transfers.

-pipeline, -pp

Enable pipelining support for multi-file ftp transfers. Currently third-party transfers benefit from this. EXPERIMENTAL

-concurrency, -cc

Number of concurrent ftp connections to use for multiple transfers.

-nl-bottleneck, -nlb

Use NetLogger to estimate speeds of disk and network read/write system calls, and attempt to determine the bottleneck component.

-sp COMMANDS, -src-pipe COMMANDS

Set the source end of a remote transfer to use piped in input with the given command line. Do not use with -fsstack.

-DP COMMANDS, -dst-pipe COMMANDS

Set the destination end of a remote transfer to write data to then standard input of the program run via the given command line. Do not use with -fsstack.

-pipe COMMANDS

Sets both -src-pipe and -dst-pipe to the same thing.

-dcstack STACK, -data-channel-stack STACK

Set the XIO driver stack for the network on both the source and the destination. Both must be GridFTP servers. The stack should contain all network drivers to use, in the order specified from bottom to top (e.g. -dcstack tcp,gsi). If the gsi driver is not included in the stack and data channel authentication is enabled, it will be inserted above the transport driver in the stack.

-fsstack STACK, -file-system-stack STACK

Set the XIO driver stack for the disk on both the source and the destination. Both must be GridFTP servers. The stack should contain all file system drivers to use, in the order specified from bottom to top.

-src-dcstack STACK, -source-data-channel-stack STACK

Set the XIO driver stack for the network on the source GridFTP server. See -dcstack above for description of the STACK string.

-src-fsstack STACK, -source-file-system-stack STACK

Set the XIO driver stack for the disk on the source GridFTP server. See -fsstack above for description of the STACK string.

-dst-dcstack STACK, -dest-data-channel-stack STACK

Set the XIO driver stack for the network on the destination GridFTP server. See -dcstack above for description of the STACK string.

-dst-fsstack STACK, -dest-file-system-stack STACK

Set the XIO driver stack for the disk on the destination GridFTP server. See -fsstack above for description of the STACK string.

-cred PATH

Set the credentials to use for both ftp connections.

-src-cred CRED-FILE, -sc CRED-FILE

Set the credentials to use for source ftp connections.

-dst-cred CRED-FILE, -dc CRED-FILE

Set the credentials to use for destination ftp connections.

-af FILENAME, -alias-file FILENAME

File with mapping of logical host aliases to lists of physical hosts. When used with multiple concurrent connections, each connection uses the next host in the list. Each line should either be an alias, noted with the @ symbol, or a hostname[:port]. Currently, only the aliases @source and @destination are valid, and they are used for every source or destination URL.

-sync

Only transfer files where the destination does not exist or differs from the source. -sync-level controls how to determine if files differ.

-sync-level number

Criteria for determining if files differ when performing a sync transfer. The default sync level is 2. The available levels are:

  • Level 0 will only transfer if the destination does not exist.

  • Level 1 will transfer if the size of the destination does not match the size of the source.

  • Level 2 will transfer if the time stamp of the destination is older than the time stamp of the source.

  • Level 3 will perform a checksum of the source and destination and transfer if the checksums do not match.

AUTHOR

Copyright © 1999-2014 University of Chicago

Interactive clients for GridFTP

The Grid Community Toolkit does not include an interactive client for GridFTP. Any normal FTP client will work with a GridFTP server, but it cannot take advantage of the advanced features of GridFTP. The interactive clients listed below take advantage of the advanced features of GridFTP.

There is no endorsement implied by their presence here. We make no assertion as to the quality or appropriateness of these tools, we simply provide this for your convenience. We will not answer questions, accept bugs, or in any way shape or form be responsible for these tools, although they should have mechanisms of their own for such things.

UberFTP was developed at the NCSA under the auspices of NMI and TeraGrid:

GLOBUS-GRIDFTP-SERVER(8)

NAME

globus-gridftp-server - The Globus GridFTP server daemon

SYNOPSIS

globus-gridftp-server OPTIONS

DESCRIPTION

The globus-gridftp-server program is a ftp server with support for GridFTP protocol extensions, including strong authentication, parallel data transfers, and parallel data layouts.

OPTIONS

The list below contains the command-line options for the server, and also the name of the configuration file entry that implements that option. Note that any boolean option can be negated on the command line by preceding the specified option with -no- or -n. example: -no-cas or -nf.

Informational Options

-h,-help

Show usage information and exit.

This option can also be set in the configuration file as help. The default value of this option is FALSE.

-hh,-longhelp

Show more usage information and exit.

This option can also be set in the configuration file as longhelp. The default value of this option is FALSE.

-v,-version

Show version information for the server and exit.

This option can also be set in the configuration file as version. The default value of this option is FALSE.

-V,-versions

Show version information for all loaded globus libraries and exit.

This option can also be set in the configuration file as versions. The default value of this option is FALSE.

Modes of Operation

-i,-inetd

Run under an inetd service.

This option can also be set in the configuration file as inetd. The default value of this option is FALSE.

-s,-daemon

Run as a daemon. All connections will fork off a new process and setuid if allowed.

This option can also be set in the configuration file as daemon. The default value of this option is TRUE.

-S,-detach

Run as a background daemon detached from any controlling terminals.

This option can also be set in the configuration file as detach. The default value of this option is FALSE.

-ssh

Run over a connected ssh session.

This option can also be set in the configuration file as ssh. The default value of this option is FALSE.

-exec string

For statically compiled or non-GLOBUS_LOCATION standard binary locations, specify the full path of the server binary here. Only needed when run in daemon mode.

This option can also be set in the configuration file as exec.

-chdir

Change directory when the server starts. This will change directory to the dir specified by the chdir_to option.

This option can also be set in the configuration file as chdir. The default value of this option is TRUE.

-chdir-to string

Directory to chdir to after starting. Will use / if not set. Note that this is the directory of the process, not the client’s home directory.

This option can also be set in the configuration file as chdir_to.

-threads number

Enable threaded operation and set the number of threads. The default is 0, which is non-threaded. When threading is required, a thread count of 1 or 2 should be sufficient.

This option can also be set in the configuration file as threads.

-f,-fork

Server will fork for each new connection. Disabling this option is only recommended when debugging. Note that non-forked servers running as root will only accept a single connection, and then exit.

This option can also be set in the configuration file as fork. The default value of this option is TRUE.

-1,-single

Exit after a single connection.

This option can also be set in the configuration file as single. The default value of this option is FALSE.

-chroot-path string

Path to become the new root after authentication. This path must contain a valid certificate structure, /etc/passwd, and /etc/group. The command globus-gridftp-server-setup-chroot can help create a suitable directory structure.

This option can also be set in the configuration file as chroot_path.

Authentication, Authorization, and Security Options

-auth-level number

Add levels together to use more than one.

  • 0 = Disables all authorization checks.

  • 1 = Authorize identity.

  • 2 = Authorize all file/resource accesses.

  • 4 = Disable changing process uid to authenticated user (no setuid) — DO NOT use this when process is started as root.

    If not set uses level 2 for front ends and level 1 for data nodes. Note that levels 2 and 4 imply level 1 as well.

    This option can also be set in the configuration file as auth_level.

-ipc-allow-from string

Only allow connections from these source ip addresses. Specify a comma separated list of ip address fragments. A match is any ip address that starts with the specified fragment. Example: 192.168.1. will match and allow a connection from 192.168.1.45. Note that if this option is used any address not specifically allowed will be denied.

This option can also be set in the configuration file as ipc_allow_from.

-ipc-deny-from string

Deny connections from these source ip addresses. Specify a comma separated list of ip address fragments. A match is any ip address that starts with the specified fragment. Example: 192.168.2. will match and deny a connection from 192.168.2.45.

This option can also be set in the configuration file as ipc_deny_from.

-allow-from string

Only allow connections from these source ip addresses. Specify a comma separated list of ip address fragments. A match is any ip address that starts with the specified fragment. Example: 192.168.1. will match and allow a connection from 192.168.1.45. Note that if this option is used any address not specifically allowed will be denied.

This option can also be set in the configuration file as allow_from.

-deny-from string

Deny connections from these source ip addresses. Specify a comma separated list of ip address fragments. A match is any ip address that starts with the specified fragment. Example: 192.168.2. will match and deny a connection from 192.168.2.45.

This option can also be set in the configuration file as deny_from.

-si,-secure-ipc

Use GSI security on ipc channel.

This option can also be set in the configuration file as secure_ipc. The default value of this option is TRUE.

-ia string,-ipc-auth-mode string

Set GSI authorization mode for the ipc connection. Options are: none, host, self or subject:[subject].

This option can also be set in the configuration file as ipc_auth_mode. The default value of this option is host.

-aa,-allow-anonymous

Allow clear text anonymous access. If server is running as root anonymous_user must also be set. Disables ipc security.

This option can also be set in the configuration file as allow_anonymous. The default value of this option is FALSE.

-anonymous-names-allowed string

Comma separated list of names to treat as anonymous users when allowing anonymous access. If not set, the default names of anonymous and ftp will be allowed. Use * to allow any username.

This option can also be set in the configuration file as anonymous_names_allowed.

-anonymous-user string

User to setuid to for an anonymous connection. Only applies when running as root.

This option can also be set in the configuration file as anonymous_user.

-anonymous-group string

Group to setgid to for an anonymous connection. If unset, the default group of anonymous_user will be used.

This option can also be set in the configuration file as anonymous_group.

-sharing-dn string

Allow sharing when using the supplied DN. A client connected with these credentials will be able to access any user for which sharing is enabled.

This option can also be set in the configuration file as sharing_dn.

-sharing-state-dir string

Full path to a directory that will contain files used by GridFTP to control sharing access for individual local accounts. The special variables $HOME and $USER can be used to create a dynamic path that is unique to each local account. This pathmust be writable by the associated account. The default path is $HOME/.globus/sharing/. This must refer to a path on the filesystem, not a path that is only accessible via a DSI plugin.

This option can also be set in the configuration file as sharing_state_dir.

-sharing-control

Allow a local user account to control its own sharing access via special GridFTP client commands. The user account must have filesystem write access to the sharing state dir.

This option can also be set in the configuration file as sharing_control. The default value of this option is TRUE.

-sharing-rp string

Sharing specific path restrictions. This completely replaces the normal path restrictions (-rp) when an account is being shared by a sharing-dn login.Follows normal path restriction semantics.

This option can also be set in the configuration file as sharing_rp.

-sharing-users-allow string

Comma separated list of usernames that are allowed to share unless matched in the user deny lists. If this list is set, users that are not included will be denied unless matched in the group allow list.

This option can also be set in the configuration file as sharing_users_allow.

-sharing-users-deny string

Comma separated list of usernames that are denied sharing even if matched in the user or group allow lists.

This option can also be set in the configuration file as sharing_users_deny.

-sharing-groups-allow string

Comma separated list of groups whose members are allowed to share unless matched in the user or group deny lists. If this list is set, groups that are not included will be denied unless matched in the user allow list.

This option can also be set in the configuration file as sharing_groups_allow.

-sharing-groups-deny string

Comma separated list of groups whose members will be denied sharing unless matched in the user allow list.

This option can also be set in the configuration file as sharing_groups_deny.

-allow-root

Allow clients to be mapped to the root account.

This option can also be set in the configuration file as allow_root. The default value of this option is FALSE.

-allow-disabled-login

Do not check if a user’s system account is disabled before allowing login.

This option can also be set in the configuration file as allow_disabled_login. The default value of this option is FALSE.

-password-file string

Enable clear text access and authenticate users against this /etc/passwd formatted file.

This option can also be set in the configuration file as pw_file.

-connections-max number

Maximum concurrent connections allowed. Only applies when running in daemon mode. Unlimited if not set.

This option can also be set in the configuration file as connections_max.

-connections-disabled

Disable all new connections. For daemon mode, issue a SIGHUP to the server process after changing the config file in order to not affect ongoing connections.

This option can also be set in the configuration file as connections_disabled. The default value of this option is FALSE.

-offline-msg string

Custom message to be displayed to clients when the server is offline via the connections_disabled or connections_max = 0 options.

This option can also be set in the configuration file as offline_msg.

-disable-command-list string

A comma separated list of client commands that will be disabled.

This option can also be set in the configuration file as disable_command_list.

-authz-callouts,-cas

Enable the GSI authorization callout framework, for callouts such as CAS.

This option can also be set in the configuration file as cas. The default value of this option is TRUE.

-use-home-dirs

Set the starting directory to the authenticated users home dir. Disabling this is the same as setting -home-dir /.

This option can also be set in the configuration file as use_home_dirs. The default value of this option is TRUE.

-home-dir string

Set a path to override the system defined home/starting directory for authenticated users. The special variable strings $USER and $HOME may be used. The authenticated username will be substituted for $USER, and the user’s real home dir will be substituted for $HOME. Be sure to escape the $ character if using these on the command line.

This option can also be set in the configuration file as home_dir.

-rp string,-restrict-paths string

A comma separated list of full paths that clients may access. Each path may be prefixed by R and/or W, denoting read or write access, otherwise full access is granted. If a given path is a directory, all contents and subdirectories will be given the same access. Order of paths does not matter — the permissions on the longest matching path will apply. The special character \~ will be replaced by the authenticated user’s home directory, or the -home-dir option, if used. Note that if the home directory is not accessible, \~ will be set to /. By default all paths are allowed, and access control is handled by the OS. In a striped or split process configuration, this should be set on both the frontend and data nodes.

This option can also be set in the configuration file as restrict_paths.

-rp-follow-symlinks

Do not verify that a symlink points to an allowed path before following. By default, symlinks are followed only when they point to an allowed path. By enabling this option, symlinks will be followed even if they point to a path that is otherwise restricted.

This option can also be set in the configuration file as rp_follow_symlinks. The default value of this option is FALSE.

-em string,-acl string

A comma separated list of ACL or event modules to load.

This option can also be set in the configuration file as acl.

Logging Options

-d string,-log-level string

Log level. A comma separated list of levels from: ERROR, WARN, INFO, TRANSFER, DUMP, ALL. TRANSFER includes the same statistics that are sent to the separate transfer log when -log-transfer is used. Example: error,warn,info. You may also specify a numeric level of 1-255. The default level is ERROR.

This option can also be set in the configuration file as log_level. The default value of this option is ERROR.

-log-module string

globus_logging module that will be loaded. If not set, the default stdio module will be used, and the logfile options apply. Built in modules are stdio and syslog. Log module options may be set by specifying module:opt1=val1:opt2=val2. Available options for the built in modules are interval and buffer, for buffer flush interval and buffer size, respectively. The default options are a 64k buffer size and a 5 second flush interval. A 0 second flush interval will disable periodic flushing, and the buffer will only flush when it is full. A value of 0 for buffer will disable buffering and all messages will be written immediately. Example: -log-module stdio:buffer=4096:interval=10

This option can also be set in the configuration file as log_module.

-l string,-logfile string

Path of a single file to log all activity to. If neither this option or log_unique is set, logs will be written to stderr unless the execution mode is detached or inetd, in which case logging will be disabled.

This option can also be set in the configuration file as log_single.

-L string,-logdir string

Partial path to which gridftp.(pid).log will be appended to construct the log filename. Example: -L /var/log/gridftp/ will create a separate log ( /var/log/gridftp/gridftp.xxxx.log ) for each process (which is normally each new client session). If neither this option or log_single is set, logs will be written to stderr unless the execution mode is detached or inetd, in which case logging will be disabled.

This option can also be set in the configuration file as log_unique.

-Z string,-log-transfer string

Log netlogger style info for each transfer into this file. You may also use the log-level of TRANSFER to include this info in the standard log.

This option can also be set in the configuration file as log_transfer.

-log-filemode string

File access permissions of log files. Should be an octal number such as 0644.

This option can also be set in the configuration file as log_filemode.

-disable-usage-stats

Disable transmission of per-transfer usage statistics. See the Usage Statistics section in the online documentation for more information.

This option can also be set in the configuration file as disable_usage_stats. The default value of this option is FALSE.

-usage-stats-target string

Comma separated list of contact strings (host:port) for usage statistics receivers. The usage stats sent to a particular receiver may be customized by configuring it with a taglist (host:port!taglist) The taglist is a list of characters that each correspond to a usage stats tag. When this option is unset, stats are reported to usage-stats.globus.org:4810. If you set your own receiver, and wish to continue reporting to the Globus receiver, you will need to add it manually. The list of available tags follow. Tags marked * are reported by default.

*(e) START - start time of transfer
*(E) END - end time of transfer
*(v) VER - version string of GridFTP server
*(b) BUFFER - tcp buffer size used for transfer
*(B) BLOCK - disk blocksize used for transfer
*(N) NBYTES - number of bytes transferred
*(s) STREAMS - number of parallel streams used
*(S) STRIPES - number of stripes used
*(t) TYPE - transfer command: RETR, STOR, LIST, etc
*(c) CODE - ftp result code (226 = success, 5xx = fail)
*(D) DSI - DSI module in use
*(A) EM - event modules in use
*(T) SCHEME - ftp, gsiftp, sshftp, etc. (client supplied)
*(a) APP - guc, rft, generic library app, etc. (client supplied)
*(V) APPVER - version string of above. (client supplied)
(f) FILE - name of file/data transferred
(i) CLIENTIP - ip address of host running client (control channel)
(I) DATAIP - ip address of source/dest host of data (data channel)
(u) USER - local user name the transfer was performed as
(d) USERDN - DN that was mapped to user id
(C) CONFID - ID defined by -usage-stats-id config option
(U) SESSID - unique id that can be used to match transfers in a session and
    transfers across source/dest of a third party transfer. (client supplied)

This option can also be set in the configuration file as usage_stats_target.

-usage-stats-id string

Identifying tag to include in usage statistics data. If this is set and usage-stats-target is unset, CONFID will be added to the default usage stats data.

This option can also be set in the configuration file as usage_stats_id.

Single and Striped Remote Data Node Options

-r string,-remote-nodes string

Comma separated list of remote node contact strings.

This option can also be set in the configuration file as remote_nodes.

-hybrid

When a server is configured for striped operation with the remote_nodes option, both a frontend and backend process are started even if the client does not request multiple stripes. This option will start backend processes only when striped operation is requested by the client, while servicing non-striped requests with a single frontend process.

This option can also be set in the configuration file as hybrid. The default value of this option is FALSE.

-dn,-data-node

This server is a backend data node.

This option can also be set in the configuration file as data_node. The default value of this option is FALSE.

-sbs number,-stripe-blocksize number

Size in bytes of sequential data that each stripe will transfer.

This option can also be set in the configuration file as stripe_blocksize. The default value of this option is 1048576.

-stripe-count number

Number of number stripes to use per transfer when this server controls that number. If remote nodes are statically configured (via -r or remote_nodes), this will be set to that number of nodes, otherwise the default is 1.

This option can also be set in the configuration file as stripe_count.

-sl number,-stripe-layout number

Stripe layout. 1 = Partitioned 2 = Blocked.

This option can also be set in the configuration file as stripe_layout. The default value of this option is 2.

-stripe-blocksize-locked

Do not allow client to override stripe blocksize with the OPTS RETR command

This option can also be set in the configuration file as stripe_blocksize_locked. The default value of this option is FALSE.

-stripe-layout-locked

Do not allow client to override stripe layout with the OPTS RETR command

This option can also be set in the configuration file as stripe_layout_locked. The default value of this option is FALSE.

Disk Options

-bs number,-blocksize number

Size in bytes of data blocks to read from disk before posting to the network.

This option can also be set in the configuration file as blocksize. The default value of this option is 262144.

-sync-writes

Flush disk writes before sending a restart marker. This attempts to ensure that the range specified in the restart marker has actually been committed to disk. This option will probably impact performance, and may result in different behavior on different storage systems. See the manpage for sync() for more information.

This option can also be set in the configuration file as sync_writes. The default value of this option is FALSE.

-perms string

Set the default permissions for created files. Should be an octal number such as 0644. The default is 0644. Note: If umask is set it will affect this setting — i.e. if the umask is 0002 and this setting is 0666, the resulting files will be created with permissions of 0664.

This option can also be set in the configuration file as perms.

-file-timeout number

Timeout in seconds for all disk accesses. A value of 0 disables the timeout.

This option can also be set in the configuration file as file_timeout.

Network Options

-p number,-port number

Port on which a frontend will listen for client control channel connections, or on which a data node will listen for connections from a frontend. If not set a random port will be chosen and printed via the logging mechanism.

This option can also be set in the configuration file as port.

-control-interface string

Hostname or IP address of the interface to listen for control connections on. If not set will listen on all interfaces.

This option can also be set in the configuration file as control_interface.

-data-interface string

Hostname or IP address of the interface to use for data connections. If not set will use the current control interface.

This option can also be set in the configuration file as data_interface.

-ipc-interface string

Hostname or IP address of the interface to use for ipc connections. If not set will listen on all interfaces.

This option can also be set in the configuration file as ipc_interface.

-hostname string

Effectively sets the above control_interface, data_interface and ipc_interface options.

This option can also be set in the configuration file as hostname.

-ipc-port number

Port on which the frontend will listen for data node connections.

This option can also be set in the configuration file as ipc_port.

-control-preauth-timeout number

Time in seconds to allow a client to remain connected to the control channel without activity before authenticating.

This option can also be set in the configuration file as control_preauth_timeout. The default value of this option is 120.

-control-idle-timeout number

Time in seconds to allow a client to remain connected to the control channel without activity.

This option can also be set in the configuration file as control_idle_timeout. The default value of this option is 600.

-ipc-idle-timeout number

Idle time in seconds before an unused ipc connection will close.

This option can also be set in the configuration file as ipc_idle_timeout. The default value of this option is 900.

-ipc-connect-timeout number

Time in seconds before canceling an attempted ipc connection.

This option can also be set in the configuration file as ipc_connect_timeout. The default value of this option is 60.

-allow-udt

Enable protocol support for UDT with NAT traversal if the udt driver is available. Requires threads.

This option can also be set in the configuration file as allow_udt. The default value of this option is FALSE.

-port-range string

Port range to use for incoming connections. The format is "startport,endport". This, along with -data-interface, can be used to enable operation behind a firewall and/or when NAT is involved. This is the same as setting the environment variable GLOBUS_TCP_PORT_RANGE.

This option can also be set in the configuration file as port_range.

User Messages

-banner string

Message to display to the client before authentication.

This option can also be set in the configuration file as banner.

-banner-file string

File to read banner message from.

This option can also be set in the configuration file as banner_file.

-banner-terse

When this is set, the minimum allowed banner message will be displayed to unauthenticated clients.

This option can also be set in the configuration file as banner_terse. The default value of this option is FALSE.

-banner-append

When this is set, the message set in the banner or banner_file option will be appended to the default banner message rather than replacing it.

This option can also be set in the configuration file as banner_append. The default value of this option is FALSE.

-version-tag string

Add an identifying string to the existing toolkit version. This is displayed in the default banner message, the SITE VERSION command, and usage stats.

This option can also be set in the configuration file as version_tag.

-login-msg string

Message to display to the client after authentication.

This option can also be set in the configuration file as login_msg.

-login-msg-file string

File to read login message from.

This option can also be set in the configuration file as login_msg_file.

Module Options

-dsi string

Data Storage Interface module to load. File and remote modules are defined by the server. If not set, the file module is loaded, unless the remote option is specified, in which case the remote module is loaded. An additional configuration string can be passed to the DSI using the format [module name]:[configuration string] to this option. The format of the configuration string is defined by the DSI being loaded.

This option can also be set in the configuration file as load_dsi_module.

-allowed-modules string

Comma separated list of ERET/ESTO modules to allow, and optionally specify an alias for. Example: module1,alias2:module2,module3 (module2 will be loaded when a client asks for alias2).

This option can also be set in the configuration file as allowed_modules.

-dc-whitelist string

A comma separated list of drivers allowed on the network stack.

This option can also be set in the configuration file as dc_whitelist.

-fs-whitelist string

A comma separated list of drivers allowed on the disk stack.

This option can also be set in the configuration file as fs_whitelist.

-popen-whitelist string

A comma separated list of programs that the popen driver is allowed to execute, when used on the network or disk stack. An alias may also be specified, so that a client does not need to specify the full path. Format is [alias:]prog,[alias:]prog. example: /bin/gzip,tar:/bin/tar

This option can also be set in the configuration file as popen_whitelist.

-xnetmgr string

An option string to pass to the XIO Network Manager Driver, which will then be loaded for all data channel connections. This must be in the form "manager=module;option1=value;option2=value;". See the Network Manager documentation for more info.

This option can also be set in the configuration file as xnetmgr.

-dc-default string

A comma separated list of XIO drivers and options representing the default network stack. Format is of each driver entry is driver1[:opt1=val1;opt2=val2;…​]. The bottom of the stack, the transport driver, is always first.

This option can also be set in the configuration file as dc_default.

-fs-default string

A comma separated list of XIO drivers and options representing the default disk stack. Format is of each driver entry is driver1[:opt1=val1;opt2=val2;…​]. The bottom of the stack, the transport driver, is always first.

This option can also be set in the configuration file as fs_default.

Other

-c string

Path to main configuration file that should be loaded. Otherwise will attempt to load $GLOBUS_LOCATION/etc/gridftp.conf and /etc/grid-security/gridftp.conf.

-C string

Path to directory holding configuration files that should be loaded. Files will be loaded in alphabetical order, and in the event of duplicate parameters the last loaded file will take precedence. Files with a . in the name (file.bak, file.rpmsave, etc.) will be ignored. Note that the main configuration file, if one exists, will always be loaded last.

This option can also be set in the configuration file as config_dir.

-config-base-path string

Base path to use when config and log path options are not full paths. By default this is the current directory when the process is started.

This option can also be set in the configuration file as config_base_path.

-debug

Sets options that make server easier to debug. Forces no-fork, no-chdir, and allows core dumps on bad signals instead of exiting cleanly. Not recommended for production servers. Note that non-forked servers running as root will only accept a single connection, and then exit.

This option can also be set in the configuration file as debug. The default value of this option is FALSE.

-pidfile string

Write PID of the GridFTP server to this path. May contain variable references to ${localstatedir}

This option can also be set in the configuration file as pidfile.

EXIT STATUS

0

Successful program execution.

GLOBUS-GRIDFTP-SERVER-SETUP-CHROOT(8)

NAME

globus-gridftp-server-setup-chroot - Set up a chroot for the Globus GridFTP server

SYNOPSIS

globus-gridftp-server-setup-chroot [-h] [-c CERT-DIR] -r NEW-CHROOT

DESCRIPTION

The globus-gridftp-server-setup-chroot program creates a chroot directory tree that can be used for the globus-gridftp-server(8). This chroot contains a copy of essential POSIX devices in dev; hosts, group, passwd, and grid-security configuration files in etc; and a temporary file directory in tmp.

The -c CERT-DIR option copies certificate files from a different directory than the default [/etc/grid-security/certificates].

OPTIONS

-h

Print short usage and exit

-r NEW-CHROOT

Specify the new chroot directory to create.

-c CERT-DIR

Specify the trusted certificate dir source.

EXIT STATUS

0

Successful program execution.

1

Error

AUTHOR

Copyright © 1999-2015 University of Chicago

SEE ALSO

globus-gridftp-server(8)

Graphical User Interface

Globus Online

Grid Community Toolkit does not provide a client with Graphical User Interface (GUI) but Globus Service provides a web GUI for GridFTP data movement. It has the following features: * With a one-click Globus Connect Personal installed on your local system, you can browse the local file system and transfer files and directories between the local system and remote GridFTP servers and between two remote GridFTP servers (third-party transfers). * Supports file system operations such as creating, deleting and renaming files and directories.

Supported Platforms: * Windows * Linux * Mac

Configuring GridFTP

GridFTP server configuration overview

[overview]

The configuration interface for GridFTP is the admin tool, , which can be used with a configuration file and/or run-time options.

Note

Command line options and configuration file options may both be used, but the command line overrides the config file.

The configuration file for the GridFTP server is read from the following locations, in the given order. Only the first file found will be loaded:

  • Path specified with the -c <configfile> command line option.

  • $GLOBUS_LOCATION/etc/gridftp.conf

  • /etc/grid-security/gridftp.conf

Options are one per line, with the format:

<option> <value>

If the value contains spaces, they should be enclosed in double-quotes ("). Flags or boolean options should only have a value of 0 or 1. Blank lines and lines beginning with # are ignored.

For example:

  port 5000
  allow_anonymous 1
  anonymous_user bob
  banner "Welcome!"

For complete command documentation including all options, see .

This page includes information about general configuration of the GridFTP server. Security options are discussed here, and more advanced configuration is described here.

Typical configuration

The following describes a typical GridFTP configuration of the front end (control channel) and back end (data channels). For other alternatives that provide greater levels of security, see Advanced Configuration.

By default, the data channel and control channel are separate socket connections within the same process. The client sends a command and waits to finish before issuing the next command. This is good for a single host, traditional-type user. If you have a single host and you want an ultra-reliable and light weight file transfer service, this is a good choice. This configuration is also good for testing purposes.

Firewall requirements

If the GridFTP server is behind a firewall:

  1. Contact your network administrator to open up port 2811 (for GridFTP control channel connection) and a range of ports (for GridFTP data channel connections) for the incoming connections. If the firewall blocks the outgoing connections, open up a range of ports for outgoing connections as well.

  2. Set the environment variable GLOBUS_TCP_PORT_RANGE:

    export GLOBUS_TCP_PORT_RANGE=min,max

    where min,max specify the port range that you have opened for the incoming connections on the firewall. This restricts the listening ports of the GridFTP server to this range. Recommended range is 1000 (e.g., 50000-51000) but it really depends on how much use you expect.

  3. If you have a firewall blocking the outgoing connections and you have opened a range of ports, set the environment variable GLOBUS_TCP_SOURCE_RANGE:

    export GLOBUS_TCP_SOURCE_RANGE=min,max

    where min,max specify the port range that you have opened for the outgoing connections on the firewall. This restricts the GridFTP server to bind to a local port in this range for outbound connections. Recommended range is twice the range used for GLOBUS_TCP_PORT_RANGE, because if parallel TCP streams are used for transfers, the listening port would remain the same for each connection but the connecting port would be different for each connection.

Note

If the server is behind NAT, the --data-interface <real ip/hostname> option needs to be used on the server.

If the GridFTP client is behind a firewall:

  1. Contact your network administrator to open up a range of ports (for GridFTP data channel connections) for the incoming connections. If the firewall blocks the outgoing connections, open up a range of ports for outgoing connections as well.

  2. Set the environment variable GLOBUS_TCP_PORT_RANGE

    export GLOBUS_TCP_PORT_RANGE=min,max

    where min,max specify the port range that you have opened for the incoming connections on the firewall. This restricts the listening ports of the GridFTP client to this range. Recommended range is 1000 (e.g., 50000-51000) but it really depends on how much use you expect.

  3. If you have a firewall blocking the outgoing connections and you have opened a range of (local) ports, set the environment variable GLOBUS_TCP_SOURCE_RANGE:

    export GLOBUS_TCP_PORT_RANGE=min,max

    where min,max specify the port range that you have opened for the outgoing connections on the firewall. This restricts the GridFTP client to bind to a local port in this range for outbound connections. Recommended range is twice the range used for GLOBUS_TCP_PORT_RANGE, because if parallel TCP streams are used for transfers, the listening port would remain the same for each connection but the connecting port would be different for each connection.

Additional information on Grid Community Toolkit Firewall Requirements is available here.

Configuring Security for GridFTP

There are many security options in GridFTP ranging from no security to higher security via GSI .

Anonymous mode

Anonymous mode (using the -aa option) allows any user with an FTP client to read and write (and delete) files that the server process can similarly access (it is also a quick way to test that your server works).

globus% globus-gridftp-server -aa
Server listening at 127.0.0.1:58806
Warning

When the server is run in this way, anyone who can connect to the server will posses all the same rights as the user that the process is run as (directly or via -anonymous-user). If using this mode intentionally for open access, it is best to run under a dedicated account with limited filesystem permissions. You can also use the option below to disable FTP commands such as STOR, ESTO, DELE, RDEL, RNTO, etc to make sure that users can only read from the server and not write to it.

 -disable-command-list <string>

Where <string> represents a comma separated list of client commands that will be disabled. Default: not set.

Username/password

If you trust your network and want a minimal amount of security, you can run the globus-gridftp-server with clear text passwords. This security model is the one originally introduced in RFC959.

Warning

We do not recommend it for long running servers open to the internet.

Create password file

To run the server in clear text password mode, we first need to create a password file dedicated to it. The format of the password file is the same as standard system password files; however, it is ill-advised to use a system password file. To create an entry in a GridFTP password file, run the following commands:

globus% touch pwfile
globus% gridftp-password.pl >> pwfile
Password:

This will ask you for a password and then create an entry in the password file for the current user name and the given password. Take a look at the file created. You will notice that the password you typed in is not in the file in a clear text form. We have run it though a one way hash algorithm before storing it in the file.

Run the server in password mode

Simply start the server pointing it at the password file you just created.

globus% globus-gridftp-server -password-file  /full/path/of/pwfile
Server listening at 127.0.0.1:5555
Make a transfer

To run globus-url-copy with the password, use the following syntax:

globus% globus-url-copy file:///etc/group ftp://

SSHFTP (GridFTP-over-SSH)

This type of security introduces the sshftp control channel (frontend) protocol. This is a very simple means of obtaining strong security on the control channel only (the data channel is not authenticated). With this approach, you can run a GridFTP transfer anywhere that you can ssh. sshftp:// leverages the ubiquitous ssh/sshd programs to form control channel connections much in the same way that inetd forms connections. leverages the ubiquitous ssh/sshd programs to form control channel connections much in the same way that inetd forms connections.

Configure Server for SSH GridFTP Support

Every host that wishes to run a globus-gridftp-server which can accept sshftp:// connections must run the following command as root: connections must run the following command as root:

globus% globus-gridftp-server-enable-sshftp

In the absence of root access, a user can configure the server to allow sshftp:// connections for that user only with the following command: connections for that user only with the following command:

globus% globus-gridftp-server-enable-sshftp -nonroot

The above command creates a file named sshftp in /etc/grid-security (if run as root) or in $HOME/.globus (if run as nonroot). You may edit this file to set gridftp commandline options or environment variables such as GLOBUS_TCP_PORT_RANGE, but you can also set those options in the config file.

Performing sshftp:// Transfers Transfers

In this case, a globus-gridftp-server does not need to be running. The server will be started via the sshd program. Therefore, the hostname and port should be that of the sshd server. Run globus-url-copy just as you have before; simply change ftp:// to to sshftp://..

globus% globus-url-copy -v file:/etc/group sshftp://127.0.0.1/tmp/group
globus% globus-url-copy -list sshftp://127.0.0.1/tmp/

GSIFTP

This security option can be the most involved to set up, but provides the most security. It requires setting up GSI security as described in the GCT Installation Guide here: Basic Security Configuration.

Once GSI has been set up (host and user credentials are valid, the gridmap file is updated and you’ve run grid-proxy-init to create a proxy certificate), you simply run the GridFTP server:

globus-gridftp-server
Note

If run as root, it will pick up the host cert; if not, it will pick up the user cert.

Now you are ready to perform a GSI-authenticated transfer:

globus-url-copy <-s subject> src_url dst_url
Note

The subject option is only needed if the server was not started as root.

Running in daemon mode

The server should generally be run as root in daemon mode, although it is possible to run it as a user (see below). When run as root you will need to have a host certificate.

Run the server:

globus-gridftp-server < -s | -S > <args>

where:

-s

Runs in the foreground (this is the default mode).

-S

Detaches from the terminal and runs in the background.

The following additional steps may be required when running as a user other than root (for more details, review Basic Security Configuration):

  • Create a ~/.gridmap file, containing the DNs of any clients you wish to allow, mapped to the current username. file, containing the DNs of any clients you wish to allow, mapped to the current username.

  • Create a proxy with grid-proxy-init.

Running under inetd or xinetd

Note

We also feature a user-configurable, super-server daemon plugin called GFork. Click here for more information.

  1. Set up xinetd/inetd config file

    Note

    The service name used (gsiftp in this case) should be defined in /etc/services with the desired port.

    Here is a sample GridFTP server xinetd config entry in /etc/xinetd.conf: :

    service gsiftp
    {
        instances               = 100
        socket_type             = stream
        wait                    = no
        user                    = root
        env                     += GLOBUS_LOCATION=(globus_location)
        env                     += LD_LIBRARY_PATH=(globus_location)/lib
        server                  = (globus_location)/sbin/globus-gridftp-server
        server_args             = -i
        log_on_success          += DURATION
        nice                    = 10
        disable                 = no
    }

    Here is a sample gridftp server inetd config entry in /etc/inetd.conf (read as a single line)

    gsiftp   stream   tcp   nowait   root   /usr/bin/env env    \
    GLOBUS_LOCATION=(globus_location)                           \
    LD_LIBRARY_PATH=(globus_location)/lib                       \
    (globus_location)/sbin/globus-gridftp-server -i
    Note

    On Mac OS X, you must set DYLD_LIBRARY_PATH instead of LD_LIBRARY_PATH in the above examples.

    Note

    You should NOT include USERID in the log lines. See High latency for GridFTP server connections for more information.

  2. globus-gridftp-server -i

    Use the -i commandline option with globus-gridftp-server:

    globus-gridftp-server -i
Running under launchd

launchd is used to start services in the system Mac OS X 10.4 (Tiger) and newer, and is also available as a port to FreeBSD.

Here is a sample configuration file for launchd to start the server:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Disabled</key>
        <false/>
        <key>Label</key>
        <string>globus.gridftp</string>
        <key>Program</key>
        <string>(globus_location)/sbin/globus-gridftp-server</string>
        <key>ProgramArguments</key>
        <array>
            <string>globus-gridftp-server</string>
            <string>-i</string>
            <string>-d</string>
            <string>ALL</string>
            <string>-l</string>
            <string>(globus_location)/var/gridftp.log</string>
        </array>
        <key>Sockets</key>
        <dict>
            <key>Listeners</key>
            <dict>
                <key>SockServiceName</key>
                <string>gsiftp</string>
            </dict>
        </dict>
        <key>inetdCompatibility</key>
        <dict>
            <key>Wait</key>
            <false/>
        </dict>
        <key>StandardErrorPath</key>
        <string>/dev/null</string>
        <key>EnvironmentVariables</key>
        <dict>
            <key>GLOBUS_LOCATION</key>
            <string>(globus_location)</string>
            <key>LD_LIBRARY_PATH</key>
            <string>(globus_location)/lib</string>
        </dict>
    </dict>
</plist>

Provided that the configuration file is stored in /System/Library/LaunchDaemons/globus.gridftp.plist, the following command starts the GridFTP server:, the following command starts the GridFTP server:

launchctl load /System/Library/LaunchDaemons/globus.griftp.plist

The server will be started automatically with a system, unless the value of the key Disabled is changed from <false/> to <true/>.

User permissions

Users are mapped to a local account on the server machine and file permissions are handled by the operating systems. In the anonymous mode, users that connect to the server will posses all the same rights as the user that the server process is run as (directly or via -anonymous-user).

In case of username/password authentication, the users are mapped to the uid corresponding to the username in the GridFTP password file and the access permissions for the users is same as that of the UID that they are mapped to. If SSH based authentication is used, upon successful authentication, SSHD maps users to a local account and the GridFTP server is run as the mapped local user. The access permissions are the same as that of the mapped local user.

If GSI is used, upon successful authentication an authorization callout is invoked to (a) verify authorization and (b) determine the local user id as which the request should be executed. This callout is linked dynamically. Globus GridFTP provides an implementation that supports a Globus "gridmapfile". Sites can also provide alternative implementations. Server does a setuid to the local user id as determined by the authorization callout and the access permissions are the same as that of the local user id.

GridFTP server provides an option to disable certain FTP commands:

 -disable-command-list <string>

Where <string> represents a comma separated list of client commands that will be disabled. Default: not set.

globus-gridftp-server quickstart

The following is a quick guide to running the server and using the client:

Look through the list of options for globus-gridftp-server:

globus-gridftp-server --help

Start the server in anonymous mode (discussed more fully here):

globus-gridftp-server -control-interface 127.0.0.1 -aa -p 5000

where:

–control-interface

is the hostname or IP address of the interface to listen for control connections on . This option is only needed here as a rudimentary means of security for this simple example.

–aa

enables anonymous mode

–p

indicates on which port the server listens.

Run a two party transfer with client:

globus-url-copy -v file:///etc/group ftp://localhost:5000/tmp/group

Run 3rd party transfer:

globus-url-copy -v ftp://localhost:port/etc/group ftp://localhost:port/tmp/group2

Experiment with -dbg, and -vb options for debugging and checking the performance of your setup:

globus-url-copy -dbg file:///etc/group ftp://localhost:5000/tmp/group
globus-url-copy -vb file:///dev/zero ftp://localhost:5000/dev/null

where:

  • -dbg**:: A useful option when something is not working. It results in a GridFTP control channel protocol dump (along with other useful information) to stderr. If you understand the GridFTP protocol, or you have ambition to understand it, this can be a very useful tool to discover various problems in your setup such as overloaded servers and firewalls. When submitting a bug report or asking a question on the support email lists one should always send along the -dbg output.

    -vb

    Provides a type of progress bar of the user to observe the rate at which their transfer is progressing.

Ctrl-c - Kill the server.

Note

There are many possible options and configurations with globus-gridftp-server. For some guidelines on setting it up for your situation, see Key Admin Settings and Tuning Recommendations.

Enabling File Sharing with Globus Sharing Service

To enable file sharing using Globus Sharing, you have to add the Globus Sharing CA certificates to your trusted certificates directory (/etc/grid-security/certificates) and use -sharing-dn option in the server as follows:

globus% globus-gridftp-server -sharing-dn "/C=US/O=Globus Consortium/OU=Globus Online/OU=Transfer User/CN=__transfer__"

and use -sharing-rp option to restrict the file paths allowed for sharing:

globus% globus-gridftp-server -sharing-rp <path>

Environment variable interface

Environment variables for GridFTP

The GridFTP server or client libraries do not read any environment variable directly, but the security and networking related variables described below may be useful.

Errors

Error Codes in GridFTP

Table 1. GridFTP Errors
Error Code Definition Possible Solutions

globus_ftp_client: the server responded with an error
530 530-globus_xio: Authentication Error
530-OpenSSL Error: s3_srvr.c:2525: in library: SSL routines,
function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
530-globus_gsi_callback_module: Could not verify credential
530-globus_gsi_callback_module: Can’t get the local trusted CA certificate:
Untrusted self-signed certificate in chain with hash d1b603c3
530 End.

This error message indicates that the GridFTP server doesn’t trust the certificate authority (CA) that issued your certificate.

You need to ask the GridFTP server administrator to install your CA certificate chain in the GridFTP server’s trusted certificates directory.

globus_ftp_control: gss_init_sec_context failed
OpenSSL Error: s3_clnt.c:951: in library: SSL routines, function
SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Can’t get the local trusted CA certificate:
Untrusted self-signed certificate in chain with hash d1b603c3

This error message indicates that your local system doesn’t trust the certificate authority (CA) that issued the certificate on the resource you are connecting to.

You need to ask the resource administrator which CA issued their certificate and install the CA certificate in the local trusted certificates directory.

530-globus_xio: Authentication Error
530-globus_gsi_callback_module: Could not verify credential
530-globus_gsi_callback_module: Could not verify credential
530-globus_gsi_callback_module: Invalid CRL: The available CRL has expired
530 End.

This error message indicates one of the following: Certificate Revocation List (CRL) for the source or destination server CA at the client has expired or CRL for client CA has expired at source or destination server or CRL for source (destination) server CA has expired at destination (source) server. CRL is a file {CA_hash}.r0 in /etc/grid-security/certificates or ${USER_HOME}/.globus/certificates or ${X509_CERT_DIR}

The tool available at http://dist.eugridpma.info/distribution/util/fetch-crl/ can be run in a crontab to keep the CRLs up to date.