Notes on configuring a copy of the blotter VM for production:

Copy the VM

  • shutdown blotter
  • on devil
    cd /srv/vm
    TMPVMDIR=tmp-vm
    mkdir $TMPVMDIR
    SRCVM=blotter
    DESTVM=cagrid-production
    cp -rp $SRCVM $TMPVMDIR
    pushd $TMPVMDIR
    ../mvb-rename $SRCVM $DESTVM
    mv $DESTVM ..
    popd
    rmdir $TMPVMDIR
    
  • open the VM in the VMware Server console
  • at the boot prompt, boot to single-user mode (add "single" to the boot arguments)
  • change the IP address in single-user mode before booting the system normally

Machine State

  • Change the default run level to 3 at boot (/etc/inittab: change id:5:initdefault: to id:3:initdefault:). The following patch applies the change.
    cd /etc
    patch --ignore-whitespace --backup inittab << EOF
    18c18
    < id:5:initdefault:
    ---
    > id:3:initdefault:
    EOF
    
  • Remove the non-production users jpr and ppreddy
    userdel -r jpr
    userdel -r ppreddy
    
  • Lock all application accounts with passwd -l (see /etc/shadow for the list)
    passwd -l caarray
    passwd -l cagwas
    passwd -l catissue
    passwd -l ctods
    passwd -l ncia
    
  • change the passwords for cagrid and root (to be passed on to production and changed there)
  • change /etc/ssh/sshd_config so that only cagrid may log in remotely
    • only allow root from the "console"
      cd /etc/ssh
      patch --ignore-whitespace --backup sshd_config << EOF
      107c107
      < AllowUsers jpr ppreddy labkey
      ---
      > AllowUsers cagrid
      EOF
      
  • update the sudo config to allow password-less access to root (document sudo bash as the method to get to root). Right now this is achieved by adding the user 'cagrid' to the 'wheel' group
    usermod -a -G wheel cagrid
    

  • turn on the yum service so that a yum update is performed
    chkconfig yum on
    

Services

  • disable all non-essential services: portmap, cups-config-daemon, sendmail, rpcidmapd, cups, nfslock
    chkconfig portmap off
    chkconfig cups-config-daemon off
    chkconfig sendmail off
    chkconfig rpcidmapd off
    chkconfig cups off
    chkconfig nfslock off
    
  • disable all unused caBIG (Life Sciences Distribution) tools, e.g. caTissue
    chkconfig jboss-catissue off
    chkconfig jexec off
    
  • manage the tomcat script through chkconfig (chkconfig tomcat off)
    • Right now the script in /etc/init.d/tomcat5 does not have the chkconfig header (run levels and start/stop priorities) needed to register it as a system-wide service.
    • TODO: Convert the existing tomcat script to be chkconfig compatible
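A way to verify the account and service steps above after the VM has been reconfigured. This is an added example, not part of the original notes: audit_accounts reads /etc/shadow-style lines and audit_services reads "chkconfig --list" output; the sample data is constructed and seeds three deliberate findings.

```shell
# Added example, not from the original notes: audit the account and service
# hardening steps. Both sample inputs are constructed (not from the VM) and
# contain three findings: cagwas unlocked, ppreddy still present, cups on.
APP_ACCOUNTS="caarray cagwas catissue ctods ncia"
REMOVED_USERS="jpr ppreddy"
DISABLED_SERVICES="portmap cups-config-daemon sendmail rpcidmapd cups nfslock jboss-catissue jexec"
# Flag app accounts whose hash field is not locked ("!" or "*" prefix, which
# is what passwd -l produces) and removed users that still have an entry.
audit_accounts() {
    while IFS=: read -r user hash rest; do
        for u in $REMOVED_USERS; do
            [ "$u" = "$user" ] && echo "FLAG account still present: $user"
        done
        for u in $APP_ACCOUNTS; do
            [ "$u" = "$user" ] || continue
            case "$hash" in
                '!'*|'*'*) ;;
                *) echo "FLAG account not locked: $user" ;;
            esac
        done
    done
}
# Flag services that should be off but are still on in any run level.
audit_services() {
    while read -r svc levels; do
        for s in $DISABLED_SERVICES; do
            [ "$s" = "$svc" ] || continue
            case "$levels" in
                *:on*) echo "FLAG service enabled: $svc ($levels)" ;;
            esac
        done
    done
}
# Constructed /etc/shadow lines (fake hashes) and chkconfig --list lines.
SAMPLE_SHADOW='root:$1$ab$hashhash:14385:0:99999:7:::
cagrid:$1$cd$hashhash:14385:0:99999:7:::
caarray:!$1$ef$hashhash:14385:0:99999:7:::
cagwas:$1$gh$hashhash:14385:0:99999:7:::
ppreddy:$1$ij$hashhash:14385:0:99999:7:::'
SAMPLE_CHKCONFIG='sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendmail        0:off 1:off 2:off 3:off 4:off 5:off 6:off
cups            0:off 1:off 2:on  3:on  4:on  5:on  6:off'
run_audit() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_accounts
    printf '%s\n' "$SAMPLE_CHKCONFIG" | audit_services
}
count_findings() { run_audit | wc -l | tr -d ' '; }
run_audit
```

On the real VM, feed `cat /etc/shadow | audit_accounts` and `chkconfig --list | audit_services` instead of the samples; an empty result means every step above took effect.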

Network Config

  • change the IP address in /etc/hosts and /etc/sysconfig/network-scripts/ifcfg-eth0, and remove ifcfg-eth0:1
    cd /etc
    patch --ignore-whitespace --backup hosts << EOF
    4c4
    < 138.26.125.35           blotter.lab.ac.uab.edu blotter
    ---
    > 138.26.125.99           cagrid01.lab.ac.uab.edu cagrid01
    EOF
    
    cd /etc/sysconfig/network-scripts
    rm ifcfg-eth0\:1
    patch --ignore-whitespace --backup ifcfg-eth0 << EOF
    4c4
    < IPADDR=138.26.125.35
    ---
    > IPADDR=138.26.125.99
    EOF
    
  • change the host name to (what??)
    • Right now it is cagrid01.lab.ac.uab.edu
      cd /etc/sysconfig
      patch --ignore-whitespace --backup network << EOF
      2c2
      < HOSTNAME=blotter.lab.ac.uab.edu
      ---
      > HOSTNAME=cagrid01.lab.ac.uab.edu
      EOF
      
  • change the firewall to only allow ssh, caarray (webapp & grid service), labkey (globus container), upt?
    cd /etc/sysconfig
    patch --ignore-whitespace --backup iptables << EOF
    12,13c12
    < -A RH-Firewall-1-INPUT -s 138.26.125.35 -j ACCEPT
    < -A RH-Firewall-1-INPUT -s 10.0.0.68 -j ACCEPT
    ---
    > #-A RH-Firewall-1-INPUT -s 138.26.125.99 -j ACCEPT
    15,16c14,15
    < -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    < -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    ---
    > #-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    > #-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    18c17
    < -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    ---
    > #-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    EOF
    

caArray Service

  • Delete all accounts except one user-level and one admin-level account (use UPT?) (new passwords go to JS)
  • Verify role of UPT in controlling access to caArray
  • Change the service metadata
    su - caarray2
    pushd apps/caarray2/jboss-4.0.4.GA/server/default/deploy/wsrf.war/WEB-INF/etc/cagrid_CaArraySvc
    patch --ignore-whitespace --backup serviceMetadata.xml << EOF
    76c76
    <    <ns9:Address country="US" locality="Birmingham" postalCode="35294" stateProvince="AL" street1="1802 6th Avenue South" street2=""/>
    ---
    >    <ns9:Address country="US" locality="Birmingham" postalCode="35294" stateProvince="AL" street1="1801 University Boulevad" street2=""/>
    EOF
    

  • Change server-config so that the caArray grid service is published with the IP address instead of the hostname
    su - caarray2
    pushd apps/caarray2/jboss-4.0.4.GA/server/default/deploy/wsrf.war/WEB-INF/etc/globus_wsrf_core
    patch --ignore-whitespace --backup server-config.wsdd << EOF
    20,21c20,21
    <       <parameter name="logicalHost" value="blotter.lab.ac.uab.edu"/>
    <         <parameter name="publishHostName" value="true"/>
    ---
    > <!--  <parameter name="logicalHost" value="blotter.lab.ac.uab.edu"/> -->
    >         <parameter name="publishHostName" value="false"/>
    EOF
    
  • Change the service registration URL to the caBIG production grid
    su - caarray2
    pushd apps/caarray2/jboss-4.0.4.GA/server/default/deploy/wsrf.war/WEB-INF/etc/cagrid_CaArraySvc
    patch --ignore-whitespace --backup CaArraySvc_registration.xml << EOF
    9c9
    <     <wsa:Address>http://training03.cagrid.org:6080/wsrf/services/DefaultIndexService</wsa:Address>
    ---
    >     <wsa:Address>http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService</wsa:Address>
    EOF
    
  • Create an /etc/init.d start/stop script that invokes run.sh for the webapp and grid jboss containers on boot
    • look to /etc/init.d/jboss-catissue as a guide
    • service starting is currently manual
      su - caarray2
      
      apps/caarray2/jboss-4.0.5.GA/bin/run.sh > $HOME/var/log/jb-405.log 2>&1 &
      apps/caarray2/jboss-4.0.4.GA/bin/run.sh > $HOME/var/log/jb-404.log 2>&1 &
      
  • the above commands assume $HOME/var/log exists (if it does not, create it with mkdir -p $HOME/var/log as part of the new VM setup)
  • Two separate scripts, jboss-caarray-webapp and jboss-caarray-grid, are attached below. Both were copied to /etc/init.d.
  • Register script with chkconfig.
    chkconfig --add jboss-caarray-webapp
    chkconfig --add jboss-caarray-grid
    chkconfig jboss-caarray-webapp on
    chkconfig jboss-caarray-grid on
    

  • Starting and stopping the caArray grid service with the init script resulted in an error, so the caArray service had to be rebuilt from the source files. For this, we built from the /home/caarray account, where the caArray_2_0_0 source install files were located, instead of from /home/caarray2.
  • NOTE: Before building the caArray service, we made a tar of the existing caarray database at /usr/local/mysql/data and dropped the database for a clean install.
    cd /usr/local/mysql/data
    tar -cf caarraybak-2009-05-19.tar caarray
    mysql -u root -p
    mysql> drop database caarray;
    
  • The caArray service install
    su - caarray
    cd src/caarray2
    
  • Applied the following changes to the existing install.properties (from blotter)
    patch --ignore-whitespace --backup install.properties << EOF
    4c4
    < application.host.ipaddr=138.26.125.35
    ---
    > application.host.ipaddr=138.26.125.99
    EOF
    
  • Next, running ant builds both the caArray web and grid services. The first run got a build failure because the URL of the security_config.dtd used by the caArray web app container (JBoss-4.0.5.GA) did not exist. This was fixed by changing the DTD URL to the local jboss-4.0.5.GA path; running ant again then started the two jboss containers.
    su - caarray
    cd src/caarray2/common/resources/jboss-conf/
    patch --ignore-whitespace --backup security-config-ldap.xml << EOF
    4c4,5
    < "http://www.jboss.org/j2ee/dtd/security_config.dtd">
    ---
    > "/home/caarray/apps/caarray2/jboss-4.0.5.GA/docs/dtd/security_config.dtd">
    > <!-- "http://www.jboss.org/j2ee/dtd/security_config.dtd"> -->
    EOF
    

UPT service

  • Create an /etc/init.d start/stop script that invokes run.sh
    • service starting is currently manual
      su - upt
      
      apps/upt/jboss-4.0.4.GA/bin/run.sh > $HOME/var/log/upt.log 2>&1 &
      
  • the above command assumes $HOME/var/log exists (if it does not, create it with mkdir -p $HOME/var/log as part of the new VM setup)
  • jboss-upt is the start/stop script (attached below). It was copied to /etc/init.d.
  • Register script with chkconfig.
    chkconfig --add jboss-upt
    chkconfig jboss-upt on
    

JBoss Config

  • Security is not enabled by default in the JBoss containers used for the UPT and caArray services.
  • The JBoss JMX Console and Web Console have been secured by configuring the container to use password-based authentication and authorization.
  • To modify the JMX Console and Web Console users and roles properties, make changes at the following locations:
    • For caArray WebApp:
      • /home/caarray/apps/caarray2/jboss-4.0.5.GA/server/default/conf/props/jmx-console-users.properties
      • /home/caarray/apps/caarray2/jboss-4.0.5.GA/server/default/conf/props/jmx-console-roles.properties
      • /home/caarray/apps/caarray2/jboss-4.0.5.GA/server/default/conf/props/web-console-users.properties
      • /home/caarray/apps/caarray2/jboss-4.0.5.GA/server/default/conf/props/web-console-roles.properties
    • For caArray Grid:
      • /home/caarray/apps/caarray2/jboss-4.0.4.GA/server/default/conf/props/jmx-console-users.properties
      • /home/caarray/apps/caarray2/jboss-4.0.4.GA/server/default/conf/props/jmx-console-roles.properties
      • /home/caarray/apps/caarray2/jboss-4.0.4.GA/server/default/conf/props/web-console-users.properties
      • /home/caarray/apps/caarray2/jboss-4.0.4.GA/server/default/conf/props/web-console-roles.properties
    • For UPT:
      • /home/upt/apps/upt/jboss-4.0.4.GA/server/default/conf/props/jmx-console-users.properties
      • /home/upt/apps/upt/jboss-4.0.4.GA/server/default/conf/props/jmx-console-roles.properties
      • /home/upt/apps/upt/jboss-4.0.4.GA/server/default/conf/props/web-console-users.properties
      • /home/upt/apps/upt/jboss-4.0.4.GA/server/default/conf/props/web-console-roles.properties
  • Currently only one user, admin, has been defined. Other users and passwords can be added or modified by editing the files listed above.

LabKey Grid Service

  • Starting the labkey globus container needs to be converted to a chkconfig-based start/stop script (/etc/init.d); it is currently started by hand
    su - labkey
    
    export JAVA_HOME=/usr/java/jdk1.5.0_10/jre
    export ANT_HOME=/home/labkey/apps/apache-ant-1.6.5
    export GLOBUS_LOCATION=/home/labkey/apps/ws-core-4.0.3
    
    $GLOBUS_LOCATION/bin/globus-start-container -nosec > $HOME/var/log/gs-container.out 2>&1 &
    
  • globus-labkey is the start/stop script (attached below). It was copied to /etc/init.d.
  • Register script with chkconfig.
    chkconfig --add globus-labkey
    chkconfig globus-labkey on
    
  • The service metadata needs to be verified for the new location
    cd apps/cpas/etc/
    vi serviceMetadata.xml
    
  • This information is fine but should be consistent with the labkey and caarray data services
    <ns1:hostingResearchCenter>
      <ns9:ResearchCenter displayName="UAB-CCC" shortName="UAB-CCC" xmlns:ns9="gme://caGrid.caBIG/1.0/gov.nih.nci.cagrid.metadata.common">
       <ns9:Address country="US" locality="Birmingham" postalCode="35294" stateProvince="AL" street1="1802 6th Avenue South" street2=""/>
       <ns9:pointOfContactCollection>
        <ns9:PointOfContact affiliation="Staff" email="John.Sandefur@ccc.uab.edu" firstName="John" lastName="Sandefur" phoneNumber="" role=""/>
       </ns9:pointOfContactCollection>
      </ns9:ResearchCenter>
    </ns1:hostingResearchCenter>

Service URL

Steps to create a copy of the cagrid-production VM

Copy the VM

  • shutdown cagrid-production
    • on devil
      cd /srv/vm
      TMPVMDIR=tmp-vm
      mkdir $TMPVMDIR
      SRCVM=cagrid-production
      DESTVM=cagrid02-production
      cp -rp $SRCVM $TMPVMDIR
      pushd $TMPVMDIR
      ../mvb-rename $SRCVM $DESTVM
      mv $DESTVM ..
      popd
      rmdir $TMPVMDIR
      
  • open the VM in the VMware Server console
  • at the boot prompt, boot to single-user mode (add "single" to the boot arguments)

Network Config

  • change the IP address and/or hostname at the following locations in single-user mode before booting the system normally
    • /etc/hosts (ip addr + hostname)
    • /etc/sysconfig/network-scripts/ifcfg-eth0 (ip addr)
    • /etc/sysconfig/network (hostname)
  • The ports to be opened are:
    • 5353 (DNS)
    • 123 (NTP)
    • 22 (SSH)
    • 8080 (Globus Labkey)
    • 18080 (caArray Grid Service)
    • 38080 (caArray Web App Service)
    • 46210 (UPT)
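A check for the firewall step, written as an added example (not part of the original notes): it reads an /etc/sysconfig/iptables rule set in iptables-save format and flags any ACCEPT rule that is not restricted to one of the ports listed above. The sample rules are constructed and contain three rules of the kind the iptables patch in the first section comments out.

```shell
# Added example, not from the original notes: check an /etc/sysconfig/iptables
# (iptables-save format) rule set against the production port list above.
# The sample rules are constructed and include three that should be flagged.
ALLOWED_PORTS="22 123 5353 8080 18080 38080 46210"

port_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Read rules on stdin; print one FLAG line per ACCEPT rule that is not
# loopback, ICMP or connection-state based and that either has no --dport
# (a source-address or protocol-number blanket accept) or a --dport outside
# ALLOWED_PORTS. Returns 1 if anything was flagged, 0 if the rules are clean.
audit_rules() {
    flagged=0
    while IFS= read -r line; do
        case "$line" in
            "-A "*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" -i lo "*|*"-p icmp"*|*"--state ESTABLISHED"*) continue ;;
        esac
        port=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
        if [ -z "$port" ]; then
            echo "FLAG blanket accept: $line"; flagged=1
        elif ! port_allowed "$port"; then
            echo "FLAG port $port not allowed: $line"; flagged=1
        fi
    done
    return $flagged
}

SAMPLE_RULES='-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.0.68 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 18080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

count_flagged() { printf '%s\n' "$SAMPLE_RULES" | audit_rules | wc -l | tr -d ' '; }
printf '%s\n' "$SAMPLE_RULES" | audit_rules || echo "audit: tighten the rules flagged above"
```

On the VM, run `audit_rules < /etc/sysconfig/iptables` (or `iptables-save | audit_rules` for the live rules) and expect no output.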

caArray Service

  • Before building the caArray service, make a tar of the existing caarray database at /usr/local/mysql/data and drop the database for a clean install.
    cd /usr/local/mysql/data
    
    date=`date +"%Y%m%d"`
    
    tar -cf caarraybak-$date.tar caarray
    
    mysql -u root -p
    
    mysql> drop database caarray;
    
    

  • The caArray service install: change the service install.properties file to the IP address of your host and build the service with ant
    su - caarray
    
    cd src/caarray2
    
    patch --ignore-whitespace --backup install.properties << EOF
    4c4
    < application.host.ipaddr=138.26.125.99
    ---
    > application.host.ipaddr=138.26.125.98
    EOF
    
    ant
    
    
  • Copy the tarred caarray database back to /usr/local/mysql/data, as it contains the test data used to query the caArray service from the grid portal
  • Change the passwords for the various accounts, which include the system, mysql, jboss, upt and caArray accounts
  • reboot the VM

Attachments