To be written

  • edg-mkgridmap.conf file, running edg-mkgridmap, preconditions: ACL on VOMS

CentOS Installation

In this installation we used CentOS-5.3 as our operating system. The kickstart file should be web accessible. At the boot prompt, enter the following command to start the installation. You will need to change CDs during the installation process.

linux ks=http://<ip.addr.kickstart.url>/<path-to-kickstart.file>

Installation Prerequisites

The following instructions were adapted from the OSG PreparingComputeElement wiki notes.

Add globus user

  • We need to add a globus user for running the Globus web services. If the globus user is not present, the Globus web services will run as a daemon user.
    groupadd -g 401 globus
    useradd -c 'Globus Toolkit' -g 401 -m globus
    

Install Condor

  • The OSG wiki notes mention that a supported batch system (Condor, PBS, LSF, or SGE) must be installed on the CE host machine, or accessible to it. I installed Condor using the RPM package, as the pacman install failed. The external Condor needs csh, Java and Ant installed. Install csh using 'yum install csh'. CentOS does not provide Sun's JDK, so we need to install it from the Sun website. Refer to the 'Java - JDK install' and 'Apache ant install' sections on the CentosConfig page. A copy of the Condor RPM is available in '/groups/lab'. Copy it to your local machine and install Condor:
    scp pavgi@meter:/groups/lab/condor-7.2.4/condor-7.2.4-linux-x86-rhel5-1.i386.rpm /var/tmp/ 
    rpm -i /var/tmp/condor-7.2.4-linux-x86-rhel5-1.i386.rpm 
    
  • Set environment variables
    export CONDOR_LOCATION=/opt/condor-7.2.4
    source $CONDOR_LOCATION/condor.sh
    export VDTSETUP_CONDOR_LOCATION=$CONDOR_LOCATION 
    export VDTSETUP_CONDOR_CONFIG=$CONDOR_CONFIG 
    export VDTSETUP_NO_CONDOR_CRON=y 
    

Pacman Installation

OSG/VDT components are installed using pacman. Download and install pacman using the following commands. Sourcing setup.sh adds the pacman binaries directory to the $PATH variable.

cd /var/tmp
wget http://physics.bu.edu/pacman/sample_cache/tarballs/pacman-3.28.tar.gz
tar --no-same-owner -C /opt/ -xzvf pacman-3.28.tar.gz
cd /opt
ln -s pacman-3.28 pacman
cd pacman
source setup.sh

Compute Element Installation

For this test installation the firewall was not configured to allow connections on port 8443. Disable the firewall to accept connections:

service iptables stop
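
As an alternative to stopping iptables entirely, the following added example (not part of the original notes) admits only new TCP connections to port 8443 and leaves the rest of the ruleset in place. The function names and the optional source-network argument are hypothetical; it assumes the stock CentOS 5 iptables service and root privileges.

```shell
# Added example, not from the original page. Port 8443 is the one named
# above; function names and the source-network argument are hypothetical.

# ce_rule_args PORT [SOURCE]: print the rule arguments, in the style of the
# stock CentOS 5 ruleset, after validating both values.
ce_rule_args() {
    cr_port=$1 cr_src=${2:-}
    case $cr_port in
        ''|*[!0-9]*) echo "invalid port: $cr_port" >&2; return 1 ;;
    esac
    if [ "$cr_port" -lt 1 ] || [ "$cr_port" -gt 65535 ]; then
        echo "invalid port: $cr_port" >&2; return 1
    fi
    case $cr_src in
        *[!0-9./]*) echo "invalid source: $cr_src" >&2; return 1 ;;
    esac
    cr_args="-m state --state NEW -m tcp -p tcp --dport $cr_port"
    if [ -n "$cr_src" ]; then cr_args="$cr_args -s $cr_src"; fi
    echo "$cr_args -j ACCEPT"
}

# open_ce_port PORT [SOURCE]: insert the rule at the top of INPUT unless the
# port is already accepted there, then persist it across service restarts.
open_ce_port() {
    oc_args=$(ce_rule_args "$@") || return 1
    if iptables -L INPUT -n | grep -Eq "^ACCEPT +tcp .*dpt:$1( |\$)"; then
        return 0
    fi
    # $oc_args is split on purpose: every token in it was validated above.
    iptables -I INPUT 1 $oc_args && service iptables save
}

# Usage (as root):  open_ce_port 8443
```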

Now we need to create a CE installation directory and start the installation using pacman.

mkdir -p /usr/local/osg/ce
export VDT_LOCATION=/usr/local/osg/ce
cd $VDT_LOCATION
pacman -get  http://software.grid.iu.edu/osg-1.2:ce

Now we will source the CE setup file, which defines and updates the appropriate environment variables:

source setup.sh

Install job manager interface Globus-Condor

We need to install an extra package to interface with our existing job manager (Condor) installation.

pacman -get http://software.grid.iu.edu/osg-1.2:Globus-Condor-Setup  

Get CA distribution package

We need to get the CA distribution package of the CA that will issue our certificates. We will use the SimpleCA installed on the VOMS machine as our CA. Ideally the CA should be on a separate machine, but this is fine for our test environment. The following commands copy the SimpleCA distribution package to the compute element and configure it for requesting new certs.

scp voms1:/root/.globus/simpleCA/globus_simple_ca_442e8efa_setup-0.19.tar.gz /var/tmp/ 
gpt-build /var/tmp/globus_simple_ca_442e8efa_setup-0.19.tar.gz
gpt-postinstall
/usr/local/osg/ce/globus/setup/globus_simple_ca_442e8efa_setup/setup-gsi

Install host cert

  • Request host certificate
    grid-cert-request -host `hostname`
    
  • Transfer the certificate request to the CA for signing. I create a directory named after the host on the CA to store all certificate requests. This is optional and not part of the CE or SimpleCA setup. The following commands copy the certificate request from ce3 to the SimpleCA host (in this case co-located with voms1), sign the certificate request, and transfer the signed certificate back to the compute element.
    mkdir -p /var/tmp/ce3-cert-reqs
    scp ce3:/etc/grid-security/hostcert_request.pem /var/tmp/ce3-cert-reqs/
    
    grid-ca-sign -in /var/tmp/ce3-cert-reqs/hostcert_request.pem -out /var/tmp/ce3-cert-reqs/hostcert.pem
    scp /var/tmp/ce3-cert-reqs/hostcert.pem ce3:/etc/grid-security/
    

Install Globus-WS container cert

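Clone the container cert/key from the host cert/key and set ownership for the globus user:

cp /etc/grid-security/hostcert.pem /etc/grid-security/containercert.pem
cp /etc/grid-security/hostkey.pem /etc/grid-security/containerkey.pem
chown globus: /etc/grid-security/containercert.pem
chown globus: /etc/grid-security/containerkey.pem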

Install HTTP service cert

  • Request host certificate for the HTTP service
    grid-cert-request -host `hostname` -service http
    
  • This step is similar to the previous host certificate signing step. The following commands copy the certificate request from ce3 to the SimpleCA host (in this case co-located with voms1), sign the certificate request, and transfer the signed certificate back to the compute element.
    scp ce3:/etc/grid-security/http/httpcert_request.pem /var/tmp/ce3-cert-reqs/
    
    grid-ca-sign -in /var/tmp/ce3-cert-reqs/httpcert_request.pem -out /var/tmp/ce3-cert-reqs/httpcert.pem
    scp /var/tmp/ce3-cert-reqs/httpcert.pem ce3:/etc/grid-security/http/httpcert.pem 
    
  • Change ownership of the certificate/key pair so that the HTTP service can use it
    chown daemon:daemon /etc/grid-security/http/httpcert.pem
    chown daemon:daemon /etc/grid-security/http/httpkey.pem
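
A check to run once the host, container and HTTP certificates are in place, given as an added example that is not part of the original notes: it verifies the owner and mode of each file and that each signed certificate matches the private key generated on this host. Function names are hypothetical; root ownership of the host pair, the 644/600 mode ceilings and GNU stat are assumptions.

```shell
# Added example, not from the original page. Paths and the globus/daemon
# owners follow this page; function names and mode ceilings are assumptions.

# check_cred FILE OWNER MAXMODE: pass only if FILE is a regular file (not a
# symlink) owned by OWNER with no permission bit outside MAXMODE (octal).
check_cred() {
    cc_file=$1 cc_owner=$2 cc_max=$3
    if [ ! -f "$cc_file" ] || [ -L "$cc_file" ]; then
        echo "MISSING $cc_file"; return 1
    fi
    cc_user=$(stat -c %U "$cc_file")
    cc_mode=$(stat -c %a "$cc_file")
    if [ "$cc_user" != "$cc_owner" ]; then
        echo "OWNER   $cc_file: $cc_user, expected $cc_owner"; return 1
    fi
    if [ $(( 0$cc_mode & ~0$cc_max & 07777 )) -ne 0 ]; then
        echo "MODE    $cc_file: $cc_mode, allowed at most $cc_max"; return 1
    fi
    echo "OK      $cc_file ($cc_user, $cc_mode)"
}

# cert_matches_key CERT KEY: pass if the certificate returned by the CA
# carries the same RSA modulus as the private key on this host.
cert_matches_key() {
    cm_cert=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    cm_key=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cm_cert" ] && [ "$cm_cert" = "$cm_key" ]
}

# audit_grid_security [DIR]: check all six files; non-zero on any finding.
audit_grid_security() {
    ag_dir=${1:-/etc/grid-security} ag_rc=0
    for ag_spec in hostcert.pem:root:644 hostkey.pem:root:600 \
                   containercert.pem:globus:644 containerkey.pem:globus:600 \
                   http/httpcert.pem:daemon:644 http/httpkey.pem:daemon:600; do
        ag_name=${ag_spec%%:*}; ag_rest=${ag_spec#*:}
        check_cred "$ag_dir/$ag_name" "${ag_rest%%:*}" "${ag_rest#*:}" || ag_rc=1
    done
    cert_matches_key "$ag_dir/hostcert.pem" "$ag_dir/hostkey.pem" ||
        { echo "MISMATCH hostcert.pem / hostkey.pem"; ag_rc=1; }
    cert_matches_key "$ag_dir/http/httpcert.pem" "$ag_dir/http/httpkey.pem" ||
        { echo "MISMATCH httpcert.pem / httpkey.pem"; ag_rc=1; }
    return $ag_rc
}
```

Run audit_grid_security as root on the compute element; any line other than OK means the corresponding service may refuse the credential or the key is exposed to other local users.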
    

CA set up

Set up CA for the VDT install

vdt-ca-manage setupca --location local --url http://<host.ip.addr.or.hostname>/software/certificates/ca-certs-version

VDT post install script

Run vdt-post-install script

vdt-post-install --verbose

The vdt-post-install script runs the PRIMA and edg-gridmap configure scripts. The edg-mkgridmap utility is already installed, but running vdt-post-install adds it to the cron job list. It places gsi-authz.conf and prima.conf in the post-install directory. These files may need to be copied into /etc/grid-security to set the authorization mode. The following is the output of vdt-post-install:

Starting...
Configuring PRIMA (configure_prima)... Done.
Configuring EDG-Make-Gridmap (configure_edg_make_gridmap)... Done.
Configuring PRIMA-GT4 (configure_prima_gt4)... Done.
Completed all configuration.

Install managed fork

Install managed fork and configure the Globus gatekeeper to use it:

pacman -get  http://software.grid.iu.edu/osg-1.2:ManagedFork
source setup.sh                                             
/usr/local/osg/ce/vdt/setup/configure_globus_gatekeeper --managed-fork y --server y

edg-mkgridmap Configuration

Edit the $VDT_LOCATION/edg/etc/edg-mkgridmap.conf file to add the following entries:

#### GROUP: group URI [lcluser]
#
#-------------------
# USER-VO-MAP animals animals -- 1 -- Shantanu Pavgi (root@voms1.lab.ac.uab.edu)     
group vomss://voms1.lab.ac.uab.edu:8443/voms/pacific ssp
group vomss://voms1.lab.ac.uab.edu:8443/voms/coffee ssp

edg-mkgridmap should run successfully if the appropriate ACLs are set on the VOMS server.

edg-mkgridmap
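
After edg-mkgridmap has run, the generated map file can be checked so that every certificate DN maps only to the local account configured above. This is an added example, not part of the original notes; the function name is hypothetical and the map file location /etc/grid-security/grid-mapfile is an assumption.

```shell
# Added example, not from the original page. The function name and the
# grid-mapfile path are assumptions; "ssp" is the local account used above.

# check_gridmap FILE ACCOUNT...: fail if any entry is malformed, maps a DN
# to an account outside the allow-list, or if no DN is mapped at all.
check_gridmap() {
    cg_file=$1; shift
    awk -v allowed="$*" '
        BEGIN { bad = 0; mapped = 0
                n = split(allowed, a, " ")
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            # An entry is a double-quoted certificate DN, then the account.
            if (!match($0, /^[ \t]*"\/[^"]+"[ \t]+/)) {
                print "MALFORMED  line " NR ": " $0; bad = 1; next
            }
            acct = substr($0, RLENGTH + 1); sub(/[ \t]+$/, "", acct)
            if (acct in ok) mapped++
            else { print "UNEXPECTED line " NR ": maps to \"" acct "\""; bad = 1 }
        }
        END { if (!mapped) { print "EMPTY      no DN is mapped"; bad = 1 }
              exit bad }
    ' "$cg_file"
}

# Usage:  check_gridmap /etc/grid-security/grid-mapfile ssp
```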