[Go to Home]

DAS2-UvA Grid
The DAS-2 Grid
Logbook (part 1)
Logbook (part 2)
Install overview
UvA DAS-2 usage


Installing Globus and EDG services on DAS2 (fs2)

Follow this series of steps to install core Globus and EDG services on a DAS2 frontend (file server).
  1. Get all relevant RPMS from the repository. A snapshot of the full WP6 RPM repository (which is maintained on marianne.in2p3.fr) can be found in this directory and from the release-bundle overview. The directory contains all RPMS that were installed on fs2.das2.nikhef.nl to get the Grid software running. All files are collapsed into one directory.
  2. The RPMs in the repository are grouped into five sets:
    EDG certification authorities
    Perl5 modules needed to run the EDG utilities
    EDG WP6 utilities to generate grid-mapfiles and CRL updates
    Globus 2.0 EDG-beta-21
    EDG Globus configuration tools and globus.conf
    These rpmlists can also be found in the repository directory.
  3. Install the RPM sets in the following order:
    If you are installing these on a "plain" RedHat 7.2 system, you will also need the "old" ncurses rpm (ncurses4-5.0-5.i386.rpm).
  4. If you want to build Globus-based applications on this system using the makefile generator provided by GPT, also install the GPT rpm (i386 and source).
  5. Create a directory /etc/grid-security if is does not already exist.
    cd /etc
    mkdir grid-security
    chown root:root grid-security
    mkdir grid-security/certificates
    chown root:root grid-security/certificates
  6. Create the compatibility signing-policy file for Globus 1.1.3. This has to be done every time a CA policy changes or a new CA RPM is added:
    cd /etc/grid-security/certificates
    cat *signing_policy > ca-signing-policy.conf
  7. Generate a directory for leased accounts. This directory as to be global within the administrative domain in which the leased accounts are used. If you have multiple front-end nodes, you must export this directory using NFS:
    mkdir /etc/grid-security/gridmapdir
    chown root:root /etc/grid-security/gridmapdir
    and generate empty files named after all your leased accounts. E.g. if you would have accounts "test001", "test002",...,"test020", you should do:
    cd /etc/grid-security/gridmapdir
    touch test001
    touch test002
    touch test020
    or something a bit more clever (make a script).
  8. Configure your mkgridmap utility. The configuration file is at /opt/edg/etc/mkgridmap.conf. Please modify the example provided for your own administrative domain. To test it, add the relevant PERL modules to your path and run mkgridmap:
    export PERL5LIB=/usr/lib/perl5/site_perl/5.005/i386-linux:\
    If you are happy with this service, add the PERL environment to /etc/rc.d/init.d/edg-gridmapfile-upgraded.
  9. If you have "local" users to add to your grid-mapfile, do su in mkgridmap.conf using the gmf_local directive. Also configure any VO groups that you want to give access to your resources. If you use the AUTO login-name generation, names will the concatanation of all initials in the user's certificate subject, followed by the complete surname. So, "David Groep" will be local user "dgroep". This behaviour can be modified in the "subject2user" script.
  10. Add the perl line also to the top in /etc/rc.d/init.d/edg-crl-upgraded. This script will periodically retrieve the latest CRLs from the CA repositories.
  11. Make sure your system clock is synchronized with the rest of the world, preferably using (x)ntpd. Pick a local, reliable time server and run:
    ntpdate -u timehost.mydomain
    cat /etc/sysconfig/clock
    hwclock --systohc [--utc]
  12. Acquire a host certificate for your gatekeeper and GridFTP service. The subject name (DN) should be something like O=dutchgrid, O=hosts, OU=nikhef.nl, CN=fs2.das2.nikhef.nl. Go to the DutchGrid CA site at http://certificate.nikhef.nl/userhelp.html and request a "host" certificate appropriate for your domain. Please follow the instructions there about requesting a cert, mailing the request and submitting to authorization of your request. The private key you generate must be kep secure, so immediately set the umask to 400 and ownership to root if it is not like that already.
    After authentication, you will receive a signed host certificate. You put both key (mode 400) and host cert (mode 444) in the directory /opt/globus/etc/, named "hostkey.pem" and "hostcert.pem". Then, make symlinks from the /etc/grid-security directory:
    cd /etc/grid-security
    ln -s /opt/globus/etc/hostcert.pem
    ln -s /opt/globus/etc/hostkey.pem
  13. Configure your Globus install using /etc/globus.conf. The template for this file is already on your system and can be found at /opt/globus/share/doc/globus.conf.template. The main entries required for a full globus service (gatekeeper, GridFTP, MDS/GIS) are in in this example. Modify at least the following variables to reflext your local situation:
    GLOBUS_HOST_DN="hn=fs2.das2.nikhef.nl, dc=das2, dc=nikhef, dc=nl, o=Grid"
    GLOBUS_ORG_DN="dc=das2, dc=nikhef, dc=nl, o=Grid"
    Remember that a local user called "globus" must exist; the MDS services will be run by this user.
    You will be configuring a "fork" and "pbs" job manager, a gsi-wuftpd GridFTP service and a GRIS service registering (anonymously) to the central GIIS at fs2.das2.nikhef.nl.
  14. Add the Globus and EDG services to the system startup sequence:
    chkconfig globus-mds on
    chkconfig globus-gatekeeper on
    chkconfig globus-gsi_wuftpd on
    chkconfig edg-gridmapfile-upgraded on
    chkconfig edg-crl-upgraded on
    and start all these services from /etc/rc.d/init.d/....
  15. Test the setup from a remote system using your own grid credentials. Add your subjectname to the grid-mapfile if necessary for testing.
If you have problems when installing globus or have comments/suggestions regarding this quick-guide, please contact David Groep <gridadm@nikhef.nl>.
Comments to David Groep