DAS2-UvA Grid
Installing Globus and EDG services on DAS2 (fs2)
Follow this series of steps to install core Globus and EDG services
on a DAS2 frontend (file server).
-
Get all relevant RPMS from the repository. A snapshot of the full WP6 RPM
repository (which is maintained on marianne.in2p3.fr) can be
found in this directory
and from the release-bundle overview.
The directory contains all RPMS that were installed on fs2.das2.nikhef.nl to
get the Grid software running. All files are collapsed into one directory.
-
The RPMs in the repository are grouped into five sets:
- rpmlist-edg-security: EDG certification authorities
- rpmlist-external-core-perl: Perl5 modules needed to run the EDG utilities
- rpmlist-edg-wp6-utils: EDG WP6 utilities to generate grid-mapfiles and CRL updates
- rpmlist-globus2-beta21: Globus 2.0 EDG-beta-21
- rpmlist-globus2-beta21-edgconfig: EDG Globus configuration tools and globus.conf
These rpmlists can also be found in the repository directory.
-
Install the RPM sets in the following order:
rpmlist-external-perl-core
rpmlist-globus2-beta21
rpmlist-globus2-beta21-edgconfig
rpmlist-edg-security
rpmlist-edg-wp6-utils
If you are installing these on a "plain" RedHat 7.2 system, you will
also need the "old" ncurses rpm
(ncurses4-5.0-5.i386.rpm).
-
If you want to build Globus-based applications on this system
using the makefile generator provided by GPT, also install
the GPT rpm (i386 and
source).
-
Create a directory /etc/grid-security if it does not already exist.
cd /etc
mkdir grid-security
chown root:root grid-security
mkdir grid-security/certificates
chown root:root grid-security/certificates
-
Create the compatibility signing-policy file for Globus 1.1.3. This
has to be done every time a CA policy changes or a new CA RPM
is added:
cd /etc/grid-security/certificates
cat *signing_policy > ca-signing-policy.conf
-
Generate a directory for leased accounts. This directory has to be
global within the administrative domain in which the leased accounts
are used. If you have multiple front-end nodes, you must export
this directory using NFS:
mkdir /etc/grid-security/gridmapdir
chown root:root /etc/grid-security/gridmapdir
and generate empty files named after all your leased accounts. E.g.
if you would have accounts "test001", "test002",...,"test020", you
should do:
cd /etc/grid-security/gridmapdir
touch test001
touch test002
...
touch test020
or something a bit more clever (make a script).
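One way to script this step, as an added example that is not part of the original guide: the function name make_leases and its arguments are hypothetical, and it assumes three-digit, zero-padded account numbers as in "test001". It only creates a lease file when the matching local account exists and never touches files that are already present.

```shell
# Added example (not from the original guide): create the empty lease
# files for a numbered range of leased accounts.
#
# make_leases DIR PREFIX FIRST LAST [CHECK]
#   DIR     the gridmapdir, e.g. /etc/grid-security/gridmapdir
#   PREFIX  account name prefix, e.g. test
#   FIRST   first account number (plain integer, no leading zeros)
#   LAST    last account number
#   CHECK   "yes" (default) looks each account up with id(1) and skips
#           names that do not exist; "no" is for a dry run in a scratch dir
# Prints the number of files newly created.
make_leases() {
    dir=$1; prefix=$2; i=$3; last=$4; check=${5:-yes}; created=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    while [ "$i" -le "$last" ]; do
        name=$(printf '%s%03d' "$prefix" "$i")
        if [ "$check" = yes ] && ! id "$name" >/dev/null 2>&1; then
            # A lease file without a real account would map a grid user
            # to a login that cannot run jobs.
            echo "skipping $name: no such local account" >&2
        elif [ ! -e "$dir/$name" ]; then
            : > "$dir/$name"      # same result as "touch" for a new file
            created=$((created + 1))
        fi
        i=$((i + 1))
    done
    echo "$created"
}
```

For the accounts named above, run it as root with: make_leases /etc/grid-security/gridmapdir test 1 20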
-
Configure your mkgridmap utility. The configuration file is
at /opt/edg/etc/mkgridmap.conf.
Please modify the example provided for your own administrative domain.
To test it, add the relevant PERL modules to your path and run
mkgridmap:
export PERL5LIB=/usr/lib/perl5/site_perl/5.005/i386-linux:\
/usr/lib/perl5/site_perl/5.005
/opt/edg/sbin/mkgridmap
If you are happy with this service, add the PERL environment to
/etc/rc.d/init.d/edg-gridmapfile-upgraded.
-
If you have "local" users to add to your grid-mapfile, do so
in mkgridmap.conf using the gmf_local directive.
Also configure any VO groups that you want to give access to your
resources. If you use the AUTO login-name generation,
names will be the concatenation of all initials in the user's
certificate subject, followed by the complete surname. So,
"David Groep" will be local user "dgroep". This behaviour can
be modified in the "subject2user" script.
-
Also add the Perl environment line to the top of
/etc/rc.d/init.d/edg-crl-upgraded. This script will
periodically retrieve the latest CRLs from the CA repositories.
-
Make sure your system clock is synchronized with the rest of the world,
preferably using (x)ntpd. Pick a local, reliable time server and
run:
ntpdate -u timehost.mydomain
date
cat /etc/sysconfig/clock
hwclock --systohc [--utc]
-
Acquire a host certificate for your gatekeeper and GridFTP service.
The subject name (DN) should be something like
O=dutchgrid, O=hosts, OU=nikhef.nl, CN=fs2.das2.nikhef.nl.
Go to the DutchGrid CA site at
http://certificate.nikhef.nl/userhelp.html
and request a "host" certificate appropriate for your domain.
Please follow the instructions there about requesting a cert, mailing the
request and getting your request authorized. The
private key you generate must be kept secure, so immediately
set its mode to 400 and its ownership to root if it is not like that
already.
After authentication, you will receive a signed host certificate.
You put both key (mode 400) and host cert (mode 444) in
the directory /opt/globus/etc/, named "hostkey.pem" and
"hostcert.pem".
Then, make symlinks from the /etc/grid-security directory:
cd /etc/grid-security
ln -s /opt/globus/etc/hostcert.pem
ln -s /opt/globus/etc/hostkey.pem
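A check for the permissions described in this step, as an added example that is not part of the original guide: the function name audit_hostcred is hypothetical, and it assumes GNU stat (as shipped with Linux coreutils). It reports a key or certificate that is missing, is a symlink rather than a real file, has the wrong mode, or is not owned by root (uid 0).

```shell
# Added example (not from the original guide): audit the host key and
# certificate in the directory that holds the real files.
#
# audit_hostcred DIR [UID]
#   DIR  directory with hostkey.pem and hostcert.pem (/opt/globus/etc here)
#   UID  expected numeric owner, default 0 (root)
# Prints one line per finding; the return status is the number of
# findings, so 0 means the files match the guide.
audit_hostcred() {
    dir=$1; owner=${2:-0}; bad=0
    for spec in hostkey.pem:400 hostcert.pem:444; do
        f=$dir/${spec%%:*}; want=${spec##*:}
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "$f: missing or not a regular file"
            bad=$((bad + 1)); continue
        fi
        # GNU stat: %a = octal mode, %u = numeric owner id
        set -- $(stat -c '%a %u' "$f")
        [ "$1" = "$want" ] || {
            echo "$f: mode $1, expected $want"; bad=$((bad + 1)); }
        [ "$2" = "$owner" ] || {
            echo "$f: owner uid $2, expected $owner"; bad=$((bad + 1)); }
    done
    return "$bad"
}
```

Run it as: audit_hostcred /opt/globus/etc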
-
Configure your Globus install using /etc/globus.conf. The template
for this file is already on your system and can be found at
/opt/globus/share/doc/globus.conf.template.
The main entries required for a full
globus service (gatekeeper, GridFTP, MDS/GIS) are
in this example.
Modify at least the following variables to reflect your local situation:
GLOBUS_HOST_DN="hn=fs2.das2.nikhef.nl, dc=das2, dc=nikhef, dc=nl, o=Grid"
GLOBUS_ORG_DN="dc=das2, dc=nikhef, dc=nl, o=Grid"
Remember that a local user called "globus" must exist; the MDS
services will be run by this user.
You will be configuring a "fork" and "pbs" job manager, a gsi-wuftpd
GridFTP service and a GRIS service registering (anonymously) to the central
GIIS at fs2.das2.nikhef.nl.
-
Add the Globus and EDG services to the system startup sequence:
chkconfig globus-mds on
chkconfig globus-gatekeeper on
chkconfig globus-gsi_wuftpd on
chkconfig edg-gridmapfile-upgraded on
chkconfig edg-crl-upgraded on
and start all these services from /etc/rc.d/init.d/....
- Test the setup from a remote system using your own grid credentials.
Add your subjectname to the grid-mapfile if necessary for testing.
If you have problems when installing globus or have comments/suggestions
regarding this quick-guide, please contact
David Groep <gridadm@nikhef.nl>.