
Creating an IFGridftpServerBase Image

The OpenNebula specification file used for base image creation is as follows:

NAME   = IFGridftpServerBase
CPU    = 1
VCPU   = 2
MEMORY = 4096

DISK   = [
           source   = /cloud/images/OpenNebula/images/current-image.img,
           save     = yes,
           target   = vda,
           bus = virtio,
           persistent = yes,
           readonly = no
         ]

DISK   = [
  type     = swap,
  size     = 4096,
  target   = vdb ]

NIC    = [ NETWORK = "FermiCloud" ]

FEATURES=[ acpi="no" ]

GRAPHICS = [
  type    = "vnc",
  listen  = "127.0.0.1",
  port    = "-1",
  autoport = "yes",
  keymap = "en-us"]

CONTEXT = [
    ip_public   = "$NIC[IP, NETWORK=\"FermiCloud\"]",
    hostname    = "if-gridftp-base.fnal.gov",
    netmask     = "255.255.254.0",
    gateway     = "131.225.154.1",
    ns          = "131.225.8.120",
    files       = "/cloud/images/OpenNebula/templates/init.sh /home/parag/OpenNebula/cedps/k5login",
    target      = "hdc",
    root_pubkey = "id_dsa.pub",
    username    = "opennebula",
    user_pubkey = "id_dsa.pub" 
]

REQUIREMENTS = "HYPERVISOR=\"kvm\"" 

Launch a new VM with a dynamic IP address:

[parag@fcl002 cedps]$ onevm create IFGridftpServerBase.one

Once the VM is running, log in to the VM and configure it:

[parag@cd-109337 ~]$ ssh root@131.225.154.59

# Stop and Disable ypbind
[root@fermicloud002 ~]# service ypbind stop
Shutting down NIS services:                                [  OK  ]
[root@fermicloud002 ~]# chkconfig --list| grep ypbind
ypbind          0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@fermicloud002 ~]# chkconfig ypbind off
[root@fermicloud002 ~]# chkconfig --list| grep ypbind
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off

# Make the experiment disks available without ypbind
[root@fermicloud002 etc]# scp root@fcl002:/etc/auto.* /etc/
[root@fermicloud002 etc]# service autofs stop
Stopping automount:                                        [  OK  ]
[root@fermicloud002 etc]# service autofs start
Starting automount:                                        [  OK  ]

# Check that experiment areas are available without ypbind
[root@fermicloud002 etc]# ls -la /minos/app

# Install pacman & VDT
[root@fermicloud002 etc]# cd /usr/local/
[root@fermicloud002 pacman-3.29]# tar xzf /tmp/pacman-latest.tar.gz
[root@fermicloud002 local]# cd pacman-3.29/
[root@fermicloud002 pacman-3.29]# source ./setup.sh 
[root@fermicloud002 etc]# cd /usr/local/
[root@fermicloud002 local]# mkdir /usr/local/vdt-2.0.99
[root@fermicloud002 local]# ln -s /usr/local/vdt-2.0.99 /usr/local/vdt
[root@fermicloud002 local]# cd /usr/local/vdt-2.0.99/
[root@fermicloud002 vdt-2.0.99]# pacman -get http://vdt.cs.wisc.edu/vdt_200_cache:EDG-Make-Gridmap \
http://vdt.cs.wisc.edu/vdt_200_cache:CA-Certificates-Updater \
http://vdt.cs.wisc.edu/vdt_200_cache:CA-Certificates \
http://vdt.cs.wisc.edu/vdt_200_cache:Fetch-CRL \
http://vdt.cs.wisc.edu/vdt_200_cache:Configure-Fetch-CRL \
http://vdt.cs.wisc.edu/vdt_200_cache:VOMS-Client \
http://vdt.cs.wisc.edu/vdt_200_cache:Globus-Base-Data-Server \
http://vdt.cs.wisc.edu/vdt_200_cache:EDG-Make-Gridmap
Do you want to add [http://vdt.cs.wisc.edu/vdt_200_cache] to [trusted.caches]? (y/n/yall): yall

# Setup CA Certificates and other required VDT services
[root@fermicloud002 vdt-2.0.99]# source /usr/local/vdt/setup.sh 

# Change $VDT_LOCATION/vdt-app-data/vdt-update-certs/vdt-update-certs.conf to enable OSG CA Certs
[root@fermicloud002 vdt-2.0.99]# vi $VDT_LOCATION/vdt-app-data/vdt-update-certs/vdt-update-certs.conf
[root@fermicloud002 vdt-2.0.99]# vdt-setup-ca-certificates --certs-dir /usr/local/vdt-2.0.99/

# Make sure Host certs and keys are in place
[root@fermicloud002 vdt-2.0.99]# ls -la /etc/grid-security/

# First make sure that /etc/services does not contain a gsiftp service entry. If it does, remove it
[root@fermicloud002 vdt-2.0.99]# vi /etc/services

# Enable VDT Services but do not start them
[root@fermicloud002 vdt-2.0.99]# vdt-control --list
Service                 | Type   | Desired State
------------------------+--------+--------------
fetch-crl              | cron    | do not enable 
vdt-rotate-logs        | cron    | do not enable 
vdt-update-certs       | cron    | do not enable 
gsiftp                 | inetd   | do not enable 

[root@fermicloud002 vdt-2.0.99]# vdt-control --enable fetch-crl vdt-rotate-logs vdt-update-certs gsiftp
running 'vdt-register-service --name fetch-crl --enable'... ok
running 'vdt-register-service --name vdt-rotate-logs --enable'... ok
running 'vdt-register-service --name vdt-update-certs --enable'... ok
running 'vdt-register-service --name gsiftp --enable'... ok

# Download & Install the if-gridftp-authz-tools available from the Files section of the twiki
[root@fermicloud002 log]# cd /opt/
[root@fermicloud002 opt]# wget https://cdcvs.fnal.gov/redmine/attachments/download/5156/if-gridftp-authz-tools-v0.1.tgz
[root@fermicloud002 opt]# tar xzf if-gridftp-authz-tools-v0.1.tgz 
[root@fermicloud002 opt]# mkdir if-gridftp-authz-tools/log

# Set up the default crontabs but keep them disabled (commented out)
###### Customize the crontab entries below before enabling them ######

###### Change the nis-hostname and the nis-domain based on the experiment
### 57 */2 * * * source /root/.bash_profile; /opt/if-gridftp-authz-tools/bin/create_password_file.py --nis-domain=XXXXXXXXX --nis-hostname=gpwn001.fnal.gov >>/opt/if-gridftp-authz-tools/log/gridmap_with_usernames.log 2>&1;

##### Change the group names based on voms groups for the experiment
##### Supports more than one group
### 57 */2 * * * source /root/.bash_profile; source /usr/local/vdt/setup.sh; /opt/if-gridftp-authz-tools/bin/gridmap_with_usernames.py --group-uri-base 'vomss://voms.fnal.gov:8443/voms/fermilab?/fermilab' --group XXXXXXXX --mappings-from-file /opt/if-gridftp-authz-tools/etc/testusers --output /etc/grid-security/grid-mapfile >> /opt/if-gridftp-authz-tools/log/gridmap_with_usernames.log 2>&1

Log out of the VM, and save the VM image for reuse.

Creating and customizing an image from the IFGridftpServerBase image

Steps involved:

  1. Make sure the base image is not running
  2. Save the base image as an experiment-specific image
  3. In the experiment-specific image spec file, set the hostname and the static IP address
  4. Launch the new VM
  5. Make sure the certificates specific to the new VM are in place and referenced from /etc/grid-security
  6. Source the VDT setup script and run `vdt-control --on`
  7. Enable the crontab entries after customizing them
  8. Run the cron scripts (which create the gridmap and local users) manually once to test them