Installing GlideinWMS 1 6 2 on SL4 Machine

Preparation to be done by FEF

  • create user condor uid=4716
  • install condor 7.2.3 rpm (should be owned by condor)
  • install VDT 2.0.0
  • install user gfactory uid=43680 and gfrontend uid=43598
  • install rrdtool, python-rrdtool rpms
  • permissions: installer/operator needs:
    • to be in condor group
    • to have sudo on all the /opt/condor/bin and /opt/condor/sbin commands
    • to be in gfactory .k5login
    • to be in gfrontend .k5login

Preparation to be done by installer/operator

  • ssh to gfactory@install_machine
  • install apache
    • mkdir httpd; cd httpd; get httpd.(latest_stable).tar.gz from http://httpd.apache.org/download.cgi
    • make apache server according to instructions. I set up mine like so:
    • port 8080 with document root at ~gfactory/httpd/build/htdocs
    • configuration files at ~gfactory/httpd/build/conf
  • install M2Crypto
  • install condor tarball for glideins
    • the glideins ship over a condor startd and startd daemons to the worker node that start up and then 'phone home'
    • download condor tarball condor-7.2.4-linux-x86_64-rhel3.tar.gz from http://www.cs.wisc.edu/
    • make ~gfrontend/gfactory_condor directory and untar condor there
    • you will be asked for this directory later by gfactory install program
  • get certs for gfactory and gfrontend
  • as user gfactory:
    • . /usr/local/vdt/setup.sh
    • %cert-request --ou s --name "Dennis Box" --host if01.fnal.gov --email --vo fermilab --affiliation fnal --reason "cert for glideinWMS gfactory" --phone 630-840-3145 --agree --service "gfactory"
    • a few hours later you will get email on how to retrieve your cert using the cert-retrieve command.
    • cert-retrieve -serialnum (# from email instructions) will create .globus/hostcert.pem and .globus/hostkey.pem.
    • Rename these two files to usercert.pem and userkey.pem, otherwise voms-proxy-init gets confused (advice from Steve Timm)
  • test that the cert is usable and belongs to who you think it should:
[gfactory@if05 M2Crypto-0.19.1]$ openssl x509 -text -in /home/gfactory/.globus/usercert.pem | head -15
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 40282 (0x9d5a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=org, DC=DOEGrids, OU=Certificate Authorities, CN=DOEGrids CA 1
        Validity
            Not Before: Dec 14 01:51:11 2009 GMT
            Not After : Dec 14 01:51:11 2010 GMT
        Subject: DC=org, DC=doegrids, OU=Services, CN=gfactory/if05.fnal.gov
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ac:63:e2:61:b3:bb:ae:07:35:9f:a5:90:72:c9:
  • add the cert as an auxiliary to your fermilab cert in vomrs.
    • use get-cert.sh to load your kca cert in your browser
    • go to https://vomrs.fnal.gov:8443/vomrs/vo-fermilab/vomrs
    • click on the [+]Members menu item in the left column
    • then click on the [+]Certificates menu item
    • then click on the 'Add Certificate' menu item
    • fill in the web form to add the certificate you requested earlier.
The DN is derivable from the Subject: line in the output of the openssl command you executed above:

DN: /DC=org/DC=doegrids/OU=Services/CN=gfactory/if05.fnal.gov
Select the CA from the pull-down list. It is:
/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
  • finish filling out the form and submit. Someone from fermigrid has to manually approve your request.
  • When this is done correctly gfactory can voms-proxy-init:
[gfactory@if05 ~]$ voms-proxy-init  -voms fermilab:/fermilab/nova/Role=pilot  --debug -valid 268:00
Detected Globus version: 22
Unspecified proxy version, settling on Globus version: 2
Number of bits in key :1024
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Files being used:
 CA certificate file: none
 Trusted certificates directory : /usr/local/vdt-2.0.0/globus/TRUSTED_CA
 Proxy certificate file : /home/gfactory/.grid/pilot.dbox.proxy
 User certificate file: /home/gfactory/.globus/usercert.pem
 User key file: /home/gfactory/.globus/userkey.pem
Output to /home/gfactory/.grid/pilot.dbox.proxy
Your identity: /DC=org/DC=doegrids/OU=Services/CN=gfactory/if05.fnal.gov
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Creating temporary proxy to /tmp/tmp_x509up_u43680_5223 ...........++++++
...++++++
 Done
Contacting  voms.fnal.gov:15001 [/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov] "fermilab" Done

Warning: voms.fnal.gov:15001: The validity of this VOMS AC in your proxy is shortened to 86400 seconds!

Creating proxy to /home/gfactory/.grid/pilot.dbox.proxy .............................++++++
.....................................++++++
 Done
Your proxy is valid until Sat Jun  5 20:52:14 2010
[gfactory@if05 ~]$ 
  • as user gfrontend:
    • . /usr/local/vdt/setup.sh
    • %cert-request --ou s --name "Dennis Box" --host if01.fnal.gov --email --vo fermilab --affiliation fnal --reason "cert for glideinWMS vo frontend" --phone 630-840-3145 --agree --service "gfrontend"
    • follow the same instructions as with gfactory cert creation
    • test the cert using openssl
    • you do not need to add this cert to vomrs
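
The openssl check and the DN derivation for VOMRS described above can be scripted. This is an added example, not part of the original instructions; the function names are hypothetical and it assumes the comma-separated "KEY=value, KEY=value" subject layout that openssl prints in the output shown above.

```shell
#!/bin/bash
# Added example: derive the slash-form DN that VOMRS expects from
# `openssl x509 -text` output and confirm subject and issuer are as expected.
# Function names are hypothetical; the input layout is the one shown above.

# Print the value of one field ("Subject", "Issuer", "Not After") from
# `openssl x509 -text` output read on stdin. "Subject Public Key Info:" is
# not matched because the colon must follow the field name directly.
cert_field() {
    sed -n "s/^[[:space:]]*$1 *: *//p" | head -n 1
}

# Turn "DC=org, DC=doegrids, CN=a/b" into "/DC=org/DC=doegrids/CN=a/b".
# Only ", KEY=" boundaries are rewritten, so a "/" inside the CN
# (service/host) is preserved.
to_slash_dn() {
    printf '%s\n' "$1" |
        sed -e 's|, \([A-Za-z][A-Za-z0-9.]*=\)|/\1|g' -e 's|^|/|'
}

# check_cert_identity EXPECTED_SUBJECT_DN EXPECTED_ISSUER_DN < openssl-text
# Prints both DNs and returns 0 only when both match exactly.
check_cert_identity() (
    text=$(cat)
    subject=$(to_slash_dn "$(printf '%s\n' "$text" | cert_field Subject)")
    issuer=$(to_slash_dn "$(printf '%s\n' "$text" | cert_field Issuer)")
    echo "subject DN: $subject"
    echo "issuer DN:  $issuer"
    [ "$subject" = "$1" ] && [ "$issuer" = "$2" ]
)

# Sample input: header lines copied from the openssl output shown above.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Issuer: DC=org, DC=DOEGrids, OU=Certificate Authorities, CN=DOEGrids CA 1
        Validity
            Not After : Dec 14 01:51:11 2010 GMT
        Subject: DC=org, DC=doegrids, OU=Services, CN=gfactory/if05.fnal.gov
        Subject Public Key Info:'

# Against a real cert, pipe `openssl x509 -text -in ~/.globus/usercert.pem`
# into check_cert_identity instead of the sample text.
printf '%s\n' "$SAMPLE_CERT_TEXT" | check_cert_identity \
    '/DC=org/DC=doegrids/OU=Services/CN=gfactory/if05.fnal.gov' \
    '/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1'
```

A non-zero exit means the subject or issuer is not the one you intended to register, so stop before submitting the VOMRS form.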

Install GlideinWMS

  • The way we chose to install it, from among many options, is
    • all components on a single node (the one we have been prepping)
    • user gfactory runs the glideinWMS factory
    • user gfrontend runs the vofrontend