Installing GlideinWMS 2 4 on SL5 Machine

This is a log of work done on, an SL5 machine used for development.
We have root on this machine, and much of the work that FEF would do we do instead.

Preparation to be done by FEF

  • create user condor uid=4716

Prep work as root done by installer/operator

  • useradd -u 43598 -c 'gWMS vo frontend user' gfrontend
  • useradd -u 43680 -c 'gWMS factory' gfactory
  • usermod -a -G condor gfrontend
  • usermod -a -G condor dbox
  • usermod -a -G condor lueking
  • usermod -a -G condor gfactory
  • (add lueking and dbox to gfrontend and gfactory .k5login)
  • wget
  • tar xzvf pacman-3.28.tar.gz
  • cd pacman-3.28
  • .
  • cd ..
  • pacman -get
    (warning about SELinux that I didn't understand, went to read what it was, vdt waits 30 seconds and then continues, thanks pacman!)
    pacman gets stuff for about 20 minutes....
  • disable SELinux
    • echo 0 >/selinux/enforce
    • vi /etc/selinux/config (change SELINUX=enforcing to SELINUX=permissive)
  • install correct VDT (client, not full)
  • get and install condor 7.4.2 rpm (from condor web site)

Preparation to be done by installer/operator

  • ssh to gfactory@install_machine
  • install apache
    • mkdir httpd; cd httpd; get httpd.(latest_stable).tar.gz from
    • make apache server according to instructions. I set up mine like so:
    • port 8080 with document root at ~gfactory/httpd/build/htdocs
    • configuration files at ~gfactory/httpd/build/conf
  • install M2Crypto


  • m2crypto install continued
    • python setup.py build
    • python setup.py install --prefix /home/gfactory/m2crypto/install
    • results in m2crypto living in ~gfactory/m2crypto/install
    • add this line to your .bashrc:
export PYTHONPATH=/home/gfactory/m2crypto/install/lib64/python2.4/site-packages:$PYTHONPATH
  • get certs for gfactory and gfrontend
  • as user gfactory:
    • . /usr/local/vdt/
    • %cert-request --ou s --name "Dennis Box" --host --email --vo fermilab --affiliation fnal --reason "cert for glideinWMS gfactory" --phone 630-840-3145 --agree --service "gfactory"
    • a few hours later you will get email on how to retrieve your cert using the cert-retrieve command.
    • cert-retrieve -serialnum (# from email instructions) will create .globus/hostcert.pem and .globus/hostkey.pem .
    • Rename these two files to usercert.pem and userkey.pem, otherwise voms-proxy-init gets confused (advice from Steve Timm)
  • test that the cert is usable and belongs to who you think it should:
[gfactory@edge]$ openssl x509 -text -in /home/gfactory/.globus/usercert.pem | head -15
        Version: 3 (0x2)
        Serial Number: 40282 (0x9d5a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=org, DC=DOEGrids, OU=Certificate Authorities, CN=DOEGrids CA 1
            Not Before: Dec 14 01:51:11 2009 GMT
            Not After : Dec 14 01:51:11 2010 GMT
        Subject: DC=org, DC=doegrids, OU=Services, CN=gfactory/
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
  • add the cert as an auxiliary to your fermilab cert in vomrs.
    • use to load your kca cert in your browser
    • go to
    • click on the [+]Members menu item in the left column
    • then click on the [+]Certificates menu item
    • then click on the 'Add Certificate' menu item
    • fill in the web form to add the certificate you requested earlier.
The DN is derivable from the Subject: line in the output of the openssl command you executed above

DN: /DC=org/DC=doegrids/OU=Services/CN=gfactory/
Select the CA from the pull-down list; it is:
/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
  • finish filling out the form and submit. Someone from fermigrid has to manually approve your request.
  • When this is done correctly gfactory can voms-proxy-init:
[gfactory@edge ~]$ voms-proxy-init  -voms fermilab:/fermilab/nova/Role=pilot  --debug -valid 268:00
Detected Globus version: 22
Unspecified proxy version, settling on Globus version: 2
Number of bits in key :1024
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Files being used:
 CA certificate file: none
 Trusted certificates directory : /usr/local/vdt-2.0.0/globus/TRUSTED_CA
 Proxy certificate file : /home/gfactory/.grid/pilot.dbox.proxy
 User certificate file: /home/gfactory/.globus/usercert.pem
 User key file: /home/gfactory/.globus/userkey.pem
Output to /home/gfactory/.grid/pilot.dbox.proxy
Your identity: /DC=org/DC=doegrids/OU=Services/CN=gfactory/
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Using configuration file /usr/local/vdt-2.0.0/glite/etc/vomses
Creating temporary proxy to /tmp/tmp_x509up_u43680_5223 ...........++++++
Contacting [/DC=org/DC=doegrids/OU=Services/CN=http/] "fermilab" Done

Warning: The validity of this VOMS AC in your proxy is shortened to 86400 seconds!

Creating proxy to /home/gfactory/.grid/pilot.dbox.proxy .............................++++++
Your proxy is valid until Sat Jun  5 20:52:14 2010
[gfactory@edge ~]$ 
  • as user gfrontend:
    • . /usr/local/vdt/
    • %cert-request --ou s --name "Dennis Box" --host --email --vo fermilab --affiliation fnal --reason "cert for glideinWMS vo frontend" --phone 630-840-3145 --agree --service "gfrontend"
    • follow the same instructions as with gfactory cert creation
    • test the cert using openssl
    • you do not need to add this cert to vomrs
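
The certificate test and DN derivation described above, as an added shell example that is not part of the original log: it derives the slash-form DN from the Subject line, checks that the renamed key grants nothing to group or other, that key and certificate belong together, and that the certificate is not about to expire. The function names, the 14-day threshold and the use of the ~/.globus paths from this log as defaults are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original log): checks on a retrieved cert/key pair.

# Subject line as it appears in the openssl output quoted in this log.
SAMPLE_SUBJECT='        Subject: DC=org, DC=doegrids, OU=Services, CN=gfactory/'

# Turn the comma-separated Subject from `openssl x509 -text` into the
# slash-separated DN form entered in the VOMRS form. Accepts both the
# "DC=org" and the newer "DC = org" spacing.
subject_to_dn() {
    printf '%s\n' "$1" |
        sed -n 's|^ *Subject: *|, |p' |
        sed 's|, *\([A-Za-z][A-Za-z0-9.]*\) *= *|/\1=|g'
}

# True when the key file grants nothing to group or other (e.g. 0400, 0600).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when certificate and RSA key carry the same modulus (they belong together).
pair_matches() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# True when the certificate stays valid for at least $2 more days.
valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Run every check and print the DN; paths default to the files named in this log.
check_grid_cert() {
    cert=${1:-$HOME/.globus/usercert.pem}
    key=${2:-$HOME/.globus/userkey.pem}
    rc=0
    key_is_private "$key" || { echo "FAIL: $key is accessible to group/other"; rc=1; }
    pair_matches "$cert" "$key" || { echo "FAIL: $key does not match $cert"; rc=1; }
    valid_for_days "$cert" 14 || { echo "WARN: $cert expires within 14 days"; rc=1; }
    subject_to_dn "$(openssl x509 -noout -text -in "$cert" | grep 'Subject:')"
    return "$rc"
}

# Demo on the sample line only; call check_grid_cert on the real files.
subject_to_dn "$SAMPLE_SUBJECT"
```

Source the file and run `check_grid_cert` as gfactory or gfrontend after renaming the retrieved files; a non-zero return means at least one check failed.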

Install GlideinWMS

  • The way we chose to install it, from among many options, is
    • all components on a single node (the one we have been prepping)
    • user gfactory runs the glideinWMS factory
    • user gfrontend runs the vofrontend