====== OSG Setup ======
Follow this link to view the [[https://twiki.grid.iu.edu/twiki/bin/view/ReleaseDocumentation/GetGridCertificates|OSG Site Certificate Guide]].
We are placing our OSG certificate packages in the export directory, which will be mounted on all nodes as /share/osg.
# Edit the auto.share file\\
''**[user@grow-prod ~]$** sudo vi /etc/auto.share''\\
# Add this line.\\
osg grid-0-0.local:/export/&
# Update by executing:\\
''**[user@grow-prod ~]$** cd /var/411; make''
===== Pacman Setup =====
# Log in to the grid node and, as the root user, execute the following:\\
# Download the latest pacman\\
''%%**[user@grid-0-0 ~]$** wget "http://physics.bu.edu/pacman/sample_cache/tarballs/pacman-latest.tar.gz"%%''\\
# Unpackage pacman into /opt directory\\
''**[user@grid-0-0 ~]$** sudo tar xzvf pacman-latest.tar.gz -C /opt''\\
# Change directory to /opt/pacman-3.29\\
''**[user@grid-0-0 ~]$** cd /opt/pacman-3.29''\\
# Source pacman for the first time from a root shell (''.'' is a shell builtin, so it cannot be run through sudo):\\
''**[root@grid-0-0 pacman-3.29]#** . /opt/pacman-3.29/setup.sh''\\
# Add these lines to /root/.bashrc\\
''**[user@grid-0-0 ~]$** sudo vi /root/.bashrc''\\
# Source pacman
if [ -f /opt/pacman-3.29/setup.sh ]; then
. /opt/pacman-3.29/setup.sh
fi
===== Install Certificate Scripts Package =====
# Retrieve and install the scripts package (Optional)\\
''**[user@grid-0-0 /opt/osg-1.2.20]$** sudo pacman -get http://vdt.cs.wisc.edu/vdt_200_cache:PPDG-Cert-Scripts''\\
# Set up the environment from a root shell (''source'' is a shell builtin, so it cannot be run through sudo)\\
''**[root@grid-0-0 /opt/osg-1.2.20]#** source setup.sh''\\
===== Setup Initial Certificate Authority (CA) Package =====
**The commands that are in red denote where you will have to enter your own host name or serial numbers if not for the GROW cluster.**\\
# On the grid node execute the following:\\
''**[user@grid-0-0 /opt/osg-1.2.20]$** sudo vdt-ca-manage setupCA --location local --url osg''\\
# The results should look like so:\\
//Setting up CA Certificates for VDT installation at '/export/osg'\\
CA Certificates will be installed into /export/osg/globus/share/certificates\\
Setup completed successfully.//
===== Host Certificate / Container Certificate =====
==== Request ====
# Change directory to the /opt/osg-1.2.20, source the setup, and execute this command.\\
''**[root@grid-0-0 ~]#** cd /opt/osg-1.2.20''\\
''**[root@grid-0-0 osg-1.2.20]#** source setup.sh''\\
''**[root@grid-0-0 osg-1.2.20]#** cert-request -ou s -dir . -label grow-grid.its.uiowa.edu''\\
==== Retrieve and Install ====
# Once you have a reply from DOEGrids with a serial number in 0xYYYY format you can retrieve the certificate.\\
''**[root@grid-0-0 osg-1.2.20]#** cert-retrieve -serial 0xYYYY -label grow-grid.its.uiowa.edu -dir . -prefix grow-grid.its.uiowa.edu''\\
checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0xYYYY
Checking that the certificate and ./grow-grid.its.uiowa.edukey.pem match
writing RSA key
./grow-grid.its.uiowa.educert.pem and ./grow-grid.its.uiowa.edukey.pem now contain your new credential
==== Verify ====
# Check to make sure the certificate matches your machine hostname.\\
''**[root@grid-0-0 osg-1.2.20]#** grid-cert-info -file ./grow-grid.its.uiowa.educert.pem -subject''\\
/DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu
# Now execute:\\
''**[root@grid-0-0 osg-1.2.20]#** hostname -f''\\
grow-grid.its.uiowa.edu
# Copy the certificate to the default certificate directory and edit the file permissions.\\
''**[root@grid-0-0 osg-1.2.20]#** cp ./grow-grid.its.uiowa.educert.pem /etc/grid-security/hostcert.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** chmod 444 /etc/grid-security/hostcert.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** cp ./grow-grid.its.uiowa.edukey.pem /etc/grid-security/hostkey.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** chmod 400 /etc/grid-security/hostkey.pem''\\
# We will use the host certificate as the container certificate. This is the only instance where using a copy of the host certificate is allowed.\\
''**[root@grid-0-0 osg-1.2.20]#** cp grow-grid.its.uiowa.educert.pem /etc/grid-security/containercert.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** cp grow-grid.its.uiowa.edukey.pem /etc/grid-security/containerkey.pem''\\
# Change ownership on the container certificate.\\
''**[root@grid-0-0 osg-1.2.20]#** chown daemon:daemon /etc/grid-security/containercert.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** chown daemon:daemon /etc/grid-security/containerkey.pem''\\
===== HTTP Service Certificate =====
==== Request ====
# Change directory to the /opt/osg-1.2.20, source the setup, and execute this command.\\
''**[root@grid-0-0 ~]#** cd /opt/osg-1.2.20''\\
''**[root@grid-0-0 osg-1.2.20]#** source setup.sh''\\
''**[root@grid-0-0 osg-1.2.20]#** cert-request -ou s -service http -host grow-grid.its.uiowa.edu -dir . -label grow-grid.its.uiowa.edu-http''\\
==== Retrieve and Install ====
# Create a new directory for the http service certificate.\\
''**[root@grid-0-0 osg-1.2.20]#** mkdir /etc/grid-security/http''\\
# Once you have the serial number, retrieve the certificate.\\
''**[root@grid-0-0 osg-1.2.20]#** cert-retrieve -serial 0xYYYY -label grow-grid.its.uiowa.edu-http -dir . -prefix grow-grid.its.uiowa.edu-http''\\
# Copy the certificate to the default directory and edit the permissions.\\
''**[root@grid-0-0 osg-1.2.20]#** cp ./grow-grid.its.uiowa.edu-httpcert.pem /etc/grid-security/http/httpcert.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** chmod 444 /etc/grid-security/http/httpcert.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** cp ./grow-grid.its.uiowa.edu-httpkey.pem /etc/grid-security/http/httpkey.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** chmod 400 /etc/grid-security/http/httpkey.pem''\\
# Change ownership of the certificate.\\
''**[root@grid-0-0 osg-1.2.20]#** chown daemon:daemon /etc/grid-security/http/httpcert.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** chown daemon:daemon /etc/grid-security/http/httpkey.pem''\\
==== Verify ====
# Check to make sure the certificate matches your machine hostname.\\
''**[root@grid-0-0 osg-1.2.20]#** grid-cert-info -file ./grow-grid.its.uiowa.edu-httpcert.pem -subject''\\
/DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu
# Now execute:\\
''**[root@grid-0-0 osg-1.2.20]#** hostname -f''\\
grow-grid.its.uiowa.edu
===== RSV Service Certificate =====
We will create an rsvuser for this certificate.
# On the head node.\\
''**[root@grow-prod user]#** useradd -c "RSV monitoring user" -n rsvuser''\\
''**[root@grow-prod user]#** passwd rsvuser''\\
# Contact admin for password\\
''**[root@grow-prod user]#** ssh-agent $SHELL''\\
''**[root@grow-prod user]#** ssh-add''\\
''**[root@grow-prod user]#** rocks sync config''\\
''**[root@grow-prod user]#** rocks sync users''\\
==== Request ====
# Change directory to the /opt/osg-1.2.20, source the setup, and execute this command.\\
''**[root@grid-0-0 ~]#** cd /opt/osg-1.2.20''\\
''**[root@grid-0-0 osg-1.2.20]#** source setup.sh''\\
''**[root@grid-0-0 osg-1.2.20]#** cert-request -ou s -service rsv -host grow-grid.its.uiowa.edu -dir . -label grow-grid.its.uiowa.edu-rsv''\\
==== Retrieve and Install ====
# Once you have gotten the serial number, retrieve the certificate.\\
''**[root@grid-0-0 osg-1.2.20]#** cert-retrieve -serial 0xYYYY -label grow-grid.its.uiowa.edu-rsv -dir . -prefix grow-grid.its.uiowa.edu-rsv''\\
# Copy the files to the default location and edit the file permissions.\\
''**[root@grid-0-0 osg-1.2.20]#** cp ./grow-grid.its.uiowa.edu-rsvcert.pem /etc/grid-security/rsvcert.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** chmod 444 /etc/grid-security/rsvcert.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** cp ./grow-grid.its.uiowa.edu-rsvkey.pem /etc/grid-security/rsvkey.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** chmod 400 /etc/grid-security/rsvkey.pem''\\
# Change ownership on the certificate.\\
''**[root@grid-0-0 osg-1.2.20]#** chown rsvuser:users /etc/grid-security/rsvcert.pem''\\
''**[root@grid-0-0 osg-1.2.20]#** chown rsvuser:users /etc/grid-security/rsvkey.pem''\\
==== Verify ====
# Check to make sure the certificate matches your machine hostname.\\
''**[root@grid-0-0 osg-1.2.20]#** grid-cert-info -file ./grow-grid.its.uiowa.edu-rsvcert.pem -subject''\\
/DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu
# Now execute:\\
''**[root@grid-0-0 osg-1.2.20]#** hostname -f''\\
grow-grid.its.uiowa.edu
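
The three install steps above leave a fixed set of files under /etc/grid-security with specific owners and modes. As an added example (not part of the original page), this script compares a tree against that expected state and reports private keys accessible to group or other, certificates writable by group or other, wrong owners and missing files. The function names are the example's own, ''root'' as owner of the host pair is inferred from the root prompt, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: audit grid credential files against the state the steps above produce.
# Spec line format: <path> <expected owner> <key|cert>

# Paths and owners as installed on this page (root for the host pair is inferred
# from the root prompt used for the cp commands).
page_spec() {
    cat <<'EOF'
/etc/grid-security/hostcert.pem root cert
/etc/grid-security/hostkey.pem root key
/etc/grid-security/containercert.pem daemon cert
/etc/grid-security/containerkey.pem daemon key
/etc/grid-security/http/httpcert.pem daemon cert
/etc/grid-security/http/httpkey.pem daemon key
/etc/grid-security/rsvcert.pem rsvuser cert
/etc/grid-security/rsvkey.pem rsvuser key
EOF
}

# Read a spec on stdin, print one finding per line, return 1 if anything was found.
audit_creds() {
    findings=0
    while read -r path owner kind; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; findings=$((findings + 1)); continue
        fi
        ls_out=$(ls -ldL "$path")                      # -L: judge the target of a symlink
        mode=${ls_out%% *}                             # e.g. -r--------
        actual=$(printf '%s\n' "$ls_out" | awk '{print $3}')
        grp_oth=$(printf '%s\n' "$mode" | cut -c5-10)  # group and other permission bits
        case "$kind" in
            key)   # a private key must give group and other nothing at all
                if [ "$grp_oth" != "------" ]; then
                    echo "KEY_EXPOSED $path mode=$mode"; findings=$((findings + 1))
                fi ;;
            cert)  # a certificate may be world-readable but not writable by others
                case "$grp_oth" in
                    ?w????|????w?) echo "CERT_WRITABLE $path mode=$mode"; findings=$((findings + 1)) ;;
                esac ;;
        esac
        if [ "$actual" != "$owner" ]; then
            echo "OWNER $path is=$actual want=$owner"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed demo tree: two deliberate faults, everything owned by the caller.
demo_audit() {
    d=$(mktemp -d) || return 1
    me=$(ls -ld "$d" | awk '{print $3}')
    for f in hostcert hostkey containercert containerkey; do : > "$d/$f.pem"; done
    chmod 444 "$d/hostcert.pem" "$d/containercert.pem"
    chmod 400 "$d/hostkey.pem"
    chmod 644 "$d/containerkey.pem"      # fault 1: copied key never tightened
    {
        echo "$d/hostcert.pem $me cert"
        echo "$d/hostkey.pem $me key"
        echo "$d/containercert.pem $me cert"
        echo "$d/containerkey.pem $me key"
        echo "$d/rsvkey.pem $me key"     # fault 2: file was never installed
    } > "$d/spec"
    audit_creds < "$d/spec" || :
    rm -rf "$d"
}

demo_audit
# On the grid node itself: page_spec | audit_creds
```
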
===== Prepare the Environment =====
Before installing OSG software we must prepare the environment.
==== Create Directories ====
# On the grid node, create the directories which will be network mounted, change permissions, and change ownership on the certificates.\\
''**[root@grid-0-0 osg]#** mkdir wnclient-1.2 ce-1.2''\\
''**[root@grid-0-0 osg]#** ln -s wnclient-1.2 wnclient''\\
''**[root@grid-0-0 osg]#** ln -s ce-1.2 ce''\\
''**[root@grid-0-0 osg]#** ln -s ce-1.2 se''\\
''**[root@grid-0-0 osg]#** mkdir -p app/etc''\\
''**[root@grid-0-0 osg]#** chmod 777 app app/etc''\\
''**[root@grid-0-0 osg]#** mkdir /data/se/osg''\\
''**[root@grid-0-0 osg]#** chown root:users /data/se/osg''\\
''**[root@grid-0-0 osg]#** chmod 775 /data/se/osg''\\
==== Garbage Collection ====
=== Compute node ===
# We added an extend-compute.xml that creates a cron job to take care of garbage collection.\\
''**[root@grow-prod ~]#** vi /export/rocks/install/site-profiles/5.4/nodes/extend-compute.xml''\\
Click [[http://highenergy.physics.uiowa.edu/~dsquires/grow/backup_files/extend-compute.xml|here]] to see our extend-compute.xml file.
# Make sure to create a new distro when adding or editing a kickstart file.\\
''**[root@grow-prod ~]#** cd /export/rocks/install''\\
''**[root@grow-prod ~]#** rocks create distro''\\
# Check to see if the xml format is correct.\\
''**[root@grow-prod ~]#** rocks list appliance xml compute''\\
# If there is a mistake this will tell you which line has an error.\\
=== Login Node ===
?
==== Install xinetd ====
# Install xinetd service on the grid node which is needed by OSG.\\
''**[root@grid-0-0 osg]#** yum install xinetd''\\
''**[root@grid-0-0 osg]#** /etc/rc.d/init.d/xinetd restart''\\
''**[root@grid-0-0 osg]#** chkconfig --add xinetd''\\
==== Reconfigure grid node hostname ====
# Edit the /etc/sysconfig/network file.\\
''**[root@grow-grid ~]#** vi /etc/sysconfig/network''\\
# Replace:\\
HOSTNAME=grid-0-0.local\\
# with:\\
HOSTNAME=grow-grid.its.uiowa.edu
# In /etc/hosts, add:\\
128.255.88.50 grow-grid.its.uiowa.edu
# Then set the running hostname to the true FQDN:\\
''**[root@grow-grid ~]#** hostname grow-grid.its.uiowa.edu''\\
# Restart the network:\\
''**[root@grow-grid ~]#** service network restart''\\
# Make sure to logout from the grid node and log back in before continuing.
==== Enable Automatic Updates of CA Certificates ====
''[root@grow-grid ~]# cd /export/osg''\\
''[root@grow-grid osg]# vdt-control --enable vdt-update-certs''\\
running 'vdt-register-service --name vdt-update-certs --enable'... ok
==== Enable Automatic Update of Revocation List ====
''[root@grow-grid osg]# cd /export/osg''\\
''[root@grow-grid osg]# vdt-control --enable fetch-crl''\\
running 'vdt-register-service --name fetch-crl --enable'... ok
===== CE =====
''[root@grow-grid ce]# cd /share/osg/ce''\\
''[root@grow-grid ce]# pacman -get %%http://software.grid.iu.edu/osg-1.2:ce%%''\\
''[root@grow-grid ce]# . setup.sh ''\\
''[root@grow-grid ce]# vdt-ca-manage setupca --location root --url osg''\\
Setting up CA Certificates for VDT installation at '/share/osg/ce-1.2'
CA Certificates will be installed into /etc/grid-security/certificates
Setup completed successfully.
''[root@grow-grid ce]# export VDTSETUP_CONDOR_LOCATION=/opt/condor''\\
''[root@grow-grid ce]# pacman -allow trust-all-caches -get %%http://software.grid.iu.edu/osg-1.2:Globus-Condor-Setup%%''\\
''[root@grow-grid ce]# pacman -allow trust-all-caches -get %%http://software.grid.iu.edu/osg-1.2:ManagedFork%%''\\
''[root@grow-grid ce]# $VDT_LOCATION/vdt/setup/configure_globus_gatekeeper --managed-fork y --server y''\\
==== Change Port Numbers ====
# Because the CE and SE are on the same node, some services must use different port numbers.\\
''[root@grow-grid ce]# vi $VDT_LOCATION/tomcat/v55/conf/server.xml''\\
# Change the following line to read "7443"\\
enableLookups="false" redirectPort="8443" protocol="AJP/1
# File should now read:\\
enableLookups="false" redirectPort="7443" protocol="AJP/1
# Now edit this file:\\
''[root@grow-grid ce]# vi $VDT_LOCATION/apache/conf/extra/httpd-ssl.conf''\\
# There will be three lines that need to be edited.\\
Listen 8443
RewriteRule (.*) https://%{SERVER_NAME}:8443$1
ServerName www.example.com:8443
# Change to:\\
Listen 7443
RewriteRule (.*) https://%{SERVER_NAME}:7443$1
ServerName www.example.com:7443
''[root@grow-grid ce]# vdt-post-install''\\
''[root@grow-grid ce]# vdt-ca-manage setupca --location local --url osg''\\
Setting up CA Certificates for VDT installation at '/share/osg/ce-1.2'
CA Certificates will be installed into /share/osg/ce-1.2/globus/share/certificates
Setup completed successfully.
''[root@grow-grid ce]# cd /etc/grid-security''\\
''[root@grow-grid grid-security]# ln -s /share/osg/ce/globus/share/certificates''\\
ln: creating symbolic link `./certificates' to `/share/osg/ce/globus/share/certificates': File exists
==== Edit rsvuser bashrc file ====
''[root@grow-prod rsvuser]# vi .bashrc''\\
# Add the following lines\\
. /share/osg/ce/setup.sh
. $VDT_LOCATION/vdt/etc/condor-cron-env.sh
==== OSG Environment ====
''[root@grow-prod ~]# cd /etc/profile.d''\\
''[root@grow-prod profile.d]# vi osg.sh''\\
# Add this line to the file.\\
. /share/osg/ce/setup.sh
''[root@grow-prod profile.d]# vi osg.csh''\\
# Add this line to the file.\\
source /share/osg/ce/setup.csh
==== Setup Condor Environment Variables ====
=== Edit the Firewall ===
''[root@grow-grid etc]# vi /etc/sysconfig/iptables''\\
# Add the following lines:\\
# GLOBUS_TCP_PORT_RANGE
-A INPUT -m state --state NEW -p tcp -m tcp --dport 20000:25000 -j ACCEPT
# Monalisa, grabs 3 ports from the following range
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9000:9010 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 9000 -j ACCEPT
# GRAM
-A INPUT -m state --state NEW -p tcp -m tcp --dport 2119 -j ACCEPT
# Gridftp
-A INPUT -m state --state NEW -p tcp -m tcp --dport 2811 -j ACCEPT
# Optional Services
# RLS Server
-A INPUT -m state --state NEW -p tcp -m tcp --dport 39281 -j ACCEPT
# MyProxy
-A INPUT -m state --state NEW -p tcp -m tcp --dport 7512 -j ACCEPT
# MDS
-A INPUT -m state --state NEW -p tcp -m tcp --dport 2135 -j ACCEPT
# GIIS
-A INPUT -m state --state NEW -p tcp -m tcp --dport 2136 -j ACCEPT
# GUMS/VOMS
''[root@grow-grid etc]# /etc/rc.d/init.d/iptables restart''\\
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter nat [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_ns [ OK ]
''[root@grow-grid etc]# /etc/rc.d/init.d/xinetd reload''\\
Reloading configuration: [ OK ]
=== Edit Stateful Firewalls ===
''[root@grow-grid etc]# cd /export/osg/vdt/etc/''\\
''[root@grow-grid etc]# vi vdt-local-setup.sh''\\
# This file is sourced by setup.sh. Use it for any custom setup for this site.
# This file will be preserved across VDT installations if OLD_VDT_LOCATION is set.
# Set GLOBUS_TCP_PORT_RANGE to define communication ports for outbound connections.
export GLOBUS_TCP_PORT_RANGE=20000,25000
# Set GLOBUS_TCP_SOURCE_RANGE to define communication ports for inbound connections.
export GLOBUS_TCP_SOURCE_RANGE=20000,25000
# Set GLOBUS_TCP_PORT_RANGE_STATE_FILE to the location where Globus should record
# TCP port usage for outbound connections in case of a stateful firewall.
export GLOBUS_TCP_PORT_RANGE_STATE_FILE=/var/cache/iptables/globus
# Set GLOBUS_TCP_SOURCE_RANGE_STATE_FILE to the location where Globus should record
# TCP port usage for inbound connections in case of a stateful firewall.
export GLOBUS_TCP_SOURCE_RANGE_STATE_FILE=/var/cache/iptables/globus
''[root@grow-grid etc]# vi vdt-local-setup.csh''\\
# This file is sourced by setup.sh. Use it for any custom setup for this site.
# This file will be preserved across VDT installations if OLD_VDT_LOCATION is set.
# Set GLOBUS_TCP_PORT_RANGE to define communication ports for outbound connections.
setenv GLOBUS_TCP_PORT_RANGE 20000,25000
# Set GLOBUS_TCP_SOURCE_RANGE to define communication ports for inbound connections.
setenv GLOBUS_TCP_SOURCE_RANGE 20000,25000
# Set GLOBUS_TCP_PORT_RANGE_STATE_FILE to the location where Globus should record
# TCP port usage for outbound connections in case of a stateful firewall.
setenv GLOBUS_TCP_PORT_RANGE_STATE_FILE /var/cache/iptables/globus
# Set GLOBUS_TCP_SOURCE_RANGE_STATE_FILE to the location where Globus should record
# TCP port usage for inbound connections in case of a stateful firewall.
setenv GLOBUS_TCP_SOURCE_RANGE_STATE_FILE /var/cache/iptables/globus
# It may be necessary to limit the Linux ephemeral port range to avoid the Globus ports defined above. Please check the /etc/sysctl.conf file for the following lines; insert if needed:\\
''[root@grow-grid etc]# vi /etc/sysctl.conf''\\
# Limit ephemeral ports to avoid globus TCP port range
# See OSG CE install guide
net.ipv4.ip_local_port_range = 10240 19999
# Execute sysctl as the root user for these settings to take effect:\\
''[root@grow-grid etc]# sysctl -p''\\
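
An added example, not from the original page or the OSG tools: a check that the three settings above agree, that is, that one iptables rule accepts the whole GLOBUS_TCP_PORT_RANGE and that the kernel's ephemeral range stays clear of it. The function names and the constructed faulty inputs are assumptions of the example.

```shell
#!/bin/sh
# Added example: cross-check the firewall, Globus and sysctl port settings shown above.

# Print "LO HI" from: export GLOBUS_TCP_PORT_RANGE=LO,HI
globus_range() {
    sed -n 's/^export GLOBUS_TCP_PORT_RANGE=\([0-9][0-9]*\),\([0-9][0-9]*\).*/\1 \2/p' "$1" | tail -n 1
}

# Print "LO HI" from: net.ipv4.ip_local_port_range = LO HI
ephemeral_range() {
    sed -n 's/^net\.ipv4\.ip_local_port_range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' "$1" | tail -n 1
}

# fw_covers FILE LO HI: succeed if a single tcp ACCEPT rule on INPUT spans LO..HI.
fw_covers() {
    awk -v lo="$2" -v hi="$3" '
        /^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                a = r[1] + 0; b = (n > 1 ? r[2] : r[1]) + 0
                if (a <= lo + 0 && b >= hi + 0) ok = 1
            }
        }
        END { exit(ok ? 0 : 1) }' "$1"
}

# check_port_plan IPTABLES SETUP_SH SYSCTL_CONF: print findings, return 1 if any.
check_port_plan() {
    g=$(globus_range "$2"); e=$(ephemeral_range "$3")
    if [ -z "$g" ] || [ -z "$e" ]; then
        echo "UNPARSED could not read both port ranges"; return 2
    fi
    g_lo=${g% *}; g_hi=${g#* }; e_lo=${e% *}; e_hi=${e#* }
    bad=0
    if ! fw_covers "$1" "$g_lo" "$g_hi"; then
        echo "FIREWALL no tcp ACCEPT rule spans $g_lo:$g_hi"; bad=1
    fi
    # Two closed ranges intersect when each one starts before the other ends.
    if [ "$e_lo" -le "$g_hi" ] && [ "$e_hi" -ge "$g_lo" ]; then
        echo "OVERLAP ephemeral $e_lo-$e_hi intersects Globus $g_lo-$g_hi"; bad=1
    fi
    [ "$bad" -eq 0 ]
}

demo_ports() {
    d=$(mktemp -d) || return 1
    # The page's own values.
    cat > "$d/iptables" <<'EOF'
-A INPUT -m state --state NEW -p tcp -m tcp --dport 20000:25000 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 2119 -j ACCEPT
EOF
    echo 'export GLOBUS_TCP_PORT_RANGE=20000,25000' > "$d/setup.sh"
    echo 'net.ipv4.ip_local_port_range = 10240 19999' > "$d/sysctl.conf"
    if check_port_plan "$d/iptables" "$d/setup.sh" "$d/sysctl.conf"; then
        echo "page values: consistent"
    fi
    # Constructed faults: a rule that stops short and an ephemeral range that was widened.
    echo '-A INPUT -m state --state NEW -p tcp -m tcp --dport 20000:24000 -j ACCEPT' > "$d/iptables.bad"
    echo 'net.ipv4.ip_local_port_range = 1024 65000' > "$d/sysctl.bad"
    check_port_plan "$d/iptables.bad" "$d/setup.sh" "$d/sysctl.bad" || :
    rm -rf "$d"
}

demo_ports
```
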
==== Additional Steps for Scientific Linux ====
# Scientific Linux uses /etc/hosts.deny to block all connection requests. Please add the following lines to /etc/hosts.allow to open access to GridFTP and GRAM:\\
''[root@grow-grid etc]# vi /etc/hosts.allow''\\
/export/osg/vdt/services/vdt-run-gsiftp.sh : ALL
/export/osg/vdt/services/vdt-run-globus-gatekeeper.sh : ALL
==== Install Managedfork ====
# Install managedfork\\
''[root@grow-grid osg]# export VDTSETUP_CONDOR_LOCATION=/opt/condor''\\
''[root@grow-grid osg]# export VDTSETUP_CONDOR_CONFIG=/opt/condor/condor_configure''\\
''[root@grow-grid osg]# pacman -get %%http://software.grid.iu.edu/osg-1.2:ManagedFork%%''\\
Do you want to add http://software.grid.iu.edu/osg-1.2 to trusted.caches? (y/n/yall): yall
INFO: The Globus-Base-Info-Server package is not supported on this platform
# This section needs to be done\\
By default managedfork does not restrict the execution of jobs forked on the gatekeeper. Restrictions can be defined using the Condor configuration file $CONDOR_CONFIG:
START_LOCAL_UNIVERSE = TotalLocalJobsRunning < 5 || GridMonitorJob =?= TRUE
NOTE
Match TotalLocalJobsRunning to the capabilities of your gatekeeper. You must execute condor_reconfig as root for the changes to take effect.
==== Install Condor Job Manager ====
''[root@grow-grid ~]# cd /export/osg''\\
''[root@grow-grid osg]# pacman -get %%http://software.grid.iu.edu/osg-1.2:Globus-Condor-Setup%%''\\
# Next, optimize Gratia probe performance by changing the directory to record the job history. The location can be changed in the file $VDTSETUP_CONDOR_CONFIG using the variable PER_JOB_HISTORY_DIR:\\
''[root@grow-grid etc]# vi /opt/condor/condor_configure''\\
PER_JOB_HISTORY_DIR = /export/osg/gratia/var/data
''[root@grow-grid etc]# condor_reconfig''\\
==== Enable Log-file Rotation (Optional) ====
# Optionally enable the rotation of all log-files using vdt-control:\\
''[root@grid-grid /export/osg]$ vdt-control --enable vdt-rotate-logs''\\
==== Headline ====
''[root@grow-grid osg]# vdt-post-install''\\
Starting...
Done.
Making log symlinks in /export/osg/logs
===== Configure the grid-mapfile service =====
''[root@grow-grid osg]# . /export/osg/ce/setup.sh''\\
''[root@grow-grid osg]# vdt-control --enable edg-mkgridmap''\\
running 'vdt-register-service --name edg-mkgridmap --enable'... ok
===== Configuration Procedure =====
# Below are the changes we made to our config.ini file. We list only the variables that were changed.\\
# Edit the /share/osg/ce-1.2/osg/etc/config.ini file\\
''[root@grow-grid ce-1.2]# vi /share/osg/ce-1.2/osg/etc/config.ini''\\
;==================
; IMPORTANT
;==================
localhost = grow-grid.its.uiowa.edu
admin_email = daniel-squires@uiowa.edu
osg_location = /share/osg/ce
;==================
; Site Information
;==================
group = OSG
host_name = grow-grid.its.uiowa.edu
resource = GROW-GRID
resource_group = GROW-UIOWA
sponsor = CMS
contact = %(admin_email)s
email = %(admin_email)s
city = "Iowa City"
country = "United States"
longitude = -91.5459099
latitude = 41.660154
;==================
; Condor
;==================
enabled = True
condor_location = /opt/condor
condor_config = /opt/condor/condor_configure
job_contact = %(localhost)s/jobmanager-condor
util_contact = %(localhost)s/jobmanager
wsgram = %(enable)s
;==================
; Managed Fork
;==================
enabled = %(enable)s
;==================
; Misc Services
;==================
use_cert_updater = %(enable)s
authorization_method = gridmap
enable_webpage_creation = %(enable)s
enable_cleanup = %(disable)s
;==================
; RSV
;==================
enabled = True
rsv_user = rsvuser
ce_hosts = %(localhost)s
enable_gridftp_probes = True
gridftp_hosts = %(localhost)s
gridftp_dir = /tmp
gratia_probes = %(default)s
enable_srm_probes = True
srm_hosts = %(localhost)s
srm_dir = /tmp
srm_webservice_path = srm/v2/server
;==================
; Storage
;==================
se_available = %(enable)s
default_se = %(localhost)s
grid_dir = /share/osg/wnclient
app_dir = /share/osg/app
data_dir = /data/se/osg
worker_node_temp = /tmp
;==================
; GIP
;==================
advertise_gsiftp = %(disable)s
;==================
; Subclusters
;==================
[Subcluster grow-grid.its.uiowa.edu-ce1]
name = %(localhost)s-ce1
node_count = 12
cpu_speed_mhz = 1000
cpu_platform = x86_64
ram_mb = 3952
cpu_model = Dual-Core AMD Opteron(tm) Processor 2212
cpus_per_node = 4
cores_per_node = 8
cpu_vendor = AMD
[Subcluster grow-grid.its.uiowa.edu-ce2]
name = %(localhost)s-ce2
node_count = 1
ram_mb = 3270
cpu_model = Dual Core AMD Opteron(tm) Processor 290
cpu_vendor = AMD
cpu_speed_mhz = 2813
cpu_platform = x86_64
cpus_per_node = 4
cores_per_node = 8
inbound_network = FALSE
outbound_network = TRUE
;==================
; SE
;==================
[SE grow-grid.its.uiowa.edu-se1]
name = GROW-GRID
srm_endpoint = srm://%(localhost)s:8443/srm/v2/server
provider_implementation = bestman
version = 2.2.1.2.i7.p3
implementation = bestman
default_path = /data/se/osg/VONAME
use_df = True
# We are only using Condor, so we deleted the sections for PBS, SGE, and LSF.\\
====== Edit Vomses ======
# Remove the following line from the vomses file to use only one proxy server for cms.\\
''[root@grow-grid etc]# vi /share/osg/ce/glite/etc/vomses''\\
"cms" "voms.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch" "cms"
====== Verify Configuration ======
# Verify that the configuration script is valid.\\
''[root@grow-grid osg]# configure-osg -v''\\
====== Run Configuration Script ======
''[root@grow-grid osg]# configure-osg -c''\\
Using /share/osg/ce-1.2/osg/etc/config.ini for configuration information
running 'vdt-register-service --name vdt-rotate-logs --enable'... ok
running 'vdt-register-service --name globus-gatekeeper --enable'... ok
running 'vdt-register-service --name globus-ws --enable'... ok
running 'vdt-register-service --name fetch-crl --enable'... ok
Running /share/osg/ce-1.2/fetch-crl/share/doc/fetch-crl-2.8.5/fetch-crl.cron, this process make take some time to fetch all the crl updates
running 'vdt-register-service --name vdt-update-certs --enable'... ok
running 'vdt-register-service --name edg-mkgridmap --enable'... ok
running 'vdt-register-service --name gums-host-cron --disable'... ok
PRIMA for GT4 web services has been disabled
You will now be using a grid-mapfile for authorization.
Modifications to the /etc/sudoers file are still required.
You will need to restart the /etc/init.d/globus-ws container
to effect the changes.
Running /share/osg/ce-1.2/edg/sbin/edg-mkgridmap, this process may take some time to query vo and gums servers
INFO: Attempting to configure Apache to serve OSG site index page
Adding site alias.
Apache setup properly to serve the site information page.
Restart Apache for changes to take effect.
Enabling the Apache service using vdt-control ...
Page can be viewed at https://HOSTNAME:8443/site
INFO: Resetting all metrics and consumers to disabled because --reset was supplied
INFO: Configuring RSV to use a service certificate.
Enabling consumers: html-consumer gratia-consumer
Enabling default metrics of type 'OSG-Local-Monitor' for host 'grow-grid.its.uiowa.edu'
Enabling default metrics of type 'OSG-CE' for host 'grow-grid.its.uiowa.edu'
Enabling default metrics of type 'OSG-GridFTP' for host 'grow-grid.its.uiowa.edu'
Enabling default metrics of type 'OSG-SRM' for host 'grow-grid.its.uiowa.edu'
running 'vdt-register-service --name condor-cron --enable'... ok
The following consumer subscription has been installed:
HOST: http://is2.grid.iu.edu:14001
TOPIC: OSG_CE
DIALECT: RAW
The following consumer subscription has been installed:
HOST: http://is1.grid.iu.edu:14001
TOPIC: OSG_CE
DIALECT: RAW
The following consumer subscription has been installed:
HOST: https://osg-ress-1.fnal.gov:8443/ig/services/CEInfoCollector
TOPIC: OSG_CE
DIALECT: OLD_CLASSAD
running 'vdt-register-service --name tomcat-55 --enable'... ok
running 'vdt-register-service --name apache --enable'... ok
running 'vdt-register-service --name gratia-condor --enable'... ok
running 'vdt-register-service --name mysql5 --enable'... ok
running 'vdt-register-service --name gsiftp --enable'... ok
Configure-osg completed successfully
====== Configure grid-mapfile service ======
''[root@grow-grid osg]# vdt-control --enable edg-mkgridmap''\\
running 'vdt-register-service --name edg-mkgridmap --enable'... ok
# Copy the lines from sudo-example.txt into /etc/sudoers\\
''[root@grow-grid etc]# vi /share/osg/ce-1.2/osg/etc/sudo-example.txt''\\
# Copy the following lines.\\
Runas_Alias GLOBUSUSERS = ALL, !root
daemon ALL=(GLOBUSUSERS) \
NOPASSWD: /share/osg/ce-1.2/globus/libexec/globus-gridmap-and-execute \
-g /etc/grid-security/grid-mapfile \
/share/osg/ce-1.2/globus/libexec/globus-job-manager-script.pl *
daemon ALL=(GLOBUSUSERS) \
NOPASSWD: /share/osg/ce-1.2/globus/libexec/globus-gridmap-and-execute \
-g /etc/grid-security/grid-mapfile \
/share/osg/ce-1.2/globus/libexec/globus-gram-local-proxy-tool *
# Paste\\
''[root@grow-prod etc]# vi /etc/sudoers''\\
# Add user accounts for approved VOs\\
''[root@grow-prod ~]# useradd -c "Monitoring information service" -n mis -s /bin/true''\\
''[root@grow-prod ~]# useradd -c "CMS grid jobs" -n uscms01 -s /bin/true''\\
''[root@grow-prod ~]# useradd -c "Fermilab Service Desk" -n fermilab -s /bin/true''\\
''[root@grow-prod ~]# useradd -c "Open Science Grid" -n osg -s /bin/true''\\
''[root@grow-prod ~]# useradd -c "OSG Education Activity" -n osgedu -s /bin/true''\\
''[root@grow-prod dsquires]# useradd -c "International Linear Collider" -n ilc -s /bin/true''\\
# Add the following lines to the edg-mkgridmap.conf to make sure local users are not locked out.\\
''[root@grow-grid ce]# vi /share/osg/ce/edg/etc/edg-mkgridmap.conf''\\
#### GMF_LOCAL: gmf_local grid-mapfile-local
gmf_local /etc/grid-security/grid-mapfile-local
# Sync Rocks users.\\
''[root@grow-prod ~]# ssh-agent $SHELL''\\
''[root@grow-prod ~]# ssh-add''\\
''[root@grow-prod ~]# rocks sync config''\\
''[root@grow-prod ~]# rocks sync users''\\
# Now create the grid-mapfile-local file, which will map users to accounts. The last two lines are added to allow Bockjoo Kim access to set up CMSSW.\\
"/DC=org/DC=doegrids/OU=Services/CN=http/grow-grid.its.uiowa.edu" uscms01
"/DC=org/DC=doegrids/OU=Services/CN=rsv/grow-grid.its.uiowa.edu" rsvuser
"/DC=org/DC=doegrids/OU=People/CN=Bockjoo Kim (UFlorida T2 Service) 606361" cmssoft
"/DC=org/DC=doegrids/OU=People/CN=Bockjoo Kim 740786" cmssoft
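
An added example (not part of the original page or of edg-mkgridmap): a check of grid-mapfile-local lines against a passwd file, reporting malformed entries, DNs mapped to a UID 0 account (which the ''Runas_Alias GLOBUSUSERS = ALL, !root'' rule above excludes), mappings to accounts that do not exist, and one DN mapped to two accounts. The passwd contents and the last two mapfile lines in the demo are constructed; ''cmssoft'' is reported because it is not among the accounts created on this page.

```shell
#!/bin/sh
# Added example: check a grid-mapfile-local against the local accounts.

# audit_gridmap MAPFILE PASSWD: print findings, return 1 if any.
audit_gridmap() {
    awk -v passwd="$2" '
        BEGIN {   # load account name to uid from the passwd file
            while ((getline line < passwd) > 0) { split(line, f, ":"); uid[f[1]] = f[3] }
        }
        /^[ \t]*(#|$)/ { next }
        {
            # Expected shape: a double-quoted DN starting with "/", then one account name
            if ($0 !~ /^"\/[^"]+"[ \t]+[A-Za-z_][A-Za-z0-9_.-]*[ \t]*$/) {
                print "MALFORMED line " NR; bad = 1; next
            }
            dn = $0; sub(/^"/, "", dn); sub(/".*$/, "", dn)
            acct = $NF
            if (!(acct in uid))          { print "NO_ACCOUNT " acct " <- " dn; bad = 1 }
            else if (uid[acct] + 0 == 0) { print "UID0 " acct " <- " dn; bad = 1 }
            if ((dn in seen) && seen[dn] != acct) { print "CONFLICT " dn; bad = 1 }
            seen[dn] = acct
        }
        END { exit(bad ? 1 : 0) }' "$1"
}

demo_gridmap() {
    d=$(mktemp -d) || return 1
    # Constructed passwd: a few of the accounts this page creates, with made-up UIDs.
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
rsvuser:x:501:100:RSV monitoring user:/home/rsvuser:/bin/bash
mis:x:502:100:Monitoring information service:/home/mis:/bin/true
uscms01:x:503:100:CMS grid jobs:/home/uscms01:/bin/true
EOF
    # First four lines are the page's grid-mapfile-local; the last two are constructed faults.
    cat > "$d/grid-mapfile-local" <<'EOF'
"/DC=org/DC=doegrids/OU=Services/CN=http/grow-grid.its.uiowa.edu" uscms01
"/DC=org/DC=doegrids/OU=Services/CN=rsv/grow-grid.its.uiowa.edu" rsvuser
"/DC=org/DC=doegrids/OU=People/CN=Bockjoo Kim (UFlorida T2 Service) 606361" cmssoft
"/DC=org/DC=doegrids/OU=People/CN=Bockjoo Kim 740786" cmssoft
"/DC=org/DC=example/OU=People/CN=Constructed User 1" root
/DC=org/DC=example/OU=People/CN=Unquoted User 2 mis
EOF
    audit_gridmap "$d/grid-mapfile-local" "$d/passwd" || :
    rm -rf "$d"
}

demo_gridmap
```
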
====== Install the SE ======
# Change to SE directory\\
''[dsquires@grow-grid ~]$ cd /share/osg/se''\\
# Source the OSG environment.\\
''[dsquires@grow-grid se]$ . setup.sh''\\
# Use pacman to install Bestman. Make sure to copy your config.ini file to a safe location as Bestman will overwrite this file.\\
''[root@grow-grid se]# pacman -get %%http://software.grid.iu.edu/osg-1.2:Bestman%%''\\
# Replace the config.ini file with the original file.\\
# Source the environment again.\\
''[root@grow-grid se]# . setup.sh''\\
''[root@grow-grid se]# vdt/setup/configure_bestman --server y --user best --cert /etc/grid-security/bestmancert.pem --key /etc/grid-security/bestmankey.pem --http-port 7070 --https-port 8443 --globus-tcp-port-range 20000,25000 --enable-gateway --with-allowed-paths "/tmp;/home;/data" --with-transfer-servers %%gsiftp://grow-grid.its.uiowa.edu%%''\\
# Edit the /etc/sudoers file by adding these lines and commenting out the first line.\\
#Defaults requiretty
Cmnd_Alias SRM_CMD = /bin/rm, /bin/mkdir, /bin/rmdir, /bin/mv, /bin/ls
Runas_Alias SRM_USR = ALL, !root
daemon ALL=(SRM_USR) NOPASSWD: SRM_CMD
====== Install worker node client ======
''[root@grow-grid dsquires]# cd /share/osg/wnclient''\\
# Use pacman to install worker node client.\\
''[root@grow-grid wnclient]# pacman -allow trust-all-caches -get %%http://software.grid.iu.edu/osg-1.2:wn-client%%''\\
# Setup the new environment.\\
''[root@grow-grid wnclient]# . setup.sh''\\
''[root@grow-grid wnclient]# vdt-ca-manage setupca --location local --url osg''\\
Setting up CA Certificates for VDT installation at '/share/osg/wnclient-1.2'
CA Certificates will be installed into /share/osg/wnclient-1.2/globus/share/certificates
Setup completed successfully.
''[root@grow-grid wnclient]# rm globus/TRUSTED_CA''\\
rm: remove symbolic link `globus/TRUSTED_CA'? y
''[root@grow-grid wnclient]# ln -s /share/osg/ce/globus/TRUSTED_CA globus/TRUSTED_CA''\\
====== Start CE and SE ======
''[root@grow-grid wnclient]# cd /share/osg/ce''\\
''[root@grow-grid ce]# . setup.sh''\\
''[root@grow-grid ce]# vdt-control %%--%%on''\\
enabling init service bestman... ok
enabling init service mysql5... ok
enabling init service globus-ws... ok
enabling cron service vdt-update-certs... ok
enabling cron service edg-mkgridmap... ok
enabling cron service vdt-rotate-logs... ok
skipping init service 'MLD' -- marked as disabled
enabling cron service gratia-condor... ok
enabling init service apache... ok
enabling init service tomcat-55... ok
enabling init service condor-cron... ok
enabling inetd service gsiftp... ok
enabling inetd service globus-gatekeeper... ok
enabling cron service fetch-crl... ok
skipping cron service 'gums-host-cron' -- marked as disabled
skipping cron service 'vdt-cleanup' -- marked as disabled
skipping cron service 'gratia-gridftp-transfer' -- marked as disabled
enabling init service osg-rsv... ok
====== Verify ======
# Log in as a user, source the environment, get a proxy and run the following perl script.\\
''[dsquires@grow-grid ce]$ grid-proxy-init''\\
====== Notes ======
====== Contact Info ======
This Dokuwiki page is maintained by:\\
Daniel Squires\\
University of Iowa\\
Department of Computer Science\\
Email: