Version 91 (modified by piontek, 13 years ago)
QCG Broker Client Installation
Requirements
- PL-Grid LDAP integration - The machine where the client is to be installed has to be configured to allow users to log in to their "plg" accounts.
- Package requirements - All packages required by the QCG-Broker client are installed automatically by YUM as dependencies of the qcg-broker-client package.
- Java (>= 1.6)
- gridFTP server - a gridFTP server providing access to the user's data, used for staging it in and out. It can be installed on the client machine (see Optional steps) or be any other server instance that has access to the data.
Mandatory steps
The installation and configuration of QCG-Broker client consists of two mandatory steps:
- installation of the set of trusted Certificate Authority certificates,
- installation of the client itself.
Certificate authorities
To enable mutual authentication and secure communication between the client and the QCG-Broker service, the set of trusted CA certificates must be installed either system-wide in the /etc/grid-security/certificates directory or configured separately for every user.
EGI IGTF CAs
Install the EGI accepted CA certificates (this also installs the Polish Grid CA)
- Add appropriate YUM repository
cat > /etc/yum.repos.d/egi-trustanchors.repo << EOF
[EGI-trustanchors]
name=EGI-trustanchors
baseurl=http://repository.egi.eu/sw/production/cas/1/current/
gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
enabled=1
EOF
- Install certificates
yum install ca-policy-egi-core
The above instruction is based on this manual
PL-Grid SimpleCA certificate (not part of IGTF)
- Add the appropriate YUM repository
cat > /etc/yum.repos.d/plgrid.repo << EOF
[PLGRID-general]
name=PLGRID general packages repository
baseurl=http://software.plgrid.pl/packages/general/
enabled=1
metadata_expire=300
gpgcheck=0
EOF
This repository is fetched over plain HTTP with gpgcheck=0, so YUM verifies nothing it installs from it. The package delivers a trust anchor for the whole client, so compare the installed CA certificate with a copy obtained from PL-Grid through a trusted channel before relying on it.
- Install certificates
yum install ca_PLGRID-SimpleCA
Certificate Revocation List - CRL
- Add appropriate YUM repository
cat > /etc/yum.repos.d/fetch-crl.repo << EOF
[EUGRIDPMA-fetch-crl]
name=EUGRIDPMA fetch-crl repository
baseurl=https://dist.eugridpma.info/distribution/util/fetch-crl3/
enabled=1
metadata_expire=300
gpgcheck=0
EOF
- Install certificate revocation list fetching utility
yum install fetch-crl
- Get fresh CRLs now
/usr/sbin/fetch-crl
- Install cron job for it
cat > /etc/cron.daily/fetch-crl.cron << EOF
#!/bin/sh
/usr/sbin/fetch-crl
EOF
chmod a+x /etc/cron.daily/fetch-crl.cron
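The cron job above keeps the CRLs fresh, but nothing on this page tells you when it has stopped working, and GSI treats a missing or expired CRL for a trusted CA as a verification failure, so every authenticated connection starts failing. The following added script (not part of the QCG or fetch-crl packages) audits the trust-anchor directory: each CA certificate <hash>.0 must have a CRL <hash>.r0 beside it, and no CRL may be past its nextUpdate. The expiry check assumes openssl and GNU date (for "date -d"); the pairing check needs only the shell.

```shell
#!/bin/sh
# Audit a Globus-style trust-anchor directory such as /etc/grid-security/certificates:
# every CA certificate <hash>.0 should have a CRL <hash>.r0 beside it, and no CRL may be
# past its nextUpdate. Added example, not part of the QCG or fetch-crl packages.
# Assumes openssl and GNU date ("date -d") for the expiry check.

# Print the hash of every CA certificate (<hash>.0) that has no CRL file (<hash>.r0).
cas_without_crl() {
    dir=$1
    for ca in "$dir"/*.0; do
        [ -e "$ca" ] || continue                    # no match: the glob stayed literal
        h=${ca##*/}; h=${h%.0}
        [ -e "$dir/$h.r0" ] || echo "$h"
    done
}

# Print the hash of every CRL that cannot be parsed or whose nextUpdate is in the past.
expired_crls() {
    dir=$1
    now=$(date +%s)
    for crl in "$dir"/*.r0; do
        [ -e "$crl" ] || continue
        h=${crl##*/}; h=${h%.r0}
        nu=$(openssl crl -in "$crl" -noout -nextupdate 2>/dev/null | sed 's/^nextUpdate=//')
        if [ -z "$nu" ]; then echo "$h"; continue; fi   # unreadable CRL counts as a problem
        exp=$(date -d "$nu" +%s 2>/dev/null) || exp=0
        [ "$exp" -gt "$now" ] || echo "$h"
    done
}

# Run both checks, describe each finding on stderr and print the number of problems.
audit_trust_store() {
    dir=$1; n=0
    for h in $(cas_without_crl "$dir"); do
        echo "$dir/$h.0 has no CRL ($h.r0 is missing): run fetch-crl" >&2
        n=$((n + 1))
    done
    for h in $(expired_crls "$dir"); do
        echo "$dir/$h.r0 is expired or unreadable: check the fetch-crl cron job" >&2
        n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone use: sh audit-trust-store.sh /etc/grid-security/certificates
# Exits non-zero when problems were found.
if [ $# -gt 0 ]; then
    problems=$(audit_trust_store "$1")
    [ "$problems" -eq 0 ]
fi
```

Run it from the same cron cadence as fetch-crl (or from your monitoring) and alert on a non-zero exit; a CRL that expires unnoticed looks exactly like a broken service to users.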
QCG-Broker client
Software repositories
The packages are designed for Scientific Linux 5.x. The installation process requires root privileges.
- Install the PL-Grid and/or QCG repositories:
- Official PL-Grid repository
rpm -Uvh http://software.plgrid.pl/packages/repos/plgrid-repos-2010-2.noarch.rpm
- QosCosGrid testing repository
cat > /etc/yum.repos.d/qcg.repo << EOF
[qcg]
name=QosCosGrid YUM repository
baseurl=http://fury.man.poznan.pl/qcg-packages/sl/x86_64/
enabled=1
gpgcheck=0
EOF
- QosCosGrid developing repository (not recommended - only for testing purposes)
cat > /etc/yum.repos.d/qcg.repo << EOF
[qcg-develop]
name=QosCosGrid Developer YUM repository
baseurl=http://grass1.man.poznan.pl/qcg-rpms/sl5/x86_64/
enabled=1
gpgcheck=0
EOF
Both definitions write the same /etc/yum.repos.d/qcg.repo, so the second replaces the first; pick one. Both also use gpgcheck=0 with a plain-HTTP baseurl, so YUM installs whatever it receives from them without any signature verification.
Installation
- install QCG-Broker client using YUM Package Manager:
yum install qcg-broker-client
The client is installed into three directories:
- /usr/share/qcg/qcg-broker-client - scripts and jars needed to run the client
- /etc/qcg/qcg-broker-client - configuration file for the client
- /usr/bin - links to qcg-* commands
Configuration
- To configure the client please edit the /etc/qcg/qcg-broker-client/qcg-broker-client.conf file.
vi /etc/qcg/qcg-broker-client/qcg-broker-client.conf
The following properties have to be set:
- QCG_URL_DEFAULT - the URL of QCG-Broker service
- QCG_DN_DEFAULT - the Distinguished Name of the QCG-Broker service
- QCG_CLIENT_LOCATION_DEFAULT - the location of the client. This value is set during the installation procedure and
Optionally it is possible to configure the host and port of the GridFTP service which the client uses for staging input/output files:
- GFTP_HOSTNAME - hostname of the host where the gridFTP server is installed. If the property is not set, the default value is the hostname of the host where the client is installed,
- GFTP_PORT - port on which the gridFTP server is listening. If the property is not set, the default value is "2811".
Additionally it is possible to configure the settings that define the policy for creating and refreshing the user's proxy:
- QCG_PROXY_DURATION_DEFAULT - default lifetime in hours of the created proxy
- QCG_PROXY_DURATION_MIN - minimal acceptable remaining lifetime of the proxy, in hours. If the remaining lifetime of the proxy is smaller than this value, the proxy is automatically recreated.
A proxy is a bearer credential kept in a file, so whoever obtains that file can act as the user until it expires; the 600 hours used in the example below is 25 days, and a lifetime no longer than the jobs actually need limits that exposure.
The example of the configuration file can be seen below:
export QCG_CLIENT_LOCATION=/usr/share/qcg/qcg-broker-client
export QCG_URL_DEFAULT="https://qcg-broker.man.poznan.pl:8443/qcg/services/"
export QCG_DN_DEFAULT="/C=PL/O=GRID/O=PSNC/CN=qcg-broker/qcg-broker.man.poznan.pl"
export GFTP_HOSTNAME=qcg.man.poznan.pl
export GFTP_PORT=2811
export QCG_PROXY_DURATION_DEFAULT=600
export QCG_PROXY_DURATION_MIN=480
IMPORTANT: To configure the client to contact the official, production instance of QCG-Broker service deployed on PLGrid infrastructure please use the following values:
export QCG_URL_DEFAULT="https://qcg-broker.man.poznan.pl:8443/qcg/services/"
export QCG_DN_DEFAULT="/C=PL/O=GRID/O=PSNC/CN=qcg-broker/qcg-broker.man.poznan.pl"
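The configuration file consists of shell export lines, so it is presumably sourced by the qcg-* commands; that makes its write permissions as important as its contents. The following added script (not part of the QCG client) reads the values textually without sourcing the file and flags the settings that weaken the setup: a non-https broker URL (the service cannot be authenticated), a missing DN, a bad gridFTP port, a minimum proxy lifetime at or above the default (by the description above every fresh proxy would immediately be due for renewal), and a group- or world-writable file. The variable names are the ones documented on this page; the rest is an assumption of the example.

```shell
#!/bin/sh
# Checks for /etc/qcg/qcg-broker-client/qcg-broker-client.conf. Added example, not part of
# the QCG client. The variable names are the ones documented on this page; the file is
# assumed to consist of "export NAME=value" lines (as in the example above) and therefore
# to be sourced by the qcg-* commands, which is why write permissions on it matter.
# Values are read textually rather than by sourcing, so a planted command is not executed.

# conf_get FILE NAME: value of the last "export NAME=..." line, surrounding quotes removed.
conf_get() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Nine-character permission string of FILE, e.g. rw-r--r-- (taken from ls, which is portable).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# check_qcg_client_conf FILE: report each weak setting on stderr, print the number found.
check_qcg_client_conf() {
    f=$1; n=0
    problem() { echo "$f: $1" >&2; n=$((n + 1)); }

    url=$(conf_get "$f" QCG_URL_DEFAULT)
    case $url in
        https://*) ;;
        '')        problem "QCG_URL_DEFAULT is not set" ;;
        *)         problem "QCG_URL_DEFAULT is not https://, so the broker cannot be authenticated" ;;
    esac

    dn=$(conf_get "$f" QCG_DN_DEFAULT)
    case $dn in
        /*) ;;
        *)  problem "QCG_DN_DEFAULT is missing or not an OpenSSL-style DN starting with '/'" ;;
    esac

    port=$(conf_get "$f" GFTP_PORT)
    if [ -n "$port" ]; then
        case $port in
            *[!0-9]*) problem "GFTP_PORT is not a number" ;;
            *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || problem "GFTP_PORT is out of range" ;;
        esac
    fi

    def=$(conf_get "$f" QCG_PROXY_DURATION_DEFAULT)
    min=$(conf_get "$f" QCG_PROXY_DURATION_MIN)
    if [ -n "$def" ] && [ -n "$min" ]; then
        case "$def$min" in
            *[!0-9]*) problem "proxy durations must be whole hours" ;;
            *) [ "$min" -lt "$def" ] || problem "QCG_PROXY_DURATION_MIN ($min) is not below QCG_PROXY_DURATION_DEFAULT ($def): every fresh proxy would already be due for renewal" ;;
        esac
    fi

    case $(perm_string "$f") in
        ????w*|???????w?) problem "group- or world-writable: whoever can edit it runs shell code as every qcg user" ;;
    esac

    echo "$n"
}

# Stand-alone use: sh check-qcg-conf.sh /etc/qcg/qcg-broker-client/qcg-broker-client.conf
if [ $# -gt 0 ]; then
    problems=$(check_qcg_client_conf "$1")
    [ "$problems" -eq 0 ]
fi
```

Run it after every edit of the file, and again as part of the package upgrade checklist; the permission check is the one most often undone by a careless copy.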
Site configuration
Configure the site to display "the message of the day" for the QCG client by editing the motd file at /usr/share/qcg/qcg-broker-client/doc/motd.
Optional steps
The optional steps cover the installation and configuration of a gridFTP server, as well as the installation and configuration of the GridMapFileGenerator tool, which is responsible for the periodic creation of the grid-mapfile used by the server for authorisation and for mapping users to local accounts.
These steps apply when there is no other gridFTP server providing access to the user's data on the client machine and a dedicated instance of the server has to be installed.
IMPORTANT: In most cases it should be possible to configure the QCG client to use the gridFTP server installed on the QCG-Computing site. Such a configuration is recommended, as it reduces the number of software components that have to be maintained.
GridFTP server
For the user's convenience the QCG client is able to stage in input data accessible from the host where it is installed and to stage output data out to the same place. This requires the data to be accessible via a gridFTP server, which can be installed on the client machine or be any gridFTP server that has access to the data on the client machine. The simplest and most popular solution is to mount the same shared network file system on both machines, at exactly the same mount point, so that the paths to the data are identical on both.
- install grid-ftp server using YUM Package Manager:
yum install qcg-dep-gridftp-server
The grid-ftp server requires the host X.509 certificate and private key to be present in the following locations:
- /etc/grid-security/hostcert.pem
- /etc/grid-security/hostkey.pem
Both files must be owned by root, and the key must not be readable by any other user (mode 0400 or 0600); GSI refuses to load a key file with wider permissions.
The gridFTP server has to know the range of ports it may open for data connections. Edit the /etc/xinetd.d/gsiftp file and set the GLOBUS_TCP_PORT_RANGE environment variable; the same range, plus the control port, has to be open in the firewall.
service gsiftp
{
    instances       = 200
    per_source      = 100
    socket_type     = stream
    wait            = no
    user            = root
    env             = LD_LIBRARY_PATH=/opt/plgrid/qcg/dependencies/globus/lib
    env            += GLOBUS_LOCATION=/opt/plgrid/qcg/dependencies/globus
    server          = /opt/plgrid/qcg/dependencies/globus/sbin/globus-gridftp-server
    server_args     = -i
    log_on_success += DURATION
    log_on_failure +=
    nice            = 10
    disable         = no
    env            += GLOBUS_TCP_PORT_RANGE=9000,9500
    env            += GRIDMAP=/etc/grid-security/grid-mapfile
}
IMPORTANT: Do not forget to start or reload xinetd service.
service xinetd reload
service xinetd start
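Two things go wrong most often with this stanza: the port range is set in xinetd but not opened in the firewall (transfers then hang at the data-channel stage), and the host key is left readable by other users (the server then refuses to start under GSI). The following added script (not part of the QCG packages) reads GLOBUS_TCP_PORT_RANGE from the stanza, prints the firewall rules it implies without applying them, and checks the key's mode. It assumes the "env += GLOBUS_TCP_PORT_RANGE=low,high" form shown above, the 2811 default control port named in the client configuration, and the key location given above.

```shell
#!/bin/sh
# Companion checks for the gsiftp xinetd stanza. Added example, not part of the QCG
# packages. Assumes the stanza carries "env += GLOBUS_TCP_PORT_RANGE=low,high", that the
# control port is the 2811 default from the client configuration, and the key location
# given on this page. Nothing here changes firewall state; the rules are printed for review.

GSIFTP_XINETD=${GSIFTP_XINETD:-/etc/xinetd.d/gsiftp}
GSIFTP_PORT=${GSIFTP_PORT:-2811}
HOSTKEY=${HOSTKEY:-/etc/grid-security/hostkey.pem}

# Print "low high" from the last GLOBUS_TCP_PORT_RANGE line of the stanza, or nothing.
gsiftp_port_range() {
    sed -n 's/^[[:space:]]*env[[:space:]]*+=[[:space:]]*GLOBUS_TCP_PORT_RANGE=\([0-9]\{1,\}\),\([0-9]\{1,\}\).*/\1 \2/p' "$1" | tail -n 1
}

# Print the firewall openings the stanza implies: the control port and the data-channel range.
gsiftp_firewall_rules() {
    range=$(gsiftp_port_range "$1")
    if [ -z "$range" ]; then
        echo "GLOBUS_TCP_PORT_RANGE is not set: data channels would use arbitrary ports" >&2
        return 1
    fi
    low=${range%' '*}; high=${range#*' '}
    echo "iptables -A INPUT -p tcp --dport $GSIFTP_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $low:$high -j ACCEPT"
}

# GSI refuses a private key that other users can read; accept only owner-only modes (0400/0600).
hostkey_perms_ok() {
    case $(ls -ld "$1" | cut -c2-10) in
        r??------) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: sh gsiftp-check.sh check
if [ "${1:-}" = check ]; then
    gsiftp_firewall_rules "$GSIFTP_XINETD"
    hostkey_perms_ok "$HOSTKEY" || echo "$HOSTKEY is readable by other users; chmod 0400 it" >&2
fi
```

Review the printed rules against the site firewall rather than piping them into iptables blindly; a host that already uses a different ruleset layout will want the same ports opened in its own idiom.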
Grid Mapfile
To access data, every authenticated user must also be authorized by the gridFTP server against the grid-mapfile. This file can be created manually by an administrator (if the service is run in "test mode") or generated automatically from the LDAP directory service.
Manually created grid mapfile (for testing purpose only)
# for test purposes only: add a mapping for your own account
echo '"MyCertDN" myaccount' >> /etc/grid-security/grid-mapfile
LDAP generated grid mapfile
- Create the qcg-dev group - this group is allowed to read the configuration and log files.
groupadd -r qcg-dev
- Install qcg grid-mapfile generator
yum install qcg-gridmapfilegenerator
- Configure gridmapfilegenerator - remember to change
- url property to your local ldap replica
- search base
- filter expression
- security context
vim /opt/plgrid/qcg/etc/qcg-comp/plggridmapfilegenerator.conf
- Run the gridmapfile generator in order to generate gridmapfile now
/opt/plgrid/qcg/sbin/qcg-gridmapfilegenerator.sh
After installing and running this tool one can find three files:
- /etc/grid-security/grid-mapfile.local - here you can put a list of DN / local Unix account pairs that will be merged with the data acquired from the local LDAP server
- /etc/grid-security/grid-mapfile.deny - here you can put a list of DNs (only DNs!) that must be denied access to the QCG-Computing service
- /etc/grid-security/grid-mapfile - the final grid-mapfile generated from the above two files and the information available in the local LDAP server. Do not edit this file, as it is regenerated automatically!
The grid-mapfile generator script is run every 10 minutes. Moreover, it issues su - $USERNAME -c 'true' > /dev/null for every new user that does not yet have a home directory (thus triggering pam_mkhomedir if it is installed).
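The three files above define a small policy: local additions plus LDAP-derived mappings, minus an explicit deny list. The following added script illustrates that merge on constructed input; it is not the qcg-gridmapfilegenerator code, which remains the authority on the real file. It assumes the LDAP-derived entries are already available in the same "DN" account form as grid-mapfile.local, and that grid-mapfile.deny holds one DN per line, bare or quoted. It also validates every entry, because a malformed or cleverly crafted line ("DN" root;id, say) is the last thing you want a gridFTP server to interpret when deciding which local account a certificate gets.

```shell
#!/bin/sh
# Merge semantics of the grid-mapfile inputs described above. Added example; this is not
# the qcg-gridmapfilegenerator code. Entries from grid-mapfile.local and from a file of
# LDAP-derived entries (assumed to already be in "DN" account form) are merged, and every
# DN in grid-mapfile.deny is dropped. Lines that are not exactly "/DN" account are skipped.

# valid_map_lines FILE: print the well-formed entries, report the rest on stderr.
valid_map_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                    # blank line or comment
            '"/'*'" '*) ;;                          # "<DN starting with />" <space> ...
            *) echo "skipping malformed entry: $line" >&2; continue ;;
        esac
        dn=${line#\"}; dn=${dn%%\"*}                # text inside the first pair of quotes
        acct=${line#*\"}; acct=${acct#*\"}          # everything after the closing quote
        acct=${acct#' '}
        case $acct in
            ''|*[!a-z0-9_-]*|[!a-z_]*)              # only a plain lower-case account name
                echo "skipping entry with a bad account name: $line" >&2; continue ;;
        esac
        printf '"%s" %s\n' "$dn" "$acct"
    done < "$1"
}

# merge_gridmap LOCAL LDAP DENY > grid-mapfile
# DENY holds one DN per line, bare or quoted; matching is exact, never a prefix match.
merge_gridmap() {
    { valid_map_lines "$1"; valid_map_lines "$2"; } | while IFS= read -r entry; do
        dn=${entry#\"}; dn=${dn%%\"*}
        if grep -qxF -e "$dn" -e "\"$dn\"" "$3"; then
            echo "denied by grid-mapfile.deny: $dn" >&2
            continue
        fi
        printf '%s\n' "$entry"
    done | sort -u
}

# Stand-alone use: sh merge-gridmap.sh grid-mapfile.local ldap-entries grid-mapfile.deny
if [ $# -eq 3 ]; then
    merge_gridmap "$1" "$2" "$3"
fi
```

The deny check is deliberately an exact match on the whole DN: a prefix or substring match would let a DN such as "/C=PL/O=GRID/CN=Ex Employee 2" slip past, or block an innocent user whose DN happens to contain a denied one.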