Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Version 2 and Version 3 of installingGridFTP

Timestamp:: 09/23/13 14:45:36 (11 years ago)
Author:: mmamonski
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

installingGridFTP

v2	v3
1		[[PageOutline]]
2
3		= GridFTP Installation =
4
5		This page provides step-by-step guide for site admins. It describes basic steps to install and configure GridFTP service.
6		For any issue concerning the guide please contact [mailto:bogdanl@man.poznan.pl Bogdan Ludwiczak].
7
8		= Globus Toolkit/GridFTP - installation =
9
10		This sections provides overview of Globus Toolkit ver. 4.x installation procedure.
11
12		Globus Toolkit is provided both in binary and source versions. It is also available as Java WS-core only or full version. For the purpose of the !QosCosGrid Infrastructure the full source installation is required, as it provides the required GridFTP features and in most cases is more reliable (though more troublesome in rare cases) and robust then binary version.
13
14		Below are the steps required to compile and install Globus Toolkit with only GridFTP daemon and utilities.
15
16		'''Note:''' this is only an outline of the installation process which should be sufficient to install GridFTP service in most cases, full and detailed information regarding toolkit installation can be found in official Globus [http://www.globus.org/toolkit/docs/4.0/ documentation].
17
18		* Check if target system has all required software components:
19		* gcc (latest 3.4 or 4.1)
20		* GNU tar, sed, make
21		* Perl >5.6
22		* Create a dedicated, non-privileged user named `globus`. This user owns the installation/deployment files compile and install Globus Toolkit performs administrative tasks such as deploying/configuring services, etc.
23		* Create deployment directory
24		* make sure that user the `globus` has read and write permissions in the installation directory
25
26		'''Note:''' Following steps should be carried out by the `globus` user.
27
28		* Download and untar Globus Toolkit ver.4.2.x all-source-installer (available at the [[http://www.globus.org/toolkit/downloads/4.2.1/#source Globus Toolkit]] web site)
29		* change current working directory to the source directory (i.e. `~/gt4.2.x-all-source-installer`)
30		* set environmental variable `GLOBUS_LOCATION` to point to installation directory (e.g. `/opt/globus/gt421`)
31		* finally use `./configure` to set up compilation and installation option. Use at least `--prefix` option to set the deployment directory.
32		{{{
33		#!div style="font-size: 90%"
34		{{{#!sh
35		./configure --prefix=${GLOBUS_LOCATION}
36		}}}
37		}}}
38		'''Note:''' If you encounter an error '''configure: error: Unable to compile with SSL''', replace the above line with:
39		{{{
40		#!div style="font-size: 90%"
41		{{{#!sh
42		./configure --disable-system-openssl --prefix=${GLOBUS_LOCATION}
43		}}}
44		}}}
45		* Compile and install Globus Toolkit by running:
46		{{{
47		#!div style="font-size: 90%"
48		{{{#!sh
49		make gridftp
50		make install
51		}}}
52		}}}
53		If you wish to have a log file of the build, use "tee" command:
54		{{{
55		#!div style="font-size: 90%"
56		{{{#!sh
57		make gridftp 2>&1 \| tee build.log
58		make install
59		}}}
60		}}}
61		* GT4 unlike other software packages is made directly to target location (`$GLOBUS_LOCATION`)
62		* If you omit `gridftp` for `make` the entire Globus Toolkit will be build what can take several hours to complete.
63		* during `make install` phase Globus configuration will be initialized
64		* You can also choose to build GridFTP server or client tools be specifying `globus_gridftp_server` or `globus-data-management-client` respectively.
65
66		The belowe steps completes Globus Toolkit/GridFTP installation. The following figure summarizes shell commands used during typical installation process:
67		{{{
68		#!div style="font-size: 90%"
69		{{{#!sh
70		bogdanl@cress ~ $ su -
71		cress ~ # useradd -m globus
72		cress ~ # mkdir /opt/globus
73		cress ~ # chown globus:users /opt/globus
74		cress ~ # su - globus
75		globus@cress ~ $ wget http://www-unix.globus.org/ftppub/gt4/4.2.1/installers/src/gt4.2.1-all-source-installer.tar.bz2
76		globus@cress ~ $ tar xjf gt4.2.1-all-source-installer.tar.bz2
77		globus@cress ~ $ export GLOBUS_LOCATION=/opt/globus/gt421
78		globus@cress ~ $ cd gt4.2.1-all-source-installer
79		globus@cress ~/gt4.2.1-all-source-installer $ ./configure --prefix=${GLOBUS_LOCATION} \
80		globus@cress ~/gt4.2.1-all-source-installer $ make gridftp
81		cd gpt && OBJECT_MODE=32 ./build_gpt
82		...
83		Your build completed successfully. Please run make install.
84		globus@cress ~/gt4.2.1-all-source-installer $ make install
85		}}}
86		}}}
87
88		= Globus Toolkit/GridFTP - basic configuration =
89
90		== Security ==
91		After Globus Toolkit installation, but before starting Globus services several aspects of GSI security need to be configured:
92		* configure Globus (and thus GridFTP daemon) to trust a particular set of CAs (Certificate Authorities), i.e. place certificates of trusted CAs into designated directory - CA is trusted only if its CA certificate exists with the appropriate name in an appropriate directory. Moreover, for pre-ws services (including GridFTP), signing policy file must exist in the same location as CA certificate. In other words, one needs two files to trust given CA:
93		* `cert_hash.0` - the trusted CA certificate and
94		* `cert_hash.signing_policy` - the signing policy.
95		Globus services and tools looks for that directory in following locations:
96		* the value of `$X509_CERT_DIR` environment variable if it is set and the directory exists,
97		* otherwise, in `$HOME/.globus/certificates` if it exists,
98		* otherwise, in `/etc/grid-security/certificates` if it exists,
99		* otherwise, in `$GLOBUS_LOCATION/share/certificates` if it exists.
100
101		'''Note:''' We suggest to use `/etc/grid-security/certificates` as system wide trusted CAs directory, remember that `$X509_CERT_DIR` and `$HOME/.globus/certificates` have higher priority.
102
103		The `cert_hash.0`, i.e. certificate of the CA, is provided by CA, usually with appropriate hash name. Hash name consists of 8 hex-digits and suffix ".0" (e.g. `8a661490.0`). Valid hash can be obtained with following command (available in `$GLOBUS_LOCATION/bin/`):
104		{{{
105		#!div style="font-size: 90%"
106		{{{#!sh
107		openssl x509 -hash -noout -in ca_certificate
108		}}}
109		}}}
110		* cert_hash.signing_policy usually is also provided by CA, but it can be constructed manually. The signing policy file has the following format:
111		{{{
112		#!div style="font-size: 90%"
113		{{{#!default
114		access_id_CA X509 'CA Distinguished Name'
115		pos_rights globus CA:sign
116		cond_subjects globus '"Name Pattern1" "Name Pattern2" ...'
117		}}}
118		}}}
119		to get 'CA Distinguished Name' execute:
120		{{{
121		#!div style="font-size: 90%"
122		{{{#!sh
123		openssl x509 -subject -noout -in cert_hash.0
124		}}}
125		}}}
126		* "Name patternX" is a string used to match the distinguished names of certificates granted by the given CA. Usually, it is a CA name with common name replaced by wild card '*', e.g.:
127		{{{
128		#!div style="font-size: 90%"
129		{{{#!default
130		"/C=PL/O=GRID/CN=Polish Grid CA" -> '"/C=PL/O=GRID/*"'
131		}}}
132		}}}
133		it accepts "C=PL/O=GRID/OU=PSNC/CN=Bogdan Ludwiczak", but it rejects "O=GRID/OU=PSNC/CN=Bogdan Ludwiczak". "*" pattern accepts all certificates.
134
135		* Configure appropriate default values for use by the grid-cert-request command which is used to generate certificates requests. The following files have to be properly configured to enable Globus tools to generate valid certificate requests:
136		* `/etc/grid-security/globus-user-ssl.conf` - defines the distinguished name to use for a user's certificate request.
137		* `/etc/grid-security/globus-host-ssl.conf` - defines the distinguished name for a host and service certificate request.
138		* `/etc/grid-security/grid-security.conf` - is a main configuration file that contains the name and email address for the given CA.
139
140		These files are usually provided by the CA, i.e. [[http://www.man.poznan.pl/plgrid-ca/\|PL-Grid]]. Typically, CA configuration files are placed in `/etc/grid-security/certificates/` directory with additional extension `.CA_hash_name` and only appropriate symbolic links are created in `/etc/grid-security/`. Globus Toolkit provides `grid-default-ca` command which can be used to automatically create appropriate links.
141
142		== Requesting host and user X.509 certificates ==
143		All Globus service (including GridFTP) require a host (or service) certificate to operate. Also every user needs a user certificate do use Globus services. You can use Globus command `grid-cert-request` to generate `host/users` certificate request which should be send to your CA to be signed. Make sure that CA configuration files and certificate are in place before generating requests. This command will create 3 files:
144		* an empty (file length is 0) `/etc/grid-security/hostcert.pem` or `~/.globus/usercert.pem`,
145		* `/etc/grid-security/hostkey.pem` or `~/.globus/userkey.pem` file containing `host/use`r private key which must be kept secret - make sure that the unix access mode is set to 0400 or 0600 at most,
146		* `/etc/grid-security/hostcert_request.pem` or `~/.globus/usercert_request.pem` file containing acctual request to be send to and signed by CA.
147
148		'''Note:''' Before you can use grid-cert-request command you have to source Globus configuration script appropriate for your shell, i.e. `$GLOBUS_LOCATION/etc/globus-user-env.csh` or `$GLOBUS_LOCATION/etc/globus-user-env.sh`
149
150		Send newly generated certificate request (i.e. `/etc/grid-security/hostcert_request.pem` or `~/.globus/usercert_request.pem` file) to the appropriate CA and wait for the certificate which should be send in return by your CA. Save the new certificate in `hostcert.pem` or `usercert.pem`. Now, request file can be deleted. Host certificate and private key should be owned by root user.
151		Specify identity mapping information. Globus services map distinguished names (retrieved from certificates) to local identities (unix account) by means of `grid-mapfile`. Mappings have the following form:
152		`"Distinguished Name" local_name`
153		(every line of the file defines one mapping). To let user in, create an account and add mapping to the site's grid-mapfile. Globus looks for the file in the following locations:
154		* the value of `GRIDMAP` environment variable if it is set,
155		* otherwise, if service is run as root then grid map file is `/etc/grid-security/grid-mapfile`,
156		* otherwise, the grid map file is `$HOME/.gridmap`
157		* otherwise, in `/etc/grid-security/grid-mapfile`.
158
159		'''Note:''' In the !QosCosGrid there is a possibility to generate a new user X.509 certificate in more [[http://node2.qoscosgrid.man.poznan.pl:80/gridsphere/gridsphere/guest/security/r/\|user-friendly way]]
160
161		== Firewall configuration ==
162
163		Detailed information on GT firewall issues can be found at [[http://www.globus.org/toolkit/security/firewalls/]]. This paragraph only lists the minimum required firewall configuration and gives a short overview of the basic issues. To enable remote access to Globus Toolkit services the following TCP port should be opened for the incoming connections:
164		* static port: 2811 for main GridFTP daemon port
165		* ephemeral TCP ports: various Globus services require an arbitrary chosen TCP port range. It is controllable by environmental variable `GLOBUS_TCP_PORT_RANGE` for pre-ws components. Make sure it is defined in daemons environment (i.e. put it in (x)inetd configuration entries).
166
167		Figure below gives an overview of typical Globus/GridFTP communication flow It shows the meaning of the aforementioned Globus TCP port range.
168
169		[[Image(Firewall_gridftp.jpg, center)]]
170
171		== GridFTP Daemon ==
172		After successful installation of !GlobusToolkit, the GridFTP daemon binary is located in: `$GLOBUS_LOCATION/sbin/globus-gridftp-server` file. The daemon could be run in standalone mode, but we suggest using (x)inetd mode. To configure it this way, first add the following entry to `/etc/services` file:
173		{{{
174		#!div style="font-size: 90%"
175		{{{#!default
176		gsiftp 2811/tcp # GridFTP (Port 2811 is the IANA registered GridFTP port)
177		}}}
178		}}}
179		Next add appropriate entry to (x)inetd configuration file(s). Remember to set `LD_LIBRARY_PATH`, `GLOBUS_LOCATION` and `GLOBUS_TCP_PORT_RANGE` in the (x)inetd entry environment, like in the xinetd example below:
180
181		{{{
182		#!div style="font-size: 90%"
183		{{{#!default
184		service gsiftp
185		{
186		instances = 100
187		cps = 50 10
188		per_source = 50
189		socket_type = stream
190		wait = no
191		user = root
192		env = LD_LIBRARY_PATH=/opt/globus/lib
193		env += GLOBUS_LOCATION=/opt/globus
194		env += GLOBUS_TCP_PORT_RANGE=9000,9999
195		server = /opt/globus/sbin/globus-gridftp-server
196		server_args = -i -c /opt/globus/etc/gridftp.conf
197		log_on_success += DURATION
198		log_on_failure +=
199		nice = 10
200		disable = no
201		}
202		}}}
203		}}}
204
205		Note that the above example specifies grid-ftp configuration file (`-c .../gridftp.conf` in `server_args` line). It is not required - GridFTP daemon should work without this file. A useful example of configuration file is:
206
207		{{{
208		#!div style="font-size: 90%"
209		{{{#!sh
210		log_level ALL (or 'EERROR', 'WARN', 'INFO', 'DUMP')
211		log_module stdio
212		log_single /var/log/gridftp
213		}}}
214		}}}
215
216		it enables logging which can be helpful in resolving potential problems. Finally, restart (x)inetd to activate the GridFTP daemon:
217		{{{
218		#!div style="font-size: 90%"
219		{{{#!sh
220		/etc/init.d/xinetd restart
221		}}}
222		}}}
223
224		== Users configuration ==
225		All Globus Toolkit commands require appropriately configured environment. Globus Toolkit provides scripts for that purpose. To configure users environment for GT command do the following:
226		for bash shell:
227		{{{
228		#!div style="font-size: 90%"
229		{{{#!sh
230		export GLOBUS_LOCATION=/opt/globus/gt421
231		. $GLOBUS_LOCATION/etc/globus-user-env.sh
232		}}}
233		}}}
234
235		or for csh shell:
236		{{{
237		#!div style="font-size: 90%"
238		{{{#!sh
239		setenv GLOBUS_LOCATION /opt/globus/gt421
240		source $GLOBUS_LOCATION/etc/globus-user-env.csh
241		}}}
242		}}}
243
244		Next you must obtain user certificates (as described in [[#RequestinghostanduserX.509certificates\|Requesting host and user X.509 certificates]]) and then create user proxy by running command `grid-proxy-init`:
245		{{{
246		#!div style="font-size: 90%"
247		{{{#!sh
248		grid-proxy-init
249		Your identity: /C=PL/O=GRID/O=PSNC/CN=Bogdan Ludwiczak
250		Enter GRID pass phrase for this identity:
251		Creating proxy ....................................................... Done
252		Your proxy is valid until: Tue Apr 29 21:02:33 2008
253		}}}
254		}}}
255
256		Next, become root and create a mapping in `/etc/grid-security/grid-mapfile`. You can use your favorite text editor for that purpose and append a line similar to this one:
257		{{{
258		#!div style="font-size: 90%"
259		{{{#!sh
260		"/C=PL/O=GRID/O=PSNC/CN=Bogdan Ludwiczak" bogdanl
261		}}}
262		}}}
263		or use GT `grid-mapfile-add-entry` command:
264		{{{
265		#!div style="font-size: 90%"
266		{{{#!sh
267		grid-mapfile-add-entry -dn "/C=PL/O=GRID/O=PSNC/CN=Bogdan Ludwiczak" -ln bogdanl
268		}}}
269		}}}
270
271		'''Note:''' "bogdanl" in examples above is a name of a local unix account.
272
273		Now you can transfer some files with globus-url-copy tool:
274
275		{{{
276		#!div style="font-size: 90%"
277		{{{#!sh
278		globus-url-copy gsiftp://node1.qoscosgrid.man.poznan.pl/~/file file:///tmp/file.test
279		globus-url-copy gsiftp://node1.qoscosgrid.man.poznan.pl/~/file gsiftp://node1.qoscosgrid.man.poznan.pl/~/file2
280		globus-url-copy gsiftp://node1.qoscosgrid.man.poznan.pl/~/file gsiftp://node2.qoscosgrid.man.poznan.pl/~/file2
281		}}}
282		}}}
283
284		= Quick Start =
285		* create `globus` user and installation directory, make `globus` user an owner of this directory:
286		{{{
287		#!div style="font-size: 90%"
288		{{{#!sh
289		bogdanl@cress ~ $ su -
290		cress ~ # useradd -m globus
291		cress ~ # mkdir /opt/globus
292		cress ~ # chown globus:users /opt/globus
293		}}}
294		}}}
295
296		* login as a `globus` user:
297		{{{
298		#!div style="font-size: 90%"
299		{{{#!sh
300		cress ~ # su - globus
301		}}}
302		}}}
303
304		* download Globus Toolkit source installer and untar it:
305		{{{
306		#!div style="font-size: 90%"
307		{{{#!sh
308		globus@cress ~ $ wget http://www-unix.globus.org/ftppub/gt4/4.2.1/installers/src/gt4.2.1-all-source-installer.tar.bz2
309		globus@cress ~ $ tar xjf gt4.2.1-all-source-installer.tar.bz2
310		}}}
311		}}}
312		* Configure and make sources:
313		{{{
314		#!div style="font-size: 90%"
315		{{{#!sh
316		globus@cress ~ $ cd gt4.2.1-all-source-installer
317		globus@cress ~ $ export GLOBUS_LOCATION=/opt/globus/gt421
318		globus@cress ~/gt4.2.1-all-source-installer $ ./configure --prefix=${GLOBUS_LOCATION} \
319		globus@cress ~/gt4.2.1-all-source-installer $ make gridftp
320		cd gpt && OBJECT_MODE=32 ./build_gpt
321		...
322		Your build completed successfully. Please run make install.
323		globus@cress ~/gt4.2.1-all-source-installer $ make install
324		}}}
325		}}}
326		* Request host certificates.
327		* Start gridftp-server either standalone or by (x)inetd daemon
328		* If you are going to use xinetd daemon add gridftp to `/etc/services`:
329		{{{
330		#!div style="font-size: 90%"
331		{{{#!sh
332		bogdanl@cress ~ $ su -
333		cress ~ # echo "gsiftp 2811/tcp # GridFTP" >> /etc/services
334		}}}
335		}}}
336		* and create new xinetd configuration file for gridftp service
337		{{{
338		#!div style="font-size: 90%"
339		{{{#!sh
340		cress ~ # cat /etc/xinetd.d/gridftp
341		service gsiftp
342		{
343		instances = 100
344		cps = 50 10
345		per_source = 50
346		socket_type = stream
347		wait = no
348		user = root
349		env = LD_LIBRARY_PATH=/opt/globus/lib
350		env += GLOBUS_LOCATION=/opt/globus
351		env += GLOBUS_TCP_PORT_RANGE=9000,9999
352		server = /opt/globus/sbin/globus-gridftp-server
353		server_args = -i -c /opt/globus/etc/gridftp.conf
354		log_on_success += DURATION
355		log_on_failure +=
356		nice = 10
357		disable = no
358		}
359		}}}
360		}}}
361		* restart xinetd:
362		{{{
363		#!div style="font-size: 90%"
364		{{{#!sh
365		cress ~ # /etc/init.d/xinetd restart
366		}}}
367		}}}
368		* test it:
369		{{{
370		#!div style="font-size: 90%"
371		{{{#!sh
372		bogdanl@cress ~ $ telnet cress 2811
373		Trying 150.254.149.134...
374		Connected to cress.man.poznan.pl.
375		Escape character is '^]'.
376		220 cress.man.poznan.pl GridFTP Server 2.3 (gcc32dbg, 1144436882-63) ready.
377		bogdanl@cress ~ $ export GLOBUS_LOCATION=/opt/globus/gt421
378		bogdanl@cress ~ $ . $GLOBUS_LOCATION/etc/globus-user-env.sh
379		bogdanl@cress ~ $ grid-proxy-init
380		bogdanl@cress ~ $ globus-url-copy gsiftp://cress/~/file \
381		file:///tmp/file.test
382		bogdanl@cress ~ $ globus-url-copy gsiftp://cress/~/file \
383		gsiftp://cress/~/file2
384		}}}
385		}}}
386
387		= Tuning =
388		Please read this page [[GridFTPTuning\|GridFTP tuning]].
	1	Installation using packages: [http://apps.man.poznan.pl/trac/qcg/wiki/gridftp%20server \|link]