Ngsui02
ngsui02 as a xen guest
The instructions to install the UI with GSI-SSHD can be condensed into one complex command, provided xen is used together with the xen-strap tool (see http://www.gridpp.ac.uk/wiki/Xen-strap):
./xen-strap -a -u -y -b --name=ngsui02 --ip=130.246.143.132 --ntp -i mc -i openssh-clients \
--ssh-pub-keys=<URL_to_root_authorized_key> \
--post-install-in="http://www.gridpp.rl.ac.uk/pps/files/glite-ui-gsisshd \
http://www.gridpp.rl.ac.uk/pps/files/siteinfo-ngs-ui-gsisshd.def \
http://www.gridpp.rl.ac.uk/pps/host-certs/ngsui02.ngs.rl.ac.uk.p12" \
sl4 lvm:vg1/ngsui02:4G
Once that command is executed on the xen host (dom0), it takes about 5 minutes (including system creation) until the system asks you for the password of the encrypted host certificate, and about another 20 minutes until the target guest domain boots to a prompt and the system is fully functional. The root password is copied from the host system.
Note that you are not constrained to xen technology at all. See below.
The actual middleware installation and configuration is defined by the script specified in xen-strap option "--post-install-in":
http://www.gridpp.rl.ac.uk/pps/files/glite-ui-gsisshd
If you are interested only in a minimal gsisshd server, you may use this script instead:
http://www.gridpp.rl.ac.uk/pps/files/gsisshd
The script is downloaded after the xen target guest domain is created and it is executed or sourced with the parameters specified in the same string
http://www.gridpp.rl.ac.uk/pps/files/siteinfo-ngs-ui-gsisshd.def http://wwwinstall.gridpp.rl.ac.uk//ks/host-certs/pps-x7.p12.
Note that using a URL is not mandatory, either for the controlling script (the glite-ui-gsisshd script, in the case of xen-strap) or for the two parameters that follow it. You may just as well use full absolute paths to local files if that suits you better or if you want to customize the scripts.
You may also want to do the installation manually, as described below, and execute the script on whatever machine you want (for example a vmware guest). The script glite-ui-gsisshd itself (together with its parameters) defines the steps needed to reinstall the machine, so you may prefer to read the script and perform the tasks step by step, especially if a later version of the middleware diverges in its installation or configuration procedures.
The parameters of the script glite-ui-gsisshd are self-explanatory. The first is the site-info.def file and the second is the host certificate needed for gsi-sshd. There is also an optional third parameter, pps, in which case the pps repository is used for the middleware rather than the default production repository. You can use the string 'no-cert' in place of the *.p12 file, in which case the host certificate is not installed and the yaim configuration is skipped; only the packages are installed.
The command syntax is:
glite-ui-gsisshd <path_or_url_to_siteinfo.def> <path_or_url_to_host_cert.p12|no-cert> [prod|pps|cert]
The script does not assume much and should work with either the yum or the apt package management system. (xen-strap -a uses apt.) It should also work if you are behind a web proxy/cache server (squid) and no direct http connection is available; in that case the script will complain and advise you to look at /etc/wgetrc.
Be aware that, for certificates to work with voms-proxy-from-proxy, users have to select the non-default "Legacy" proxy type from the choices offered in the client (gsissh term):
Pre-RFC impersonation, RFC-impersonation, Legacy
The first, Pre-RFC impersonation, is the default, but it doesn't work.
ngsui02 as a vmware guest
Preparing vmware guest system
Put the kickstart file into a floppy image, which is the only way to automate the installation when there is no network boot support such as dhcp or pxe. The kickstart file is here
http://www.gridpp.rl.ac.uk/pps/files/ngsui02.ks.cfg
and the mini tool is here
http://www.gridpp.rl.ac.uk/pps/files/make_floppy_ks
Download both files to a computer where you have root access and run
sudo ./make_floppy_ks ngsui02.ks.cfg floppy_ngsui02.img
The floppy image with the kickstart file is then copied to gwz45397@uddi.ngs.rl.ac.uk; edit the script to change the target server.
On the vmware server you now have to mount the floppy image on the floppy device. You have to figure out how; it is easy. You also have to mount the installation CD image (SL4.6), the first CD of the set.
After booting the kernel from the installation CD, boot with the option
linux ks=floppy
the actual middleware installation
Production middleware is used by default
http://grid-deployment.web.cern.ch/grid-deployment/yaim/repos/glite-UI.repo
With the third argument pps, this repository is used instead
http://www.gridpp.rl.ac.uk/pps/files/pps-glite-ui.repo
On ngsui02, as root:
wget http://www.gridpp.rl.ac.uk/pps/files/glite-ui-gsisshd
chmod 755 ./glite-ui-gsisshd
./glite-ui-gsisshd http://www.gridpp.rl.ac.uk/pps/files/siteinfo-ngs-ui-gsisshd.def http://www.gridpp.rl.ac.uk/pps/host-certs/ngsui02.ngs.rl.ac.uk.p12
After a short while, maybe 5 seconds (while the http proxy setting is tested), you are asked for the password of the encrypted host certificate.
In the files
/opt/glite/etc/<VO_NAME>/glite_wms.conf
change
ShallowRetryCount = 10;
to
ShallowRetryCount = -1;
and the users are then allowed to forget to set the variable in their *.jdl
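The same edit applied to every VO directory in one pass, as an added example that is not part of the original page or of the gLite tooling. The function name set_shallow_retry is hypothetical and the sample tree is constructed; on the UI the base directory would be /opt/glite/etc.

```shell
#!/bin/sh
# set_shallow_retry BASE
# Sets ShallowRetryCount to -1 in every BASE/<VO_NAME>/glite_wms.conf.
# Keeps a .bak copy of each file it changes and prints the changed paths.
set_shallow_retry() {
    for conf in "$1"/*/glite_wms.conf; do
        [ -f "$conf" ] || continue
        # Replace only the number; indentation and spacing are preserved.
        sed 's/^\([[:space:]]*ShallowRetryCount[[:space:]]*=[[:space:]]*\)-\{0,1\}[0-9][0-9]*;/\1-1;/' \
            "$conf" > "$conf.new"
        if cmp -s "$conf" "$conf.new"; then
            rm -f "$conf.new"             # already -1, or option not present
        else
            cp -p "$conf" "$conf.bak"
            cat "$conf.new" > "$conf"     # rewrite in place: owner and mode stay
            rm -f "$conf.new"
            echo "$conf"
        fi
    done
}

# Constructed sample tree standing in for /opt/glite/etc.
demo=$(mktemp -d)
mkdir -p "$demo/dteam" "$demo/ops"
printf '    ShallowRetryCount = 10;\n' > "$demo/dteam/glite_wms.conf"
printf '    ShallowRetryCount = -1;\n' > "$demo/ops/glite_wms.conf"
set_shallow_retry "$demo"     # prints only the dteam file
rm -rf "$demo"
```

Running it a second time changes nothing and prints nothing, so it is safe to repeat after adding a VO.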
(TODO: on ngsrb02, in the file
/opt/glite/etc/glite_wms.conf.template
there is also the option ShallowRetryCount. Investigate whether that option is related to the one on the UI, and whether changing it and restarting the services is equivalent to changing the option on the UI.)
By default only these certificates are installed
yum -y install ca_UKeScienceRoot-1.20-1 ca_UKeScienceCA-1.20-1 ca_UKeScienceRoot-2007-1.20-1 ca_UKeScienceCA-2007-1.20-1 ca_CERN-TCA-1.20-1 ca_CERN-Root-1.20-1
[root@ngsui02 siteinfo]# rpm -qa | grep ca_
ca_CERN-Root-1.20-1
ca_CERN-TCA-1.20-1
ca_UKeScienceCA-2007-1.20-1
ca_UKeScienceRoot-2007-1.20-1
ca_UKeScienceCA-1.20-1
ca_UKeScienceRoot-1.20-1
If you want all root certificates, run
yum install lcg-CA
If you want to remove all certificates, execute the command
( LIST=`rpm -qa | grep ^ca_` ; yum -y remove $LIST )
Only these VOs are supported
ngs.ac.uk gridpp dteam ops
If you want to add ilc atlas alice lhcb cms, then edit
/root/siteinfo/siteinfo-ngs-ui-gsisshd.def
and execute
/root/siteinfo/config_ui_gsisshd
Due to the latest vulnerability in gsisshd, X11 forwarding has been switched off in the file
/opt/globus/etc/ssh/sshd_config
#X11Forwarding yes
X11Forwarding no
and the service restarted
/etc/init.d/gsisshd stop
/etc/init.d/gsisshd start
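A check that the setting is really off, as an added example that is not part of the original page. It assumes gsisshd reads sshd_config by the usual OpenSSH rules (comment lines ignored, keywords case-insensitive, the first value of a keyword wins, Match blocks able to override the global value); the function name x11_forwarding_state is hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# x11_forwarding_state FILE
# Prints the effective global X11Forwarding value: "yes", "no" or "unset".
# Returns 1 if forwarding is enabled globally or inside any Match block.
x11_forwarding_state() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)      # accept the Keyword=value form
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "match") { in_match = 1; next }
            if (key != "x11forwarding") next
            if (in_match) { if (val == "yes") match_yes = 1 }
            else if (global == "") global = val  # first value wins
        }
        END {
            print (global == "" ? "unset" : global)
            exit ((global == "yes" || match_yes) ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample mirroring the two lines shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#X11Forwarding yes
X11Forwarding no
EOF
x11_forwarding_state "$sample"    # prints: no
rm -f "$sample"
```

On the UI the call would be x11_forwarding_state /opt/globus/etc/ssh/sshd_config; a non-zero exit status also catches an earlier uncommented "yes" line that would take precedence over the "no".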
No local firewall (iptables) is installed
After login via gsi-ssh term, the commands get_test and voms-proxy-from-proxy are available in /usr/local/bin, and /usr/local/bin is in the PATH variable.
Here is the short script I used to make the ngs user pool on the UI
http://www.gridpp.rl.ac.uk/pps/files/make_ngs_users.sh
The output of the command has to be added to the users.conf specified in site-info.def for the UI.
cp users.conf users.conf.bak
grep -v ngs users.conf.bak > users.conf
./make_ngs_users.sh >> users.conf
To make yum work after login I added the RAL-specific settings; execute
echo "export http_proxy=http://wwwcache2.rl.ac.uk:8080" >> /etc/profile.d/local.sh
The manually crafted patches of the gsisshd configuration used here in Yaim are heading for inclusion into the head version of yaim. At the time of reading (> Apr 2008) they may already be included, so remove the patches if you experience problems.
ngsrb02
The WMSLB middleware baseline glite-3.1 on SL4 has recently been moved forward from the CERT stage to PPS. It is expected to be released into production by the end of April 2008. Watch here
https://twiki.cern.ch/twiki/bin/view/EGEE/Glite31NodeTracker
or check glite-WMS.repo and glite-LB.repo here
http://grid-deployment.web.cern.ch/grid-deployment/yaim/repos/
or here
http://linuxsoft.cern.ch/EGEE/gLite/R3.1/
For now I am forced to use the pps repository here, http://grid-deployment.web.cern.ch/grid-deployment/glite/pps/3.1/ , which is the latest, most stable WMSLB middleware on SL4. For yum use
http://www.gridpp.rl.ac.uk/pps/files/pps-glite3.1-wmslb.repo
Big changes in installation and configuration between the PPS and production releases are unlikely.
On xen
./xen-strap -a -u -y -b --name=pps-x6 --ip=130.246.187.106 --ntp -i mc -i openssh-clients \
--ssh-pub-keys="http://wwwinstall.gridpp.rl.ac.uk/yum/pps/ks/pps_authorized_keys_marian" \
--post-install-in="http://www.gridpp.rl.ac.uk/pps/files/glite31-wmslb-sl4 \
http://www.gridpp.rl.ac.uk/pps/files/glite31-wmslb-sl4-ngs-siteinfo.def \
http://www.gridpp.rl.ac.uk/pps/host-certs/ngsrb02.ngs.rl.ac.uk.p12" \
sl4 lvm:vg1/pps-x6:4G
On vmware
First get the kickstart file and check that it looks the way you want
http://www.gridpp.rl.ac.uk/pps/files/ngsrb02.ks.cfg
Make the floppy image with the kickstart file and upload it to the vmware server
wget http://www.gridpp.rl.ac.uk/pps/files/make_floppy_ks
chmod 755 ./make_floppy_ks
sudo ./make_floppy_ks ngsrb02.ks.cfg floppy_ngsrb02.img
./glite31-wmslb-sl4 http://www.gridpp.rl.ac.uk/pps/files/glite31-wmslb-sl4-ngs-siteinfo.def \
http://www.gridpp.rl.ac.uk/pps/host-certs/ngsrb02.ngs.rl.ac.uk.p12
If the configuration didn't proceed, go to /root/siteinfo/
cd /root/siteinfo
./config_wmslb
RAL specific stuff, execute
echo "export http_proxy=http://wwwcache2.rl.ac.uk:8080" >> /etc/profile.d/local.sh