Ngsui02


ngsui02 as a xen guest

The instructions for installing a UI with GSI-SSHD can be summarized in one complex command, provided xen is used in conjunction with the xen-strap tool (see http://www.gridpp.ac.uk/wiki/Xen-strap).

 ./xen-strap -a -u -y -b --name=ngsui02 --ip=130.246.143.132 --ntp -i mc -i openssh-clients  \
  --ssh-pub-keys=<URL_to_root_authorized_key> \
  --post-install-in="http://www.gridpp.rl.ac.uk/pps/files/glite-ui-gsisshd \
                        http://www.gridpp.rl.ac.uk/pps/files/siteinfo-ngs-ui-gsisshd.def \
                        http://www.gridpp.rl.ac.uk/pps/host-certs/ngsui02.ngs.rl.ac.uk.p12" \
 sl4 lvm:vg1/ngsui02:4G

Once the command is executed on the xen host (dom0), it takes about 5 minutes (including system creation) until the system asks you for the password of the encrypted host certificate, and about another 20 minutes until the target guest domain boots to a prompt and the system is fully functional. The root password is copied from the host system.

Note that you are not constrained to xen at all. See below.

The actual middleware installation and configuration is defined by the script specified in xen-strap option "--post-install-in":

  http://www.gridpp.rl.ac.uk/pps/files/glite-ui-gsisshd 

If you are interested only in a minimal gsisshd server, you may use this script instead:

http://www.gridpp.rl.ac.uk/pps/files/gsisshd

The script is downloaded after the xen target guest domain is created, and it is executed or sourced with the parameters specified in the same string:

http://www.gridpp.rl.ac.uk/pps/files/siteinfo-ngs-ui-gsisshd.def
http://wwwinstall.gridpp.rl.ac.uk//ks/host-certs/pps-x7.p12

Note that using a URL is not mandatory, either for the controlling script (the glite-ui-gsisshd script in the case of xen-strap) or for the two parameters that follow it. You may just as well use full absolute paths to local files if that suits you better or if you want to customize the scripts.

Note that you may prefer to do the installation manually, as described below, and execute the script on whatever machine you want (for example a vmware guest). The script glite-ui-gsisshd itself (together with its parameters) defines the steps needed to reinstall the machine, so you may prefer to read the script and perform the tasks step by step, especially if a later version of the middleware diverges in its installation or configuration procedures.

The parameters of the script glite-ui-gsisshd are self-explanatory. The first is the site-info.def file and the second is the host certificate needed for gsi-sshd. There is also a third, optional parameter to the script glite-ui-gsisshd, pps, in which case the pps repository is used for the middleware rather than the default production repository. You can use the string 'no-cert' in place of the *.p12 file, in which case the host certificate is not installed and the yaim configuration is skipped; only the packages are installed.

The command syntax is:

glite-ui-gsisshd <path_or_url_to_siteinfo.def> <path_or_url_to_host_cert.p12|no-cert> [prod|pps|cert]

The script does not assume much and should work with either the yum or the apt package management system. (xen-strap -a uses apt.) It should also work nicely if you are behind a web proxy/cache server (squid) and no direct http connection is available. The script will complain and advise you to look at /etc/wgetrc.

Be aware that, for certificates to work with voms-proxy-from-proxy, users have to select the non-default "Legacy" proxy type from the choices offered in the client (gsissh term):

Pre-RFC impersonation, RFC-impersonation, Legacy

The first, Pre-RFC impersonation, is the default, but it doesn't work.


ngsui02 as a vmware guest

Preparing vmware guest system

Put the kickstart file into a floppy image, which is the only way to automate the installation if there is no network boot support such as dhcp or pxe. The kickstart file is here:

http://www.gridpp.rl.ac.uk/pps/files/ngsui02.ks.cfg

and the mini tool is here:

http://www.gridpp.rl.ac.uk/pps/files/make_floppy_ks

Download both files to a computer where you have root access and run:

sudo ./make_floppy_ks ngsui02.ks.cfg floppy_ngsui02.img

The floppy image with the kickstart file is now copied to gwz45397@uddi.ngs.rl.ac.uk; edit the script to change the target server.

On the vmware server you now have to mount the floppy image on the floppy device. You have to figure out how; it is easy. You also have to mount the installation CD image (SL4.6), the first CD of the set.

After booting the kernel from the installation CD, you have to enter the boot options:

linux ks=floppy

The actual middleware installation

Production middleware is used by default:

http://grid-deployment.web.cern.ch/grid-deployment/yaim/repos/glite-UI.repo

With the third argument pps, this repository is used:

http://www.gridpp.rl.ac.uk/pps/files/pps-glite-ui.repo

On ngsui02, as root:

wget http://www.gridpp.rl.ac.uk/pps/files/glite-ui-gsisshd
chmod 755 ./glite-ui-gsisshd
./glite-ui-gsisshd http://www.gridpp.rl.ac.uk/pps/files/siteinfo-ngs-ui-gsisshd.def http://www.gridpp.rl.ac.uk/pps/host-certs/ngsui02.ngs.rl.ac.uk.p12

After a short while, maybe 5 seconds (testing the http proxy setting), you are asked for the password of the encrypted host certificate.

In the files

/opt/glite/etc/<VO_NAME>/glite_wms.conf

change

ShallowRetryCount  =  10;

to

ShallowRetryCount  =  -1;

after which users are allowed to forget to set the variable in their *.jdl.

(TODO: on ngsrb02, the file

/opt/glite/etc/glite_wms.conf.template

also has the option ShallowRetryCount. Investigate whether that option is related to the one on the UI, and whether changing it and restarting the services is equivalent to changing the option on the UI.)


By default only these certificates are installed:

yum -y install ca_UKeScienceRoot-1.20-1 ca_UKeScienceCA-1.20-1 ca_UKeScienceRoot-2007-1.20-1 ca_UKeScienceCA-2007-1.20-1 ca_CERN-TCA-1.20-1 ca_CERN-Root-1.20-1

[root@ngsui02 siteinfo]# rpm -qa | grep ca_
ca_CERN-Root-1.20-1
ca_CERN-TCA-1.20-1
ca_UKeScienceCA-2007-1.20-1
ca_UKeScienceRoot-2007-1.20-1
ca_UKeScienceCA-1.20-1
ca_UKeScienceRoot-1.20-1

If you want all root certificates, run

yum install lcg-CA

If you want to remove all certificates, execute the command

( LIST=`rpm -qa | grep ^ca_` ; yum -y remove $LIST )
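
The CA packages are the trust anchors for GSI logins, so it is worth checking that the installed set still matches the short default list above. The following check is an added example, not part of the original page or of the glite-ui-gsisshd script; the function name ca_drift and the sample input are constructed, and the allowlist is the page's six package names with the version suffix removed.

```shell
#!/bin/sh
# Allowlist built from the six package names this page lists as the default
# set, with the version suffix removed so that updates are not reported.
EXPECTED_CAS='ca_CERN-Root
ca_CERN-TCA
ca_UKeScienceCA
ca_UKeScienceCA-2007
ca_UKeScienceRoot
ca_UKeScienceRoot-2007'

# ca_drift: read installed package names on stdin, one per line. Print
# "+name" for a CA package that is not on the allowlist and "-name" for an
# allowlisted package that is missing; print nothing when the sets match.
ca_drift() {
    inst=$(mktemp); want=$(mktemp)
    grep '^ca_' | LC_ALL=C sort -u > "$inst"
    printf '%s\n' "$EXPECTED_CAS" | LC_ALL=C sort -u > "$want"
    LC_ALL=C comm -23 "$inst" "$want" | sed 's/^/+/'
    LC_ALL=C comm -13 "$inst" "$want" | sed 's/^/-/'
    rm -f "$inst" "$want"
}

# Constructed input standing in for: rpm -qa --qf '%{NAME}\n'
printf '%s\n' ca_CERN-Root ca_CERN-TCA ca_UKeScienceCA ca_UKeScienceCA-2007 \
    ca_UKeScienceRoot ca_Example-Unlisted openssh-clients | ca_drift
```

On the real host, feed it with rpm -qa --qf '%{NAME}\n' | ca_drift; after a deliberate "yum install lcg-CA" the allowlist has to be extended to match.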

Only these VOs are supported:

 ngs.ac.uk gridpp dteam ops

If you want to add ilc atlas alice lhcb cms, then edit

/root/siteinfo/siteinfo-ngs-ui-gsisshd.def

and execute

/root/siteinfo/config_ui_gsisshd

Due to the latest vulnerability in gsisshd, X11 forwarding has been switched off in the file

/opt/globus/etc/ssh/sshd_config
#X11Forwarding yes
X11Forwarding no

and service restarted

/etc/init.d/gsisshd stop
/etc/init.d/gsisshd start
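
To confirm that the setting above is the one in effect, the configuration file can be audited rather than read by eye. The following is an added example, not part of the original page; the function names are constructed, and it assumes the usual sshd_config parsing rules (case-insensitive keywords, first global occurrence wins, lines after a Match line are conditional).

```shell
#!/bin/sh
# x11_audit FILE: report how X11Forwarding is set in an sshd_config-style file.
# Parsing rules assumed: lines starting with '#' are comments, keywords are
# case-insensitive, "Keyword=value" is accepted, the first global occurrence
# wins, and everything after a "Match" line is conditional.
x11_audit() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "match") { in_match = 1; next }
            if (key != "x11forwarding") next
            if (in_match) { if (val == "yes") override = 1 } else if (gval == "") gval = val
        }
        END {
            if (gval == "")        print "unset"           # build default applies
            else if (gval != "no") print "enabled"
            else if (override)     print "match-override"  # re-enabled for some logins
            else                   print "ok"
        }
    ' "$1"
}

# Exit status form, for cron or a monitoring probe.
x11_forwarding_off() { [ "$(x11_audit "$1")" = "ok" ]; }

# Constructed sample: the fragment shown on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#X11Forwarding yes
X11Forwarding no
EOF
echo "X11Forwarding audit: $(x11_audit "$sample")"
rm -f "$sample"
```

On the host itself, run x11_audit /opt/globus/etc/ssh/sshd_config after the restart; any result other than "ok" means the file does not pin X11 forwarding off for every login.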

No local firewall (iptables) is installed


After login via gsi-ssh term the commands get_test and voms-proxy-from-proxy are available in /usr/local/bin and the /usr/local/bin is in the PATH variable.

Here is the short script I used to create the ngs user pool on the UI:

http://www.gridpp.rl.ac.uk/pps/files/make_ngs_users.sh

The output of the command has to be added to the users.conf specified in site-info.def for the UI.

cp users.conf users.conf.bak
grep -v ngs users.conf.bak > users.conf
./make_ngs_users.sh >> users.conf

To make yum work after login I added the RAL-specific setting; execute

echo "export http_proxy=http://wwwcache2.rl.ac.uk:8080" >> /etc/profile.d/local.sh

Manually crafted patches to the gsisshd configuration, used here in Yaim, are heading for inclusion in the head version of yaim. At the time of reading (> Apr 2008) they may already be included, so remove the patches if you experience problems.

ngsrb02

The WMSLB middleware baseline glite-3.1 on SL4 has recently been moved forward from the CERT stage to PPS. It is expected to be released into production by the end of April 2008. Watch here

 https://twiki.cern.ch/twiki/bin/view/EGEE/Glite31NodeTracker

or check glite-WMS.repo and glite-LB.repo here

 http://grid-deployment.web.cern.ch/grid-deployment/yaim/repos/

or here

 http://linuxsoft.cern.ch/EGEE/gLite/R3.1/

For now I am forced to use the pps repository http://grid-deployment.web.cern.ch/grid-deployment/glite/pps/3.1/ here, which is the latest and most stable WMSLB middleware on SL4. For yum use

http://www.gridpp.rl.ac.uk/pps/files/pps-glite3.1-wmslb.repo

Big changes in installation and configuration between the PPS and production releases are unlikely.

On xen

./xen-strap -a -u -y -b --name=pps-x6 --ip=130.246.187.106 --ntp -i mc -i openssh-clients \
     --ssh-pub-keys="http://wwwinstall.gridpp.rl.ac.uk/yum/pps/ks/pps_authorized_keys_marian" \
     --post-install-in="http://www.gridpp.rl.ac.uk/pps/files/glite31-wmslb-sl4 http://www.gridpp.rl.ac.uk/pps/files/glite31-wmslb-sl4-ngs-siteinfo.def \
                http://www.gridpp.rl.ac.uk/pps/host-certs/ngsrb02.ngs.rl.ac.uk.p12" \
     sl4 lvm:vg1/pps-x6:4G

On vmware

First get the kickstart file and check that it looks the way you want:

 http://www.gridpp.rl.ac.uk/pps/files/ngsrb02.ks.cfg

Make the floppy image with the kickstart file and upload it to the vmware server:

wget  http://www.gridpp.rl.ac.uk/pps/files/make_floppy_ks
chmod 755 ./make_floppy_ks
sudo ./make_floppy_ks ngsrb02.ks.cfg floppy_ngsrb02.img
./glite31-wmslb-sl4 http://www.gridpp.rl.ac.uk/pps/files/glite31-wmslb-sl4-ngs-siteinfo.def  \
                http://www.gridpp.rl.ac.uk/pps/host-certs/ngsrb02.ngs.rl.ac.uk.p12

If the configuration didn't proceed, go to /root/siteinfo/:

cd /root/siteinfo
./config_wmslb

RAL-specific setting; execute

echo "export http_proxy=http://wwwcache2.rl.ac.uk:8080" >> /etc/profile.d/local.sh