Linux
These instructions have been tested on SUSE, RedHat and Ubuntu, but should be applicable for other Linux distributions as well. (Should anyone else install on other distributions, please let us know so we can update instructions).
This section will guide the user through the Globus grid node installation process using the Virtual Data Toolkit (VDT). The estimated burden for this process is 30 to 45 minutes.
Software Requirements:
Operating System: SUSE Linux Enterprise 9 or higher
Virtual Data Toolkit version: 1.8.1
pacman version: 3.20 or higher
GCC compiler version: 4.1.2 or higher (Special Note: Using version 4.1 will trigger software bug 4315.)
G++ compiler version: [Use GCC 4.1.2 compatible version] (Version checked using g++ --version)
Xinetd version: 2.3.14 or higher (Version checked using xinetd -version)
Tar version: 1.15.1 or higher (Version checked using tar --version)
Patch version: 2.5.9 or higher (Version checked using patch --version)
Make version: 3.80 (Version number checked using: make --version)
Perl version: 5.8.0 or higher (Version number checked using: perl --version)
Sudo version: 1.6.8p12 or higher (version number checked using: sudo -V)
User Requirements:
Root access is required for portions of the installation.
Additional Users: globus (non-root user used for configuration) and one additional non-root user with a specific user name, for example “dan”
Assumptions:
All prerequisite software has been installed by this point.
SUSE Linux 9 or higher is being used for the installation.
Virtual Data Toolkit version 1.8.1 is being installed.
Certificates will be stored in root. (/etc/grid-security/certificates)
Pre-Install Procedure
Add a Globus group using the following command:
groupadd globus
As the root user, create a non-root user called “globus” using the following command:
useradd globus -d /home/globus -s /bin/bash -G globus
Note: Users can also be created using the Yast2 User Management GUI.
Download pacman version 3.20 to /tmp from the following location: http://vdt.cs.wisc.edu/software/pacman/3.20/pacman-3.20.tar.gz
Extract the pacman tar ball to /usr/local using the following command:
tar -xvf /tmp/pacman-3.20.tar.gz -C /usr/local
Change directory to /usr/local/pacman-3.20
Run the command: source /usr/local/pacman-3.20/setup.sh
As root, create the vdt directory in /opt using the following command:
mkdir /opt/vdt/
Starting the Installation
Login as the root user
Source the /usr/local/pacman-3.20/setup.sh file using the following command:
source /usr/local/pacman-3.20/setup.sh
Change directory to: /opt/vdt
Run the command: pacman -get http://vdt.cs.wisc.edu/vdt_181_cache:Globus
Note: If you are running a later SUSE version, you will need to add the -pretend-platform linux-suse-9 switch to the command:
pacman -pretend-platform linux-suse-9 -get http://vdt.cs.wisc.edu/vdt_181_cache:Globus
In addition to the -pretend-platform switch, you will also need to execute the following commands:
export VDTSETUP_ACCEPT_PLATFORM=y
export VDT_ALLOW_UNSUPPORTED=1
Accept the license agreement and answer the on-screen questions based on your site's installation preferences.
Setup Globus Web Services by running the following command:
pacman -get http://vdt.cs.wisc.edu/vdt_181_cache:Globus-WS
Note: If you are running a later SUSE version, you will need to add the -pretend-platform linux-suse-9 switch to the command:
pacman -pretend-platform linux-suse-9 -get http://vdt.cs.wisc.edu/vdt_181_cache:Globus-WS
Run the following command when setup is complete:
source /opt/vdt/setup.sh
Change directory to $VDT_LOCATION
Run command: . setup.sh
Start the VDT services by running the following command:
vdt-control --on
Note: The command vdt-control --off disables VDT services.
Trusted authority setup
Download the globus_simple_ca_31f15ec4_setup-0.19.tar.gz PHGRID file from the NCPHI Certificate Authority and save it in the /tmp directory
Extract the file by running the following command:
/opt/vdt/gpt/sbin/gpt-build /tmp/globus_simple_ca_31f15ec4_setup-0.19.tar.gz
Run the following command as the root user:
/opt/vdt/gpt/sbin/gpt-postinstall
Note: A warning will appear after running this command. This means additional tasks need to be performed in order to complete the certificate installation. This will be addressed in the next step.
To complete the trusted host installation, run the following command as the root user:
$GLOBUS_LOCATION/setup/globus_simple_ca_31f15ec4_setup/setup-gsi -default
Requesting Host Certificates
Host certificates are provided as a means of securing access to grid services. The procedure below will guide you through the process of requesting a certificate from a trusted Certificate Authority. Setting up a Simple Certificate authority is out of scope for this document. Note: This section assumes the certificates were installed in the /etc/grid-security directory.
Login as the root user
Source the globus-user-env.sh file to set up the environment variables:
source $GLOBUS_LOCATION/etc/globus-user-env.sh
Request the new certificate by running the following command:
$GLOBUS_LOCATION/bin/grid-cert-request -host [enter_hostname]
Email the resulting /etc/grid-security/hostcert_request.pem file to: DWashington1@cdc.gov
Note: If the grid machine has mail configured, you may run the following command to email the certificate: cat /etc/grid-security/hostcert_request.pem | mail DWashington1@cdc.gov
Copy the pem file you receive from NCPHI to /etc/grid-security/hostcert.pem
Copy the /etc/grid-security/hostcert.pem file to /etc/grid-security/containercert.pem
Copy the /etc/grid-security/hostkey.pem file to containerkey.pem
Run the following command to validate correct host certificate installation:
openssl verify -CApath /etc/grid-security/certificates -purpose sslserver \
/etc/grid-security/hostcert.pem
Requesting User Certificates
All users are required to have a valid certificate before they can access the grid. Follow the procedures below to request a user certificate.
Login as a non-root user
Enter the command to set $GLOBUS_LOCATION:
export GLOBUS_LOCATION=/opt/vdt/globus
Source $GLOBUS_LOCATION/etc/globus-user-env.sh
Run the following command to request a user certificate:
/opt/vdt/globus/bin/grid-cert-request
Choose a pass phrase and enter it at the pass phrase prompt.
Email the resulting ~/.globus/usercert_request.pem to DWashington1@cdc.gov
Note: If the grid machine has mail configured, you may run the following command to email the certificate: cat ~/.globus/usercert_request.pem | mail DWashington1@cdc.gov
Copy the pem file you receive from Dan to ~/.globus/usercert.pem
Run the following command to validate certificate installation:
openssl verify -CApath /etc/grid-security/certificates \
-purpose sslclient ~/.globus/usercert.pem
Configuring Grid Map File
The grid-map file is used as a means of granting grid access to specific user accounts. A user must have a valid user certificate before the user account can be added to the grid map file. Remote users can be mapped to specific user accounts to enforce security controls on remote users.
Login as root
Run the following command to determine the user's distinguished name:
$GLOBUS_LOCATION/bin/grid-cert-info -subject -file \
/home/[the_user]/.globus/usercert.pem
Note: The output of this command will be used in the next step.
Run the following command to create a grid-map entry:
$GLOBUS_LOCATION/sbin/grid-mapfile-add-entry -dn \
"[Add_Your_Subject_Output_Here]" \
-ln [the_username]
Note: The DN is the output of step 2.
Check the consistency of the /etc/grid-security/grid-map file using the following command:
$GLOBUS_LOCATION/sbin/grid-mapfile-check-consistency
Configuring Grid FTP Server (optional if use of GridFTP is planned)
Login as root
Change directory to /etc/xinetd.d
Create the gridftp service file using the following command:
vi gridftp
Enter the following information in the newly created file:
service gsiftp
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /opt/vdt/globus/sbin/globus-gridftp-server
server_args = -i -data-interface <your.public.ip.address>
instances = 100
env += GLOBUS_LOCATION=/opt/vdt/globus
env += LD_LIBRARY_PATH=/opt/vdt/globus/lib
env += GLOBUS_TCP_PORT_RANGE=50000,51000
env += GLOBUS_HOSTNAME=serverhostname
env += GLOBUS_TCP_SOURCE_RANGE=52000,53000
log_on_success += DURATION
nice = 10
}
Enter :wq to save the file
Reload the xinetd daemon by entering the following command:
/etc/init.d/xinetd reload
Testing Grid FTP (optional if use of GridFTP is planned)
Login as a non-root user with a valid user certificate
Start the proxy by entering the following command:
$GLOBUS_LOCATION/bin/grid-proxy-init -verify
Test a Grid FTP by entering the following command:
globus-url-copy -vb -dbg gsiftp://localhost:2811/dev/zero file:///dev/null
Note: Press CTRL-C to end the transfer.
Use the following command to download a file from a remote server:
globus-url-copy -vb -dbg gsiftp://remote_server:2811/tmp/anyfile file:///tmp/file
Troubleshooting
Ephemeral Ports Blocked By Firewall (TCP Ports 50000 to 51000)
Symptom: System able to login on port 2811, but unable to perform gets or puts
Test Procedure:
Login As Root
Disable the gsiftp service in the /etc/xinetd.d/gridftp file by adding the parameter: disable = yes
Run the command: /etc/init.d/xinetd reload
Start the server manually on a specific port using the following command: /opt/vdt/globus/sbin/globus-gridftp-server -s -p 50000
Telnet to port 50000 from the remote server.
Example of failed connection:
bubba@gump:~> telnet node.hostname.com 50000
Trying 192.168.0.42...
telnet: connect to address 192.168.0.42: Connection refused
bubba@gump:~>
Example of successful connection:
bubba@gump:~> telnet node.hostname.com 50000
Trying 192.168.0.42...
Connected to node.hostname.com.
Escape character is '^]'.
220 node.hostname.com GridFTP Server 2.5 (gcc32dbg, 1182369948-63) ready.
The user is unable to create a proxy due to a time discrepancy between hosts.
Symptom: Authentication Error: The certificate is not yet valid – check skew between hosts.
Test Procedure:
Open an xterm
Run the date command
Compare the output of the date command with the remote host's output
If the clocks differ by more than 5 minutes, the system time needs to be updated. (Configuring NTP will keep the system's time synchronized with remote nodes.)
GridFTP trying to use private IP to transfer data to a node behind a NAT.
Symptom: The file transfer displays a “NO ROUTE TO HOST” error.
Test Procedure:
Start a proxy using: grid-proxy-init -debug -verify
Run the command: globus-url-copy -dbg file:///tmp/foo gsiftp://any.remotehost.net/tmp/foo
Pay attention to the debug output and look for the line: Entering Passive Mode (192,168,0,5,195,80). The first four numbers are the IP address GridFTP is trying to establish a connection with. In this case it is 192.168.0.5.
If the address is an internal address, edit the /etc/xinetd.d/gridftp file to include the following: server_args = -i -data-interface <your.public.ip.here>
Restart xinetd using the following command: /etc/init.d/xinetd reload
Retry the file transfer
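Added example (not part of the original guide): a POSIX shell helper for the two data-channel problems above. It decodes the passive-mode tuple from the debug output, then flags a private address (the NAT case) or a port outside the 50000-51000 range set by GLOBUS_TCP_PORT_RANGE (the firewall case). The function name decode_pasv and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide. Sample lines are constructed.

# Data-channel range from GLOBUS_TCP_PORT_RANGE in the xinetd service file.
PORT_MIN=50000
PORT_MAX=51000

# decode_pasv LINE
# Prints "ip port verdict" for a line carrying a passive-mode tuple
# (h1,h2,h3,h4,p1,p2); returns 1 if the line has no valid tuple.
decode_pasv() {
    tuple=$(printf '%s\n' "$1" |
        sed -n 's/.*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*/\1/p')
    [ -n "$tuple" ] || return 1
    set -- $(printf '%s' "$tuple" | tr ',' ' ')
    for n in "$@"; do
        [ "$n" -le 255 ] || return 1    # every field is a single byte
    done
    ip="$1.$2.$3.$4"
    port=$(( $5 * 256 + $6 ))           # high byte first, then low byte
    verdict=ok
    if [ "$port" -lt "$PORT_MIN" ] || [ "$port" -gt "$PORT_MAX" ]; then
        verdict=port-outside-range      # outside the range the firewall opens
    fi
    # RFC 1918, loopback and link-local: not routable from a remote node.
    case "$1" in
        10|127) verdict=private-address ;;
        192) [ "$2" -eq 168 ] && verdict=private-address ;;
        169) [ "$2" -eq 254 ] && verdict=private-address ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && verdict=private-address ;;
    esac
    printf '%s %s %s\n' "$ip" "$port" "$verdict"
}

# Constructed lines standing in for globus-url-copy -dbg output.
while IFS= read -r line; do
    decode_pasv "$line" || echo "no passive-mode tuple: $line"
done <<'EOF'
227 Entering Passive Mode (192,168,0,5,195,80)
227 Entering Passive Mode (198,51,100,7,195,80)
227 Entering Passive Mode (198,51,100,7,78,32)
EOF
```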