Linux

These instructions have been tested on SUSE, RedHat and Ubuntu, but should be applicable for other Linux distributions as well. (Should anyone else install on other distributions, please let us know so we can update instructions).

This section will guide the user through the Globus grid node installation process using the Virtual Data Toolkit (VDT). The estimated burden for this process is 30 to 45 minutes.

Software Requirements:

Operating System: SUSE Linux Enterprise 9 or higher

Virtual Data Toolkit version: 1.8.1

pacman version: 3.20 or higher

GCC compiler version: 4.1.2 or higher (Special Note: Using version 4.1 will trigger software bug 4315.)

G++ compiler version: [Use GCC 4.1.2 compatible version] (Version checked using g++ --version)

Xinetd version: 2.3.14 or higher (Version checked using xinetd -version)

Tar version: 1.15.1 or higher (Version checked using tar --version)

Patch version: 2.5.9 or higher (Version checked using patch --version)

Make version: 3.80 (Version number checked using: make --version)

Perl version: 5.8.0 or higher (Version number checked using: perl --version)

Sudo version: 1.6.8p12 or higher (version number checked using: sudo -V)

User Requirements:

Root access is required for portions of the installation.

Additional Users: globus (non-root user used for configuration) and one additional non-root user with a specific user name, for example “dan”

Assumptions:

All prerequisite software has been installed by this point.

SUSE Linux 9 or higher is being used for the installation.

Virtual Data Toolkit version 1.8.1 is being installed.

Certificates will be stored in root. (/etc/grid-security/certificates)

Pre-Install Procedure

Add a Globus group using the following command:

groupadd globus

As the root user, create a non-root user called “globus” using the following command:

useradd globus -d /home/globus -s /bin/bash -G globus

Note: Users can also be created using the Yast2 User Management GUI.

Download pacman version 3.20 to /tmp from the following location: http://vdt.cs.wisc.edu/software/pacman/3.20/pacman-3.20.tar.gz

Extract the pacman tar ball to /usr/local using the following command:

tar -xvf /tmp/pacman-3.20.tar.gz -C /usr/local

Change directory to /usr/local/pacman-3.20

Run the command: source /usr/local/pacman-3.20/setup.sh

As root, create the vdt directory in /opt using the following command:

mkdir /opt/vdt/

Starting the Installation

Login as the root user

Source the /usr/local/pacman-3.20/setup.sh file using the following command:

source /usr/local/pacman-3.20/setup.sh

Change directory to: /opt/vdt

Run the command: pacman -get http://vdt.cs.wisc.edu/vdt_181_cache:Globus

Note: If you are running a later SUSE version you will need to add the “-pretend-platform linux-suse-9” switch to the command (without quotes):

pacman -pretend-platform linux-suse-9 -get http://vdt.cs.wisc.edu/vdt_181_cache:Globus

In addition to the -pretend-platform switch, you will also need to execute the following commands:

export VDTSETUP_ACCEPT_PLATFORM=y

export VDT_ALLOW_UNSUPPORTED=1

Accept the license agreement and answer the on-screen questions based on your site's installation preferences.

Setup Globus Web Services by running the following command:

pacman -get http://vdt.cs.wisc.edu/vdt_181_cache:Globus-WS

Note: If you are running a later SUSE version you will need to add the “-pretend-platform linux-suse-9” switch to the command (without quotes):

pacman -pretend-platform linux-suse-9 -get http://vdt.cs.wisc.edu/vdt_181_cache:Globus-WS

Run the following command when setup is complete:

source /opt/vdt/setup.sh

Change directory to $VDT_LOCATION

Run command: . setup.sh

Start the VDT services by running the following command:

vdt-control --on

Note: The command vdt-control --off disables VDT services.

Trusted authority setup

Download the globus_simple_ca_31f15ec4_setup-0.19.tar.gz PHGRID file from the NCPHI Certificate Authority and save it in the /tmp directory

Extract the file by running the following command:

/opt/vdt/gpt/sbin/gpt-build /tmp/globus_simple_ca_31f15ec4_setup-0.19.tar.gz

Run the following command as the root user:

/opt/vdt/gpt/sbin/gpt-postinstall

Note: A warning will appear after running this command. This means additional tasks need to be performed in order to complete the certificate installation. This will be addressed in the next step.

To complete the trusted host installation, run the following command as the root user:

$GLOBUS_LOCATION/setup/globus_simple_ca_31f15ec4_setup/setup-gsi -default

Requesting Host Certificates

Host certificates are provided as a means of securing access to grid services. The procedure below will guide you through the process of requesting a certificate from a trusted Certificate Authority. Setting up a Simple Certificate authority is out of scope for this document. Note: This section assumes the certificates were installed in the /etc/grid-security directory.

Login as the root user

Source the globus-user-env.sh file to set up the environment variables:

source $GLOBUS_LOCATION/etc/globus-user-env.sh

Request the new certificate by running the following command:

$GLOBUS_LOCATION/bin/grid-cert-request -host [enter_hostname]

Email the resulting /etc/grid-security/hostcert_request.pem file to: DWashington1@cdc.gov

Note: If the grid machine has mail configured, you may run the following command to email the certificate: cat /etc/grid-security/hostcert_request.pem | mail DWashington1@cdc.gov

Copy the pem file you receive from NCPHI to /etc/grid-security/hostcert.pem

Copy the /etc/grid-security/hostcert.pem file to /etc/grid-security/containercert.pem

Copy the /etc/grid-security/hostkey.pem file to /etc/grid-security/containerkey.pem

Run the following command to validate correct host certificate installation:

openssl verify -CApath /etc/grid-security/certificates -purpose sslserver \

/etc/grid-security/hostcert.pem

Requesting User Certificates

All users are required to have a valid certificate before they can access the grid. Follow the procedures below to request a user certificate.

Login as a non-root user

Enter the command to set $GLOBUS_LOCATION:

export GLOBUS_LOCATION=/opt/vdt/globus

Source $GLOBUS_LOCATION/etc/globus-user-env.sh

Run the following command to request a user certificate:

/opt/vdt/globus/bin/grid-cert-request

Choose a pass phrase and enter it at the pass phrase prompt.

Email the resulting ~/.globus/usercert_request.pem to DWashington1@cdc.gov

Note: If the grid machine has mail configured, you may run the following command to email the certificate: cat ~/.globus/usercert_request.pem | mail DWashington1@cdc.gov

Copy the pem file you receive from Dan to ~/.globus/usercert.pem

Run the following command to validate certificate installation:

openssl verify -CApath /etc/grid-security/certificates \

-purpose sslclient ~/.globus/usercert.pem

Configuring Grid Map File

The grid-map file is used as a means of granting grid access to specific user accounts. A user must have a valid user certificate before the user account can be added to the grid map file. Remote users can be mapped to specific user accounts to enforce security controls on remote users.

Login as root

Run the following command to determine the user's distinguished name:

$GLOBUS_LOCATION/bin/grid-cert-info -subject -file /home/[the_user]/.globus/usercert.pem

Note: The output of this command will be used in the next step.

Run the following command to create a grid-map entry:

$GLOBUS_LOCATION/sbin/grid-mapfile-add-entry -dn \

"[Add_Your_Subject_Output_Here]" \

-ln [the_username]

Note: The DN is the output of step 2.

Check the consistency of the /etc/grid-security/grid-map file using the following command:

$GLOBUS_LOCATION/sbin/grid-mapfile-check-consistency
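Since the grid-map file decides which local account each certificate holder runs as, it is worth reviewing the mappings themselves as well as the file's consistency. The script below is an added example, not part of the VDT or Globus tooling; it assumes entries of the form "quoted DN" followed by one or more comma-separated accounts, and its sample DNs and account names are constructed.

```shell
#!/bin/sh
# Added example: audit grid-map entries for risky or ambiguous mappings.
# Entry format assumed: "<quoted DN>" <account>[,<account>...]

# sample_gridmap -> prints a constructed grid-map file (DNs and accounts are made up)
sample_gridmap() {
    cat <<'EOF'
# constructed sample entries
"/O=Grid/OU=Example/CN=Alice Example" alice
"/O=Grid/OU=Example/CN=Bob Example" root
/O=Grid/OU=Example/CN=Carol Example carol
"/O=Grid/OU=Example/CN=Alice Example" dan
EOF
}

# audit_gridmap FILE -> prints one finding per line; exit status 1 if anything was flagged
audit_gridmap() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    !match($0, /^[ \t]*"[^"]+"[ \t]+[^ \t]/) {    # need a quoted DN and an account
        printf "line %d: malformed entry (unquoted DN or missing account)\n", NR
        bad = 1; next
    }
    {
        dn = $0; sub(/^[ \t]*"/, "", dn); sub(/".*$/, "", dn)
        accounts = substr($0, RLENGTH); sub(/[ \t]+$/, "", accounts)
        n = split(accounts, acct, ",")
        for (i = 1; i <= n; i++)
            if (acct[i] == "root") {
                printf "line %d: %s is mapped to root\n", NR, dn; bad = 1
            }
        if (dn in seen) {
            printf "line %d: %s already mapped on line %d\n", NR, dn, seen[dn]; bad = 1
        } else
            seen[dn] = NR
    }
    END { exit bad + 0 }
    ' "$1"
}

# Demo on the constructed sample; on a grid node, pass /etc/grid-security/grid-map instead
tmp=$(mktemp) && sample_gridmap > "$tmp"
audit_gridmap "$tmp" || echo "grid-map file needs review"
rm -f "$tmp"
```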

Configuring Grid FTP Server (optional if use of GridFTP is planned)

Login as root

Change directory to /etc/xinetd.d

Create the gridftp service file using the following command:

vi gridftp

Enter the following information in the newly created file:

service gsiftp

{

socket_type = stream

protocol = tcp

wait = no

user = root

server = /opt/vdt/globus/sbin/globus-gridftp-server

server_args = -i -data-interface <your.public.ip.address>

instances = 100

env += GLOBUS_LOCATION=/opt/vdt/globus

env += LD_LIBRARY_PATH=/opt/vdt/globus/lib

env += GLOBUS_TCP_PORT_RANGE=50000,51000

env += GLOBUS_HOSTNAME=serverhostname

env += GLOBUS_TCP_SOURCE_RANGE=52000,53000

log_on_success += DURATION

nice = 10

}

5. Enter :wq to save the file

6. Reload the xinetd daemon by entering the following command:

/etc/init.d/xinetd reload

Testing Grid FTP (optional if use of GridFTP is planned)

Login as a non-root user with a valid user certificate

Start the proxy by entering the following command:

$GLOBUS_LOCATION/bin/grid-proxy-init -verify

Test a Grid FTP by entering the following command:

globus-url-copy -vb -dbg gsiftp://localhost:2811/dev/zero file:///dev/null

Note: Press CTRL-C to end the transfer.

Use the following command to download a file from a remote server:

globus-url-copy -vb -dbg gsiftp://remote_server:2811/tmp/anyfile file:///tmp/file

Troubleshooting

Ephemeral Ports Blocked By Firewall (TCP Ports 50000 to 51000)

Symptom: System able to login on port 2811, but unable to perform gets or puts

Test Procedure:

Login As Root

Disable the gsiftp service in the /etc/xinetd.d/gridftp file by adding the parameter: disable = yes

Run the command: /etc/init.d/xinetd reload

Start the server manually on a specific port using the following command: /opt/vdt/globus/sbin/globus-gridftp-server -s -p 50000

Telnet to port 50000 from the remote server.

Example of failed connection:

bubba@gump:~> telnet node.hostname.com 50000

Trying 192.168.0.42...

telnet: connect to address 192.168.0.42: Connection refused

bubba@gump:~>

Example of successful connection:

bubba@gump:~> telnet node.hostname.com 50000

Trying 192.168.0.42...

Connected to node.hostname.com.

Escape character is '^]'.

220 node.hostname.com GridFTP Server 2.5 (gcc32dbg, 1182369948-63) ready.

The user is unable to create a proxy due to a time discrepancy between hosts.

Symptom: Authentication Error: The certificate is not yet valid – check skew between hosts.

Test Procedure:

Open an xterm

Run the date command

Compare the output of the date command with the remote host's

If the system time differs by more than 5 minutes, it needs to be updated. (Configuring NTP will keep the system's time synchronized with remote nodes.)

GridFTP trying to use private IP to transfer data to a node behind a NAT.

Symptom: The file transfer displays a “NO ROUTE TO HOST” error.

Test Procedure:

Start a proxy using: grid-proxy-init -debug -verify

Run the command: globus-url-copy -dbg file:///tmp/foo gsiftp://any.remotehost.net/tmp/foo

Pay attention to the debug output and look for the line: Entering Passive Mode (192,168,0,5,195,80). The first four numbers are the IP address GridFTP is trying to establish a connection with. In this case it is 192.168.0.5.

If the address is an internal address, edit the /etc/xinetd.d/gridftp file to include the following: server_args = -i -data-interface <your.public.ip.here>

Restart xinetd using the following command: /etc/init.d/xinetd reload

Retry the file transfer
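The passive-mode line carries the data port as well as the address: the last two numbers are the port's high and low bytes, so (192,168,0,5,195,80) means 192.168.0.5 port 50000. The script below is an added example, not part of the Globus tools; it decodes such a line and checks the result against both this NAT issue and the firewall port range from the first troubleshooting item, with PORT_MIN and PORT_MAX assumed to match the GLOBUS_TCP_PORT_RANGE value in the xinetd file.

```shell
#!/bin/sh
# Added example: decode the data endpoint from an "Entering Passive Mode" debug line.
# PORT_MIN/PORT_MAX mirror GLOBUS_TCP_PORT_RANGE=50000,51000 from the xinetd file above.
PORT_MIN=50000
PORT_MAX=51000

# pasv_endpoint LINE -> prints "a.b.c.d port"; returns 1 if no valid 6-number tuple
pasv_endpoint() {
    tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*/\1/p')
    [ -n "$tuple" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $tuple            # h1 h2 h3 h4 p1 p2
    IFS=$old_ifs
    for n in "$@"; do [ "$n" -le 255 ] || return 1; done
    printf '%s.%s.%s.%s %s\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# is_private_ip a.b.c.d -> returns 0 for RFC 1918, loopback and link-local addresses
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.*) second=${1#172.}; second=${second%%.*}
               [ "$second" -ge 16 ] && [ "$second" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# check_pasv_line LINE -> prints a verdict; returns 0 only if address and port look usable
check_pasv_line() {
    endpoint=$(pasv_endpoint "$1") || { echo "no passive-mode tuple found"; return 2; }
    ip=${endpoint% *}; port=${endpoint#* }
    status=0
    if is_private_ip "$ip"; then
        echo "$ip:$port private address: set -data-interface to the public IP"
        status=1
    fi
    if [ "$port" -lt "$PORT_MIN" ] || [ "$port" -gt "$PORT_MAX" ]; then
        echo "$ip:$port port outside $PORT_MIN-$PORT_MAX: check GLOBUS_TCP_PORT_RANGE and the firewall"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$ip:$port ok"
    return "$status"
}

# The debug line quoted in the procedure above, used here as sample input
check_pasv_line 'Entering Passive Mode (192,168,0,5,195,80)' || true
```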