These are the installation procedures for a complete LCG site installation, independent of any external resources (Deliverable A3.3 - 2005Q4).
Thanks to Sabah Salin and Alessandra Forti for support and discussions.
Hardware/Software architecture.
Savannah portal: http://savannah.cern.ch/
http://www.gridpp.ac.uk/deployment/links.html
LCG rollout archives: http://www.listserv.rl.ac.uk/archives/lcg-rollout.html
Download releases: http://lcg.web.cern.ch/LCG/Sites/releases.html
Wiki: http://goc.grid.sinica.edu.tw/gocwiki/FrontPage

LCG software is a set of computers with specific functions, running modules that interact with each other during the job submission, running and delivery processes.

CE and RB can never be installed on the same computer. There are installations where RB and BDII are together. These are the computers with a standard Scientific Linux 3.0.4 installation from www.scientificlinux.org. The log is available here.

The processes are:
- User interface (UI): the module that allows users to interact with the grid. It contains programs to submit jobs and commands to the grid, check job status, recover outputs, etc.
- Resource broker (RB): it is responsible for matching jobs with resources, implementing policies, and sending jobs for processing in a remote resource (Computer element). The definitions of resources are written in the JDF file using ClassAds (see the Condor manual and the LCG user manual for more details).
- Computer element (CE): the batch manager (PBS) that allocates resources in the farm to run users' software. There are interactive jobs, parallel jobs, and simple jobs.
- Worker Nodes (WN): the computers that will run your software. They contain the installed packages, libraries, and the local data necessary for processing.
- Storage Element (SE): the mass storage element in the grid.
- Berkeley Database (BDII): the catalog of resources published in the grid. It is distributed in two levels. The first catalogs all CE BDII entries. The second, in the CE, contains the information about the farm managed by the CE.
- Proxy manager (PX): stores proxies for long-running jobs in the grid.
IP      Hostname  nick     Function     Cert
IS_ip   IS_host   IS_nick  BDII PX MON  *
RB_ip   RB_host   RB_nick  RB           *
CE_ip   CE_host   CE_nick  CE           *
WN_ip   WN_host   WN_nick  WN
...
UI_ip   UI_host   UI_nick  UI
SE_IP   SE_host   SE_nick  SE           *

* e-Science certificates are required on these machines.

The data server using NFS is cap.hep.man.ac.uk. Most of the current servers are delivered with two Ethernet interfaces: eth0 should be connected to the public network (194.36.XX.XX) and eth1 to the private network (192.0.168.XX). The advantage is, for example, that access to the data server (cap) does not share a network connection with AFS. Another important point: when writing data from your code, do not write records remotely (AFS, NFS, etc.). Write outputs to a local disk, and at the end of your job copy them to a remote resource.
Verify if your certificate is installed:
At desktop pc73.hep.man.ac.uk, user jamwer:

    ls .globus
    usercert.pem userkey.pem

If you do not have a certificate, you have to obtain one before requesting host certificates.

Run the Firefox browser:
    firefox

Site: https://ca.grid-support.ac.uk
- Accept this certificate permanently (or you will not be able to recover the host certificate)
- Request a certificate
- Server certificate
- DNS is the server hostname
- Type host

These are the outputs, to confirm the information:

    E-Mail                        jamwer2000@hotmail.com
    DNS Name                      host/IS_host
    L                             HEP
    OU                            Manchester
    Fully qualified domain name   IS_host
    User Data
    Role                          User
    Registration Authority        Manchester HEP
    NOTBEFORE                     Mon Nov 7 09:02:15 2005 UTC
    PIN                           553848908d51c23446b713a058c2f91ed656927e
    PROFILE                       UKHOST
    RA                            Manchester HEP
    ROLE                          User
    SERIAL                        362016
    SUBJECT_ALT_NAME              DNS: IS_host
    TYPE                          SPKAC

Later, you will receive an email such as:
    From: ca@ca.grid-support.ac.uk
    Sent: 07 November 2005 16:23:11
    To: jamwer2000@hotmail.com
    Subject: UK eScience CA - New Issued Certificate (Serial: 5141)

    Dear Customer,

    Your certificate with the serial number 5141 and the DN:
    emailAddress=jamwer2000@hotmail.com,CN=host/IS_host,L=HEP,OU=Manchester,O=eScience,C=UK
    has just been generated by the UK e-Science CA.

    You can import it directly into the same browser you requested the certificate from by following this link:
    https://ca.grid-support.ac.uk/cgi-bin/pub/pki?cmd=getcert&key=5141&type=CERTIFICATE

    You can also do this by going to https://ca.grid-support.ac.uk/pub and clicking on "Import Certificate into Browser" and entering the serial number: 5141

Recovering the certificates:
- Use the same computer, account, and browser (Firefox): https://ca.grid-support.ac.uk
- Import certificate into browser
- Serial number: (see the number in the subject of the CA email, in my case 5141)
- In Firefox: Edit/Preferences/Advanced/Certificates/Manage certificates
- Mark one certificate
- Backup
- Type pem phrase
- WARNING: in the "Certificate backup password" and "...(again)" fields, type any character and then backspace (the password will be empty!)
- Save as computer_name.p12

Converting p12 to pem format
See http://www.hep.man.ac.uk/local/grid/grid-cert-FAQ.html

    openssl pkcs12 -in name.p12 -clcerts -nokeys -out namecert.pem
    Enter Import Password:      (just type enter!)
    MAC verified OK
    openssl pkcs12 -in name.p12 -nodes -nocerts -out namekey.pem
    Enter Import Password:      (just type enter!)
    MAC verified OK

At each host computer:
    cd /etc/grid-security/
    cp /nfs/work/users/jamwer/GRID/namecert.pem hostcert.pem
    cp /nfs/work/users/jamwer/GRID/namekey.pem hostkey.pem
    chmod 400 hostkey.pem
    chmod 444 hostcert.pem

where XX is 30, 31, 32, and 40.

The firewall issue.
Using the grid from your laptop/desktop requires that some ports are open in the firewall. Descriptions are available at:
- LCG application, middleware & security - last 2 pages are important, and not able to be printed!
- Globus requirements
- Security and Firewall Settings
- Reporting on experiences operating Globus through firewall.
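An added example, not part of the original procedure: a shell check for the host credentials installed under /etc/grid-security in the "At each host computer" step above. It verifies the 400/444 permissions, that the -nokeys/-nocerts split kept key and certificate in separate files, and that the key belongs to the certificate. The function names has_mode, check_layout and key_matches_cert are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the layout used above:
# DIR/hostcert.pem (mode 444) and DIR/hostkey.pem (mode 400).

# has_mode FILE MODE: true if FILE has exactly the octal permission bits MODE.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# check_layout DIR: returns 0 if both files exist with the expected
# permissions and the key and certificate were kept in separate files.
check_layout() {
    dir=$1; rc=0
    key=$dir/hostkey.pem; cert=$dir/hostcert.pem
    for f in "$key" "$cert"; do
        [ -f "$f" ] || { echo "missing: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    has_mode "$key" 400  || { echo "hostkey.pem is not mode 400"; rc=1; }
    has_mode "$cert" 444 || { echo "hostcert.pem is not mode 444"; rc=1; }
    grep -q 'PRIVATE KEY-----' "$key" ||
        { echo "no private key in hostkey.pem"; rc=1; }
    grep -q 'BEGIN CERTIFICATE-----' "$cert" ||
        { echo "no certificate in hostcert.pem"; rc=1; }
    # The key was exported with -nodes (unencrypted), so it must never end
    # up in the world-readable certificate file.
    if grep -q 'PRIVATE KEY-----' "$cert"; then
        echo "private key found in hostcert.pem"; rc=1
    fi
    return "$rc"
}

# key_matches_cert DIR: returns 0 if the public key derived from hostkey.pem
# equals the public key embedded in hostcert.pem (requires openssl).
key_matches_cert() {
    k=$(openssl pkey -in "$1/hostkey.pem" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/hostcert.pem" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# On a host: check_layout /etc/grid-security && key_matches_cert /etc/grid-security
```
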
Feedback to: jamwer@hep.man.ac.uk