LIGO Data Grid

LSC DataGrid Server Installation

Installing LSC DataGrid Server 4.5

What's included?

Click here for a list of the included components.

What's new?

  • The Server installation is built on Virtual Data Toolkit (VDT) 1.8.1; this includes Globus Toolkit (GT) 4.0.5 and PyGlobus-gt4.0.1-1.13, with patches. (Note that python-devel is needed to install PyGlobus.)
  • VDT:Globus-WS, VDT:Tomcat-5.5, and VDT:TclGlobus have been added.
  • VDT:Pegasus has replaced VDT:VDS.
  • Condor 6.8.6 is installed and requires libstdc++.so.5, which is part of the gcc standard C++ compatibility libraries. If you have an existing installation of Condor, you have to set VDTSETUP_CONDOR_CONFIG or VDTSETUP_CONDOR_LOCATION.
  • The Server installation includes vdt-update-certs, a utility for updating the VDT CA certificate distribution symbolically linked to $VDT_LOCATION/globus/TRUSTED_CA. See the man page here.

Installation

    Note: These instructions have been tested for Fedora Core 4 including x86-64. If you have tested them on new platforms, please inform Greg Mendell.

    1. Shell:

      Please make bash your default shell before following these instructions (or make the appropriate substitutions if using, e.g., tcsh). Installing as root is recommended.

    2. IMPORTANT: BEFORE YOU START
      If you have an existing LDG installation, please open a new shell and run the following:
       $ env | grep -i LDG
      
      This should return an empty list. If anything in your environment already points to an existing installation of LDG, it will confuse the installation. (This is one of the main problems users have when installing LDG.) The solution is to make sure that nothing to do with LDG is sourced, for example in the ~/.bashrc, ~/.bash_profile, ~/.tcshrc or ~/.cshrc files, before trying to install LDG. Once you have a shell running where "env | grep -i LDG" returns an empty list, proceed with the installation from that shell.
    3. If you already have Condor installed:

      If you are installing LDG Server on a machine that is part of a Condor pool and you would like to enable your users to submit jobs into the pool via Globus you need to do the following:

      • Set two environment variables:
        1. VDTSETUP_CONDOR_CONFIG: Set this to the location of your existing condor_config file. For example
           # export VDTSETUP_CONDOR_CONFIG=/opt/condor/etc/condor_config
          
        2. VDTSETUP_CONDOR_LOCATION: Set this to the location of your existing Condor directory. For example
           # export VDTSETUP_CONDOR_LOCATION=/opt/condor
          
    4. QUICK INSTALLATION INSTRUCTIONS: Experienced users may wish to follow these quick instructions. Otherwise DETAILED INSTALLATION INSTRUCTIONS are given below. (Also note that substituting LDG for http://www.ldas-sw.ligo.caltech.edu/ldg_dist/ldg4.5 will install LDG from http://www.ldas-sw.ligo.caltech.edu/ldg_dist/ldg, which points to the current release.)

      Get pacman v3.21 from here:
      http://www.ldas-sw.ligo.caltech.edu/ldg_dist/ldg4.5/software/pacman-3.21.tar.gz

      and run these commands:
      
        # tar zxf pacman-3.21.tar.gz
        # cd pacman-3.21
        # source setup.sh
          (tcsh users: source setup.csh)
        # cd ..
        # mkdir ldg-4.5
        # cd ldg-4.5/
        # pacman -allow non-snapshottable-downloads -get http://www.ldas-sw.ligo.caltech.edu/ldg_dist/ldg4.5:Server
        
      
      You will be asked two questions about adding the ldg and vdt URLs to [trusted.caches]. Answer y to each. In addition, after globus installs (which usually takes 10 to 20 minutes) there is a question about setting up a cron job to automatically update your CA certificates. You probably want to answer y, since this will update the VDT CA certificate distribution in $VDT_LOCATION/globus/TRUSTED_CA on a daily basis via vdt-update-certs, though you can also run this utility by hand from the command line. More about this utility is here.
      If pacman does not recognize your platform, try
        # pacman -pretend-platform Fedora-4
      
      and then repeat the "pacman -allow non-snapshottable-downloads -get..." command.

      If the quick installation instructions succeed, next go to "Activating VDT Services Using vdt-control" below. If the installation fails, remove it and make sure "env | grep -i LDG" returns an empty list. Look at the detailed installation instructions for further information and what to do in case of errors.

    5. DETAILED INSTALLATION INSTRUCTIONS
      • Install Pacman:
        • Download Pacman. This is version 3.21 which has been tested with LDG 4.5. Make sure you are using the Pacman downloaded from this site, though more recent versions and additional information about Pacman may be available from the Pacman web site.
        • Unpack Pacman:
           # tar zxf pacman-3.21.tar.gz
          
        • Set up your shell environment to use pacman:
           # cd pacman-3.21
           # source setup.sh
          
          This will set your PATH environment variable to find Pacman.
      • Prepare to install the LDG Server:
        • Decide where to install. Note the following:
          1. The LDG Server is best installed as root.
          2. At least 700MB of disk space is necessary.
        • If you plan to enable Condor after the installation, make sure compat-libstdc++-33.i386 is installed; it is required for Condor to start.
        • Create the installation directory. We recommend /opt/ldg-4.5:
           # cd /opt
           # mkdir ldg-4.5
          
        • Change into that directory:
           # cd /opt/ldg-4.5
          
      • Review the following changes that will be made to your system. These changes occur when you run "vdt-control --on" after the installation.
        1. These two lines are added to the /etc/services file:
           globus-gatekeeper       2119/tcp        # Added by the VDT
           gsiftp  2811/tcp        # Added by the VDT
          
        2. Two service configuration files globus-gatekeeper and gsiftp are added to the directory /etc/xinetd.d and a HUP signal is sent to xinetd.
        3. The file gris is created in /etc/rc.d/init.d. There are instructions below for updating sshd in this directory as well.
        4. A cron job that runs vdt-rotate-logs is added.
        5. Thus, you may wish to back up these files, if they exist, before beginning the installation, e.g., by running:
           # cp /etc/services /etc/services.bak
           # cp /etc/xinetd.d/globus-gatekeeper /etc/xinetd.d/globus-gatekeeper.bak
           # cp /etc/xinetd.d/gsiftp /etc/xinetd.d/gsiftp.bak
           # cp /etc/init.d/sshd /etc/init.d/sshd.bak
             (No changes are made to this file by vdt-control; see below for manual changes.)
           # cp /etc/init.d/gris /etc/init.d/gris.bak
          
      • Install the LDG Server:
        (Note that substituting LDG for http://www.ldas-sw.ligo.caltech.edu/ldg_dist/ldg4.5 will install LDG from http://www.ldas-sw.ligo.caltech.edu/ldg_dist/ldg, which points to the current release.)
        • Install the server package:
          
           # pacman -allow non-snapshottable-downloads -get http://www.ldas-sw.ligo.caltech.edu/ldg_dist/ldg4.5:Server
          
          
          You will be asked the following question:
          Do you want to add [http://www.ldas-sw.ligo.caltech.edu/ldg_dist/ldg4.5] to [trusted.caches]? (y or n):
          Answer 'y' to continue.
          You will also be asked the following question:
          Do you want to add [http://vdt.cs.wisc.edu/vdt_181_cache] to [trusted.caches]? (y or n):
          Answer 'y', since the LDG is built on top of the Virtual Data Toolkit (VDT) from the OSG project.
          In addition, after globus installs (which usually takes 10 to 20 minutes) you will be asked:
          Do you want to automatically update your CA certificates? If so, we will check for updates once a day via cron.
          Do you want to automatically update your CA Certificates? [y/n]
          You probably want to answer 'y', since this will update the VDT CA certificate distribution in $VDT_LOCATION/globus/TRUSTED_CA on a daily basis via vdt-update-certs, though you can also run this utility by hand from the command line. More about this utility is here.
          If everything installs correctly and completely then you should see at the end of the installation
           The LSC Data Grid Server 4.5 has been installed.
          
          If you do not see this, or if you see error messages, please send a note to Greg Mendell.
          ***You may also see one or two lines of additional output after the above message, which can be ignored.***
    6. Activating VDT Services Using vdt-control:

        Note that vdt-control is a new utility used to add or remove services installed from vdt. After the installation finishes, source the setup.(c)sh file in the installation directory. Then, to activate the VDT services, run:

         # vdt-control --on
        
        or
         # vdt-control --on --force
        
        to force the changes to the files given above.

        After running "vdt-control --on", you can also run "vdt-control --list". The output will look like this, for example:

         # vdt-control --list
         Service            | Type   | Desired State
         -------------------+--------+--------------
         fetch-crl          | cron   | do not enable
         vdt-rotate-logs    | cron   | enable
         gris               | init   | enable
         globus-gatekeeper  | inetd  | enable
         gsiftp             | inetd  | enable
         edg-mkgridmap      | cron   | do not enable
         mysql              | init   | do not enable
         rls                | init   | do not enable
        

        Note that the only services affected by vdt-control are those listed in the "enable" state.

        The condor service will also be in the list, unless you set the environment variables to not affect condor as explained above.

        Thus, enabled does not mean "on", but just that vdt-control has control over the set up of this service. The ones marked "do not enable" are services we either did not install from vdt or did not set a flag to have vdt control.

        Thus running "vdt-control --on" does this:

         a. Adds files and links in /etc/init.d/ and /etc/rc.d/rc*.d/ for "init"
            type services.
        
         b. Adds port numbers and service names to /etc/services and files to
            /etc/xinetd.d for the "inetd" type services.
        
         c. Edits crontab for "cron" type services.
        
        And running "vdt-control --off" removes the changes.

        More about vdt-control is here: http://vdt.cs.wisc.edu/releases/1.8.1/man/vdt-control.html.
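
A post-activation check for the changes described above, as an added example that is not part of the original page or of the LDG/VDT distribution. It reads "vdt-control --list" output, picks the inetd services in the "enable" state, and confirms each has the /etc/services entry and /etc/xinetd.d file this page documents; the function names and the scratch root used in demo are assumptions made for the example.

```shell
# Added example; not part of the LDG or VDT distribution.
# enabled_services TYPE: read "vdt-control --list" output on stdin and print
# the services of that type whose desired state is "enable".
enabled_services() {
    awk -F'|' -v want="$1" 'NF == 3 {
        for (i = 1; i <= 3; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
        if ($2 == want && $3 == "enable") print $1
    }'
}

# check_inetd_service ROOT NAME PORT: true only if ROOT/etc/services maps NAME
# to PORT/tcp and ROOT/etc/xinetd.d/NAME exists. ROOT is "" on a live host.
check_inetd_service() {
    awk -v n="$2" -v p="$3/tcp" '$1 == n && $2 == p { ok = 1 }
        END { exit !ok }' "$1/etc/services" || return 1
    [ -f "$1/etc/xinetd.d/$2" ]
}

# audit_inetd ROOT: check every enabled inetd service in the listing on stdin
# against the ports this page documents; nonzero status if any check fails.
audit_inetd() {
    root=$1 rc=0
    for svc in $(enabled_services inetd); do
        case $svc in
            globus-gatekeeper) port=2119 ;;
            gsiftp)            port=2811 ;;
            *) echo "UNEXPECTED $svc"; rc=1; continue ;;
        esac
        if check_inetd_service "$root" "$svc" "$port"; then
            echo "OK $svc $port/tcp"
        else
            echo "MISSING $svc $port/tcp"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: scratch root where the gsiftp xinetd file was left out.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/etc/xinetd.d" || return 2
    printf '%s\n' 'globus-gatekeeper 2119/tcp # Added by the VDT' \
        'gsiftp 2811/tcp # Added by the VDT' > "$d/etc/services"
    : > "$d/etc/xinetd.d/globus-gatekeeper"
    printf '%s\n' ' gris | init | enable' ' gsiftp | inetd | enable' \
        ' globus-gatekeeper | inetd | enable' ' rls | init | do not enable' |
        audit_inetd "$d"; rc=$?
    rm -rf "$d"; return $rc
}
demo || echo "audit: problems found"
```

On an installed host the same check is run as: vdt-control --list | audit_inetd ""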

    7. The vdt-update-certs utility:

        The Server installation includes vdt-update-certs, a utility for updating the VDT CA certificate distribution symbolically linked to $VDT_LOCATION/globus/TRUSTED_CA. See the man page here.

    8. Get certificates:

        If you already had a host cert and key for the machine on which you just installed the LDG Server you can skip ahead to the next section. To use gris (see below) you will also need an LDAP certificate.

        If you do not have these you need to apply for both now.

        Go to Getting Server Certificates, but don't forget to return here to finish LDG Server configuration!

        (Also note that the client certificate utilities that come with LDG, LSCrenewCert, LSCrequestCert, and LSCretrieveCert, require the perl modules LWP and SSLeay. In most cases these are installed with LDG. However, if you get errors that refer to these, try installing them from cpan, or send an email to Greg Mendell.)

    9. Start the GRIS service
        If you wish to run Grid Information Services (GRIS), which uses the Lightweight Directory Access Protocol (LDAP), then once you have installed your LDAP certificate you should start gris (ldapd) by doing
         # /etc/rc.d/init.d/gris start
        
    10. Start up the gsi-enabled SSH:
      • If you already have a pre-existing gsi-enabled ssh running, check whether you need to update /etc/init.d/sshd. Run:
         # diff /opt/ldg-4.5/vdt/globus/sbin/SXXsshd /etc/init.d/sshd
        
        No changes may be needed if sshd already points to the new installation, for example if you made a symbolic link to or stowed the new installation of LDG 4.5. If no changes are needed to /etc/init.d/sshd, just kill the existing sshd and run:
         # /etc/init.d/sshd start
        
      • If /opt/ldg-4.5/vdt/globus/sbin/SXXsshd and /etc/init.d/sshd differ or for a new installation of gsi-enabled ssh, run these commands:
         # chkconfig --del sshd
         # cp /etc/init.d/sshd /etc/init.d/sshd.bak [If not already done above]
         # cp /opt/ldg-4.5/vdt/globus/sbin/SXXsshd /etc/init.d/sshd
         # chkconfig --add sshd
        
        Note that chkconfig --del/--add sshd removes or adds links from /etc/rc.d/rc*.d/*sshd* to /etc/init.d/sshd and updates a list of services (e.g., run chkconfig --list).
      • Kill the root-owned sshd process (not the users' active ones!!!) and run
         # /etc/init.d/sshd start
        
        (If you are paranoid that this may fail, you may wish to log in from another window to do this, or start a temporary copy of sshd on another port, e.g., by running /usr/sbin/sshd -p 2000 and ssh -p 2000 root@FQDN. Then kill this temporary copy once the new sshd is working.)
      • Note that recent versions of OpenSSH do not allow users to login to "disabled" accounts. On most Linux systems this means accounts with an entry in /etc/shadow that contains !!. If your system has such accounts and you actually want the users to be able to login, you should change !! to something else, e.g., x. See the OpenSSH documentation for details.
      • Note that the line 'Protocol 2' is inserted below '#Protocol 2,1' in vdt/globus/etc/ssh/sshd_config under the installation directory.
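
A review aid for the two notes above, as an added example that is not part of the original page or of the LDG/VDT distribution. It lists the shadow entries whose password field starts with "!!", separating those where a hash follows the marker, and reports the effective Protocol value of an sshd_config; the function names, account names and hash strings are constructed for the example.

```shell
# Added example; not part of the LDG or VDT distribution.
# marked_accounts FILE: for each shadow-format entry whose password field
# starts with "!!", print "name empty" when nothing follows the marker or
# "name hash" when a password hash follows it.
marked_accounts() {
    awk -F: '$2 ~ /^!!/ { print $1, ($2 == "!!" ? "empty" : "hash") }' "$1"
}

# effective_protocol FILE: print the value of the first uncommented Protocol
# line (sshd keeps the first value it reads for a keyword).
effective_protocol() {
    awk 'tolower($1) == "protocol" { print $2; exit }' "$1"
}

# review_sshd SHADOW CONFIG: print the findings; nonzero status when the
# effective protocol is anything other than "2".
review_sshd() {
    marked_accounts "$1" | while read -r name state; do
        echo "REVIEW $name ($state)"
    done
    proto=$(effective_protocol "$2")
    echo "PROTOCOL ${proto:-unset}"
    [ "$proto" = "2" ]
}

# Constructed sample files; the account names and hash strings are made up.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'root:$1$constructed$hash:13800:0:99999:7:::' \
        'alice:!!:13800:0:99999:7:::' \
        'bob:!!$1$constructed$hash:13800:0:99999:7:::' \
        'daemon:*:13800:0:99999:7:::' > "$d/shadow"
    printf '%s\n' '#Protocol 2,1' 'Protocol 2' > "$d/sshd_config"
    review_sshd "$d/shadow" "$d/sshd_config"; rc=$?
    rm -rf "$d"; return $rc
}
demo || echo "review: Protocol is not 2"
```

Entries reported as "hash" still carry a password hash behind the marker, so each one deserves a decision on whether that account should be able to log in before its field is edited.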
    11. Define LSC_DATAGRID_SERVER_LOCATION system wide

        The server installation also includes the client tools. If you want users to be able to easily use the tools you should add

         # export LSC_DATAGRID_SERVER_LOCATION=/opt/ldg-4.5
        
        in /etc/profile or the equivalent for your system. Then have your users add
         # source ${LSC_DATAGRID_SERVER_LOCATION}/setup.sh
        
        to their own .bash_profile and/or .bashrc files.
    12. Do you have a firewall?

        If you have any type of firewall between the machine on which you install the LDG Server and the internet then you will need to make some adjustments in your firewall configuration in order to properly expose the services.

        Please download and read Globus Firewall Requirements.

    13. Condor configuration and deployment:

        Once the LDG Server suite is installed and you have a valid certificate you should consider deploying Condor onto your cluster if it is not already deployed. See Configuring and Deploying Condor.

    Supported by the National Science Foundation. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).
    $Id: installserver.html,v 1.48 2007/11/19 21:57:25 gmendell Exp $