Tags:
,
view all tags
---+!! System Administrator Guide for CEMon %TOC% ---# Operations/Installation and Configuration ---## Prerequisites ---### Operating system A standard 64 bit SL(C)5 distribution is supposed to be properly installed. ---### Node synchronization A general requirement for the Grid nodes is that they are synchronized. This requirement may be fulfilled in several ways. One of the most common one is using the =NTP= protocol with a time server. ---## Plan how to deploy CEMon ---### Choose the authorization model CEMon can be configured to use as authorization system: * the ARGUS authorization framework OR * the grid Java Authorization Framework (gJAF) In the former case a ARGUS box (usually at site level) where to define policies is needed. To use ARGUS as authorization system, yaim variable =USE_ARGUS= must be set in the following way: <verbatim> USE_ARGUS=yes </verbatim> In this case it is also necessary to set the following yaim variables: * =ARGUS_PEPD_ENDPOINTS= The endpoint of the ARGUS box (e.g."https://cream-43.pd.infn.it:8154/authz") * =CREAM_PEPC_RESOURCEID= The id of the CREAM CE in the ARGUS box (e.g. "http://pd.infn.it/cream-18") If instead gJAF should be used as authorization system, yaim variable =USE_ARGUS= must be set in the following way: <verbatim> USE_ARGUS=no </verbatim> ---### Repositories For a successful installation, you will need to configure your package manager to reference a number of repositories (in addition to your OS); * the EPEL repository * the EMI middleware repository * the CA repository and to *REMOVE (!!!)* or *DEACTIVATE (!!!)* * the DAG repository ---#### The EPEL repository You can install the EPEL repository, issuing: <verbatim> rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm </verbatim> ---#### The EMI middleware repository The EMI-1 RC4 repository can be found under: <verbatim> http://emisoft.web.cern.ch/emisoft/dist/EMI/1/RC4/sl5/x86_64 </verbatim> To use yum, the yum repo to be installed in =/etc/yum.repos.d= can be found at https://twiki.cern.ch/twiki/pub/EMI/EMI-1/rc4.repo ---#### The Certification Authority repository The most up-to-date version of the list of trusted Certification Authorities (CA) is needed on your node. The relevant yum repo can be installed issuing: <verbatim> wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/egi-trustanchors.repo -O /etc/yum.repos.d/egi-trustanchors.repo </verbatim> ---#### Important note on automatic updates An update of an RPM not followed by configuration can cause problems. Therefore *WE STRONGLY RECOMMEND NOT TO USE AUTOMATIC UPDATE PROCEDURE OF ANY KIND*. Running the script available at http://forge.cnaf.infn.it/frs/download.php/101/disable_yum.sh (implemented by Giuseppe Platania, INFN Catania) yum autoupdate will be disabled ---### Operations/Installation of CEMon In EMI, CEMon is installed as part of the CREAM-CE. So the following instructions refer to the installation of the CREAM CE. First of all, install the =yum-protectbase= rpm: <verbatim> yum install yum-protectbase.noarch </verbatim> Then proceed with the installation of the CA certificates: <verbatim> yum install ca-policy-egi-core </verbatim> To proceed the installation, install fSun JDK ( =jdk=) or openjdk ( =java-1.6.0-openjdk=) Then install =xml-commons-apis=: <verbatim> yum install xml-commons-apis </verbatim> This is due to a dependency problem within the Tomcat distribution Then install the CREAM-CE metapackage: <verbatim> yum install emi-cream-ce </verbatim> ---### Operations/Installation of the CEMon CLI The CEMon CLI is part of the EMI-UI. To install it please refer to the [[http://www.eu-emi.eu/c/document_library/get_file?uuid=7fd664ad-18f7-4aec-9baa-9cf5bd47a396&groupId=14057][Generic Installation & Configuration Guide]] ---## Configuration ---### Using the YAIM configuration tool For a detailed description on how to configure the middleware with YAIM, please check the [[https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400][YAIM guide]]. The necessary YAIM modules needed to configure a certain node type are automatically installed with the middleware. ---### Configuration of CEMon using yaim In EMI, CEMon is installed and configured as part of the CREAM-CE ---#### Install host certificate The CREAM CE node requires the host certificate/key files to be installed. Contact your national Certification Authority (CA) to understand how to obtain a host certificate if you do not have one already. Once you have obtained a valid certificate: * hostcert.pem - containing the machine public key * hostkey.pem - containing the machine private key make sure to place the two files in the target node into the =/etc/grid-security= directory. Then set the proper mode and ownerships doing: <verbatim> chown root.root /etc/grid-security/hostcert.pem chown root.root /etc/grid-security/hostkey.pem chmod 600 /etc/grid-security/hostcert.pem chmod 400 /etc/grid-security/hostkey.pem </verbatim> ---#### Configure the siteinfo.def file Set your =siteinfo.def= file, which is the input file used by yaim. Documentation about yaim variables relevant for CREAM CE is available at [[https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#cream_CE][https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#cream_CE]] Be sure that =USE_CEMON= is set to =true=. ---#### Run yaim After having filled the =siteinfo.def= file, run yaim: <verbatim> /opt/glite/yaim/bin/yaim -c -s <site-info.def> -n creamCE </verbatim> ---### Configuration of the CEMon CLI The CEMon CLI is part of the EMI-UI. To configure it please refer to xxx. ---# Operating the system ---## How to start the CEMon service A site admin can start the CEMon service just starting the tomcat container: <verbatim> /etc/init.d/tomcat5 start </verbatim> To stop the CEMon service, it is just necessary to stop the CEMon container: <verbatim> /etc/init.d/tomcat5 stop </verbatim> ---## Configuration files Information about configuration files in the CEMonis available at http://wiki.italiangrid.org/twiki/bin/view/CEMon/ServiceReferenceCard#Configuration_files_location_wit ---## Log files Information about log files in the CREAM CE is available at http://wiki.italiangrid.org/twiki/bin/view/CEMon/ServiceReferenceCard#Logfile_locations_and_management ---## Network ports Information about ports used in the CREAM CE is available at http://wiki.italiangrid.org/twiki/bin/view/CEMon/ServiceReferenceCard#Open_ports ---## Security related operations ---### Security recommendations Security recommendations relevant for CEMon is available at http://wiki.italiangrid.org/twiki/bin/view/CEMon/ServiceReferenceCard#Security_recommendations ---### How to block/ban a user Information about how to ban users is available at http://wiki.italiangrid.org/twiki/bin/view/CEMon/ServiceReferenceCard#How_to_block_ban_a_user ---### How to block/ban a VO To ban a VO, it is suggested to reconfigure the service via yaim without that VO in the =siteinfo.def= ---## How to add/remove sensors CEMon sensors that must be plugged in CEMon are defined in the CEMon configuration file (=/etc/glite-ce-monitor/cemonitor-config.xml=). Each active sensor is identified by a section that has the following format: <verbatim> <sensor id=xxx ... ... /sensor> </verbatim> By default only the =CREAM job= sensor is enabled. To enable/disable a specific sensor, it is just necessary to uncomment/comment the sensor definition in the CEMon configuration file. Please note that then it is NOT necessary to restart tomcat ---## How to add a static subscription There are two types of subscriptions: * subscriptions created by an authorized user (using e.g. the =glite-ce-monitor-subscribe= command) * static subscriptions, created by the CEMon system administrator Static subscriptions can be created editing the CEMon configuration file =/etc/glite-ce-monitor/cemonitor-config.xml=. An example of static subscription settings is this one: <verbatim> <subscription id="subscription-1" subscriberId="_C_IT_O_INFN_OU_Personal_Certificate_L_Padova_CN_Massimo_Sgaravatto_dteam_Role_NULL_Capability_NULL" subscriberGroup="dteam" monitorConsumerURL="https://cream-47.pd.infn.it:8788" sslprotocol="SSLv3" retryCount="-1"> <topic name="CREAM_JOBS"> <dialect name="CLASSAD" /> </topic> <policy rate="60" /> </subscription> </verbatim> After having added/removed a static subscription, it is NOT necessary to restart tomcat. -- Main.MassimoSgaravatto - 2011-04-20
Edit
|
Attach
|
PDF
|
H
istory
:
r6
<
r5
<
r4
<
r3
<
r2
|
B
acklinks
|
V
iew topic
|
More topic actions...
Topic revision: r4 - 2011-10-24
-
TWikiAdminUser
Home
Site map
CEMon web
CREAM web
Cloud web
Cyclops web
DGAS web
EgeeJra1It web
Gows web
GridOversight web
IGIPortal web
IGIRelease web
MPI web
Main web
MarcheCloud web
MarcheCloudPilotaCNAF web
Middleware web
Operations web
Sandbox web
Security web
SiteAdminCorner web
TWiki web
Training web
UserSupport web
VOMS web
WMS web
WMSMonitor web
WeNMR web
General Doc
Functional Description
Architecture
Known Issues
User Doc
CEMon CLI User Guide
System Administrator Doc
System Administrator Guide for CEMon for EMI-1
System Administrator Guide for CEMon for EMI-2
System Administrator Guide for CEMon for EMI-3
CEMon Service Reference Card for EMI-1
CEMon Service Reference Card for EMI-2
CEMon Service Reference Card for EMI-3
Other Doc
Testing
Credits
CEMon Web utilities
Create New Topic
Index
Search
Changes
Notifications
RSS Feed
Statistics
Preferences
P
View
Raw View
Print version
Find backlinks
History
More topic actions
Edit
Raw edit
Attach file or image
Edit topic preference settings
Set new parent
More topic actions
Account
Log In
Edit
Attach
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki?
Send feedback