Tags:
, view all tags

System Administrator Guide for CREAM for EMI-1 release

1 Installation and Configuration

1.1 Prerequisites

1.1.1 Operating system

A standard 64 bit SL(C)5 distribution is supposed to be properly installed.

1.1.2 Node synchronization

A general requirement for the Grid nodes is that they are synchronized. This requirement may be fulfilled in several ways. One of the most common one is using the NTP protocol with a time server.

1.1.3 Cron and logrotate

Many components deployed on the CREAM CE rely on the presence of cron (including support for /etc/cron.* directories) and logrotate. You should make sure these utils are available on your system.

1.1.4 Batch system

If you plan to use LSF as batch system for your CREAM CE, you have to install and configure it before installing and configuring the CREAM software. Since LSF is a commercial software it can't be distributed together with the middleware.

1.2 Plan how to deploy the CREAM CE

1.2.1 CREAM CE and gLite-cluster

glite-CLUSTER is a node type that can publish information about clusters and subclusters in a site, referenced by any number of compute elements.

glite-CLUSTER can be deployed in the same host of the CREAM-CE or in a different one.

The following deployment models are possible:

  • CREAM-CE can be configured without worrying about the glite-CLUSTER node. This can be useful for small sites who don't want to worry about cluster/subcluster configurations because they have a very simple setup. In this case CREAM-CE will publish a single cluster/subcluster. This is called no cluster mode. This is done as described below by defining the yaim setting CREAMCE_CLUSTER_MODE=no (or by no defining at all that variable).

  • CREAM-CE can work on cluster mode using the glite-CLUSTER node type. This is done as described below by defining the yaim setting CREAMCE_CLUSTER_MODE=yes. The CREAM-CE can be in the same host or in a different host from the glite-CLUSTER node.
More information about glite-CLUSTER can be found at https://twiki.cern.ch/twiki/bin/view/LCG/CLUSTER

1.2.2 Choose the authorization model

The CREAM CE can be configured to use as authorization system:

  • the ARGUS authorization framework
OR

  • the grid Java Authorization Framework (gJAF)
In the former case a ARGUS box (usually at site level) where to define policies for the CREAM CE box is needed.

To use ARGUS as authorization system, yaim variable USE_ARGUS must be set in the following way:

USE_ARGUS=yes

In this case it is also necessary to set the following yaim variables:

  • ARGUS_PEPD_ENDPOINTS The endpoint of the ARGUS box (e.g."https://cream-43.pd.infn.it:8154/authz")
  • CREAM_PEPC_RESOURCEID The id of the CREAM CE in the ARGUS box (e.g. "http://pd.infn.it/cream-18")
If instead gJAF should be used as authorization system, yaim variable USE_ARGUS must be set in the following way:

USE_ARGUS=no

1.2.3 Choose the BLAH BLparser deployment model

The BLAH Blparser is the component of the CREAM CE responsible to notify CREAM about job status changes.

For LSF and PBS/Torque it is possible to configure the BLAH blparser in two possible ways:

  • The new BLAH BLparser, which relies on the status/history batch system commands
  • The old BLAH BLparser, which parses the batch system log files

For SGE and Condor, only the configuration with the new BLAH blparser is possible

1.2.3.1 New BLAH Blparser

The new Blparser runs on the CREAM CE machine and it is automatically installed when installing the CREAM CE. The configuration of the new BLAH Blparser is done when configuring the CREAM CE (i.e. it is not necessary to configure the Blparser separately from the CREAM CE).

To use the new BLAH blparser, it is just necessary to set:

BLPARSER_WITH_UPDATER_NOTIFIER=true

in the siteinfo.def and then configure the CREAM CE. This is the default value.

The new BLParser doesn't parse the log files. However the bhist (for LSF) and tracejob (for Torque) commands (used by the new BLParser) require the batch system log files, which therefore must be available (in case e.g. via NFS in the CREAM CE node. Actually for Torque the blparser uses tracejob (which requires the log files) only when qstat can't find anymore the job. And this can happen if the job has been completed more than keep_completed seconds ago and the blparser was not able to detect before that the job completed/was cancelled/whatever. This can happen e.g. if keep_completed is too short or if the BLAH blparser for whatever reason didn't run for a while. If the log files are not available and the tracejob command is issued (for the reasons specified above), the BLAH blparser will not be able to find the job, which will considered "lost" (DONE-FAILED wrt CREAM).

The init script of the new Blparser is /etc/init.d/glite-ce-blahparser. Please note that it is not needed to explicitly start the new blparser: when CREAM is started, it starts also this new BLAH Blparser if it is not already running.

When the new Blparser is running, you should see the following two processes on the CREAM CE node:

  • /usr/bin/BUpdaterxxx
  • /usr/bin/BNotifier

Please note that the user tomcat on the CREAM CE should be allowed to issue the relevant status/history commands (for Torque: qstat, tracejob, for LSF: bhist, bjobs). Some sites configure the batch system so that users can only see their own jobs (e.g. in torque:

set server query_other_jobs = False

). If this is done at the site, then the tomcat user will need a special privilege in order to be exempt from this setting (in torque:

set server operators += tomcat@creamce.yoursite.domain

).

1.2.3.2 Old BLAH Blparser

The old BLAH blparser must be installed on a machine where the batch system log files are available (let's call this host BLPARSER_HOST. So the BLPARSER_HOST can be the batch system master or a different machine where the log files are available (e.g. they have been exported via NFS). There are two possible layouts:

  • The BLPARSER_HOST is the CREAM CE host
  • The BLPARSER_HOST is different than the CREAM CE host
If the BLPARSER_HOST is the CREAM CE host, after having installed and configured the CREAM CE, it is necessary to configure the old BLAH Blparser as explained below.

If the BLPARSER_HOST is different than the CREAM CE host, after having installed and configured the CREAM CE it is necessary:

  • to install the old BLAH BLparser software on this BLPARSER_HOST as explained below
  • to configure this software

After having configured CREAM, it is necessary to also configure the BLAH Blparser as explained below.

On the CREAM CE, to use the old BLAH blparser, it is necessary to set:

BLPARSER_WITH_UPDATER_NOTIFIER=true

in the siteinfo.def before configuring via yaim.

1.3 Installation

This section explains how to install:

  • a CREAM CE in no cluster mode
  • a CREAM CE in cluster mode
  • a glite-CLUSTER node
For all these scenarios, the setting of the repositories is the same.

1.3.1 Repositories

For a successful installation, you will need to configure your package manager to reference a number of repositories (in addition to your OS);

  • the EPEL repository
  • the EMI middleware repository
  • the CA repository

and to REMOVE (!!!) or DEACTIVATE (!!!)

  • the DAG repository

1.3.1.1 The EPEL repository

You can install the EPEL repository, issuing:

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

1.3.1.2 The EMI middleware repository

The EMI-1 RC3 repository can be found under:

http://emisoft.web.cern.ch/emisoft/dist/EMI/1/RC3/sl5/x86_64

To use yum, the yum repo to be installed in /etc/yum.repos.d can be found at https://twiki.cern.ch/twiki/pub/EMI/EMI-1/rc3.repo

1.3.1.3 The Certification Authority repository

The most up-to-date version of the list of trusted Certification Authorities (CA) is needed on your node. The relevant yum repo can be installed issuing:

wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/egi-trustanchors.repo -O /etc/yum.repos.d/egi-trustanchors.repo

1.3.1.4 Important note on automatic updates

An update of an RPM not followed by configuration can cause problems. Therefore WE STRONGLY RECOMMEND NOT TO USE AUTOMATIC UPDATE PROCEDURE OF ANY KIND.

Running the script available at http://forge.cnaf.infn.it/frs/download.php/101/disable_yum.sh (implemented by Giuseppe Platania (INFN Catania) yum autoupdate will be disabled

1.3.2 Installation of a CREAM CE node in no cluster mode

First of all, install the yum-protectbase rpm:

  yum install yum-protectbase.noarch 

Then proceed with the installation of the CA certificates.

1.3.2.1 Installation of the CA certificates

The CA certificate can be installed issuing:

yum install ca-policy-egi-core 

1.3.2.2 Installation of the CREAM CE software

To install the middleware software needed for the CREAM CE, install first of all Sun JDK ( jdk) or openjdk ( java-1.6.0-openjdk)

Then install xml-commons-apis:

yum install xml-commons-apis 

This is due to a dependency problem within the Tomcat distribution

Then install the CREAM-CE metapackage:

yum install emi-cream-ce

1.3.2.3 Installation of the batch system specific software

After the installation of the CREAM CE metapackage it is necessary to install the batch system specific metapackage(s).

If you are running LSF, install the emi-lsf-utils metapackage:

yum install emi-lsf-utils

1.3.3 Installation of a CREAM CE node in cluster mode

First of all, install the yum-protectbase rpm:

  yum install yum-protectbase.noarch 

Then proceed with the installation of the CA certificates.

1.3.3.1 Installation of the CA certificates

The CA certificate can be installed issuing:

yum install ca-policy-egi-core 

1.3.3.2 Installation of the CREAM CE software

To install the middleware software needed for the CREAM CE, install first of all Sun JDK ( jdk) or openjdk ( java-1.6.0-openjdk)

Then install xml-commons-apis:

yum install xml-commons-apis 

This is due to a dependency problem within the Tomcat distribution

Then install the CREAM-CE metapackage:

yum install emi-cream-ce

1.3.3.3 Installation of the batch system specific software

After the installation of the CREAM CE metapackage it is necessary to install the batch system specific metapackage(s).

If you are running LSF, install the emi-lsf-utils metapackage:

yum install emi-lsf-utils

1.3.3.4 Installation of the cluster metapackage

If the CREAM CE node has to host also the glite-cluster, install also this metapackage:

yum install emi-cluster 

1.3.4 Installation of a glite-cluster node

First of all, install the yum-protectbase rpm:

  yum install yum-protectbase.noarch 

Then proceed with the installation of the CA certificates.

1.3.4.1 Installation of the CA certificates

The CA certificate can be installed issuing:

yum install ca-policy-egi-core 

1.3.4.2 Installation of the cluster metapackage

Install the glite-CLUSTER metapackage:

yum install emi-cluster 

1.3.5 Installation of the BLAH BLparser

If the new BLAH Blparser must be used, there isn't anything to be installed for the BLAH Blparser (i.e. the installation of the CREAM-CE is enough).

This is also the case when the old BLAH Blparser must be used AND the BLPARSER_HOST is the CREAM-CE.

Only when the old BLAH Blparser must be used AND the BLPARSER_HOST is different than the CREAM-CE, it is necessary to install the BLParser software on this BLPARSER_HOST. This is done in the following way:

yum install glite-ce-blahp 
yum install glite-yaim-cream-ce

1.3.6 Installation of the CREAM CLI

The CREAM CLI is part of the EMI-UI. To install it please refer to xxx.

1.4 Configuration

1.4.1 Using the YAIM configuration tool

For a detailed description on how to configure the middleware with YAIM, please check the YAIM guide.

The necessary YAIM modules needed to configure a certain node type are automatically installed with the middleware.

1.4.2 Configuration of a CREAM CE node in no cluster mode

1.4.2.1 Install host certificate

The CREAM CE node requires the host certificate/key files to be installed. Contact your national Certification Authority (CA) to understand how to obtain a host certificate if you do not have one already.

Once you have obtained a valid certificate:

  • hostcert.pem - containing the machine public key
  • hostkey.pem - containing the machine private key
make sure to place the two files in the target node into the /etc/grid-security directory. Then set the proper mode and ownerships doing:

chown root.root /etc/grid-security/hostcert.pem
chown root.root /etc/grid-security/hostkey.pem
chmod 600 /etc/grid-security/hostcert.pem
chmod 400 /etc/grid-security/hostkey.pem

1.4.2.2 Configure the siteinfo.def file

Set your siteinfo.def file, which is the input file used by yaim. Documentation about yaim variables relevant for CREAM CE is available at https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#cream_CE

Be sure that CREAMCE_CLUSTER_MODE is set to no (or not set at all).

1.4.2.3 Run yaim

After having filled the siteinfo.def file, run yaim:

/opt/glite/yaim/bin/yaim -c -s <site-info.def> -n creamCE -n <LRMSnode> 

Examples:

  • Configuration of a CREAM CE in no cluster mode using LSF as batch system

     /opt/glite/yaim/bin/yaim -c -s <site-info.def> -n creamCE -n LSF_utils 

1.4.3 Configuration of a CREAM CE node in cluster mode

1.4.3.1 Install host certificate

The CREAM CE node requires the host certificate/key files to be installed. Contact your national Certification Authority (CA) to understand how to obtain a host certificate if you do not have one already.

Once you have obtained a valid certificate:

  • hostcert.pem - containing the machine public key
  • hostkey.pem - containing the machine private key
make sure to place the two files in the target node into the /etc/grid-security directory. Then set the proper mode and ownerships doing:

chown root.root /etc/grid-security/hostcert.pem
chown root.root /etc/grid-security/hostkey.pem
chmod 600 /etc/grid-security/hostcert.pem
chmod 400 /etc/grid-security/hostkey.pem

1.4.3.2 Configure the siteinfo.def file

Set your siteinfo.def file, which is the input file used by yaim. Documentation about yaim variables relevant for CREAM CE is available at https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#cream_CE

Be sure that CREAMCE_CLUSTER_MODE is set to yes

1.4.3.3 Run yaim

After having filled the siteinfo.def file, run yaim:

/opt/glite/yaim/bin/yaim -c -s <site-info.def> -n creamCE -n <LRMSnode> [-n glite-CLUSTER]

-n glite-CLUSTER must be specified only if the glite-CLUSTER is deployed in the same node of the CREAM-CE

Examples:

  • Configuration of a CREAM CE in cluster mode (with glite-CLUSTER deployed on a different node) using LSF as batch system

     /opt/glite/yaim/bin/yaim -c -s <site-info.def> -n creamCE -n LSF_utils 

  • Configuration of a CREAM CE in cluster mode (with glite-CLUSTER deployed on the same node of the CREAM-CE) using LSF as batch system

     /opt/glite/yaim/bin/yaim -c -s <site-info.def> -n creamCE -n LSF_utils -n glite-CLUSTER

1.4.4 Configuration of a glite-CLUSTER node

1.4.4.1 Install host certificate

The glite-CLUSTER node requires the host certificate/key files to be installed. Contact your national Certification Authority (CA) to understand how to obtain a host certificate if you do not have one already.

Once you have obtained a valid certificate:

  • hostcert.pem - containing the machine public key
  • hostkey.pem - containing the machine private key
make sure to place the two files in the target node into the /etc/grid-security directory. Then set the proper mode and ownerships doing:

chown root.root /etc/grid-security/hostcert.pem
chown root.root /etc/grid-security/hostkey.pem
chmod 600 /etc/grid-security/hostcert.pem
chmod 400 /etc/grid-security/hostkey.pem

1.4.4.2 Configure the siteinfo.def file

Set your siteinfo.def file, which is the input file used by yaim. Documentation about yaim variables relevant for glite-CLUSTER is available at https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#CLUSTER

1.4.4.3 Run yaim

After having filled the siteinfo.def file, run yaim:

/opt/glite/yaim/bin/yaim -c -s <site-info.def> -n glite-CLUSTER

1.4.5 Configuration of the BLAH Blparser

If the new BLAH Blparser must be used, there isn't anything to be configured for the BLAH Blparser (i.e. the configuration of the CREAM-CE is enough).

If the old BLparser must be used, it is necessary to configure it on the BLPARSER_HOST (which, as said above, can be the CREAM-CE node or on a different host). This is done in the following way:

/opt/glite/yaim/bin/yaim -r -s <site-info.def> -n creamCE -f config_cream_blparser

Then it is necessary to restart tomcat on the CREAM-CE node:

service tomcat5 restart

1.4.5.1 Configuration of the old BLAH Blparser to serve multiple CREAM CEs

The configuration instructions reported above explains how to configure a CREAM CE and the BLAH blparser (old model) considering the scenario where the BLAH blparser has to "serve" a single CREAM CE.

Considering that the blparser (old model) has to run where the batch system log files are available, let's consider a scenario where there are 2 CREAM CEs ( ce1.mydomain and ce2.mydomain) that must be configured. Let's suppose that the batch system log files are not available on these 2 CREAM CEs machine. Let's assume they are available in another machine ( blhost.mydomain), where the old blparser has to be installed.

The following summarizes what must be done:

  • In the /services/glite-creamce for ce1.mydomain set:

BLPARSER_HOST=blhost.mydomain
BLAH_JOBID_PREFIX=cre01_
BLP_PORT=33333

and configure ce1.mydomain via yaim:

/opt/glite/yaim/bin/yaim -c -s <site-info.def> -n creamCE -n <LRMSnode> [-n glite-CLUSTER]

  • In the /services/glite-creamce for ce2.mydomain set:

BLPARSER_HOST=blhost.mydomain
BLAH_JOBID_PREFIX=cre02_
BLP_PORT=33334

and configure ce2.mydomain via yaim:

/opt/glite/yaim/bin/yaim -c -s <site-info.def> -n creamCE -n <LRMSnode> [-n glite-CLUSTER]

  • In the /services/glite-creamce for blhost.mydomain sets:

CREAM_PORT=56565

and configure blhost.mydomain via yaim:

/opt/glite/yaim/bin/yaim -r -s <site-info.def> -n creamCE -f config_cream_blparser

  • In blhost.mydomain edit the file /etc/blparser.conf setting (considering the pbs/torque scenario):

GLITE_CE_BLPARSERPBS_NUM=2

# ce01.mydomain
GLITE_CE_BLPARSERPBS_PORT1=33333
GLITE_CE_BLPARSERPBS_CREAMPORT1=56565

# ce02.mydomain
GLITE_CE_BLPARSERPBS_PORT2=33334
GLITE_CE_BLPARSERPBS_CREAMPORT2=56566

  • Restart the blparser on blhost.mydomain:

/etc/init.d/glite-ce-blparser restart

  • Restart tomcat on ce01.mydomain and ce02.mydomain
You can of course replace 33333, 33334, 56565, 56566 (reported in the above examples) with other port numbers

1.4.6 Configuration of the CREAM CLI

The CREAM CLI is part of the EMI-UI. To configure it please refer to xxx.

2 Operating the system

2.1 Tomcat configuration guidelines

In /etc/tomcat5/tomcat5.conf, there are some settings related to heap. They are in the JAVA_OPTS setting (see -Xms and -Xmx).

It is suggested to customize such settings taking into account how much physical memory is available, as indicated in the following table (which refers to 64bit architectures):

Memory < 2 GB 2 - 4 GB > 4 GB
JAVA_OPTS setting -Xms128m -Xmx512m -Xms512m -Xmx1024m -Xms512m -Xmx2048m

After having done the changes, it is necessary to restart tomcat

2.2 How to start the CREAM service

A site admin can start the CREAM service just starting the CREAM container:

/etc/init.d/tomcat5 start

In case the new BLAH blparser is used, this will also start it (if not already running).

If for some reason it necessary to explicitly start the new BLAH blparser, the following command can be used:

/etc/init.d/glite-ce-blahparser start

If instead the old BLAH blparser is used, before starting tomcat it is necessary to start it on the BLPARSER_HOST using the command:

/etc/init.d/glite-ce-blparser start

To stop the CREAM service, it is just necessary to stop the CREAM container:

/etc/init.d/tomcat5 stop

2.3 Daemons

Information about daemons running in the CREAM CE is available in http://wiki.italiangrid.org/twiki/bin/view/CREAM/ServiceReferenceCard#Daemons_running

2.4 Init scripts

Information about init scripts in the CREAM CE is available in the http://wiki.italiangrid.org/twiki/bin/view/CREAM/ServiceReferenceCard#Init_scripts_and_options_start_s

2.5 Configuration files

Information about configuration files in the CREAM CE is available in http://wiki.italiangrid.org/twiki/bin/view/CREAM/ServiceReferenceCard#Configuration_files_location_wit

2.6 Log files

Information about log files in the CREAM CE is available in http://wiki.italiangrid.org/twiki/bin/view/CREAM/ServiceReferenceCard#Logfile_locations_and_management

2.7 Network ports

Information about ports used in the CREAM CE is available in http://wiki.italiangrid.org/twiki/bin/view/CREAM/ServiceReferenceCard#Open_ports

2.8 Cron jobs

Information about cron jobs used in the CREAM CE is available in http://wiki.italiangrid.org/twiki/bin/view/CREAM/ServiceReferenceCard#Cron_jobs

2.9 Security related operations

2.9.1 Security recommendations

Security recommendations relevant for the CREAM CE is available in http://wiki.italiangrid.org/twiki/bin/view/CREAM/ServiceReferenceCard#Security_recommendations

2.9.2 How to block/ban a user

Information about how to ban users is available in http://wiki.italiangrid.org/twiki/bin/view/CREAM/ServiceReferenceCard#How_to_block_ban_a_user

2.9.3 How to block/ban a VO

To ban a VO, it is suggested to reconfigure the service via yaim without that VO in the siteinfo.def

2.9.4 How to define a CREAM administrator

A CREAM administrator (aka super-user) can manage (e.g. cancel, check the status, etc.) also the jobs submitted by other people.

Moreover he/she can issue some privileged operations, in particular the ones to disable the new job submissions (glite-ce-disable-submission) and then to re-enable them (glite-ce-disable-submission)

To define a CREAM CE administrator for a specific CREAM CE, the DN of this person must be specified in the /etc/grid-security/admin-list of this CREAM CE node, e.g.:

"/C=IT/O=INFN/OU=Personal Certificate/L=Padova/CN=Massimo Sgaravatto"

Please note that including the DN between " is important

http://wiki.italiangrid.org/twiki/bin/view/CREAM/ServiceReferenceCard#Cron_jobs -- MassimoSgaravatto - 2011-04-07

Edit | Attach | PDF | History: r69 | r11 < r10 < r9 < r8 | Backlinks | Raw View | More topic actions...
Topic revision: r9 - 2011-04-19 - MassimoSgaravatto
 

  • Edit
  • Attach
This site is powered by the TWiki collaboration platformCopyright © 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback