---+ IGI (based on EMI) Installation and Configuration

%TOC%

---++ *Installation*

---+++ OS installation

Install SL5 using the [[http://linuxsoft.cern.ch/scientific/5x/][SL5.X repository (CERN mirror)]] or one of the supported <acronym title="Operating System">OS</acronym> (RHEL5 clones).

You can find information on the official repositories at [[https://www.scientificlinux.org/documentation/faq/yum.apt.repo][Repositories for APT and YUM]]. <br />
If you want to set up a local installation server, please refer to the [[http://igrelease.forge.cnaf.infn.it/doku.php?id=doc:tips:mrepo][Mrepo Quick Guide]].

*NOTE*: Please check that =NTP=, =cron= and =logrotate= are installed; if they are not, install them!

---++++ Check the FQDN hostname

Ensure that the hostnames of your machines are correctly set. Run the command:

<pre>
hostname -f
</pre>

It should print the fully qualified domain name (e.g. =prod-ce.mydomain.it=). Correct your network configuration if it prints only the hostname without the domain.

If you are installing WNs on a private network, the command must return the external FQDN for the CE and the SE (e.g. =prod-ce.mydomain.it=) and the internal FQDN for the WNs (e.g. =node001.myintdomain=).

---+++ Repository Settings

For more details on the repositories, see the [[http://wiki.italiangrid.org/twiki/bin/view/IGIRelease/RepositoriesSpecifications][Repository Specifications]].

If it is not present by default on your SL5/x86_64 nodes, you should enable the EPEL repository (https://fedoraproject.org/wiki/EPEL).

EPEL has an 'epel-release' package that includes the GPG keys for package signing and the repository information. Installing this package, <a target="_top" href="http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm">http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm</a>, should allow you to use normal tools such as yum to install packages and their dependencies.
By default the stable EPEL repo is enabled. Example of an *epel.repo* file:

<pre>
[extras]
name=epel
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
protect=0
</pre>

*IMPORTANT NOTE*: If the dag.repo is present and enabled, remember to disable it.

Only the following repositories should be enabled (Operating System, EPEL, Certification Authority, EMI):

| *Common repositories (x86_64)* |
| epel.repo |
| emi.repo (emi1-base.repo emi1-third-party.repo emi1-updates.repo) |
| [[http://repo-pd.italiangrid.it/mrepo/repos/egi-trustanchors.repo][egi-trustanchors.repo]] |

To install the EMI repo files with the associated GPG key, first install these packages, which protect the base repo files, and then install the EMI release rpm:

<pre>
yum install yum-priorities yum-protectbase
</pre>

<pre>
rpm -ivh http://emisoft.web.cern.ch/emisoft/dist/EMI/1/sl5/x86_64/updates/emi-release-1.0.1-1.sl5.noarch.rpm
</pre>

---++ *Generic Configuration*

---+++ Configuration files

---++++ IGI YAIM configuration files

YAIM configuration files should be stored in a _directory structure_. All the files involved *HAVE* to be under the same folder <confdir>, in a safe place which *is not world readable*. This directory should contain:

| *File* | *Scope* | *Example* | *Details* |
| =<your-site-info.def>= | *whole-site* | [[https://forge.cnaf.infn.it/plugins/scmsvn/viewcvs.php/branches/BRANCH-4_0_X/ig-yaim/examples/siteinfo/ig-site-info.def?rev=5964&root=igrelease&view=markup][ig-site-info.def]] | List of configuration variables in the format of key-value pairs. <br /> It's a *mandatory* file. <br /> It's a parameter passed to the ig_yaim command. <br /> *IMPORTANT*: You should always check that your <your-site-info.def> is up to date by comparing it with the latest /opt/glite/yaim/examples/siteinfo/ig-site-info.def template deployed with ig-yaim and integrating the differences you find. <br /> For example you may use vimdiff: <pre>vimdiff /opt/glite/yaim/examples/siteinfo/ig-site-info.def <confdir>/<your-site-info.def></pre> |
| =<your-wn-list.conf>= | *whole-site* | - | Worker nodes list, one hostname.domainname per row. <br /> It's a *mandatory* file. <br /> It's defined by the WN_LIST variable in <your-site-info.def>. |
| =<your-users.conf>= | *whole-site* | [[https://forge.cnaf.infn.it/plugins/scmsvn/viewcvs.php/branches/BRANCH-4_0_X/ig-yaim/examples/ig-users.conf?rev=6066&root=igrelease&view=markup][ig-users.conf]] | Pool account user mapping. <br /> It's a *mandatory* file. <br /> It's defined by the USERS_CONF variable in <your-site-info.def>. <br /> *IMPORTANT*: You may create <your-users.conf> starting from the /opt/glite/yaim/examples/ig-users.conf template deployed with ig-yaim, but you will probably have to fill it in according to your site policy on uids/gids. We suggest proceeding as explained here: _"[[http://igrelease.forge.cnaf.infn.it/doku.php?id=doc:use_cases:users][Whole site: How to create local users.conf and configure users]]"_. |
| =<your-groups.conf>= | *whole-site* | [[https://forge.cnaf.infn.it/plugins/scmsvn/viewcvs.php/branches/BRANCH-4_0_X/ig-yaim/examples/ig-groups.conf?rev=6075&root=igrelease&view=markup][ig-groups.conf]] | VOMS group mapping. <br /> It's a *mandatory* file. <br /> It's defined by the GROUPS_CONF variable in <your-site-info.def>. <br /> *IMPORTANT*: You may create <your-groups.conf> starting from the /opt/glite/yaim/examples/ig-groups.conf template deployed with ig-yaim. |

---++++ Additional files

Furthermore the configuration folder can contain:

| *Directory* | *Scope* | *Details* |
| =services/= | *service-specific* | It contains a file per nodetype with the name format: ig-node-type. <br /> The file contains a list of configuration variables specific to that nodetype.<br /> Each yaim module distributes a configuration file in /opt/glite/yaim/examples/siteinfo/services/[ig or glite]-node-type. <br /> It's a *mandatory* directory if required by the profile and *you should copy it* under the same directory where <your-site-info.def> is. |
| =nodes/= | *host-specific* | It contains a file per host with the name format: hostname.domainname. <br /> The file contains host-specific variables that differ from one host to another within a site. <br /> It's an *optional* directory. |
| =vo.d/= | *VO-specific* | It contains a file per VO with the name format: vo_name, but most of the VO settings are still placed in the ig-site-info.def template. For example, for "<code>lights.infn.it</code>": <pre># cat vo.d/lights.infn.it<br />SW_DIR=$VO_SW_DIR/lights<br />DEFAULT_SE=$SE_HOST<br />VOMS_SERVERS="vomss://voms2.cnaf.infn.it:8443/voms/lights.infn.it?/lights.infn.it"<br />VOMSES="lights.infn.it voms2.cnaf.infn.it 15013 /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it lights.infn.it"</pre> <p>It's an *optional* directory for "normal" VOs (like atlas, alice, babar), *mandatory* only for "fqdn-like" VOs. In case you support such VOs *you should copy* the structure vo.d/<vo.specific.file> under the same directory where <your-site-info.def> is.</p> |
| =group.d/= | *VO-specific* | It contains a file per VO with the name format: groups-<vo_name>.conf. <br /> The file contains VO-specific groups and replaces the former <your-groups.conf> file, where all the VO groups were specified together. <br /> It's an *optional* directory. |

The optional folders are created to allow system administrators to organise their configurations in a more structured way.

---++ *BDII Site installation and Configuration*

See the Repository Settings section of this documentation and make sure you have the common repo files.<br />
Before starting the installation procedure, remember to clean all yum cache and headers:

<pre>
yum clean all
</pre>

---+++ CAs installation

   * Install the CAs on ALL profiles:

<pre>
yum install ca-policy-egi-core
</pre>

---+++ Service installation

   * Install the BDII_site metapackage, containing all packages needed by this service:

<pre>
yum install emi-bdii-site
</pre>

---+++ *Service Configuration*

To properly configure the BDII site profile you have to customize this file with your site parameters:

   * [[https://forge.cnaf.infn.it/plugins/scmsvn/viewcvs.php/branches/BRANCH-4_0_X/ig-yaim/examples/siteinfo/ig-site-info.def?rev=5964&root=igrelease&view=markup][ig-site-info.def]]

If you would like to customize the BDII_site service you can modify the variables in the service-specific file in the =services/= directory. You will find an example in:

<pre>
/opt/glite/yaim/examples/siteinfo/services/glite-bdii_site
</pre>

---++++ YAIM Verification

Certificate will not expire.

   * Before starting the configuration *PLEASE TEST* that you have defined all the mandatory variables and that all configuration files contain all the site-specific values needed:

<pre>
/opt/glite/yaim/bin/yaim -v -s <site-info.def> -n BDII_site
</pre>

The mandatory variables are:

SITE_DESC<br />
SITE_EMAIL<br />
SITE_NAME<br />
SITE_LOC<br />
SITE_LAT<br />
SITE_LONG<br />
SITE_WEB<br />
SITE_SECURITY_EMAIL<br />
SITE_SUPPORT_EMAIL<br />
SITE_OTHER_GRID<br />
SITE_BDII_HOST<br />
BDII_REGIONS

Most of those are in the file [[https://forge.cnaf.infn.it/plugins/scmsvn/viewcvs.php/branches/BRANCH-4_0_X/ig-yaim/examples/siteinfo/services/ig-bdii_site?rev=5986&root=igrelease&view=markup][ig-bdii_site]] in the services directory (the best approach is to modify that file). Remember in particular to set:

<pre>
SITE_OTHER_GRID="WLCG|EGI"
SITE_OTHER_EGI_NGI="NGI_IT"
</pre>

If no errors are reported you can proceed to the configuration; otherwise correct them before continuing.

---++++ YAIM Configuration

Please use the debug flag ( ="-d 6"= ) to configure the services in order to have detailed information. For your convenience you can save all the configuration information in a log file that you can look at any time, separate from the default =yaimlog= one.

<pre>
/opt/glite/yaim/bin/yaim -c -d 6 -s <site-info.def> -n BDII_site 2>&1 | tee /root/conf_BDII.`hostname -s`.`date +%Y%m%d-%H%M%S`.log
</pre>

---+++ Service Testing - Reference Card

After installing the service, to check that everything was installed properly, have a look at the [[https://twiki.cern.ch/twiki/bin/view/EMI/GLiteInformationSystem][Service BDII_site Reference Card]]. On that page you can find where all the log files are written, which daemons are running after installation and other useful service information.

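The two things this guide asks you to verify before running =yaim -c= for BDII_site (a <confdir> that is not world readable, and the mandatory variables listed above) can also be checked with a short script. This is an added example, not part of the original guide or of YAIM: the function names are hypothetical, it assumes GNU =stat=, and treating an empty or commented-out assignment as "unset" is a choice made for this example.

```shell
#!/bin/sh
# Added example (not from the original guide or from YAIM): checks on <confdir>
# before running "yaim -c". Function names are hypothetical; assumes GNU stat.

# Mandatory BDII_site variables, as listed in the YAIM Verification section.
BDII_SITE_VARS="SITE_DESC SITE_EMAIL SITE_NAME SITE_LOC SITE_LAT SITE_LONG SITE_WEB
SITE_SECURITY_EMAIL SITE_SUPPORT_EMAIL SITE_OTHER_GRID SITE_BDII_HOST BDII_REGIONS"

# confdir_private DIR: succeed only if DIR grants no permission at all to "other".
confdir_private() {
    case $(stat -c '%a' "$1" 2>/dev/null) in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# missing_vars "VAR..." FILE...: print every VAR that has no uncommented,
# non-empty VAR=value assignment in any FILE (unreadable files are skipped).
missing_vars() (
    vars=$1; shift
    for v in $vars; do
        cat "$@" 2>/dev/null |
            grep -E "^[[:space:]]*$v=" |
            grep -Evq "^[[:space:]]*$v=(\"\"|'')?[[:space:]]*(#.*)?\$" || echo "$v"
    done
)

# Demo on a constructed <confdir> (sample values, not a real site).
demo() (
    d=$(mktemp -d); mkdir "$d/services"
    printf '%s\n' 'SITE_NAME="EXAMPLE-SITE"' 'SITE_EMAIL=grid-admin@example.org' \
        '#SITE_WEB="http://www.example.org"' 'SITE_LOC=""' > "$d/site-info.def"
    printf '%s\n' 'SITE_DESC="Example site"' 'SITE_OTHER_GRID="WLCG|EGI"' \
        'SITE_BDII_HOST=prod-bdii.mydomain.it' > "$d/services/ig-bdii_site"
    chmod 0755 "$d"
    confdir_private "$d" || echo "WARNING: $d is accessible to other users"
    echo "Unset mandatory variables:"
    missing_vars "$BDII_SITE_VARS" "$d/site-info.def" "$d/services/ig-bdii_site"
    rm -rf "$d"
)
demo
```

On a real node, call =confdir_private <confdir>= and =missing_vars "$BDII_SITE_VARS" <confdir>/<your-site-info.def> <confdir>/services/ig-bdii_site=; =yaim -v= remains the authoritative verification.
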
---++ *BDII Top installation and Configuration*

See the Repository Settings section of this documentation and make sure you have the common repo files.<br />
Before starting the installation procedure, remember to clean all yum cache and headers:

<pre>
yum clean all
</pre>

---+++ CAs installation

   * Install the CAs on ALL profiles:

<pre>
yum install ca-policy-egi-core
</pre>

---+++ Service installation

   * Install the BDII_top metapackage, containing all packages needed by this service:

<pre>
yum install emi-bdii-top
</pre>

---+++ *Service Configuration*

To properly configure the BDII top profile you have to customize this file with your site parameters:

   * [[https://forge.cnaf.infn.it/plugins/scmsvn/viewcvs.php/branches/BRANCH-4_0_X/ig-yaim/examples/siteinfo/ig-site-info.def?rev=5964&root=igrelease&view=markup][ig-site-info.def]]

---++++ YAIM Verification

   * Before starting the configuration *PLEASE TEST* that you have defined all the mandatory variables and that all configuration files contain all the site-specific values needed:

<pre>
/opt/glite/yaim/bin/yaim -v -s <site-info.def> -n BDII_top
</pre>

The mandatory variable is:

BDII_HOST

If no errors are reported you can proceed to the configuration; otherwise correct them before continuing.

---++++ YAIM Configuration

Please use the debug flag ( ="-d 6"= ) to configure the services in order to have detailed information. For your convenience you can save all the configuration information in a log file that you can look at any time, separate from the default =yaimlog= one.

<pre>
/opt/glite/yaim/bin/yaim -c -d 6 -s <site-info.def> -n BDII_top 2>&1 | tee /root/conf_BDII.`hostname -s`.`date +%Y%m%d-%H%M%S`.log
</pre>

---+++ Service Testing - Reference Card

After installing the service, to check that everything was installed properly, have a look at the [[https://twiki.cern.ch/twiki/bin/view/EMI/GLiteInformationSystem][Service BDII_top Reference Card]].
On that page you can find where all the log files are written, which daemons are running after installation and other useful service information.

---++ *StoRM installation and Configuration*

See the Repository Settings section of this documentation and make sure you have the common repo files.<br />
Before starting the installation procedure, remember to clean all yum cache and headers:

<pre>
yum clean all
</pre>

---+++ StoRM Prerequisites

---++++ Host certificate installation

Hosts participating in the StoRM-SE (FE, BE and GridFTP hosts) must be configured with X.509 certificates signed by a trusted Certification Authority (CA). Usually the host certificate (hostcert.pem) and its private key (hostkey.pem) are located in the /etc/grid-security/ directory, and they must have permissions 0644 and 0400 respectively:

<b>Check existence</b><br />
<pre>
[~]# ls -l /etc/grid-security/hostkey.pem
-r-------- 1 root root 887 Mar 1 17:08 /etc/grid-security/hostkey.pem
[~]# ls -l /etc/grid-security/hostcert.pem
-rw-r--r-- 1 root root 1440 Mar 1 17:08 /etc/grid-security/hostcert.pem
</pre>

<b>Check expiration</b><br />
<pre>
[~]# openssl x509 -in /etc/grid-security/hostcert.pem -noout -dates
</pre>

<b>Change permission (if needed)</b><br />
<pre>
[~]# chmod 0400 /etc/grid-security/hostkey.pem
[~]# chmod 0644 /etc/grid-security/hostcert.pem
</pre>

---++++ ACL SUPPORT

If you are installing a new StoRM instance this check must be done; if you are updating an existing installation, or your storage already has ACLs enabled, you can skip this step.

StoRM uses the ACLs on files and directories to implement its security model, and to do so it uses native access to the file system. Therefore, for StoRM to run properly, ACLs need to be enabled on the underlying file system (sometimes they are enabled by default) and must work properly.

<b>Check ACL:</b>
<pre>
[~]# touch test
[~]# setfacl -m u:storm:rw test
</pre>

Note: the storm user used to set the ACL entry must exist.
<pre>
[~]# getfacl test
# file: test
# owner: root
# group: root
user::rw-
user:storm:rw-
group::r--
mask::rw-
other::r--
[~]# rm -f test
</pre>

<b>Install ACL (if needed):</b><br />
If the getfacl and setfacl commands are not available on your host:

<pre>
[~]# yum install acl
</pre>

<b>Enable ACL (if needed):</b><br />
To enable ACLs, you must add the acl property to the relevant file system in your /etc/fstab file. For example:

<pre>
[~]# vi /etc/fstab
...
/dev/hda3 /storage ext3 defaults,acl 1 2
...
</pre>

Then you need to remount the affected partitions as follows:

<pre>
[~]# mount -o remount /storage
</pre>

This is valid for different file system types (e.g. ext3, xfs, gpfs and others).

---++++ EXTENDED ATTRIBUTE SUPPORT

StoRM uses Extended Attributes (EA) on files to store some metadata related to the file (e.g. the checksum value); therefore, for StoRM to run properly, EA support needs to be enabled on the underlying file system and must work properly.

Note: depending on the OS kernel distribution, for Reiser3, ext2 and ext3 file systems the default kernel configuration may not enable EA.

<b>Check Extended Attribute Support:</b>
<pre>
[~]# touch testfile
[~]# setfattr -n user.testea -v test testfile
[~]# getfattr -d testfile
# file: testfile
user.testea="test"
[~]# rm -f testfile
</pre>

<b>Install attr (if needed):</b><br />
If the getfattr and setfattr commands are not available on your host:

<pre>
[~]# yum install attr
</pre>

<b>Enable EA (if needed):</b><br />
To set extended attributes, you must add the user_xattr property to the relevant file systems in your /etc/fstab file. For example:

<pre>
[~]# vi /etc/fstab
...
/dev/hda3 /storage ext3 defaults,acl,user_xattr 1 2
...
</pre>

Then you need to remount the affected partitions as follows:

<pre>
[~]# mount -o remount /storage
</pre>

---+++ CAs installation

   * Install the CAs on ALL profiles:

<pre>
yum install ca-policy-egi-core
</pre>

---+++ Service installation

   * Install the StoRM metapackages, containing all packages needed by these four services:

<pre>
yum install emi-storm-backend-mp
yum install emi-storm-frontend-mp
yum install emi-storm-globus-gridftp-mp
yum install emi-storm-gridhttps-mp
</pre>

---+++ *Service Configuration*

To properly configure the StoRM BackEnd and FrontEnd profiles you have to customize the ig-site-info.def file with your site parameters:

   * [[https://forge.cnaf.infn.it/plugins/scmsvn/viewcvs.php/branches/BRANCH-4_0_X/ig-yaim/examples/siteinfo/ig-site-info.def?rev=5964&root=igrelease&view=markup][ig-site-info.def]]
   * [[https://forge.cnaf.infn.it/plugins/scmsvn/viewcvs.php/branches/BRANCH-4_0_X/ig-yaim/examples/ig-users.conf?rev=6066&root=igrelease&view=markup][ig-users.conf]]
   * [[https://forge.cnaf.infn.it/plugins/scmsvn/viewcvs.php/branches/BRANCH-4_0_X/ig-yaim/examples/ig-groups.conf?rev=6075&root=igrelease&view=markup][ig-groups.conf]]

---++++ YAIM Verification

   * Before starting the configuration *PLEASE TEST* that you have defined all the mandatory variables for all the StoRM profiles.

<pre>
/opt/glite/yaim/bin/yaim -v -s <site-info.def> -n se_storm_backend -n se_storm_frontend
</pre>

You can find all the mandatory variables in the [[http://storm.forge.cnaf.infn.it/_media/documentation/storm-sysadminguide.pdf?id=documentation][System Administrator Guide]], in the section <b>GENERAL YAIM VARIABLES</b>.

If no errors are reported by the verification you can proceed to the configuration; otherwise correct them before continuing.

---++++ YAIM Configuration

Please use the debug flag ( ="-d 6"= ) to configure the services in order to have detailed information.
For your convenience you can save all the configuration information in a log file that you can look at any time, separate from the default =yaimlog= one.

<pre>
/opt/glite/yaim/bin/yaim -c -d 6 -s <site-info.def> -n se_storm_backend -n se_storm_frontend 2>&1 | tee /root/conf_StoRM_BE_FE.`hostname -s`.`date +%Y%m%d-%H%M%S`.log
</pre>

<b>IMPORTANT NOTE</b>: The order of the profiles is important and must be: -n se_storm_backend -n se_storm_frontend

---+++ Service Testing - Reference Card

After installing the service, to check that everything was installed properly, have a look at the [[https://twiki.cern.ch/twiki/bin/view/EMI/StoRMPTServiceReferenceCard][Service StoRM Reference Card]]. On that page you can find where all the log files are written, which daemons are running after installation and other useful service information.

-- Main.SergioTraldi - 2011-11-10
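The StoRM prerequisites described in this guide (host key and certificate permissions, certificate expiry, and the =acl= / =user_xattr= options in /etc/fstab) can be turned into repeatable checks. This is an added example, not part of the original guide or of StoRM: the function names are hypothetical and it assumes GNU =stat=, =awk= and =openssl=. The fstab check only inspects the configured options; the =setfacl= / =setfattr= tests above remain the functional proof.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for a StoRM host.
# Function names are hypothetical; assumes GNU stat, awk and openssl.

# check_mode FILE MODE: succeed only if FILE exists with exactly the octal MODE.
check_mode() (
    [ -e "$1" ] || { echo "MISSING  $1"; exit 1; }
    actual=$(stat -c '%a' "$1")
    [ "$actual" = "${2#0}" ] || { echo "BAD MODE $1: $actual, expected ${2#0}"; exit 1; }
    echo "OK       $1 mode $actual"
)

# cert_valid_for FILE DAYS: succeed if the certificate is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# fstab_check FSTAB MOUNTPOINT OPT...: succeed if the entry for MOUNTPOINT is
# well formed and its options field (4th column) contains every OPT.
fstab_check() (
    fstab=$1; mnt=$2; shift 2
    entry=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print NF, $4; exit }' "$fstab")
    [ -n "$entry" ] || { echo "NO ENTRY for $mnt in $fstab"; exit 1; }
    nf=${entry%% *}; opts=${entry#* }
    # A space inside the options list ("defaults, acl") shifts the remaining
    # columns, so the line ends up with more than the six fstab fields.
    [ "$nf" -le 6 ] || { echo "MALFORMED entry for $mnt: $nf fields"; exit 1; }
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "MISSING  option $want on $mnt (have: $opts)"; exit 1 ;;
        esac
    done
    echo "OK       $mnt options $opts"
)

# Demo on constructed sample data (a temporary directory, not the real host files).
demo() (
    d=$(mktemp -d)
    : > "$d/hostkey.pem";  chmod 0400 "$d/hostkey.pem"
    : > "$d/hostcert.pem"; chmod 0644 "$d/hostcert.pem"
    printf '%s\n' '/dev/hda3 /storage ext3 defaults,acl,user_xattr 1 2' \
                  '/dev/hda4 /scratch ext3 defaults, acl 1 2' > "$d/fstab"
    check_mode "$d/hostkey.pem" 0400
    check_mode "$d/hostcert.pem" 0644
    fstab_check "$d/fstab" /storage acl user_xattr
    fstab_check "$d/fstab" /scratch acl || echo "-> fix the entry, then remount"
    rm -rf "$d"
)
demo
```

On a StoRM host the same functions would be pointed at /etc/grid-security/hostkey.pem, /etc/grid-security/hostcert.pem and /etc/fstab, for example =cert_valid_for /etc/grid-security/hostcert.pem 30= to be warned a month before expiry.
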
Topic revision: r9 - 2011-11-15 - SergioTraldi
Copyright © 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.