Tags:
create new tag
,
view all tags
%TOC% ---+ A guideline on how to deploy ARGUS and gLexec on own grid site %TWISTY{ mode="div" showlink=" *It was sent the following broadcast* " hidelink=" *It was sent the following broadcast* " remember="off" firststart="hide" showimgright="%ICONURLPATH{toggleopen}%" hideimgright="%ICONURLPATH{toggleclose}%" }% <verbatim> Dear site admins, this message is relevant for sites supporting one or more LHC experiments, i.e. any of the VOs "alice", "atlas", "cms" or "lhcb". These VOs submit Multi User Pilot Jobs that are foreseen to make use of the "glexec" utility to run payloads of individual users. Deployment ---------- Please proceed with the deployment of gLExec as detailed on this page: https://twiki.cern.ch/twiki/bin/view/LCG/GlexecDeployment Monitoring ---------- The glexec setup of any EGI partner site can be monitored by the SAM-Nagios instance of the site's NGI or ROC: 1. The NGI/ROC needs to run SAM-Nagios Update-10 or later and configure it to run glexec tests (e.g. apply for "pilot" role in "ops" VO). 2. The _site_ should declare its CEs with the "gLExec" type in the GOC DB. These matters are further explained here: https://twiki.cern.ch/twiki/bin/view/LCG/GlexecDeployment#Monitoring_of_gLExec_tests Please apply the necessary configurations such that your CEs appear on the MyWLCG gLExec summary page (the link marked "NEW" on that page). </verbatim> %ENDTWISTY% thereby all the sites that belong to [[http://gstat-prod.cern.ch/gstat/summary/GRID/WLCG/][WLCG]] federation should install gLexec on their farm and make monitor it. Here you can see how to do it ---++ *1 - Install an ARGUS server* We recommend to install the *[[http://www.eu-emi.eu/products/-/asset_publisher/1gkD/content/argus-2][EMI-3 Argus]]*. Use the following *[[https://twiki.cern.ch/twiki/bin/view/EMI/GenericInstallationConfigurationEMI3#Configuring_the_use_of_EMI_3_rep][repository settings]]*, from the *[[https://twiki.cern.ch/twiki/bin/view/EMI/GenericInstallationConfigurationEMI3][EMI-3 generic installation and configuration guide]]*; there is also an *[[https://twiki.cern.ch/twiki/bin/view/EGEE/ArgusEMIDeployment][Argus specific installation guide]]* that you may follow to install and configure this service The Mandatory general variables are the following * *USERS_CONF* * *GROUPS_CONF* * *VOS* List of supported VO names * *VO_<vo-name>_VOMS_CA_DN VOMS CA DN* for each VO name listed in *VOS* * *VO_<vo-name>_VOMSES* VOMS definition for each VO name listed in *VOS* The mandatory service specific variables can be found in */opt/glite/yaim/examples/siteinfo/services/glite-authz_server* * *ARGUS_HOST* Hostname of the Argus node * *PAP_ADMIN_DN* User certificate DN of the user that will be the PAP administrator Moreover, have a look at the [[https://twiki.cern.ch/twiki/pub/EMI/ArgusEMIDocumentation/emi-argus-sys_admin_guide-1.0.0.pdf][Administrators guide]] ore [[https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework][here]] in order to see how to create and manage the authorization policies (an example will be provided soon). Briefly the steps are the following: * *Installation*: yum install emi-argus * *Configuration* create a site.def with only the *[[https://twiki.cern.ch/twiki/bin/view/EGEE/ArgusEMIYaimConfiguration][mandatory variables]]* (and in case some of the default ones if you need a different value for them) * Yaim: */opt/glite/yaim/bin/yaim -c -s site-info.def -n ARGUS_server* * At this point, the Argus services (PAP, PDP andP PEP Server, see [[https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework][Authorization Framework]]) must be configured, up and running: * information on [[https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage][The Simplified Policy Language]]. * information on [[https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI][pap-admin command line interface]]. * this is an example on the rules to set: <verbatim> # pap-admin lp default (local): resource "http://cnaf.infn.it/igi-bologna" { obligation "http://glite.org/xacml/obligation/local-environment-map" { } action ".*" { rule permit { vo="ops" } rule permit { vo="dteam" } rule permit { vo="infngrid" } rule permit { vo="comput-er.it" } rule permit { vo="gridit" } rule permit { vo="igi.italiangrid.it" } rule permit { vo="drihm.eu" } rule deny { vo="enmr.eu" } } } resource "http://authz-interop.org/xacml/resource/resource-type/wn" { obligation "http://glite.org/xacml/obligation/local-environment-map" { } action "http://glite.org/xacml/action/execute" { rule permit { fqan="/ops/Role=pilot" } } } </verbatim> ---++ *2 - Install and configure gLexec on your WNs* We suggest you upgrade the WNs to EMI-3 so you install the [[http://www.eu-emi.eu/releases/emi-3-montebianco/products/-/asset_publisher/5dKm/content/glexec-wn-1][latest gLExec version]]. Briefly the steps are the following: * *Installation*: yum install glexec-wn yaim-glexec-wn * *Configuration*: set at least the *[[https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn][mandatory variables]]* (and in case some of the default ones if you need a different value for them) tipically set the following in services/glite-glexec_wn: GLEXEC_WN_SCAS_ENABLED="no" GLEXEC_WN_ARGUS_ENABLED="yes" GLEXEC_WN_OPMODE="setuid" * Yaim: (example of WN with torque and MPI) */opt/glite/yaim/bin/yaim -c -s site-info.def -n MPI_WN -n WN -n TORQUE_client -n GLEXEC_wn* ---++ *3 - properly configure your CREAM* You have to properly set 3 yaim variable in the site.def related to CREAM/ARGUS interaction * *USE_ARGUS* * *ARGUS_PEPD_ENDPOINTS* * *CREAM_PEPC_RESOURCEID* Here an exeample on how to set them: <verbatim> ######################################### # ARGUS authorisation framework control # ######################################### # Set USE_ARGUS to yes to enable the configuration of ARGUS USE_ARGUS=yes # In case ARGUS is to be used the following should be set # The ARGUS service PEPD endpoints as a space separated list: #ARGUS_PEPD_ENDPOINTS="http://pepd.example.org:8154/authz" ARGUS_PEPD_ENDPOINTS="https://arguto.cnaf.infn.it:8154/authz" # ARGUS resource identities: The resource ID can be set # for the cream CE, WMS and other nodes respectively. # If a resource ID is left unset the ARGUS configuration # will be skipped on the associated node. # CREAM_PEPC_RESOURCEID=urn:mysitename.org:resource:ce # WMS_PEPC_RESOURCEID=urn:mysitename.org:resource:wms # GENERAL_PEPC_RESOURCEID=urn:mysitename.org:resource:other CREAM_PEPC_RESOURCEID="http://cnaf.infn.it/igi-bologna" </verbatim> Don't forget to set in CE_CAPABILITY the glexec parameter, for example: <verbatim> CE_CAPABILITY="CPUScalingReferenceSI00=1039 glexec" </verbatim> Then reconfigure with yaim your CREAM as usual ---++ *4 - enable gLexec monitoring* go on https://goc.egi.eu/portal/index.php and add the service endpoint "gLExec" to your CREAM -- Main.AlessandroPaolini - 2013-10-25
E
dit
|
A
ttach
|
PDF
|
H
istory
: r5
<
r4
<
r3
<
r2
<
r1
|
B
acklinks
|
V
iew topic
|
M
ore topic actions
Topic revision: r5 - 2014-02-13
-
AlessandroPaolini
Home
Site map
CEMon web
CREAM web
Cloud web
Cyclops web
DGAS web
EgeeJra1It web
Gows web
GridOversight web
IGIPortal web
IGIRelease web
MPI web
Main web
MarcheCloud web
MarcheCloudPilotaCNAF web
Middleware web
Operations web
Sandbox web
Security web
SiteAdminCorner web
TWiki web
Training web
UserSupport web
VOMS web
WMS web
WMSMonitor web
WeNMR web
SiteAdminCorner Web
Create New Topic
Index
Search
Changes
Notifications
RSS Feed
Statistics
Preferences
View
Raw View
Print version
Find backlinks
History
More topic actions
Edit
Raw edit
Attach file or image
Edit topic preference settings
Set new parent
More topic actions
Account
Log In
E
dit
A
ttach
Copyright © 2008-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki?
Send feedback