ARGUSandGLEXECInstallations < SiteAdminCorner

Tags: , view all tags
%TOC%

---+ A guideline on how to deploy ARGUS and gLexec on own grid site

%TWISTY{
mode="div"
showlink="   *It was sent the following broadcast* "
hidelink="     *It was sent the following broadcast* " 
remember="off" firststart="hide"
showimgright="%ICONURLPATH{toggleopen}%"
hideimgright="%ICONURLPATH{toggleclose}%"
}%
<verbatim>
Dear site admins,
this message is relevant for sites supporting one or more LHC experiments,
i.e. any of the VOs "alice", "atlas", "cms" or "lhcb".

These VOs submit Multi User Pilot Jobs that are foreseen to make use of
the "glexec" utility to run payloads of individual users.

Deployment
----------

Please proceed with the deployment of gLExec as detailed on this page:

    https://twiki.cern.ch/twiki/bin/view/LCG/GlexecDeployment

Monitoring
----------

The glexec setup of any EGI partner site can be monitored by the SAM-Nagios
instance of the site's NGI or ROC:

1. The NGI/ROC needs to run SAM-Nagios Update-10 or later and configure it
   to run glexec tests (e.g. apply for "pilot" role in "ops" VO).

2. The _site_ should declare its CEs with the "gLExec" type in the GOC DB.

These matters are further explained here:

https://twiki.cern.ch/twiki/bin/view/LCG/GlexecDeployment#Monitoring_of_gLExec_tests

Please apply the necessary configurations such that your CEs appear on the
MyWLCG gLExec summary page (the link marked "NEW" on that page).
</verbatim>
%ENDTWISTY%

thereby all the sites that belong to [[http://gstat-prod.cern.ch/gstat/summary/GRID/WLCG/][WLCG]] federation should install gLexec on their farm and make monitor it. Here you can see how to do it

---++ *1 - Install an ARGUS server*

We recommend to install the *[[http://www.eu-emi.eu/products/-/asset_publisher/1gkD/content/argus-2][EMI-3 Argus]]*.

Use the following *[[https://twiki.cern.ch/twiki/bin/view/EMI/GenericInstallationConfigurationEMI3#Configuring_the_use_of_EMI_3_rep][repository settings]]*, from the *[[https://twiki.cern.ch/twiki/bin/view/EMI/GenericInstallationConfigurationEMI3][EMI-3 generic installation and configuration guide]]*; there is also an *[[https://twiki.cern.ch/twiki/bin/view/EGEE/ArgusEMIDeployment][Argus specific installation guide]]* that you may follow to install and configure this service

The Mandatory general variables are the following

   * *USERS_CONF*
   * *GROUPS_CONF*
   * *VOS* List of supported VO names
   * *VO_<vo-name>_VOMS_CA_DN VOMS CA DN* for each VO name listed in *VOS*
   * *VO_<vo-name>_VOMSES* VOMS definition for each VO name listed in *VOS*

The mandatory service specific variables can be found in */opt/glite/yaim/examples/siteinfo/services/glite-authz_server*

   * *ARGUS_HOST* Hostname of the Argus node
   * *PAP_ADMIN_DN* User certificate DN of the user that will be the PAP administrator

Moreover, have a look at the [[https://twiki.cern.ch/twiki/pub/EMI/ArgusEMIDocumentation/emi-argus-sys_admin_guide-1.0.0.pdf][Administrators guide]] ore [[https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework][here]] in order to see how to create and manage the authorization policies (an example will be provided soon).

Briefly the steps are the following:

   * *Installation*: yum install emi-argus

   *  *Configuration* create a site.def with only the *[[https://twiki.cern.ch/twiki/bin/view/EGEE/ArgusEMIYaimConfiguration][mandatory variables]]* (and in case some of the default ones if you need a different value for them)

   * Yaim: */opt/glite/yaim/bin/yaim -c -s site-info.def -n ARGUS_server*

   * At this point, the Argus services (PAP, PDP andP PEP Server, see [[https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework][Authorization Framework]]) must be configured, up and running:
      * information on [[https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage][The Simplified Policy Language]].
      * information on [[https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI][pap-admin command line interface]].
      * this is an example on the rules to set:
<verbatim>
# pap-admin lp

default (local):

resource "http://cnaf.infn.it/igi-bologna" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {
    }

    action ".*" {
        rule permit { vo="ops" }
        rule permit { vo="dteam" }
        rule permit { vo="infngrid" }
        rule permit { vo="comput-er.it" }
        rule permit { vo="gridit" }
        rule permit { vo="igi.italiangrid.it" }
        rule permit { vo="drihm.eu" }
        rule deny { vo="enmr.eu" }
    }
}

resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {
    }

    action "http://glite.org/xacml/action/execute" {
        rule permit { fqan="/ops/Role=pilot" }
    }
}
</verbatim>

---++ *2 - Install and configure gLexec on your WNs*

We suggest you upgrade the WNs to EMI-3 so you install the [[http://www.eu-emi.eu/releases/emi-3-montebianco/products/-/asset_publisher/5dKm/content/glexec-wn-1][latest gLExec version]].

Briefly the steps are the following:

   * *Installation*: yum install glexec-wn yaim-glexec-wn

   *  *Configuration*: set at least the *[[https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn][mandatory variables]]* (and in case some of the default ones if you need a different value for them)
tipically set the following in services/glite-glexec_wn:
GLEXEC_WN_SCAS_ENABLED="no"

GLEXEC_WN_ARGUS_ENABLED="yes"

GLEXEC_WN_OPMODE="setuid"

   * Yaim: (example of WN with torque and MPI) */opt/glite/yaim/bin/yaim -c -s site-info.def -n MPI_WN -n WN -n TORQUE_client -n GLEXEC_wn*


---++ *3 - properly configure your CREAM*

You have to properly set 3 yaim variable in the site.def related to CREAM/ARGUS interaction

   * *USE_ARGUS*
   * *ARGUS_PEPD_ENDPOINTS*
   * *CREAM_PEPC_RESOURCEID*

Here an exeample on how to set them:

<verbatim>
#########################################
# ARGUS authorisation framework control #
#########################################

# Set USE_ARGUS to yes to enable the configuration of ARGUS
USE_ARGUS=yes

# In case ARGUS is to be used the following should be set
# The ARGUS service PEPD endpoints as a space separated list:
#ARGUS_PEPD_ENDPOINTS="http://pepd.example.org:8154/authz"
ARGUS_PEPD_ENDPOINTS="https://arguto.cnaf.infn.it:8154/authz"

# ARGUS resource identities: The resource ID can be set
# for the cream CE, WMS and other nodes respectively.
# If a resource ID is left unset the ARGUS configuration
# will be skipped on the associated node.
# CREAM_PEPC_RESOURCEID=urn:mysitename.org:resource:ce
# WMS_PEPC_RESOURCEID=urn:mysitename.org:resource:wms
# GENERAL_PEPC_RESOURCEID=urn:mysitename.org:resource:other
CREAM_PEPC_RESOURCEID="http://cnaf.infn.it/igi-bologna"
</verbatim>

Don't forget to set in CE_CAPABILITY the  glexec parameter, for example:

<verbatim>
CE_CAPABILITY="CPUScalingReferenceSI00=1039 glexec"
</verbatim>

Then reconfigure with yaim your CREAM as usual

---++ *4 - enable gLexec monitoring*

go on https://goc.egi.eu/portal/index.php and add the service endpoint "gLExec" to your CREAM

-- Main.AlessandroPaolini - 2013-10-25
Topic revision: r5 - 2014-02-13 - AlessandroPaolini
Account
- Log In
Edit
Attach