Notes about Installation and Configuration of EMI2 VOMS MySQL on SL6 (WORK IN PROGRESS)

  • These notes are provided by site admins on a best-effort basis as a contribution to the IGI communities and MUST NOT be considered a substitute for the official IGI documentation.
  • This document is addressed to site administrators responsible for middleware installation and configuration.
  • The goal of this page is to provide some hints and examples on how to install and configure a VOMS server based on EMI middleware.

References

  1. About IGI - Italian Grid infrastructure
  2. VOMS System administrator guide
  3. EMI website: VOMS
  4. EMI website: VOMS Admin
  5. EMI2 Generic Installation Guide
  6. About IGI Release
  7. IGI Official Installation and Configuration guide
  8. Troubleshooting Guide for Operational Errors on EGI Sites
  9. Grid Administration FAQs page
  10. VOMS Replication

Service installation

O.S. and Repos

  • Start from a fresh installation of Scientific Linux 6.x (x86_64):
# cat /etc/redhat-release 
Scientific Linux release 6.2 (Carbon) 

  • Install the additional repositories: EPEL, Certification Authority (the EGI trust anchors) and EMI2. Both the repo file and the emi-release RPM are fetched over plain http, so check the RPM signature (rpm -K) before installing it and leave gpgcheck=1 in the repo files, otherwise a tampered mirror can feed the server arbitrary packages that install as root.

# yum install yum-priorities yum-protectbase epel-release
# cd /etc/yum.repos.d/
# wget http://repo-pd.italiangrid.it/mrepo/repos/egi-trustanchors.repo
# rpm -ivh http://emisoft.web.cern.ch/emisoft/dist/EMI/2/sl6/x86_64/base/emi-release-2.0.0-1.sl6.noarch.rpm

  • Be sure that SELinux is disabled (or permissive). Permissive mode still records denials in /var/log/audit/audit.log, which is what you need if you later want to write a policy and run enforcing. Details on how to disable SELinux are here:

# getenforce 
Disabled

  • Check the repos list (sl-*.repo are the repos of the O.S. and they should be present by default; cnaf-local, lemon and puppetlabs in the listing below are site-specific and not needed for VOMS).

# ls /etc/yum.repos.d/
cnaf-local.repo        emi2-base.repo      emi2-third-party.repo  epel.repo          lemon.repo       sl-other.repo
egi-trustanchors.repo  emi2-contribs.repo  emi2-updates.repo      epel-testing.repo  puppetlabs.repo  sl.repo
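The repositories above are fetched over plain http, so gpgcheck=1 in each enabled repo section is what protects the install from a tampered mirror. The following check is added here as an example and is not part of the IGI page or of yum: it lists every enabled repo section in the given files that does not have gpgcheck=1, and every section whose baseurl or mirrorlist is plain http. The repo files it writes are constructed samples (the site mirror URL is invented); run it on /etc/yum.repos.d/*.repo for the real check.

```sh
#!/bin/sh
# Added check, not part of the IGI page or of yum. Sample repo files below are
# constructed; the site mirror host is a placeholder.
set -u

# Print "file:section" for every enabled repo section without gpgcheck=1.
# A section with no gpgcheck line inherits [main] from /etc/yum.conf and is
# reported as well, so that you confirm it deliberately.
repos_without_gpgcheck() {
    awk '
        function flush() {
            if (sec != "" && enabled != "0" && gpg != "1") print fname ":" sec
        }
        FNR == 1 { flush(); sec = "" }
        /^\[/ {
            flush()
            sec = $0; sub(/^\[/, "", sec); sub(/\].*/, "", sec)
            fname = FILENAME; enabled = "1"; gpg = ""
            next
        }
        /^[[:space:]]*enabled[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v); enabled = v
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v); gpg = v
        }
        END { flush() }
    ' "$@"
}

# Lines where packages or metadata come over plain http (no transport integrity;
# only the RPM signature protects you, hence the gpgcheck check above).
repos_over_plain_http() {
    grep -H -E '^[[:space:]]*(baseurl|mirrorlist)[[:space:]]*=[[:space:]]*http://' "$@"
}

# Constructed sample files in a scratch directory
demo_dir=$(mktemp -d)
cat > "$demo_dir/emi2-base.repo" <<'EOF'
[emi2-base]
name=EMI 2 base
baseurl=http://emisoft.web.cern.ch/emisoft/dist/EMI/2/sl6/x86_64/base
enabled=1
gpgcheck=1
EOF
cat > "$demo_dir/site-local.repo" <<'EOF'
[site-local]
name=site mirror (placeholder host)
baseurl=http://mirror.example.org/local
enabled=1
gpgcheck=0

[site-testing]
name=disabled, so not reported
baseurl=http://mirror.example.org/testing
enabled=0
gpgcheck=0
EOF

repos_without_gpgcheck "$demo_dir"/*.repo    # -> .../site-local.repo:site-local
repos_over_plain_http "$demo_dir"/*.repo     # -> the three baseurl lines
```

On a real host run it as `repos_without_gpgcheck /etc/yum.repos.d/*.repo`; anything it prints is a repo from which yum will install unsigned RPMs as root.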

yum install

# yum clean all
Loaded plugins: downloadonly, kernel-module, priorities, protect-packages, protectbase, security, verify, versionlock
Cleaning up Everything

# yum install ca-policy-egi-core
# yum install emi-voms-mysql
# yum install xml-commons-apis

see here for details

Service configuration

Copy the YAIM example configuration files to another directory, for example /root, and set them properly (see below). They will contain the MySQL root password and the VO database passwords in clear text, so keep them readable by root only:

# cp -r /opt/glite/yaim/examples/siteinfo/* .

and rename glite-voms_mysql (under services/) to glite-voms.

mysql configuration

  • if not running, start mysqld
# service mysqld start
Initializing MySQL database:  Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h vomsmania.cnaf.infn.it password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
                                                           [  OK  ]
Starting MySQL:                                            [  OK  ]

  • define the password for the root user (qualcosa is a placeholder):
# /usr/bin/mysqladmin -u root password qualcosa
Passing the password as a command-line argument exposes it to every local user through the process list and leaves it in the shell history; mysql_secure_installation, which prompts for it and also removes the anonymous accounts and the test database, is the better choice on a production server. Whichever way you set it, make sure that the MySQL administrator password you put in the YAIM VOMS configuration (MYSQL_PASSWORD in site-info.def) matches the password set for the MySQL root account.
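The following is an added example (not from the IGI page, yaim or the MySQL package) of doing the same step without the password on the command line: the password is read from the terminal, turned into the SQL that mysql_secure_installation would run (set the password on every root@<host> row MySQL created, drop anonymous users, drop remote root rows, drop the test database), and stored in a root-only /root/.my.cnf so that mysqldump and later checks do not need it on the command line either. The path /root/.my.cnf and the interactive read are assumptions; the functions that build the SQL and write the file run offline.

```sh
#!/bin/sh
# Added example, not part of the IGI page or of MySQL. Builds the hardening SQL
# and a root-only client config; the interactive part at the end is commented.
set -u

# Escape a value for use inside a single-quoted MySQL string literal
# (backslash first, then the quote, since MySQL treats \ as an escape).
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# SQL equivalent of mysql_secure_installation plus the password change.
# The UPDATE covers root@localhost, root@127.0.0.1 and root@<hostname> at once,
# which is what the two mysqladmin calls in the MySQL start-up banner do.
# The DELETE of remote root rows also drops root@<hostname>; keep it, since
# VOMS_DB_HOST=localhost never needs root over TCP.
harden_sql() {
    pw=$(sql_escape "$1")
    cat <<EOF
UPDATE mysql.user SET Password = PASSWORD('$pw') WHERE User = 'root';
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
FLUSH PRIVILEGES;
EOF
}

# Root-only client config so later tools read the password from a file instead
# of argv. Prints the resulting mode string. A password containing " or \ must
# be escaped MySQL-option-file style before being written here.
write_my_cnf() {
    cnf=$1; pw=$2
    ( umask 077; printf '[client]\nuser=root\npassword="%s"\n' "$pw" > "$cnf" )
    chmod 600 "$cnf"
    ls -l "$cnf" | cut -c1-10
}

# Interactive use on the VOMS host (not executed here):
#   printf 'New MySQL root password: '; stty -echo; read -r PW; stty echo; echo
#   harden_sql "$PW" | mysql -u root          # fresh install: root has no password yet
#   write_my_cnf /root/.my.cnf "$PW"          # prints -rw-------
#   mysql -e "SELECT User, Host FROM mysql.user"   # expect only root@localhost-type rows
# Put the same value in MYSQL_PASSWORD in site-info.def.
```

The SELECT at the end is the check: after hardening there must be no empty User and no root row with a Host outside localhost, 127.0.0.1 and ::1.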

OPTIONAL: importing a DB

Before scratching the server, dump the VOMS databases on the old installation:

# mysqldump -uroot -p --all-databases --flush-privileges > voms2_database_dump.sql

Now restore them on the new server:

# mysql -uroot -p < voms2_database_dump.sql

Note that --all-databases includes the mysql system database, so the restore overwrites the grant tables (the root password hash and the VO database users) with those of the old server: after the import the root password is the old one, and MYSQL_PASSWORD in site-info.def must match it. The dump contains every password hash and all VO membership data, so keep it readable by root only and delete it once the import has been verified.

site-info.def

MYSQL_PASSWORD=qualcosa
SITE_NAME=INFN-CNAF
BDII_DELETE_DELAY=0
VOS="icarus-exp.org"

services/glite-voms

# VOMS server hostname
VOMS_HOST=vomsmania.cnaf.infn.it

# The port on the VOMS server listening for request for each VO
# This is used in the vomses configuration file
# By convention, port numbers are allocated starting with 15000

VO_ICARUS_EXP_ORG_VOMS_PORT=15000

# Database name to be used to store VOMS information.
# Required on oracle installations, refers to the tns alias associated with the db.
#VO_<vo_name>_VOMS_DB_NAME=db_name

VO_ICARUS_EXP_ORG_VOMS_DB_NAME=voms_icarusexp_org

# Name of database user.
#VO_<vo_name>_VOMS_DB_USER=user_name

VO_ICARUS_EXP_ORG_VOMS_DB_USER=vo_adm

# Password of database user account.
# Note that the variable name actually set below (and accepted by yaim -v) is
# VO_<vo_name>_VOMS_DB_PASS; qualcosa is a placeholder.
#VO_<vo_name>_VOMS_DB_PASS=password

VO_ICARUS_EXP_ORG_VOMS_DB_PASS=qualcosa

# Hostname of the database server. Put 'localhost'
# if you run the database on the same machine.
# This parameter can be specified per VO in the following way:
# VO_<vo_name>_VOMS_DB_HOST
VOMS_DB_HOST='localhost'

# Host to which voms-admin-service-generated emails should
# be submitted. Use 'localhost' if you have an fully configured SMTP
# server running on this host. Otherwise specify the hostname of a working
# SMTP submission service.
# This parameter can be specified per VO in the following way:
# VO_<vo_name>_VOMS_ADMIN_SMTP_HOST
VOMS_ADMIN_SMTP_HOST=postino.cnaf.infn.it

# E-mail address that is used to send notification mails
# from the VOMS-admin.
# This parameter can be specified per VO in the following way:
# VO_<vo_name>_VOMS_ADMIN_MAIL
#VOMS_ADMIN_MAIL=mail

VO_ICARUS_EXP_ORG_VOMS_ADMIN_MAIL=indirizzo   # placeholder: put the VO admin mailbox here

# The path of the certificate file (in PEM format) of an initial VO administrator.
# The VO will be set up so that this user has full VO administration
# privileges. Only the public certificate is needed here, never the user's key.
# Uncomment this variable if you want to set up an initial VO administrator.
# This parameter can be specified per VO in the following way:
# VO_<vo_name>_VOMS_ADMIN_CERT
# VOMS_ADMIN_CERT=user_certificate
VOMS_ADMIN_CERT=/root/qualcuno.pem   # placeholder path

# The UNIX group that Tomcat is run under
# voms admin default is tomcat 5
# VOMS_ADMIN_TOMCAT_GROUP=new_value

# The UNIX group that the VOMS core service is run under
# voms admin default is voms
# VOMS_ADMIN_VOMS_GROUP=new_value
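The example above shows the YAIM naming rule for one VO: icarus-exp.org becomes the stem VO_ICARUS_EXP_ORG_ (upper-cased, with '.' and '-' turned into '_'). The script below is an added pre-flight check, not part of yaim or of the IGI page: it applies that rule to every VO listed in VOS, verifies that the per-VO port, database name, user and password are all set, that no two VOs share a VOMS port, and that site-info.def and services/glite-voms are not readable by group or others (they hold cleartext passwords). The sample configuration it writes is constructed from the values on this page, with qualcosa as placeholder password.

```sh
#!/bin/sh
# Added pre-flight check for the YAIM VOMS files; not part of yaim or the IGI
# page. Sample configuration below is constructed from the page's values.
set -u

# YAIM variable stem for a VO name: icarus-exp.org -> ICARUS_EXP_ORG
vo_var() {
    printf '%s' "$1" | tr 'a-z.-' 'A-Z__'
}

# Value of variable $2 in file $1 (last assignment wins, quotes removed)
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "'\""
}

# Returns 0 if site-info.def ($1) and services/glite-voms ($2) are consistent,
# otherwise prints the problems and returns 1.
check_voms_cfg() {
    site=$1; svc=$2; rc=0; ports=""
    for f in "$site" "$svc"; do
        case "$(ls -l "$f" | cut -c5-10)" in
            ------) ;;
            *) echo "WARN: $f holds cleartext passwords but is group/world readable"; rc=1 ;;
        esac
    done
    [ -n "$(cfg_get "$site" MYSQL_PASSWORD)" ] || { echo "ERR: MYSQL_PASSWORD unset"; rc=1; }
    for vo in $(cfg_get "$site" VOS); do
        v=$(vo_var "$vo")
        for suffix in VOMS_PORT VOMS_DB_NAME VOMS_DB_USER VOMS_DB_PASS; do
            [ -n "$(cfg_get "$svc" "VO_${v}_${suffix}")" ] \
                || { echo "ERR: VO_${v}_${suffix} unset for VO $vo"; rc=1; }
        done
        p=$(cfg_get "$svc" "VO_${v}_VOMS_PORT")
        if [ -n "$p" ]; then
            case " $ports " in
                *" $p "*) echo "ERR: port $p used by more than one VO"; rc=1 ;;
            esac
            ports="$ports $p"
        fi
    done
    return $rc
}

# Constructed sample (the page's values), written root-only
write_sample_cfg() {
    dir=$1
    mkdir -p "$dir/services"
    cat > "$dir/site-info.def" <<'EOF'
MYSQL_PASSWORD=qualcosa
SITE_NAME=INFN-CNAF
BDII_DELETE_DELAY=0
VOS="icarus-exp.org"
EOF
    cat > "$dir/services/glite-voms" <<'EOF'
VOMS_HOST=vomsmania.cnaf.infn.it
VO_ICARUS_EXP_ORG_VOMS_PORT=15000
VO_ICARUS_EXP_ORG_VOMS_DB_NAME=voms_icarusexp_org
VO_ICARUS_EXP_ORG_VOMS_DB_USER=vo_adm
VO_ICARUS_EXP_ORG_VOMS_DB_PASS=qualcosa
VOMS_DB_HOST='localhost'
EOF
    chmod 600 "$dir/site-info.def" "$dir/services/glite-voms"
}

sample=$(mktemp -d)
write_sample_cfg "$sample"
check_voms_cfg "$sample/site-info.def" "$sample/services/glite-voms" \
    && echo "YAIM VOMS configuration consistent"
```

Run it from the directory holding your copy of the files as `check_voms_cfg site-info.def services/glite-voms` before `yaim -v`; yaim itself only checks that variables exist, not that the ports are distinct or that the files are private.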


yaim verify

Run the check mode first; it only validates that the variables the _check functions need are defined. The output below was captured on voms2.cnaf.infn.it, a server hosting many VOs, not on the single-VO example configuration above, so hostnames and VO names differ from it.

# /opt/glite/yaim/bin/yaim -v -s site-info.def -n VOMS
   INFO: Configuring HOST: voms2.cnaf.infn.it
   INFO: Using site configuration file: site-info.def
   INFO: Sourcing service specific configuration file: ./services/glite-voms
   INFO: 
         ###################################################################
         
         .             /'.-. ')
         .     yA,-"-,( ,m,:/ )   .oo.     oo    o      ooo  o.     .oo
         .    /      .-Y a  a Y-.     8. .8'    8'8.     8    8b   d'8
         .   /           ~ ~ /         8'    .8oo88.     8    8  8'  8
         . (_/         '===='          8    .8'     8.   8    8  Y   8
         .   Y,-''-,Yy,-.,/           o8o  o8o    o88o  o8o  o8o    o8o
         .    I_))_) I_))_)
         
         
         current working directory: /root
         site-info.def date: Dec 21 09:46 site-info.def
         yaim command: -v -s site-info.def -n VOMS
         log file: /opt/glite/yaim/bin/../log/yaimlog
         Wed May 30 12:19:39 CEST 2012 : /opt/glite/yaim/bin/yaim
         
         Installed YAIM versions:
         glite-yaim-bdii 4.3.9-1
         glite-yaim-core 5.1.0-1
         yaim-voms 1.1.1-1.el6
         
         ####################################################################
   INFO: The default location of the grid-env.(c)sh files will be: /usr/libexec
   INFO: Sourcing the utilities in /opt/glite/yaim/functions/utils
   INFO: Detecting environment
   INFO: Executing function: config_host_certs_check 
   INFO: Executing function: config_edgusers_check 
   INFO: Executing function: config_add_pool_env_check 
   INFO: Executing function: config_info_service_voms_check 
   INFO: Executing function: config_info_service_voms_admin_check 
   INFO: Executing function: config_glue2_info_service_voms_check 
   INFO: Executing function: config_voms_check 
   INFO: Detecting TOMCAT
   INFO: Executing function: config_voms_logrotate_check 
   INFO: Executing function: config_bdii_5.2_check 
   INFO: Checking is done.
   INFO: All the necessary variables to configure VOMS are defined in your configuration files.
   INFO: Please, bear in mind that YAIM only guarantees the definition of variables
   INFO: controlled in the _check functions.
   INFO: YAIM terminated succesfully.

yaim config

Run the configuration; the output below comes from the same multi-VO server (voms2.cnaf.infn.it) as the verify run. Three lines in it matter for a production service. "Adding default admin from /etc/grid-security/hostcert.pem" means the host certificate gets ALL permissions on every VO, so the copy of the host key handed to Tomcat (/etc/grid-security/tomcat-key.pem) is a VO administrator credential and must stay readable only by its owner. "Opening the VO to all authenticated clients" grants read-only access on the VO and its roles to any client presenting a certificate from any CA installed by ca-policy-egi-core, so VO membership is enumerable by every grid user unless you restrict the ACLs in voms-admin afterwards. "User and password for read-only database access for VOMS-CORE not specified" means the core daemon uses the read-write (VOMS-ADMIN) database account; defining the read-only database credentials (see the yaim-voms example file for the variable names) gives it only the privilege it needs.

# /opt/glite/yaim/bin/yaim -c -s site-info.def -n VOMS
   INFO: Using site configuration file: site-info.def
   INFO: Sourcing service specific configuration file: ./services/glite-voms
   [...]
Stopping vo eumed
Starting vo eumed
Stopping siblings webapp
Starting siblings webapp
   INFO: User and password for read-only database access for VOMS-CORE not specified.
   INFO: Using the credentials for read-write access (VOMS-ADMIN).
voms-admin-configure, version 2.7.0

Checking installation...
Checking local installation...
Installation ok.
Setting up user credentials...
Using host credentials (/etc/grid-security/hostcert.pem) since running as root.
Setting defaults for the VOMS AA credentials
AA certificates settings:
cert:/etc/grid-security/tomcat-cert.pem
key:/etc/grid-security/tomcat-key.pem
Prefix: //usr
Configuration dir: /etc/voms-admin
Cheking input parameters
Installing vo euchina
Skipping voms core configuration creation
Will not set read-only access for authenticated clients as the --skip-database option is set
VO euchina configured correctly.



VO euchina installation finished.
 
You can start the voms services using the following commands:
    //etc/init.d/voms start euchina
    //etc/init.d/voms-admin start euchina
voms_euchina
   INFO: Checking VOMS database schema existence and deploying one if missing...
Checking database connectivity...
Database contacted succesfully
Checking database existence...
Found existing voms-admin 2.5.x database...
Existing voms database found. Will not overwrite the database!
   INFO: Opening the VO to all authenticated clients.
Checking that the database is writable...
Database is writable.
Granting read-only access to any authenticated user on group '/euchina'
Granting read-only access to any authenticated user on role '/euchina/Role=SoftwareManager'
Granting read-only access to any authenticated user on role '/euchina/Role=VO-Admin'
   INFO: Adding default admin from /etc/grid-security/hostcert.pem
   INFO: Ignoring email from the administrator certificate: /etc/grid-security/hostcert.pem
Admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA' already exists in database...
This admin will be granted full privileges on the VOMS database.
Adding ALL permissions on '/euchina' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
Adding ALL permissions on role '/euchina/Role=SoftwareManager' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
Adding ALL permissions on role '/euchina/Role=VO-Admin' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
Stopping vo euchina
Starting vo euchina
Stopping siblings webapp
Starting siblings webapp
   INFO: User and password for read-only database access for VOMS-CORE not specified.
   INFO: Using the credentials for read-write access (VOMS-ADMIN).
voms-admin-configure, version 2.7.0

Checking installation...
Checking local installation...
Installation ok.
Setting up user credentials...
Using host credentials (/etc/grid-security/hostcert.pem) since running as root.
Setting defaults for the VOMS AA credentials
AA certificates settings:
cert:/etc/grid-security/tomcat-cert.pem
key:/etc/grid-security/tomcat-key.pem
Prefix: //usr
Configuration dir: /etc/voms-admin
Cheking input parameters
Installing vo glast.org
Skipping voms core configuration creation
Will not set read-only access for authenticated clients as the --skip-database option is set
VO glast.org configured correctly.



VO glast.org installation finished.
 
You can start the voms services using the following commands:
    //etc/init.d/voms start glast.org
    //etc/init.d/voms-admin start glast.org
voms_glast_org
   INFO: Checking VOMS database schema existence and deploying one if missing...
Checking database connectivity...
Database contacted succesfully
Checking database existence...
Found existing voms-admin 2.5.x database...
Existing voms database found. Will not overwrite the database!
   INFO: Opening the VO to all authenticated clients.
Checking that the database is writable...
Database is writable.
Granting read-only access to any authenticated user on group '/glast.org'
Granting read-only access to any authenticated user on role '/glast.org/Role=prod'
Granting read-only access to any authenticated user on role '/glast.org/Role=SoftwareManager'
Granting read-only access to any authenticated user on role '/glast.org/Role=VO-Admin'
   INFO: Adding default admin from /etc/grid-security/hostcert.pem
   INFO: Ignoring email from the administrator certificate: /etc/grid-security/hostcert.pem
Admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA' already exists in database...
This admin will be granted full privileges on the VOMS database.
Adding ALL permissions on '/glast.org' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
Adding ALL permissions on role '/glast.org/Role=prod' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
Adding ALL permissions on role '/glast.org/Role=SoftwareManager' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
Adding ALL permissions on role '/glast.org/Role=VO-Admin' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
Stopping vo glast.org
Starting vo glast.org
Stopping siblings webapp
Starting siblings webapp
   INFO: User and password for read-only database access for VOMS-CORE not specified.
   INFO: Using the credentials for read-write access (VOMS-ADMIN).
Stopping tomcat6:                                          [  OK  ]
Starting tomcat6:                                          [  OK  ]
Stopping voms(ams02.cern.ch): (already stopped)
Stopping voms(compassit): (already stopped)
Stopping voms(comput-er.it): (already stopped)
Stopping voms(cyclops): (already stopped)
Stopping voms(enmr.eu): (already stopped)
Stopping voms(euchina): (already stopped)
Stopping voms(euindia): (already stopped)
Stopping voms(eumed): (already stopped)
Stopping voms(glast.org): (already stopped)
Stopping voms(ipv6.hepix.org): (already stopped)
Stopping voms(pacs.infn.it): (already stopped)
Stopping voms(superbvo.org): (already stopped)
Stopping voms(tps.infn.it): (already stopped)
Starting voms(ams02.cern.ch):                              [  OK  ]
Starting voms(compassit):                                  [  OK  ]
Starting voms(comput-er.it):                               [  OK  ]
Starting voms(cyclops):                                    [  OK  ]
Starting voms(enmr.eu):                                    [  OK  ]
Starting voms(euchina):                                    [  OK  ]
Starting voms(euindia):                                    [  OK  ]
Starting voms(eumed):                                      [  OK  ]
Starting voms(glast.org):                                  [  OK  ]
Starting voms(ipv6.hepix.org):                             [  OK  ]
Starting voms(pacs.infn.it):                               [  OK  ]
Starting voms(superbvo.org):                               [  OK  ]
Starting voms(tps.infn.it):                                [  OK  ]
   INFO: Executing function: config_voms_logrotate_setenv 
   INFO: Executing function: config_voms_logrotate 
   INFO: Executing function: config_bdii_5.2 
Stopping BDII: BDII already stopped
Starting BDII slapd:                                       [  OK  ]
Starting BDII update process:                              [  OK  ]
   INFO: Configuration Complete.                                               [  OK  ]
   INFO: YAIM terminated succesfully.

many VOs workaround

If you have many VOs configured on your server, Tomcat can run out of file descriptors (the default soft limit on SL6 is 1024). Raise it by adding the following lines

* soft nofile 2048
* hard nofile 2048

to /etc/security/limits.conf and then restart tomcat6. The limit is applied by PAM when the service is started, so it only affects processes started after the change; check the value the running JVM actually has in /proc/<pid>/limits rather than assuming it.
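An added check for the step above (not part of the IGI page or of tomcat6): it reads the "Max open files" line of a process's /proc/<pid>/limits and compares the soft limit with what limits.conf asks for. The sample limits text is constructed in the /proc format; the pgrep pattern for the Tomcat JVM at the end is an assumption about the command line of the tomcat6 service.

```sh
#!/bin/sh
# Added check, not part of the IGI page. Sample /proc/<pid>/limits text is
# constructed; the pgrep pattern for the tomcat6 JVM is an assumption.
set -u

# Soft "Max open files" from text in /proc/<pid>/limits format
# (columns: Limit, Soft Limit, Hard Limit, Units)
soft_nofile_from_limits() {
    awk '/^Max open files/ { print $4 }'
}

# Soft limit of a running process
soft_nofile_of_pid() {
    soft_nofile_from_limits < "/proc/$1/limits"
}

# 0 if the effective limit ($2) is at least what limits.conf asks for ($1)
nofile_ok() {
    want=$1; have=$2
    [ "$have" = "unlimited" ] || [ "$have" -ge "$want" ]
}

SAMPLE='Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
Max processes             1024                 unlimited            processes'

if nofile_ok 2048 "$(printf '%s\n' "$SAMPLE" | soft_nofile_from_limits)"; then
    echo "nofile limit sufficient"
else
    echo "nofile limit too low: restart tomcat6 so PAM applies the new limits.conf"
fi

# Live use on the VOMS host (assumes the JVM command line contains the
# Catalina bootstrap class):
#   nofile_ok 2048 "$(soft_nofile_of_pid "$(pgrep -f org.apache.catalina | head -n 1)")"
```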

-- AlessandroPaolini - 2012-05-30

Topic revision: r2 - 2012-05-30 - AlessandroPaolini
 