Notes about Installation and Configuration of a MyProxy server - EMI-2 - SL6 x86_64
- These notes are provided by site admins on a best-effort basis as a contribution to the IGI communities and MUST NOT be considered a substitute for the official IGI documentation.
- This document is addressed to site administrators responsible for middleware installation and configuration.
- The goal of this page is to provide some hints and examples on how to install and configure an IGI myproxy service based on EMI-2 middleware on SL6.
NB: The myproxy service is a CORE service; it should not be installed at Resource Center level. The official endpoint provided by IGI is myproxy.cnaf.infn.it and MUST be used by all Resource Centers and Services that are part of the IGI infrastructure.
Service installation
O.S. and Repos
- Start from a fresh installation of Scientific Linux 6.x (x86_64).
# cat /etc/redhat-release
Scientific Linux release 6.2 (Carbon)
- Install the additional repositories: EPEL, Certification Authority, EMI-2
# yum install yum-priorities yum-protectbase epel-release
# rpm -ivh http://emisoft.web.cern.ch/emisoft/dist/EMI/2/sl6/x86_64/base/emi-release-2.0.0-1.sl6.noarch.rpm
# cd /etc/yum.repos.d/
# wget http://repo-pd.italiangrid.it/mrepo/repos/egi-trustanchors.repo
- Be sure that SELINUX is disabled (or permissive). Details on how to disable SELINUX are here:
# getenforce
Disabled
yum install
# yum clean all
Loaded plugins: downloadonly, kernel-module, priorities, protect-packages, protectbase, security, verify, versionlock
Cleaning up Everything
# yum install ca-policy-egi-core
# yum install emi-px
Service configuration
The configuration file for this service is really basic.
For authorization:
- DN list of authorized renewers (WMS and nagios)
- DN list of trusted retrievers (nagios)
site-info.def
# cp -vr /opt/glite/yaim/examples/siteinfo /root/
`/opt/glite/yaim/examples/siteinfo' -> `/root/siteinfo'
`/opt/glite/yaim/examples/siteinfo/site-info.def' -> `/root/siteinfo/site-info.def'
`/opt/glite/yaim/examples/siteinfo/services' -> `/root/siteinfo/services'
`/opt/glite/yaim/examples/siteinfo/services/glite-px' -> `/root/siteinfo/services/glite-px'
`/opt/glite/yaim/examples/siteinfo/services/glite-bdii_site' -> `/root/siteinfo/services/glite-bdii_site'
# cat /root/siteinfo/site-info.def
SITE_NAME=IGI-BOLOGNA
PX_HOST=`hostname -f`
BDII_DELETE_DELAY=0
glite-px
# cat siteinfo/services/glite-px
GRID_AUTHORIZED_RETRIEVERS="\*"
GRID_AUTHORIZED_RENEWERS="
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=gridit-wms-01.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-wms-01.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=Ferrara/CN=gridrb.fe.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-01.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-02.cnaf.infn.it'
'/C=IT/O=INFN/OU=grid014.ct.infn.it/L=Catania/CN=grid014.ct.infn.it/emailAddress=giuseppe.platania@ct.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=gridit-cert-rb.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=eumed-rb-1.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=euchina-rb-1.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-03.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-04.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-05.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-06.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=gridit-rb-01.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=egrid-rb-01.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=prod-rb-01.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=prod-rb-02.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=prod-wms-01.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=eu-india-02.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=sc2.cr.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=Bari/CN=wms1.ba.infn.it'
'/C=IT/O=INFN/OU=Host/L=Bari/CN=wms2.ba.infn.it'
'/C=IT/O=INFN/OU=Host/L=Bari/CN=wms3.ba.infn.it'
'/C=CH/O=CERN/OU=GRID/CN=host/lxn1185.cern.ch'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-07.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-08.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-09.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-rb-06.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=glite-rb-00.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=glite-rb-01.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel07.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel09.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel10.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel11.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel12.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel14.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel18.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel19.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel20.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=cream-06.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms001.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms002.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms003.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms004.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms005.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms006.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms007.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms008.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms009.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms011.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms012.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms013.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms014.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms015.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms016.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms017.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-02.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=pps-fts.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=tigerman.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=Milano/CN=egee-rb-01.mi.infn.it'
'/C=IT/O=INFN/OU=Host/L=CIRMMP/CN=wms-enmr.cerm.unifi.it'
'/DC=ch/DC=cern/OU=computers/CN=wms101.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms102.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms103.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms104.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms105.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms106.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms107.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms108.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms109.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms110.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms111.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms112.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms113.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms114.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms115.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms116.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms117.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms118.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms119.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms121.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms122.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms123.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms124.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms125.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms126.cern.ch'
'/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=graszode.nikhef.nl'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=mon-it.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=mon-cnaf.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=bbrbuild01.cr.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=bbr-serv09.cr.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee017.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=sb-serv01.cr.cnaf.infn.it'
"
GRID_TRUSTED_RETRIEVERS="
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=mon-it.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=mon-cnaf.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=bbrbuild01.cr.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=bbr-serv09.cr.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee017.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=sb-serv01.cr.cnaf.infn.it'
"
host certificate required
# ll /etc/grid-security/host*
-rw-r--r-- 1 root root 1440 Dec 29 09:30 /etc/grid-security/hostcert.pem
-r-------- 1 root root 887 Dec 29 09:30 /etc/grid-security/hostkey.pem
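Before running yaim, the DN lists in siteinfo/services/glite-px can be reviewed mechanically. The following is an added example, not part of the original notes or of yaim: it parses a file in that format and reports wildcard entries, duplicate DNs and DNs that appear both as renewer and as trusted retriever, so each can be confirmed as intended. The sample input is constructed (example.org hosts) and the names parse_dn_lists and audit are hypothetical.

```python
import re

# Constructed sample in the same format as siteinfo/services/glite-px
# (example.org hosts are placeholders, not taken from the page).
SAMPLE = r'''
GRID_AUTHORIZED_RETRIEVERS="\*"
GRID_AUTHORIZED_RENEWERS="
'/C=IT/O=Example/OU=Host/CN=wms01.example.org'
'/C=IT/O=Example/OU=Host/CN=wms02.example.org'
'/C=IT/O=Example/OU=Host/CN=wms01.example.org'
'/C=IT/O=Example/OU=Host/CN=mon.example.org'
"
GRID_TRUSTED_RETRIEVERS="
'/C=IT/O=Example/OU=Host/CN=mon.example.org'
"
'''

ASSIGN = re.compile(r'^(GRID_\w+)="(.*?)"', re.M | re.S)

def parse_dn_lists(text):
    """Return {variable: [entries]} for every GRID_* assignment."""
    lists = {}
    for name, body in ASSIGN.findall(text):
        quoted = re.findall(r"'([^']*)'", body)
        # An unquoted value such as \* is a single entry; drop the shell escape.
        value = body.strip().replace("\\", "")
        lists[name] = quoted or ([value] if value else [])
    return lists

def audit(lists):
    """Return sorted (variable, finding, entry) tuples worth a manual review."""
    findings = set()
    for name, entries in lists.items():
        for dn in entries:
            if "*" in dn:
                findings.add((name, "wildcard", dn))
            elif not dn.startswith("/"):
                findings.add((name, "not-a-dn", dn))
            if entries.count(dn) > 1:
                findings.add((name, "duplicate", dn))
    renewers = set(lists.get("GRID_AUTHORIZED_RENEWERS", []))
    for dn in lists.get("GRID_TRUSTED_RETRIEVERS", []):
        if dn in renewers:
            findings.add(("GRID_TRUSTED_RETRIEVERS", "also-renewer", dn))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_dn_lists(SAMPLE)):
        print(*finding, sep="\t")
```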
Service configuration
yaim check
# chmod -R 600 /root/siteinfo
# /opt/glite/yaim/bin/yaim -v -s /root/siteinfo/site-info.def -n glite-PX
INFO: Using site configuration file: /root/siteinfo/site-info.def
[...]
INFO: YAIM terminated succesfully.
yaim config
Please use the debug flag ("-d 6") when configuring the services in order to get detailed information. For your convenience you can save all the configuration information in a log file that you can look at any time, separate from the default yaimlog.
# /opt/glite/yaim/bin/yaim -c -d 6 -s /root/siteinfo/site-info.def -n glite-PX
DEBUG: Checking siteinfo dir is not world readable
[...]
INFO: Configuration Complete. [ OK ]
INFO: YAIM terminated succesfully.
Known Issue and Workaround
At the moment the service does not start at boot (a yaim bug, reported in GGUS).
# chkconfig myproxy-server on
Service checks
myproxy-init
On a user interface:
[veronesi@ui ~]$ myproxy-init -s myproxy.cnaf.infn.it -k veronesi-test
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
Enter GRID pass phrase for this identity:
Creating proxy ............................................................................................ Done
Proxy Verify OK
Your proxy is valid until: Thu Jan 5 10:03:38 2012
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user veronesi now exists on myproxy.cnaf.infn.it.
On the MyProxy server:
# tail -f /var/log/messages
Dec 29 10:03:40 myproxy myproxy-server[9119]: Connection from 131.154.101.141
Dec 29 10:03:41 myproxy myproxy-server[9119]: Authenticated client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
Dec 29 10:03:42 myproxy myproxy-server[9119]: Received PUT request for username veronesi
Dec 29 10:03:43 myproxy myproxy-server[9119]: Client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi disconnected
# ls -ltr /var/lib/myproxy/
total 36
-rw------- 1 myproxy myproxy 132 Dec 29 10:03 veronesi-veronesi-test.data
-rw------- 1 myproxy myproxy 5912 Dec 29 10:03 veronesi-veronesi-test.creds
myproxy-info
On a user interface:
# myproxy-info -s myproxy.cnaf.infn.it -k veronesi-test
username: veronesi
owner: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
name: veronesi-test
timeleft: 167:55:38 (7.0 days)
On the MyProxy server:
# tail -f /var/log/messages
Dec 29 10:42:08 myproxy myproxy-server[9209]: Connection from 131.154.101.141
Dec 29 10:42:08 myproxy myproxy-server[9209]: Authenticated client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
Dec 29 10:42:08 myproxy myproxy-server[9209]: Received INFO request for username veronesi
Dec 29 10:42:08 myproxy myproxy-server[9209]: Client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi disconnected
myproxy-get-delegation
On a user interface:
$ myproxy-get-delegation -s myproxy.cnaf.infn.it -k veronesi-test
Enter MyProxy pass phrase:
A credential has been received for user veronesi in /tmp/x509up_u23019.
On the MyProxy server:
# tail -f /var/log/messages
Dec 29 11:01:05 myproxy myproxy-server[31270]: Connection from 131.154.101.141
Dec 29 11:01:05 myproxy myproxy-server[31270]: Authenticated client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
Dec 29 11:01:08 myproxy myproxy-server[31270]: Received GET request for username veronesi
Dec 29 11:01:08 myproxy myproxy-server[31270]: credential passphrase matched
Dec 29 11:01:08 myproxy myproxy-server[31270]: Delegating credentials for /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi lifetime=43200
Dec 29 11:01:08 myproxy myproxy-server[31270]: Client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi disconnected
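The server-side log checks above can be automated. The following is an added example, not part of the original notes or of MyProxy: it groups myproxy-server syslog messages into one record per connection, using the PID that every line of a connection shares in the logs above, and lists GET requests that never reached the "Delegating credentials" line. The sample lines are constructed in the page's message format with placeholder DNs and addresses; sessions and undelegated_gets are hypothetical names.

```python
import re

# Constructed syslog lines in the message format shown above
# (placeholder DNs and RFC 5737 addresses; PID 31301 never reaches delegation).
SAMPLE = """\
Dec 29 11:01:05 myproxy myproxy-server[31270]: Connection from 192.0.2.10
Dec 29 11:01:05 myproxy myproxy-server[31270]: Authenticated client /C=IT/O=Example/CN=Test User
Dec 29 11:01:08 myproxy myproxy-server[31270]: Received GET request for username tuser
Dec 29 11:01:08 myproxy myproxy-server[31270]: credential passphrase matched
Dec 29 11:01:08 myproxy myproxy-server[31270]: Delegating credentials for /C=IT/O=Example/CN=Test User lifetime=43200
Dec 29 11:01:08 myproxy myproxy-server[31270]: Client /C=IT/O=Example/CN=Test User disconnected
Dec 29 11:02:00 myproxy myproxy-server[31301]: Connection from 192.0.2.77
Dec 29 11:02:01 myproxy myproxy-server[31301]: Authenticated client /C=IT/O=Example/CN=Other User
Dec 29 11:02:01 myproxy myproxy-server[31301]: Received GET request for username tuser
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ myproxy-server\[(\d+)\]: (.*)$")
FIELDS = [  # (record keys, pattern matched against the message part)
    (("ip",), re.compile(r"Connection from (\S+)")),
    (("client",), re.compile(r"Authenticated client (.+)")),
    (("op", "username"), re.compile(r"Received (\w+) request for username (\S+)")),
    (("lifetime",), re.compile(r"Delegating credentials for .+ lifetime=(\d+)")),
]
EMPTY = {"ip": None, "client": None, "op": None, "username": None, "lifetime": None}

def sessions(text):
    """One record per connection, keyed on PID; a new 'Connection from' restarts a reused PID."""
    records, current = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, msg = m.groups()
        if msg.startswith("Connection from") or pid not in current:
            current[pid] = dict(EMPTY, start=ts, pid=pid)
            records.append(current[pid])
        for keys, pattern in FIELDS:
            hit = pattern.match(msg)
            if hit:
                current[pid].update(zip(keys, hit.groups()))
    return records

def undelegated_gets(records):
    """GET requests with no 'Delegating credentials' line: retrieval did not complete."""
    return [r for r in records if r["op"] == "GET" and r["lifetime"] is None]

if __name__ == "__main__":
    for rec in undelegated_gets(sessions(SAMPLE)):
        print("review:", rec)
```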
Additional notes
For WMS proxy renewal to work, it is necessary to:
- Include the DN of the WMS that processes the jobs among the authorized renewers on the MyProxy server, i.e. add authorized_renewers DN to the configuration and restart the server;
- Upload the proxy of the job submitter to the MyProxy server using myproxy-init -s myproxy_server -d -n
- Submit the job with the MyProxy server hostname given in the JDL