WMS Service Reference Card
Daemons running
- WmProxy:
/usr/sbin/httpd -k start -f /etc/glite-wms/glite_wms_wmproxy_httpd.conf
\_ /usr/sbin/httpd -k start -f /etc/glite-wms/glite_wms_wmproxy_httpd.conf
\_ /usr/bin/glite_wms_wmproxy_server
- WorkloadManager:
/usr/bin/glite-wms-workload_manager --conf glite_wms.conf --daemon /tmp/glite-wms-workload_manager.pid
- LogMonitor
/usr/bin/glite-wms-log_monitor -c glite_wms.conf
- JobController
/usr/bin/glite-wms-job_controller -c glite_wms.conf
- Condor
/opt/condor-c/sbin/condor_master
\_ condor_collector -f
\_ condor_schedd -f
| \_ perl /opt/condor-7.4.2/libexec/glite/condorc-authorizer
| \_ perl /opt/condor-7.4.2/libexec/glite/condorc-advertiser
| \_ perl /opt/condor-7.4.2/libexec/glite/condorc-vo-advertiser
| \_ perl /opt/condor-7.4.2/libexec/glite/condorc-launcher
\_ condor_negotiator -f
- ICE
/usr/bin/glite-wms-ice-safe --conf glite_wms.conf --daemon /tmp/glite-wms-ice-safe.pid
\_ sh -c /usr/bin/glite-wms-ice --conf glite_wms.conf /var/log/wms/ice_console.log 2>&1
\_ /usr/bin/glite-wms-ice --conf glite_wms.conf /var/log/wms/ice_console.log
- Proxy Renewal Daemon
/usr/bin/glite-proxy-renewd -r /var/glite/spool/glite-renewd -t /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem -A
\_ /usr/bin/glite-proxy-renewd -r /var/glite/spool/glite-renewd -t /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem -A
- LB locallogger
/usr/bin/glite-lb-logd -i /var/glite-lb-logd.pid -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem
/usr/bin/glite-lb-interlogd -i /var/glite-lb-interlogd.pid -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem
- LB Server
/usr/bin/glite-lb-bkserverd --notif-il-sock=/tmp/glite-lb-notif.sock --notif-il-fprefix=/var/tmp/glite-lb-notif -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem -i /var/glite-lb-bkserverd.pid --dump-prefix /var/dump --purge-prefix /var/purge -B --proxy-il-sock /tmp/glite-lbproxy-ilog.sock --proxy-il-fprefix /tmp/glite-lbproxy-ilog_events --policy /etc/glite-lb/glite-lb-authz.conf
\_ /usr/bin/glite-lb-bkserverd --notif-il-sock=/tmp/glite-lb-notif.sock --notif-il-fprefix=/var/tmp/glite-lb-notif -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem -i /var/glite-lb-bkserverd.pid --dump-prefix /var/dump --purge-prefix /var/purge -B --proxy-il-sock /tmp/glite-lbproxy-ilog.sock --proxy-il-fprefix /tmp/glite-lbproxy-ilog_events --policy /etc/glite-lb/glite-lb-authz.conf
[ ... ]
/usr/bin/glite-lb-notif-interlogd -f /var/tmp/glite-lb-notif -s /tmp/glite-lb-notif.sock -i /var/glite-lb-notif-interlogd.pid -M 10485760 -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem
/usr/bin/glite-lb-interlogd -f /tmp/glite-lbproxy-ilog_events -s /tmp/glite-lbproxy-ilog.sock -i /var/glite-lb-proxy-interlogd.pid -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem
- Globus Gridftp
/usr/sbin/globus-gridftp-server -p 2811 -d error,warn,info -l /var/log/gridftp-session.log -Z /var/log/globus-gridftp.log -no-detach
- resource BDII
/usr/sbin/slapd -f /etc/bdii/bdii-slapd.conf -h ldap://0.0.0.0:2170 -u ldap
/usr/bin/python /usr/sbin/bdii-update -c /etc/bdii/bdii.conf -d
- Mysql Daemon
/bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --user=mysql
\_ /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
Init scripts and options
- /etc/init.d/gLite { start | stop | restart | status | version }
- /etc/init.d/globus-gridftp {start|stop|status|restart|condrestart|try-restart|reload|force-reload}
- /etc/init.d/glite-wms-wmproxy {start|stop|restart|status|help|configtest}
- /etc/init.d/glite-wms-wm {start|stop|restart|status}
- /etc/init.d/glite-wms-lm {start|stop|restart|status|check}
- /etc/init.d/glite-wms-jc {start|stop|restart|reload|status|check} [JobController|CondorG]
- /etc/init.d/glite-proxy-renewald {start|stop|restart|status}
- /etc/init.d/glite-lb-locallogger {start|stop|restart|status}
- /etc/init.d/glite-lb-bkserverd {start|stop|restart|status}
- /etc/init.d/bdii {start|stop|restart|status|condrestart}
- /etc/init.d/mysqld {start|stop|status|condrestart|restart}
Configuration files location with example or template
The configuration files for the WMS services are located in:
- /etc/glite-wms/glite_wms.conf (wms.conf.template): configuration of all the WMS services
- /etc/glite-wms/glite_wms_wmproxy_httpd.conf (wmproxy_httpd.conf.template): configuration of the httpd server
- /etc/glite-wms/glite_wms_wmproxy.gacl (wmproxy.gacl.template): access control list for wmproxy
The configuration files for globus gridftp are:
- /etc/grid-security/gridftp.conf: Globus gridftp configuration file
- /etc/sysconfig/globus
The configuration files for the LB services are:
- /etc/glite-lb/lcas.db: defines the location of the lcas plugin
- /etc/glite-lb/log4crc: defines the behavior and granularity of log4c logging
- /etc/glite-lb/glite-lb-harvester.conf: configuration of the L&B harvester
- /etc/glite-lb/msg.conf: configuration (brokers, permissible topic prefixes, plugin location) for messaging over ActiveMQ
- /etc/glite-lb/glite-lb-authz.conf: authorization settings for the L&B server
The configuration files for condor are:
- /opt/condor-c/etc/condor_config (/opt/condor-c/etc/examples/condor_config.generic): generic configuration file
- /opt/condor-c/local./condor_config.local (/opt/condor-c/etc/examples/condor_config.local.generic): local configuration file
Lcas and Lcmaps configuration files are:
- /etc/lcas/ban_users.db: list of banned users for Lcas
- /etc/lcas/lcas.db (/etc/lcas.db.in): Lcas rules
- /etc/lcmaps/lcmaps.db (/etc/lcmaps/lcmaps.db.template): Lcmaps rules for wmproxy mapping
- /etc/lcmaps/lcmaps.db.gridftp: Lcmaps rules for gridftp mapping
- /etc/grid-security/gsi-authz.conf: globus mapping
BDII service configuration files are:
- /etc/bdii/bdii.conf
- /etc/sysconfig/bdii
- /etc/bdii/bdii-slapd.conf
Security configuration files are:
- /etc/grid-security/grid-mapfile: user mapping
- /etc/grid-security/groupmapfile: group mapping
- /etc/grid-security/voms-grid-mapfile: Voms mapping
- and the directory /etc/grid-security/vomsdir/ with vomses .lsc files
Logfile locations (and management) and other useful audit information
The WMS log files can be found under $WMS_LOCATION_LOG and are (most of them are defined in /etc/glite-wms/glite_wms.conf):
- WmProxy
  - httpd-wmproxy-access.log
  - httpd-wmproxy-errors.log
  - wmproxy.log
  - glite-wms-wmproxy-purge-proxycache.log
  - glite-wms-wmproxy.restart.cron.log
  - wmproxy_logrotate.log
- WorkloadManager
  - workload_manager_events.log
- Logmonitor and JobController
  - logmonitor_events.log
  - jobcontoller_events.log
- ICE
- Purger (running from cron job)
  - glite-wms-purgeStorage.log
Gridftp log files are:
- /var/log/gridftp-session.log
- /var/log/globus-gridftp.log
BDII service log file is:
- /var/log/bdii/bdii-update.log
fetch crl log is:
- /var/log/fetch-crl-cron.log
expiry gridmapdir cron job log is:
- /var/log/lcg-expiregridmapdir.log
LB services log files are:
- /var/log/glite/glite-lb-lcas.log
- /var/log/glite/glite-lb-purger.log
- other information can be found in /var/log/messages
Lcas and
Lcmaps information can be found in
Condor log files are located under /var/local/condor/log/ and are:
- MasterLog
- NegotiatorLog
- SchedLog
- CollectorLog
- MatchLog
- GridmanagerLog.glite
- and the directory /var/logmonitor/CondorG.log/
The log information of the
LB service can be found in:
Open ports
The default ports used by WMS are:
- 2170 : standard BDII
- 2811 : Globus GridFTP control channel
- 7443 : Apache/GridSite web service (SOAP over https)
- 9003 : LB WS client queries
- 9618 : condor_collector
- 20000-25000 : GLOBUS_TCP_PORT_RANGE for GridFTP data channels, Condor-G LOWPORT/HIGHPORT
Possible unit test of the service
Submission of various types of jobs.
Where is service state held (and can it be rebuilt)
The submitted jobs go through various queues, one for each service:
- /var/workload_manager/jobdir/new/: WorkloadManager queue
- /var/jobcontrol/jobdir/new/: JobController queue
- /var/ice/jobdir/new/: ICE queue
- /var/local/condor/spool: Condor queue
LB information is stored in a mysql database.
ICE information is stored in a sqlite database: /var/ice/persist_dir/ice.db
LogMonitor internal information is stored in the directory /var/logmonitor/internal/
JobController internal information is stored in the directory /var/jobcontrol/submit/
Cron jobs
The cron jobs can be found in /etc/cron.d/ and are:
- bdii-proxy
- fetch-crl
- glite-lb-purge.cron
- glite-wms-purger.cron
- glite-wms-wmproxy-purge-proxycache.cron
- glite-wms-create-host-proxy.cron
- glite-wms-check-daemons.cron
- glite-wms-wmproxy.restart.cron
- lcg-expiregridmapdir
- wmproxy_logrotate
- locallogger.cron
Security information
The authZ in WMS is managed by GridFTP and GridSite with two different mechanisms:
- GridFTP: performed by LCAS
- GridSite: specified by means of GACL, an XML-based formalism
Access control Mechanism description (authentication & authorization)
TBD
How to block/ban a user
- The file "/etc/glite-wms/glite_wms_wmproxy.gacl" contains the identities (VO, user, etc.) with distinct permissions (exec, read, write, ...) to use the WMS.
- If it is necessary to ban a user/group/VO, the site admin must add his/her DN/FQAN and a deny tag, e.g.:
    <entry>
      <person>
        <dn>/C=IT/O=INFN/OU=Personal Certificate/L=DATAMAT DSAGRD/CN=John Doe</dn>
      </person>
      <deny>
        <exec/>
      </deny>
    </entry>
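One way to audit and extend the ban list described above, as an added example that is not part of the WMS distribution. It assumes the GACL file has a `<gacl>` root and that VO entries use `<voms><fqan>`; the function names and the second DN are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of /etc/glite-wms/glite_wms_wmproxy.gacl.
# Assumption: <gacl> root, <voms><fqan> and <allow> follow GridSite GACL syntax;
# only the <person>/<dn>/<deny>/<exec/> entry shape is shown on the page.
SAMPLE_GACL = """<gacl version="0.0.1">
  <entry>
    <voms><fqan>/examplevo/Role=NULL</fqan></voms>
    <allow><exec/></allow>
  </entry>
  <entry>
    <person><dn>/C=IT/O=INFN/OU=Personal Certificate/L=DATAMAT DSAGRD/CN=John Doe</dn></person>
    <deny><exec/></deny>
  </entry>
</gacl>"""


def parse_gacl(text):
    """Parse GACL text and return the root element."""
    return ET.fromstring(text)


def denied_identities(root, perm="exec"):
    """Return the DNs/FQANs of every entry carrying <deny><perm/></deny>."""
    found = []
    for entry in root.findall("entry"):
        if entry.find(f"deny/{perm}") is None:
            continue  # entry does not deny this permission
        for cred in entry.findall("person/dn") + entry.findall("voms/fqan"):
            found.append((cred.text or "").strip())
    return found


def ban_dn(root, dn, perm="exec"):
    """Append a deny entry for dn unless one already exists; True if added."""
    if dn in denied_identities(root, perm):
        return False  # already banned, keep the file free of duplicates
    entry = ET.SubElement(root, "entry")
    ET.SubElement(ET.SubElement(entry, "person"), "dn").text = dn
    ET.SubElement(ET.SubElement(entry, "deny"), perm)
    return True


if __name__ == "__main__":
    root = parse_gacl(SAMPLE_GACL)
    print("denied exec:", denied_identities(root))
    print("added:", ban_dn(root, "/C=XX/O=Example/CN=Constructed User"))
    print(ET.tostring(root, encoding="unicode"))
```

DN comparison here is an exact string match, so the DN must be written exactly as it appears in the user's certificate subject.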
Security recommendations
TBD
Other security relevant comments
- Each user sandbox, stored in the filesystem, contains delegated credentials (which can be renewed by MyProxy) together with the user's input/output data.
Utility scripts
Useful scripts are:
- /usr/sbin/glite_wms_wmproxy_load_monitor
Usage:/usr/sbin/glite_wms_wmproxy_load_monitor [OPTIONS]...
--load1 threshold for load average (1min)
--load5 threshold for load average (5min)
--load15 threshold for load average (15min)
--memusage threshold for memory usage (%)
--swapusage threshold for swap usage (%)
--fdnum threshold for used file descriptor
--diskusage threshold for disk usage (%)
--flsize threshold for input filelist size (KB)
--flnum threshold for number of unprocessed jobs (for filelist)
--jdsize threshold for input jobdir size (KB)
--jdnum threshold for number of unprocessed jobs (for jobdir)
--ftpconn threshold for number of FTP connections
--oper operation to monitor (can be listed with --list)
--list list operation supported
--show show all the current values
--help print this help message
- /usr/bin/queryDb
USAGE: queryDb --conf|-c <WMS CONFIGURATION FILE> [options]
options:
--verbose|-v Verbose output (print each db's record
--status-filter|-s Select only records in which the status column is one
of those specified as option argument; more states can
be ',' separated and they must be:
REGISTERED
PENDING
IDLE
RUNNING
REALLY_RUNNING
CANCELLED
HELD
ABORTED
DONE_OK
DONE_FAILED
UNKNOWN
PURGED
--userdn|-u Print the USERDN column of the job table
--creamjobid|-C Print the CREAM JOB ID column of the job table
--gridjobid|-G Print the GRID JOB ID column of the job table
--userproxy|-p Print the USER PROXY column of the job table
--cream-url|-r Print the CREAM URL column of the job table
--myproxy-url|-m Print the MYPROXY URL column of the job table
--status|-S Print the STATUS column of the job table
--lease-id|-L Print the LEASE-ID column of the job table
--delegation-id|-D Print the DELEGATION-ID column of the job table
--worker-node|-w Print the WORKER-NODE column of the job table
--help|-h Print this help
- /usr/bin/queryStats
USAGE: queryDb --conf|-c <WMS CONFIGURATION FILE> [options]
options:
--from-date|-f Set the lower time limit to collect the stats from
--to-date|t Set the upper time limit to collect the stats to
--help|-h Print this help
- /usr/bin/glite-wms-ice-db-rm
Safely remove Job(s) (identified by Grid Job ID(s)) from ICE's database
Usage: /usr/bin/glite-wms-ice-db-rm [-c <conf_file>] [--from-file <input_file>] GridJobID
- If not specified -c <conf_file> the default will be used
(glite_wms.conf) in order to determine the path of ICE's database
- Argument GridJobID and option --from-file <input_file>
are mutually exclusive
- If --from-file is specified the list of Grid JobIDs to remove
will be retrieved from <input_file> (the IDs must be newline separated)