WMS Service Reference Card

Daemons running

  • WmProxy:
    /usr/sbin/httpd -k start -f /etc/glite-wms/glite_wms_wmproxy_httpd.conf
      \_ /usr/sbin/httpd -k start -f /etc/glite-wms/glite_wms_wmproxy_httpd.conf
        \_ /usr/bin/glite_wms_wmproxy_server
  • WorkloadManager:
    /usr/bin/glite-wms-workload_manager --conf glite_wms.conf --daemon /tmp/glite-wms-workload_manager.pid
  • LogMonitor
    /usr/bin/glite-wms-log_monitor -c glite_wms.conf
  • JobController
    /usr/bin/glite-wms-job_controller -c glite_wms.conf
  • Condor
    /opt/condor-c/sbin/condor_master
      \_ condor_collector -f
      \_ condor_schedd -f
      |   \_ perl /opt/condor-7.4.2/libexec/glite/condorc-authorizer
      |   \_ perl /opt/condor-7.4.2/libexec/glite/condorc-advertiser
      |   \_ perl /opt/condor-7.4.2/libexec/glite/condorc-vo-advertiser
      |   \_ perl /opt/condor-7.4.2/libexec/glite/condorc-launcher
      \_ condor_negotiator -f
  • ICE
    /usr/bin/glite-wms-ice-safe --conf glite_wms.conf --daemon /tmp/glite-wms-ice-safe.pid
      \_ sh -c /usr/bin/glite-wms-ice --conf glite_wms.conf /var/log/wms/ice_console.log 2>&1
          \_ /usr/bin/glite-wms-ice --conf glite_wms.conf /var/log/wms/ice_console.log
  • Proxy Renewal Daemon
    /usr/bin/glite-proxy-renewd -r /var/glite/spool/glite-renewd -t /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem -A
      \_ /usr/bin/glite-proxy-renewd -r /var/glite/spool/glite-renewd -t /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem -A
  • LB locallogger
    /usr/bin/glite-lb-logd -i /var/glite-lb-logd.pid -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem
     /usr/bin/glite-lb-interlogd -i /var/glite-lb-interlogd.pid -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem
  • LB Server
    /usr/bin/glite-lb-bkserverd --notif-il-sock=/tmp/glite-lb-notif.sock --notif-il-fprefix=/var/tmp/glite-lb-notif -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem -i /var/glite-lb-bkserverd.pid --dump-prefix /var/dump --purge-prefix /var/purge -B --proxy-il-sock /tmp/glite-lbproxy-ilog.sock --proxy-il-fprefix /tmp/glite-lbproxy-ilog_events --policy /etc/glite-lb/glite-lb-authz.conf
      \_ /usr/bin/glite-lb-bkserverd --notif-il-sock=/tmp/glite-lb-notif.sock --notif-il-fprefix=/var/tmp/glite-lb-notif -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem -i /var/glite-lb-bkserverd.pid --dump-prefix /var/dump --purge-prefix /var/purge -B --proxy-il-sock /tmp/glite-lbproxy-ilog.sock --proxy-il-fprefix /tmp/glite-lbproxy-ilog_events --policy /etc/glite-lb/glite-lb-authz.conf
    [ ... ]
    /usr/bin/glite-lb-notif-interlogd -f /var/tmp/glite-lb-notif -s /tmp/glite-lb-notif.sock -i /var/glite-lb-notif-interlogd.pid -M 10485760 -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem
     /usr/bin/glite-lb-interlogd -f /tmp/glite-lbproxy-ilog_events -s /tmp/glite-lbproxy-ilog.sock -i /var/glite-lb-proxy-interlogd.pid -c /home/glite/.certs/hostcert.pem -k /home/glite/.certs/hostkey.pem
  • Globus Gridftp
    /usr/sbin/globus-gridftp-server -p 2811 -d error,warn,info -l /var/log/gridftp-session.log -Z /var/log/globus-gridftp.log -no-detach
  • resource BDII
    /usr/sbin/slapd -f /etc/bdii/bdii-slapd.conf -h ldap://0.0.0.0:2170 -u ldap
     /usr/bin/python /usr/sbin/bdii-update -c /etc/bdii/bdii.conf -d
  • Mysql Daemon
    /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --user=mysql
      \_ /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock

Init scripts and options

  • /etc/init.d/gLite { start | stop | restart | status | version }
    • /etc/init.d/globus-gridftp {start|stop|status|restart|condrestart|try-restart|reload|force-reload}
    • /etc/init.d/glite-wms-wmproxy {start|stop|restart|status|help|configtest}
    • /etc/init.d/glite-wms-wm {start|stop|restart|status}
    • /etc/init.d/glite-wms-lm {start|stop|restart|status|check}
    • /etc/init.d/glite-wms-jc {start|stop|restart|reload|status|check} [JobController|CondorG]
    • /etc/init.d/glite-proxy-renewald {start|stop|restart|status}
    • /etc/init.d/glite-lb-locallogger {start|stop|restart|status}
    • /etc/init.d/glite-lb-bkserverd {start|stop|restart|status}
  • /etc/init.d/bdii {start|stop|restart|status|condrestart}
  • /etc/init.d/mysqld {start|stop|status|condrestart|restart}

Configuration files location with example or template

The configuration files for the WMS services are located in:

  • /etc/glite-wms/glite_wms.conf (wms.conf.template) configuration of all the WMS services
  • /etc/glite-wms/glite_wms_wmproxy_httpd.conf (wmproxy_httpd.conf.template) specifying the configuration of the httpd server
  • /etc/glite-wms/glite_wms_wmproxy.gacl (wmproxy.gacl.template) define the access control list for wmproxy

The configuration files for globus gridftp are:

  • /etc/grid-security/gridftp.conf Globus gridftp configuration file
  • /etc/sysconfig/globus

The configuration files for the LB services are

  • /etc/glite-lb/lcas.db defining the location of the lcas plugin
  • /etc/glite-lb/log4crc defining the behavior and granularity of log4c logging
  • /etc/glite-lb/glite-lb-harvester.conf specifying the configuration of the L&B harvester
  • /etc/glite-lb/msg.conf defining the configuration (brokers, permissible topic prefixes, plugin location) for messaging over ActiveMQ
  • /etc/glite-lb/glite-lb-authz.conf giving authorization settings for the L&B server

The configuration files for condor are:

  • /opt/condor-c/etc/condor_config (/opt/condor-c/etc/examples/condor_config.generic) generic configuration file
  • /opt/condor-c/local./condor_config.local (/opt/condor-c/etc/examples/condor_config.local.generic) local configuration file

Lcas and Lcmaps configuration files are:

  • /etc/lcas/ban_users.db List of banned users for Lcas
  • /etc/lcas/lcas.db (/etc/lcas.db.in) Lcas rules
  • /etc/lcmaps/lcmaps.db (/etc/lcmaps/lcmaps.db.template) Lcmaps rules for wmproxy mapping
  • /etc/lcmaps/lcmaps.db.gridftp Lcmaps rules for gridftp mapping
  • /etc/grid-security/gsi-authz.conf globus mapping

BDII service configuration files are:

  • /etc/bdii/bdii.conf
  • /etc/sysconfig/bdii
  • /etc/bdii/bdii-slapd.conf

Security configuration files are:

  • /etc/grid-security/grid-mapfile User mapping
  • /etc/grid-security/groupmapfile Group mapping
  • /etc/grid-security/voms-grid-mapfile Voms mapping
  • and the directory /etc/grid-security/vomsdir/ with vomses .lsc files

Logfile locations (and management) and other useful audit information

The WMS log files can be found under $WMS_LOCATION_LOG and are (most of them are define in /etc/glite-wms/glite_wms.conf):

  • WmProxy
    • httpd-wmproxy-access.log
    • httpd-wmproxy-errors.log
    • wmproxy.log
    • glite-wms-wmproxy-purge-proxycache.log
    • glite-wms-wmproxy.restart.cron.log
    • wmproxy_logrotate.log
  • WorkloadManager
    • workload_manager_events.log
  • Logmonitor and JobController
    • logmonitor_events.log
    • jobcontoller_events.log
  • ICE
    • ice.log
  • Purger (running from cron job)
    • glite-wms-purgeStorage.log

Gridftp log files are:

  • /var/log/gridftp-session.log
  • /var/log/globus-gridftp.log

BDII service log file is:

  • /var/log/bdii/bdii-update.log

fetch crl log is:

  • /var/log/fetch-crl-cron.log

expiry gridmapdir cron job log is:

  • /var/log/lcg-expiregridmapdir.log

LB services log file are:

  • /var/log/glite/glite-lb-lcas.log
  • /var/log/glite/glite-lb-purger.log
  • other information can be found in /var/log/messages

Lcas and Lcmaps information can be found in

  • /var/log/messages

Condor log files are located under /var/local/condor/log/ and are:

  • MasterLog
  • NegotiatorLog
  • SchedLog
  • CollectorLog
  • MatchLog
  • GridmanagerLog.glite
  • and the directory /var/logmonitor/CondorG.log/

The log information of the LB service can be found in:

  • /var/log/messages

Open ports

The default ports used by WMS are:

  • 2170 : standard BDII
  • 2811 : Globus GridFTP control channel
  • 7443 : Apache/GridSite web service (SOAP over https)
  • 9003 : LB WS client queries
  • 9618 : condor_collector

  • 20000-25000 : GLOBUS_TCP_PORT_RANGE for GridFTP data channels, Condor-G LOWPORT/HIGHPORT

Possible unit test of the service

Submission of various type of jobs.

Where is service state held (and can it be rebuilt)

The submitted jobs go through various queues one for each services:

  • /var/workload_manager/jobdir/new/ WorkloadManager queue
  • /var/jobcontrol/jobdir/new/ JobController queue
  • /var/ice/jobdir/new/ ICE queue
  • /var/local/condor/spool Condor queue

LB information are stored in a mysql database

ICE information are stored in a sqlite database /var/ice/persist_dir/ice.db

LogMonitor internal information are stored in the directory /var/logmonitor/internal/

JobController internal information are stored in the directory /var/jobcontrol/submit/

Cron jobs

The cron jobs can be found in /etc/cron.d/ and are:

  • bdii-proxy
  • fetch-crl
  • glite-lb-purge.cron
  • glite-wms-purger.cron
  • glite-wms-wmproxy-purge-proxycache.cron
  • glite-wms-create-host-proxy.cron
  • glite-wms-check-daemons.cron
  • glite-wms-wmproxy.restart.cron
  • lcg-expiregridmapdir
  • wmproxy_logrotate
  • locallogger.cron

Security information

The authZ in WMS is managed by GridFTP and GridSite with two different mechanisms:

  • GridFTP: performed by LCAS
  • GridSite: specified by means of GACL, an XML-based formalism

Access control Mechanism description (authentication & authorization)

TBD

How to block/ban a user

  • The file "/etc/glite-wms/glite_wms_wmproxy.gacl" contains the identities (VO, user, etc) with distinct permissions (exec, read, write, ...) to use the WMS.
  • If it is necessary to ban a user/group/VO the site admin must add his/her DN/FQAN and a deny tag, e.g.:
           <entry>
             <person>
               <dn>/C=IT/O=INFN/OU=Personal Certificate/L=DATAMAT DSAGRD/CN=John Doe</dn>
             </person>
             <deny>
               <exec/>
             </deny>
           </entry>

Security recommendations

TBD

Other security relevant comments

  • Each user sandbox, stored in the filesystem, contains delegated credentials (which can be renewed by MyProxy) together with users input/output data.

Utility scripts

Useful script are:

  • /usr/sbin/glite_wms_wmproxy_load_monitor
    Usage:/usr/sbin/glite_wms_wmproxy_load_monitor [OPTIONS]...
          --load1       threshold for load average (1min)
          --load5       threshold for load average (5min)
          --load15    threshold for load average (15min)
          --memusage    threshold for memory usage (%)
          --swapusage    threshold for swap usage (%)
          --fdnum       threshold for used file descriptor
          --diskusage    threshold for disk usage (%)
          --flsize    threshold for input filelist size (KB)
          --flnum    threshold for number of unprocessed jobs (for filelist)
          --jdsize    threshold for input jobdir size (KB)
          --jdnum    threshold for number of unprocessed jobs (for jobdir)
           --ftpconn    threshold for number of FTP connections
           --oper       operation to monitor (can be listed with --list)
          --list       list operation supported
          --show       show all the current values
          --help       print this help message
  • /usr/bin/queryDb
    USAGE: queryDb --conf|-c <WMS CONFIGURATION FILE> [options]
    
    options: 
      --verbose|-v      Verbose output (print each db's record
      --status-filter|-s   Select only records in which the status column is one
               of those specified as option argument; more states can
               be ',' separated and they must be:
             REGISTERED
             PENDING
             IDLE
             RUNNING
             REALLY_RUNNING
             CANCELLED
             HELD
             ABORTED
             DONE_OK
             DONE_FAILED
             UNKNOWN
             PURGED
    
      --userdn|-u      Print the USERDN column of the job table
      --creamjobid|-C   Print the CREAM JOB ID column of the job table
      --gridjobid|-G   Print the GRID JOB ID column of the job table
      --userproxy|-p   Print the USER PROXY column of the job table
      --cream-url|-r   Print the CREAM URL column of the job table
      --myproxy-url|-m   Print the MYPROXY URL column of the job table
      --status|-S      Print the STATUS column of the job table
      --lease-id|-L      Print the LEASE-ID column of the job table
      --delegation-id|-D   Print the DELEGATION-ID column of the job table
      --worker-node|-w   Print the WORKER-NODE column of the job table
      --help|-h      Print this help
  • /usr/bin/queryStats
    USAGE: queryDb --conf|-c <WMS CONFIGURATION FILE> [options]
    
    options: 
      --from-date|-f   Set the lower time limit to collect the stats from
      --to-date|t   Set the upper time limit to collect the stats to
      --help|-h      Print this help
  • /usr/bin/glite-wms-ice-db-rm
    Safely remove Job(s) (identified by Grid Job ID(s)) from ICE's database
    
      Usage: /usr/bin/glite-wms-ice-db-rm [-c <conf_file>] [--from-file <input_file>] GridJobID
    
      - If not specified -c <conf_file> the default will be used
        (glite_wms.conf) in order to determine the path of ICE's database
      - Argument GridJobID and option --from-file <input_file>
        are mutually exclusive
      - If --from-file is specified the list of Grid JobIDs to remove
        will be retrieved from <input_file> (the IDs must be newline separated)
Topic revision: r2 - 2011-11-29 - AlessioGianelle
 
This site is powered by the TWiki collaboration platformCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback