Argus


ARGUS server and glexec on the workernodes

ARGUS cheat-sheet

Start/stop services

  • Beware: the order of starting/stopping the services is important!
/opt/argus/pap/sbin/pap-standalone start #needs to be started before pdp
/opt/argus/pdp/sbin/pdpctl.sh start
/opt/argus/pepd/sbin/pepdctl.sh start
  • In case a new set of policies needs to be applied the pdp component needs to be reloaded:
/etc/init.d/pdp reloadpolicy 
/etc/init.d/pepd clearcache

Log files and monitoring

  • Log files on the argus server
/opt/argus/pap/logs/pap-standalone.log
/opt/argus/pdp/logs/
/opt/argus/pepd/logs/
  • The log files tend to become rather big

Configuration

  • Configuration is done through *.ini files in following directories
/opt/argus/pap/conf/
/opt/argus/pdp/logs/
/opt/argus/pepd/logs/

Specific considerations

cd /root
./from-groupmap-to-policy.sh /opt/glite/etc/lcmaps/groupmapfile > my-policy.spl
/opt/argus/pap/bin/pap-admin add-policies-from-file my-policy.spl
  • Don't forget to reload the policies when adding new policies

glexec on the WNs cheat-sheet

Start/stop services

  • No services run on the workernodes

Log files and monitoring

  • log-only mode: syslog, e.g.
/var/log/messages (| grep glexec)
  • setuid mode:
/var/log/glexec/glexec.log
  • See argus server for glexec SAM test

Configuration

  • This file contains the user_white_list to specify users allowed to run glexec
/opt/glite/etc/glexec.conf
  • To increase the verbosity level, set log_level = 1 (up to 5)


Specific considerations


Debugging a faulty argus test

Restart Argus

service argus restart

This restarts all the dependent services (such as PAP and PEP).

Gridmapdir mount

Gridmapdir must be mounted on argus, cream and the WN:

ls /etc/grid-security/gridmapdir/


should give a list of directories

Test access with glexec

  • Find a valid proxy in /pooluser
  • su to this user (same name as the directory)
  • launch the following command:
export X509_USER_PROXY=/pooluser/pilocms006/x509up_u20606
export GLEXEC_CLIENT_CERT=${GLEXEC_CLIENT_CERT:-$X509_USER_PROXY}
$GLITE_LOCATION/sbin/glexec /usr/bin/whoami
  • This should return a user name if all went well.
  • In case of error, look at the log file
tailf /var/log/glexec/lcas_lcmaps.log
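
The gridmapdir check and the glexec test above combined into one script, added here as an example (it is not part of the original wiki page). The function names are hypothetical, and the requirement that the proxy file has mode 600 or 400 is an assumption of this example, based on the usual rule that a grid proxy is readable only by its owner.

```shell
#!/bin/bash
# Pre-flight checks before the glexec test (added example, hypothetical helper names).

# Succeeds if the gridmapdir exists and has at least one entry.
# An empty directory usually means the NFS mount is missing.
gridmapdir_ok() {
    local dir=${1:-/etc/grid-security/gridmapdir}
    [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Print the first proxy in a pool user's directory that is a non-empty
# regular file readable only by its owner (assumed modes: 600 or 400).
find_proxy() {
    local home=$1 f
    for f in "$home"/x509up_u*; do
        [ -f "$f" ] && [ -s "$f" ] || continue
        case $(stat -c %a "$f") in
            600|400) printf '%s\n' "$f"; return 0 ;;
        esac
    done
    return 1
}

# Same call as on this page: glexec /usr/bin/whoami with the proxy exported.
# Run it as the pool user; it prints the mapped user name.
glexec_whoami() {
    local proxy=$1 glexec=${2:-$GLITE_LOCATION/sbin/glexec}
    X509_USER_PROXY=$proxy GLEXEC_CLIENT_CERT=${GLEXEC_CLIENT_CERT:-$proxy} \
        "$glexec" /usr/bin/whoami
}

# Run the checks in order; the return code tells which step failed.
preflight() {
    local gridmapdir=$1 pooldir=$2 glexec=$3 proxy
    gridmapdir_ok "$gridmapdir" ||
        { echo "FAIL: gridmapdir empty or not mounted: $gridmapdir"; return 1; }
    proxy=$(find_proxy "$pooldir") ||
        { echo "FAIL: no usable proxy in $pooldir"; return 2; }
    glexec_whoami "$proxy" "$glexec" ||
        { echo "FAIL: glexec failed, see /var/log/glexec/lcas_lcmaps.log"; return 3; }
}

# Usage, as the pool user:
#   preflight /etc/grid-security/gridmapdir /pooluser/pilocms006
```
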

Installation of ARGUS server

  • The following templates have been updated from the lal repo (June 29th 2011)
  • /QWG-lal/grid/glite-3.2/machine-types/argus.tpl -> was up to date
  • /QWG-lal/os/sl550-x86_64/config/glite/3.2/argus.tpl -> was up to date
  • /QWG-lal/grid/glite-3.2/glite/argus/ (machine definitions)
    • config.tpl -> was up to date
    • pap.tpl -> updated
    • pdp.tpl -> updated
    • pep.tpm -> updated
    • service.tpl -> was up to date
    • rpms/config.tpl -> was up to date
    • rpms/x86_64/config.tpl -> was up to date
  • Adding the argus host template
    • /CBv6/cfg/sites/ulb-vub/hardware/machine/Virtual/virtual_kvm_argus.tpl
      • change the name + add virtual mac addresses
    • /CBv6/cfg/clusters/iihe-glite-32/profiles/profile_argus.iihe.ac.be.tpl
      • include machine type
    • /CBv6/cfg/sites/iihe-production/site/os_version_db.tpl
      • add os version for this machine
    • /CBv6/cfg/sites/iihe-production/config/glite_base.tpl
      • add direct route (?)
    • /CBv6/cfg/clusters/iihe-glite-32/private/argus.iihe.ac.be.tpl
      • add this file
    • /CBv6/cfg/sites/iihe-production/site/databases.tpl
      • added ip address (? what is this address)
      • added the hardware
    • /CBv6/cfg/sites/iihe-production/site/config_grid.tpl -> Did not change this file but might need a parameter like ARGUS_HOST
  • Modifying the rpm template
  • RPM updates:
    • the RPMs needed for argus are in
cd /opt/CB5/tmp/src/begrid/cb-client/cb-client-swrep/rpm-argus-glexec
./swrep.py --debug --mode=up --plat i386_glite_32_sl4,/grid/glite3/updates --dir=/opt/CB5/tmp/src/begrid/cb-client/cb-client-swrep/rpm-argus/
  • Installation of the host
    • To be able to install this host as a virtual machine, follow instructions on VirtWithKVM to set up the virtual disk correctly
    • Attention: the variable GLITE_UPDATE_VERSION = '21'; had to be added to the argus template to overcome an rpm dependency issue
    • The argus machine needs a host certificate
    • UpdateCertificates
ccq:/opt/CB5/tmp/src/begrid/cb-client/certificate_tool.py --mode=new --dir=/root/new-cert/ --att=OU=IIHE,CN=argus.wn.iihe.ac.be,emailAddress=grid_admin@listserv.vub.ac.be --debug
    • After the installation the gridmapdir from cream02 needs to be shared
    • On the cream02 add the following line in /etc/exports
/etc/grid-security/gridmapdir argus.wn.iihe.ac.be(rw,async)
    • And make sure the changes are adopted
exportfs -avr
    • On the argus add this in /etc/fstab
cream02.wn.iihe.ac.be:/etc/grid-security/gridmapdir /etc/grid-security/gridmapdir nfs hard,intr 0 0
    • Then, mount the directory
mount -a
    • Make sure that on both machines the nfs is running
service nfs status

Installation of glexec on the workernodes

  • /QWG-lal/grid/glite-3.2/glite/cream_ce/ (machine config)
    • cemonitor.tpl -> was up to date
    • config.tpl -> updated (changelog: location of glexec)
    • sudoers.tpl -> was up to date
  • /QWG-lal/grid/glite-3.2/glite/wn/service.tpl -> updated (include GLEXEC_WN_INCLUDE variable)
  • /QWG-lal/grid/glite-3.2/common/glexec/
    • config.tpl -> updated
    • cream_ce/config.tpl -> added
    • wn/config.tpl -> added
    • wn/service.tpl -> added
    • wn/rpms/config.tpl -> added
    • wn/rpms/x86_64/config.tpl -> added
  • /QWG-lal/grid/glite-3.2/common/lcas/
    • glexec.tpl -> was up to date (+home-made modifications for banning users)
    • glexec_wn.tpl -> added
  • /QWG-lal/grid/glite-3.2/common/lcmaps/
    • glexec.tpl -> was up to date
    • glexec_wn.tpl -> added
  • /QWG-lal/grid/glite-3.2/users/glexec.tpl -> updated
  • /QWG-lal/grid/glite-3.2/vo/functions.tpl -> updated
  • RPM updates:
    • the RPMs needed for glexec_wn are all in the i386_glite_32_sl4 rpm template
  • Parameters to be set for each workernode
variable GLEXEC_WN_ENABLED = true;
variable GLEXEC_OPMODE = 'log-only';
variable GLEXEC_SCAS_ENABLED = false;
variable GLEXEC_ARGUS_ENABLED = true;
variable GLITE_UPDATE_VERSION = '16';
variable GLEXEC_ARGUS_PEPD_ENDPOINTS = list('https://argus.iihe.ac.be:8154/authz'); # be careful to use the secure scheme (httpS)
variable GLEXEC_LOG_DESTINATION = 'syslog';
variable GLEXEC_EXTRA_WHITELIST = list('.cms','.dteam');


