Maintenance script: Created page with " == ARGUS server and glexec on the workernodes == PageOutline === ARGUS cheat-sheet === *General service reference wiki for argus server: https://twiki.cern.ch/twiki/..."

2015-08-26T12:28:13Z

Created page with " == ARGUS server and glexec on the workernodes == PageOutline === ARGUS cheat-sheet === *General service reference wiki for argus server: https://twiki.cern.ch/twiki/..."

New page

== ARGUS server and glexec on the workernodes ==
[[PageOutline]]
=== ARGUS cheat-sheet ===

*General service reference wiki for argus server: https://twiki.cern.ch/twiki/bin/view/EGEE/GLiteARGUS
*Below follows some site specific configurations

==== Start/stop services ====

*Beware: the order of starting/stopping the services is important!
<pre>
/opt/argus/pap/sbin/pap-standalone start #needs to be started before pdp
/opt/argus/pdp/sbin/pdpctl.sh start
/opt/argus/pepd/sbin/pepdctl.sh start
</pre>

*In case a new set of policies needs to be applied the pdp component needs to be reloaded:
<pre>
/etc/init.d/pdp reloadpolicy
/etc/init.d/pepd clearcache
</pre>

==== Log files and monitoring ====

*Log files on the argus server
<pre>
/opt/argus/pap/logs/pap-standalone.log
/opt/argus/pdp/logs/
/opt/argus/pepd/logs/
</pre>

*Links to monitoring pages
**https://sam-glexec.cern.ch/nagios/cgi-bin/status.cgi?servicegroup=SERVICE_CREAM-CE&style=detail
**https://sam-cms.cern.ch/nagios/cgi-bin/status.cgi?servicegroup=SERVICE_CREAM-CE&style=detail

*The log files tend to become rather big

==== Configuration ====

*Configuration is done through *.ini files in following directories
<pre>
/opt/argus/pap/conf/
/opt/argus/pdp/logs/
/opt/argus/pepd/logs/
</pre>

==== specific considerations ====

*The argus server needs to share its gridmapdir with the creamce
*Setting up site policies by hand: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthzQSPolicySetup
*Setting up site policies by translating the groupmap file https://twiki.cern.ch/twiki/bin/view/LCG/GlexecDeployment
<pre>
cd /root
./from-groupmap-to-policy.sh /opt/glite/etc/lcmaps/groupmapfile > my-policy.spl
/opt/argus/pap/bin/pap-admin add-policies-from-file my-policy.spl
</pre>
*Don't forget to reload the policies when adding new policies

=== glexec on the WNs cheat-sheet ===

==== Start/stop services ====

*No services run on the workernodes

==== Log files and monitoring ====

*log-only mode: syslog. eg.
<pre>/var/log/messages (| grep glexec)
</pre>
*setuid mode:
<pre>
/var/log/glexec/glexec.log
</pre>
*See argus server for glexec SAM test

==== Configuration ====

*This file contains the user_white_list to specify users allowed to run glexec
<pre>
/opt/glite/etc/glexec.conf
</pre>
*increase verbosity level log_level = 1(up to 5)

==== specific considerations ====

*debugging the glexec installation: https://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/Debugging_hints
*debugging results at another site: http://lists.grid.sinica.edu.tw/apwiki/ARGUS/glexec_install

----
=== Debugging a faulty argus test ===
==== Restart Argus ====

<pre>
service restart argus
</pre>

This will call all the dependent services (like PAP and PEP) to restart.
==== Grimapdir mount ====
Gridmapdir must be mounted on argus, cream and the WN:<br>

<pre>
ls /etc/grid-security/gridmapdir/
</pre>

<br>
should give an list of directories
==== Test access with glexec ====
*Find a valid valid proxy in /pooluser
*su to this user (same name as the directory
*launch the following command:

<pre>
export X509_USER_PROXY=/pooluser/pilocms006/x509up_u20606
export GLEXEC_CLIENT_CERT=${GLEXEC_CLIENT_CERT:-$X509_USER_PROXY}
$GLITE_LOCATION/sbin/glexec /usr/bin/whoami
</pre>
*This should return a user name if all went well.
*In case of error, look at the log file

<pre>
tailf /var/log/glexec/lcas_lcmaps.log
</pre>

----

=== Installation of ARGUS server ===

*The following templates have been updated from the lal repo (June 29th 2011)
*/QWG-lal/grid/glite-3.2/machine-types/argus.tpl -> was up to date
*/QWG-lal/os/sl550-x86_64/config/glite/3.2/argus.tpl -> was up to date
*/QWG-lal/grid/glite-3.2/glite/argus/ (machine definitions)
**config.tpl -> was up to date
**pap.tpl -> updated
**pdp.tpl -> updated
**pep.tpm -> updated
**service.tpl -> was up to date
**rpms/config.tpl -> was up to date
**rpms/x86_64/config.tpl -> was up to date

*Adding the argus host template
**/CBv6/cfg/sites/ulb-vub/hardware/machine/Virtual/virtual_kvm_argus.tpl
**change the name + add virtual mac addresses
**/CBv6/cfg/clusters/iihe-glite-32/profiles/profile_argus.iihe.ac.be.tpl
**include machine type
**/CBv6/cfg/sites/iihe-production/site/os_version_db.tpl
**add os version for this machine
**/CBv6/cfg/sites/iihe-production/config/glite_base.tpl
**add direct route (?)
**/CBv6/cfg/clusters/iihe-glite-32/private/argus.iihe.ac.be.tpl
**add this file
**/CBv6/cfg/sites/iihe-production/site/databases.tpl
**added ip address (? what is this address)
**added the hardware
**/CBv6/cfg/sites/iihe-production/site/config_grid.tpl -> Did not change this file but might need a parameter like ARGUS_HOST

*Modifying the rpm template

*Argus parameters:
**https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#ARGUS
**ARGUS_HOST: not set (?)
**PAP_HOST_DN: set DN of machine

*RPM updates:
**the rpm needed for argus are in
<pre>
cd /opt/CB5/tmp/src/begrid/cb-client/cb-client-swrep/rpm-argus-glexec
./swrep.py --debug --mode=up --plat i386_glite_32_sl4,/grid/glite3/updates --dir=/opt/CB5/tmp/src/begrid/cb-client/cb-client-swrep/rpm-argus/
</pre>

*Installation of the host
**To be able to install this host as a virtual machine, follow instructions on [[VirtWithKVM]] to set up the virtual disk correctly
**Attention; needed to add ''variable GLITE_UPDATE_VERSION = '21';'' in the argus template to overcome rpm dependency issue
**The argus machine needs a host certificate
**[[UpdateCertificates]]
<pre>
ccq:/opt/CB5/tmp/src/begrid/cb-client/certificate_tool.py --mode=new --dir=/root/new-cert/ --att=OU=IIHE,CN=argus.wn.iihe.ac.be,emailAddress=grid_admin@listserv.vub.ac.be --debug
</pre>
**After the installation the gridmapdir from cream02 needs to be shared
**On the cream02 add the following line in /etc/exports
<pre>
/etc/grid-security/gridmapdir argus.wn.iihe.ac.be(rw,async)
</pre>
**And make sure the changes are adopted
<pre>
exportfs -avr
</pre>
**On the argus add this in /etc/fstab
<pre>
cream02.wn.iihe.ac.be:/etc/grid-security/gridmapdir /etc/grid-security/gridmapdir nfs hard,intr 0 0
</pre>
**Then, mount the directory
<pre>
mount -a
</pre>
**Make sure that on both machines the nfs is running
<pre>
service nfs status
</pre>

=== Installation of glexec on the workernodes ===

*/QWG-lal/grid/glite-3.2/glite/cream_ce/ (machine config)
**cemonitor.tpl -> was up to date
**config.tpl -> updated (changelog: location of glexec)
**sudoers.tpl -> was up to date
*/QWG-lal/grid/glite-3.2/glite/wn/service.tpl -> updated (include GLEXEC_WN_INCLUDE variable)
*/QWG-lal/grid/glite-3.2/common/glexec/
**config.tpl -> updated
**cream_ce/config.tpl -> added
**wn/config.tpl -> added
**wn/service.tpl -> added
**wn/rpms/config.tpl -> added
**wn/rpms/x86_64/config.tpl -> added
*/QWG-lal/grid/glite-3.2/common/lcas/
**glexec.tpl -> was up to date (+home-made modifications for banning users)
**glexec_wn.tpl -> added
*/QWG-lal/grid/glite-3.2/common/lcmaps/
**glexec.tpl -> was up to date
**glexec_wn.tpl -> added
*/QWG-lal/grid/glite-3.2/users/glexec.tpl -> updated
*/QWG-lal/grid/glite-3.2/vo/functions.tpl -> updated

*Variables to set:
**https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn
**GLEXEC_WN_INCLUDE in wn profile

*RPM updates:
**the rpm needed for glexec_wn are all in i386_glite_32_sl4 rpm template

*Parameters to be set for each workernode
<pre>
variable GLEXEC_WN_ENABLED = true;
variable GLEXEC_OPMODE = 'log-only';
variable GLEXEC_SCAS_ENABLED = false;
variable GLEXEC_ARGUS_ENABLED = true;
variable GLITE_UPDATE_VERSION = '16';
variable GLEXEC_ARGUS_PEPD_ENDPOINTS = list('https://argus.iihe.ac.be:8154/authz'); # be careful on the secure (httpS)
variable GLEXEC_LOG_DESTINATION = 'syslog';
variable GLEXEC_EXTRA_WHITELIST = list('.cms','.dteam');
</pre>

*debugging: https://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/Debugging_hints
*debugging at other site: http://lists.grid.sinica.edu.tw/apwiki/ARGUS/glexec_install

=== Links ===

*https://twiki.cern.ch/twiki/bin/viewauth/CMS/Poll-gLExec-2011
*https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
*https://trac.lal.in2p3.fr/Quattor/wiki/Doc/gLite/TemplateCustomization/Services#ARGUS
*http://glite.cern.ch/glite-ARGUS/
*https://twiki.cern.ch/twiki/bin/view/EGEE/GLiteARGUS
*http://www.gridpp.ac.uk/wiki/Glexec,_LCAS,_LCMAPS_and_Pilot_Job
*https://twiki.cern.ch/twiki/bin/view/LCG/GlexecDeployment
*http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/HOWTO_set_up_gLExec_on_the_worker_node
*https://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/GLExec
*www.nikhef.nl/~davidg/presentations/On-MUPJs-SARA-20100105.pptx
*https://twiki.cern.ch/twiki/bin/view/EGEE/AuthzQSManInstall
*http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/Set_up_gLExec_for_Argus
*https://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/FAQs_and_misconceptions

{{TracNotice|{{PAGENAME}}}}

Argus - Revision history

Maintenance script: Created page with " == ARGUS server and glexec on the workernodes == PageOutline === ARGUS cheat-sheet === *General service reference wiki for argus server: https://twiki.cern.ch/twiki/..."