Introduction
This is a quickstart that shows a full installation of the Toolkit on two Fedora machines. It shows the installation of prereqs, installation of the toolkit, creation of certificates, and configuration of services. It is designed to supplement the main admin guide, Installing GT 5.2.2.
Scenarios are shown for running GridFTP and GRAM services, and using GridFTP and GRAM clients.
The Globus Toolkit 5.2 consists of a set of RPMs or .debs for several Linux distributions and a source installer which can be used on platforms that do not use RPM or Debian packaging. In this quickstart, we will be installing from native RPM packages. Thus, it is a pre-requisite for following this quickstart that you are running a distribution for which we provide native binary packages.
We will show how to set up and use the Globus RPM repository. If your distribution has Globus 5.2.2 packages within its repository, you can skip to the next section.
The repo-config rpms for the various binary (RPM and deb) repositories can be found at the repo config download page.
To install from binary RPMs, get the appropriate repo-config rpm from the link above and install it with:
# rpm -i Globus-repo-config.<distro>.noarch.rpm
Install packages:
# yum install globus-gridftp globus-gram5
# yum install globus-gridftp-server-progs globus-gass-copy-progs myproxy myproxy-server myproxy-admin globus-simple-ca globus-gss-assist-progs
All of the work we're going to do now requires that we be authenticated and authorized. We use certificates for this purpose. The Distinguished Name (DN) of a certificate will serve as our authenticated identity. That identity will then be authorized.
We will need identities for both the services and users. For the services, we will use an identity that is equal to their hostname. For the users, we'll use their full name. To create the certificates, we're going to use the SimpleCA that is distributed with the toolkit. More in depth information about setting up SimpleCA can be found in the Installing SimpleCA Appendix.
Note: In many deployment scenarios, certificates for both services and users are obtained through one or more third party CAs. In such scenarios, it is unnecessary to use SimpleCA or MyProxy to issue certificates. Since this quickstart is intended to describe a simple, standalone deployment scenario, we describe how to use these tools to issue your own certificates.
root@elephant:~# wget http://globus.org/toolkit/docs/5.2/5.2.2/admin/quickstart/setup-simpleca
root@elephant:~# sh setup-simpleca -y
Setting up /sandbox/globus/globus-5.2.2/
Please enter a password of at least four characters for the CA:
Confirm password:
Creating a new simpleCA, logging to gt-server-ca.log...
Running setup-gsi...
Your CA hash is: b906298a
It is located at /sandbox/globus/globus-5.2.2//share/certificates/b906298a.0
Your host DN is /O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/CN=host/elephant.globus.org
The hostcert is located at /sandbox/globus/globus-5.2.2//etc/hostcert.pem
Note: This will fail if /tmp is mounted noexec. If you get a failure, you might try setting GLOBUS_SH_TMP=`pwd` and trying again.
Here's what has happened. The files created by SimpleCA are all explained in the Security Admin Guide.
We are going to create a MyProxy server on elephant, following the instructions at http://grid.ncsa.illinois.edu/myproxy/fromscratch.html#server. This will be used to store our user's certificates. Recall that so far we have made a host certificate, but we don't have any certificates for end users yet.
root@elephant:~# vim /etc/myproxy-server.config
Uncomment every line in the section "Complete Sample Policy #1" such that it looks like this.
root@elephant:~# cp /etc/grid-security/myproxy/host*.pem /etc/grid-security/
Start the myproxy server:
root@elephant:~# service myproxy-server start
Check that it is listening:
root@elephant:~# netstat -an | grep 7512
tcp 0 0 0.0.0.0:7512 0.0.0.0:* LISTEN
Now that MyProxy is set up, we'll get a user certificate for our sample user. The root user will add a new credential into MyProxy. I have to specify a full name and a login name. I'll be using QuickStart User as the first and last name and quser as the UNIX account name for my user. I must supply two different passwords. The first password is going to be the quser user's password, and must be at least 6 characters long. The second password must be my SimpleCA password from when I ran gt-server-ca.
root@elephant:~# sudo -H -E -u myproxy myproxy-admin-adduser -c "QuickStart User" -l quser
The output looks like this.
Our last act will be to create a grid-mapfile as root for authorization. You can copy and paste the /O=Grid/OU=... subject name from the output above:
root@elephant:~# grid-mapfile-add-entry -dn "/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User" -ln quser
![]() | Note |
|---|---|
The |
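Because every DN in the grid-mapfile is granted the local account it names, the file is worth checking after each edit. The following is an added example, not part of the original quickstart or the Globus tools: a hypothetical `audit_gridmap` shell function that assumes the `"DN" account[,account...]` line format and flags a writable mapfile, malformed lines, repeated DNs and mappings to root.

```shell
#!/bin/sh
# Added example (not from the Globus docs): audit a grid-mapfile.
# Assumed line format: "<certificate DN>" <account>[,<account>...]
# audit_gridmap is a hypothetical helper name.

# audit_gridmap FILE: print one finding per line; return 1 if anything was found.
audit_gridmap() {
    f=$1
    findings=$(
        # A group- or world-writable mapfile lets non-root users add mappings.
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "PERMS: $f is group- or world-writable"
        fi
        awk '
            /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
            {
                # A DN contains spaces, so it must be quoted to parse unambiguously.
                if ($0 !~ /^[ \t]*"[^"]+"[ \t]+[^ \t"]+[ \t]*$/) {
                    printf "MALFORMED: line %d\n", NR
                    next
                }
                split($0, q, "\"")               # q[2] = DN, q[3] = account list
                dn = q[2]; accts = q[3]
                gsub(/[ \t]/, "", accts)
                # The same DN on two lines makes the effective mapping unclear.
                if (dn in seen)
                    printf "DUPLICATE: line %d repeats the DN on line %d\n", NR, seen[dn]
                else
                    seen[dn] = NR
                # Jobs and transfers run as the mapped account, so a root
                # mapping hands remote requests full privilege.
                n = split(accts, a, ",")
                for (i = 1; i <= n; i++)
                    if (a[i] == "root")
                        printf "ROOT: line %d maps \"%s\" to root\n", NR, dn
            }' "$f"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root with `audit_gridmap /etc/grid-security/grid-mapfile`; a zero exit status means no findings.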
Now that we have our host and user credentials in place, we can start a service. This setup comes from the GridFTP Admin Guide.
Start the GridFTP server:
root@elephant:/etc/grid-security# service globus-gridftp-server start
Check that it is listening:
root@elephant:/etc/grid-security# grep gsiftp /etc/services
gsiftp 2811/tcp #GSI FTP
gsiftp 2811/udp #GSI FTP
root@elephant:/etc/grid-security# netstat -an | grep 2811
tcp 0 0 0.0.0.0:2811 0.0.0.0:* LISTEN
Now the GridFTP server is waiting for a request, so we'll run a client and transfer a file:
quser@elephant $ myproxy-logon -s elephant
Enter MyProxy pass phrase:******
A credential has been received for user quser in /tmp/x509up_u1817.
quser@elephant $ globus-url-copy gsiftp://elephant.globus.org/etc/group file:///tmp/quser.test.copy
quser@elephant $ diff /tmp/quser.test.copy /etc/group
quser@elephant $
Okay, so the GridFTP server works. If you had trouble, check the security troubleshooting section in the Security Admin Guide. Now we can move on to setting up GRAM5 resource management.
Now that we have security and GridFTP set up, we can set up GRAM for resource management. There are several different Local Resource Managers (LRMs) that one could configure GRAM to use, but this guide will explain the simple case of setting up a "fork" jobmanager, without auditing. For details on all other configuration options, and for reference, you can see the GRAM5 Admin Guide.
root@elephant:/etc/grid-security# grep gsigatekeeper /etc/services
gsigatekeeper 2119/tcp # GSIGATEKEEPER
gsigatekeeper 2119/udp # GSIGATEKEEPER
Start the GRAM gatekeeper:
root@elephant:/etc/grid-security# service globus-gatekeeper start
Check that it is listening:
root@elephant:/etc/grid-security# netstat -an | grep 2119
tcp 0 0 0.0.0.0:2119 0.0.0.0:* LISTEN
The gatekeeper is set up to run, and is ready to authorize job submissions and pass them on to the fork job manager. We can now run a couple of test jobs:
quser@elephant $ myproxy-logon -s elephant
Enter MyProxy pass phrase:******
A credential has been received for user quser in /tmp/x509up_u1817.
quser@elephant $ globusrun -o -r elephant.globus.org:2119/jobmanager-fork '&(executable="/bin/hostname" )'
elephant
quser@elephant $ globusrun -s -r elephant.globus.org:2119/jobmanager-fork '&(executable=/usr/bin/whoami)'
quser
Success! If you had trouble, check the security troubleshooting section in the Security Admin Guide. To learn more about using GRAM 5, take a look at the GRAM User's Guide.
Alas, it's not much of a grid with just one machine. So let's start up on another machine and add it to this little test grid.
See Prereqs.
Now we can install from binaries:
Install packages
# yum install globus-gridftp
# yum install globus-gridftp-server-progs globus-gass-copy-progs myproxy globus-simple-ca globus-gss-assist-progs
Now let's get security set up on the second machine. We're going to just add trust for the original simpleCA to this new machine; there's no need to create a new one. All we need to do is copy the $GLOBUS_LOCATION/share/certificates from our first machine to our second:
globus@donkey:~$ scp -r elephant:/etc/grid-security/certificates /etc/grid-security/certificates
We're going to create the host certificate for donkey, but we create it on elephant:
root@elephant:~# myproxy-admin-addservice -c "donkey.globus.org" -l donkey
Then as root on donkey:
root@donkey:~# myproxy-retrieve -s elephant -k donkey.globus.org -l donkey
Enter MyProxy pass phrase:******
Credentials for quser have been stored in /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem.
root@donkey:/etc/grid-security# ls -l *.pem
-rw------- 1 root root 912 2008-06-19 13:45 hostcert.pem
-rw------- 1 root root 887 2008-06-19 13:45 hostkey.pem
root@donkey:/etc/grid-security# myproxy-destroy -s elephant -k donkey.globus.org -l donkey
MyProxy credential 'donkey.globus.org' for user donkey was successfully removed.
There. Now donkey is set up with host certs, and it trusts the CA of my grid. The last step for root is to create a grid-mapfile for myself again:
root@donkey:~# grid-mapfile-add-entry -dn "/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User" -ln quser
GridFTP setup on the second machine is identical to the first. I'll just list the commands here; see Section 2.4, “Setting up GridFTP” for additional information.
root@donkey:/etc/grid-security# service globus-gridftp-server start
Now we can test it:
donkey % myproxy-logon -s elephant
Enter MyProxy pass phrase:******
A credential has been received for user quser in /tmp/x509up_u1817.
donkey % globus-url-copy gsiftp://donkey.globus.org/etc/group \
    gsiftp://elephant.globus.org/tmp/from-donkey
That was a slightly fancier test than I ran on elephant. In this case, I did a third-party transfer between two GridFTP servers. It worked, so I have the local and remote security set up correctly.
If it did not work, perhaps you have a firewall between the two machines? GridFTP needs to communicate on data ports, not just port 2811. The error looks like:
error: globus_ftp_client: the server responded with an error
500 500-Command failed. : callback failed.
500-globus_xio: Unable to connect to 140.221.8.19:42777
500-globus_xio: System error in connect: No route to host
500-globus_xio: A system call failed: No route to host
500 End.
You can set up a range of ports to be open on the firewall and configure GridFTP to use them. See the GridFTP admin firewall doc.
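To tell a blocked firewall range from a server that is not using the range at all, compare the port in the error with the configured range. This is an added example, not from the original guide: `classify_gridftp_error` is a hypothetical helper, and it assumes the range is the `min,max` value set through the Globus `GLOBUS_TCP_PORT_RANGE` environment variable on the servers.

```shell
#!/bin/sh
# Added example (not from the Globus docs). classify_gridftp_error is a
# hypothetical helper; the port ranges used with it are constructed values.

# classify_gridftp_error MIN,MAX   (client error text on stdin)
# MIN,MAX is the value given to GLOBUS_TCP_PORT_RANGE on the servers.
classify_gridftp_error() {
    range=$1
    min=${range%,*}
    max=${range#*,}
    # Take the host and port from the first "Unable to connect to" line.
    target=$(sed -n 's/.*Unable to connect to \([0-9.]*\):\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    if [ -z "$target" ]; then
        echo "no-data-channel-error"
        return 0
    fi
    host=${target% *}
    port=${target#* }
    if [ "$port" -ge "$min" ] && [ "$port" -le "$max" ]; then
        # The listener honoured the range, so a filter on the path dropped it.
        echo "firewall: $host:$port is inside $min-$max, allow tcp $min:$max to $host"
    else
        # An ephemeral port means the listening server ignores the range.
        echo "server-config: $host:$port is outside $min-$max, set the range on $host"
    fi
}
```

Pipe the saved client error into it, for example `classify_gridftp_error 50000,51000 < transfer-error.txt`, where both the range and the file name are placeholders.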
Now we can submit a staging job. This job will copy the /bin/echo command from donkey to a file called /tmp/my_echo. Then it runs it with some arguments, and captures the stderr/stdout. Finally, it will clean up the my_echo file when execution is done.
donkey % wget http://globus.org/toolkit/docs/5.2/5.2.2/admin/quickstart/a.rsl
donkey % globusrun -f a.rsl -s -r elephant.globus.org:2119/jobmanager-fork
donkey % cat ~/stdout
-rw-r--r-- 1 quser quser 24228 Nov 21 07:16 /tmp/my_echo
donkey % ls /tmp/my_echo
ls: /tmp/my_echo: No such file or directory
This example staged in a file, had an executable act on that file, and cleaned up the file afterward.
You can get other examples of GRAM RSL files from GRAM usage scenarios.