Install After Installation
From UGP-Wiki
III. After Installation
Set Root Privileges and Configure your Certificate Authority (CA)
Do the following after a Grid Portal or a Grid Appliance installation. Log in as root, change to the directory containing UGP, and enter:
cd 3rdParty
You will now run a script named postinstall.sh. It performs a number of operations that must be run as root, including operations related to the CA. Each Appliance and the Portal itself must establish a trust relationship with the CA.
Now run postinstall.sh using one of the following commands:
./postinstall.sh portal       -- for Grid Portal
./postinstall.sh appliance    -- for Grid Appliance
You can answer the prompts by accepting the defaults. Make sure you point to the default CA that you will use. The files hostcert_request.pem and hostkey.pem are created when you run this script.
Email the file /etc/grid-security/hostcert_request.pem to your CA administrator. The administrator will send you back a signed certificate named hostcert.pem. Copy that file to your /etc/grid-security/ directory.
If you are the CA administrator, on the machine containing the CA (by default the Grid Portal machine), log in as user globus, or issue the command:
source ~globus/.bash_profile
to load the globus user's environment. Then issue the following command to generate the signed certificate:
grid-ca-sign -in hostcert_request.pem -out hostcert.pem
This will ask you for a password. The password is the value of uc.ca.pass in UCLAGridPortal/portal.properties.
After you receive the hostcert.pem, place it in /etc/grid-security (as root) and issue the following commands (as root) to create the container credential:
cd /etc/grid-security
cp hostcert.pem containercert.pem
cp hostkey.pem containerkey.pem
chown globus:globus container*.pem
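An added check for the credential files created above, not part of UGP or the original page: it confirms that each certificate carries the same public key as its key file, that the certificate has not expired, that the key files are closed to group and other, and that the container copies belong to the expected owner. The function names are hypothetical, and the script assumes the openssl command-line tool and GNU stat are installed.

```shell
#!/bin/sh
# Added example (not part of UGP). Helper names are hypothetical.
# Assumes the openssl CLI and GNU stat (stat -c) are installed.

key_is_private() {      # true when the key has no group/other permission bits
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in *00|0) return 0 ;; *) return 1 ;; esac
}

cert_matches_key() {    # true when certificate and key hold the same public key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_grid_creds DIR OWNER: prints one line per problem, returns 0 when clean.
check_grid_creds() {
    dir=$1; owner=$2; rc=0
    for pair in hostcert.pem:hostkey.pem containercert.pem:containerkey.pem; do
        cert=$dir/${pair%%:*}; key=$dir/${pair##*:}
        if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
            echo "missing: $cert or $key"; rc=1; continue
        fi
        key_is_private "$key" || { echo "group/other can access $key"; rc=1; }
        cert_matches_key "$cert" "$key" || { echo "$cert does not match $key"; rc=1; }
        openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
            { echo "$cert has expired or is unreadable"; rc=1; }
    done
    for f in containercert.pem containerkey.pem; do
        [ "$(stat -c '%U' "$dir/$f" 2>/dev/null)" = "$owner" ] ||
            { echo "$dir/$f is not owned by $owner"; rc=1; }
    done
    return "$rc"
}

# On a real node, run as root:  sh check_creds.sh /etc/grid-security globus
if [ $# -eq 2 ]; then
    check_grid_creds "$1" "$2"
fi
```

A mismatch between hostcert.pem and hostkey.pem usually means the signed certificate returned by the CA belongs to a different request than the key on this machine.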
Synchronize the system clock with a time server
Either run an ntpd server or add an entry like the one below to /etc/crontab:
02 4 * * * root /usr/sbin/ntpdate -s -b -p 8 -u 128.97.60.1
Replace 128.97.60.1 with a time server hostname.
Entries for Running GRAM jobs on Appliance nodes
On the Appliance node, update /etc/sudoers as the root user for submitting GRAM jobs:
globus ALL=(username1,username2) NOPASSWD: /home/globus/GT4/libexec/globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile /home/globus/GT4/libexec/globus-job-manager-script.pl *
globus ALL=(username1,username2) NOPASSWD: /home/globus/GT4/libexec/globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile /home/globus/GT4/libexec/globus-gram-local-proxy-tool *
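An added audit for the sudoers entries above, not part of UGP or the original page: it flags any rule for user globus whose Runas list contains root or ALL, or whose command is not one of the two globus-gridmap-and-execute invocations shown. The function name audit_globus_sudoers is hypothetical and the sample file is constructed; on an Appliance node, pass it /etc/sudoers as root.

```shell
#!/bin/sh
# Added example (not part of UGP): audit the globus entries in a sudoers file.
# Prints one line per finding; returns 0 only when every globus rule is as expected.
audit_globus_sudoers() {
    awk '
    BEGIN {
        lib = "/home/globus/GT4/libexec/"
        pre = lib "globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile "
        ok[pre lib "globus-job-manager-script.pl *"] = 1
        ok[pre lib "globus-gram-local-proxy-tool *"] = 1
    }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }      # join continued lines
    {
        line = buf $0; buf = ""
        gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
    }
    line !~ /^globus / { next }                       # only rules for user globus
    {
        rules++
        if (match(line, /\([^)]*\)/)) {               # Runas list, e.g. (alice,bob)
            n = split(substr(line, RSTART + 1, RLENGTH - 2), u, / *, */)
            for (i = 1; i <= n; i++)
                if (u[i] == "root" || u[i] == "ALL") {
                    print "runas too broad: " u[i]; bad++
                }
        } else { print "no runas list (defaults to root): " line; bad++ }
        cmd = line; sub(/^.*NOPASSWD: */, "", cmd)
        if (!(cmd in ok)) { print "unexpected command: " cmd; bad++ }
    }
    END {
        if (rules == 0) { print "no globus rules found"; exit 2 }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the first rule follows the page, the second is too broad.
sample=$(mktemp)
cat > "$sample" <<'EOF'
globus ALL=(username1,username2) NOPASSWD: /home/globus/GT4/libexec/globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile /home/globus/GT4/libexec/globus-job-manager-script.pl *
globus ALL=(ALL) NOPASSWD: ALL
EOF
audit_globus_sudoers "$sample" || echo "audit reported findings"
rm -f "$sample"
```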
Start Various Processes
• For a Grid Portal:
□ Restart MySQL as root:
/etc/init.d/mysqld restart
□ Start the Globus Toolkit as user globus:
cd $GLOBUS_LOCATION
./globus-start.sh
□ Start Apache Tomcat as user globus:
cd $CATALINA_HOME/bin
./startup.sh
□ If the machine runs iptables, open port 9443 in the /etc/sysconfig/iptables file (Fedora Core).
• For a Grid Appliance:
□ Start the Globus Toolkit as user globus:
cd $GLOBUS_LOCATION
./globus-start.sh
□ As user globus:
cd $GLOBUS_LOCATION
cd etc/globus_wsrf_mds_index/DefaultIndex
./srun.sh
Configure UGP and Create Administrative Users
In this step you will create the GridSphere Super User for the Grid Portal, attach your first Grid Appliance to the Grid Portal and designate a Cluster Admin for the cluster that that Grid Appliance is connected to. Then a user of that cluster must apply for Grid access, be Grid-Enabled by the Cluster Admin and approved and made Grid Admin for the Portal (UGP) by the GridSphere Super User.
The GridSphere Super User is NOT a cluster user and does not have a Certificate for normal use of the Grid. The person who will be Grid Admin should retain the Super User Username and Password. The only use that will be made of the Super User in the future will be to designate additional Grid Admins. There can be more than one Grid Admin and the GridSphere Super User is the only user that can designate them.
The Grid Admin should be an actual user of the first cluster to be connected to the Grid Portal. The Grid Admin is required to have full user privileges, because the Grid Admin has to test various features of the Portal and make sure that they are working. The GridSphere Super User cannot do this.
You must do the following steps in the order given as the creation of the first Grid Admin is a kind of bootstrap process.
1. Create the GridSphere Super User
a. Open a web browser and go to https://portal.hostname:9443/gridsphere/gridsphere. Replace portal.hostname with the address of your Grid Portal machine. Since this is the first time anyone has gone to this URL, GridSphere will present you with a form to fill in and ask you to create the GridSphere Super User. (UGP runs under GridSphere.)
b. Login as the Super User.
c. Make the Super User one of the administrators.
Click on Groups under the Administration tab. (The Administration tab
and the pages under it are part of GridSphere.) You will see a table
showing the two Groups currently configured. Click on Edit Users in the
row whose Group Name is uclagridportal. On the next page that appears,
make Super User the Admin of this group.
2. After your first Grid Appliance has been set up, add that Appliance to the TrustedCluster List:
a. Open a web browser and go to https://portal.hostname:9443/gridsphere/gridsphere again. Log in as the GridSphere Super User.
b. Select TrustedClusterList under the Grid Admin tab. (The Grid Admin tab
is part of UGP and is where all UGP administrative activities are
performed.) The TrustedClusterList includes every cluster that is
connected to the Grid Portal. Since no clusters are as yet in this
list, click on Add. You will be presented with a table. Fill in the
information about the cluster that will be connected to the Grid Portal
by your first Grid Appliance. In the table, you will fill in the email
address of the administrator for that cluster under the heading
SupportEmail. You have just designated the Cluster Admin for that
cluster. In the future, the Cluster Admin will be sent all requests to
Grid-Enable users of this cluster.
3. The person who is to be Grid Admin should now apply to use the Grid.
a. Open a web browser and go to https://portal.hostname:9443/gridsphere/gridsphere.
b. In the Login Box in the upper right of that page, click on Apply for
Grid Access. A page will open asking you to authenticate. After you
authenticate you will be asked to fill in a form including your
proposed Grid Username and Password. On that form, select the cluster
that you just added to the TrustedClusterList where it says Select a
Resource:. This will cause an email to be sent to the Cluster Admin's
email address for that cluster. Of course, the person who is to become
Grid Admin must already have a login id on that cluster before he/she
can do this.
4. The Cluster Admin should follow the instructions in the UGP Administrators Guide to Grid-Enable the user and then click on the link that is in the email message. Clicking on the link will take the Cluster Admin to the Grid Portal where he/she will be asked to ssh authenticate on his/her cluster and then taken to a page where he/she can click on Approve next to the proposed Grid Administrator's name. Clicking on Approve will cause an email message to be sent to the GridSphere Super User.
5. When the email message is received by the GridSphere Super User, that person should click on the link in the message. This will take him/her to the Grid Portal where he/she will authenticate and then also click on Approve. Clicking on Approve will create a GridSphere account for the Grid Admin and the signed Certificate needed by UGP. The proxy Certificate will be sent to the MyProxy server (if there is one).
6. The GridSphere Super User should next log in to the Grid Portal and make the Grid Admin User an Admin.
1. Under the Administration tab click on Users. Each user in the user list
will either have User or Admin to the right of his/her name. The
proposed Grid Admin should have User next to his/her name. Clicking on
User will cause another page to appear. On that page, under
uclagridportal change User to Admin and click on Save.
2. Under the Administration tab click on Groups. Then click on Edit Users
to the right of uclagridportal. On the next page add the proposed Grid
Admin to Admin.
Modify your Grid Portal Home Page
Modify the Grid Portal home page in:
UCLAGridPortal/Portal/html/main/main.html
The one that is distributed with UGP is the one for UCLA. After modifying the home page:
cd UCLAGridPortal/Portal
ant deployhtml

