GT 5.0 Quickstart

Introduction

This is a quickstart that shows a full installation of the Toolkit on two Debian 5.0 machines. It shows the installation of prereqs, installation of the toolkit, creation of certificates, and configuration of services. It is designed to supplement the main admin guide, Installing GT 5.0.4.


1. Setting up the first machine

1.1. Pre-requisites

I will be installing all of the toolkit from source, so I'm going to double-check my system for pre-requisites. The full list of prereqs is available at Software Prerequisites in Installing GT 5.0.4.

First I'll check for security libraries:

elephant % openssl version
OpenSSL 0.9.8g 19 Oct 2007

elephant % dpkg --list | grep libssl
ii  libssl-dev              0.9.8g-15+lenny5           SSL development libraries, header files and documentation
ii  libssl0.9.8             0.9.8g-15+lenny5           SSL shared libraries
  
  
elephant % dpkg --list | grep zlib
ii  zlib1g                  1:1.2.3.3.dfsg-12          compression library - runtime
ii  zlib1g-dev              1:1.2.3.3.dfsg-12          compression library - development

openssl 0.9.7 (or newer, 0.9.8 is okay) and the zlib and libssl development libraries are required.

Note

The package names for zlib may vary for non-Debian systems. The RPM name we would look for is zlib-devel.

My system already has C/C++ compilers:

elephant % which gcc
/usr/bin/gcc
elephant % which g++
/usr/bin/g++

GNU versions of tar/make/sed:

elephant % tar --version
tar (GNU tar) 1.20
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
    
Written by John Gilmore and Jay Fenlason.
elephant % sed --version
GNU sed version 4.1.5
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE,
to the extent permitted by law.
elephant % make --version
GNU Make 3.81
Copyright (C) 2006  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

1.2. Building the Toolkit

That completes the list of build prereqs, so now I will download the installer and build it. The long version of these instructions is at Installing GT. First I created a globus user, and I will start the installation from that user.

globus@elephant:~$ tar xzf gt5.0.4-all-source-installer.tar.gz
globus@elephant:~$ cd gt5.0.4-all-source-installer
globus@elephant:~/gt5.0.4-all-source-installer$ ./configure --prefix=/sandbox/globus/globus-5.0.4/
checking build system type... i686-pc-linux-gnu
configure: creating ./config.status
config.status: creating Makefile

Note

I could have used the binary installer for this example, because Debian x86 Lenny binaries are available. To make the quickstart more general, I decided to use source instead.

Now it's time to build the toolkit:

globus@elephant:~/gt5.0.4-all-source-installer$ make | tee installer.log
cd gpt-3.2autotools2004 && OBJECT_MODE=32 ./build_gpt
build_gpt ====> installing GPT into /sandbox/globus/globus-5.0.4/
...
Time for a coffee break here, the build will take over an hour, possibly
longer depending on how fast your machine is
...
Your build completed successfully.  Please run make install.

globus@elephant:~/gt5.0.4-all-source-installer$ make install
/sandbox/globus/globus-5.0.4//sbin/gpt-postinstall
...
..Done

globus@elephant:~/gt5.0.4-all-source-installer$ 

1.3. Setting up security on your first machine

All of the work we're going to do now requires that we be authenticated and authorized. We use certificates for this purpose. The Distinguished Name (DN) of a certificate will serve as our authenticated identity. That identity will then be authorized. In this simple tutorial, the authorization will happen in a file lookup.

We will need identities for both the services and users. For the services, we will use an identity that is equal to their hostname. For the users, we'll use their full name. To create the certificates, we're going to use the SimpleCA that is distributed with the toolkit. Here's how we set it up, based on the instructions at SimpleCA Admin:

Note

In many deployment scenarios, certificates for both services and users are obtained through one or more third party CAs. In such scenarios, it is unnecessary to use SimpleCA or MyProxy to issue certificates. Since this quickstart is intended to describe a simple, standalone deployment scenario, we describe how to use these tools to issue your own certificates.

root@elephant:~# export GLOBUS_LOCATION=/sandbox/globus/globus-5.0.4
root@elephant:~# source $GLOBUS_LOCATION/etc/globus-user-env.sh
root@elephant:~# cd ~globus/gt5.0.4-all-source-installer/quickstart
root@elephant:gt5.0.4-all-source-installer/quickstart# perl gt-server-ca.pl -y
Setting up /sandbox/globus/globus-5.0.4/
Please enter a password of at least four characters for the CA: 
Confirm password:
Creating a new simpleCA, logging to gt-server-ca.log...
Running setup-gsi...
Your CA hash is: b906298a
It is located at /sandbox/globus/globus-5.0.4//share/certificates/b906298a.0
Your host DN is /O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/CN=host/elephant.globus.org
The hostcert is located at /sandbox/globus/globus-5.0.4//etc/hostcert.pem

Note

This will fail if /tmp is mounted noexec. If you get a failure, you might try setting GLOBUS_SH_TMP=`pwd` and trying again.

Here's what has happened:

root@elephant:~# ls ~/.globus/
simpleCA
root@elephant:~# ls ~/.globus/simpleCA/
cacert.pem  globus_simple_ca_b906298a_setup-0.20.tar.gz  newcerts
certs       grid-ca-ssl.conf                             private
crl         index.txt                                    serial

That's the directory where my SimpleCA has been created. These files are all explained in the Security Admin Guide.

Our last step is to copy that signed certificate and our trusted certificates into /etc:

root@elephant:~# mkdir /etc/grid-security
root@elephant:~# mv $GLOBUS_LOCATION/etc/host*.pem /etc/grid-security/
root@elephant:~# cp -r $GLOBUS_LOCATION/share/certificates/ /etc/grid-security/

1.4. Creating a MyProxy server

We are going to create a MyProxy server on elephant, following the instructions at configuring MyProxy. This will be used to store our user's certificates. Recall that so far we have made a host certificate, but we don't have any certificates for end users yet.

root@elephant:~# export GLOBUS_LOCATION=/sandbox/globus/globus-5.0.4/
root@elephant:~# cp $GLOBUS_LOCATION/share/myproxy/myproxy-server.config /etc
root@elephant:~# vim /etc/myproxy-server.config 
root@elephant:~# diff /etc/myproxy-server.config $GLOBUS_LOCATION/share/myproxy/myproxy-server.config
18,27c18,27
< accepted_credentials  "*"
< authorized_retrievers "*"
< default_retrievers    "*"
< authorized_renewers   "*"
< default_renewers      "none"
< authorized_key_retrievers "*"
< default_key_retrievers "none"
< trusted_retrievers         "*"
< default_trusted_retrievers "none"
< cert_dir /etc/grid-security/certificates
---
> #accepted_credentials  "*"
> #authorized_retrievers "*"
> #default_retrievers    "*"
> #authorized_renewers   "*"
> #default_renewers      "none"
> #authorized_key_retrievers "*"
> #default_key_retrievers "none"
> #trusted_retrievers         "*"
> #default_trusted_retrievers "none"
> #cert_dir /etc/grid-security/certificates
root@elephant:~# cat $GLOBUS_LOCATION/share/myproxy/etc.services.modifications >> /etc/services 
root@elephant:~# tail /etc/services 
binkp           24554/tcp                       # binkp fidonet protocol
asp             27374/tcp                       # Address Search Protocol
asp             27374/udp
dircproxy       57000/tcp                       # Detachable IRC Proxy
tfido           60177/tcp                       # fidonet EMSI over telnet
fido            60179/tcp                       # fidonet EMSI over TCP
# Local services
myproxy-server  7512/tcp                        # Myproxy server
root@elephant:~# cp $GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy /etc/xinetd.d/myproxy
root@elephant:~# vim /etc/xinetd.d/myproxy 
root@elephant:~# cat /etc/xinetd.d/myproxy 
service myproxy-server
{
  socket_type  = stream
  protocol     = tcp
  wait         = no
  user         = root
  server       = /sandbox/globus/globus-5.0.4/sbin/myproxy-server
  env          = GLOBUS_LOCATION=/sandbox/globus/globus-5.0.4 LD_LIBRARY_PATH=/sandbox/globus/globus-5.0.4/lib
  disable      = no
}
root@elephant:~# /etc/init.d/xinetd reload
Reloading internet superserver configuration: xinetd.
root@elephant:~# netstat -an | grep 7512
tcp        0      0 0.0.0.0:7512            0.0.0.0:*               LISTEN

Note on the env line: your system may require a different environment variable than LD_LIBRARY_PATH if you are using MacOS X or IRIX.
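
To see which policies the edited myproxy-server.config enables, this added example (not from the original quickstart or the MyProxy distribution) lists each active policy line and marks those whose DN pattern is "*", which matches every certificate subject. myproxy_policy_audit is a hypothetical helper name, and the scoped variant is constructed for comparison.

```sh
#!/bin/sh
# Added example, not MyProxy code: list the access policies a myproxy-server.config enables.

# myproxy_policy_audit FILE -> "<OPEN|none|scoped> <directive> <value>" per active policy
# line; status 1 if any policy is OPEN, i.e. its DN pattern is "*".
myproxy_policy_audit() {
    awk '
        /^[ \t]*(#|$)/ { next }                        # commented-out lines have no effect
        $1 ~ /^(accepted_credentials|(authorized|default)_(retrievers|renewers|key_retrievers)|(default_)?trusted_retrievers)$/ {
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)       # drop the directive name
            sub(/[ \t]+$/, "", val); gsub(/^"|"$/, "", val)
            state = (val == "*") ? "OPEN" : ((val == "none") ? "none" : "scoped")
            if (state == "OPEN") nopen++
            print state, $1, val
        }
        END { exit (nopen > 0) }
    ' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Policy lines as edited in the quickstart (the "<" side of the diff above).
cat > "$WORK/quickstart.config" <<'EOF'
accepted_credentials  "*"
authorized_retrievers "*"
default_retrievers    "*"
authorized_renewers   "*"
default_renewers      "none"
authorized_key_retrievers "*"
default_key_retrievers "none"
trusted_retrievers         "*"
default_trusted_retrievers "none"
cert_dir /etc/grid-security/certificates
EOF

# Constructed variant: policies limited to subjects issued under this grid's SimpleCA;
# the renewer and trusted-retriever lines stay commented out, as in the shipped file.
SCOPE='/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/*'
cat > "$WORK/scoped.config" <<EOF
accepted_credentials  "$SCOPE"
authorized_retrievers "$SCOPE"
default_retrievers    "$SCOPE"
#authorized_renewers   "*"
authorized_key_retrievers "$SCOPE"
default_key_retrievers "none"
#trusted_retrievers         "*"
cert_dir /etc/grid-security/certificates
EOF

for f in quickstart scoped; do
    echo "== $f.config"
    myproxy_policy_audit "$WORK/$f.config" || echo "-> at least one policy accepts any certificate subject"
done
```

Whether a scoped pattern fits depends on which clients must reach the MyProxy server, so check it against the retrieval steps you actually use before deploying it.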

Now that MyProxy is set up, we'll get a user certificate for our sample user. The root user will add a new credential into MyProxy. I have to specify a full name and a login name. I'll be using QuickStart User as the first and last name and quser as the UNIX account name for my user.

I must supply two different passwords. The first password is going to be the quser user's password, and must be at least 6 characters long. The second password must be my SimpleCA password from when I ran gt-server-ca.pl.

root@elephant:~ # myproxy-admin-adduser -c "QuickStart User" -l quser
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
  
To sign the request
please enter the password for the CA key:
  
The new signed certificate is at: /root/.globus/simpleCA//newcerts/02.pem
  
using storage directory /var/myproxy
Credential stored successfully
Certificate subject is:
/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User
 

Our last act will be to create a grid-mapfile as root for authorization. You can copy and paste the /O=Grid/OU=... subject name from the output above:

root@elephant:/etc/grid-security# vim /etc/grid-security/grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User" quser

Note

The globus user doesn't need a user certificate! It's a dummy account that we are using to own the GLOBUS_LOCATION. Only real people need user certs.
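
The grid-mapfile lookup described above, as an added shell example (not part of the original quickstart and not Globus code): it maps a certificate subject to a local account the way the file is laid out here, and flags entries that would not behave as intended. gridmap_lookup and gridmap_lint are hypothetical helper names, and every entry in the sample file other than the quser line is constructed.

```sh
#!/bin/sh
# Added example, not Globus code: emulate the grid-mapfile lookup and lint the file.

# gridmap_lookup FILE DN -> prints the local account(s) mapped to DN; status 1 if unmapped.
gridmap_lookup() {
    DN="$2" awk '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (substr(line, 1, 1) == "\"") {      # quoted DN: runs to the closing quote
                rest = substr(line, 2); q = index(rest, "\"")
                if (q == 0) next                   # unterminated quote: never matches
                subject = substr(rest, 1, q - 1); users = substr(rest, q + 1)
            } else {                               # unquoted DN: ends at first whitespace
                q = match(line, /[ \t]/)
                if (q == 0) next
                subject = substr(line, 1, q - 1); users = substr(line, q + 1)
            }
            sub(/^[ \t]+/, "", users); sub(/[ \t]+$/, "", users)
            if (subject == ENVIRON["DN"] && users != "") { print users; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# gridmap_lint FILE -> prints findings, one per line; status 1 if there are any.
gridmap_lint() {
    {
        awk '
            /^[ \t]*(#|$)/ { next }
            !/^[ \t]*"/ && NF > 2  { printf "line %d: DN contains spaces but is not quoted\n", NR }
            /^[ \t]*"[^"]*$/       { printf "line %d: unterminated quote\n", NR }
            $NF ~ /(^|,)root(,|$)/ { printf "line %d: certificate mapped to root\n", NR }
        ' "$1"
        # Anyone who can write this file can map their own DN to any account.
        find "$1" \( -perm -020 -o -perm -002 \) -exec echo "file is group- or world-writable" \;
    } | awk '{ print; n++ } END { exit (n > 0) }'
}

# Constructed sample: the quickstart's quser entry plus two deliberately bad lines.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# grid-mapfile: "certificate subject" local-account
"/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User" quser
/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=Second User suser
"/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=Admin User" root
EOF

QUSER_DN="/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User"
echo "quser DN maps to: $(gridmap_lookup "$SAMPLE" "$QUSER_DN")"
gridmap_lookup "$SAMPLE" "${QUSER_DN% User} Stranger" || echo "unknown DN: not authorized"
gridmap_lint "$SAMPLE" || echo "grid-mapfile needs attention"
```

The unquoted entry on line 3 of the sample never matches the full subject, because the DN is cut at the first space; that is why the quotes in the quickstart's entry matter.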

1.5. Set up GridFTP

Now that we have our host and user credentials in place, we can start a service. This setup comes from the GridFTP Admin Guide.

root@elephant:/etc/grid-security# vim /etc/xinetd.d/gridftp
root@elephant:/etc/grid-security# cat /etc/xinetd.d/gridftp
service gsiftp
{
instances               = 100
socket_type             = stream
wait                    = no
user                    = root
env                     += GLOBUS_LOCATION=/sandbox/globus/globus-5.0.4
env                     += LD_LIBRARY_PATH=/sandbox/globus/globus-5.0.4/lib
server                  = /sandbox/globus/globus-5.0.4/sbin/globus-gridftp-server
server_args             = -i
log_on_success          += DURATION
disable                 = no
}
root@elephant:/etc/grid-security# vim /etc/services
root@elephant:/etc/grid-security# tail /etc/services
vboxd           20012/udp
binkp           24554/tcp                       # binkp fidonet protocol
asp             27374/tcp                       # Address Search Protocol
asp             27374/udp
dircproxy       57000/tcp                       # Detachable IRC Proxy
tfido           60177/tcp                       # fidonet EMSI over telnet
fido            60179/tcp                       # fidonet EMSI over TCP

# Local services
myproxy-server  7512/tcp                        # Myproxy server
gsiftp          2811/tcp
root@elephant:/etc/grid-security# /etc/init.d/xinetd reload
Reloading internet superserver configuration: xinetd.
root@elephant:/etc/grid-security# netstat -an | grep 2811
tcp        0      0 0.0.0.0:2811            0.0.0.0:*               LISTEN

Note on xinetd: I already had xinetd installed:

quser@elephant:~$ dpkg --list xinetd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  xinetd         1:2.3.14-7     replacement for inetd with many enhancements

You can use inetd instead; see "Configuring the GridFTP server to run under xinetd/inetd" in the System Administrator's Guide for details. For now, though, you might want to apt-get install xinetd.

Note on LD_LIBRARY_PATH: on MacOS X, this would be DYLD_LIBRARY_PATH. Check your system documentation if LD_LIBRARY_PATH doesn't work on your system.

Now the GridFTP server is waiting for a request, so we'll run a client and transfer a file:

quser@elephant $ myproxy-logon -s elephant
Enter MyProxy pass phrase: ******
A credential has been received for user quser in /tmp/x509up_u1817.
quser@elephant $ globus-url-copy gsiftp://elephant.globus.org/etc/group file:///tmp/quser.test.copy
quser@elephant $ diff /tmp/quser.test.copy /etc/group
quser@elephant $ 

Okay, so the GridFTP server works. If you had trouble, check the security troubleshooting section in the Security Admin Guide. Now we can move on to setting up GRAM5 resource management.

1.6. Setting up GRAM5

Now that we have security and GridFTP set up, we can set up GRAM for resource management. There are several different Local Resource Managers (LRMs) that one could configure GRAM to use, but this guide will explain the simple case of setting up a "fork" jobmanager, without auditing. For details on all other configuration options, and for reference, you can see the GRAM5 Admin Guide.

root@elephant:/etc/grid-security# vim /etc/services 
root@elephant:/etc/grid-security# tail /etc/services 
vboxd           20012/udp
binkp           24554/tcp                       # binkp fidonet protocol
asp             27374/tcp                       # Address Search Protocol
asp             27374/udp
dircproxy       57000/tcp                       # Detachable IRC Proxy
tfido           60177/tcp                       # fidonet EMSI over telnet
fido            60179/tcp                       # fidonet EMSI over TCP

# Local services
myproxy-server  7512/tcp                        # Myproxy server
gsiftp          2811/tcp
gsigatekeeper   2119/tcp

root@elephant:/etc/grid-security# vim /etc/xinetd.d/gsigatekeeper
root@elephant:/etc/grid-security# cat /etc/xinetd.d/gsigatekeeper
service gsigatekeeper
{
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    env = LD_LIBRARY_PATH=/sandbox/globus/globus-5.0.4/lib
    server = /sandbox/globus/globus-5.0.4/sbin/globus-gatekeeper
    server_args = -conf /sandbox/globus/globus-5.0.4/etc/globus-gatekeeper.conf
    disable = no
}

root@elephant:/etc/grid-security# /etc/init.d/xinetd reload
Reloading internet superserver configuration: xinetd.
root@elephant:/etc/grid-security# netstat -an | grep 2119
tcp        0      0 0.0.0.0:2119            0.0.0.0:*               LISTEN

Note on xinetd: for this Quickstart, we're using xinetd. You can use inetd instead; see "Deploying GRAM5 via inetd or xinetd" in the GRAM5 Admin Guide for details. For now, though, you might want to apt-get install xinetd.

Note on LD_LIBRARY_PATH: on MacOS X, this would be DYLD_LIBRARY_PATH. Check your system documentation if LD_LIBRARY_PATH doesn't work on your system.

The gatekeeper is now set up to run from xinetd, and is ready to authorize job submissions and pass them on to the fork job manager. We can now run a couple of test jobs:

quser@elephant $ myproxy-logon -s elephant
Enter MyProxy pass phrase: ******
A credential has been received for user quser in /tmp/x509up_u1817.
quser@elephant $ globusrun -o -r elephant.globus.org:2119/jobmanager-fork '&(executable="/bin/hostname" )'
elephant
quser@elephant $ globusrun -s -r elephant.globus.org:2119/jobmanager-fork '&(executable=/usr/bin/whoami)'
quser

Success! If you had trouble, check the security troubleshooting section in the Security Admin Guide. To learn more about using GRAM 5, take a look at the GRAM User's Guide.

2. Setting up your second machine

2.1. Setting up your second machine: Prereqs

Alas, it's not much of a grid with just one machine. So let's start up on another machine and add it to this little test grid. For a change of pace, I'm going to use the binary installer on this machine.

globus@donkey:~$ tar xzf gt5.0.4-x86_debian_5.0-binary-installer.tar.gz

2.2. Setting up your second machine: Installation

Now we can install from binaries:


globus@donkey:~/gt5.0.4-x86_debian_5.0-installer$ ./configure \
   --prefix=/usr/local/globus-5.0.4
configure: creating ./config.status
config.status: creating Makefile
globus@donkey:~/gt5.0.4-x86_debian_5.0-installer$ make
cd gpt-3.2autotools2004 && OBJECT_MODE=32 ./build_gpt
...
Binaries are much faster!  This is done in less than 10 minutes.
...
Your build completed successfully.  Please run make install.
globus@donkey:~/gt5.0.4-x86_debian_5.0-installer$ make install
ln -s /usr/local/globus-5.0.4/etc/gpt/packages /usr/local/globus-5.0.4/etc/globus_packages
...
config.status: creating fork.pm
..Done

2.3. Setting up your second machine: Security

Now let's get security set up on the second machine. We're just going to add trust for the original SimpleCA to this new machine; there's no need to create a new one. All we need to do is copy the $GLOBUS_LOCATION/share/certificates directory from our first machine to our second:

globus@donkey:~$ export GLOBUS_LOCATION=/usr/local/globus-5.0.4
globus@donkey:~$ scp -r elephant:/sandbox/globus/globus-5.0.4/share/certificates $GLOBUS_LOCATION/share

We're going to create the host certificate for donkey, but we create it on elephant:

root@elephant:~# myproxy-admin-addservice -c "donkey.globus.org" -l donkey

Then as root on donkey:

root@donkey:~# export GLOBUS_LOCATION=/usr/local/globus-5.0.4
root@donkey:~# source $GLOBUS_LOCATION/etc/globus-user-env.sh
root@donkey:~# myproxy-retrieve -s elephant -k donkey.globus.org -l donkey
Enter MyProxy pass phrase:******
Credentials for quser have been stored in
/etc/grid-security/hostcert.pem and
/etc/grid-security/hostkey.pem.
root@donkey:/etc/grid-security# ls -l *.pem
-rw-------  1 root root 912 2008-06-19 13:45 hostcert.pem
-rw-------  1 root root 887 2008-06-19 13:45 hostkey.pem
root@donkey:/etc/grid-security# myproxy-destroy -s  elephant -k donkey.globus.org -l donkey
MyProxy credential 'donkey.globus.org' for user donkey was successfully removed.

There. Now donkey is set up with host certs, and it trusts the CA of my grid. The last step for root is to create a grid-mapfile for myself again:

root@donkey:/etc/grid-security# vim grid-mapfile
root@donkey:/etc/grid-security# cat grid-mapfile 
"/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User" quser

2.4. Setting up your second machine: GridFTP

GridFTP setup on the second machine is identical to the first. I'll just list the commands here; see Section 1.5, “Set up GridFTP” for the file contents, or just copy them from the first machine.

root@donkey:/etc/grid-security# vim /etc/xinetd.d/gridftp
root@donkey:/etc/grid-security# vim /etc/services 
root@donkey:/etc/grid-security# /etc/init.d/xinetd reload
Reloading internet superserver configuration: xinetd.

Now we can test it:

donkey % setenv GLOBUS_LOCATION /usr/local/globus-5.0.4
donkey % source $GLOBUS_LOCATION/etc/globus-user-env.csh
donkey % myproxy-logon -s elephant
Enter MyProxy pass phrase: ******
A credential has been received for user quser in /tmp/x509up_u1817.
donkey % globus-url-copy gsiftp://donkey.globus.org/etc/group \
   gsiftp://elephant.globus.org/tmp/from-donkey

That was a slightly fancier test than I ran on elephant. In this case, I did a third-party transfer between two GridFTP servers. It worked, so I have the local and remote security set up correctly.

If it did not work, perhaps you have a firewall between the two machines? GridFTP needs to communicate on data ports, not just port 2811. The error looks like:

error: globus_ftp_client: the server responded with an error
500 500-Command failed. : callback failed.
500-globus_xio: Unable to connect to 140.221.8.19:42777
500-globus_xio: System error in connect: No route to host
500-globus_xio: A system call failed: No route to host
500 End.

You can set up a range of ports to be open on the firewall and configure GridFTP to use them. See GridFTP Firewall HOWTO for details. That document also contains firewall information for the rest of the services too.

2.5. Setting up your second machine: GRAM5

Now we can submit a staging job. This job will copy the /bin/echo command from donkey to a file called /tmp/my_echo. Then it runs /bin/ls -alt against that file, and captures the stderr/stdout. Finally, it will clean up the my_echo file when execution is done.

donkey % vim a.rsl
donkey % cat a.rsl
&(rsl_substitution = (GRIDFTP_SERVER "gsiftp://donkey.globus.org:2811"))
 (executable=/bin/ls) (arguments=-alt /tmp/my_echo) 
 (file_stage_in = ($(GRIDFTP_SERVER)/bin/echo /tmp/my_echo)) 
 (file_clean_up=/tmp/my_echo)

donkey %  globusrun -f a.rsl -s -r elephant.globus.org:2119/jobmanager-fork
donkey % cat ~/stdout
-rw-r--r-- 1 quser quser 24228 Nov 21 07:16 /tmp/my_echo

donkey % ls /tmp/my_echo
ls: /tmp/my_echo: No such file or directory

This example staged in a file, had an executable act on that file, and cleaned up the file afterward.

You can get other examples of GRAM RSL files from GRAM usage scenarios.
