Please note that these documents are for an OBSOLETE version of the Globus Toolkit. For more information see 5.2 End of Life.

GT 5.2 Quickstart

Introduction

This is a quickstart that shows a full installation of the Toolkit on two Fedora machines. It shows the installation of prereqs, installation of the toolkit, creation of certificates, and configuration of services. It is designed to supplement the main admin guide, Installing GT 5.2.0.

Scenarios are shown for running GridFTP and GRAM services, and using GridFTP and GRAM clients.


1. Pre-requisites

The Globus Toolkit 5.2 consists of a set of RPMs or .debs for several Linux distributions and a source installer which can be used on platforms that do not use RPM or Debian packaging. In this quickstart, we will be installing from native RPM packages. Thus, it is a pre-requisite for following this quickstart that you are running a distribution for which we provide native binary packages.

We will show how to set up and use the Globus RPM repository. If your distribution has Globus 5.2.0 packages within its repository, you can skip to the next section.

The repo-config rpms for the various binary (RPM and deb) repositories can be found here.

To install from binary RPMs, get the appropriate repo-config rpm from the link above and install it with:

# rpm -i Globus-repo-config.<distro>.noarch.rpm

2. Setting up the first machine (GridFTP, GRAM, and MyProxy services)

2.1. Installing the Toolkit

Install packages:

# yum groupinstall globus-gridftp globus-gram5
# yum install globus-gridftp-server-progs globus-gass-copy-progs myproxy myproxy-server myproxy-admin globus-simple-ca globus-gss-assist-progs

2.2. Setting up security on your first machine

All of the work we're going to do now requires that we be authenticated and authorized. We use certificates for this purpose. The Distinguished Name (DN) of a certificate will serve as our authenticated identity. That identity will then be authorized.

We will need identities for both the services and users. For the services, we will use an identity that is equal to their hostname. For the users, we'll use their full name. To create the certificates, we're going to use the SimpleCA that is distributed with the toolkit. More in depth information about setting up SimpleCA can be found in the Installing SimpleCA Appendix.

Note

In many deployment scenarios, certificates for both services and users are obtained through one or more third party CAs. In such scenarios, it is unnecessary to use SimpleCA or MyProxy to issue certificates. Since this quickstart is intended to describe a simple, standalone deployment scenario, we describe how to use these tools to issue your own certificates.

root@elephant:~# wget http://globus.org/toolkit/docs/5.2/5.2.0/admin/quickstart/setup-simpleca

root@elephant:~# sh setup-simpleca -y
Setting up /sandbox/globus/globus-5.2.0/
Please enter a password of at least four characters for the CA: 
Confirm password:
Creating a new simpleCA, logging to gt-server-ca.log...
Running setup-gsi...
Your CA hash is: b906298a
It is located at /sandbox/globus/globus-5.2.0//share/certificates/b906298a.0
Your host DN is /O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/CN=host/elephant.globus.org
The hostcert is located at /sandbox/globus/globus-5.2.0//etc/hostcert.pem

Note

This will fail if /tmp is mounted noexec. If you get a failure, you might try setting GLOBUS_SH_TMP=`pwd` and trying again.

Here's what has happened. The files created by SimpleCA are all explained in the Security Admin Guide.

2.3. Creating a MyProxy server

We are going to create a MyProxy server on elephant, following the instructions at http://grid.ncsa.illinois.edu/myproxy/fromscratch.html#server. This will be used to store our user's certificates. Recall that so far we have made a host certificate, but we don't have any certificates for end users yet.

root@elephant:~# vim /etc/myproxy-server.config 

Uncomment every line in the section "Complete Sample Policy #1" such that it looks like this.

root@elephant:~# cp /etc/grid-security/myproxy/host*.pem /etc/grid-security/

Start the myproxy server:

root@elephant:~# service myproxy-server start
  

Check that it is listening:

root@elephant:~# netstat -an | grep 7512
tcp        0      0 0.0.0.0:7512            0.0.0.0:*               LISTEN     

Now that MyProxy is set up, we'll get a user certificate for our sample user. The root user will add a new credential into MyProxy. I have to specify a full name and a login name. I'll be using QuickStart User as the first and last name and quser as the UNIX account name for my user.

I must supply two different passwords. The first password is going to be the quser user's password, and must be at least 6 characters long. The second password must be my SimpleCA password from when I ran gt-server-ca.

root@elephant:~ # sudo -H -E -u myproxy myproxy-admin-adduser -c "QuickStart User" -l quser

The output looks like this.

Our last act will be to create a grid-mapfile as root for authorization. You can copy and paste the /O=Grid/OU=... subject name from the output above:

root@elephant:~ # grid-mapfile-add-entry -dn "/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User" -ln quser

Note

The globus user doesn't need a user certificate! It's a dummy account that we are using to manage the Globus Toolkit installation. Only real people need user certs.
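Because the grid-mapfile is the whole authorization policy in this setup, it is worth auditing after each change. The following is an added example, not part of the Globus documentation: it flags entries that map a DN to root, DNs outside the SimpleCA namespace, one DN mapped to different accounts, and lines not in the quoted form. Only the QuickStart User DN comes from this page; the other sample entries and the function name are constructed.

```shell
#!/bin/sh
# Added example, not part of the Globus documentation: audit a grid-mapfile.
# Expected line format, as written by grid-mapfile-add-entry:
#   "certificate subject DN" local_account[,local_account...]

audit_gridmap() {   # usage: audit_gridmap FILE TRUSTED_DN_PREFIX
    awk -v prefix="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    !/^[ \t]*"[^"]+"[ \t]+[^ \t]+[ \t]*$/ {       # DN must be quoted, one account field
        printf "MALFORMED line %d\n", NR; next
    }
    {
        dn = $0; sub(/^[ \t]*"/, "", dn); sub(/".*$/, "", dn)
        acct = $NF
        n = split(acct, a, ",")
        for (i = 1; i <= n; i++)                  # a grid identity acting as root
            if (a[i] == "root") printf "ROOT-MAPPING line %d: %s\n", NR, dn
        if (index(dn, prefix) != 1)               # subject not under the CA we issued from
            printf "OUTSIDE-CA line %d: %s\n", NR, dn
        if ((dn in seen) && seen[dn] != acct)     # same DN mapped two different ways
            printf "CONFLICT line %d: %s -> %s (earlier: %s)\n", NR, dn, acct, seen[dn]
        seen[dn] = acct
    }' "$1"
}

# Constructed sample input; only the first DN appears in this quickstart.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
"/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User" quser
"/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=Example Admin" root
"/O=Example/OU=Other CA/CN=Outside User" guest
"/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User" other
/O=Grid/OU=GlobusTest/CN=Unquoted Name quser
EOF
audit_gridmap "$sample" "/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/"
```

On a real host, point it at /etc/grid-security/grid-mapfile and pass the subject prefix of your own CA.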

2.4. Setting up GridFTP

Now that we have our host and user credentials in place, we can start a service. This setup comes from the GridFTP Admin Guide.

Start the GridFTP server:

root@elephant:/etc/grid-security# service globus-gridftp-server start
    

Check that it is listening:

root@elephant:/etc/grid-security# grep gsiftp /etc/services 
gsiftp          2811/tcp    #GSI FTP
gsiftp          2811/udp    #GSI FTP
root@elephant:/etc/grid-security# netstat -an | grep 2811
tcp        0      0 0.0.0.0:2811            0.0.0.0:*               LISTEN     
        

Now the GridFTP server is waiting for a request, so we'll run a client and transfer a file:

quser@elephant $ myproxy-logon -s elephant
Enter MyProxy pass phrase: ******
A credential has been received for user quser in /tmp/x509up_u1817.
quser@elephant $ globus-url-copy gsiftp://elephant.globus.org/etc/group file:///tmp/quser.test.copy
quser@elephant $ diff /tmp/quser.test.copy /etc/group
quser@elephant $ 

Okay, so the GridFTP server works. If you had trouble, check the security troubleshooting section in the Security Admin Guide. Now we can move on to setting up GRAM5 resource management.

2.5. Setting up GRAM5

Now that we have security and GridFTP set up, we can set up GRAM for resource management. There are several different Local Resource Managers (LRMs) that one could configure GRAM to use, but this guide will explain the simple case of setting up a "fork" jobmanager, without auditing. For details on all other configuration options, and for reference, you can see the GRAM5 Admin Guide.


root@elephant:/etc/grid-security# grep gsigatekeeper /etc/services 
gsigatekeeper   2119/tcp    # GSIGATEKEEPER
gsigatekeeper   2119/udp    # GSIGATEKEEPER
        

Start the GRAM gatekeeper:

root@elephant:/etc/grid-security# service globus-gatekeeper start
    

Check that it is listening:

root@elephant:/etc/grid-security# netstat -an | grep 2119
tcp        0      0 0.0.0.0:2119            0.0.0.0:*               LISTEN     

The gatekeeper is set up to run, and is ready to authorize job submissions and pass them on to the fork job manager. We can now run a couple of test jobs:

quser@elephant $ myproxy-logon -s elephant
Enter MyProxy pass phrase: ******
A credential has been received for user quser in /tmp/x509up_u1817.
quser@elephant $ globusrun -o -r elephant.globus.org:2119/jobmanager-fork '&(executable="/bin/hostname" )'
elephant
quser@elephant $ globusrun -s -r elephant.globus.org:2119/jobmanager-fork '&(executable=/usr/bin/whoami)'
quser

Success! If you had trouble, check the security troubleshooting section in the Security Admin Guide. To learn more about using GRAM 5, take a look at the GRAM User's Guide.

3. Setting up your second machine

Alas, it's not much of a grid with just one machine. So let's start up on another machine and add it to this little test grid.

3.1. Setting up your second machine: Prereqs

See Prereqs.

3.2. Setting up your second machine: Installation

Now we can install from binaries:

Install packages:

# yum groupinstall globus-gridftp
# yum install globus-gridftp-server-progs globus-gass-copy-progs myproxy globus-simple-ca globus-gss-assist-progs

3.3. Setting up your second machine: Security

Now let's get security set up on the second machine. We're going to just add trust for the original simpleCA to this new machine; there's no need to create a new one. All we need to do is copy the $GLOBUS_LOCATION/share/certificates from our first machine to our second:

globus@donkey:~$ scp -r elephant:/etc/grid-security/certificates /etc/grid-security/certificates

We're going to create the host certificate for donkey, but we create it on elephant:

root@elephant:~# myproxy-admin-addservice -c "donkey.globus.org" -l donkey

Then as root on donkey:

root@donkey:~# myproxy-retrieve -s elephant -k donkey.globus.org -l donkey
Enter MyProxy pass phrase:******
Credentials for quser have been stored in
/etc/grid-security/hostcert.pem and
/etc/grid-security/hostkey.pem.
root@donkey:/etc/grid-security# ls -l *.pem
-rw-------  1 root root 912 2008-06-19 13:45 hostcert.pem
-rw-------  1 root root 887 2008-06-19 13:45 hostkey.pem
root@donkey:/etc/grid-security# myproxy-destroy -s  elephant -k donkey.globus.org -l donkey
MyProxy credential 'donkey.globus.org' for user donkey was successfully removed.

There. Now donkey is set up with host certs, and it trusts the CA of my grid. The last step for root is to create a grid-mapfile for myself again:

root@donkey:~ # grid-mapfile-add-entry -dn "/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.globus.org/OU=globus.org/CN=QuickStart User" -ln quser

3.4. Setting up your second machine: GridFTP

GridFTP setup on the second machine is identical to the first. I'll just list the commands here; see Section 2.4, “Setting up GridFTP” for additional information.

root@donkey:/etc/grid-security# service globus-gridftp-server start

Now we can test it:


donkey % myproxy-logon -s elephant
Enter MyProxy pass phrase: ******
A credential has been received for user quser in /tmp/x509up_u1817.
donkey % globus-url-copy gsiftp://donkey.globus.org/etc/group \
   gsiftp://elephant.globus.org/tmp/from-donkey

That was a slightly fancier test than I ran on elephant. In this case, I did a third-party transfer between two GridFTP servers. It worked, so I have the local and remote security set up correctly.

If it did not work, perhaps you have a firewall between the two machines? GridFTP needs to communicate on data ports, not just port 2811. The error looks like:

error: globus_ftp_client: the server responded with an error
500 500-Command failed. : callback failed.
500-globus_xio: Unable to connect to 140.221.8.19:42777
500-globus_xio: System error in connect: No route to host
500-globus_xio: A system call failed: No route to host
500 End.

You can set up a range of ports to be open on the firewall and configure GridFTP to use them. See the GridFTP admin firewall doc.
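When triaging this failure, it helps to know whether the unreachable data port lies inside the range you intended to open. The following is an added example, not part of the Globus documentation: it reads the client error output and classifies each "Unable to connect" endpoint against a range given as "min,max", the form the GLOBUS_TCP_PORT_RANGE environment variable takes. The range 50000,51000, the function names and the last sample line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Globus documentation: classify the
# "Unable to connect" lines of a failed transfer against a data-port range.
# RANGE is "min,max", the form GLOBUS_TCP_PORT_RANGE takes; 50000,51000 is assumed.

classify_data_ports() {   # usage: classify_data_ports MIN,MAX < client_error_output
    awk -v range="$1" '
    BEGIN { split(range, r, ","); lo = r[1] + 0; hi = r[2] + 0 }
    /globus_xio: Unable to connect to / {
        endpoint = $NF                                # host:port
        n = split(endpoint, part, ":"); port = part[n] + 0
        if (port < lo || port > hi)
            verdict = "OUT-OF-RANGE: listening server is not confined to the range"
        else
            verdict = "IN-RANGE: check that the firewall passes the range to that host"
        printf "%s %s\n", endpoint, verdict
    }'
}

# First three lines are from the error shown above; the last line is constructed.
transfer_errors() {
    cat <<'EOF'
500-globus_xio: Unable to connect to 140.221.8.19:42777
500-globus_xio: System error in connect: No route to host
500-globus_xio: A system call failed: No route to host
500-globus_xio: Unable to connect to 192.0.2.10:50123
EOF
}

transfer_errors | classify_data_ports 50000,51000
```

An out-of-range result means the server that opened the data port has no port range configured, so opening the firewall range alone will not help.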

3.5. Setting up your second machine: GRAM5

Now we can submit a staging job. This job will copy the /bin/echo command from donkey to a file called /tmp/my_echo. Then it runs it with some arguments, and captures the stderr/stdout. Finally, it will clean up the my_echo file when execution is done.

donkey % wget http://globus.org/toolkit/docs/5.2/5.2.0/admin/quickstart/a.rsl

donkey %  globusrun -f a.rsl -s -r elephant.globus.org:2119/jobmanager-fork
donkey % cat ~/stdout
-rw-r--r-- 1 quser quser 24228 Nov 21 07:16 /tmp/my_echo

donkey % ls /tmp/my_echo
ls: /tmp/my_echo: No such file or directory

This example staged in a file, had an executable act on that file, and cleaned up the file afterward.

You can get other examples of GRAM RSL files from GRAM usage scenarios.
