200 likes | 369 Views
AMGA Server Installation and configuration. Tony Calanducci INFN – Catania Third EELA Tutorial for Managers and Users Rio de Janeiro, 26-30 June 2006. Outline. How to install an AMGA Server AMGA Server Configuration Reference. Installation requirements.
E N D
AMGA Server Installation and configuration • Tony Calanducci • INFN – Catania • Third EELA Tutorial for Managers and Users • Rio de Janeiro, 26-30 June 2006
Outline • How to install an AMGA Server • AMGA Server Configuration • Reference
Installation requirements • Start from a fresh install of SLC 3.0.x • Verify that apt is installed and properly configured: • rpm -qa | grep apt • Install apt if necessary • Create a /etc/apt/source.list.d/egee-ca.list file with this line: • rpm http://grid018.ct.infn.it/rep glite_sl3-i386 security • Run apt-get update • Configure ntpd as illustrated in the SysAdmin Intro tutorial
Security pre-requisites • Install the RPMs of all the CA supported by EGEE: • apt-get install lcg-CA • If you plan to use certificates released by unsupported EGEE CA’s, be sure that their public key, signing policy and CRLs (usually distributed with an rpm) are installed in /etc/grid-security/certificates. • For the VO GILDA, the RPM is available at • https://gilda.ct.infn.it/RPMS/ca_GILDA-1.0-2.i386.rpm • Additionally install the RPMs of GILDA and EELA VOMS: • https://gilda.ct.infn.it/RPMS/edg-voms-vo-gilda-1.0-0.noarch.rpm • https://gilda.ct.infn.it/RPMS/lcg-voms-vo-eela_1.0-0_noarch.rpm
Security pre-requisites (II) • Download and install edg-utils-system RPM from: • http://grid018.ct.infn.it/rep/glite_sl3-i386/RPMS/edg-utils-system-1.8.2-1_sl3.noarch.rpm • Edit /etc/cron.d/edg-fetch-crl to look like: • PATH=/sbin:/bin:/usr/sbin:/usr/bin • 39 2,8,14,20 * * * root /opt/edg/etc/cron/edg-fetch-crl-cron >> /var/log/edg-fetch-crl-cron.log 2>&1 • Request a X509 host certificate for the AMGA Server you are going to install from a Certification Autority (CA). For example, to get host certificates from the GILDA CA, go to: • https://gilda.ct.infn.it/CA/mgt/restricted/srvreq.php • Install host certificates (hostcert.pem and hostkey.pem) in /etc/grid-security. • chmod 644 hostcert.pem • chmod 400 hostkey.pem
AMGA Server and Client RPMs • The following packages are necessary to use AMGA and must be installed first: unixODBC, libxml2 and Boost-lib. You can get the package via • apt-get install unixODBC • apt-get install libxml2 • apt-get install boost • Download and install the latest AMGA server and client from the AMGA download directory (http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/) • http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/glite-amga-server-1.2.3-1.SLC3.i386.rpm • http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/glite-amga-cli-1.2.3-1.SLC3.i386.rpm
DB and ODBC installation • You also need a database and the appropriate ODBC driver. AMGA currently supports 4 different database backends via ODBC drivers (PostgreSQL, MySQL, Oracle and SQLite). • Install postgreSQL that comes with SLC with: • apt-get install rh-postgresql-server rh-postgresql • Install a postgreSQL ODBC driver (at least version 08.01.0200) • Download it from: http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/amga-odbc.tar.gz • Just run the INSTALL.sh script after unpacking • NB: don’t use the postgresql-odbc package that comes with SLC. It’s too old and AMGA will not work with it
postgreSQL configuration • Initialize the DB configuration: • /etc/init.d/rhdb start • /etc/init.d/rhdb stop • Uncomment out the line and set the parameter to true in /var/lib/pgsql/data/postgresql.conf as follow: • tcpip_socket = true • This is needed to enable TCP/IP connections used by the ODBC driver • Add the following lines to /var/lib/pgsql/data/pg_hba.conf: • host metadata arda 127.0.0.1 255.255.255.255 trust • local metadata arda trust • (Used to authorize the arda db user to connect to the metadata db)
postgreSQL configuration (II) • Start again postgreSQL: • /etc/init.d/rhdb start • Create the DB user arda allowing him to create new DBs: • su postgres -c 'createuser -d -A arda' • Create the Unix user arda: • adduser arda • Let arda user create metadata DB: • su arda -c 'createdb metadata' • Allow stored procedures for metadata db: • su postgres –c ‘createlang -d metadata plpgsql’
ODBC driver configuration • The ODBC data source is created by appending the following lines to /etc/odbc.ini: • [PSQL] Description = AMGA metadata catalogue database Driver = PostgreSQL Trace = No TraceFil = /tmp/metadata/odbc.log Database = metadata Servername = localhost Port = 5432 ReadOnly = No • Double check the /etc/odbcinst.ini ensuring it contains the proper settings for the postgreSQL ODBC driver (it should have been configure by the INSTALL.sh during the installation)
ODBC Testing and metadata DB creation • To test if the ODBC was set up correctly you can use the generic unixODBC CLI tool: • isql PSQL metadata • Now you can initialize the database using the createInitialXXX.sql scripts (where XXX has to be replaced with the DB of choice which you will find in /opt/glite/share/doc/glite-amga-server-1.2.3/) • su arda psql metadata < /opt/glite/share/doc/glite-amga-server-1.2.3/createInitialPG.sql • If you want to use also ACL per entries you need also to create some store procedures with • psql metadata < /opt/glite/share/doc/glite-amga-server-1.2.3/proceduresPSQL.sql
AMGA initial configuration • /etc/mdserver.conf contains all the variables you need to set up and fine tune the AMGA server. By default it configures AMGA with no authentication checks. • Start the AMGA server with: • /etc/init.d/mdservice start • AMGA server demon should be listening on 8822 port: • lsof -i | grep 8822 • mdserver 13856 root 6u IPv4 27296 TCP *:8822 (LISTEN) • mdserver 13857 root 6u IPv4 27296 TCP *:8822 (LISTEN) • mdserver 13860 root 6u IPv4 27296 TCP *:8822 (LISTEN)
AMGA testing • Log in into a User Interface where the AMGA Client tools are installed. • You can check it with ‘rpm –qa | grep -i amga’ • Copy the amga client template config file from /etc/mdclient.config to your home as .mdclient.config • cp /etc/mdclient.config $HOME/.mdclient.config • Edit the Host variable filling it with the right hostname and ensure Login one equals to root • Connect to the AMGA server using the AMGA mdclient tool: • $mdclient • Connecting to amgarm3.trigrid.it:8822... • ARDA Metadata Server 1.2.3 • Query> whoami • >> root • Query>
Create a root user • Inside the Mdclient shell, create the root user (called also ‘role’ inside AMGA) with: • Query> user_create root • Bind the amga root role to the subject of the AMGA administrator (you in this case): • Query> user_subject_add root 'C = IT, O = GILDA, OU = Personal Certificate, L = INFN Catania, CN = Tony Calanducci, emailAddress = tony.calanducci@ct.infn.it‘ • You can get it by: • openssl x509 -in usercert.pem -subject -noout -nameopt oneline • You can also define an AMGA root passwd if you plan to enable also password authentication, with: • Query> user_password_change root ‘bondia’
Enabling Certificate Authentication • Edit /etd/mdserver.config in AMGA server and change the following variables: • UseSSL = 1 • RequireAuthentication = 1 • AllowCertificateAuthentication = 1 • CertFile = /etc/grid-security/hostcert.pem • KeyFile = /etc/grid-security/hostkey.pem • TrustedCertDir = /etc/grid-security/certificates • AllowGridProxyLogin = 1 • MyProxyHack = 1 • Enable the users from the VOs you want to give access to: • VirtualOrganizations = gilda(gilda), eela(eela) • VOGroupMap = gilda:/gilda(gilda:users), eela(eela:users) • Restart the AMGA server with • /etc/init.d/mdserver restart
Test the VOMS proxy authentication • Log in to the UI and edit the $HOME/.mdclient.config: • Login = NULL • UseSSL = require • AuthenticateWithCertificate = 1 • UseGridProxy = 1 • Initialize your proxy asking the membership to one of the enabled VO (gilda for example) • Start the mdclient tool. You should be authenticated as gilda user(role) belonging to gilda:users group • $ mdclient • Connecting to amgarm3.trigrid.it:8822... • ARDA Metadata Server 1.2.3 • Query> whoami • >> gilda • Query> grp_member • >> gilda:users
Set up a collection per each VO • Initialize the voms proxy with the user defined as root. • Change the previous $HOME/.mdclient.config to login as root • Start the Mdclient. You should be authenticated as root (by your subject): • $ mdclient • Connecting to amgarm3.trigrid.it:8822... • ARDA Metadata Server 1.2.3 • Query> whoami • >> root • Create a root collection for each VO you support. You can also create specific collection to support specific roles or applications. • createdir /gilda • createdir /eela
Set up collections for VOs (II) • Anyone will be allowed to read the new collections, but we want also grant write permissions to the VO users: • Query> acl_show /gilda • >> root rwx • >> system:anyuser rx • Query> acl_add /gilda gilda:users rwx • Query> acl_show gilda • >> root rwx • >> gilda:users rwx • >> system:anyuser rx • You could achieve the same results changing the ownership of the /gilda collection with • chown /gilda gilda • If you don’t allow others to read inside /gilda collection remove from the ACLs the system:anyuser group: • Query> acl_remove /gilda/ system:anyuser
References • AMGA project Homepage: • http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/ • AMGA Documentation: • http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/pages.html • AMGA User’s and Administrator’s manual: • http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/amga-manual_1_2_3.pdf • AMGA Installation Notes on GILDA Team Wiki: • https://grid.ct.infn.it/twiki/bin/view/GILDA/AMGA