FCR Manual Installation

Installation involves a few components that must be installed and configured:

  • database
  • httpd
  • FCR Portal software
  • cron jobs

Dependencies

FCR depends on several Perl modules. These are available in the CERN SAM apt/yum repository.

    perl-DBI
    perl-DBD-Oracle
    perl-AppConfig
    mod_perl
    perl-Apache-Session
    perl-Apache-DBI
    perl-IPC-Shareable
    perl-Log-Dispatch
    perl-Log-Log4perl

    oracle-instantclient-basic
    oracle-instantclient-tnsnames.ora
    oracle-instantclient-sqlplus
    oracle-instantclient-devel

The configuration we're using on the production servers at CERN right now is the following:

    perl-DBI-1.40-8
    perl-DBD-Oracle-1.16-4.el4
    perl-AppConfig-caf-1.4.12-1
    mod_perl-1.99_16-4.5
    perl-Apache-Session-1.80-1.2.el4.rf
    perl-Apache-DBI-0.94-4
    perl-IPC-Shareable-0.6-1
    perl-Log-Dispatch-2.11-1
    perl-Log-Log4perl-1.06-1

    oracle-instantclient-basic-10.2.0.3-2.slc4
    oracle-instantclient-tnsnames.ora-10.2.0.1-1.cern
    oracle-instantclient-sqlplus-10.2.0.3-2.slc4
    oracle-instantclient-devel-10.2.0.3-2.slc4

  • Warning:
    • Not all oracle-instantclient versions are compatible with the Perl DB modules :-/ The versions we are running right now seem to be compatible, but this is not always the case...
    • Also, we've observed that oracle-instantclient doesn't take into account tnsnames.ora files other than the one at /etc, even if theoretically such a configuration would be supported.

Database

FCR shares its database with SAM. Preferably, FCR should have a database service separate from SAM's. Both applications use Oracle databases. Some of the FCR tables currently reside in the SAM DB so that the BDII2Oracle tool can easily update them.

The FCR software includes scripts that create the necessary tables and synonyms for the case where the SAM database is separate from FCR's. There are also scripts that grant sufficient privileges on the tables/synonyms.

In the CERN production instance we have 3 DB accounts to use:

  • admin account (LCG_FCR): to perform admin operations on the DB (creating, dropping tables, etc.)
  • read-write account (LCG_FCR_PORTAL_VO): for the FCR Admin portal, to enable operations performed by VO responsibles (modifications to the Critical Test list, black-whitelisting, etc.)
  • read account (LCG_FCR_PORTAL_USER): for the FCR User portal to query current status of services

The FCR DB scripts assume that the same usernames are set up in the DB where you want to install FCR.

The DB scripts are available in the /db directory under $FCR_HOME. See FCR Production Services to understand more about the purpose of these tables, triggers and synonyms. (In the lists below, the numbers indicate the order in which the scripts should be executed, one after the other.)

Scripts to be executed by the SAM DB user

  • 1. create-sam-priv.sql: privileges for FCR users for FCR-related tables in the SAM namespace
  • 6. create-sam-syn.sql: synonyms for FCR tables that should be modified by trigger in SAM DB
  • 7. create-sam-triggers.sql: triggers for the SAM tables

Scripts to be executed by the FCR DB user

  • 2. create-fcr-root-syn.sql: synonyms for the FCR DB root user
  • 3. create-fcr-tables.sql: FCR-specific tables (see FCR Production Service to understand more about the purpose of these tables)
  • 4. create-fcr--priv.sql: privileges on FCR-portal-specific tables (storing user settings, etc.) for the FCR portal DB users
  • 5. create-fcr-triggers.sql: triggers for the SAM tables

Scripts to be executed by the FCR portal users

  • 8. create-fcr-user-syn.sql: synonyms for the FCR portal users

httpd

FCR Production Services describes the httpd web server layout required to run an FCR server.

At least 2 virtual hosts have to be configured, for HTTPS and HTTP access. So a file like /etc/httpd/conf.d/fcr.conf should contain at least the following:

# Application fcr
NameVirtualHost *:8083
NameVirtualHost *:8443
NameVirtualHost <hostname>:80
Listen 0.0.0.0:8083

LoadModule perl_module modules/mod_perl.so

<VirtualHost *:8443>

    ServerName lcg-fcr.cern.ch

    Alias /fcr /opt/lcg/FCR/cgi
    Alias /fcr-styles /opt/lcg/FCR/styles
    Alias /fcr-data      /opt/lcg/FCR/bdii-data

    DocumentRoot /var/www/html

    ErrorLog logs/ssl_error_log
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    TransferLog logs/ssl_access_log

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    # Module perl

    PerlModule ModPerl::Registry
    PerlPassEnv TLS_ADMIN
    PerlPassEnv ORACLE_HOME
    PerlOptions +Parent
    PerlSwitches -Mlib=/opt/lcg/FCR/lib/perl
    PerlWarn On

    # Module ssl

    SSLCertificateKeyFile /etc/grid-security/hostkey.pem
    SSLCACertificatePath /etc/grid-security/certificates
    SSLCertificateFile /etc/grid-security/hostcert.pem
    SSLCARevocationPath /etc/grid-security/certificates

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 10


    <Directory "/var/www/cgi-bin">
        # Module ssl
        SSLOptions +StdEnvVars
    </Directory>

    <Location /fcr>
        SetHandler perl-script

        Options +ExecCGI

        # Module perl
        PerlHandler ModPerl::Registry

        # Module ssl
        SSLRequireSSL 
    </Location>

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        # Module ssl
        SSLOptions +StdEnvVars
    </Files>

</VirtualHost>


<VirtualHost *:8083 <hostname>:80>

    ServerName lcg-fcr.cern.ch
    Alias /fcr-data         /opt/lcg/FCR/bdii-data
    DocumentRoot /var/www/html

</VirtualHost>

To help with httpd configuration, a template file is available at /opt/lcg/FCR/conf/fcr-httpd.conf.template.
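The SSLCipherSuite string in the HTTPS virtual host above reorders the weak cipher classes with `+` rather than excluding them with `!`, so they stay enabled. The script below is an added example, not part of FCR or of the original page, that audits such a string statically; the WEAK_CLASSES list and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not FCR code): static audit of an SSLCipherSuite string.
# OpenSSL cipher-list rules used here: a bare token adds ciphers, "!X" removes
# them for good, "-X" removes them until re-added, and "+X" only moves ciphers
# already in the list to the end. So "+LOW" after "ALL" keeps LOW enabled.
# Heuristic only: what is really offered depends on the OpenSSL build.

WEAK_CLASSES="LOW EXP SSLv2 RC4"   # classes flagged by this example

# cipher_string: print the value of the first SSLCipherSuite directive on stdin.
cipher_string() {
    awk '$1 == "SSLCipherSuite" { print $2; exit }'
}

# weak_enabled <cipher-string>: print the weak classes the string leaves enabled.
weak_enabled() {
    tokens=$(printf '%s\n' "$1" | tr ':' ' ')
    found=""
    for class in $WEAK_CLASSES; do
        state=off
        for tok in $tokens; do
            case $tok in
                "!$class") state=killed; break ;;   # permanent removal wins
                "-$class") state=off ;;
                +*) ;;                              # reorder only, adds nothing
                ALL|"$class"|"$class"+*|*+"$class") state=on ;;
            esac
        done
        if [ "$state" = on ]; then found="$found $class"; fi
    done
    printf '%s\n' "${found# }"
}

# Constructed sample: three directives copied from the page's virtual host.
sample='    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLVerifyClient require'

page_spec=$(printf '%s\n' "$sample" | cipher_string)
echo "page string leaves enabled: $(weak_enabled "$page_spec")"
echo "with exclusions instead:    $(weak_enabled 'ALL:!ADH:!LOW:!EXP:!SSLv2:!RC4:+HIGH:+MEDIUM')"
```

On the server itself, `openssl ciphers -v '<string>'` lists what the installed OpenSSL actually expands the string to.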

FCR Portal configuration

The portals have a configuration file in /opt/lcg/FCR/conf/fcr.conf. This is the place to define the DB connection parameters using variables:

  • dbname: FCR DB (service) name
  • dbuser: FCR Admin Portal database user (LCG_FCR_PORTAL_VO)
  • dbpw: FCR Admin Portal database user password
  • dbuseruser: FCR User Portal database user (LCG_FCR_PORTAL_USER)
  • dbuserpw: FCR User Portal database user password
  • oracle_home: $ORACLE_HOME
  • tns_admin: location of tnsnames.ora

oracle_home and tns_admin do not necessarily need to be configured when using Oracle instantclient.

The following variables should be used in order to define the nature of the portal:

  • sitestatus=["Certified"]
  • sitetype=["Production"]

Values should be specified in the following format (python list): ["value1", "value2", "value3"]

The rest of the variables normally don't need to be modified.
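Because fcr.conf stores both portal passwords and decides which DB account each portal uses, it is worth checking before httpd is started. The script below is an added example, not part of FCR; it assumes one `key=value` per line (as in `sitestatus=["Certified"]` above), and the function names and the world-readable check are this example's own.

```shell
#!/bin/sh
# Added example (not FCR code): pre-flight check of an fcr.conf-style file.
# Assumption: one "key=value" per line, as in the page's sitestatus=["Certified"].

# conf_get <file> <key>: print the value of the first "key=value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# is_list <value>: succeed if the value has the form ["value1", "value2"].
is_list() {
    printf '%s\n' "$1" | grep -Eq '^\[ *"[^"]*"( *, *"[^"]*")* *\]$'
}

# check_fcr_conf <file>: print one finding per line; no output means clean.
check_fcr_conf() {
    if [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo "world-readable, but it stores dbpw and dbuserpw"
    fi
    rw=$(conf_get "$1" dbuser)
    ro=$(conf_get "$1" dbuseruser)
    if [ -z "$rw" ] || [ -z "$ro" ]; then
        echo "dbuser or dbuseruser is not set"
    elif [ "$rw" = "$ro" ]; then
        echo "User portal uses the read-write account $rw"
    fi
    for key in sitestatus sitetype; do
        is_list "$(conf_get "$1" "$key")" || echo "$key is not a list"
    done
}

# Constructed sample with three mistakes: shared account, bare sitetype,
# world-readable mode. Passwords and dbname are placeholders.
demo=$(mktemp)
cat > "$demo" <<'EOF'
dbname=fcrdb.example
dbuser=LCG_FCR_PORTAL_VO
dbpw=PLACEHOLDER
dbuseruser=LCG_FCR_PORTAL_VO
dbuserpw=PLACEHOLDER
sitestatus=["Certified"]
sitetype=Production
EOF
chmod 644 "$demo"
check_fcr_conf "$demo"
rm -f "$demo"
```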

Cron jobs

In order to have the "blacklisting" LDIF file generated regularly, cron jobs need to be set up. The script that contacts the DB to collect information about what should go into the "blacklist" is /opt/lcg/FCR/bin/gen-exclude-ldif.pl. To ease the usage of this script, a wrapper script is provided, which should be used in a cron job, something like this:

0,10,20,30,40,50 * * * * root  /opt/lcg/FCR/cron/cron-gen-exclude-ldif.sh >> /opt/lcg/FCR/log/gen-exclude-ldif.log 2>&1

A template for the file to be copied to /etc/cron.d is available at /opt/lcg/FCR/cron/fcr-exclude-ldif_template.

-- JuditNovak - 25 Sep 2007

Topic revision: r8 - 2007-10-03 - JuditNovak