WLCG VObox deployment documentation

Functional description

The WLCG VObox is a grid service that provides:

  • a grid UI
  • a GSI-OpenSSH (gsisshd) service
  • a proxy renewal and VO agent service

The VObox is typically dedicated to a single VO; only certain privileged users of that VO (e.g. software managers, "sgm" users) are given access through GSI-OpenSSH, while only the site admins have root access. The privileged users can register proxies to be regularly renewed by the proxy renewal service. The same service can also be used to start (stop) VO daemons automatically at boot (shutdown) time. The VO daemons can use grid UI functionalities as needed. The proxy renewal service relies on the VObox host DN being recognized as an authorized renewer by the MyProxy server that was specified when a particular proxy was registered (by default the server named by $MYPROXY_SERVER).

Installation instructions

We assume the host already has a basic OS setup compatible with CentOS/EL7 or EL9,
as well as a host certificate and key ready to be installed as /etc/grid-security/host{cert,key}.pem
(mind the key file needs to have mode 400 or 600).

CentOS 7 instructions

The grid UI should be taken from the EGI UMD 4:

  • UMD 4 - CentOS7
    yum install http://repository.egi.eu/sw/production/umd/4/centos7/x86_64/updates/umd-release-4.1.3-1.el7.centos.noarch.rpm

Install the WLCG repo rpm:

  • WLCG CentOS7
    yum install http://linuxsoft.cern.ch/wlcg/centos7/x86_64/wlcg-repo-1.0.0-1.el7.noarch.rpm

Install the WLCG VObox meta package:

  • yum install wlcg-vobox

If many dependencies cannot be resolved, ensure the EPEL repository is enabled.

The Certificate Authorities should get pulled in automatically via the grid UI.

If the host certificate and key were not yet installed as /etc/grid-security/host{cert,key}.pem,
please do that now (mind the key file needs to have mode 400 or 600).

Beware: CVMFS and/or HEP_OSlibs from the WLCG repository may also be required, e.g. for an ALICE VObox.

Next the VObox can be configured with YAIM:

  • example site-info.def
    #############################################################################
    GROUPS_CONF=/root/groups.conf
    USERS_CONF=/root/users.conf
    
    SITE_NAME=MY-SITE
    
    VOBOX_HOST=`hostname -f`
    WMS_HOST=required.but.unused
    PX_HOST=myproxy.cern.ch
    BDII_HOST=lcg-bdii.cern.ch
    
    SE_LIST=my-se.my-domain   # required, but unused on an ALICE VObox
    
    VOS="alice"
    
    VO_ALICE_SW_DIR=.   # a dot value means YAIM should skip it (CVMFS is used instead)
    VO_ALICE_DEFAULT_SE=my-se.my-domain   # required, but unused on an ALICE VObox
    VO_ALICE_VOMS_SERVERS="\
    'vomss://lcg-voms2.cern.ch:8443/voms/alice?/alice/' \
    'vomss://voms2.cern.ch:8443/voms/alice?/alice/' \
    "
    VO_ALICE_VOMSES="\
    'alice lcg-voms2.cern.ch 15000 \
    /DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch alice 24' \
    'alice voms2.cern.ch 15000 \
    /DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch alice 24' \
    "
    VO_ALICE_VOMS_CA_DN="\
    '/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
    '/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
    "
    #############################################################################

  • example groups.conf
    "/alice/ROLE=lcgadmin":::sgm:

  • example users.conf
    60101:sgmali01:1397,1395:alicesgm,alice:alice:sgm

  • example YAIM command
    /opt/glite/yaim/bin/yaim -c -s site-info.def -n VOBOX

Finally, ensure port 1975 is open for remote access to the GSI-OpenSSH service.

NOTE: gsissh may prompt for a password if the SELinux context of the host certificate or key is incorrect.
To fix that, run this command:

      chcon -v --type=etc_t /etc/grid-security/host*.pem

EL9 instructions

The grid UI will be taken from the EGI UMD 5 when it has become available.
For the time being, only a subset of the UI functionality gets pulled in.

Install the IGTF CA repo file:

(cd /etc/yum.repos.d/ && curl -O https://repository.egi.eu/sw/production/cas/1/current/repo-files/egi-trustanchors.repo)

Install the WLCG repo rpm:

  • WLCG EL9
    yum install http://linuxsoft.cern.ch/wlcg/el9/x86_64/wlcg-repo-1.0.0-1.el9.noarch.rpm

Install the WLCG VObox meta package:

  • yum install wlcg-vobox

If many dependencies cannot be resolved, ensure the EPEL repository is enabled.

The Certificate Authorities should get pulled in automatically.

If the host certificate and key were not yet installed as /etc/grid-security/host{cert,key}.pem,
please do that now (mind the key file needs to have mode 400 or 600).

Beware: CVMFS and/or HEP_OSlibs from the WLCG repository may also be required, e.g. for an ALICE VObox.

Next the VObox can be configured with a procedure reminiscent of YAIM as used on previous OS versions:

  • example site-info.def
    #############################################################################
    #
    # example site-info.def for configuring a WLCG VObox
    #
    #############################################################################
    
    GROUPS_CONF=/root/groups.conf
    USERS_CONF=/root/users.conf
    
    USER_HOME_PREFIX=/home
    
    CONFIG_USERS=yes
    OPEN_VOBOX_PORT=yes   # if set to "yes", it will try to use "firewall-cmd" for that
    
    PX_HOST=myproxy.cern.ch
    
    #
    # select the VO(s) to be supported;
    # syntax: VOS="vo1 [vo2 ...]" (lower case)
    #
    
    VOS="alice"
    
    VO_ALICE_VOMS_SERVERS="\
    'vomss://lcg-voms2.cern.ch:8443/voms/alice?/alice/' \
    'vomss://voms2.cern.ch:8443/voms/alice?/alice/' \
    "
    
    VO_ATLAS_VOMS_SERVERS="\
    'vomss://lcg-voms2.cern.ch:8443/voms/atlas?/atlas/' \
    'vomss://voms2.cern.ch:8443/voms/atlas?/atlas/' \
    "
    
    VO_CMS_VOMS_SERVERS="\
    'vomss://lcg-voms2.cern.ch:8443/voms/cms?/cms/' \
    'vomss://voms2.cern.ch:8443/voms/cms?/cms/' \
    "
    
    VO_LHCB_VOMS_SERVERS="\
    'vomss://lcg-voms2.cern.ch:8443/voms/lhcb?/lhcb/' \
    'vomss://voms2.cern.ch:8443/voms/lhcb?/lhcb/' \
    "
    
    #
    # example showing how to have local mappings added
    # for any VO that does not have a VOMS-Admin server
    # from which to construct grid-mapfile entries;
    # mind adding the (pseudo) VO to the set of VOs and
    # adjusting users.conf for the necessary accounts
    #
    
    VO_ANY_GRID_MAPFILE_LOCAL='
    "/C=abc/O=xyz/CN=Jane Doe" any001
    "/C=foo/O=bar/CN=John Doe" any002
    '
    #############################################################################

  • example groups.conf
    "/alice/ROLE=lcgadmin":::sgm:

  • example legacy users.conf
    60101:sgmali01:1397,1395:alicesgm,alice:alice:sgm

  • example simpler users.conf
    18941:alicesgm:1395:alice:alice:sgm

  • example YAIM command
    /opt/glite/yaim/bin/yaim -s site-info.def
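Before running the YAIM command it is worth catching malformed account definitions, such as a GID list that does not pair up with the group list, or a groups.conf role for which no account in users.conf carries the same VO and flag. The following POSIX shell script is an added example, not part of this page or of YAIM; it assumes the field layouts shown in the examples above (users.conf: UID:LOGIN:GIDS:GROUPS:VO:FLAG; groups.conf: "FQAN":GROUP:GID:FLAG:) and uses constructed sample lines copied from those examples:

```shell
#!/bin/sh
# Added example, not part of the VObox docs: check YAIM-style users.conf and
# groups.conf for consistency before running yaim. Field layout per the examples above:
#   users.conf : UID:LOGIN:GIDS:GROUPS:VO:FLAG  (GIDS/GROUPS: comma lists of equal length)
#   groups.conf: "FQAN":GROUP:GID:FLAG:         (GROUP and GID may be left empty)
set -f   # no globbing while lines are word-split on ':'
# Constructed sample input: the two documented accounts and the documented role.
USERS_SAMPLE='60101:sgmali01:1397,1395:alicesgm,alice:alice:sgm
18941:alicesgm:1395:alice:alice:sgm'
GROUPS_SAMPLE='"/alice/ROLE=lcgadmin":::sgm:'
# One users.conf line: returns 1 and explains on stderr when it is malformed.
check_user_line() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ $# -ge 5 ] || { echo "users.conf: fewer than 5 fields: $*" >&2; return 1; }
    case $1 in ''|*[!0-9]*) echo "users.conf: UID must be numeric: '$1'" >&2; return 1;; esac
    [ -n "$2" ] || { echo "users.conf: empty login for UID $1" >&2; return 1; }
    n_gid=$(printf '%s\n' "$3" | awk -F, '{print NF}')
    n_grp=$(printf '%s\n' "$4" | awk -F, '{print NF}')
    [ "$n_gid" -eq "$n_grp" ] || { echo "users.conf: $n_gid GIDs but $n_grp groups for $2" >&2; return 1; }
    case $5 in ''|*[!a-z0-9._-]*) echo "users.conf: VO must be lower case: '$5'" >&2; return 1;; esac
}
# One groups.conf line: the FQAN must be quoted and start with /vo, and some users.conf
# account must carry the same VO and FLAG, or YAIM has no local account to map the role to.
check_group_line() {
    users=$2
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    fqan=$1 flag=$4
    case $fqan in \"/*\") ;; *) echo "groups.conf: FQAN must look like \"/vo/...\": $fqan" >&2; return 1;; esac
    vo=${fqan#\"/}; vo=${vo%%/*}; vo=${vo%\"}
    printf '%s\n' "$users" | grep -q "^[0-9][0-9]*:[^:]*:[^:]*:[^:]*:$vo:$flag\$" ||
        { echo "groups.conf: no account with VO=$vo FLAG=$flag for $fqan" >&2; return 1; }
}
# Run $2 (plus extra args) on every non-comment line of text $1; returns the number of bad lines.
each_line() {
    text=$1; fn=$2; shift 2; bad=0
    while IFS= read -r l; do
        case $l in ''|'#'*) continue;; esac
        "$fn" "$l" "$@" || bad=$((bad + 1))
    done <<EOF
$text
EOF
    return $bad
}
# Both files as text; returns the total number of bad lines, 0 meaning consistent.
validate_conf() {
    each_line "$1" check_user_line; n=$?
    each_line "$2" check_group_line "$1"; m=$?
    return $((n + m))
}
validate_conf "$USERS_SAMPLE" "$GROUPS_SAMPLE" && echo "users.conf and groups.conf are consistent"
```

To check real files, pass their contents, e.g. validate_conf "$(cat /root/users.conf)" "$(cat /root/groups.conf)"; the exit status is the number of offending lines.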

NOTE:

  • The VOMS LSC and vomses files for a VO will not be configured by YAIM anymore.
    Instead, they can e.g. be installed through RPMs taken from the WLCG rpm repository as described here.

  • By default, the command will also open port 1975 for remote access to the GSI-OpenSSH service.
    It will try to use firewall-cmd for that purpose. Please set OPEN_VOBOX_PORT=no if you prefer
    to manipulate the firewall outside of YAIM, e.g. with iptables / ip6tables.

  • To allow gsissh from CentOS 7 clients to keep working, YAIM re-enables the SHA-1 cryptography algorithm.
    When CentOS 7 has been phased out, that setting will remain needed on VOboxes that need to deal
    with certificates whose root CA is still signed with that algorithm (in May 2024, there are still many).

  • gsissh may prompt for a password if the SELinux context of the host certificate or key is incorrect.
    To fix that, run this command:
          chcon -v --type=etc_t /etc/grid-security/host*.pem
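For both the CentOS 7 and the EL9 procedures above, the host-level details that are easiest to get wrong are the key file mode, the SELinux type of the host certificate and key, and the gsisshd port. The following pre-flight script is an added example, not part of this page; it assumes GNU coreutils stat, uses firewall-cmd or ss for the port check only when they are present, introduces a GRID_SEC override for testing against a staging copy, and uses the hypothetical file name vobox-preflight.sh:

```shell
#!/bin/sh
# Added pre-flight check for a freshly installed VObox, not part of the documentation:
# verifies the host-level details the instructions repeat, i.e. hostkey.pem mode (400 or 600),
# the SELinux type of the host cert/key (etc_t) and the gsisshd port (1975/tcp).
# Assumes GNU coreutils stat; firewall-cmd or ss are only used when present.
GRID_SEC=${GRID_SEC:-/etc/grid-security}   # point at a staging copy to test elsewhere
# octal mode of a file, e.g. 600
file_mode() { stat -c %a "$1"; }
# hostkey.pem must be readable by its owner only: 400 or 600
key_mode_ok() {
    case $(file_mode "$1" 2>/dev/null) in 400|600) return 0;; *) return 1;; esac
}
# the type (third field) of an SELinux context "user:role:type:level" must be etc_t;
# with another type gsisshd cannot read the files and falls back to password prompts
context_is_etc_t() {
    [ "$(printf '%s\n' "$1" | awk -F: '{print $3}')" = etc_t ]
}
# SELinux context of a file; stat prints "?" when the filesystem carries no labels
file_context_ok() {
    ctx=$(stat -c %C "$1")
    if [ "$ctx" = '?' ]; then echo "skip: no SELinux label on $1"; return 0; fi
    context_is_etc_t "$ctx"
}
# 1975/tcp must be open in firewalld (or gsisshd already listening when firewalld is absent)
vobox_port_ok() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --query-port=1975/tcp >/dev/null 2>&1
    else
        ss -ltn 2>/dev/null | grep -q ':1975 '
    fi
}
# run every check; exit status 0 means the host meets the documented prerequisites
run_preflight() {
    rc=0
    for f in hostcert.pem hostkey.pem; do
        [ -r "$GRID_SEC/$f" ] || { echo "FAIL: $GRID_SEC/$f missing or unreadable"; rc=1; continue; }
        file_context_ok "$GRID_SEC/$f" ||
            { echo "FAIL: $f is not etc_t; run: chcon -v --type=etc_t $GRID_SEC/host*.pem"; rc=1; }
    done
    key_mode_ok "$GRID_SEC/hostkey.pem" ||
        { echo "FAIL: hostkey.pem mode $(file_mode "$GRID_SEC/hostkey.pem" 2>/dev/null) is not 400 or 600"; rc=1; }
    vobox_port_ok || { echo "FAIL: port 1975/tcp is not open for gsisshd"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: VObox host prerequisites look fine"
    return $rc
}
[ "${1:-}" = check ] && run_preflight   # invoke as: sh vobox-preflight.sh check (hypothetical file name)
```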
Topic revision: r26 - 2024-05-09 - MaartenLitmaath