Setting up the first machine

1. Pre-requisites

I will be installing all of the toolkit from source, so I'm going to double-check my system for pre-requisites. The full list of prereqs is available at Software Prerequisites in the GT 4.1.3 Admin Guide.

First I'll check for zlib development libraries for GSI-OpenSSH:

choate % dpkg --list | grep zlib
ii  zlib-bin       1.2.2-4.sarge. compression library - sample programs
ii  zlib1g         1.2.2-4.sarge. compression library - runtime
ii  zlib1g-dev     1.2.2-4.sarge. compression library - development

I have zlib1g-dev installed, so I will be okay for building GSI-OpenSSH.

Note

The package names may vary for non-Debian systems. The RPM name we would look for is zlib-devel.

Next, I'll install Java from Sun. It's called the "J2SE SDK" on their website.

root@choate:/usr/java# ./j2sdk-1_4_2_10-linux-i586.bin 
                Sun Microsystems, Inc.
             Binary Code License Agreement
                     for the
JAVATM 2 SOFTWARE DEVELOPMENT KIT (J2SDK), STANDARD EDITION,
...
Creating j2sdk1.4.2_10/jre/lib/plugin.jar
Creating j2sdk1.4.2_10/jre/javaws/javaws.jar
Done.

Next, we install ant:

root@choate:/usr/local# tar xzf apache-ant-1.6.5-bin.tar.gz 
root@choate:/usr/local# ls apache-ant-1.6.5
bin   INSTALL  LICENSE      LICENSE.xerces  TODO
docs  KEYS     LICENSE.dom  NOTICE          welcome.html
etc   lib      LICENSE.sax  README          WHATSNEW

Note

This was fine on my Debian box, because it doesn't come with ant pre-installed. Most RedHat and Fedora Core boxes already ship with ant, but it is configured to use gcj. We don't want to use gcj! To fix this, look for an /etc/ant.conf file. If you have one, rename it to /etc/ant.conf.orig for the duration of this quickstart.

My system already has C/C++ compilers:

choate % gcc --version
gcc (GCC) 3.3.5 (Debian 1:3.3.5-13)
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

choate % g++ --version
g++ (GCC) 3.3.5 (Debian 1:3.3.5-13)
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

GNU versions of tar/make/sed:

choate % tar --version
tar (GNU tar) 1.14
Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with NO WARRANTY, to the extent permitted by law.
You may redistribute it under the terms of the GNU General Public License;
see the file named COPYING for details.
Written by John Gilmore and Jay Fenlason.

choate % sed --version
GNU sed version 4.1.2
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE,
to the extent permitted by law.

choate % make --version
GNU Make 3.80
Copyright (C) 2002  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

I have sudo for GRAM:

choate % sudo -V
Sudo version 1.6.8p7

Let's check for postgres:

choate % dpkg --list | grep postgres
ii  postgresql-cli 7.4.7-6sarge1  front-end programs for PostgreSQL
choate % dpkg --list | grep psql
choate % 

I don't have the server installed, so I'll install it:

root@choate:/usr/local# apt-get install postgresql
Reading Package Lists... Done
Building Dependency Tree... Done
Suggested packages:
  libpg-perl libpgjava libpgtcl postgresql-doc postgresql-dev
  postgresql-contrib pidentd ident-server pgdocs pgaccess
The following NEW packages will be installed:
  postgresql
...
Success. The database server should be started automatically.
If not, you can start the database server using:

    /etc/init.d/postgresql start

I will have to edit the configuration files later for RFT, but having it installed is enough for now.

For the sake of completeness, I will also install IODBC, which is an optional prereq for RLS:

root@choate:/root# apt-get install libiodbc2 libiodbc2-dev
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
  libiodbc2 libiodbc2-dev
...
Setting up libiodbc2 (3.52.2-3) ...

Setting up libiodbc2-dev (3.52.2-3) ...
root@choate:/root# 

2. Building the Toolkit

That completes the list of build prereqs, so now I will download the installer and build it. The long version of these instructions is at Installing GT 4.1.3.

root@cognito:~# adduser globus
Adding user `globus'...
Adding new group `globus' (1023).
Adding new user `globus' (1023) with group `globus'.
Creating home directory `/home/globus'.
Copying files from `/etc/skel'
Enter new UNIX password:********
Retype new UNIX password:********
passwd: password updated successfully
Changing the user information for globus
Enter the new value, or press ENTER for the default
Full Name []: Globus
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [y/N] y
root@choate:/etc/init.d# mkdir /usr/local/globus-4.1.3/
root@choate:/etc/init.d# chown globus:globus /usr/local/globus-4.1.3/

Now, as the newly created globus user:

globus@choate:~$ tar xzf gt4.1.3-all-source-installer.tar.gz
globus@choate:~$ cd gt4.1.3-all-source-installer
globus@choate:~/gt4.1.3-all-source-installer$ ./configure --prefix=/usr/local/globus-4.1.3/ \
    --with-iodbc=/usr/lib
checking build system type... i686-pc-linux-gnu
checking for javac... no
configure: WARNING: A Java compiler is needed for some parts of the toolkit
configure: WARNING: This message can be ignored if you are only building the C parts of the toolkit
checking for ant... no
configure: WARNING: ant is needed for some parts of the toolkit
configure: WARNING: If you know you will not need one
configure: creating ./config.status
config.status: creating Makefile

Whoops! I forgot to set my JAVA_HOME and ANT_HOME.

Let's set up my Java environment and try again:

globus@choate:~/gt4.1.3-all-source-installer$ export ANT_HOME=/usr/local/apache-ant-1.6.5
globus@choate:~/gt4.1.3-all-source-installer$ export JAVA_HOME=/usr/java/j2sdk1.4.2_10/
globus@choate:~/gt4.1.3-all-source-installer$ export PATH=$ANT_HOME/bin:$JAVA_HOME/bin:$PATH
globus@choate:~/gt4.1.3-all-source-installer$ ./configure --prefix=/usr/local/globus-4.1.3/ \
   --with-iodbc=/usr/lib
checking build system type... i686-pc-linux-gnu
checking for javac... /usr/java/j2sdk1.4.2_10//bin/javac
checking for ant... /usr/local/apache-ant-1.6.5/bin/ant
configure: creating ./config.status
config.status: creating Makefile

Much better!

Note

The machine I am installing on doesn't have access to a scheduler. If it did, I would have specified one of the wsgram scheduler options, like --enable-wsgram-condor, --enable-wsgram-lsf, or --enable-wsgram-pbs.

Note

Note that I really could have used the binary installer for this example, since Debian ia32 binaries are available. To make the quickstart more general, I decided to use source instead.

Now it's time to build the toolkit:

globus@choate:~/gt4.1.3-all-source-installer$ make | tee installer.log
cd gpt-3.2autotools2004 && OBJECT_MODE=32 ./build_gpt
build_gpt ====> installing GPT into /usr/local/globus-4.1.3/
...
Time for a coffee break here, the build will take over an hour, possibly
longer depending on how fast your machine is
...
echo "Your build completed successfully.  Please run make install."
Your build completed successfully.  Please run make install.

globus@choate:~/gt4.1.3-all-source-installer$ make install
/usr/local/globus-4.1.3//sbin/gpt-postinstall
...
..Done

globus@choate:~/gt4.1.3-all-source-installer$ 

3. Setting up security on your first machine

Now that the toolkit is installed, we're going to want hostcerts for the machine, and a usercert for me. To do that, we're going to use the SimpleCA that is distributed with the toolkit. Here's how we set it up, based on the instructions at SimpleCA Admin:

globus@choate:~$ export GLOBUS_LOCATION=/usr/local/globus-4.1.3
globus@choate:~$ source $GLOBUS_LOCATION/etc/globus-user-env.sh
globus@choate:~$ $GLOBUS_LOCATION/setup/globus/setup-simple-ca
WARNING: GPT_LOCATION not set, assuming:
         GPT_LOCATION=/usr/local/globus-4.1.3

 

    C e r t i f i c a t e    A u t h o r i t y    S e t u p

This script will setup a Certificate Authority for signing Globus
users certificates.  It will also generate a simple CA package
that can be distributed to the users of the CA.

The CA information about the certificates it distributes will
be kept in:

/home/globus/.globus/simpleCA/
/usr/local/globus-4.1.3/setup/globus/setup-simple-ca: line 250: 
test: res: integer expression expected

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-choate.mcs.anl.gov, ou=GlobusTest, o=Grid

Do you want to keep this as the CA subject (y/n) [y]:
y
Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA): bacon@choate
The CA certificate has an expiration date. Keep in mind that 
once the CA certificate has expired, all the certificates 
signed by that CA become invalid.  A CA should regenerate 
the CA certificate and start re-issuing ca-setup packages 
before the actual CA certificate expires.  This can be done 
by re-running this setup script.  Enter the number of DAYS 
the CA certificate should last before it expires.
[default: 5 years (1825 days)]:RETURN


Enter PEM pass phrase:******
Verifying - Enter PEM pass phrase:******
/bin/sed: can't read /tmp//globus_tmp_ca_setup//pkgdata/pkg_data_src.gpt.tmpl:
No such file or directory

creating CA config package...
A self-signed certificate has been generated 
for the Certificate Authority with the subject: 

/O=Grid/OU=GlobusTest/OU=simpleCA-choate.mcs.anl.gov/CN=Globus Simple CA

If this is invalid, rerun this script 

/usr/local/globus-4.1.3/setup/globus/setup-simple-ca

and enter the appropriate fields.

-------------------------------------------------------------------

The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem

The distribution package built for this CA is stored in

/home/globus/.globus/simpleCA//globus_simple_ca_ebb88ce5_setup-0.18.tar.gz

This file must be distributed to any host wishing to request
certificates from this CA.

CA setup complete.

The following commands will now be run to setup the security
configuration files for this CA:

$GLOBUS_LOCATION/sbin/gpt-build \
 /home/globus/.globus/simpleCA//globus_simple_ca_ebb88ce5_setup-0.18.tar.gz

$GLOBUS_LOCATION/sbin/gpt-postinstall
-------------------------------------------------------------------
setup-ssl-utils: Configuring ssl-utils package
Running setup-ssl-utils-sh-scripts...

***************************************************************************

Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:

/usr/local/globus-4.1.3/setup/globus_simple_ca_ebb88ce5_setup/setup-gsi

For further information on using the setup-gsi script, use the -help
option.  The -default option sets this security configuration to be 
the default, and -nonroot can be used on systems where root access is 
not available.

***************************************************************************

setup-ssl-utils: Complete

globus@choate:~$ 

That's quite a lot of output. Here's what has happened:

globus@choate:~$ ls ~/.globus/
simpleCA
globus@choate:~$ ls ~/.globus/simpleCA/
cacert.pem  globus_simple_ca_ebb88ce5_setup-0.18.tar.gz  newcerts
certs       grid-ca-ssl.conf                             private
crl         index.txt                                    serial

That's the directory where my simpleCA has been created. Now I need to make my machine trust that new CA, which I do by running the following command as root:

root@choate:~# export GLOBUS_LOCATION=/usr/local/globus-4.1.3
root@choate:~# $GLOBUS_LOCATION/setup/globus_simple_ca_ebb88ce5_setup/setup-gsi -default
setup-gsi: Configuring GSI security
Making /etc/grid-security...
mkdir /etc/grid-security
Making trusted certs directory: /etc/grid-security/certificates/
mkdir /etc/grid-security/certificates/
Installing /etc/grid-security/certificates//grid-security.conf.ebb88ce5...
Running grid-security-config...
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete
root@choate:~# ls /etc/grid-security/
certificates  globus-host-ssl.conf  globus-user-ssl.conf  grid-security.conf
root@choate:~# ls /etc/grid-security/certificates/
ebb88ce5.0                     globus-user-ssl.conf.ebb88ce5
ebb88ce5.signing_policy        grid-security.conf.ebb88ce5
globus-host-ssl.conf.ebb88ce5

Those are the configuration files that establish trust for the simpleCA for my Globus Toolkit installation. Notice that the hash value ebb88ce5 matches the hash value of my SimpleCA. These files are all explained in the Security Admin Guide.

Now that we've created a CA and trust it, we'll get a hostcert for the machine:

root@choate:~# source $GLOBUS_LOCATION/etc/globus-user-env.sh
root@choate:~# grid-cert-request -host `hostname`
Generating a 1024 bit RSA private key
..++++++
...................................................++++++
writing new private key to '/etc/grid-security/hostkey.pem'
...
Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at bacon@choate

We need to sign the certificate using our simpleCA, as globus:

globus@choate:~$ grid-ca-sign -in /etc/grid-security/hostcert_request.pem -out hostsigned.pem
To sign the request
please enter the password for the CA key:******

The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem

Our last step is to copy that signed certificate into /etc:

root@choate:~# cp ~globus/hostsigned.pem /etc/grid-security/hostcert.pem 

We'll make copies of these that are owned by globus:

root@choate:/etc/grid-security# cp hostcert.pem containercert.pem
root@choate:/etc/grid-security# cp hostkey.pem containerkey.pem
root@choate:/etc/grid-security# chown globus:globus container*.pem
root@choate:/etc/grid-security# ls -l *.pem
-r--------  1 root   root    887 2005-11-15 07:48 containerkey.pem
-rw-r--r--  1 globus globus 2710 2005-11-15 07:48 containercert.pem
-rw-r--r--  1 root   root   2710 2005-11-15 07:47 hostcert.pem
-rw-r--r--  1 root   root   1404 2005-11-15 07:40 hostcert_request.pem
-r--------  1 root   root    887 2005-11-15 07:40 hostkey.pem

Now we'll get a usercert for bacon. In this example I'm running tcsh, just to show that the version of globus-user-env depends on your shell:

choate % setenv GLOBUS_LOCATION /usr/local/globus-4.1.3/
choate % source $GLOBUS_LOCATION/etc/globus-user-env.csh
choate % grid-cert-request 
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password, 
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.

Generating a 1024 bit RSA private key
.........................................................++++++
.........................++++++
unable to write 'random state'
writing new private key to '/home/bacon/.globus/userkey.pem'
Enter PEM pass phrase: ****
Verifying - Enter PEM pass phrase: ****
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
-----
Level 0 Organization [Grid]:
Level 0 Organizational Unit [GlobusTest]:
Level 1 Organizational Unit [simpleCA-choate.mcs.anl.gov]:
Level 2 Organizational Unit [mcs.anl.gov]:
Name (e.g., John M. Smith) []:

A private key and a certificate request has been generated with the subject:

/O=Grid/OU=GlobusTest/OU=simpleCA-choate.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon

If the CN=Charles Bacon is not appropriate, rerun this
script with the -force -cn "Common Name" options.

Your private key is stored in /home/bacon/.globus/userkey.pem
Your request is stored in /home/bacon/.globus/usercert_request.pem

Please e-mail the request to the Globus Simple CA bacon@choate
You may use a command similar to the following:

  cat /home/bacon/.globus/usercert_request.pem | mail bacon@choate

Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.

Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at bacon@choate

Now I need to get that certificate request to the globus user so it can be signed, then send the signed cert back to bacon:

choate % cat /home/bacon/.globus/usercert_request.pem | mail globus@choate

Now, sign it as user globus:

globus@choate:~$ grid-ca-sign -in request.pem -out signed.pem

To sign the request
please enter the password for the CA key: ******

The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/02.pem
globus@choate:~$ cat signed.pem | mail bacon@choate

Now user bacon checks his mail and copies the cert to the proper location:

choate % cp signed.pem ~/.globus/usercert.pem
choate % ls -l ~/.globus/
total 12
-rw-r--r--  1 bacon globdev  895 2005-11-15 07:57 usercert.pem
-rw-r--r--  1 bacon globdev 1426 2005-11-15 07:51 usercert_request.pem
-r--------  1 bacon globdev  963 2005-11-15 07:51 userkey.pem

Our last act will be to create a grid-mapfile as root for authorization:

root@choate:/etc/grid-security# vim /etc/grid-security/grid-mapfile
root@choate:/etc/grid-security# cat /etc/grid-security/grid-mapfile 
"/O=Grid/OU=GlobusTest/OU=simpleCA-choate.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon" bacon

Note

The globus user doesn't need a user certificate! It's a dummy account that we're using to own the GLOBUS_LOCATION. When it starts the container, it will use the containercert. Only real people need user certs.
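
An added example, not part of the original quickstart: a small audit of the credential files created in this section, using the policy visible in the listings above (private keys owner-only, certificates not writable by group or others, container credentials owned by the globus account). It assumes GNU stat; CONTAINER_USER and the function names are illustrative, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the quickstart): audit GSI credential files.
# Policy, taken from the listings in this section:
#   *key.pem       owner-only access (-r-------- or -rw-------)
#   *cert.pem      not writable by group or others
#   container*.pem owned by the account that runs the container
# CONTAINER_USER, audit_entry, audit_listing and audit_dir are illustrative names.

CONTAINER_USER=${CONTAINER_USER:-globus}   # assumption: container runs as "globus"

# audit_entry MODE OWNER PATH
# MODE is the symbolic mode string printed by `ls -l` or `stat -c %A`.
# Prints one FAIL line per problem and returns the number of problems.
audit_entry() {
    e_mode=$1
    e_owner=$2
    e_name=$(basename "$3")
    e_fail=0
    case "$e_name" in
        *key.pem)
            case "$e_mode" in
                -r--------*|-rw-------*) ;;
                *)  echo "FAIL $e_name: private key mode $e_mode is not owner-only"
                    e_fail=$((e_fail + 1)) ;;
            esac ;;
        *cert.pem)
            case "$e_mode" in
                ?????-??-?*) ;;   # group-write and other-write bits both unset
                *)  echo "FAIL $e_name: certificate mode $e_mode is group/world-writable"
                    e_fail=$((e_fail + 1)) ;;
            esac ;;
    esac
    case "$e_name" in
        container*.pem)
            if [ "$e_owner" != "$CONTAINER_USER" ]; then
                echo "FAIL $e_name: owned by $e_owner, container runs as $CONTAINER_USER"
                e_fail=$((e_fail + 1))
            fi ;;
    esac
    return "$e_fail"
}

# audit_listing: read "MODE OWNER PATH" lines on stdin.
# Returns 0 when every entry passes, 1 otherwise.
audit_listing() {
    l_bad=0
    while read -r l_mode l_owner l_path; do
        [ -n "$l_path" ] || continue
        audit_entry "$l_mode" "$l_owner" "$l_path" || l_bad=1
    done
    return "$l_bad"
}

# audit_dir DIR: audit the *.pem files in DIR (GNU stat assumed).
audit_dir() {
    stat -c '%A %U %n' "$1"/*.pem | audit_listing
}

if [ "$#" -gt 0 ]; then
    # e.g. ./audit.sh /etc/grid-security ~/.globus
    for dir in "$@"; do
        audit_dir "$dir" || echo "findings in $dir"
    done
else
    # Constructed sample listing: two entries are deliberately wrong.
    audit_listing <<'EOF' || echo "sample listing has findings"
-r-------- root /etc/grid-security/hostkey.pem
-rw-r--r-- root /etc/grid-security/hostcert.pem
-rw-r--r-- globus /etc/grid-security/containerkey.pem
-rw-rw-r-- globus /etc/grid-security/containercert.pem
-r-------- bacon /home/bacon/.globus/userkey.pem
EOF
fi
```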

4. Set up GridFTP

Now that we have our secure credentials in place, we can start a service. This setup comes from the GridFTP Admin Guide.

root@choate:/etc/grid-security# vim /etc/xinetd.d/gridftp
root@choate:/etc/grid-security# cat /etc/xinetd.d/gridftp
service gsiftp
{
instances               = 100
socket_type             = stream
wait                    = no
user                    = root
env                     += GLOBUS_LOCATION=/usr/local/globus-4.1.3
env                     += LD_LIBRARY_PATH=/usr/local/globus-4.1.3/lib

server                  = /usr/local/globus-4.1.3/sbin/globus-gridftp-server
server_args             = -i
log_on_success          += DURATION
nice                    = 10
disable                 = no
}
root@choate:/etc/grid-security# vim /etc/services 
root@choate:/etc/grid-security# tail /etc/services 
vboxd           20012/udp
binkp           24554/tcp                       # binkp fidonet protocol
asp             27374/tcp                       # Address Search Protocol
asp             27374/udp
dircproxy       57000/tcp                       # Detachable IRC Proxy
tfido           60177/tcp                       # fidonet EMSI over telnet
fido            60179/tcp                       # fidonet EMSI over TCP

# Local services
gsiftp          2811/tcp
root@choate:/etc/grid-security# /etc/init.d/xinetd reload
Reloading internet superserver configuration: xinetd.
root@choate:/etc/grid-security# netstat -an | grep 2811
tcp        0      0 0.0.0.0:2811            0.0.0.0:*               LISTEN     

I already had xinetd installed:

bacon@choate:~$ dpkg --list xinetd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  xinetd         2.3.13-3       replacement for inetd with many enhancements

You can use inetd instead; see "Configuring the GridFTP server to run under xinetd/inetd" in the System Administrator's Guide for details. For now, though, you might want to apt-get install xinetd.

On MacOS X, the LD_LIBRARY_PATH variable set in the xinetd entry above would be DYLD_LIBRARY_PATH. Check your system documentation if LD_LIBRARY_PATH doesn't work on your system.

Now the gridftp server is waiting for a request, so we'll run a client and transfer a file:

choate % grid-proxy-init -verify -debug

User Cert File: /home/bacon/.globus/usercert.pem
User Key File: /home/bacon/.globus/userkey.pem

Trusted CA Cert Dir: /etc/grid-security/certificates

Output File: /tmp/x509up_u1817
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-choate.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon
Enter GRID pass phrase for this identity: ****
Creating proxy .....++++++++++++
..++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Tue Nov 15 20:15:46 2005
choate % globus-url-copy gsiftp://choate.mcs.anl.gov/etc/group file:///tmp/bacon.test.copy
choate % diff /tmp/bacon.test.copy /etc/group
choate % 

Okay, so the GridFTP server works. If you had trouble, check the security troubleshooting section in the Security Admin Guide. Now we can move on to starting the webservices container.

5. Starting the webservices container

Now we'll set up an /etc/init.d entry for the webservices container. You can find more details about the container in the Java WS Core Admin Guide.

globus@choate:~$ vim $GLOBUS_LOCATION/start-stop
globus@choate:~$ cat $GLOBUS_LOCATION/start-stop
#! /bin/sh
set -e
export GLOBUS_LOCATION=/usr/local/globus-4.1.3
export JAVA_HOME=/usr/java/j2sdk1.4.2_10/
export ANT_HOME=/usr/local/apache-ant-1.6.5
export GLOBUS_OPTIONS="-Xms256M -Xmx512M"

. $GLOBUS_LOCATION/etc/globus-user-env.sh

cd $GLOBUS_LOCATION
case "$1" in
    start)
        $GLOBUS_LOCATION/sbin/globus-start-container-detached -p 8443
        ;;
    stop)
        $GLOBUS_LOCATION/sbin/globus-stop-container-detached
        ;;
    *)
        echo "Usage: globus {start|stop}" >&2
        exit 1
       ;;
esac
exit 0
globus@choate:~$ chmod +x $GLOBUS_LOCATION/start-stop

Now, as root, we'll create an /etc/init.d script to call the globus user's start-stop script:

root@choate:~# vim /etc/init.d/globus-4.1.3
root@choate:~# cat /etc/init.d/globus-4.1.3 
#!/bin/sh -e
case "$1" in
  start)
    su - globus /usr/local/globus-4.1.3/start-stop start
    ;;
  stop)
    su - globus /usr/local/globus-4.1.3/start-stop stop
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    printf "Usage: $0 {start|stop|restart}\n" >&2
    exit 1
    ;;
esac
exit 0
root@choate:~# chmod +x /etc/init.d/globus-4.1.3 
root@choate:~# /etc/init.d/globus-4.1.3 start
Starting Globus container. PID: 29985
root@choate:~# cat /usr/local/globus-4.1.3/var/container.log 
2005-11-15 08:48:00,886 ERROR service.ReliableFileTransferImpl [main,<init>:68]
Unable to setup database driver with pooling.A connection error has occurred:
FATAL:  no pg_hba.conf entry for host "140.221.8.31", user "globus",
  database "rftDatabase", SSL off

2005-11-15 08:48:02,183 WARN  service.ReliableFileTransferHome [main,initialize:97]
All RFT requests will fail and all GRAM jobs that require file staging will fail.
A connection error has occurred: FATAL:  no pg_hba.conf entry for host 
"140.221.8.31", user "globus", database "rftDatabase", SSL off 

Starting SOAP server at: https://140.221.8.31:8443/wsrf/services/ 
With the following services:

[1]: https://140.221.8.31:8443/wsrf/services/TriggerFactoryService
[2]: https://140.221.8.31:8443/wsrf/services/DelegationTestService
[3]: https://140.221.8.31:8443/wsrf/services/SecureCounterService
[4]: https://140.221.8.31:8443/wsrf/services/IndexServiceEntry
[5]: https://140.221.8.31:8443/wsrf/services/DelegationService
[6]: https://140.221.8.31:8443/wsrf/services/InMemoryServiceGroupFactory
[7]: https://140.221.8.31:8443/wsrf/services/mds/test/execsource/IndexService
[8]: https://140.221.8.31:8443/wsrf/services/mds/test/subsource/IndexService
[9]: https://140.221.8.31:8443/wsrf/services/SubscriptionManagerService
[10]: https://140.221.8.31:8443/wsrf/services/TestServiceWrongWSDL
[11]: https://140.221.8.31:8443/wsrf/services/SampleAuthzService
[12]: https://140.221.8.31:8443/wsrf/services/WidgetNotificationService
[13]: https://140.221.8.31:8443/wsrf/services/AdminService
[14]: https://140.221.8.31:8443/wsrf/services/DefaultIndexServiceEntry
[15]: https://140.221.8.31:8443/wsrf/services/CounterService
[16]: https://140.221.8.31:8443/wsrf/services/TestService
[17]: https://140.221.8.31:8443/wsrf/services/InMemoryServiceGroup
[18]: https://140.221.8.31:8443/wsrf/services/SecurityTestService
[19]: https://140.221.8.31:8443/wsrf/services/ContainerRegistryEntryService
[20]: https://140.221.8.31:8443/wsrf/services/NotificationConsumerFactoryService
[21]: https://140.221.8.31:8443/wsrf/services/TestServiceRequest
[22]: https://140.221.8.31:8443/wsrf/services/IndexFactoryService
[23]: https://140.221.8.31:8443/wsrf/services/ReliableFileTransferService
[24]: https://140.221.8.31:8443/wsrf/services/mds/test/subsource/IndexServiceEntry
[25]: https://140.221.8.31:8443/wsrf/services/Version
[26]: https://140.221.8.31:8443/wsrf/services/NotificationConsumerService
[27]: https://140.221.8.31:8443/wsrf/services/IndexService
[28]: https://140.221.8.31:8443/wsrf/services/NotificationTestService
[29]: https://140.221.8.31:8443/wsrf/services/ReliableFileTransferFactoryService
[30]: https://140.221.8.31:8443/wsrf/services/DefaultTriggerServiceEntry
[31]: https://140.221.8.31:8443/wsrf/services/TriggerServiceEntry
[32]: https://140.221.8.31:8443/wsrf/services/PersistenceTestSubscriptionManager
[33]: https://140.221.8.31:8443/wsrf/services/mds/test/execsource/IndexServiceEntry
[34]: https://140.221.8.31:8443/wsrf/services/DefaultTriggerService
[35]: https://140.221.8.31:8443/wsrf/services/TriggerService
[36]: https://140.221.8.31:8443/wsrf/services/gsi/AuthenticationService
[37]: https://140.221.8.31:8443/wsrf/services/TestRPCService
[38]: https://140.221.8.31:8443/wsrf/services/ManagedMultiJobService
[39]: https://140.221.8.31:8443/wsrf/services/RendezvousFactoryService
[40]: https://140.221.8.31:8443/wsrf/services/WidgetService
[41]: https://140.221.8.31:8443/wsrf/services/ManagementService
[42]: https://140.221.8.31:8443/wsrf/services/ManagedExecutableJobService
[43]: https://140.221.8.31:8443/wsrf/services/InMemoryServiceGroupEntry
[44]: https://140.221.8.31:8443/wsrf/services/AuthzCalloutTestService
[45]: https://140.221.8.31:8443/wsrf/services/DelegationFactoryService
[46]: https://140.221.8.31:8443/wsrf/services/DefaultIndexService
[47]: https://140.221.8.31:8443/wsrf/services/ShutdownService
[48]: https://140.221.8.31:8443/wsrf/services/ContainerRegistryService
[49]: https://140.221.8.31:8443/wsrf/services/TestAuthzService
[50]: https://140.221.8.31:8443/wsrf/services/CASService
[51]: https://140.221.8.31:8443/wsrf/services/ManagedJobFactoryService
2005-11-15 08:48:29,063 INFO  impl.DefaultIndexService [ServiceThread-10,processConfigFile:107]
Reading default registration configuration from file:
/usr/local/globus-4.1.3/etc/globus_wsrf_mds_index/hierarchy.xml
2005-11-15 08:48:31,705 ERROR impl.QueryAggregatorSource [Thread-12,pollGetMultiple:149]
Exception Getting Multiple Resource Properties from
https://140.221.8.31:8443/wsrf/services/ReliableFileTransferFactoryService:
java.rmi.RemoteException: Failed to serialize resource property
org.globus.transfer.reliable.service.factory.TotalNumberOfBytesTransferred@e8eeca;
nested exception is: 
        org.apache.commons.dbcp.DbcpException: A connection error has occurred:
FATAL:  no pg_hba.conf entry for host "140.221.8.31", user "globus",
database "rftDatabase", SSL off 

GLOBUS_OPTIONS, set in the start-stop script, can be used to pass options to the JVM. Here we are setting heap sizes recommended in the Java WS Core Admin Guide.

The RFT warnings in container.log are expected right now because we haven't set up our database yet. Otherwise, things look good.

At this point, we can use one of the sample clients/services to interact with the container:

choate % setenv JAVA_HOME /usr/java/j2sdk1.4.2_10/
choate % setenv ANT_HOME /usr/local/apache-ant-1.6.5/
choate % setenv PATH $ANT_HOME/bin:$JAVA_HOME/bin:$PATH
choate % counter-client -s https://choate.mcs.anl.gov:8443/wsrf/services/CounterService
Got notification with value: 3
Counter has value: 3
Got notification with value: 13

That is the expected output, so it looks like the container is up and running. Next we'll configure a database for RFT to get rid of that pesky warning, and so we can reliably transfer files using GridFTP!

6. Configuring RFT

Following the instructions at System Administrator's Guide, we'll first configure the system to allow TCP/IP connections to postgres, as well as adding a trust entry for our current host:

root@choate:~# vim /var/lib/postgres/postmaster.conf 
root@choate:~# grep POSTMASTER /var/lib/postgres/postmaster.conf 
POSTMASTER_OPTIONS="-i"
root@choate:~# vim /var/lib/postgres/data/pg_hba.conf 
root@choate:~# grep rftDatabase /etc/postgresql/pg_hba.conf 
host rftDatabase "globus" "140.221.8.31" 255.255.255.255 md5
root@choate:~# /etc/init.d/postgresql restart
Stopping PostgreSQL database server: postmaster.
Starting PostgreSQL database server: postmaster.
root@choate:~# su postgres -c "createuser -P globus"
Enter password for new user: *****
Enter it again: *****
Shall the new user be allowed to create databases? (y/n) y
Shall the new user be allowed to create more new users? (y/n) n
CREATE USER

Note

This is one of the most system-dependent steps of this quickstart. Your pg_hba.conf and postmaster.conf files may be located in a different directory. Please consult your vendor's notes for details.

Now the globus user can create the rftDatabase:

globus@choate:~$ createdb rftDatabase
CREATE DATABASE
globus@choate:~$ psql -d rftDatabase -f $GLOBUS_LOCATION/share/globus_wsrf_rft/rft_schema.sql
psql:/usr/local/globus-4.1.3/share/globus_wsrf_rft/rft_schema.sql:6: NOTICE:
CREATE TABLE / PRIMARY KEY will create implicit index "requestid_pkey" for table "requestid"
CREATE TABLE
psql:/usr/local/globus-4.1.3/share/globus_wsrf_rft/rft_schema.sql:11: NOTICE: 
CREATE TABLE / PRIMARY KEY will create implicit index "transferid_pkey" for table "transferid"
CREATE TABLE
psql:/usr/local/globus-4.1.3/share/globus_wsrf_rft/rft_schema.sql:30: NOTICE: 
CREATE TABLE / PRIMARY KEY will create implicit index "request_pkey" for table "request"
CREATE TABLE
psql:/usr/local/globus-4.1.3/share/globus_wsrf_rft/rft_schema.sql:65: NOTICE: 
CREATE TABLE / PRIMARY KEY will create implicit index "transfer_pkey" for table "transfer"
CREATE TABLE
CREATE TABLE
CREATE TABLE
CREATE INDEX
globus@choate:~$ vim $GLOBUS_LOCATION/etc/globus_wsrf_rft/jndi-config.xml
globus@choate:~$ grep -C 3 password $GLOBUS_LOCATION/etc/globus_wsrf_rft/jndi-config.xml 
            </parameter>
            <parameter>
                <name>
                password
                </name>
                <value>
                *****

I have created the database, loaded the RFT schema, and changed the password in the jndi-config.xml file.

The database is set up, so we restart the container to load the new RFT configuration:

root@choate:~# /etc/init.d/globus-4.1.3 restart
Stopping Globus container. PID: 29985
Starting Globus container. PID: 8620
root@choate:~# head /usr/local/globus-4.1.3/var/container.log
Starting SOAP server at: https://140.221.8.31:8443/wsrf/services/ 
With the following services:

[1]: https://140.221.8.31:8443/wsrf/services/TriggerFactoryService
[2]: https://140.221.8.31:8443/wsrf/services/DelegationTestService
[3]: https://140.221.8.31:8443/wsrf/services/SecureCounterService
[4]: https://140.221.8.31:8443/wsrf/services/IndexServiceEntry
[5]: https://140.221.8.31:8443/wsrf/services/DelegationService
[6]: https://140.221.8.31:8443/wsrf/services/InMemoryServiceGroupFactory
[7]: https://140.221.8.31:8443/wsrf/services/mds/test/execsource/IndexService
...

Great, we got rid of the warning. Now let's try an RFT transfer to make sure the service is really working:

choate % cp /usr/local/globus-4.1.3/share/globus_wsrf_rft_test/transfer.xfr /tmp/rft.xfr
choate % vim /tmp/rft.xfr 
choate % cat /tmp/rft.xfr 
true
16000
16000
false
1
true
1
null
null
false
10
gsiftp://choate.mcs.anl.gov:2811/etc/group
gsiftp://choate.mcs.anl.gov:2811/tmp/rftTest_Done.tmp
choate % rft -h choate.mcs.anl.gov -f /tmp/rft.xfr 
Number of transfers in this request: 1
Subscribed for overall status
Termination time to set: 60 minutes

 Overall status of transfer:
Finished/Active/Failed/Retrying/Pending
0/1/0/0/0

 Overall status of transfer:
Finished/Active/Failed/Retrying/Pending
1/0/0/0/0
All Transfers are completed
choate % diff /etc/group /tmp/rftTest_Done.tmp 
choate % 

RFT did its job, starting up a reliable transfer and notifying us of the status and results.

7. Setting up GRAM4

Now that we have GridFTP and RFT working, we can set up GRAM for resource management. First we have to set up sudo so the globus user can start jobs as a different user. For reference, you can see the System Administrator's Guide.

root@choate:~# visudo
root@choate:~# cat /etc/sudoers 
globus ALL=(bacon) NOPASSWD: /usr/local/globus-4.1.3/libexec/globus-gridmap-and-execute
-g /etc/grid-security/grid-mapfile /usr/local/globus-4.1.3/libexec/globus-job-manager-script.pl *
globus  ALL=(bacon) NOPASSWD: /usr/local/globus-4.1.3/libexec/globus-gridmap-and-execute
-g /etc/grid-security/grid-mapfile /usr/local/globus-4.1.3/libexec/globus-gram-local-proxy-tool *

Make sure each entry is on a single line in your sudoers file. I split them up in the HTML to keep the page width down. With that addition, we can now run jobs:

choate % globusrun-ws -submit -c /bin/true
Submitting job...Done.
Job ID: uuid:3304e3f2-55f2-11da-8b8f-00d0b7b7c0bc
Termination time: 11/16/2005 16:09 GMT
Current job state: Active
Current job state: CleanUp
Current job state: Done
Destroying job...Done.
choate % echo $?
0
choate % globusrun-ws -submit -c /bin/false
Submitting job...Done.
Job ID: uuid:456b7c9a-55f2-11da-9b0d-00d0b7b7c0bc
Termination time: 11/16/2005 16:09 GMT
Current job state: Active
Current job state: CleanUp
Current job state: Done
Destroying job...Done.
choate % echo $?
1

Success. Now we've got a working GRAM installation.
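
An added example, not part of the original quickstart, tying together the grid-mapfile from section 3 and the sudoers entries above: it parses the grid-mapfile, refuses malformed lines and any mapping to root, and prints the two GRAM rules for each mapped account, each on a single line. Emitting one rule pair per account is an assumption of this example, the function names and the GRIDMAP variable are illustrative, and the sample input is constructed from the entry shown on this page.

```shell
#!/bin/sh
# Added example (not from the quickstart): derive the GRAM sudoers rules
# from a grid-mapfile. mapped_users, sudoers_rules and GRIDMAP are
# illustrative names; paths default to the ones used on this page.

GLOBUS_LOCATION=${GLOBUS_LOCATION:-/usr/local/globus-4.1.3}
GRIDMAP=${GRIDMAP:-/etc/grid-security/grid-mapfile}   # path written into the rules

# mapped_users FILE
# Prints each local account named in FILE once ("-" reads stdin).
# Complains on stderr and returns 1 if a DN is not double-quoted, an entry
# has no account, an account name looks wrong, or an entry maps to root.
mapped_users() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        !match($0, /^[ \t]*"\/[^"]+"[ \t]+/) {
            printf "line %d: DN must be double-quoted and start with /\n", NR > "/dev/stderr"
            bad = 1; next
        }
        {
            rest = substr($0, RLENGTH + 1)         # everything after the DN
            sub(/[ \t]+$/, "", rest)
            n = split(rest, accts, ",")            # comma-separated local accounts
            if (n == 0) {
                printf "line %d: no local account\n", NR > "/dev/stderr"
                bad = 1
            }
            for (i = 1; i <= n; i++) {
                u = accts[i]
                if (u == "root" || u !~ /^[a-z_][a-z0-9_-]*$/) {
                    printf "line %d: refusing account \"%s\"\n", NR, u > "/dev/stderr"
                    bad = 1
                } else if (!(u in seen)) {
                    seen[u] = 1; print u
                }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# sudoers_rules FILE
# Prints the two rules from section 7 for every mapped account, one rule
# per line. Prints nothing and returns 1 if FILE fails validation.
sudoers_rules() {
    users=$(mapped_users "$1") || return 1
    wrapper="$GLOBUS_LOCATION/libexec/globus-gridmap-and-execute -g $GRIDMAP"
    for u in $users; do
        for tool in globus-job-manager-script.pl globus-gram-local-proxy-tool; do
            printf 'globus ALL=(%s) NOPASSWD: %s %s/libexec/%s *\n' \
                "$u" "$wrapper" "$GLOBUS_LOCATION" "$tool"
        done
    done
}

if [ "$#" -gt 0 ]; then
    sudoers_rules "$1"
else
    # Constructed sample: the entry from this page plus a comment line.
    sudoers_rules - <<'EOF'
# constructed sample grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-choate.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon" bacon
EOF
fi
```

Review the generated lines before adding them with visudo.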