Software Links
Getting Started
- Doc Structure
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- GT Developer's Guide
- GT User's Guide (coming soon)
- Migrating from GT2
- Migrating from GT3
Reference
- Best Practices
- Coding Guidelines
- API docs
- Public Interfaces (coming soon)
- Resource Properties
- Samples
- Glossary
- Performance Studies (coming soon)
Manuals
Common Runtime
Security
- Non-WS (General) Security
- WS Java Security
- Message-level
- Authz Framework
- CAS
- Delegation Service
- MyProxy
- GSI-OpenSSH
- SimpleCA
- SGAS
Data Mgt
MDS4
Execution Mgt
Table of Contents
- 1. Typical Configuration
- 2. Non-default Configuration
- 3. Locating configuration files
- 4. Web service deployment configuration
- 5. JNDI application configuration
- 6. Security descriptor
- 7. GRAM and GridFTP file system mapping
- 8. Scheduler-Specific Configuration Files
- 9. GRAM4 auto-registration with default WS MDS Index Service
- 10. Registering GRAM4 manually with default WS MDS Index Service
- 11. Customizing Extensions Support
When the credentials of the service account and the job submitter are different (multi user mode), then GRAM will prepend a call to sudo to the local adapter callout command. Important: If sudo is not configured properly, the command and thus job will fail.
As root, here are the two lines to add to the
/etc/sudoers file for each GLOBUS_LOCATION installation, where
/opt/globus/GT4.1.3 should be replaced with the GLOBUS LOCATION for your
installation:
# Globus GRAM entries
globus ALL=(username1,username2)
NOPASSWD: /opt/globus/GT4.1.3/libexec/globus-gridmap-and-execute
-g /etc/grid-security/grid-mapfile
/opt/globus/GT4.1.3/libexec/globus-job-manager-script.pl *
globus ALL=(username1,username2)
NOPASSWD: /opt/globus/GT4.1.3/libexec/globus-gridmap-and-execute
-g /etc/grid-security/grid-mapfile
/opt/globus/GT4.1.3/libexec/globus-gram-local-proxy-tool *
The globus-gridmap-and-execute program is
used to ensure that GRAM only runs programs under accounts that are in the
grid-mapfile. In the sudo configuration, it is the first program called.
It looks up the account in the grid-mapfile and then runs the requested
command. It is redundant if sudo is properly locked down. This tool
could be replaced with your own authorization program.
The GRAM4 scheduler adapters included in the release tarball are: PBS, Condor and LSF. To install, follow these steps (shown for pbs):
% cd $GLOBUS_LOCATION\gt4.1.3-all-source-installer
% make gt4-gram-pbs
% make install
Using PBS as the example, make sure the scheduler commands are in your path (qsub, qstat, pbsnodes).
For PBS, another setup step is required to configure the remote shell for rsh access:
% cd $GLOBUS_LOCATION/setup/globus
% ./setup-globus-job-manager-pbs --remote-shell=rsh
The last thing is to define the GRAM and GridFTP file system mapping for PBS. A default mapping in this file is created to allow simple jobs to run. However, the actual file system mappings for your compute resource should be entered to ensure:
files staging is performed correctly
jobs with erroneous file path directives are rejected
Done! You have added the PBS scheduler adapters to your GT installation.
Note for future GT builds with scheduler adapters: scheduler adapters can be enabled by adding --enable-wsgram-pbs to the configure line when building the entire toolkit.
% configure --prefix=$GLOBUS_LOCATION --enable-wsgram-pbs ...
% make
% make install
The database that stores the information about job resources is configured
in the JNDI container registry in
$GLOBUS_LOCATION/etc/globus_wsrf_gram/jndi-config.xml.
By default Derby, which is shipped as part of the GT, is used as DMBS.
The necessary tables are created during installation of the GT and no
additional configuration must be done.
Aside from Derby, persistence data can also be stored in MySQL or PostgreSQL. For information about how to configure MySQL or PostgreSQL, see the Non-default Configuration section on this page.
In case the Derby database should be cleared or recreated the following can be done:
Delete the existing database:
rm -rf $GLOBUS_LOCATION/var/gram/ResourceDatabase
Recreate the database:
ant -f $GLOBUS_LOCATION/setup/globus/create-gram-database.xml
To run the container using just a user proxy, instead of host creds,
edit the
$GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml
file, and either comment out the credentials section...
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
<!--
<credential>
<key-file value="/etc/grid-security/containerkey.pem"/>
<cert-file value="/etc/grid-security/containercert.pem"/>
<credential>
-->
<gridmap value="/etc/grid-security/grid-mapfile"/>
<securityConfig>
or replace the credentials section with a proxy file location...
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
<proxy-file value="<PATH TO PROXY FILE>"/>
<gridmap value="/etc/grid-security/grid-mapfile"/>
<securityConfig>
Running in personal mode (user proxy), another GRAM configuration setting is required. For GRAM to authorize the RFT service when performing staging functions, it needs to know the subject DN for verification. Here are the steps:
% cd $GLOBUS_LOCATION/setup/globus
% ./setup-gram-service-common --staging-subject=
"/DC=org/DC=doegrids/OU=People/CN=Stuart Martin 564720"
You can get your subject DN by running this command:
% grid-cert-info -subject
By default, the GridFTP server is assumed to run as root on localhost:2811.
If this is not true for your site then change it by editing the GridFTP host
and/or port in the GRAM and GridFTP file system mapping config file: $GLOBUS_LOCATION/etc/gram-service/globus_gram_fs_map_config.xml.
By default, the globus services will assume 8443 is the port the Globus container is using. However the container can be run under a non-standard port, for example:
% globus-start-container -p 4321
If you wish to specify a non-standard gridmap file in a multi-user installation, two basic configurations need to be changed:
$GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml
- As specified in the gridmap config instructions, add a <gridmap value="..."/> element to the file appropriately.
/etc/sudoers
Change the file path after all -g options
-g /path/to/grid-mapfile
.
Example: global_security_descriptor.xml
...
<gridmap value="/opt/grid-mapfile"/>
...
sudoers
...
# Globus GRAM entries
globus ALL=(username1,username2)
NOPASSWD: /opt/globus/GT4.1.3/libexec/globus-gridmap-and-execute
-g /opt/grid-mapfile
/opt/globus/GT4.1.3/libexec/globus-job-manager-script.pl *
globus ALL=(username1,username2)
NOPASSWD: /opt/globus/GT4.1.3/libexec/globus-gridmap-and-execute
-g /opt/grid-mapfile
/opt/globus/GT4.1.3/libexec/globus-gram-local-proxy-tool *
...
RFT is used by GRAM to stage files in and out of the job execution environment. In the default configuration, RFT is hosted in the same container as GRAM and is assumed to have the same service path and standard service names. This need not be the case. For example, the most likely alternative scenario is that RFT would be hosted seperately in a container on a different machine. In any case, both the RFT and the Delegation Service endpoints need to be adjustable to allow this flexibility. The following options can be passed to the setup-gram-service-common script to affect these settings:
--staging-protocol=<protocol>
--staging-host=<host>
--staging-port=<port>
--staging-service-path=<RFT and Delegation factory service path>
--staging-factory-name=<RFT factory service name>
--staging-delegation-factory-name=<name of Delegation factory service used by RFT>
for example
% setup-gram-service-common \
--staging-protocol=http
--staging-host=somemachine.fakedomain.net
--staging-port=8444
--staging-service-path=/tomcat/services/
--staging-factory-name=MyReliableFileTransferFactoryService
--staging-delegation-factory-name=MyDelegationFactoryServiceForRFT
will internally cause the GRAM service code to construct the following EPR addresses:
http://somemachine.fakedomain.net:8444/tomcat/services/MyReliableFileTransferFactoryService
http://somemachine.fakedomain.net:8444/tomcat/services/MyDelegationFactoryServiceForRFT
Aside from Derby, database schemas for MySQL and PostgreSQL are provided.
They can be found in $GLOBUS_LOCATION/share/globus_wsrf_gram/.
After creating the database, the JNDI configuration of WS-GRAM must be adapted in
order to use the non-default database.
Note, that there's more than one configuration section for ManagedJobFactoryService in the JNDI registry:
ManagedJobFactoryService: This is the factory for jobs described in the job description language defined by WS-GRAM.
v4_2/ManagedJobFactoryService: This is the factory for jobs described in JSDL
bes/ManagedJobFactoryService This is the not yet functional Basic Execution Service.
The database configuration must be specified for each factory, except for the BES factory which can't be used at the moment due to it's prototype status. The database settings must be specified in the section for the ManagedJobFactoryService and the v4_2/ManagedJobFactoryService. The important parameters are driverClassName, url, username and password.
The following describes how to configure MySQL as DBMS. Similar settings must be done if PostgreSQL is used.
Create the database as root of the MySQL DMBS and grant permissions to the user globus with password "foo" assuming that the container is run as user globus:
[root@lappi ~]# mysql -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 4 to server version: 4.1.22-standard Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> create database ResourceDatabase; Query OK, 1 row affected (0.03 sec) mysql> GRANT all on ResourceDatabase.* to globus@localhost identified by "foo"; Query OK, 0 rows affected (0.08 sec) mysql> quit Bye
Create the tables as user globus:
globus@lappi ~]$ mysql -u globus ResourceDatabase -p < $GLOBUS_LOCATION/share/globus_wsrf_gram/gram_schema_mysql.sql Enter password: globus@lappi ~]$
Adapt the sections of
$GLOBUS_LOCATION/etc/globus_wsrf_gram/jndi-config.xml<service name="ManagedJobFactoryService"> ... <resource name="ResourceDatabase" type="javax.sql.DataSource"> ... <parameter> <name>driverClassName</name> <value>com.mysql.jdbc.Driver</value> </parameter> <parameter> <name>url</name> <value>jdbc:mysql://localhost/ResourceDatabase</value> </parameter> <parameter> <name>username</name> <value>globus</value> </parameter> <parameter> <name>password</name> <value>foo</value> </parameter> ... </resource> </service> ... <service name="v4_2/ManagedJobFactoryService"> ... <resource name="ResourceDatabase" type="javax.sql.DataSource"> ... <parameter> <name>driverClassName</name> <value>com.mysql.jdbc.Driver</value> </parameter> <parameter> <name>url</name> <value>jdbc:mysql://localhost/ResourceDatabase</value> </parameter> <parameter> <name>username</name> <value>globus</value> </parameter> <parameter> <name>password</name> <value>foo</value> </parameter> ... </resource> </service>Make sure that the MySQL Connector/J has been copied to
$GLOBUS_LOCATION/lib/. Otherwise the connection to the database will fail.
All the GRAM service configuration files are located in subdirectories of
the $GLOBUS_LOCATION/etc directory. The names of the GRAM
configuration directories all start with gram-service.
For instance, with a default GRAM installation, the command line:
% ls etc | grep gram-service
gives the following output:
gram-service gram-service-Fork gram-service-Multi
The file $GLOBUS_LOCATION/etc/gram-service/server-config.wsdd
contains information necessary to deploy and instantiate the GRAM
services in the Globus container.
Three GRAM services are deployed:
- ManagedExecutableJobService: service invoked when querying or managing an executable job
- ManagedMultiJobService: service invoked when querying or managing a multijob
- ManagedJobFactoryService: service invoked when submitting a job
Each service deployment information contains the name of the Java service implementation class, the path to the WSDL service file, the name of the operation providers that the service reuses for its implementation of WSDL-defined operations, etc. More information about the service deployment configuration information can be found in Configuration interface.
The configuration of WSRF resources and application-level service configuration not related to service deployment is contained in JNDI files. The JNDI-based GRAM configuration is of two kinds:
The file $GLOBUS_LOCATION/etc/gram-service/jndi-config.xml contains
configuration information that is common to every local resource manager.
More precisely, the configuration data it contains pertains to the implementation of the GRAM WSRF resources (factory resources and job resources), as well as initial values of WSRF resource properties that are always published by any Managed Job Factory WSRF resource.
The data is categorized by service, because according to WSRF, in spite of the service/resource separation of concern, a given service will use only one XML Schema type of resource. In practice it is therefore clearer to categorize the configuration resource implementation by service, even if theoretically speaking a given resource implementation could be used by several services. For more information, refer to the Java WS Core documentation.
Here is the decomposition, in JNDI objects, of the common configuration
data, categorized by service. Each XYZHome object contains the same
Globus Core-defined information for the implementation of the WSRF resource,
such as the Java implementation class for the resource (resourceClass datum),
the Java class for the resource key (resourceKeyType datum), etc.
ManagedExecutableJobService
- ManagedExecutableJobHome: configuration of the implementation of resources for the service.
ManagedMultiJobService
- ManagedMultiJobHome: configuration of the implementation of resources for the service
ManagedJobFactoryService
- FactoryServiceConfiguration: this encapsulates configuration information used by the factory service. Currently this identifies the service to associate to a newly created job resource in order to create an endpoint reference and return it.
- ManagedJobFactoryHome: implementation of resources for the service resourceClass
- FactoryHomeConfiguration: this contains GRAM application-level configuration data i.e. values for resource properties common to all factory resources. For instance, the path to the Globus installation, host information such as CPU type, manufacturer, operating system name and version, etc.
When a SOAP call is made to a GRAM factory service in order to submit a job, the call is actually made to a GRAM service-resource pair, where the factory resource represents the local resource manager to be used to execute the job.
There is one directory gram-service-<manager>/
for each local resource manager supported by the GRAM installation.
For instance, let's assume the command line:
% ls etc | grep gram-service-
gives the following output:
gram-service-Fork gram-service-LSF gram-service-Multi
In this example, the Multi, Fork and LSF job factory resources have been
installed. Multi is a special kind of local resource manager
which enables the GRAM services to support multijobs.
The JNDI configuration file located under each manager directory contains configuration information for the GRAM support of the given local resource manager, such as the name that GRAM uses to designate the given resource manager. This is referred to as the GRAM name of the local resource manager.
For instance, $GLOBUS_LOCATION/etc/gram-service-Fork/jndi-config.xml
contains the following XML element structure:
<service name="ManagedJobFactoryService">
<!-- LRM configuration: Fork -->
<resource
name="ForkResourceConfiguration"
type="org.globus.exec.service.factory.FactoryResourceConfiguration">
<resourceParams>
[...]
<parameter>
<name>
localResourceManagerName
</name>
<value>
Fork
</value>
</parameter>
<!-- Site-specific scratchDir
Default: ${GLOBUS_USER_HOME}/.globus/scratch
<parameter>
<name>
scratchDirectory
</name>
<value>
${GLOBUS_USER_HOME}.globus/scratch
</value>
</parameter>
-->
</resourceParams>
</resource>
</service>
In the example above, the name of the local resource manager is
Fork. This value can be used with the GRAM
command line client in order to specify which factory resource to use when
submitting a job. Similarly, it is used to create an endpoint reference to the
chosen factory WS-Resource when using the GRAM client API.
In the example above, the scratchDirectory is set to
${GLOBUS_USER_HOME}/.globus/scratch. This is
the default setting. It can be configured to point to an alternate file system
path that is common to the compute cluster and is typically less reliable (auto
purging), while offering a greater amount of disk space (thus "scratch").
The file $GLOBUS_LOCATION/etc/gram-service/managed-job-factory-security-config.xml contains the Core security configuration for the GRAM ManagedJobFactory service:
default security information for all remote invocations, such as:
- the authorization method, based on a Gridmap file (in order to resolve user credentials to local user names)
- limited proxy credentials will be rejected
- security information for the
createManagedJoboperation
The file $GLOBUS_LOCATION/etc/gram-service/managed-job-security-config.xml contains the Core security configuration for the GRAM job resources:
- The default is to only allow the identity that called the createManagedJob operation to access the resource.
Note: GRAM does not override the container security credentials defined in $GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml. These are the credentials used to authenticate all service requests.
The file $GLOBUS_LOCATION/etc/gram-service/globus_gram_fs_map_config.xml
contains information to associate local resource managers with GridFTP servers. GRAM uses the GridFTP server (via RFT) to perform all file staging directives.
Since the GridFTP server and the Globus service container can be run on separate hosts, a mapping is needed between the common file system paths of these 2 hosts.
This enables the GRAM services to resolve file:/// staging directives to the local GridFTP URLs.
Below is the default Fork entry. Mapping a jobPath of / to ftpPath of / will allow any file staging directive to be attempted.
<map>
<scheduler>Fork</scheduler>
<ftpServer>
<protocol>gsiftp</protocol>
<host>myhost.org</host>
<port>2811</port>
</ftpServer>
<mapping>
<jobPath>/</jobPath>
<ftpPath>/</ftpPath>
</mapping>
</map>
For a scheduler, where jobs will typically run on a compute node, a default entry is not provided. This means staging directives will fail until a mapping is entered. Here is an example of a compute cluster with PBS installed that has 2 common mount points between the front end host and the GridFTP server host.
<map>
<scheduler>PBS</scheduler>
<ftpServer>
<protocol>gsiftp</protocol>
<host>myhost.org</host>
<port>2811</port>
</ftpServer>
<mapping>
<jobPath>/pvfs/mount1/users</jobPath>
<ftpPath>/pvfs/mount2/users</ftpPath>
</mapping>
<mapping>
<jobPath>/pvfs/jobhome</jobPath>
<ftpPath>/pvfs/ftphome</ftpPath>
</mapping>
</map>
The file system mapping schema doc is here.
In addition to the service configuration described above, there are scheduler-specific configuration files for the Scheduler Event Generator modules. These files consist of name=value pairs separated by newlines. These files are:
Table 1. Scheduler-Specific Configuration Files
| $GLOBUS_LOCATION/etc/globus-fork.conf | Configuration for the Fork SEG module implementation. The attributes names for this file are:
|
| $GLOBUS_LOCATION/etc/globus-condor.conf | Configuration for the Condor SEG module implementation. The attributes names for this file are:
|
| $GLOBUS_LOCATION/etc/globus-pbs.conf | Configuration for the PBS SEG module implementation. The attributes names for this file are:
|
| $GLOBUS_LOCATION/etc/globus-lsf.conf | Configuration for the PBS SEG module implementation. The attributes names for this file are:
|
With a default GT 4.1.3 installation, the GRAM4 service is automatically registered with the default WS MDS Index Service running in the same container for monitoring and discovery purposes.
This is how auto-registration is configured:
There is a jndi resource defined in $GLOBUS_LOCATION/etc/gram-service/jndi-config.xml as follows :
<resource name="mdsConfiguration"
type="org.globus.wsrf.impl.servicegroup.client.MDSConfiguration">
<resourceParams>
<parameter>
<name>reg</name>
<value>true</value>
</parameter>
<parameter>
<name>factory</name>
<value>org.globus.wsrf.jndi.BeanFactory</value>
</parameter>
</resourceParams>
</resource>
To configure the automatic registration of GRAM4 to the default WS MDS Index Service, change the value of the parameter
<reg> as follows:
trueturns on auto-registration; this is the default in GT 4.1.3.falseturns off auto-registration.
By default, the GLUECE: resource property (which contains GLUE data) is sent to the default Index Service:
You can configure which resource properties are sent in GRAM4's registration.xml file, $GLOBUS_LOCATION/etc/gram-service/registration.xml.
The following is the relevant section of the file (as it is set by default):
<Content xsi:type="agg:AggregatorContent"
xmlns:agg="http://mds.globus.org/aggregator/types">
<agg:AggregatorConfig xsi:type="agg:AggregatorConfig">
<agg:GetResourcePropertyPollType
xmlns:glue="http://mds.globus.org/glue/ce/1.1">
<!-- Specifies that the index should refresh information
every 60000 milliseconds (once per minute) -->
<agg:PollIntervalMillis>60000</agg:PollIntervalMillis>
<!-- specifies the resource property that should be
aggregated, which in this case is the GLUE cluster
and scheduler information RP -->
<agg:ResourcePropertyName>glue:GLUECE</agg:ResourcePropertyName>
</agg:GetResourcePropertyPollType>
</agg:AggregatorConfig>
<agg:AggregatorData/>
</Content>
If a third party needs to register an GRAM4 service manually, see Registering with mds-servicegroup-add in the WS MDS Aggregator Framework documentation.
Two Perl modules will have to be edited to customize extensions support. The
first is ExtensionsHandler.pm. This is where
the WS-GRAM job description XML of the
extensions element is parsed and entries are
added or appended to the Perl job description hash. The second module that needs
to be edited is the particular resource manager adapter module that will use any
new hash entries to either alter it's behavior or create additional parameters
in the resource manager job description.
NOTE: if you are using one of the generic constructs described in the Section 2, “Additional Extension Constructs” section of the WS-GRAM User's Guide, skip to the subsection titled Customizing the Adapter Module.
For starters, this module logs various things to the log file specified in
the logfile extension element. If you place
this element at the start of the extensions you are creating support for,
then you can look at the specified log file to get some idea of what the
handler is doing. You can add new logging lines by using the
$self->log() function. This simply takes a
string that gets appended to the log file with a prefix of
"<date string> EXTENSIONS HANDLER:".
There are three main subroutines that are used to handle parsing events and
process them accordingly:
Char(), StartTag(), and
EndTag().
More handlers can be specified for other specific events when creating the
XML::Parser instance in
new() (for details, see the
Section 6, “Technology Dependencies” section of the WS-GRAM Release
Notes for a olink to the XML::Parser documentation). Descriptions of what the
three main subroutines do currently are layed out bellow. Modify the
subroutines as neccesary to achieve your goal.
Char() doesn't do anything but collect
CDATA found between the current element start and end tags. You can access
the CDATA for the current element by using
$self->{CDATA}.
StartTag() is responsible for collecting
the attributes associated with the element. It also increments the counter
which keeps track of the number of child elements under the current
extension element, and pushes the current element name onto the
@scope queue for later use.
EndTag() is used for taking the CDATA
collected by Char() and creating new Perl job description hash entries. This
is most likely where you will need to do most of your work when adding
support for new extension elements. Two useful variables are
$currentScope and
$parentScope. These indicate the current
element that is being parsed and the parent of the element being parsed
respectively. This is useful for establishing a context from which to work
from. The @scope queue is poped at the end
of this subroutine.
Each adapter and each extension's purpose is different, so there aren't any specific instructions for modifying the resource manager/scheduler adapter module. It is suggested that you spend some time trying to understand what the adapter does and how before making your changes.
Any new hash entries you created in
ExtensionsHandler.pm (see the "Customizing
ExtensionsHandler.pm" section above) can be accessed by calling
$description->entryname() from the adapter
module, where 'entryname' is the name of the entry that was added.
See the Section 2, “Additional Extension Constructs” section of the WS-GRAM User's Guide for details on generic constructs that are already supported in ExtensionsHandler.pm. This is often an easier route to implmenting your extensions than creating a custom construct.