Configuring and Running GPE4GTK

Alexander S. Lukichev, Intel Corporation

Version 1.3 December 10, 2007

Version history

1 Requirements

1.1 Software configuration

• Java Development Kit: JDK 1.5 (1.6 is not recommended however);
• Server-side: Unix operating system. The supplied OS profile samples correspond to RedHat and Suse Linux distributions;
• Target systems: SSH server with support of public key authentication.

1.2 Firewall configuration

The clients connect to the server at the port 8443. That means that this port must be accessible for the incoming connections. Please check your firewall settings.

The server connects to the target systems (the machines where the tests run) via SSH protocol at the port 22. The machines are expected to run Unix-compatible operating system.

2 Installation

The best practice is to create a dedicated Unix user (e.g. gpeadmin) to perform installation and server running and managing on behalf of. All the installation and management scripts should run from this user's concole then. The directories created during the installation will be owned by this user. The default location of these directories is /var/tmp/gpe that means that either /var/tmp or /var/tmp/gpe should exist and be writable for gpeadmin prior to the installation.

Unpack the archive gpe4gtk-service-package-1.5.2.tar.gz. The obtained directory (gpe4gtk-service-package-1.5.2) will be the root directory of the installation.

The next step is the installation of the individual components. Go to directory gpe4gtk-service-package-1.5.2.

Several installation scripts are provided to install separate components.

2.1 Simple CA

The simple Certificate Authority (CA) utility:

$ bin/install-ca

You will have to provide the CA password.

2.2 GTK 4 container

$ bin/install-container

If the Simple CA is already at the same machine the installer script will propose to create the container credentials. Otherwise the credentials may be installed later with the following command:

$ bin/set-container-credentials key-file cert-file

2.3 GPE services

Run this command to install the GPE grid services:

$ bin/install-gpe-services

2.4 VOCS

Virtual Organization Credential Service.

The VO login service with WS interface. This service is used to manage the VO-level user logins.

$ bin/install-vocs

The above command installs both the service and the management util.

If the Simple CA is already installed at the same machine the installer script will propose to integrate VOCS with CA. In this case issuing user certificates will be combined with registering the users at the VOCS.

**NOTE** This is currently the only available mode.

The password for the newly created VO attribute certificate (AC) issuer will be queried (VO password). Each VO user is assigned with the issued AC later. So the VO password is the password for access the VOCS.

The VO administrator user (voadmin) may be automatically created. His password will be queried then.

The default answers are listed in brackets.

2.5 UPRS management

User Profile Repository Service management tools.

The tools for managing the User Profile Repository. The User Profile repository is a mapping of VO-level creedentials (X.509 certificates) to the target system credentials (e.g. username/password pairs, SSH keys, etc.). In the GPE4GTK version 1.5.2 only mapping to SSH keys is supported.

$ bin/install-uprs-manage

2.6 Grid management

Run this command to install the tools for managing the GPE target systems:

$ bin/install-grid-manage

3 Running the server

3.1 Starting/stopping the server

Starting the server:

$ bin/start-container

Stoppping the server:

$ bin/stop-container

The server may be also configured for auto-start during boottime.

4 Credential management with Simple CA

Simple CA tool is used for issuing certificates and (optionally) generating key pairs. Several modes are available for Simple CA:

• Initialize the CA: generate the CA private key and the root certificate.

  ca-tool -init subject -out dest_keystore

• Sign a PKCS#10 certificate request.

  ca-tool -in cert_request -out dest_certificate

• Generate a private key and issue the certificate for it.

  ca-tool -out dest_keystore -keylen key_length -storepass password

-kstype kstype

The type of the generated keystore, JKS or pem.
JKS - dest_keystore is a Java Keystore;
pem - dest_keystore is the name of the directory to write the PEM files to.

-subj subject

The subject of the certificate to write.

-length days

The validity time of the written certificate (in days).

-capass password

The password of the CA keystore (private key).

5 Virtual Organization user management

It is assumed that the special Virtual Organization (/test.gpe.intel.com by default) is created for the installed grid. Each virtual organization user has an entry at the Virtual Organization Credential Service. Such entry has a name (login) and a set of attributes, e.g.: /test.gpe.intel.com/user/ivan

Each entry is also protected with a password.

To create a new VO user you can use the following command:

$ bin/user-manage -add account_name -role user

You will have to input the VO password and the user's password.

It is also possible that the users publich their credentials at the VOCS to request the membership in the VO. The VOCS administrator may then accept or reject the request.

To list the pending requests run the following command:

$ bin/vocs-manage -request -list

Accept a request:

$ bin/vocs-manage -request -accept account_name

Reject a request:

$ bin/vocs-manage -request -remove account_name

Remove the VO user:

$ bin/user-manage -account -remove account_name

List the existing users:

$ bin/user-manage -account -list

The set of attributes (and thus users) can mapped to a real Unix user. Use the bin/map-user tool for that:

$ bin/map-user -create /test.gpe.intel.com/user -user globus

In this case all the VO accounts who have the attributes /test.gpe.intel.com/user (such as /test.gpe.intel.com/user/ivan from one of the examples) will be mapped to the user globus.

The next step is configuring the SSH server at the target system for accepting the connections for that user. Typically this is achieved with special configuration files in the user home directory.

Run the following command to obtain the user home directory skeleton:

• For OpenSSH server:

  $ bin/map-user -export /test.gpe.intel.com/user -dir user-home -f openssh

• For F-Secure SSH server:

  $ bin/map-user -export /test.gpe.intel.com/user -dir user-home

The directory user-home will contain the following files:

• For OpenSSH server:

  • .ssh/
  • .ssh/authorized_keys
  • .ssh/id_rsa.pub

• For F-Secure SSH server:

  • .ssh2/
  • .ssh2/authorization
  • .ssh2/id_rsa_2048.pub

If you don't have yet any SSH configuration you can simply copy the obtained .ssh or .ssh2 directory to the target user home directory. Otherwise you may wish not to break the existing settings. In such case:

• For OpenSSH server:

  $ cat user-home/.ssh/authorized_keys >> user-home/.ssh/authorized_keys

• For F-Secure SSH server:

  $ cp user-home/.ssh2/id_rsa_2048.pub user-home/.ssh2/id_rsa_2048_ICT.pub
  $ echo Key id_rsa_2048_ICT.pub >> ~globus/.ssh2/authorization

To remove the mapping use the following command:

$ bin/map-user -remove /test.gpe.intel.com/user

Another way to set up user's SSH configuration is to create a setup script. Run the command like:

$ bin/update-users -account /test.gpe.intel.com/user

You'll obtain a script in the current directory. You can run the script to update the user SSH configuration at all the machines registered in the GPE registry.

6 Managing target systems

Before creating target systems you should make sure that the VO administrator (usually voadmin) account can be mapped to any real user. See VO user management for this (the attribute set will be /test.gpe.intel.com/admin).

Run the following command to create a target system:

$ bin/grid-manage -create some.host.intel.com

You will be required to input some configuration settings as follows:

Target System name [some.host.intel.com]
OS Profile name (ict-linux) [ict-linux]
CPU architecture (x86_64|ia64|x86_32) [x86_64]
Number of CPUs per one node [4]
Individual processor speed (MHz) [3200.319]
Individual node memory (kB) [4034968]
Total node count [1]
The OS type (LINUX|Windows_XP|Solaris) [LINUX]
The OS version [suse9]
Available interconnect (Ethernet|Myrinet|-) [Ethernet]
Available interconnect (Myrinet|-) [Myrinet] -
Cluster node list file (mpd.hosts) [/var/tmp/gpe/mpd.some.host.intel.com.hosts]
Make this target system a STORAGE one? (yn) [n]

The strings in parenthesis are the possible options. The strings in brackets are the default answers.

After creating the target system the scripts for updating the users' SSH configurations at the cluster machines will be created for each user account (see VO user management). The scripts will be placed in the current directory.

Run the following command to list the available target systems:

$ bin/grid-manage -list

Run the following command to destroy the target system:

$ bin/grid-manage -destroy target_system_name

Run the following command to update the target system:

$ bin/grid-manage -update target_system_name

The target system properties will be re-queried from the target system.

For the submitted jobs the target system creates working directories at the working directory location specified in the OS profile. The working directory location must be an existing directory with the permission mask of 0777 (i.e. accessible for reading and writing for everyone).

7 Adding more containers to the grid

To install the container and the GPE services run the following commands:

$ bin/install-container
$ bin/install-gpe-services

Now you are about to create the container credentials. You should obtain the PEM-encoded private key and certificate for the container. The private key should not be password protected (password must be empty). The subject of the certificate should contain the common name (CN) of the form:

host/full-host-name

E.g.: CN=host/some.server.intel.com

If you have installed somewhere the GPE Simple CA tool you can obtain the server credentials with:

$ bin/ca-tool -kstype pem \
        -subj "CN=host/some.server.intel.com" \
        -out container-creds

You will obtain the directory container-creds with the files:

• key.pem - the private key
• cert.pem - the signed certificate

Installing the container credentials. Run the following command:

$ bin/set-container-credentials key_file cert_file

Installing the trusted CA certificate. Run the following command:

$ bin/set-trusted-certificates trusted_cert

GPE Simple CA tool certificate is stored in the file creds/ca/ca_cert.pem.

Installing the trusted VO certificate. The VO certificate is the VOCS issuer certificate (see VO user management). Run the following command:

$ bin/set-vo-certificates vo_cert

The GPE VO certificate can be usually found at the directory creds/admin at the primary container.

Installing the Grid manage tool. Run the following command:

$ bin/install-grid-manage

You will have to provide "no" (n) answers for requests of using the local services. Provide the service URLs pointing to the primary container (the locations of the actual services of your grid).

8 GPE4GTK services configuration

Additional services configuration may be performed manually by editing the corresponding jndi-config.xml and server-config.wsdd files:

8.1 Resource security configurations

Each GPE4GTK resource implements the authorization process. This process involves one PIP and several PDPs depending on the type of the resource (see below). PIP extracts the VO attributes assigned to the client from the connection properties. PDPs are used for matching the extracted attributes with the configured values. The attributes are stored within an Attribute Certificate extension of the proxy certificate. This AC is signed by the central VOCS entity. Before the attributes are processed the signature should be verified. The certificates of trusted VOCS entities are stored in the directory that is specified by the parameter authz-issuers.

There are 2 types of resource security configurations available:

• private resource - can be accessible by container administrators and by the VO members those created these resources
• shared resource - can be accessible by all VO members

The VO members and container administrators can be identified by their VO attributes. The global server-config.wsdd configuration file contains both parameters (ws-core-4.0.3/etc/globus_wsrf_core/server-config.wsdd):

8.2 JNDI configuration

8.2.1 General structure

The JNDI configuration file consists of service elements which in turn consist of resource elements. The available configuration options are listed below.

8.2.2 BrokerService

The configuration of the Broker Service. The resource configuration requires the following configurable parameters:

8.2.3 PrivateBrokerFactoryService

The configuration of the Privtae Broker Factory. This factory creates private broker resources. The resource configuration requires the following configurable parameters:

8.2.4 SSHTargetSystemFactoryService

The configuration of the Atomic Target System Factory. This service creates shared target system resources those access the physical machines via SSH connections. The resource configuration requires the following configurable parameters:

8.2.5 TargetSystemService

The configuration of the Atomic Target System Service. The resource configuration requires the following configurable parameters:

8.2.6 JobManagementService

The configuration of the Atomic Job Management Service. The resource configuration requires the following configurable parameters:

8.2.7 StorageManagementService

The configuration of the Storage Management Service. The resource configuration requires the following configurable parameters:

But additional resources may be specified to configure the available file transfer protocols (one per protocol). Each of the resources has the following form:

 <resource name="protocol-name"
           type="com.intel.gpe.services.gtk4.fts.TransferConfiguration">
     <resourceParams>
         <parameter>
             <name>factory</name>
             <value>org.globus.wsrf.jndi.BeanFactory</value>
         </parameter>
         <parameter>
             <name>servicePath</name>
             <value>service</value>
         </parameter>
         <parameter>
             <name>resourceCreator</name>
             <value>java-class-for-creating-the-resource</value>
         </parameter>
     </resourceParams>
 </resource>

The parameters are as follows:

8.2.8 File Transfer Services (RandomByteIOService, SFTPFileTransferService,...)

The configuration of the custom File Transfer Service. The resource configuration requires the following configurable parameters:

8.2.9 PrivateGridletTargetSystemFactoryService

The configuration of the Gridlet Target System Factory. The service creates private gridlet target systems. The resource configuration requires the following configurable parameters:

8.2.10 GridletTargetSystemService

The configuration of the Gridlet Target System Service. The resource configuration requires the following configurable parameters:

8.2.11 GridletJobManagementService

The configuration of the Gridlet Job Management Service. The resource configuration requires the following configurable parameters:

8.2.12 RegistryService

The configuration of the Registry Service. The resource configuration requires the following configurable parameters:

8.2.13 RegistryEntryService

The configuration of the Registry Entry Service doesn't require any additional parameters.

8.2.14 OSProfileRepositoryService

The configuration of the OS Profile Respository Service. The resource profileManager corresponds to the used profile manager. The default profile manager is com.intel.gpe.osprs.data.SimpleOSProfileManager. If you wish to change the used profile manager you need to edit the attribute type of the resource element. The default profile manager requires the following configurable parameters:

8.2.15 VirtualOrganizationCredentialService

The configuration of the Virtual Organization Credential Service. The resource configuration requires the following configurable parameters:

8.2.16 SSHCredentialService

The configuration of the SSH-based User Profile Respository Service. The resource configuration requires for following configurable parameters:

The resource profileManager corresponds to the used profile manager. The default profile manager is com.intel.gpe.uprs.ssh.data.SimpleSSHUserProfileManager. If you wish to change the used profile manager you need to edit the attribute type of the resource element. The default profile manager requires the following configurable parameters:

8.2.17 GridBeanService

The configuration of the GridBean Service. The resource configuration requires the following configurable parameters:

The GridBean Service will look for available GridBeans in this directory. If the path is relative it will be appended to the Globus container working directory. As examples we provide several gridbeans that are described in the client documentation. If you want to add your own gridbean to the service simply place the corresponding Jar archive in this directory. The GridBean file name must end with GridBean.jar.