Glexec installation

The glexec version should come from certified patch 1985, which gives the following version:

glexec

  • glite-security-glexec-0.5.33-1.slc4.i386.rpm

LCAS & LCMAPS

Install the following set of RPMs from the certified patch number 1830:

LCAS

  • glite-security-lcas-1.3.7-2.slc4.i386.rpm
  • glite-security-lcas-interface-1.3.6-3.slc4.i386.rpm
  • glite-security-lcas-plugins-basic-1.3.2-3.slc4.i386.rpm
  • glite-security-lcas-plugins-voms-1.3.4-5.slc4.i386.rpm
  • glite-security-lcas-plugins-check-executable-1.2.1-3.slc4.i386.rpm

LCMAPS

  • glite-security-lcmaps-1.4.3-4.slc4.i386.rpm
  • glite-security-lcmaps-plugins-voms-1.3.7-5.slc4.i386.rpm
  • glite-security-lcmaps-plugins-verify-proxy-1.3.2-1.slc4.i386.rpm
  • glite-security-lcmaps-plugins-basic-1.3.8-2.slc4.i386.rpm
  • glite-security-lcas-lcmaps-gt4-interface-0.0.14-2.slc4.i386.rpm (CE only!)

Location of the gridmapdir and grid-mapfile

Create an NFS export on which to put the gridmapdir and grid-mapfile. This should be mounted on each worker node as /etc/grid-security/, and this is where the gridmapdir and grid-mapfile pool account information will be placed. Centralizing these files within a site (i.e. through NFS) keeps the information consistent across the worker nodes. The mappings are cached (by LCMAPS?), and when a job enters the site with a previously-used proxy the previous mapping is recalled.

Note

The NFS export is not mandatory, but if these files are deployed on a per-worker-node basis then any changes need to be propagated to all "N" worker nodes simultaneously. If this is not done, the following situation could arise:

  • A job belonging to "JohnDoe" arrives on Worker Node 1 (WN1) and is mapped to pool001 on WN1.
  • A job belonging to "JaneDoe" arrives on WN2 and is mapped to pool001 on WN2.
  • A job belonging to "JohnDoe" arrives on WN2 and is mapped to pool002 on WN2.

This may cause problems in a shared file system cluster, as JohnDoe as pool002 may now not be able to access data in the pool001 directories. Or worse, JohnDoe as pool002 may be able to overwrite JaneDoe's files.
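The situation in the note above, replayed as an added example (not part of the original page and not gLite code): a simplified model of per-node versus shared mapping state, with a check that reports users split across accounts and accounts shared between users. The `LeaseStore` class, the first-free allocation rule and the pool names are assumptions for illustration; the real mapping is done by LCMAPS.

```python
from collections import defaultdict

POOL = ["pool001", "pool002", "pool003"]  # constructed pool account names


class LeaseStore:
    """Simplified model of one copy of the mapping state: user -> pool account."""

    def __init__(self):
        self.leases = {}

    def map_user(self, user):
        # A previously seen user gets the previous mapping back.
        if user in self.leases:
            return self.leases[user]
        taken = set(self.leases.values())
        account = next((a for a in POOL if a not in taken), None)  # first free
        if account is None:
            raise RuntimeError("pool exhausted")
        self.leases[user] = account
        return account


def run_jobs(jobs, stores):
    """jobs: (user, node) pairs in arrival order; stores: node -> LeaseStore."""
    for user, node in jobs:
        stores[node].map_user(user)


def find_drift(stores):
    """Return (users mapped to >1 account, accounts held by >1 user) site-wide."""
    by_user, by_account = defaultdict(set), defaultdict(set)
    for store in stores.values():
        for user, account in store.leases.items():
            by_user[user].add(account)
            by_account[account].add(user)
    split_users = {u: sorted(a) for u, a in by_user.items() if len(a) > 1}
    shared_accounts = {a: sorted(u) for a, u in by_account.items() if len(u) > 1}
    return split_users, shared_accounts


# Arrival order from the note above (constructed input).
JOBS = [("JohnDoe", "WN1"), ("JaneDoe", "WN2"), ("JohnDoe", "WN2")]

per_node = {"WN1": LeaseStore(), "WN2": LeaseStore()}  # one copy per worker node
run_jobs(JOBS, per_node)

central = LeaseStore()                                 # one shared, NFS-style copy
shared = {"WN1": central, "WN2": central}
run_jobs(JOBS, shared)

if __name__ == "__main__":
    print("per-node copies:", find_drift(per_node))
    print("shared copy:    ", find_drift(shared))
```

With per-node copies the check flags both problems from the note; with the single shared copy it reports nothing.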

Location of the gridmapdir and grid-mapfile

Let us continue with an NFS export which needs to be mounted on each worker node as '/etc/grid-security/'. In this directory the 'gridmapdir' and 'grid-mapfile' pool account information is created. The location of the 'gridmapdir' and 'grid-mapfile' can be changed in the configuration file for LCAS, as the plugin handling the pool accounts may accept a different location. For example:

Generic LCAS configuration file (lcas.db)

Install the following lcas.db at the location defined in glexec.conf (usually /opt/glite/etc/lcas/lcas.db). Where glexec is installed with the setuid bit enabled, the lcmaps.db file should be owned by root.root with file permissions 0644 or 0640. Where glexec is installed without the setuid bit enabled (= a regular executable), the lcas.db file should be owned by root.root with file permissions 0644.

pluginname=/opt/glite/lib/modules/lcas_userban.mod,pluginargs=ban_users.db

Create an empty file at /opt/glite/etc/lcas/ban_users.db.

A glexec configuration file for the default (CE) case.

A glexec configuration file for deployment on a WN.

A glexec configuration file for deployment on a WN with logging mode only enabled.

-- JohnWhite - 27 Jun 2008

Topic revision: r11 - 2008-08-20 - JohnWhite