VOMS Service Intervention Information

First of all, please have a look at ServiceInterventions.

VOMS Service interruption announcement template

Publish on the CIC portal with the following options:

News on cic.gridops.org: YES

Email to:

ROC managers,
VO managers of ALICE, ATLAS, CMS, LHCb, DTEAM, Geant4 and OPS only!!,
VO users of ALICE, ATLAS, CMS only!!,
Production and PPS Site Admins *only if gridmap file generation is affected!!*

Add the OSG contacts goc@opensciencegridNOSPAMPLEASE.org and rquick@iuNOSPAMPLEASE.edu in copy on the CIC portal. NB!! There is no such button on the broadcast form!!

Title: DATE TIME TIMEZONE scheduled interruption of the CERN vomrs and voms services

Text: All voms and vomrs services (registration, gridmap file update and proxies) will not be accessible
during DATE TIME TIMEZONE. Reason: TYPE THE REASON HERE.

This applies to VOname = ALICE, ATLAS, CMS, LHCb, DTEAM, OPS, Sixt, Unosat, Geant4

Please contact project-lcg-vo-dteam-admin@cernNOSPAMPLEASE.ch in case of problems.

Thank you for your understanding.

Steps for an intervention on lcg-voms.cern.ch (voms102,voms103)

Normally, such an intervention must be completely transparent for users, because one of the 2 machines is always up.
So, is it necessary to make announcements via broadcasts (by GMOD)?

Steps to follow :

  • Identify the slave
  • Be sure that Lemon alarms are disabled by putting the machine into maintenance state with the SMS tool (use the website or follow the instructions in the next paragraph)
  • Do intervention on the slave only: eg. reinstallation (see corresponding paragraph below)
  • Check that all is ok
    • Verify global environment variables (TNS_ADMIN, Java-related, catalina-related, ...)
  • Put the machine into production state with SMS tool
  • Manually do the switch between the slave and the master
  • Be sure that Lemon alarms are disabled by putting the machine into maintenance state with the SMS tool (use the website or follow the instructions in the next paragraph)
  • Do intervention on the slave (only)
  • Check that all is ok
  • Put the machine into production state with SMS tool

Use of SMS tool from lxdm[01-03]

To put a node in maintenance mode :

sms set maintenance other 'the reason' <nodes>

To put back a node in production mode :

sms set production other 'the reason' <nodes>

Steps to keep VOMRS configuration after a reinstallation (according to Lanxin Ma)

Before scratching the host, the following files and directories have to be backed up somewhere :

  • /opt/vomrs-1-3/var/etc/*
  • /opt/vomrs-1-3/etc/profile.d/vomrs.sh
  • /var/lib/tomcat5/conf/Catalina/localhost/vomrs_*.xml

Once the host is reinstalled, you have to :

  • Copy back the files/directories mentioned above
  • chown tomcat:tomcat /opt/vomrs-1.3/var/etc/vomrs_*/vomrs.xml
  • mkdir /var/log/vomrs

After these steps are done, VOMRS can be started !

To reinstall a node

Requirements : lxadm account, Access to upload ks files for voms10[1-3].ks

Note : All things are done from a lxadm node (lxadm[01-03]).

PrepareInstall -v <node>
wassh root@<node> "/afs/cern.ch/project/linux/redhat/kickstart/bin/kickstart-me -f -e link -a i386 slc308 ; shutdown -r now"

It is possible to cancel reinstallation after doing 'PrepareInstall', but before rebooting the node with :
/afs/cern.ch/project/linux/redhat/kickstart/bin/aims pxeoff <node>

You can check if pxe is enabled or not with :
/afs/cern.ch/project/linux/redhat/kickstart/bin/aims show <node>

When the installation is done (be patient, it can take about 30 min), if you are in CDB as an authorized user, you should be able to log in as root with your AFS ticket. If not, destroy your AFS ticket, recreate it, and try again. If you are still unable to log in, either you are not in the authorized user list in CDB, or the installation is not finished yet.

All voms10{1-3} nodes use TSM to back up files. So, remember to configure the TSM password before putting nodes back in production mode, otherwise Lemon alarms will be raised. To do that, you just have to run the following command : ' dsmc -i '
For username, just press enter (hostname is the default value).
Enter the password, and then it will take minutes.

To use a new certificate for VOM(R)S servers

The new certificate must be in PEM format, with separate files for the certificate and the private key, named hostcert.pem and hostkey.pem.

Then the following steps must be done :

  • Add the new certificate into the lcg-vomscerts package (without removing the old one, to have a smoother transition)
  • If the DN is modified, make (several) official announcements, to remind users and site admins to modify their configuration files with the new DN.
  • On the date the certificate change must be done, the new certificate files must be copied to the 2 following directories :
    • /etc/grid-security/
    • /usr/share/tomcat5/.certs
  • Finally, VOMS/VOMS-Admin/VOMRS/tomcat must be restarted in order to use the new certificate.
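
A pre-deployment check for the steps above, as an added example that is not part of the original page: it verifies that the new hostcert.pem is PEM, that hostkey.pem belongs to it, and whether the DN changes compared with the certificate currently in use. The function names and the key-permission check are assumptions of this example.

```sh
#!/bin/sh
# Added example: checks on a new hostcert.pem/hostkey.pem pair before it is
# copied into place. Function names are hypothetical; openssl calls are standard.

# Succeeds if the file is a PEM-encoded X.509 certificate (not DER/PKCS#12).
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# Succeeds if the private key in $2 belongs to the certificate in $1,
# by comparing the public key derived from each. An encrypted key fails
# instead of prompting, since a service key must load unattended.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints the subject DN of a certificate.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Succeeds if the DN differs between the current ($1) and new ($2) certificate,
# which is the case that requires the announcements described above.
dn_changed() {
    [ "$(cert_subject "$1")" != "$(cert_subject "$2")" ]
}

# Succeeds if the key file grants nothing to group or other (assumption:
# the usual grid convention for hostkey.pem, not stated on this page).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: check_new_cert <current hostcert.pem> <new hostcert.pem> <new hostkey.pem>
check_new_cert() {
    is_pem_cert "$1" || { echo "FAIL: $1 is not a PEM certificate"; return 1; }
    is_pem_cert "$2" || { echo "FAIL: $2 is not a PEM certificate"; return 1; }
    cert_matches_key "$2" "$3" || { echo "FAIL: $3 does not match $2"; return 1; }
    key_is_private "$3" || { echo "FAIL: $3 is readable by group/other"; return 1; }
    if dn_changed "$1" "$2"; then
        echo "NOTE: DN changes to: $(cert_subject "$2")"
    fi
    echo "OK: new certificate and key are consistent"
}

if [ "$#" -eq 3 ]; then check_new_cert "$@"; fi
```

Run it with the certificate currently in use as the first argument; a NOTE line means the DN differs and the announcement step applies.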

In case of a new certificate for the VOMRS server, with a different DN and/or CA, please do as explained here :

-- Main.rmollon - 21 Mar 2007

Topic revision: r16 - 2008-03-18 - RemiMollon
 