WLCG VOBOX deployment documentation

Functional description

The WLCG VOBOX is a grid service that provides:

  • a grid UI
  • a GSI-OpenSSH (gsisshd) service
  • a proxy renewal and VO agent service

The VOBOX typically is dedicated to a single VO; only certain privileged users of that VO (e.g. software managers, "sgm" users) are given access through GSI-OpenSSH, while only the site admins have root access. The privileged users can register proxies to be regularly renewed by the proxy renewal service. The same service can also be used to start (stop) VO daemons automatically at boot (shutdown) time. The VO daemons can use grid UI functionalities as needed. The proxy renewal service relies on the VOBOX host DN being recognized as an authorized renewer by the MyProxy server that was specified when a particular proxy was registered (by default $MYPROXY_SERVER).

Installation instructions

We assume the machine already has a basic OS setup compatible with CentOS/EL7,
as well as a host certificate and key ready to be installed as /etc/grid-security/host{cert,key}.pem
(mind the key file needs to have mode 400 or 600).

The grid UI should be taken from the EGI UMD:

  • UMD 4 - CentOS7
    yum install http://repository.egi.eu/sw/production/umd/4/centos7/x86_64/updates/umd-release-4.1.3-1.el7.centos.noarch.rpm

Install the WLCG repo rpm:

  • WLCG CentOS7
    yum install http://linuxsoft.cern.ch/wlcg/centos7/x86_64/wlcg-repo-1.0.0-1.el7.noarch.rpm

Install the WLCG VOBOX meta package:

  • yum install wlcg-vobox

If many dependencies cannot be resolved, ensure the EPEL repository is enabled.

The Certificate Authorities should get pulled in automatically via the grid UI.

If the host certificate and key were not yet installed as /etc/grid-security/host{cert,key}.pem,
please do that now (mind the key file needs to have mode 400 or 600).

Beware: CVMFS and/or HEP_OSlibs from the WLCG repository may also be required, e.g. for an ALICE VOBOX.

Next, the VOBOX can be configured with YAIM:

  • example site-info.def
    #############################################################################
    GROUPS_CONF=/root/groups.conf
    USERS_CONF=/root/users.conf
    
    SITE_NAME=MY-SITE
    
    VOBOX_HOST=`hostname -f`
    WMS_HOST=required.but.unused
    PX_HOST=myproxy.cern.ch
    BDII_HOST=lcg-bdii.cern.ch
    
    SE_LIST=my-se.my-domain   # required, but unused on an ALICE VOBOX
    
    VOS="alice"
    
    VO_ALICE_SW_DIR=.   # a dot value means YAIM should skip it (CVMFS is used instead)
    VO_ALICE_DEFAULT_SE=my-se.my-domain   # required, but unused on an ALICE VOBOX
    VO_ALICE_VOMS_SERVERS="\
    'vomss://lcg-voms2.cern.ch:8443/voms/alice?/alice/' \
    'vomss://voms2.cern.ch:8443/voms/alice?/alice/' \
    "
    VO_ALICE_VOMSES="\
    'alice lcg-voms2.cern.ch 15000 \
    /DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch alice 24' \
    'alice voms2.cern.ch 15000 \
    /DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch alice 24' \
    "
    VO_ALICE_VOMS_CA_DN="\
    '/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
    '/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
    "
    #############################################################################

  • example groups.conf
    "/alice/ROLE=lcgadmin":::sgm:

  • example users.conf
    60101:sgmali01:1397,1395:alicesgm,alice:alice:sgm

  • example YAIM command
    /opt/glite/yaim/bin/yaim -c -s site-info.def -n VOBOX

Finally, ensure port 1975 is open for remote access to the GSI-OpenSSH service.

NOTE: gsissh may prompt for a password if the SELinux context of the host certificate or key is incorrect.
To fix that, run this command:

      chcon -v --type=etc_t /etc/grid-security/host*.pem
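The host-level requirements this page states (key file mode 400 or 600, SELinux type etc_t on host*.pem, a gsisshd listener on port 1975) collected into a POSIX shell pre-flight script. This is an added example, not part of the wlcg-vobox packages or YAIM; it assumes GNU stat for the SELinux context and iproute2 ss for the listener check, and skips those two checks where the tools are absent.

```shell
#!/bin/sh
# Pre-flight checks for a WLCG VOBOX host against what this page requires:
# host cert/key in /etc/grid-security with key mode 400 or 600, SELinux type
# etc_t on host*.pem, gsisshd on port 1975. Added example, not wlcg-vobox/YAIM code.
GRID_SEC=${GRID_SEC:-/etc/grid-security}   # overridable for testing
GSISSH_PORT=${GSISSH_PORT:-1975}

# 0 when FILE exists with mode exactly 400 or 600. Parses `ls -ld` (POSIX);
# column 11 (ACL '+' or SELinux '.') is deliberately ignored.
check_key_mode() {
  f=$1
  [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
  perm=$(ls -ld "$f" | cut -c1-10)
  case "$perm" in
    -r--------|-rw-------) echo "OK       $f mode $perm"; return 0 ;;
    *) echo "BAD MODE $f is $perm (need 400 or 600)"; return 1 ;;
  esac
}

# 0 when the SELinux type of FILE is etc_t (what the chcon above sets), or when
# SELinux is absent or disabled (nothing to check). Assumes GNU stat for %C.
check_selinux_type() {
  f=$1
  command -v getenforce >/dev/null 2>&1 || { echo "SKIP     no SELinux"; return 0; }
  [ "$(getenforce)" = "Disabled" ] && { echo "SKIP     SELinux disabled"; return 0; }
  ctx=$(stat -c %C "$f" 2>/dev/null) || { echo "MISSING  $f"; return 1; }
  case "$ctx" in
    *:etc_t:*) echo "OK       $f context $ctx"; return 0 ;;
    *) echo "BAD CTX  $f is $ctx; fix: chcon -v --type=etc_t $f"; return 1 ;;
  esac
}

# 0 when a TCP listener is bound to GSISSH_PORT. Assumes iproute2 ss(8).
check_gsisshd_port() {
  command -v ss >/dev/null 2>&1 || { echo "SKIP     ss not found"; return 0; }
  if ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${GSISSH_PORT}\$"; then
    echo "OK       tcp/$GSISSH_PORT has a listener"; return 0
  fi
  echo "NO LISTENER on tcp/$GSISSH_PORT (is gsisshd running?)"; return 1
}

# Run all checks; non-zero status if any failed. Usage: sh vobox_preflight.sh run
run_vobox_preflight() {
  rc=0
  check_key_mode "$GRID_SEC/hostkey.pem" || rc=1
  for f in "$GRID_SEC"/host*.pem; do check_selinux_type "$f" || rc=1; done
  check_gsisshd_port || rc=1
  return $rc
}
if [ "${1:-}" = run ]; then run_vobox_preflight; fi
```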
Topic revision: r22 - 2021-12-29 - MaartenLitmaath