
WLCG VOBOX deployment documentation

Functional description

The WLCG VOBOX is the successor of the gLite VOBOX and provides:

  • an EMI UI
  • a GSI-OpenSSH (gsisshd) service
  • a proxy renewal and VO agent service

The VOBOX is typically dedicated to a single VO, of which only certain privileged users (e.g. software managers, "sgm" users) are given access through GSI-OpenSSH, while only the site admins have root access. The privileged users can register proxies to be regularly renewed by the proxy renewal service. The same service can also be used to start (stop) VO daemons automatically at boot (shutdown) time. The VO daemons can use EMI UI functionalities as needed. The proxy renewal service relies on the VOBOX host DN being recognized as an authorized renewer by the MyProxy server that was specified when a particular proxy was registered (by default $MYPROXY_SERVER).

Changes from gLite to WLCG VOBOX

  • paths have been made compliant with the Filesystem Hierarchy Standard (FHS)
    • /var/lib/vobox instead of /opt/vobox
      • a symlink could be created as needed
    • commands are located in /usr/bin, libraries in /usr/lib64 etc.
  • no resource BDII

Upgrade instructions

Upgrading an existing gLite VOBOX is not explicitly supported, but various ALICE sites have managed as follows:

  • stop the running services
  • remove all gLite 3.2 VOBOX rpms
  • remove gLite repositories from /etc/yum.repos.d
  • apply further steps as detailed below

Such an upgrade will leave stale files and directories behind, which might interfere with the usage of the VOBOX later on. It is generally cleaner to (re)install the VOBOX from scratch. In that case, please contact the affected VO(s) to arrange a convenient timeline.

Installation instructions

We assume the machine already has a basic SL5- or SL6-compatible setup and a host certificate. Then:

  • yum install yum-priorities yum-protectbase

The EMI UI can be taken either directly from EMI or from the EGI UMD:

  • EMI-3 SL6
       rpm -Uvh http://emisoft.web.cern.ch/emisoft/dist/EMI/3/sl6/x86_64/base/emi-release-3.0.0-2.el6.noarch.rpm
       

  • EMI-3 SL5
       rpm -Uvh http://emisoft.web.cern.ch/emisoft/dist/EMI/3/sl5/x86_64/base/emi-release-3.0.0-2.el5.noarch.rpm
       

  • UMD-3 SL6
       rpm -Uvh http://repository.egi.eu/sw/production/umd/3/sl6/x86_64/updates/umd-release-3.0.1-1.el6.noarch.rpm
       

  • UMD-3 SL5
       rpm -Uvh http://repository.egi.eu/sw/production/umd/3/sl5/x86_64/updates/umd-release-3.0.1-1.el5.noarch.rpm
       

Note: older versions are unsupported and do not work with RFC proxies created from SHA-2 certificates.

Install the WLCG repo rpm (recommended since 2015) or just the WLCG VOBOX repo file from the EGI AppDB:

  • WLCG SL6
       rpm -Uvh http://linuxsoft.cern.ch/wlcg/sl6/x86_64/wlcg-repo-1.0.0-1.el6.noarch.rpm
       

  • WLCG SL5
       rpm -Uvh http://linuxsoft.cern.ch/wlcg/sl5/x86_64/wlcg-repo-1.0.0-1.el5.noarch.rpm
       

  • EGI AppDB SL6
       wget -O /etc/yum.repos.d/wlcg-vobox.repo \
       http://repository.egi.eu/community/software/wlcg-vobox/1.x/releases/repofiles/sl-6-x86_64.repo
       

  • EGI AppDB SL5
       wget -O /etc/yum.repos.d/wlcg-vobox.repo \
       http://repository.egi.eu/community/software/wlcg-vobox/1.x/releases/repofiles/sl-5-x86_64.repo
       

Install the WLCG VOBOX meta package:

  • yum install wlcg-vobox

If many dependencies cannot be resolved, ensure the epel repository is enabled.

Ensure the Certificate Authorities are installed as well.

Beware that HEP_OSlibs_SL6 from the WLCG repository may also be required, e.g. for an ALICE VOBOX.

Next the VOBOX needs to be configured with YAIM:

  • example site-info.def
    #############################################################################
    GROUPS_CONF=/root/groups.conf
    USERS_CONF=/root/users.conf
    
    SITE_NAME=MY-SITE
    
    VOBOX_HOST=`hostname -f`
    WMS_HOST=some-wms.some-domain
    PX_HOST=myproxy.cern.ch
    BDII_HOST=lcg-bdii.cern.ch
    
    SE_LIST=my-se.my-domain
    
    VOS="alice"
    
    VO_ALICE_SW_DIR=.   # a dot value means YAIM should skip it (CVMFS is used instead)
    VO_ALICE_DEFAULT_SE=my-se.my-domain
    VO_ALICE_VOMS_SERVERS="\
    'vomss://lcg-voms2.cern.ch:8443/voms/alice?/alice/' \
    'vomss://voms2.cern.ch:8443/voms/alice?/alice/' \
    "
    VO_ALICE_VOMSES="\
    'alice lcg-voms2.cern.ch 15000 \
    /DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch alice 24' \
    'alice voms2.cern.ch 15000 \
    /DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch alice 24' \
    "
    VO_ALICE_VOMS_CA_DN="\
    '/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
    '/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
    "
    #############################################################################
       

  • example groups.conf
    "/alice/ROLE=lcgadmin":::sgm:
       

  • example users.conf
    60101:sgmali01:1397,1395:alicesgm,alice:alice:sgm
       

  • example YAIM command
    /opt/glite/yaim/bin/yaim -c -s site-info.def -n VOBOX
       

Finally, ensure port 1975 is open for remote access to the GSI-OpenSSH service.

Topic revision: r14 - 2015-03-05 - MaartenLitmaath
 