ITB Release 0.1.6
Summary of this Release
This page provides a general overview of the OSG release candidate 0.1.6, to be deployed on the OSG Integration Testbed (ITB). We expect this release will likely be picked up by the OSG Provisioning Activity for large scale deployment (at least we hope so).
- Guides for site and VO administrators are provided below.
- This release of the ITB will incorporate major changes in the VDT %OSG_ITB_VDT_VERSION6%
- VO services should be registered using the VO registration procedure.
- A new MIS-CI release, version 0.2.6RC2, is included.
- Generic Information Providers (GIP) from LCG
Release version indicator
We are tracking non-critical updates using a "-Number" release designation. On a resource the output of the command
$ $VDT_LOCATION/osg-version
is used to indicate the specific version of OSG installed.
Validation
Descriptions of validation exercises of both applications and services using ITB release 0.1.6.
- Validation documentation located at ValidationPageRel01 is currently shared with previous ITB releases.
Known Problems
Please put your name and the date next to your item. Green items are thought to be corrected. Also include a resolution or work-around (if available) with your name and date.
PRIMA Authorization (PRIMA-GUMS-VOMS) Issues
- Service/host (e.g. CN of certificate is CN=service/host.site.com) problem in PRIMA/GUMS. See ServiceHostCertGumsProblem for details.
Work Around: In the wildcard attribute of the hostGroup element of the gums.config file, force GUMS to match on the service part of the DN. In the example below, this is the word 'host'. The caveat here is that any gatekeeper node requesting authorization will be allowed access.
e.g. wildcard="*.fnal.gov,host", will match on all fnal.gov requests and any from 'host'.
(GabrieleCarcassi - 4/29/2005)
Resolution: Will be fixed in GUMS 1.1.0, which will be in VDT 1.3.7 - per Gabriele Carcassi
(JohnWeigand - 5/31/05)
- VOs and subgroups containing an underscore character (e.g. ppd_theory) are not being accepted by GUMS. The problem was identified when GUMS was retrieving members for a VO called ppd_astro. (JohnWeigand - 6/1/05)
Work-around: The only sites currently using an underscore in the VO name/group are in the fermigrid environment and they have agreed to change the names. Consistency in validation of all elements of an FQAN (VO/group/subgroup/role) across VOMRS/VOMS/GUMS is still required to fully resolve the issue.
JohnWeigand - 03 Jun 2005
Resolution: Still under review by Gabriele Carcassi.
Symptom: The retrieval from the VOMS server for the ppd_astro VO was successful, but GUMS failed to update its database with the following error in the gums-service-admin.log:
31 May 2005 21:02:34,268 [WARN ]: VOMSGroup:
https://voms.fnal.gov:8443/edg-voms-admin/ppd_astro/services/VOMSAdmin -
voGroup='/ppd_astro' - voRole='null' - sslCAFiles='null'
sslCertfile='/etc/grid-security/http/httpcert.pem'
sslKey='/etc/grid-security/http/httpkey.pem'
sslKeyPasswd=[not set] wasn't updated successfully:
Couldn't retrieve users from VOMS server: FQAN '/ppd_astro' is malformed
(syntax: /VO[/group[/subgroup(s)]][/Role=role][/Capability=cap])]
- Need policy instructions on minimal GUMS config (Steve Timm). Minimal GUMS config is included in the gums-service package now and instructions are available. Anne Heavey working on this May 20, 2005. Dan Yocum contacting VOs for policy. Plan is also to have a minimal default configuration for folks who do not reply.
Partial resolution: Anne H provided instructions in GumsConfigStepByStep, but hasn't addressed policy issues (5/27/05).
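The underscore FQAN failure reported above, as an added example that is not GUMS or VOMS code: a parser for the syntax quoted in the log message, built with two name policies to show how components that validate names differently accept and reject the same FQAN. Both character classes, the component labels and the "examplevo" sample names are assumptions; the page does not give the patterns the real services use.

```python
import re

# Assumed name policies; the page does not show the patterns GUMS or VOMS use.
STRICT = r"[A-Za-z0-9][A-Za-z0-9.\-]*"       # underscore rejected
PERMISSIVE = r"[A-Za-z0-9][A-Za-z0-9._\-]*"  # underscore accepted

def make_fqan_parser(name):
    """Build a parser for /VO[/group[/subgroup(s)]][/Role=role][/Capability=cap]."""
    pattern = re.compile(
        rf"/(?P<vo>{name})"
        rf"(?P<groups>(?:/{name})*)"
        rf"(?:/Role=(?P<role>{name}))?"
        rf"(?:/Capability=(?P<cap>{name}))?"
    )

    def parse(fqan):
        # fullmatch, so a trailing newline or stray suffix is not silently accepted
        m = pattern.fullmatch(fqan)
        if m is None:
            raise ValueError(f"FQAN {fqan!r} is malformed")
        return {
            "vo": m.group("vo"),
            "groups": [g for g in m.group("groups").split("/") if g],
            "role": m.group("role"),
            "capability": m.group("cap"),
        }
    return parse

def accepts(parse, fqan):
    try:
        parse(fqan)
        return True
    except ValueError:
        return False

def disagreements(fqans, parsers):
    """Map each FQAN the components disagree on to its per-component verdict."""
    report = {}
    for fqan in fqans:
        verdicts = {name: accepts(p, fqan) for name, p in parsers.items()}
        if len(set(verdicts.values())) > 1:
            report[fqan] = verdicts
    return report

# Hypothetical component labels; sample FQANs are constructed.
PARSERS = {"voms_like": make_fqan_parser(PERMISSIVE),
           "gums_like": make_fqan_parser(STRICT)}
SAMPLES = ["/ppd_astro", "/examplevo/ppd_theory/Role=NULL", "/examplevo/ppd/Role=admin"]
```

Running disagreements(SAMPLES, PARSERS) over the VO and group names a site actually publishes lists the names that one component would accept and another would refuse.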
VOMS Specific Issues
- In the VDT 1.3.6 VOMS cache the edg-crl-upgrade daemon package is missing. This should probably affect those installing VOMS for the first time or if another VDT package has been installed on the host and the crl_upgrade daemon is needed. To verify, check for VDT_LOCATION/edg/sbin/edg-crl-upgrade. You should also verify that it is set to start on boot by the existence of /etc/init.d/edg-crl-upgraded.
Work-around: Install the VDT EDG-CRL-Update cache. It can be installed without shutting down any other services.
Resolution: Will be added to the VDT 1.3.7 release. VDT ticket 619
JohnWeigand - 16 Jun 2005
GUMS Specific Issues
- In the VDT 1.3.6 GUMS cache the edg-crl-upgrade daemon package is missing. This should probably affect those installing VOMS for the first time or if another VDT package has been installed on the host and the crl_upgrade daemon is needed. To verify, check for VDT_LOCATION/edg/sbin/edg-crl-upgrade. You should also verify that it is set to start on boot by the existence of /etc/init.d/edg-crl-upgraded.
Work-around: Install the VDT EDG-CRL-Update cache. It can be installed without shutting down any other services.
Resolution: Will be added to the VDT 1.3.7 release. VDT ticket 619
JohnWeigand - 16 Jun 2005
VDT Installation Issues
- Conflict with PERL 32 bit libraries and 64 bit PERL on x86_64 machines.
Work Around: Put a 32 bit PERL first in the execution path before performing the pacman get. (Not yet reported as successfully done) (DaneSkow - 6/2/2005)
Work Around verification: Even after building the 32 bit PERL, and placing it in the execution path, pacman will still fail because most of the scripts, Globus in particular, have defined a default perl location of /usr/bin/perl. A second work around is to replace the location on the top of each string with /usr/bin/env perl. (ChristoperBaumbauer - 11/14/2005)
Resolution: VDT working on more persistent solution.
- GIP configuration wrapper $VDT_LOCATION/lcg/libexec/lcg-info-wrapper did not contain the full path to the configuration file. This prevented the general site configuration from showing up in the BDII server. I'm not sure if this is a general problem, or something that was specific to the CIT_CMS_OSG site installation.
Workaround: Edit the script and insert the full path to lcg-info-generic.conf (MichaelThomas - 10 Jun 2005)
Guides for Site Administrators
The SiteAdmins web describes how services listed below are installed, configured, and checked by the site administrators. This is where, for example, you'll find the "Core Middleware" or "Computing Element" installation instructions.
- To shut down services prior to the upgrade, see the OSGShutdownGuide.
- For a detailed step-by-step guide to the core installation procedures, see the OSGCEInstallGuide-0.1.6.
Guides for GUMS Administrators
The GumsAdmins topic describes how and why to use the Privilege software, GUMS. The broader context is outlined in PrivilegeSiteWhatToDo.
Guides for VO Administrators
The VoAdmins page provides information for VO administrators. There are also some pages specific to the authentication / authorization chain available:
The VO registration procedure should be used to communicate a VO level service to grid resources (sites/gatekeepers).
Pacman Recommendation
The installation instructions are based on PacmanInfo. For this release, we recommend Pacman 3.11.
OSG Compute Element (CE) Description
The OSG CE installation is done with the Pacman command
$ pacman -get iVDGL:osg-0.1.6
This delivers the following components:
- Root package: osg-0.1.6.pacman
- Depends on osg-auto-0.1.6.pacman which sets some default answers to VDT configuration questions. It also distributes the OSG Release Notes.
- VDTSETUP_AGREE_TO_LICENSES=y
- VDTSETUP_ENABLE_GATEKEEPER=y
- VDTSETUP_ENABLE_GRIDFTP=y
- VDTSETUP_ENABLE_GRIS=y
- VDTSETUP_GRIS_AUTH=y
- VDTSETUP_EDG_CRL_UPDATE=y
- VDTSETUP_ENABLE_GLOBUS_ROTATE=y
- VDTSETUP_INSTALL_CERTS=r
- VDTSETUP_EDG_MAKE_GRIDMAP=n
- Depends on VDT_136.pacman. Installed are three VDT packages:
- Depends on grid3-schema.pacman which installs the Globus MDS Grid3 schema.
- Dependent package: osg-grid3-info-prov.pacman which installs the Globus MDS Grid3 information providers.
- Dependent package: vo-0.1.6.pacman which installs the configuration script to retrieve VO information.
- Dependent package: MIS-CI.pacman which installs the current Monitoring Core Infrastructure described below.
VDT
We will use the %OSG_ITB_VDT_VERSION6% release of the VirtualDataToolkit, see the release notes.
Globus 4 gridftp
Included with VDT. The GridFTP page describes the service integration in detail.
Core MIS
Description of the CoreMIS infrastructure to be used, MIS-CI Version 0.2.6RC2.
The Core MIS will be configured by the configure_misci.sh script as a post installation step.
Grid Cat
Description of the GridCat site monitoring catalog to be used.
Generic Information Providers (GIP)
The GenericInformationProviders topic provides information about the scripts that allow OSG sites to be interoperable with LCG.
Grid Exerciser
Description of the GridEx service validation application.
MonALISA from VDT is used for this release.
Privilege and VO services infrastructure
Description of PrivilegeOSG options for this release. As of this release, the PRIMA interpretation of extended proxies has been fixed to match the VOMS usage. Use of PRIMA for role-based authorization decisions is supported as of this release.
The GUMS version should be 1.0.1 from VDT 1.3.6 and the VOMS Admin and VOMS Server should be installed from the VDT 1.3.6 to ensure correct functioning.
Discovery Service
Description of the ClarensDiscoveryService deployed in this release. Here are the DiscoveryServiceInstallation instructions.
The Discovery Service version 0.5.3 is deployed on a JClarens server version 0.5.3 for this ITB release. Installation of the Discovery Service is optional for the ITB.
Disk Resource Manager
- We are not recommending installation and use of the disk based storage resource manager, SRM-DRM.
- Stay tuned to DiskResourceManager for updates.
Site Verify
The SiteVerify package has its own web page (http://griddev.uchicago.edu/download/grid3/doc.pkg/WIP/site_verify_pl.html) for release documentation, but has been included in the pacman cache as of this release.
CMS Tier1 SE
The service is based on SRM-dCACHE and satisfies the SRM V1.1 interface, with additions for implicit space reservation.
CMSSrmdCache provides the readiness plan. The service will be available to all registered OSG VOs.
Using the SE requires an SRM V1.1 compatible client. This is available from VDT (as part of the DRM package) or from anonymous ftp to fnkits.fnal.gov://products/srmcp/v1_11/NULL (v1.12 almost available and should probably be the version deployed.)
[v1_15 has been announced by Timur on May 13. The recommended version may be the same, needs to be confirmed : Abhishek S R, 05/20/2005]
SRM DRM (Testing)
A disk based storage resource manager from the LBL group. Integration plan and associated activities are available at SrmDrm.
Major updates:
-- LeighGrund - 23 May 2005