Installing OSG Client

1 About This Document

hand This document is for grid users and system administrators. It covers the installation of the OSG Client Tools Package. This package is required on every host used by grid users to submit jobs, transfer data, or interact otherwise with the OSG. Note there is also a Worker Node Client that is not a valid substitute for this package. Likewise the OSG Client cannot replace the Worker Node Client in the batch jobs environment on Worker Node and Compute Element.

The OSG Cient Tools Package includes:

The osg_client use case is not really a well-defined use case any longer and is dropped from 3.3 series. But the different parts can still be obtained

This document does not cover the usage of the client tools. An introduction how to use the OSG can be found here. A more detailed description how to interact with a Compute Element is located here.

on on

2 Engineering Considerations

The OSG Client Tools Package is required on hosts used to submit jobs to the Open Science Grid. We recommend to install the OSG Client Tools on a dedicated job submission host for large scale job submissions to production resources on the OSG. We recommend to use a public IP address and a fully qualified domain name for shared job submission hosts.

3 Requirements

3.1 Host and OS

  • A host to install the OSG Client (pristine node). No grid host certificate is required.
  • OS is Red Hat Enterprise Linux 6, 7, and variants (see details...)
  • Root access

3.2 Certificates

To test and use the installation a valid grid user certificate is required.

3.3 Networking

For more details on overall Firewall configuration, please see our Firewall documentation.

Service Name Protocol Port Number Inbound Outbound Comment
GRAM callback tcp GLOBUS_TCP_PORT_RANGE Y   contiguous range of ports
GRAM callback tcp GLOBUS_TCP_SOURCE_RANGE   Y contiguous range of ports
HTCondor port range tcp LOWPORT, HIGHPORT Y   contiguous range of ports

GRAM is not really a service on the client. It is the protocol used by the Globus clients. Anyway the clients still requires the port ranges to be open: job submission needs ports to reach the servers and to transfer back the output; file transfers need ports for control and data sessions.
HTCondor is in reality HTCondor-G the version configured to submit grid jobs.

You'll find more client specific details also in the Firewall section of this document.

3.4 Minimum Version

Starting on 11 February 2014, all OSG-issued Digicert certificates (host, service, and personal) use the SHA-2 algorithm. Some software in the Worker Node Client notably dCache SRM client must be on a recent version to support SHA-2 certificates. Please visit our SHA-2 compliance page for more information about minimum required versions of software components.

4 Contents of the OSG Client package

The OSG client may be updated from time to time. As of OSG 3.1.8 in September 2012, the OSG client contains:

  • Everything in the OSG worker node client
  • Bandwidth Test Controller (bwctl) client
  • GSI OpenSSH client
  • Globus GRAM clients (including globus-job-run)
  • Globus certificate utilities (including grid-proxy-init)
  • Network Diagnostic Tool (NDT)
  • Nmap (security scanner)
  • One-Way Ping (owamp) client)
  • lcg-info
  • lcg-infosites
  • osg-cert-scripts
  • osg-discovery
  • osg-system-profiler
  • osg-version

If you installed the osg-client-condor package, it will also install HTCondor.

If you like, you can see exactly what your version of the OSG client package installed:

[user@client ~]$ rpm -q --requires osg-client

More details on using RPM to see what was installed

5 Installation and Configuration Procedure

5.1 Install the Client

  1. Install the osg-client meta package, which will pull in all dependencies.
    [root@client ~]$ yum install osg-client   

The client requires no special configuration. To configure fetch-crl, e.g. to use a proxy, check the CRL documentation.

5.2 Install HTCondor-G

Optionally, you may want to install HTCondor-G, too. HTCondor-G is needed to submit jobs directly to the OSG sites. It is not needed for Glidein-based submission.

  1. Install the osg-client-condor meta package, which will pull in all dependencies.
    [root@client ~]$ yum install osg-client-condor   

6 Services

The client is a collection of client programs that do not require service startup or shutdown. The only services are osg-update-certs that keeps uptodate the CA certificates, fetch-crl that keeps uptodate the CRLs and the optional HTCondor-G, only if you installed it.

Avoid to interfere with the system HTCondor. The commands below may start/stop/... also a HTCondor installed outside of the client installation. Be aware of which one you are controlling.

6.1 Starting and Enabling Services

To start the services:
  1. Optionally, to start HTCondor you can use the service command, e.g.:
    [root@client ~]$ /sbin/service condor start

You should also enable the appropriate services so that they are automatically started when your system is powered on:

  • Optionally, to enable HTCondor by default on the node:
    [root@client ~]$ /sbin/chkconfig condor on

6.2 Stopping and Disabling Services

To stop the services:
  1. Optionally, to stop HTCondor you can use:
    [root@client ~]$ /sbin/service condor stop

In addition, you can disable services by running the following commands. However, you don't need to do this normally.

  • Optionally, to disable HTCondor:
    [root@client ~]$ /sbin/chkconfig condor off

7 Firewall Considerations

The Globus Toolkit and HTCondor require the client host to allow some inbound and outbound network connections to specific ports. This section describes what additional configuration steps have to be taken if the client host is located behind a firewall. For a more detailed description on firewalls consult this document.

The ranges that you choose below in the Globus and HTCondor configuration must be consistent with the firewall configuration. If the Globus and HTCondor ranges overlap there won't be port collisions but you will need a bigger range.

7.1 Public IP Address and DNS

If you use the the client host as HTCondor-G submit host for long running jobs, it needs to be reached by remote resources. The easier option is to use a public IP address and not be be located within a private network. For other options check below. To make sure that the client host uses a public IP address and is assigned a fully qualified domain name, use:

[user@client ~]$ hostname -f
[user@client ~]$ nslookup


If the client host is not assigned a fully qualified domain name, you can assign the public IP address to the GLOBUS_HOSTNAME environment variable:

[root@client ~]$ cat << CFG >> /etc/profile.d/
[root@client ~]$ cat << CFG >> /etc/profile.d/globus_hostname.csh

Make sure to re-login after you update /etc/profile.d so that the changes take effect.

7.2 Configuring the firewall and NAT

If the client host is on a private network with NAT or anyway behind a firewall, even a host firewall, the firewall and eventual NAT must be configured correctly.

Assuming you use iptables and chose the port range 20k-25k, you must

Insert the following rules

-A RH-Firewall-1-INPUT  -m state --state NEW -p tcp -m tcp --dport 20000:24999 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p udp -m udp --dport 20000:24999 -j ACCEPT
into /etc/sysconfig/iptables and
Restart iptables with
[root@client ~]$ service iptables restart

It is possible to use a client host that is located inside a private network using Network Address Translation. In this case the gatekeeper must be configured to forward incoming connections to the client host. The $GLOBUS_HOSTNAME environment variable must be set to the gatekeeper address. This procedure is currently not documented.

7.3 Globus Port Range

GRAM can be configured to only use a specified range of TCP ports on the client host for inbound ($GLOBUS_TCP_PORT_RANGE) and outbound ($GLOBUS_TCP_SOURCE_RANGE) connections. More information can be found in the Globus firewall HowTo.

[root@client ~]$ cat << CFG >> /etc/profile.d/
export GLOBUS_TCP_PORT_RANGE=20000,24999
export GLOBUS_TCP_SOURCE_RANGE=20000,24999
[root@client ~]$ cat << CFG >> /etc/profile.d/globus_firewall.csh
setenv GLOBUS_TCP_PORT_RANGE 20000,24999
setenv GLOBUS_TCP_SOURCE_RANGE 20000,24999

Make sure to re-login after you update /etc/profile.d so that the changes take effect.

7.4 HTCondor Port Range

HTCondor-G requires a set of ports open in order to talk to OSG CEs. If you are running a restrictive firewall, you will need to open O(1k) ports in the firewall and tell HTCondor what port range you opened.

HTCondor will only use a specified range of TCP ports for inbound and outbound connections on the client host. This range requires both inbound and outbound connectivity (there are not 2 separate ranges like in the Globus configuration). You can select this range by defining LOWPORT and HIGHPORT in the configuration:

Create /etc/condor/config.d/10firewall_condor.config and add

to the file and
Restart HTCondor with
[root@client ~]$ service condor restart

8 Test the Client

This document does not cover the usage of the client tools. An introduction how to use the OSG can be found here. A more detailed description how to interact with a Compute Element is located here.

To simply test the functionality of your installation:

9 Getting Help

To get assistance please use this Help Procedure.

10 References

The OSG Client includes also a set of tools that are part of the Internet2 Network Performance Toolkit

Client installation documents:

Some components of OSG Client:


Topic revision: r57 - 06 Dec 2016 - 18:12:42 - KyleGross
Hello, TWikiGuest!


TWiki | Report Bugs | Privacy Policy

This site is powered by the TWiki collaboration platformCopyright by the contributing authors. All material on this collaboration platform is the property of the contributing authors..