Installing OSG Client as Tarball (Anywhere by Anyone)

1 About This Document

This document is for grid users and system administrators. It covers the installation of the OSG Client Tools Package as a tarball. This packaging is provided to allow installations "Anywhere by Anyone" (AbA) (e.g. by non-root users or on NFS shares). If you have root access, your OS is Red Hat Enterprise Linux 5, 6, 7, and variants (see details...), and you have no special requirements, we recommend using the native packages as described in InstallOSGClient. For more background on AbA packages, see the non-root clients project page.

This package is required on every host used by grid users to submit jobs, transfer data, or otherwise interact with the OSG. Note that there is also a Worker Node Client (AbA and native) that is not a valid substitute for this package. Likewise, the OSG Client cannot replace the Worker Node Client in the batch job environment on Worker Nodes and Compute Elements.

The OSG Client Tools Package includes:

NOTE
This document does not cover the usage of the client tools. An introduction to using the OSG can be found here. A more detailed description of how to interact with a Compute Element is located here.


2 Engineering Considerations

The OSG Client Tools Package is required on hosts used to submit jobs to the Open Science Grid. We recommend installing the OSG Client Tools on a dedicated job submission host for large scale job submissions to production resources on the OSG. We recommend using a public IP address and a fully qualified domain name for shared job submission hosts.

3 Requirements

3.1 Host and OS

  1. A host to install the OSG Client (pristine node). No grid host certificate is required.
  2. OS is Red Hat Enterprise Linux 5, 6, 7, and variants (see details...). Currently most of our testing has been done on Scientific Linux 5.

3.2 Certificates

  1. If you want to test and use the installation then a valid grid user certificate is required.

3.3 Networking

For more details on overall Firewall configuration, please see our Firewall documentation.

Service Name         Protocol  Port Number              Inbound  Outbound  Comment
GRAM callback        tcp       GLOBUS_TCP_PORT_RANGE    Y        -         contiguous range of ports
GRAM callback        tcp       GLOBUS_TCP_SOURCE_RANGE  -        Y         contiguous range of ports
HTCondor port range  tcp       LOWPORT, HIGHPORT        Y        -         contiguous range of ports

GRAM is not really a service on the client; it is the protocol used by the Globus clients. The clients still require the port ranges to be open: job submission needs ports to reach the servers and to transfer back the output; file transfers need ports for control and data sessions.
HTCondor here is in reality Condor-G, the version configured to submit grid jobs.

You'll find more client specific details also in the Firewall section of this document.

4 Contents of the OSG Client package

The OSG client may be updated from time to time. As of OSG 3.1.8 in September 2012, the OSG client contains:

  • Everything in the OSG worker node client
  • Bandwidth Test Controller (bwctl) client
  • GSI OpenSSH client
  • Globus GRAM clients (including globus-job-run)
  • Globus certificate utilities (including grid-proxy-init)
  • Network Diagnostic Tool (NDT)
  • Nmap (security scanner)
  • One-Way Ping (owamp) client
  • lcg-info
  • lcg-infosites
  • osg-cert-scripts
  • osg-discovery
  • osg-system-profiler
  • osg-version

The osg-client-condor package, which also installs HTCondor, is available only as a native package.

5 Download, Installation and Configuration Procedure

5.1 Download the Client

Please pick the osg-client tarball that is appropriate for your distribution and architecture. You will find them in http://repo.grid.iu.edu/tarball-install/ .

The latest available tarballs for OSG 3.2 are:

NOTE
The OSG 3.2 series is deprecated. It will no longer be supported after August 9th, 2016.

As of OSG 3.3, only the worker node client tarball is available.

5.2 Install the Client

  1. Unpack the tarball.
  2. Move the directory that was created to where you want the tarball client to be.
  3. Run osg-post-install (/path/to/client/osg/osg-post-install) to fix the directories in the installation.
    Note that after this, you will not be able to relocate the install again.
  4. Source the setup script: source /path/to/client/setup.sh (or setup.csh, depending on the shell)
  5. Download and set up CA certificates using osg-ca-manage (see OsgCaManage for the available options)
  6. Download CRLs using fetch-crl (EL6) or fetch-crl3 (EL5)

Example install (in $HOME/test-install, the /path/to/client/ is $HOME/test-install/osg-client ):

[user@client ~]$ mkdir $HOME/test-install
[user@client ~]$ cd $HOME/test-install
[user@client ~]$ wget http://repo.grid.iu.edu/tarball-install/3.2/osg-client-latest.el6.x86_64.tar.gz
[user@client ~]$ tar xzf osg-client-latest.el6.x86_64.tar.gz
[user@client ~]$ cd osg-client
[user@client ~]$ osg/osg-post-install
[user@client ~]$ . setup.sh
[user@client ~]$ osg-ca-manage setupCA --url osg
[user@client ~]$ fetch-crl

NOTE
Unpacking the tarball creates an osg-client subdirectory

6 Services

The client is a collection of client programs that do not require service startup or shutdown. The only services are osg-update-certs, which keeps the CA certificates up to date, and fetch-crl, which keeps the CRLs up to date. Following the instructions below, you will add these services to your crontab, which will run them periodically until you remove them.

6.1 Auto-updating certificates and CRLs

You must create cron jobs to run fetch-crl/fetch-crl3 and osg-update-certs to update your CRLs and certificates automatically.

Here is what they should look like. (Note: fill in <OSG_LOCATION> with the full path of your tarball install, including the osg-client directory that is created by the tarball. You can use echo $OSG_LOCATION to see the correct path).

# Cron job to update certs.
# Runs every hour by default, though does not update certs until they're at
# least 24 hours old.  There is a random sleep time for up to 45 minutes (2700
# seconds) to avoid overloading cert servers.
10 * * * *   ( . <OSG_LOCATION>/setup.sh && osg-update-certs --random-sleep 2700 --called-from-cron )

# Cron job to update CRLs for EL5:
# Runs every 6 hours, at 45 minutes +/- 3 minutes.
42 */6 * * *   ( . <OSG_LOCATION>/setup.sh && fetch-crl3 -q -r 360 )

# Cron job to update CRLs for EL6:
# Runs every 6 hours, at 45 minutes +/- 3 minutes.
42 */6 * * *   ( . <OSG_LOCATION>/setup.sh && fetch-crl -q -r 360 )

You might want to configure proxy settings in $OSG_LOCATION/etc/fetch-crl.conf (EL6) or $OSG_LOCATION/etc/fetch-crl3.conf (EL5)

6.2 Starting and Enabling Services

To start the services, edit your crontab with crontab -e and add the lines above. crontab -l lists the current entries.

6.3 Stopping and Disabling Services

To stop the services, edit your crontab with crontab -e and remove or comment out the lines above. crontab -l lists the current entries.

7 Usage

A user must set up their environment before running any of the software provided in the client.

There are two ways to do this: either source setup.sh or setup.csh before running a command, or use the osgrun wrapper. All three files are located in the top-level directory of the client. In the examples below replace <OSG_LOCATION> with the path of your tarball install, including the osg-client directory resulting from the tarball (e.g. $HOME/test-install/osg-client).

NOTE
If setup.sh, setup.csh, or osgrun are missing, then run osg/osg-post-install to (re)create them.

Example usage with setup.sh:

[user@client ~]$ . <OSG_LOCATION>/setup.sh
[user@client ~]$ grid-proxy-init
[user@client ~]$ globus-job-run GATEKEEPER /usr/bin/id

(If using csh or tcsh, source setup.csh instead of setup.sh)

The user might find it convenient to create a shell alias to setup.sh to avoid having to type the full path every session. For example by adding the following to their ~/.bashrc:

alias osg_setup=". <OSG_LOCATION>/setup.sh"

Example usage with osgrun:

[user@client ~]$ <OSG_LOCATION>/osgrun grid-proxy-init
[user@client ~]$ <OSG_LOCATION>/osgrun globus-job-run GATEKEEPER /usr/bin/id

The advantage of osgrun is that the environment of the user is left unchanged, whereas sourcing setup.sh or setup.csh will modify variables like PATH, LD_LIBRARY_PATH, and others, until the user exits from their shell.

The user might find it useful to set up a shell alias to osgrun to avoid having to type the full path every command. For example by adding the following to their ~/.bashrc:

alias osgrun="<OSG_LOCATION>/osgrun"

8 Firewall Considerations

The Globus Toolkit and HTCondor require the client host to allow inbound and outbound network connections. This section describes what additional configuration steps have to be taken if the client host is located behind a firewall. For a more detailed description on firewalls consult this document.

The ranges that you choose below in the Globus and HTCondor configuration must be consistent with the firewall configuration. If the Globus and HTCondor ranges overlap there won't be port collisions but you will need a bigger range.

8.1 Public IP Address and DNS

If you use the client host as an HTCondor-G submit host for long running jobs, it needs to be reachable by remote resources. The easier option is to use a public IP address and not be located within a private network. For other options check below. To make sure that the client host uses a public IP address and is assigned a fully qualified domain name, use:

[user@client ~]$ hostname -f
client.opensciencegrid.org
[user@client ~]$ nslookup client.opensciencegrid.org
Server:		131.215.125.1
Address:	131.215.125.1#53

Name:           client.opensciencegrid.org
Address:        131.215.114.49

If the client host is not assigned a fully qualified domain name, you can assign the public IP address to the GLOBUS_HOSTNAME environment variable, e.g.:

[user@client ~]$ cat << CFG >> ~/.bashrc
export GLOBUS_HOSTNAME=131.215.114.49
CFG

Make sure to re-login after you update ~/.bashrc so that the changes take effect.

8.2 Configuring the firewall and NAT

If the client host is on a private network with NAT, or is behind any firewall (even a host firewall), the firewall and any NAT must be configured correctly.

Assuming you use iptables and chose the port range 20k-25k, you must:

  1. Insert the following rules into /etc/sysconfig/iptables:

-A RH-Firewall-1-INPUT  -m state --state NEW -p tcp -m tcp --dport 20000:24999 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p udp -m udp --dport 20000:24999 -j ACCEPT

  2. Restart iptables with:

[root@client ~]$ service iptables restart

NOTE
It is possible to use a client host that is located inside a private network using Network Address Translation. In this case the gatekeeper must be configured to forward incoming connections to the client host. The $GLOBUS_HOSTNAME environment variable must be set to the gatekeeper address. This procedure is currently not documented.

8.3 Globus Port Range

GRAM can be configured to only use a specified range of TCP ports on the client host for inbound ($GLOBUS_TCP_PORT_RANGE) and outbound ($GLOBUS_TCP_SOURCE_RANGE) connections. More information can be found in the Globus firewall HowTo. For example:

[user@client ~]$ cat << CFG >> ~/.bashrc
export GLOBUS_TCP_PORT_RANGE=20000,24999
export GLOBUS_TCP_SOURCE_RANGE=20000,24999
CFG

Make sure to re-login after you update ~/.bashrc so that the changes take effect.
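
An added example, not part of the original page or of the OSG tooling: a shell function that checks whether the inbound range set in GLOBUS_TCP_PORT_RANGE is contained in a single ACCEPT rule of the /etc/sysconfig/iptables format shown in section 8.2. The names range_allowed and sample_rules and the sample rules themselves are constructed for illustration; the check only understands --dport rules as written above and does not model rule order.

```shell
#!/bin/sh
# Added example (not OSG tooling): confirm that the inbound Globus port range
# is covered by an ACCEPT rule in /etc/sysconfig/iptables style rules on stdin.

# range_allowed "LO,HI" [PROTO] < rules
# Exit status: 0 = covered by one ACCEPT rule, 1 = not covered, 2 = bad range.
# The body runs in a subshell, so "exit" only leaves the function.
range_allowed() (
    range=$1 proto=${2:-tcp}
    case $range in *,*) ;; *) exit 2 ;; esac       # Globus syntax is "LO,HI"
    lo=${range%%,*} hi=${range#*,}
    case $lo in ''|*[!0-9]*) exit 2 ;; esac
    case $hi in ''|*[!0-9]*) exit 2 ;; esac
    [ "$lo" -ge 1 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] || exit 2
    awk -v lo="$lo" -v hi="$hi" -v proto="$proto" '
        $1 != "-A" { next }                 # skip comments, chains, COMMIT
        {
            p = ""; d = ""; j = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-p")      p = $(i + 1)
                if ($i == "--dport") d = $(i + 1)
                if ($i == "-j")      j = $(i + 1)
            }
            if (p != proto || j != "ACCEPT" || d == "") next
            n = split(d, r, ":")            # "20000:24999" or a single port
            rlo = r[1] + 0
            rhi = (n == 2 ? r[2] : r[1]) + 0
            if (rlo <= lo + 0 && hi + 0 <= rhi) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
)

# Constructed sample rules for the demonstration below (not from a real host).
sample_rules() {
    cat <<'EOF'
# constructed sample
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 20000:24999 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

for r in 20000,24999 20000,25999; do
    if sample_rules | range_allowed "$r"; then echo "$r: covered"
    else echo "$r: NOT covered by any single ACCEPT rule"; fi
done
```

On a real host, run range_allowed "$GLOBUS_TCP_PORT_RANGE" < /etc/sysconfig/iptables (reading that file normally requires root).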

NOTE
See also InstallCondor for the installation and configuration of HTCondor (including its Firewall requirements).

9 Test the Client

This document does not cover the usage of the client tools. An introduction to using the OSG can be found here. A more detailed description of how to interact with a Compute Element is located here.

To simply test the functionality of your installation:

10 Getting Help

To get assistance please use this Help Procedure.

11 References

The OSG Client includes also a set of tools that are part of the Internet2 Network Performance Toolkit

Client installation documents:

Some components of OSG Client:

About AbA software:

Topic revision: r20 - 06 Dec 2016 - 18:12:42 - KyleGross