HELP NOTE
This document is for a standalone GridFTP server. For installation and configuration of GridFTP with Hadoop's HDFS, click here

Installing and Maintaining a GridFTP Server

About This Guide

This page explains how to install the stand-alone Globus GridFTP server.

The GridFTP package contains components necessary to set up a stand-alone gsiftp server and tools used to monitor and report its performance. A stand-alone GridFTP server might be used under the following circumstances:

  • You are serving VOs that use storage heavily (CMS, ATLAS, CDF, and D0) and your site has more than 250 cores
  • Your site will be managing more than 50 TB of disk space
  • A simple front-end to a filesystem allowing access over WAN - for example NFS.
  • BeStMan is capable of distributing its workload among several gsiftp servers so if you expect large movements of data into/out of your site, multiple gsiftp servers can be set up.

Before Starting

Before starting the installation process, consider the following points (consulting the Reference section below as needed):

  • Service certificate: The GridFTP service uses a host certificate at /etc/grid-security/hostcert.pem and an accompanying key at /etc/grid-security/hostkey.pem
  • Network ports: GridFTP listens on TCP port 2811 and the list of ports configured by GLOBUS_TCP_SOURCE_RANGE

As with all OSG software installations, there are some one-time (per host) steps to prepare in advance:

Installing GridFTP

First, you will need to install the GridFTP meta-package:

[root@client ~]$ yum install osg-gridftp

Configuring GridFTP

Configuring authentication

In OSG 3.3, there are three methods to manage authentication for incoming jobs: the LCMAPS VOMS plugin, edg-mkgridmap and GUMS. edg-mkgridmap is easy to set up and maintain, and GUMS has more features and capabilities. The LCMAPS VOMS plugin is the new OSG-preferred authentication, offering the simplicity of edg-mkgridmap and many of GUMS' rich feature set. If you need to support pool accounts, GUMS is the only software with that capability.

In OSG 3.4, the LCMAPS VOMS plugin is the only available authentication solution.

Authentication with the LCMAPS VOMS plugin

To configure your GridFTP server to use the LCMAPS VOMS plugin:

  1. If you are using OSG 3.3, add the following line to /etc/sysconfig/globus-gridftp-server:

    export LLGT_VOMS_ENABLE_CREDENTIAL_CHECK=1
    
  2. Follow the instructions in the LCMAPS VOMS plugin installation and configuration document to prepare the LCMAPS VOMS plugin

Authentication with edg-mkgridmap

HELP NOTE
edg-mkgridmap is unavailable in OSG 3.4

By default, GridFTP uses a gridmap file, found in /etc/grid-security/grid-mapfile. This file is not generated by default, and there are two ways to produce it. You can write it manually, listing DN/username combinations; this is most useful for debugging. Otherwise, you can install edg-mkgridmap, which periodically contacts a list of VOMS servers that you specify, assembles a list of users from those servers and writes the grid-mapfile. The grid-mapfile serves both as the list of authorized users and as the mapping from user DNs to local user IDs.

To install edg-mkgridmap, perform the following steps:

  1. Install the package:

    yum install edg-mkgridmap

  2. Review /etc/edg-mkgridmap.conf to make sure that it lists all VOs that you are interested in, and comment out any VOs that you do not wish to support:

    vi /etc/edg-mkgridmap.conf

  3. The edg-mkgridmap utility runs as a cron job, /etc/cron.d/edg-mkgridmap-cron (by default every 6 hours). You can also run it manually to confirm that it generates /etc/grid-security/grid-mapfile:

    edg-mkgridmap

  4. Then enable and start the service:

    /sbin/service edg-mkgridmap start
    /sbin/chkconfig edg-mkgridmap on

You can read more on this page: edg_mkgridmap (on the CE)

Authentication with GUMS

HELP NOTE
GUMS is unavailable in OSG 3.4

By default, GridFTP uses a gridmap file, found in /etc/grid-security/grid-mapfile. If you want to use GUMS security (recommended), you will need to enable it using the following steps:

First, edit /etc/grid-security/gsi-authz.conf and uncomment the globus callout.

globus_mapping liblcas_lcmaps_gt4_mapping.so lcmaps_callout

Note that this used to be the full path to the library (/usr/lib64 or /usr/lib), but now we rely on the linker for proper resolution in this file.

Next, edit /etc/lcmaps.db to set your GUMS information:

...
gumsclient = "lcmaps_gums_client.mod"
             "-resourcetype ce"
             "-actiontype execute-now"
             "-capath /etc/grid-security/certificates"
             "-cert   /etc/grid-security/hostcert.pem"
             "-key    /etc/grid-security/hostkey.pem"
             "--cert-owner root"
# Change this URL to your GUMS server
             "--endpoint https://gums.fnal.gov:8443/gums/services/GUMSXACMLAuthorizationServicePort"

If you would like to run SAZ, you will need to enable the relevant lines in the above file as well (more documentation to be added later).

Enabling Gratia GridFTP transfer probe

The Gratia GridFTP probe collects information about GridFTP transfers and forwards it to the central Gratia collector. You need to enable the probe first. To do this, make sure the following is set in /etc/gratia/gridftp-transfer/ProbeConfig:

EnableProbe="1"

All other configuration settings should be suitable for most purposes. However, you can edit them if needed. The probe runs every 30 minutes as a cron job.

Optional configuration

Modifying the environment

Environment variables are stored in /etc/sysconfig/globus-gridftp-server which is sourced on service startup. If you want to change LCMAPS log levels, or globus port ranges, you can edit them there.

#Uncomment and modify for firewalls
#export GLOBUS_TCP_PORT_RANGE=min,max
#export GLOBUS_TCP_SOURCE_RANGE=min,max

Note that the variables GLOBUS_TCP_PORT_RANGE and GLOBUS_TCP_SOURCE_RANGE can be set here to allow Globus to work within your firewall rules.

To troubleshoot LCMAPS authorization, you can add the following to /etc/sysconfig/globus-gridftp-server and choose a higher debug level:

# level 0: no messages, 1: errors, 2: also warnings, 3: also notices,
#  4: also info, 5: maximum debug
LCMAPS_DEBUG_LEVEL=2

Output goes to /var/log/messages by default. Do not set logging to 5 on any production systems as that may cause systems to slow down significantly or become unresponsive.

Configuring a multi-homed server

The GridFTP server uses control connections, data connections and IPC connections. By default it listens on all interfaces, but this can be changed by editing the configuration file /etc/gridftp.conf.

To use a single interface, set hostname to the hostname or IP address to use:

hostname IP-TO-USE

You can also set control_interface, data_interface and ipc_interface separately. For example, on systems that have multiple network interfaces, you may want to associate data transfers with the fastest NIC available. This can be done in the GridFTP server by setting data_interface:

control_interface IP-TO-USE
data_interface IP-TO-USE
ipc_interface IP-TO-USE

For more options available for the GridFTP server, read the comments in the configuration file (/etc/gridftp.conf) or see the Globus manual.

Using GridFTP

As a site administrator, there are a few ways in which you might use the GridFTP server:

  • Managing the GridFTP server and associated services
  • Using GridFTP user tools to test transfer operations

Managing GridFTP and associated services

In addition to the GridFTP service itself, there are a number of supporting services in your installation. The specific services are:

| Software | Service name | Notes |
| Fetch CRL | fetch-crl-boot and fetch-crl-cron | See CA documentation for more info |
| Gratia | gratia-probes-cron | Accounting software |
| GridFTP | globus-gridftp-server | |

Start the services in the order listed and stop them in reverse order. As a reminder, here are common service commands (all run as root):

| To … | On EL 6, run the command… | On EL 7, run the command… |
| Start a service | service SERVICE-NAME start | systemctl start SERVICE-NAME |
| Stop a service | service SERVICE-NAME stop | systemctl stop SERVICE-NAME |
| Enable a service to start during boot | chkconfig SERVICE-NAME on | systemctl enable SERVICE-NAME |
| Disable a service from starting during boot | chkconfig SERVICE-NAME off | systemctl disable SERVICE-NAME |

Validating GridFTP

The GridFTP service can be validated by using globus-url-copy. You will need to run grid-proxy-init or voms-proxy-init first to obtain a valid user proxy for communicating with the GridFTP server.

[user@client ~]$ globus-url-copy file:///tmp/zero.source gsiftp://yourhost.yourdomain/tmp/zero
[user@client ~]$ echo $?
0

Note that you should preferably not try to run validation as root, as globus-url-copy will sometimes attempt to use the host certificate instead of your user certificate, with confusing results.

Getting Help

For assistance, please use this page.

Reference

Configuration and Log Files

| Service/Process | Configuration File | Description |
| GridFTP | /etc/sysconfig/globus-gridftp-server | Environment variables for GridFTP and LCMAPS |
| GridFTP | /usr/share/osg/sysconfig/globus-gridftp-server-plugin | Where environment variables for the GridFTP plugin are included |
| Gratia Probe | /etc/gratia/gridftp-transfer/ProbeConfig | GridFTP Gratia Probe configuration |
| Gratia Probe | /etc/cron.d/gratia-probe-gridftp-transfer.cron | Cron tab file |

| Service/Process | Log File | Description |
| GridFTP | /var/log/gridftp.log | GridFTP transfer log |
| GridFTP | /var/log/gridftp-auth.log | GridFTP authorization log |
| Gratia probe | /var/logs/gratia | |

Certificates

| Certificate | User that owns certificate | Path to certificate |
| Host certificate | root | /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem |

Instructions to request a service certificate.

You will also need a copy of CA certificates (see below).

Users

For this package to function correctly, you will have to create the users needed for grid operation. Any user that can be authenticated should be created.

For grid-mapfile users, each line of the grid-mapfile is a certificate/user pair. Each user in this file should be created on the server.

For GUMS users, this means that each user that can be authenticated by GUMS should be created on the server.

Note that these users must be kept in sync with the authentication method. For instance, if new users or rules are added in GUMS, then the corresponding accounts must also be added here.
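The Users section requires every account named in the grid-mapfile to exist on the server and to stay in sync with the mapfile. The following is an added example (not from the OSG documentation) that reports mapfile accounts missing from the passwd database; the mapfile and passwd paths are parameters, and the DNs and accounts in the sample data are constructed.

```shell
#!/bin/sh
# Added example (not from the OSG page): report accounts named in a grid-mapfile
# that do not exist in the passwd database. Paths are parameters so the check can
# run against the constructed sample files below as well as the real files.

# Print every local account named in a grid-mapfile, one per line, sorted.
# Mapping lines look like:  "<quoted DN>" account   (a comma-separated list
# of accounts is also accepted); comments and blank lines are skipped.
gridmap_accounts() {  # $1 = grid-mapfile
    sed -n 's/^"[^"]*"[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | tr ',' '\n' | sort -u
}

# Print the mapfile accounts that have no entry in the passwd file.
# Empty output means the mapfile and the local accounts are in sync.
gridmap_missing_accounts() {  # $1 = grid-mapfile, $2 = passwd file (default /etc/passwd)
    mapfile=$1
    passwd=${2:-/etc/passwd}
    for acct in $(gridmap_accounts "$mapfile"); do
        # passwd entries are colon separated with the login name first
        if ! cut -d: -f1 "$passwd" | grep -qx "$acct"; then
            echo "$acct"
        fi
    done
}

# Constructed sample data for a stand-alone run (DNs and accounts are made up).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/grid-mapfile" <<'EOF'
# DN-to-account mappings, constructed for this example
"/DC=org/DC=example/OU=People/CN=Alice Example 1234" cms
"/DC=org/DC=example/OU=People/CN=Bob Example 5678" atlas
"/DC=org/DC=example/OU=People/CN=Carol Example 9012" cms
"/DC=org/DC=example/OU=People/CN=Dave Example 3456" dzero
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
cms:x:1001:1001::/home/cms:/bin/bash
atlas:x:1002:1002::/home/atlas:/bin/bash
EOF

# Prints "dzero": the one mapped account with no local passwd entry.
gridmap_missing_accounts "$SAMPLE_DIR/grid-mapfile" "$SAMPLE_DIR/passwd"
```

Run it against /etc/grid-security/grid-mapfile with the second argument omitted to check a live server.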

Networking

For more details on overall Firewall configuration, please see our Firewall documentation.

| Service Name | Protocol | Port Number | Inbound | Outbound | Comment |
| GRAM callback | tcp | GLOBUS_TCP_PORT_RANGE | Y | | contiguous range of ports |
| GRAM callback | tcp | GLOBUS_TCP_SOURCE_RANGE | | Y | contiguous range of ports |
| GridFTP | tcp | 2811 and GLOBUS_TCP_SOURCE_RANGE | Y | | contiguous range of ports |

If you have a multi-homed host you may be interested in reading this section.
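The Modifying the environment section and the Networking table above both rely on the GLOBUS_TCP_PORT_RANGE and GLOBUS_TCP_SOURCE_RANGE settings being contiguous ranges that match the firewall. The following added example (not from the OSG documentation) reads those variables from the sysconfig file, rejects malformed ranges and emits the matching iptables rules; it treats GLOBUS_TCP_PORT_RANGE as the inbound listening range and GLOBUS_TCP_SOURCE_RANGE as the outbound source-port range, which is how Globus defines them. The file path is a parameter and the sample sysconfig content is constructed.

```shell
#!/bin/sh
# Added example (not from the OSG page): derive firewall rules for a GridFTP server
# from the Globus port-range variables in /etc/sysconfig/globus-gridftp-server,
# refusing ranges that are non-numeric, privileged or not contiguous (min < max).

# Print the "min,max" value of an uncommented "export NAME=min,max" line, or nothing.
globus_range() {  # $1 = sysconfig file, $2 = variable name
    sed -n "s/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}$2=\([0-9]*,[0-9]*\).*$/\2/p" "$1" | tail -n 1
}

# A range is valid when both ends are numeric, unprivileged (>= 1024) and min < max.
valid_port_range() {  # $1 = "min,max"
    min=${1%,*}; max=${1#*,}
    case "$min" in ""|*[!0-9]*) return 1 ;; esac
    case "$max" in ""|*[!0-9]*) return 1 ;; esac
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -lt "$max" ]
}

# Emit rules for TCP 2811 (control channel), the inbound data-channel range and,
# if configured, the outbound source range. Fails on a missing or bad range so a
# typo in the sysconfig file never silently produces an open or broken firewall.
gridftp_firewall_rules() {  # $1 = sysconfig file
    inbound=$(globus_range "$1" GLOBUS_TCP_PORT_RANGE)
    outbound=$(globus_range "$1" GLOBUS_TCP_SOURCE_RANGE)
    [ -n "$inbound" ] || { echo "GLOBUS_TCP_PORT_RANGE not set in $1" >&2; return 1; }
    valid_port_range "$inbound" || { echo "bad GLOBUS_TCP_PORT_RANGE: $inbound" >&2; return 1; }
    echo "iptables -A INPUT -p tcp --dport 2811 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${inbound%,*}:${inbound#*,} -j ACCEPT"
    if [ -n "$outbound" ]; then
        valid_port_range "$outbound" || { echo "bad GLOBUS_TCP_SOURCE_RANGE: $outbound" >&2; return 1; }
        echo "iptables -A OUTPUT -p tcp --sport ${outbound%,*}:${outbound#*,} -j ACCEPT"
    fi
}

# Constructed sample sysconfig file with the firewall lines from the page filled in.
SAMPLE_SYSCONFIG=$(mktemp)
cat > "$SAMPLE_SYSCONFIG" <<'EOF'
#Uncomment and modify for firewalls
export GLOBUS_TCP_PORT_RANGE=40000,41000
export GLOBUS_TCP_SOURCE_RANGE=50000,51000
EOF
gridftp_firewall_rules "$SAMPLE_SYSCONFIG"
```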

Topic revision: r50 - 05 Jun 2017 - 20:45:26 - BrianLin