Upgrade Voms Service

Introduction

This document describes how to upgrade from VOMS-Admin installed from osg-1.2 (pacman cache) to the new osg-voms package (installed via yum). We assume that you are currently running:

  • VOMS Admin 2.0.15-1
  • VOMS Server 1.8.8-2p1
The new version of VOMS-Admin and VOMS-Server, the OSG 3 VOMS, will be installed during the upgrade procedure. You will install:
  • VOMS-Admin 2.6.1
  • VOMS-Server 2.0.0

If you want to do a fresh installation, please consult the VOMS Installation Guide instead.

NOTE
You can install the OSG 3 VOMS-Admin and VOMS-Server on the same node where your OSG 1.2 servers are running or on a new node. Either way, OSG 3 is installed using yum, so you need root access on the node.

Preparing For Upgrade

WARNING: VOMS-Admin assumes hostname resolves to the fully-qualified domain name; if it does not, the upgrade will fail in mysterious ways. Type hostname and verify it is of the form voms.example.com and not voms. If your pacman-based install was installed with the wrong hostname, you may have to contact osg-software for expert help if the upgrade fails.

In order to prepare for the upgrade you will need to stop all the services and create a complete mysqldump of your VOMS databases. Perform the following steps:

  1. Log in on the node where VOMS is installed.
  2. Set up VDT_LOCATION:
    [root@voms ~]$ cd VDT_LOCATION
    [root@voms ~]$ . setup.sh
    
  3. Stop all the services:
    [root@voms ~]$ vdt-control -off
    
  4. Restart the MySQL server:
    [root@voms ~]$ vdt-control -on mysql5
    
  5. Create the database dump:
    [root@voms ~]$ mysqldump --all-databases --flush-privileges > ~/voms_database_dump.sql
    
  6. Stop the MySQL server:
    [root@voms ~]$ vdt-control -off mysql5
    
  7. The VDT pollutes the environment of your shell. Log out of this one.

For the remainder of this document, all pacman-based services should remain off.

Requirements for the OSG 3 VOMS server

Whether you install on the same node or on a new one, you must make sure that the node where you install the OSG 3 VOMS server satisfies all the following requirements.

If you are using the same node you can re-use the service certificates. If not, you have to get new ones. If in doubt, get new ones (see below).

OSG 3 VOMS Installation

WARNING!
Open a new window on the node you are upgrading to make sure that you start with a clean environment!

Upgrade and Configuration

The configuration requires some initial steps plus the import or addition of one or more VOs. You will not be able to start voms-admin if you don't import or add at least one VO.

Restore The Old Database

If you have not already done so, start MySQL with /sbin/service mysqld start.

Restore the database from the database dump:

[root@voms ~]$ mysql -p < ~/voms_database_dump.sql
When asked at the prompt, you must enter the top_secret password that you chose above. If MySQL has no root password (we highly recommend a root password), you will have to drop the -p option.

Configure VOMS and VOMS-Admin

In order to configure the database you will need the admin user name and password of the database you used before. Gather this information from the following files:
  • VDT_LOCATION/glite/etc/voms/VO_NAME/voms.conf
    • OLD_USER_NAME: Search for the --username attribute (e.g. --username=test1_adm)
    • OLD_VOMS_PORT: Search for --port (e.g. --port=15000)
  • VDT_LOCATION/glite/etc/voms/VO_NAME/voms.pass
    • OLD_USER_PASSWORD: This file contains the previous MySQL user password (e.g. secret).
  • /etc/my.conf
    • MYSQL_PORT: Look for "port"; if it is not set in this file, it is 3306.
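
The lookup described in the list above can be scripted. The following is an added example, not part of the original page or of the VOMS software; it assumes each option appears in voms.conf as --name=value, and the function names (voms_opt, mysql_port, gather) and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example: gather the old VOMS settings without echoing the password.

# Value of a "--NAME=value" option in a voms.conf file (last occurrence wins).
voms_opt() {  # usage: voms_opt FILE NAME
    grep -o -- "--$2=[^[:space:]]*" "$1" | tail -n 1 | cut -d= -f2-
}

# First "port = N" line of a MySQL config file; 3306 when the file sets none.
mysql_port() {  # usage: mysql_port FILE
    _p=$(sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    echo "${_p:-3306}"
}

# Print the settings for one VO. The password is only checked for presence,
# so it does not end up in terminal scrollback or a captured log.
gather() {  # usage: gather VDT_LOCATION VO_NAME MYSQL_CONF
    _dir="$1/glite/etc/voms/$2"
    echo "OLD_USER_NAME=$(voms_opt "$_dir/voms.conf" username)"
    echo "OLD_VOMS_PORT=$(voms_opt "$_dir/voms.conf" port)"
    echo "MYSQL_PORT=$(mysql_port "$3")"
    if [ -s "$_dir/voms.pass" ]; then
        echo "OLD_USER_PASSWORD=<present in $_dir/voms.pass>"
    else
        echo "OLD_USER_PASSWORD=<missing>"
    fi
}

# Constructed sample tree standing in for VDT_LOCATION and the MySQL config.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/glite/etc/voms/test1"
cat > "$SAMPLE/glite/etc/voms/test1/voms.conf" <<'EOF'
--vo=test1
--dbname=voms_test1
--port=15000
--username=test1_adm
EOF
( umask 077; echo 'secret' > "$SAMPLE/glite/etc/voms/test1/voms.pass" )
printf '[mysqld]\ndatadir=/var/lib/mysql\n' > "$SAMPLE/my.cnf"   # no port set

gather "$SAMPLE" test1 "$SAMPLE/my.cnf"
```

On a real node, call gather with your VDT_LOCATION, your VO name and the path of the MySQL configuration file instead of the sample tree.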

Run the voms-admin-configure script:

[root@voms ~]$ voms-admin-configure install --dbtype mysql --vo VO_NAME \
    --dbauser root  --dbapwd MYSQL_ROOT_PASSD --dbport MYSQL_PORT \
    --dbusername  OLD_USER_NAME --dbpassword OLD_USER_PASSWORD \
    --port OLD_VOMS_PORT  --mail-from email --smtp-host smtp.domain \
    --sqlloc /usr/lib64/voms/libvomsmysql.so --cert /etc/grid-security/voms/vomscert.pem \
    --key  /etc/grid-security/voms/vomskey.pem --read-access-for-authenticated-clients 
For example:
[root@voms ~]$ voms-admin-configure install --dbtype mysql --vo test1 \
     --dbauser root --dbapwd top_secret --dbport 3306 \
     --dbusername test1_adm --dbpassword secret \
     --port 15000 --mail-from tlevshin@fnal.gov --smtp-host smtp.fnal.gov \
     --sqlloc /usr/lib64/voms/libvomsmysql.so --cert /etc/grid-security/voms/vomscert.pem \
     --key /etc/grid-security/voms/vomskey.pem --read-access-for-authenticated-clients

If your VO:

  • Has custom-made scripts for managing voms-admin, or
  • Uses VOMRS,
these items might be broken due to the new CSRF (Cross Site Request Forgery) security checks. Affected VOs may choose to disable these security checks. To do this, edit /etc/voms-admin/VO_NAME/voms.service.properties and include the following line:
#### Add other options after this line
voms.csrf.log_only = true

We recommend that unaffected VOs do not make this change.

Upgrade The Database Schema

For each VO that you imported from the old VOMS server you must run the upgrade command:

[root@voms ~]$ voms-admin-configure upgrade --vo VO_NAME
For example:
[root@voms ~]$ voms-admin-configure upgrade --vo test1

Remember that before using VOMS or VOMS-Admin you must start VOMS, VOMS-Admin and all the other required services.

Add and configure additional VOs

NOTE
You can add additional VOs if you like. If you migrated at least one pre-existing VO and do not desire to add additional VOs, then you can skip this section.

Advertise your VOMS server

NOTE
If you are installing VOMS on the same node or are replacing the old server with a new node that has the same hostname, then you can skip this section. Otherwise you need to notify everyone using your VOMS server about the new IP address as described in the remainder of this section.

How to get Help?

To get assistance please use Help Procedure.

Topic revision: r18 - 06 Dec 2016 - 18:12:45 - KyleGross