MyProxy VM Image.

Responsible Person

Ashley Wright, QUT

Technology Summary and Contents

  • Based on NG2 (RPMS).
  • MyProxy 0.6.5

Download Links

No download provided.

Installing the Image

  • Configure site-dependent network settings (IP addresses, hostnames, mail servers, etc.)
  • Generate host certificate
  • service myproxy start

Setting up Redundancy

Primary Server (myproxy.apac.edu.au)

  • vi /etc/myproxy-server.config
    slave_servers myproxy2.apac.edu.au
    
  • crontab -e (update the secondary server every 15 minutes)
    5,20,35,50 * * * * /usr/local/globus/sbin/myproxy-replicate
    

Secondary Server (myproxy2.apac.edu.au)

  • vi /etc/myproxy-server.config
    #slave_servers myproxy2.apac.edu.au
    master_server myproxy.apac.edu.au
    

Client Side (cluster head nodes?)

  • export MYPROXY_SERVER=myproxy.apac.edu.au
  • export MYPROXY_SECONDARY_SERVERS=myproxy2.apac.edu.au
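
The primary and secondary configurations above only work as a pair, so it is worth cross-checking them before relying on failover. The following is an added example, not part of the original page: the function names and the sample files are constructed, and it assumes that a server should never have both slave_servers and master_server active and that slave_servers may list several whitespace-separated hosts.

```sh
# Added example: cross-check the two myproxy-server.config files from the
# redundancy setup. Only the directives shown on this page are examined.

# active_values FILE DIRECTIVE: print the arguments of every uncommented
# DIRECTIVE line, one per line (a leading # makes the first field differ).
active_values() {
    awk -v d="$2" '$1 == d { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# check_pair PRIMARY_CONF SECONDARY_CONF PRIMARY_HOST SECONDARY_HOST
# Prints one FAIL line per inconsistency, or OK if none is found.
check_pair() {
    out=$(
        active_values "$1" slave_servers | grep -qxF "$4" ||
            echo "FAIL primary: slave_servers does not name $4"
        [ -z "$(active_values "$1" master_server)" ] ||
            echo "FAIL primary: master_server is set"
        [ "$(active_values "$2" master_server)" = "$3" ] ||
            echo "FAIL secondary: master_server is not $3"
        [ -z "$(active_values "$2" slave_servers)" ] ||
            echo "FAIL secondary: slave_servers is still active"
    )
    echo "${out:-OK}"
}

# Constructed sample files that mirror the settings shown on this page.
write_samples() {
    printf 'slave_servers myproxy2.apac.edu.au\n' > "$1/primary.conf"
    printf '#slave_servers myproxy2.apac.edu.au\nmaster_server myproxy.apac.edu.au\n' \
        > "$1/secondary.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_pair "$tmp/primary.conf" "$tmp/secondary.conf" \
    myproxy.apac.edu.au myproxy2.apac.edu.au
rm -rf "$tmp"
```
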

Using MyProxy

  • From a portal
    • Use the credential management portal.

  • From the cluster to run globus
    • myproxy-get-delegation

Creation of the Image

Base Image

  • lvcreate -L 4096M -n ngProxyRoot VolumeGroup00
  • lvcreate -L 512M -n ngProxySwap VolumeGroup00
  • mkswap /dev/VolumeGroup00/ngProxySwap
  • mkfs -t ext3 /dev/VolumeGroup00/ngProxyRoot
  • mount /dev/VolumeGroup00/ngProxyRoot /srv/ngproxy/
  • /usr/local/rpmstrap/rpmstrap --verbose centos4.2 /srv/ngproxy
  • cp fstab /srv/ngproxy/etc/
  • cp resolv.conf /srv/ngproxy/etc/
  • cp -Rv sysconfig /srv/ngproxy/etc/
  • vi /srv/ngproxy/etc/sysconfig/network
  • vi /srv/ngproxy/etc/sysconfig/network-scripts/ifcfg-eth0
  • cp CentOS-Base.repo /srv/ngproxy/etc/yum.repos.d/CentOS-Base.repo
  • chroot /srv/ngproxy/
  • rpm --import http://ftp.monash.edu.au/pub/linux/CentOS/RPM-GPG-KEY-centos4
  • rm /var/lib/rpm/__*
  • rpm --rebuilddb
  • mv /usr/lib/tls /usr/lib/tls.disabled
  • yum update
  • yum install vim-minimal dhclient openssh-clients
  • vi /etc/hosts
  • echo sys.xen.independent_wallclock = 1 >> /etc/sysctl.conf
  • exit
  • for i in console null zero ; do /sbin/MAKEDEV -d /srv/ngproxy/dev -x $i ; done
  • umount /srv/ngproxy/proc/; umount /srv/ngproxy/
  • xm create -c
  • login as root
  • yum install vim-enhanced iptables ntp yp-tools mailx postfix nss_ldap tcsh sudo lsof
  • mv /lib/tls /lib/tls-disabled
  • chkconfig --add ntpd; chkconfig ntpd on; service ntpd start; service postfix start
  • yum install openssh-server
  • cd /tmp/
  • ./j2sdk-1_4_2_10-linux-i586-rpm.bin
  • rpm -ivh j2sdk-1_4_2_10-linux-i586.rpm
  • export JAVA_HOME=/usr/java/j2sdk1.4.2_10
  • cd /etc/yum.repos.d/
  • wget http://vpac.org/grid/files/vpac.repo
  • wget http://vpac.org/grid/files/dag.repo
  • rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
  • yum install man

Install MyProxy only (from globus)

  • yum install globus
  • mkdir /usr/local/src/globus
  • chown globus:globus /usr/local/src/globus
  • cd /usr/local/src/globus/
  • su globus
  • tar xjf ../gt4.0.1-all-source-installer.tar.bz2
  • cd /usr/local/src/globus/gt4.0.1-all-source-installer

  • ./configure --disable-prewsgram --disable-gridftp --disable-rls --disable-wsjava --disable-wsmds --disable-wsdel --disable-wsrft --disable-wsgram --disable-rendezvous --disable-wscas --disable-wsc --disable-tests --disable-wstests --disable-webmds --disable-gsiopenssh
  • make
  • make install

  • exit
  • cp /usr/local/globus/share/myproxy/myproxy-passphrase-policy /etc/
  • chmod +x /etc/myproxy-passphrase-policy
  • perl -MCPAN -e 'install Crypt::Cracklib'
  • cp /usr/local/globus/share/myproxy/etc.init.d.myproxy /etc/init.d/myproxy
  • vi /etc/init.d/myproxy (edit GLOBUS_LOCATION)
  • chmod +x /etc/init.d/myproxy
  • cp /usr/local/globus/share/myproxy/myproxy.cron /etc/cron.daily/
  • cp /usr/local/globus-4.0.1/etc/myproxy-server.config /etc/
  • vi /etc/myproxy-server.config
    accepted_credentials  "/C=AU/O=APAC-GRID/*"
    authorized_retrievers "*"
    default_retrievers "/C=AU/O=APAC-GRID/*"
    passphrase_policy_program /etc/myproxy-passphrase-policy
    
  • chkconfig --add myproxy

Disable other scripts

  • cd /etc/cron.hourly
  • mv 01-gridmap-local.cron 01-gridmap-local.cron.swp
  • mv 02-gridmap-conf.cron 02-gridmap-conf.cron.swp
  • mv 03-gridmap-gen.cron 03-gridmap-gen.cron.swp
  • chkconfig gsiftp off
  • chkconfig pbs-logmaker off
  • chkconfig postgresql off
  • chkconfig globus off
  • rm /etc/grid-security/grid-mapfile*

Failover support:

  • yum install unison
  • ssh-keygen -b 2048 -t dsa
  • vi /root/.unison/myproxy.prf
    root = /var/myproxy/
    root = ssh://myproxy2.apac.edu.au//var/myproxy/
    batch = true
    prefer = /var/myproxy/
    silent = true
    #terse = true
    contactquietly = true
    repeat = 10
  • unison myproxy

Xen Config:

kernel = "/boot/vmlinuz-2.6.11-xenU"
memory = 256
name = "ngproxy"
cpu = -1   # leave to Xen to pick
disk = [ 'phy:VolumeGroup00/ngProxyRoot,sda1,w',
         'phy:VolumeGroup00/ngProxySwap,sda2,w']
root = "/dev/sda1"
extra = "ro selinux=0 3"
nics = 1
vif = [ 'mac=aa:bb:cc:dd:ee:40, bridge=xen-br2' ]

Firewall

If you don't use a corporate firewall, you can use this iptables script:

#!/bin/bash

# Abort execution on error
set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

IPTABLES=/sbin/iptables

MYPROXY_PORT=7512
SSH_PORT=22

SSH_ALLOWED_HOSTS="firewall.vpac.org 131.181.240.30 131.181.86.102"

$IPTABLES -F
$IPTABLES -X

# Accept lo
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

# Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT

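# Allow replies to connections that are already established
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# MyProxy is reachable from any source address
$IPTABLES -A INPUT -p tcp --dport $MYPROXY_PORT -j ACCEPT

# SSH is reachable only from the listed hosts; a hostname in the list is
# resolved once, at the time the rule is added
for IP in $SSH_ALLOWED_HOSTS
do
        $IPTABLES -A INPUT -p tcp -s "$IP" --dport $SSH_PORT -j ACCEPT
done

# Explicit catch-all rules (same effect as the default policies above)
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j ACCEPT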

NOTE: Running this script will remove any rules you already have in place.

In CentOS, run the command

service iptables save

to make the firewall rules persist across a restart of the machine.

-- SamMorrison- 27 Aug 2007
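
To confirm that the rules actually loaded match what the firewall script above intends, the saved rule set can be audited. This is an added example, not part of the original page: the function names and both sample rule sets are constructed, and it assumes input in the format printed by iptables-save.

```sh
# Added example: audit iptables-save style INPUT rules against the policy the
# page's script intends. Sample rule sets below are constructed.
MYPROXY_PORT=7512
SSH_PORT=22

# Reads rules on stdin; prints one FAIL line per finding, nothing if clean.
audit_input_rules() {
    awk -v myproxy="$MYPROXY_PORT" -v ssh="$SSH_PORT" '
    $1 == ":INPUT" && $2 != "DROP" { print "FAIL default INPUT policy is " $2 }
    $1 == "-A" && $2 == "INPUT" {
        src = ""; dport = ""; target = ""; scoped = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "-i" && $(i + 1) == "lo") scoped = 1
            if ($i == "--state" && $(i + 1) !~ /NEW/) scoped = 1
        }
        if (target != "ACCEPT") next
        if (dport == "") { if (!scoped) print "FAIL unrestricted ACCEPT: " $0; next }
        if (dport == myproxy) { seen = 1; next }
        if (dport == ssh && src != "" && src != "0.0.0.0/0") next
        print "FAIL port " dport " open to " (src == "" ? "any source" : src)
    }
    END { if (!seen) print "FAIL no ACCEPT rule for MyProxy port " myproxy }'
}

sample_good() {
    cat <<'EOF'
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7512 -j ACCEPT
-A INPUT -s 131.181.240.30 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF
}
sample_bad() {
    cat <<'EOF'
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
EOF
}

sample_good | audit_input_rules
sample_bad | audit_input_rules
```

On a live host the input would come from iptables-save run as root; an empty result means the INPUT chain matches the intended policy.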

Topic attachments

  • myproxy-passphrase-policy (0.5 K, 30 Apr 2006 - 19:55, AshleyWright): MyProxy Password Policy Program
  • myproxy-server.config (7.4 K, 30 Apr 2006 - 19:55, AshleyWright): MyProxy Server Config file

Topic revision: r13 - 27 Aug 2007 - 10:26:56 - AshleyWright
APACgrid.VmdetailsMyproxy moved from APACgrid.VmdetailsNgMyproxy on 03 Jan 2006 - 06:42 by AshleyWright - put it back
 