Install Globus Toolkit 4.0.x on CentOS

+

CentOS logo

Disclosure: this tutorial is intended for legacy applications which mandatory need the version 4.0.x of Globus Toolkit. If you don’t have an impelling reason to install that particular version, it is highly recommended that you install the latest version available of Globus Toolkit from its official web site and follow the installation guide of the official documentation.

  1. Install Sun JDK 1.6 following these instructions;
  2. install Perl XML Parser:
    root:# yum -y install perl-XML-Parser
  3. install and configure PostgreSQL 7.1+:
    root:# yum install -y postgresql-server postgresql-odbc
    root:# service postgresql start
    root:# ntsysv

    scroll down the list of services until you reach postgresql, select the checkbox beside it and press OK in order to automatically load the service at every boot;

    root:# vim /var/lib/pgsql/data/postgresql.conf

    uncomment the line beginning with “listen_addresses” by removing the initial #, and set it to listen_addresses = ‘*’

    root:# vim /var/lib/pgsql/data/pg_hba.conf

    add the following line to the bottom of the file, replacing the “160.100.100.111” with the public external IP:

    host rftDatabase "globus" "160.100.100.111" 255.255.255.255 md5

    then run:

    root:# service postgresql restart
  4. create the ant environment variables:
    root:# mkdir /usr/share/java/lib
    root:# cp /usr/share/java/ant-1.6.5.jar /usr/share/java/lib
    root:# cp /usr/share/java/ant-launcher-1.6.5.jar /usr/share/java/lib
  5. create the file /etc/profile.d/ant.sh and paste into it:
    export ANT_HOME=/usr/share/java
    export JAVA_HOME=/usr/lib/jvm/java-1.6.0-sun-1.6.0.11
    export PATH=${PATH}:${ANT_HOME}/bin

    then run:

    root:# chmod +x /etc/profile.d/ant.sh
    root:# source /etc/profile.d/ant.sh

    note: when you change your java virtual machine (JVM) version through the alternatives system remember you need to edit the ant.sh accordingly, that is you must replace “jdk1.6.0_06” with the name of the directory of the new JVM version you switched to, and then you must log out and log back in in order to make the changes have effect;

  6. create the globus environment variables:
    root:# vim /etc/profile.d/globus.sh

    and paste into it the following lines:

    export GLOBUS_LOCATION=/usr/local/globus-4.0.8
    export GLOBUS_OPTIONS=-Xmx1024m
    PATH=$PATH:$GLOBUS_LOCATION/bin
    source $GLOBUS_LOCATION/etc/globus-user-env.sh

    Note: by default on Sun JVMs a 64MB maximum heap size is used. It is recommended to increase the maximum heap size of the JVM when running the container. Above we have set the maximum JVM heap size to 1024MB with the GLOBUS_OPTIONS=-Xmx1024m. To figure out a reasonable -Xmx you should ensure that the total of the -Xmx settings does not exceed the “spare” memory on your server. You can figure your “spare” memory by stopping your Java processes and starting up everything else that is normally running on your server. By running “free -m” you may know how much memory you are using. If you subtract that value from your total memory and then subtract a bit more (for safety) that will be the maximum you should allocate with -Xmx.

    Then run:

    root:# chmod +x /etc/profile.d/globus.sh
  7. create a user named “globus”:
    root:# useradd globus
    root:# passwd globus
  8. now for the Globus Toolkit installation you can choose between either procedure (1) (which will take several hours to complete) or procedure (2) (quicker).
    1. Install from the official Globus Toolkit source installer (as globus user):
      • download the Full Toolkit Source Installer from here and place it in your globus user home directory;
      • do not apply the Java 1.6 patch: despite the fact that the software prerequisites of the Globus Toolkit 4.0.x installation guide states that in order to install the toolkit from the source installer using Java 6 you must apply a given patch, unofficial sources from the gt-user mailing-list, together with our own experience, suggest that Globus Toolkit 4.0.8 doesn’t actually need this patch, because it already supports Java 6.
      • run the following commands:
        root:# mkdir /usr/local/globus-4.0.8/
        root:# chown globus. /usr/local/globus-4.0.8/
        root:# source /etc/profile.d/globus.sh
      • enter the directory where you have downloaded the installer, then run:
        globus:$ tar xjvf gt4.0.8-all-source-installer.tar.bz2
        globus:$ cd gt4.0.8-all-source-installer
        globus:$ ./configure --prefix=/usr/local/globus-4.0.8/
                                                          --with-iodbc=/usr/lib
        globus:$ make | tee installer.log


        (time for a coffee break here, the build will take over an hour, possibly longer depending on how fast your machine is)

      • if everything went fine in the end you should see “Your build completed successfully. Please run make install”; so now run:
        globus:$ make install
    2. Install from the unofficial Globus Toolkit binaries compiled by me for CentOS 5.2:
      • as root, download the Globus Toolkit CentOS 5.2 binaries from here;
      • move the downloaded file in your /user/local/ directory;
      • enter that directory and run:
        root:# tar xzvf gt4.0.8-x86_centos_5.2-installer.tar.gz
        root:# source /etc/profile.d/globus.sh
        root:# chown globus. -R globus-4.0.8/
      • then as globus user run:
        globus:$GLOBUS_LOCATION/sbin/gpt-postinstall
  9. if your machine is under a DHCP server then you must add an entry to your /etc/hosts file putting the IP address and full the hostname of the machine (e.g. 160.100.100.11 hostname.example.com)
  10. run:
    root:# vim /etc/grid-security/grid-mapfile

    copy and paste into the grid-mapfile all the distinguished names of the users and machines which are going to use your container; for example:

    "/O=Grid/OU=Monty Python/CN=Graham Chapman" graham
    "/O=Grid/OU=Monty Python/CN=John Cleese" john
    "/O=Grid/OU=Monty Python/CN=Terry Gilliam" terry
    "/O=Grid/OU=Monty Python/CN=Eric Idle" eric
    "/O=Grid/OU=Monty Python/CN=Terry Jones" terry
    "/O=Grid/OU=Monty Python/CN=Michael Palin" michael
    
    "/O=Grid/CN=host/mercury.domain.com" globus
    "/O=Grid/CN=host/venus.domain.com" globus
    "/O=Grid/CN=host/earth.domain.com" globus
    "/O=Grid/CN=host/mars.domain.com" globus
  11. do the Security set up by following these instructions;
  12. at the end of the procedure your certificates should be inside the /etc/grid-security directory and they should have the following permissions and owners:
    -rw-r--r--  1 globus globus 2710 2005-11-15 07:48 containercert.pem
    -r--------  1 globus globus  887 2005-11-15 07:48 containerkey.pem
    -rw-r--r--  1 root   root   2710 2005-11-15 07:47 hostcert.pem
    -r--------  1 root   root    887 2005-11-15 07:40 hostkey.pem

    where containercert.pem is a copy of hostcert.pem, and containerkey.pem is a copy of hostkey.pem. If the permissions or owners are not as indicated above then you can change them by running:

    root:# chown globus. containercert.pem containerkey.pem
    root:# chown root. hostcert.pem hostkey.pem
    root:# chmod 644 containercert.pem hostcert.pem
    root:# chmod 400 containerkey.pem hostkey.pem
  13. install GridFTP:
    • run:
      root:# yum install -y xinetd
    • create the file /etc/xinetd.d/gridftp and paste into it:
      service gsiftp
      {
      instances       = 100
      socket_type     = stream
      wait            = no
      user            = root
      env             += GLOBUS_LOCATION=/usr/local/globus-4.0.8
      env             += LD_LIBRARY_PATH=/usr/local/globus-4.0.8/lib
      env             += GLOBUS_TCP_PORT_RANGE=50000,55000
      server          = /usr/local/globus-4.0.8/sbin/globus-gridftp-server
      server_args     = -i
      log_on_success  += DURATION
      nice            = 10
      disable         = no
      }
    • run:
      root:# service xinetd start
  14. configure RFT:
    • run:
      root:# su postgres -c "createuser -P globus"

      when prompted answer to the questions in the following way:

      Shall the new role be a superuser? (y/n) n
      Shall the new role be allowed to create databases? (y/n) y
      Shall the new role be allowed to create more new roles? (y/n) n
    • run:
      globus:$ createdb rftDatabase
      globus:$ psql -d rftDatabase -f
                          $GLOBUS_LOCATION/share/globus_wsrf_rft/rft_schema.sql
    • open the file $GLOBUS_LOCATION/etc/globus_wsrf_rft/jndi-config.xml
    • look for the “dbConfiguration” resource and:
      • change the “password” parameter from “foo” to the one you entered when creating the user globus in PostgresSQL;
      • also check that the value of the “connectionString” parameter contains the full address of your machine (e.g. “jdbc:postgresql://machine.domain.org/rftDatabase”).
  15. configure GRAM:
    • run:
      root:# visudo

      and add the two following lines:

      globus  ALL=(username1,username2) NOPASSWD:
      /usr/local/globus-4.0.8/libexec/globus-gridmap-and-execute -g
      /etc/grid-security/grid-mapfile
      /usr/local/globus-4.0.8/libexec/globus-job-manager-script.pl *
      
      globus  ALL=(username1,username2) NOPASSWD:
      /usr/local/globus-4.0.8/libexec/globus-gridmap-and-execute -g
      /etc/grid-security/grid-mapfile
      /usr/local/globus-4.0.8/libexec/globus-gram-local-proxy-tool *

      where the user names “username1” and “username2” are to be substituted with a comma-separated list of usernames that you actually want the user “globus” to be able to sudo to (i.e. “jack,tom”). Also, make sure these two entries are each on a single line. If there are any line breaks within an entry then it won’t work.

    • to check whether GRAM is working run as normal user:
      user:$ globusrun-ws -submit -c /bin/touch touched_it

      if everything is working fine you should see something like this:

      Submitting job...Done.
      Job ID: uuid:6adb70fa-62d1-11dc-92fe-0013d46f2605
      Termination time: 09/15/2007 14:47 GMT
      Current job state: Active
      Current job state: CleanUp
      Current job state: Done
      Destroying job...Done.
  16. configure your firewall according to this extensive documentation.
    • Essentially you need to set up both the firewall of the machine where you installed Globus Toolkit and the router to which the machine is connected in order to accept traffic on ports 8443 (for the Globus Container), 2811 (for Gridftp) 8080 (for the Globus Container with no security) plus the port range set in the GLOBUS_TCP_PORT_RANGE variable in the Gridftp script (we used 50000-55000 in this tutorial). You can do that either by accepting all traffic to those ports or accepting only the one coming from known machines.
    • To see the rules currently enforced by your firewall run:
      root:# cat /etc/sysconfig/iptables
    • if the client and server of your application resides on different networks, you may get an error like the following:
      org.globus.common.ChainedIOException: Authentication failed
      [Caused by: Operation unauthorized (Mechanism level: Authorization failed.
      Expected "/CN=host/192.168.0.50" target but received "/O=KGrid/CN=host/your.globus.machine.domain.net")]

      then you need to add the following line to your /etc/hosts file

      192.168.0.50 your.globus.machine.domain.net

      where 192.168.0.50 is the local IP address of the LAN where the Globus machine is connected.

Errors reports and suggestions are more than welcome. Please leave a comment if you have faced and solved a problem which is not mentioned here or even only to say whether this tutorial has been of any help to you.

Some other installation notes for globus on CentOS can be found at this page.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s