Internal MWT2 note: this PUBLIC VERSION of the DeployingOSG1dot0onUCT2P documented installation.


These are installation notes for OSG 1.0 on (site name UC_ATLAS_MWT2). This is being installed before the official OSG 1.0 release date and therefore before the official documentation is available. For now:

Host assignments for the UC_ATLAS_MWT2 "site plan":
  • is the CE
  • is the $APP and wn-client host; exports /share and also /etc/grid-security.
  • atlashome is the home server for the usatlas1 user
  • se5 is the /home for all other users




  • cd /opt/pacman; source; cd /opt/osg-1.0.0
  • export VDTSETUP_CONDOR_LOCATION=/opt/condor/
  • export
  • export OLD_VDT_LOCATION=/opt/osg-0.8.0
  • PATH=$PATH:/opt/condor/bin/

Install of the CE package

  • pacman -get OSG:ce-1.0.0 (Note: this is a pre-release version. After 6/13/08, use pacman -get OSG:ce.)
  • source
  • pacman -get OSG:Globus-Condor-Setup-1.0.0

Managed Fork

  • I decide to skip the managed-fork in this installation.

Authorization mode: full privilege


  • No change


  • vdt-control --enable gums-host-cron
  • $VDT_LOCATION/gums/scripts/gums-host-cron
  • logout

Configuring attributes

  • Reference
  • cd /opt/osg-1.0.0/
  • source
  • cd monitoring
  • export OLD_VDT_LOCATION=/opt/osg-0.8.0/
  • / -e
  • vi extracted-config.ini and modify for updates
    • disabled managed fork
    • changed these from /osg-0.8.0:
    • gridftp_log = /opt/osg-1.0.0/globus/var/gridftp.log
    • user_vo_map = /opt/osg-1.0.0/monitoring/grid3-user-vo-map.txt
    • osg = /opt/osg-1.0.0
  • ./ -c -f ./extracted-config.ini

Turning on services

To disable services so they don't restart after reboot or full =vdt-control --on=:
  • vdt-control --disable fetch-crl, etc.

[root@tier2-osg ~]# vdt-control --list
Service            | Type   | Desired State
fetch-crl          | cron   | do not enable
vdt-rotate-logs    | cron   | enable
vdt-update-certs   | cron   | do not enable
gris               | init   | do not enable
globus-gatekeeper  | inetd  | enable
gsiftp             | inetd  | enable
mysql              | init   | enable
globus-ws          | init   | do not enable
edg-mkgridmap      | cron   | do not enable
gums-host-cron     | cron   | enable
MLD                | init   | do not enable
condor-cron        | init   | enable
apache             | init   | enable
osg-rsv            | init   | do not enable
tomcat-55          | init   | enable
syslog-ng-sender   | init   | do not enable
gratia-condor      | cron   | enable

Installing worker node client

  • On tier2-05. Also exports certificates and CRLs for the cluster.
  • Update pacman
  • cd /export/share/wn-client; source
  • Inspect it:
    root@tier2-05 wn-client]# vdt-control --list
    Service            | Type   | Desired State
    fetch-crl          | cron   | enable
    vdt-rotate-logs    | cron   | enable
    globus-ws          | init   | do not enable
  • vdt-control --off
  • Move to wn-client-0.8.0.
  • cd /export/share; mkdir wn-client; cd wn-client
  • logout/login
  • cd /share/wn-client Must invoke pacman from this directory (/export/share is bind mounted to /share)
  • pacman -get OSG:wn-client-1.0.0
  • Answers:
    • y to trusting caches
    • y to liscenses
    • y to logfile rotation
    • y to CRLs
    • y to certificates
    • r (root) - install into /etc/grid-security/certificates
  • source
  • vdt-control --on
  • Check crontab -l; should be something like:
[root@tier2-05 wn-client]# crontab -l
56 1 * * * /share/wn-client/fetch-crl/share/doc/fetch-crl-2.6.6/fetch-crl.cron
0 0 * * * /share/wn-client/vdt/bin/vdt-rotate-logs
29 * * * * /share/wn-client/vdt/sbin/vdt-update-certs-wrapper --vdt-install /share/wn-client --called-from-cron

Requesting a service certificate for RSV

  • Reference
  • [root@tier2-osg ~]# cert-request -ou s -service rsv -host -label
  • This produced two files: /root/rsv-tier2-osg.uchicago.edukey.pem and /root/
  • Went home
  • Next morning, got an email from which said to do: # cert-retrieve -serialnum 24546, but this wont work because of the options used. Note - this has to be done from the directory where cert-request was invoked, as well.
  • cert-retrieve -help
  • [root@tier2-osg ~]# cert-retrieve -serialnum 24546  -dir ~/. -label
  • [root@tier2-osg ~]# mv hostcert.pem /etc/grid-security/rsvcert.pem
  • [root@tier2-osg ~]# mv hostkey.pem /etc/grid-security/rsvkey.pem

Create the rsvuser account

  • Charles created rsvuser using standard Unix utility and propagating /etc/passwd, etc. to all nodes in the cluster.

GUMS configuration for RSV service certificate

  • Reference here is
  • Note: On uct2-grid4, the name of the rsv group is rsvgroup and the rsv user is rsvuser.
  • Added rsvgroup to the UC hostToGroupMapping:
             groupToAccountMappings='rsvgroup,cernusatlas, cernatlas, cernusatlasSoft, cernusatlasProd, mis, osg, gums-test, localusers'
  • Added the DN /DC=org/DC=doegrids/OU=Services/CN=rsv/ to the rsvgroup via the web interface, 'Manual User Group Members' -- SarahWilliams - 13 Jun 2008

Now, returning to RSV configuration


  • Changed /opt/osg/globus/certificates to point to /etc/grid-security/certificates (which is a sym link to the exported /share/certificates from tier2-05, which is being updated automatically by the updater that was installed with wn-client on that host. This makes the org.osg.certificates.crl-expiry RSV probe error go away.

Re-configuring RSV

  • Sometimes, running configure_osg can make the rsv config disappear. To re-enable it:
 /opt/osg-1.0.0/vdt/setup/configure_osg_rsv --consumers --server y --init --grid-type OSG --user rsvuser --ce-probes --ce-uri --gridftp-probes --gridftp-uri --gridftp-dir /share/data/rsvdata/ --gratia --setup-for-apache --use-rsv-cert --rsv-cert-file /etc/grid-security/rsvcert.pem --rsv-key-file /etc/grid-security/rsvkey.pem --rsv-proxy-out-file /tmp/rsvproxy --verbose
--Main.SarahWilliams 2009 02 22

Update of Gratia probes to 1.02.1-5

  • CharlesWaldman - 22 Feb 2009
  • Updated Gratia probes at suggestion of Chris Green, to solve excessive CPU usage problem.
  • cd /opt/osg; .; pacman -update
  • After this, RSV is not working. Fixed this by adding the following stanza to /opt/osg/apache/http.conf (this was clobbered by the update)
<Directory "/opt/osg/osg-rsv/output/html">
    Options None
    AllowOverride None

    Order allow,deny
    Allow from all
Alias /rsv /opt/osg/osg-rsv/output/html

-- RobGardner - 13 Jun 2008
Topic revision: r3 - 17 Apr 2009, RobGardner
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback