cluster:Cfengine/228/server

From Dgiref

Please open a NGI-DE ticket if you experience any Installation or Configuration problem.

Cfengine/228/server

Prepare

Operating system

Scientific Linux version 4.5 64 bit

Optimizing the configuration: 

Use minimal operating system installation without firewall.
To verify installed packages use the command 
rpm -qa | grep package_name
Install the following additional packages:
yum -y install wget yum rpm make gcc gcc-c++ tar sed zlib openssl
After the installation is complete, turn off any unnecessary services (like gpm, sendmail, cups, haldaemon, messagebus, pcmcia, anacron, atd) with the following command: 
chkconfig <SERVICE> off

Configure the following settings for the server:

Additional software packages

Berkeley DB version 4
OpenSSL (openssl.i686 krb5-libs.i386 openldap.i386 cyrus-sasl.i386 compat-openldap.i386)

Firewall configuration

Port 5308 should be open (how to open port in firewall).

administrator's script: prepare.sh

```
 
```
```
#!/bin/bash
```

# prepare cfengine server for installation

REPO_URL="http://svn.rz.uni-karlsruhe.de/svn/dgiref/PROD/cf3/repl/repos/external/"

wget -O /etc/yum.repos.d/sl-dgiref.repo ${REPO_URL}/sl-dgiref.repo

```
yum -y install db4
```

yum -y install openssl.i686 krb5-libs.i386 openldap.i386 cyrus-sasl.i386 compat-openldap.i386

Install

The following steps are needed to install a Cfengine Server. Execute as root user:

administrator's script: install.sh

```
 
```
```
#!/bin/bash
```
```
# install cfengine server 
```
```
# Choose the OS architecture: 
```
```
OS_arch="x86_64"   # x86_64 for 64 bit
```
```
# OS_arch="i386"   # i386 for 32 bit
```
```
# Scientific Linux installation:
```

yum -y install cfengine-2.2.8-1.el4.rf.${OS_arch}

# If you are installing the Cfengine Client on Scientific Linux you have to do the following:

```
mkdir -p /var/cfengine/outputs 
```
```
chmod go-rx /var/cfengine/outputs
```

ln -s /var/cfengine/masterfiles/inputs /var/cfengine/inputs

Configure

Setup basic configuration files

You must edit the following files to reflect your hostnames, domain name a.s.o.

cfagent.conf
update.conf (change your domain and IP address for your policyhost (cfengine server))
cf.main (change your site, domain  and IP address for your policyhost (cfengine server))
cf.site (list of name of config files which should be distributed - and edit the /etc/motd on client)
cf.groups (edit role_cfengine_master and group your hosts with equal services together)
cfservd.conf (change domain name and grant access for the files, which will be distributed)

Setup the configuration for each file/directory which should be distributed:

cf.CAcerts (distribute the ROOT CA certificates)
cf.dgridmap (distribute the /etc/grid-security/grid-mapfile)
cf.etc-group (distribute the file /etc/group)
cf.etc-passwd (distribute the file /etc/passwd)
cf.ogsadai-roles (update the ogsadai role mapping)
cf.unicore-uudb (update the Unicore UUDB)

Keep data sets, which will be distributed with cfengine up to date

Many data sets or directories are distributed with cfengine in this reference installation. So additional work should be done on the cfengine server to keep these files up to date:

/etc/grid-security/certificates/*: The Revocation lists must be up to date every day. So get the newest ROOT CA certificates and install the fetch-crl script.
The scripts for updating /etc/group and /etc/passwd are also distributed and then executed with cfengine.
The dgridmap script for updating grid-mapfiles should run every day, to support all VO and local users
The script for updating the OGSA-DAI role mapping have to be executed on the OGSA-DAI server
The script for updating the Unicore UUDB have to be executed on the Unicore NJS server

The Following Steps are needed:

ROOT CA certificates Update
merge-passwd.pl and merge-group.pl scripts for updating the /etc/passwd and /etc/group. In order to update the full list of users (VO users AND all local users), the following two perl scripts are distributed by the cfengine server to all nodes: Merge-passwd.pl for updating passwd; Merge-group.pl for updating groups (VOs). These scripts will be executed after distribution and needs as inputs the actual passwd and group files for D-Grid users: passwd-dgrid actual passwd file; group-dgrid actual group file
script dgridmap for updating the user mapping on all middleware frontends
updateRoleMap.sh script for updating the role mapping for OGSA-DAI. In order to update the role mapping for OGSA-DAI from the newest ogsadai grid-mapfile, the following script is distributed by the cfengine server and will be executed only on the ogsadai server: /etc/grid/etc/updateRoleMap.sh for updating OGSA-DAI role mapping
updateUUDB.sh script for updating the UUDB for Unicore. In order to update the UUDB for Unicore from the newest D-Grid UUDB file, the following script is distributed by the cfengine server and will be executed only on the Unicore NJS server: /etc/grid/etc/updateUUDB.sh for updating the Unicore UUDB

In order to update the full list of users (VO users AND all local users), the following two perl scripts are distributed by the cfengine server to all nodes:

script:Merge-passwd.pl for updating passwd 
script:Merge-group.pl for updating groups (VOs)

These scripts will be executed after distribution and needs as inputs the actual passwd and group files for D-Grid users:

passwd-dgrid actual passwd file 
group-dgrid actual group file

administrator's script: configure.sh

```
 
```
```
#!/bin/bash
```
```
# configure cfengine server
```
```
cfagent -q -v --update-only 
```
```
 
```
```
# 1- ROOT CA certificates Update
```
```
 
```

# get ROOT-CA-certificates RPM and install:

wget -r -l1 -np -nH -nd -A.noarch.rpm http://glitesoft.cern.ch/LCG-CAs/current/RPMS.production/ .

```
rpm -ivh * 
```
```
 
```
```
# or yum install ROOT CA certificates:
```
```
vi /etc/yum.repos.d/lcg-CA.repo 
```
```
[CA] 
```
```
name    = CAs 
```

baseurl = http://linuxsoft.cern.ch/LCG-CAs/current

```
enabled = 1 
```
```
protect = 0 
```
```
yum install lcg-CA
```
```
 
```

# fetch-crl script for updating the ROOT-CA Revocation lists

rpm -ivh http://glitesoft.cern.ch/EGEE/gLite/R3.1/lcg-CE/sl4/i386/RPMS.externals/fetch-crl-2.6.3-1.noarch.rpm

```
 
```

# setup the cron-job for updating the ROOT CA revocation lists

```
vi /etc/cron.d/fetch-crl: 
```
```
PATH=/sbin:/bin:/usr/sbin:/usr/bin 
```

50 3,14,19 * * * root /software/scripts/fetch-crl >> /var/log/fetch-crl-cron.log 2>&1

```
 
```

# 2- merge-passwd.pl and merge-group.pl scripts for updating the /etc/passwd and /etc/group

# The two script and the actual passwd-dgrid / group-dgrid files must be placed e.g. in the directory /etc/grid/etc/

```
mkdir /etc/grid
```
```
cd /etc/grid
```
```
mkdir /etc/
```
```
 
```

# edit the passwd and group files to be sure that all supported users / VOs are up to date.

```
vi  etc/passwd-dgrid 
```
```
vi  etc/group-dgrid
```

# be sure that the two scripts are executable

```
chmod 755 etc/merge-passwd.pl
```
```
chmod 755 etc/merge-group.pl
```
```
 
```

# 3- script dgridmap for updating the user mapping on all middleware frontends

```
# download the dgridmap script 
```
```
cd /usr/local/sbin/
```

wget https://dispatch.fz-juelich.de:8814/dgridmap --no-check-certificate

```
# create a cron job to be run every day
```
```
vi /etc/cron.daily/mk-dgridmap.sh 
```
```
 
```
```
outdir=/etc/grid-security
```
```
outfile=grid-mapfile
```
```
outfileogsa=grid-mapfile-ogsa
```
```
outfileunicore=UUDB.in
```
```
logfile=/var/local/log/mk-dgridmap.log
```
```
echo "" >> $logfile
```
```
echo "starte $0 ($(date))" >> $logfile
```

/usr/local/sbin/dgridmap -output-g $outdir/$outfile -pre dg >> $logfile 2>&1

/usr/local/sbin/dgridmap -output-o $outdir/$outfileogsa -pre dg >> $logfile 2>&1

/usr/local/sbin/dgridmap -output-u $outdir/$outfileunicore -pre dg >> $logfile 2>&1

```
echo "beende $0 ($(date))" >> $logfile
```
```
 
```

# 4- updateRoleMap.sh script for updating the role mapping for OGSA-DAI

```
# manually
```

# 5- updateUUDB.sh script for updating the UUDB for Unicore

```
# manually
```
```
 
```
```
exit 0
```

Proceed

To start/stop cfengine use the commands:

administrator's script: proceed.sh

```
 
```
```
#!/bin/bash
```
```
# Start cfengine 
```

# first start of cfengine to get he whole configuration files from server to client:

```
cfagent -q -v --update-only
```

# start of cfengine to get the files which should be distributed:

```
cfagent -q -v
```
```
cfshow --last-seen 
```
```
cfshow --performance
```
```
 
```
```
exit 0
```

Initial test

Try examining the output:

administrator's script: test.sh

```
 
```
```
#!/bin/bash
```
```
# test cfengine server installation
```
```
 
```
```
cfagent -p -d3
```
```
 
```
```
exit 0
```

Update

To update/reinstall/delete cfengine packages, use:

administrator's script: update.sh

```
 
```
```
#!/bin/bash
```
```
#update cfengine
```
```
# Reinstall packages:
```

rpm -Uvh --force package-to-reinstall.rpm

```
 
```
```
# delete installation:
```
```
rpm -evh --force package-to-delete.rpm
```
```
 
```
```
exit 0
```

cluster:Cfengine/228/server

Contents

Cfengine/228/server

Prepare

Install

Configure

Proceed

Initial test

Update

Views

Personal tools

general

guidelines

reference installation

Search

internal

Toolbox