GRID

From I.N.F.N. Wiki

Reference Guide

This document describes how to access and use the GRID infrastructure @INFN-PISA. Previous experience is not required to read this guide and to start using the GRID architecture.

This brief howto is based on several Grid user's guides, as listed in the References and Bibliography section. Authorized by Italian Grid Infrastructure http://www.italiangrid.org

Author: Federico Calzolari


Access the GRID

Get a personal certificate

The authentication of users in grid infrastructures is based on X.509 certificates, which are issued by certification authorities (CA). These CAs, mostly covering one country, form grid trust federations in order to allow users to access different grid infrastructures across different nations using only one X.509 certificate.

The personal certificate is released by a Certification Authority that is accredited by the European Policy Management Authority for Grid Authentication (EUGridPMA). EUGridPMA is the international organisation which coordinates the trust fabric for e-Science grid authentication in Europe. The Grid accredited authority for Italy is the INFN Certification Authority. The certificate has to be installed on a User Interface where you have an account. These are the steps to get your personal certificate from INFN CA:

  1. install the Certification Authority certificate in your browser
  2. identify yourself to the Registration Authority (RA) in your department and ask for an ID. If no Registration Authority is available in your organization, a new one has to be defined
  3. ask for your Personal Certificate using the ID given to you by the RA
  4. install your Personal Certificate in your browser (the same browser as in step 1). You have to wait a couple of days to receive an e-mail with a web link to the page containing your certificate.
  5. export your Personal Certificate from your browser
  6. copy your Personal Certificate to your home directory on a User Interface where you have an account

Additional documentation

More information on the process described above is provided here: INFN-GRID personal certificates howto http://igi.cnaf.infn.it/sites/default/files/certificates.pdf

For an exhaustive guide on certificates please refer to: A Brief Guide to Certificate Management http://igi.cnaf.infn.it/sites/default/files/certmgr.pdf

A good introduction on Grid security is also available from the Globus site: Overview of the Grid Security Infrastructure http://www.globus.org/security/overview.html

Register to a VO

Users need to be authenticated and authorized in order to get access to grid resources. To this end, users need to be members of one or more Virtual Organisations (VOs) through subscription to the relevant VOs. A VO is a user group whose members usually work in similar or related research activities, or are part of the same collaboration; for this reason they typically need the same application software on the grid and have similar middleware requirements.

VOs can be national or global in scope. VOs are described by a VO Identification card. The list of VOs enabled in the pan-European grid infrastructure, the respective discipline cluster, and the list of VOs that are currently enabled in IGI can be consulted on the CIC Portal. Click here for more information on the scientific disciplines supported by IGI and the European Grid EGI.

Become a VO member

To become a VO member, a registration request needs to be submitted and then approved by the respective VO manager.

Please select the VO of interest at page http://www.italiangrid.org/grid_operations/users/getting_started/VO and click on the respective cell to start the registration process.

User Interface

In order for you to access the grid you need an account on a UserInterface (UI).

The UserInterface is the user's "door" to the grid. Once you've got an account on a UI you can login and submit your jobs from your home directory on the UserInterface.

You've got four possibilities to access a UI:

  1. Install/Configure a UserInterface through yum/yaim on a dedicated PC
  2. Identify an existing UserInterface and ask for an account on it
  3. Use the AFS CERN User Interface [suggested method]
  4. Use the GENIUS portal https://genius.ct.infn.it

UI yaim

Installation through yum and configuration through yaim is suggested if you want to set up a node of the Grid with all the Grid elements (CE, SE, WN, UI). This is a task typically reserved to a site manager.

Please refer to the Installation section https://twiki.cern.ch/twiki/bin/view/LCG/GenericInstallGuide320

UI user

If you work at one of these sites, ask the site manager for an account on a UI server:

User Interface

INSTITUTE  LOCATION    UI HOSTNAME            CONTACT
INFN       Bari        gridba1.ba.infn.it     grid-prod@ba.infn.it
INFN       Bologna     boalice12.bo.infn.it   grid-prod@bo.infn.it
INFN       Cagliari    grid004.ca.infn.it     grid-prod@ca.infn.it
INFN       Catania     genius.ct.infn.it      grid-prod@ct.infn.it
INFN       Ferrara     grid1.fe.infn.it       grid-prod@fe.infn.it
INFN       Genova      gridui.ge.infn.it      grid-prod@ge.infn.it
INFN       Lecce       gridui.le.infn.it      grid-prod@le.infn.it
INFN       Legnaro PD  lcgui.lnl.infn.it      grid-prod@lnl.infn.it
INFN       Milano      ui.mi.infn.it          grid-prod@mi.infn.it
INFN       Napoli      atlasui01.na.infn.it   grid-prod@na.infn.it
INFN       Padova      prod-ui-02.pd.infn.it  grid-prod@pd.infn.it
INFN       Parma       grid-ui.pr.infn.it     grid-prod@pr.infn.it
INFN       Pisa        gridui.pi.infn.it      grid-prod@pi.infn.it
INFN       Roma        beta.roma1.infn.it     grid-prod@roma1.infn.it
INFN       Roma2       atlas2.roma2.infn.it   grid-prod@roma2.infn.it
INFN       Roma2       grid001.roma2.infn.it  grid-prod@roma2.infn.it
INFN       Roma3       ui-01.roma3.infn.it    grid-prod@roma3.infn.it
INFN       Roma3       ui-02.roma3.infn.it    grid-prod@roma3.infn.it
INFN       Torino      lcg-ui.to.infn.it      grid-prod@to.infn.it
CIRMMP     Firenze     ui-enmr.cerm.unifi.it  grid-prod@cerm.unifi.it

UI AFS

By far the simplest way to get a UI on your own machine, e.g. a laptop, is to use an AFS client and access the CERN AFS UI http://pps-public-wiki.egee.cesga.es/cgi-bin/moin.cgi/Using_the_AFS_UI_at_CERN listed above, i.e. essentially sourcing the script:

unset  GLITE_ENV_SET
source /afs/cern.ch/project/gd/LCG-share/current/external/etc/profile.d/grid-env.sh

or the .csh variant, depending on the shell you use,

and configuring your Virtual Organization related environment:

export EDG_WL_UI_CONFIG_VO=$HOME/.glite/rb.conf
export EDG_WL_UI_CONFIG_VAR=$HOME/.glite/setup.conf
export GLITE_WMS_CLIENT_CONFIG=$HOME/.glite/vo.conf
#export X509_VOMS_DIR=~/.glite/vomsdir
#export X509_CERT_DIR=~/.glite/certificates
#export LFC_HOST=`lcg-infosites --vo <VO> lfc`

Configuration:

$HOME/.glite/rb.conf

[
  VirtualOrganisation = "<VO>";
  ## RB list:  gridit-rb-01.cnaf.infn.it egee-rb-01.cnaf.infn.it
  NSAddresses = "egee-rb-01.cnaf.infn.it:7772";
  LBAddresses = "egee-rb-01.cnaf.infn.it:9000";
  ## HLR location is optional. Uncomment and fill correctly for
  ## enabling accounting
  #HLRLocation = "fake HLR Location"
  ## MyProxyServer is optional. Uncomment and fill correctly for
  ## enabling proxy renewal. This field should be set equal to
  ## MYPROXY_SERVER environment variable
  MyProxyServer = "myproxy.cnaf.infn.it";
]

$HOME/.glite/setup.conf

[
  rank = - other.GlueCEStateEstimatedResponseTime;
  requirements = other.GlueCEStateStatus == "Production";
  RetryCount = 3;
  ErrorStorage = "/tmp";
  OutputStorage = "/tmp";
  ListenerPort = 44000;
  ListenerStorage = "/tmp";
  LoggingTimeout = 30;
  LoggingSyncTimeout = 30;
  # LoggingDestination = "my-rb.cern.ch:9002";
  # Default NS logger level is set to 0 (null)
  # max value is 6 (very ugly)
  NSLoggerLevel = 0;
  DefaultLogInfoLevel = 0;
  DefaultStatusLevel = 0;
  DefaultVo = "unspecified";
]

$HOME/.glite/vo.conf

[
  WmsClient = [
    virtualorganisation = "<VO>";
    requirements = other.GlueCEStateStatus == "Production";
    MyProxyServer = "myproxy.cnaf.infn.it";
    WMProxyEndpoints = {
      "https://glite-rb-00.cnaf.infn.it:7443/glite_wms_wmproxy_server"
    };
    ListenerStorage = "/tmp/jobOutput";
    ErrorStorage = "/tmp/jobOutput";
    ShallowRetryCount = 10;
    AllowZippedISB = true;
    PerusalFileEnable = false;
    rank = - other.GlueCEStateEstimatedResponseTime;
    OutputStorage = "/tmp/jobOutput";
    RetryCount = 3;
    ];
]

$HOME/.glite/vomses

"biomed" "cclcgvomsli01.in2p3.fr" "15000" "/O=GRID-FR/C=FR/O=CNRS/OU=CC-LYON/CN=cclcgvomsli01.in2p3.fr" "biomed"
"cdf" "voms-01.pd.infn.it" "15001" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "cdf"
"babar" "voms.gridpp.ac.uk" "15002" "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk" "babar"
"bio" "voms-01.pd.infn.it" "15007" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "bio"
"compchem" "voms-01.pd.infn.it" "15003" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "compchem"
"enea" "voms-01.pd.infn.it" "15005" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "enea"
"gridit" "voms-01.pd.infn.it" "15008" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "gridit"
"inaf" "voms-01.pd.infn.it" "15010" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "inaf"
"infngrid" "voms-01.pd.infn.it" "15000" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "infngrid"
"ingv" "voms-01.pd.infn.it" "15011" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "ingv"
"omiieurope" "omii001.cnaf.infn.it" "15001" "/C=IT/O=INFN/OU=Host/L=CNAF/CN=omii001.cnaf.infn.it" "omiieurope"
"pamela" "voms-01.pd.infn.it" "15013" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "pamela"
"planck" "voms-01.pd.infn.it" "15002" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "planck"
"theophys" "voms-01.pd.infn.it" "15006" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "theophys"
"virgo" "voms-01.pd.infn.it" "15009" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "virgo"
"libi" "voms-01.pd.infn.it" "15015" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "libi"
"eumed" "voms2.cnaf.infn.it" "15016" "/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it" "eumed"
"euchina" "voms2.cnaf.infn.it" "15017" "/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it" "euchina"
"picard" "kuiken.nikhef.nl" "15010" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl/" "picard"
"crusher" "kuiken.nikhef.nl" "15012" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl/" "crusher"
"riker" "kuiken.nikhef.nl" "15011" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl/" "riker"
"EGEE" "kuiken.nikhef.nl" "15001" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl/" "EGEE"

AFS Install

RedHat, ScientificLinux

Install the AFS package

yum install openafs-client kernel-module-openafs-`uname -r`

Configuration:

Setup the cache size

cat << EOF > /usr/vice/etc/cacheinfo
/afs:/var/cache/openafs:100000
EOF

Setup the AFS Cell [you can set INFN-PISA as Cell Server]

cat << EOF > /usr/vice/etc/ThisCell
pi.infn.it
EOF

Start the AFS service

/etc/init.d/afs start

Debian, Ubuntu

Install the AFS package

apt-get install openafs-client openafs-modules-source

Configuration:

Setup the cache size

cat << EOF > /etc/openafs/cacheinfo
/afs:/var/cache/openafs:100000
EOF

Setup the AFS Cell [you can set INFN-PISA as Cell Server]

cat << EOF > /etc/openafs/ThisCell
pi.infn.it
EOF

Install the module installer assistant

apt-get install module-assistant

Install the required modules

module-assistant prepare openafs-modules
module-assistant auto-build openafs-modules
m-a install openafs-modules-source
insmod /lib/modules/`uname -r`/fs/openafs.ko

Start the AFS service

/etc/init.d/openafs-client start

GENIUS portal

The GENIUS portal https://genius.ct.infn.it is a web portal jointly developed by INFN and Nice srl within the INFN Grid Project. It is based on the Enginframe grid portal framework. GENIUS will also be the default portal for generic applications in EGEE.

Install the certificate

Conversion: p12 to pem

Many of the certificate authorities deliver certificates through a web browser. To use these certificates with Globus, they must be exported from the browser and then reformatted for Globus. Exporting is browser-specific so you will need to follow the help provided with your browser. Once you have extracted the certificate you should have a file with a p12 extension. This file is in the PKCS12 format; you will need to change this to PEM format. If the edg-utils package is installed on your machine, simply executing /opt/edg/bin/pkcs12-extract will create appropriate certificate and key files and place them in the standard location. This is a convenience method for the following:

openssl pkcs12 -nocerts         -in cert.p12 -out ~user/.globus/userkey.pem
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~user/.globus/usercert.pem

The first command gives you your private key; this file must be readable only by you (e.g. unix permission 0600). The second command gives you your public certificate (e.g. unix permission 0644). The ~user should be replaced by the path to your home area. The .globus subdirectory is the standard place to put your certificates.

Commandline UI

Log in via ssh to a UserInterface (UI), then:

mkdir -p $HOME/.globus
openssl pkcs12 -clcerts -nokeys -in <your cert> -out $HOME/.globus/usercert.pem
openssl pkcs12 -nocerts         -in <your cert> -out $HOME/.globus/userkey.pem
chmod 400 $HOME/.globus/userkey.pem
chmod 644 $HOME/.globus/usercert.pem
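The permission rules stated above can be verified after the conversion. The script below is an added example, not part of the original guide or of Globus; `audit_globus_dir` and `perm_bits` are hypothetical helper names. It also catches the case where `-nokeys` was left out and the private key ended up in the readable certificate file.

```shell
#!/bin/sh
# Added example: audit the files produced by the two openssl commands above.
# audit_globus_dir is a hypothetical helper name, not a Globus or gLite tool.

# perm_bits FILE -> the nine rwx characters from `ls -ld`, e.g. rw-r--r--
perm_bits() {
    ls -ld -- "$1" | cut -c2-10
}

# Prints one line per finding; returns 0 if the directory is clean, else 1.
audit_globus_dir() {
    key="$1/userkey.pem"
    cert="$1/usercert.pem"
    findings=0

    if [ ! -f "$key" ]; then
        echo "MISSING: $key"; findings=$((findings + 1))
    else
        # Private key: no access for group or others (0400 or 0600).
        case $(perm_bits "$key") in
            ???------) ;;
            *) echo "LOOSE KEY: $key is $(perm_bits "$key")"
               findings=$((findings + 1)) ;;
        esac
        # Catches a certificate saved under the key file name.
        if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key"; then
            echo "NOT A KEY: $key"; findings=$((findings + 1))
        fi
    fi

    if [ ! -f "$cert" ]; then
        echo "MISSING: $cert"; findings=$((findings + 1))
    else
        # The certificate is public, but only the owner may replace it.
        case $(perm_bits "$cert") in
            ????w????|???????w?)
               echo "WRITABLE CERT: $cert is $(perm_bits "$cert")"
               findings=$((findings + 1)) ;;
        esac
        # Omitting -nokeys writes the private key into this readable file.
        if grep -q -e 'PRIVATE KEY-----' "$cert"; then
            echo "KEY IN CERT FILE: $cert"; findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_globus_dir "$HOME/.globus"`; a non-zero exit status means at least one finding was printed.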

Use the GRID

Get a Proxy certificate

A Proxy Certificate is a certificate that is derived from, and signed by, a normal X.509 Public Key End Entity Certificate or by another Proxy Certificate for the purpose of providing restricted proxying and delegation within a PKI based authentication system. It is based on X.509 Public Key Infrastructure (PKI) certificates - as defined in RFC 3280 - for use in the Internet.

VOMS (Virtual Organization Membership Service) is a system to classify users that are part of a Virtual Organization (VO) on the basis of a set of attributes that will be granted to them upon request and to include that information inside Globus-compatible proxy certificates.

If you are already part of a VO, you can use voms-proxy-init to create a GSI proxy with special permissions that your VO entitles you to. The proxy is fully compatible with the standard Globus proxy format, but it has additional VO-related attributes in it. Grid services that you will subsequently authenticate with may be configured to read these attributes from your proxy and perform decisions based on their values.

When you run voms-proxy-init, it contacts your VO's VOMS server, authenticates to it using your "normal" proxy, receives the VO-specific attributes, and creates a new proxy with these attributes. To specify the name of the VO to contact, use the --voms option, e.g.:

voms-proxy-init --voms <VO>

voms-proxy-init finds the address of the server for the given VO by looking through a series of configuration directories, namely:

  • /etc/vomses
  • $X509_VOMS_DIR environment variable
  • ~/.edg/vomses

voms-proxy-init example

[username@UI ~]$  voms-proxy-init --voms VO
  Enter GRID pass phrase:
  Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=City/CN=Name Surname
  Creating temporary proxy .................................. Done
  Contacting  voms.ca.infn.it:15001 [/C=IT/O=INFN/OU=Host/CN=voms.ca.infn.it] "VO" Done
  Creating proxy .................................... Done
  Your proxy is valid until Mon Jan 01 12:00:00 2010
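The host, port and server DN that voms-proxy-init prints when contacting the server come from the vomses entry for the VO, in the format of the `$HOME/.glite/vomses` listing earlier on this page. The script below is an added example, not part of the original guide or of gLite: `lint_vomses`, `vomses_endpoint` and `sample_vomses` are hypothetical helper names, the `voms.example.org` entry is constructed, and the five-field line format shown on this page is assumed.

```shell
#!/bin/sh
# Added example: lint a vomses file in the five-field form shown on this page:
#   "alias" "host" "port" "server certificate DN" "vo"
# lint_vomses and vomses_endpoint are hypothetical helper names.

lint_vomses() {   # prints one finding per problem; exit status 1 if any
    awk -F'"' '
        /^[ \t]*$/ { next }
        NF != 11 { printf "line %d: expected 5 quoted fields\n", NR; bad++; next }
        {
            host = $4; port = $6; dn = $8
            if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) {
                printf "line %d: bad port \"%s\"\n", NR, port; bad++
            }
            # The DN is the identity the client expects from the VOMS server.
            # In every entry on this page its CN equals the host, so a
            # mismatch is flagged for review.
            cn = dn; sub(/.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
            if (cn != host) {
                printf "line %d: CN \"%s\" does not match host \"%s\"\n", NR, cn, host; bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

vomses_endpoint() {   # print host:port for VO $2 in file $1 (first match)
    awk -F'"' -v vo="$2" 'NF == 11 && $10 == vo { print $4 ":" $6; exit }' "$1"
}

# Constructed sample: line 2 has a stray space in the port, line 3 pairs a
# placeholder host with the DN of a different server.
sample_vomses() {
    cat <<'EOF'
"cdf" "voms-01.pd.infn.it" "15001" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "cdf"
"compchem" "voms-01.pd.infn.it" "15003 " "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "compchem"
"demo" "voms.example.org" "15020" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "demo"
"picard" "kuiken.nikhef.nl" "15010" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl/" "picard"
EOF
}
```

Run `lint_vomses` against each vomses file in the lookup locations listed above before relying on it.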

Create a JDL

The following document provides the specification of the Job Description Language (JDL) attributes supported by the gLite software. The attributes and features it describes are fully supported only if the job submission to WMS is performed through the WMProxy, i.e. the Web services based interface to the gLite Workload Management System: https://edms.cern.ch/file/590869/1/EGEE-JRA1-TEC-590869-JDL-Attributes-v0-9.pdf

Submit a job

Here is a list of some helpful online job submission and JDL tutorials:

Retrieve the Output

Data Management

After this tutorial you will be able to use files stored on the Grid for your computational task and store files created by your job on a Grid SE.

This tutorial http://iag.iucc.ac.il/workshop/data_management.htm provides a complete example to:

  • Prepare input files on an SE for running jobs
  • Create a job which downloads these input files and uses them
  • Take the job output and upload it to the SE
  • Download the job output to the UI

References and Bibliography

Information in this guide is taken primarily from: