AliEn2 'Site' Installation Guide
Installing AliEn2 is very simple, but please read attentively everything written herein; most complaints received were
simply the result of admins skipping paragraphs in this wiki.
Please remember that the uid used for installation (protopop in this example) has to have site-wide access and
that the installation should be visible from the worker nodes (compute farm).

Don't install as root.
The front end machine should run the same platform as the worker nodes and contain a full linux installation, including:
- termcap
- python-devel
- libbz2-devel
- libX11-devel
- libXpm
- libXext-devel
- libxft-devel
- gcc
- g++
- gfortran
- g77
This is important if we choose to distribute our software packages as source and compile them locally via a postinstall script.
Submit info
To register your site, you should obtain a host certificate from your local CA (see below), and fill in and submit the following info:
The grid administrator has to do a few things before you can connect:
- add your site to the LDAP
- open the firewall for incoming communication from your site
- add your IP to /etc/hosts.allow
- create your SE database
After you complete your installation, check whether the above actions are completed before you bring your site online.
Prerequisites
There are a few prerequisites regarding the OS of the head and worker nodes:
- We suggest that you run Scientific Linux 4.5 or later
- The headnode and worker nodes must share the same OS and platform. This is because the software packages distributed as source are compiled by PackMan on the headnode and must be able to run on the worker nodes.
- You must have an English locale on your system
Current version
Current version is: 2-17. Double-check this here: http://mlr2.gla.ac.uk:7001/stats?page=services_status
Installation
There is a very simple way to install if you are able to use the default settings.
Make sure your ~/.alien/installer.rc contains only these two lines:
ALIEN_INSTALLER_PREFIX=/path/to/your/installation/alien
ALIEN_INSTALLER_TYPE="site+lcg+xrootd+monitor"
where /path/to/your/installation should be replaced with the actual path (no symbolic links in the path please) to your alien installation.
Then download:
[protopop@panda ~]$ wget http://alien.cern.ch/alien-auto-installer
make it executable, and run it
[protopop@panda ~]$ chmod u+x alien-auto-installer
[protopop@panda ~]$ ./alien-auto-installer
If it installs successfully, then skip to 'Configuration'. Else, please report any problems to the grid admin.
Configuration
First add the alien bin directory to the path:
[protopop@panda ~]$ export PATH=/panda/users/protopop/installation/alien/bin:${PATH}

IMPORTANT: To avoid complications during future automatic upgrades, please
do not create a symbolic link in /bin, but set the PATH as shown above.
It is important to add the alien directory at the beginning of the PATH, because on some Linux distributions there is another application called alien, a package utility. Don't confuse them.
You now have to create a ~/.alien/Environment configuration file that should look like this (nothing more):
[protopop@panda ~]$ cat ~/.alien/Environment
export ALIEN_USER=pbarserv
export ALIEN_ORGANISATION=PANDA
# Set this on your PBS or LSF nodes, so that jobs are run on a local disk
export ALIEN_WORKDIR=/tmp/panda-workdir
Where pbarserv is now the alien user who runs the services. It means that the actual user
id (protopop in this example) is irrelevant, since the login to alien will be done as pbarserv.

Do not confuse the alien user with the local user. The local user (protopop in this example)
is the uid under which you installed the gridware and who will run the services. The alien user
(pbarserv in this example) is the uid assigned to you in LDAP by the grid administrator. File ownerships
are important.
If your Linux installation's locale is not English, add these lines to your ~/.alien/Environment:
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
Otherwise, some scripts will not work properly (e.g. a 'yes' will be given when a 'ja' or 'oui' is expected).
You will have to obtain a digital certificate from your local Certification Authority (CA). Once you obtain it, you have to copy the host certificate and key into the directory ~/.globus/:
[protopop@panda ~]$ mkdir ~/.globus
[protopop@panda ~]$ cd ~/.alien
[protopop@panda ~]$ ln -s ~/.globus globus
[protopop@panda ~]$ ls -la ~/.globus/
-rw-r--r-- 1 protopop pandagrid 3608 Sep 30 18:01 usercert.pem
-rw------- 1 protopop pandagrid 886 Sep 30 18:01 userkey.pem
Please pay attention to the correct file permissions.
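A check of the permissions in the listing above, as an added example that is not part of the original guide or of AliEn. The function names are hypothetical, and the accepted modes are an assumption based on the listing: the key has no group or world bits, the certificate is writable by its owner only.

```shell
#!/bin/sh
# Added example (not part of the AliEn distribution): verify that ~/.globus
# matches the listing above. Function names are hypothetical.

# perm_string FILE: the 10-character mode string, as printed by "ls -l".
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# check_globus DIR: return 0 if certificate and key are present, owned by
# the calling user and no more open than in the listing; 1 otherwise.
check_globus() {
    dir=$1
    rc=0
    for f in usercert.pem userkey.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            return 1
        fi
        # The services run as the local user, so that user must own the files.
        [ -O "$dir/$f" ] || { echo "$dir/$f: not owned by $(id -un)" >&2; rc=1; }
    done

    # Private key: owner read (and optionally write), nothing for anyone else.
    key=$(perm_string "$dir/userkey.pem")
    case $key in
        -r?-------) ;;
        *) echo "userkey.pem is $key, expected -rw-------" >&2; rc=1 ;;
    esac

    # Certificate: public, but writable by the owner only.
    cert=$(perm_string "$dir/usercert.pem")
    case $cert in
        -r???-??-?) ;;
        *) echo "usercert.pem is $cert, expected -rw-r--r--" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Stand-alone use: sh check_globus.sh ~/.globus
if [ "$#" -gt 0 ]; then
    check_globus "$1"
fi
```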
There are other configuration files that you should have. Create the directory structure:
[protopop@panda ~]$ mkdir -p ~/.alien/etc/aliend/PANDA
Then put there the following file, which is read by MonaLisa and tells it to which organization to report status.
[protopop@panda ~]$ cat ~/.alien/etc/aliend/startup.conf
#Startup configuration for alien
ALIEN_ORGANISATIONS="PANDA"
Then there is another file which contains the settings for aliend, and it is self-explanatory. For example, I have services
MonaLisa, Monitor, CE and PackMan:
[protopop@panda ~]$ cat ~/.alien/etc/aliend/PANDA/startup.conf
#Startup configuration for alien
#User under which services will run locally. Not the alien user!
AliEnUser=protopop
AliEnCommand="/panda/users/protopop/installation/alien/bin/alien"
#Services to start (no need for explicit FTD after version 2.17)
AliEnServices="MonaLisa SE Monitor CE PackMan"
but you will have to customize it as per your local configuration.
Configuration for xrootd
Obtain the authz_xrootd.tgz from the grid administrator. Unpack it in the home directory of the user that runs alien:
[protopop@panda ~]$ tar -zxvf authz_xrootd.tgz
.authz/xrootd/
.authz/xrootd/lpub.pem
.authz/xrootd/TkAuthz.Authorization
.authz/xrootd/rpriv.pem
[protopop@panda ~]$ cat .authz/xrootd/TkAuthz.Authorization
KEY VO:* PRIVKEY:/home/protopop/.authz/xrootd/rpriv.pem PUBKEY:/home/protopop/.authz/xrootd/lpub.pem
EXPORT PATH:/ VO:* ACCESS:ALLOW CERT:*
RULE PATH:/ AUTHZ:read|write|write-once|delete| NOAUTHZ:| VO:*| CERT:*
Edit the file TkAuthz.Authorization to have the correct paths for your system.
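One way to confirm that the edited paths are correct, as an added example that is not part of the original guide, AliEn or xrootd. The function names are hypothetical, and the sample is the file shown above with the key directory passed in as a parameter.

```shell
#!/bin/sh
# Added example (not part of xrootd or AliEn): confirm that the key files
# named in TkAuthz.Authorization exist. Function names are hypothetical.

# key_paths FILE: print "PRIVKEY <path>" and "PUBKEY <path>" for KEY lines.
key_paths() {
    awk '$1 == "KEY" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(PRIVKEY|PUBKEY):/) {
                tag = $i;  sub(/:.*/, "", tag)
                path = $i; sub(/^[A-Z]+:/, "", path)
                print tag, path
            }
    }' "$1"
}

# check_authz FILE: return 0 only if every key path is absolute and readable.
check_authz() {
    list=$(key_paths "$1")
    if [ -z "$list" ]; then
        echo "$1: no KEY line with PRIVKEY:/PUBKEY: found" >&2
        return 1
    fi
    rc=0
    while read -r tag path; do
        case $path in
            /*) [ -r "$path" ] || { echo "$tag: cannot read $path" >&2; rc=1; } ;;
            *)  echo "$tag: $path is not an absolute path" >&2; rc=1 ;;
        esac
    done <<EOF
$list
EOF
    return "$rc"
}

# Constructed sample: the file shown above, with the key directory as $1.
sample_authz() {
    cat <<EOF
KEY VO:* PRIVKEY:$1/rpriv.pem PUBKEY:$1/lpub.pem
EXPORT PATH:/ VO:* ACCESS:ALLOW CERT:*
RULE PATH:/ AUTHZ:read|write|write-once|delete| NOAUTHZ:| VO:*| CERT:*
EOF
}
```

Run it as `check_authz ~/.authz/xrootd/TkAuthz.Authorization` after editing the file.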
Access to ports
If your headnode is behind a firewall, you will have to ask your sysadmin to
let through connections from the server and the other panda grid sites.
The port range to be opened is: 8081-9000. Please take the list of hostnames from this MonALISA table.
Please make sure that those hostnames are also allowed by your /etc/hosts.allow configuration.
There is a bug in the SL default configuration, so please check that your /etc/hosts is correct.
It should be like:
[protopop@panda ~]$ cat /etc/hosts
#127.0.0.1 localhost.localdomain localhost panda.gla.ac.uk panda # WRONG!
127.0.0.1 localhost.localdomain localhost # OK
# Add here
#'your IP number' 'your computer's name' 'your computer's shortname'
130.209.45.237 panda.gla.ac.uk panda # OK
The line commented out and labeled 'WRONG!' would make your daemons listen on the localhost ports, and hence not be
visible from outside.
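The /etc/hosts check described above, as an added example that is not part of the original guide or of AliEn. The function names are hypothetical, and the two samples are constructed from the 'WRONG!' and 'OK' layouts shown above.

```shell
#!/bin/sh
# Added example (not part of AliEn): flag an /etc/hosts that binds the
# machine's own name to loopback. Function names are hypothetical.

# check_hosts FILE FQDN: return 0 if FQDN maps to a non-loopback address and
# neither FQDN nor its short name appears on a 127.x.x.x or ::1 line.
check_hosts() {
    awk -v fqdn="$2" '
        BEGIN { short = fqdn; sub(/\..*/, "", short) }
        { sub(/#.*/, "") }                 # strip comments
        NF < 2 { next }
        {
            loopback = ($1 ~ /^127\./ || $1 == "::1")
            for (i = 2; i <= NF; i++) {
                if ($i != fqdn && $i != short) continue
                if (loopback) {
                    printf "line %d: %s is bound to %s\n", FNR, $i, $1
                    bad = 1
                } else if ($i == fqdn) {
                    routable = 1
                }
            }
        }
        END {
            if (!routable) { print "no non-loopback entry for " fqdn; bad = 1 }
            exit bad + 0
        }
    ' "$1" >&2
}

# Constructed samples, taken from the two layouts shown above.
sample_hosts_wrong() {
    cat <<'EOF'
127.0.0.1 localhost.localdomain localhost panda.gla.ac.uk panda
EOF
}
sample_hosts_ok() {
    cat <<'EOF'
127.0.0.1 localhost.localdomain localhost
130.209.45.237 panda.gla.ac.uk panda
EOF
}

# Stand-alone use: sh check_hosts.sh /etc/hosts "$(hostname -f)"
if [ "$#" -eq 2 ]; then
    check_hosts "$1" "$2"
fi
```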
Services
Enable the proxy for authentication:
[protopop@panda ~]$ alien proxy-init -valid 100:0
Your identity: /C=GB/O=GRID/OU=PANDA/CN=pc1.panda.gla.ac.uk
Creating proxy .................................................................... Done
Your proxy is valid until: Mon Oct 10 06:59:08 2008
If you get an authentication error, please try alien login -debug 5 and look for
Server said: server_step error. If this error message is present, then please make sure
your time and date are properly set (we suggest you use ntpd).
Try starting MonaLisa and the site services, for example.
[protopop@panda ~]$ alien StartSE
Starting with generic Service.pl
Starting the "Storage_element"
"Storage_element" started with 0 (pid 11058)
Log file: /tmp/PANDA/log/SE.log
[protopop@panda ~]$ tail -f /tmp/PANDA/log/SE.log
The services can be started by hand, one by one:
[protopop@panda ~]$ alien Start[service]
where [service] is one of MonaLisa, SE, Monitor, CE or PackMan. The services (configured in
~/.alien/etc/aliend/PANDA/startup.conf) can all be started via aliend with the command
[protopop@panda ~]$ $ALIEN_ROOT/etc/rc.d/init.d/aliend start
Make the alien services start at boot time by logging in as root and doing:
[protopop@panda ~]$ cd /etc/rc.d/init.d/
[protopop@panda ~]$ ln -s $ALIEN_ROOT/etc/rc.d/init.d/aliend .
[protopop@panda ~]$ chkconfig aliend on
On some platforms the procedure might be different, but you get the general idea.
Once you start MonaLisa, it should take 5-10 minutes before you will see your site on our MonALISA repository.
You can check services status on http://mlr2.gla.ac.uk:7001/stats?page=services_status

You must re-install this package after each middleware upgrade. Install the
MonALISA control module with:
[protopop@panda ~]$ alien login
...
[pgdb1.physics.gla.ac.uk:3307] /panda/user/p/pbarserv/ > packman remove pbarprod@mlcert::1.0
[pgdb1.physics.gla.ac.uk:3307] /panda/user/p/pbarserv/ > packman install pbarprod@mlcert::1.0

Check the installation and make sure it finished successfully. If the OS language is not set to English it might fail,
and you should run the postinstall by hand and reply with "ja" or "si" instead of "yes".
If you cannot remove the pbarprod@mlcert::1.0 package via packman, then exit the alien prompt, cd to the packages directory (~/.alien/packages/),
find and remove the mlcert directory. Then re-enter the alien prompt and continue with the install.
Troubleshooting
Please reread this manual attentively. If the problem persists, read TroubleshootingCommonErrors. If the problem still persists, contact GridGroup.

Comments and suggestions should be sent to DanProtopopescu.
Related topics: PANDA Grid
-- DanProtopopescu - 10 Nov 2009