2. Configuring the Master Node

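This is a lab environment, so we use SimpleCA for encryption and authentication.
Here I used a physical-host-plus-virtual-machine setup: the physical host is the master node and the virtual machine is the child node. The IP addresses are copied straight from my lab.
We need to make sure the host name is not the default localhost.localdomain localhost.
Host [xx1.com]: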
ip:211.67.141.181
mask:255.255.255.0
gateway:211.67.141.1

Virtual machine [xx2.com]:
ip:211.67.141.189
mask:255.255.255.0
gateway:211.67.141.1

First, look at the host:
# vi /etc/sysconfig/network

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=xx1.com

It is best to change this host name so that both nodes sit under the same domain.
For example, in the lab I used:
gridnodeone.hnufe.edu.cn
gridnodetwo.hnufe.edu.cn

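The names xx1.com and xx2.com here were filled in arbitrarily, which causes trouble later, especially when copying files with gridftp.
[You may not follow this short passage yet; feel free to skip it.]
When you copy a file with a command such as
globus-url-copy gsiftp://xx1.com/etc/group gsiftp://xx2.com/test.copy
the domain name may fail to resolve, or you may be told that the domain name does not match the IP address. If so, the problem is most likely here, and this is the direction to look in.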


I did not use a DNS service either [because I don't understand it]. A classmate later told me that the /etc/hosts file is enough.
So I changed /etc/hosts to the following:
# more /etc/hosts

127.0.0.1 localhost.localdomain localhost
211.67.141.181 xx1.com xx1
211.67.141.189 xx2.com xx2

Then I check again that the host name is correct:
# more /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=xx1.com

With the host name changed, we can install SimpleCA.

Change to the following directory:
[globus@xx1 globus]$ pwd
/usr/local/globus/setup/globus

Run the setup program. If you get the output below, GLOBUS_LOCATION is not set:
[globus@xx1 globus]$ ./setup-simple-ca

WARNING: GLOBUS_LOCATION not set, assuming:
GLOBUS_LOCATION=/usr/local/globus/setup/globus//setup-simple-ca


WARNING: GPT_LOCATION not set, assuming:
GPT_LOCATION=/usr/local/globus/setup/globus//setup-simple-ca


ERROR: Your globus install has not been setup correctly
/usr/local/globus/setup/globus//setup-simple-ca/libexec/globus-script-initializer not found
You most likely need to run gpt-postinstall for this globus install

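I recommend writing GLOBUS_LOCATION into /etc/profile, because debugging the container later needs this variable and exporting it by hand every time is a real nuisance.
Here we simply export it: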
[globus@xx1 globus]$ export GLOBUS_LOCATION=/usr/local/globus/

Run the command again:
[globus@xx1 globus]$ ./setup-simple-ca

WARNING: GPT_LOCATION not set, assuming:
GPT_LOCATION=/usr/local/globus/



C e r t i f i c a t e A u t h o r i t y S e t u p

This script will setup a Certificate Authority for signing Globus
users certificates. It will also generate a simple CA package
that can be distributed to the users of the CA.

The CA information about the certificates it distributes will
be kept in:

/home/globus/.globus/simpleCA/

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-xx1.com, ou=GlobusTest, o=Grid

Do you want to keep this as the CA subject (y/n) [y]:

As you can see, with the host as the master node, ou=simpleCA-xx1.com. This is why the host name was changed above.

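Just press Enter. It then asks for an e-mail address; anything will do here. This is the address people use to request certificates from you.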

Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA):

Next comes the certificate expiry date, five years by default; just press Enter:

The CA certificate has an expiration date. Keep in mind that
once the CA certificate has expired, all the certificates
signed by that CA become invalid. A CA should regenerate
the CA certificate and start re-issuing ca-setup packages
before the actual CA certificate expires. This can be done
by re-running this setup script. Enter the number of DAYS
the CA certificate should last before it expires.
[default: 5 years (1825 days)]:

It then prompts for a pass phrase for opening the certificate, and asks you to confirm it:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

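Then comes more output, showing where the public and private keys are stored and where the distribution package is [the distribution package can be used to configure child nodes]: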
-------------------------------------------------------------------

The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem

The distribution package built for this CA is stored in

/home/globus/.globus/simpleCA//globus_simple_ca_b62cb8c1_setup-0.19.tar.gz

This file must be distributed to any host wishing to request
certificates from this CA.

CA setup complete.

The following commands will now be run to setup the security
configuration files for this CA:

$GLOBUS_LOCATION/sbin/gpt-build /home/globus/.globus/simpleCA//globus_simple_ca_b62cb8c1_setup-0.19.tar.gz

$GLOBUS_LOCATION/sbin/gpt-postinstall
-------------------------------------------------------------------

At last it is done and SimpleCA has been generated, but the output tells us there is one more step:
Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:

/usr/local/globus//setup/globus_simple_ca_b62cb8c1_setup/setup-gsi

For further information on using the setup-gsi script, use the -help
option. The -default option sets this security configuration to be
the default, and -nonroot can be used on systems where root access is
not available.

***************************************************************************

setup-ssl-utils: Complete

Let's check that the distribution package really was generated:
[globus@xx1 globus]$ ls ~/.globus/simpleCA/
cacert.pem crl grid-ca-ssl.conf newcerts serial
certs globus_simple_ca_b62cb8c1_setup-0.19.tar.gz index.txt private

Next we make the host [xx1.com] trust our Globus certificate, so we switch to root:

[globus@xx1 globus]$ su - root
口令:

Run the last command:
# export GLOBUS_LOCATION=/usr/local/globus/

# /usr/local/globus/setup/globus_simple_ca_b62cb8c1_setup/setup-gsi -default
setup-gsi: Configuring GSI security
Making /etc/grid-security...
mkdir /etc/grid-security
Making trusted certs directory: /etc/grid-security/certificates/
mkdir /etc/grid-security/certificates/
Installing /etc/grid-security/certificates//grid-security.conf.b62cb8c1...
Running grid-security-config...
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete

Going by the output above, let's see what has appeared in the corresponding directories.
# ls /etc/grid-security/certificates/
b62cb8c1.0 globus-host-ssl.conf.b62cb8c1 grid-security.conf.b62cb8c1
b62cb8c1.signing_policy globus-user-ssl.conf.b62cb8c1

# ls /etc/grid-security/
certificates globus-host-ssl.conf globus-user-ssl.conf grid-security.conf

These are all SimpleCA configuration files; for what each one does, see the relevant documentation.


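Now the host needs to request a certificate and have it signed by SimpleCA.

If you are configuring your own setup, change xx1.com to the name of your own master node.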

# ./grid-cert-request -host xx1.com
Generating a 1024 bit RSA private key
.++++++
..........................++++++
writing new private key to '/etc/grid-security/hostkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 Organization [Grid]:Level 0 Organizational Unit [GlobusTest]:Level 1 Organizational Unit [simpleCA-xx1.com]:Name (e.g., John M. Smith) []:

A private host key and a certificate request has been generated
with the subject:

/O=Grid/OU=GlobusTest/OU=simpleCA-xx1.com/CN=host/xx1.com

----------------------------------------------------------

The private key is stored in /etc/grid-security/hostkey.pem
The request is stored in /etc/grid-security/hostcert_request.pem

Please e-mail the request to the Globus Simple CA cy_xiaoxiao@yahoo.com.cn
You may use a command similar to the following:

cat /etc/grid-security/hostcert_request.pem | mail cy_xiaoxiao@yahoo.com.cn

Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.

Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at cy_xiaoxiao@yahoo.com.cn

# pwd
/etc/grid-security

When it finishes, the following files exist:
/etc/grid-security/hostkey.pem
/etc/grid-security/hostcert_request.pem
/etc/grid-security/hostcert.pem (empty file)

Let's check that this is the case:
# ls -la *pem
-rw-r--r-- 1 root root 0 07-04 23:16 hostcert.pem
-rw-r--r-- 1 root root 1377 07-04 23:16 hostcert_request.pem
-r-------- 1 root root 887 07-04 23:16 hostkey.pem

The next step is to take on the SimpleCA role and sign the host's certificate request.

First copy the request file to /usr/local/globus/bin:
# cp /etc/grid-security/hostcert_request.pem /usr/local/globus/bin/

Switch to the globus user, because on this host SimpleCA was created as the globus user:
# su - globus

[globus@xx1 ~]$ cd /usr/local/globus/bin

Sign the certificate:
[globus@xx1 bin]$ ./grid-ca-sign -in hostcert_request.pem -out hostcert.pem

To sign the request
please enter the password for the CA key:

The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem

Copy the signed certificate back, overwriting the original empty file:
[globus@xx1 bin]$ su - root
口令:

# cp /usr/local/globus/bin/hostcert.pem /etc/grid-security/
cp:是否覆盖“/etc/grid-security/hostcert.pem”? yes

Check: there is no empty file any more.
# ls /etc/grid-security/*pem -la
-rw-r--r-- 1 root root 2632 07-04 23:32 /etc/grid-security/hostcert.pem
-rw-r--r-- 1 root root 1377 07-04 23:16 /etc/grid-security/hostcert_request.pem
-r-------- 1 root root 887 07-04 23:16 /etc/grid-security/hostkey.pem

All three files are owned by root, but gridftp needs them and we start the web container as the globus user, so we need two sets of credentials, one for root and one for globus:
# cp hostcert.pem containercert.pem

# cp hostkey.pem containerkey.pem

# chown globus.globus container*.pem

# ls -la *pem
-rw-r--r-- 1 globus globus 2632 07-04 23:38 containercert.pem
-rw-r--r-- 1 globus globus 887 07-04 23:38 containerkey.pem
-rw-r--r-- 1 root root 2632 07-04 23:32 hostcert.pem
-rw-r--r-- 1 root root 1377 07-04 23:16 hostcert_request.pem
-r-------- 1 root root 887 07-04 23:16 hostkey.pem
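
In the listing above containerkey.pem is -rw-r--r--, while hostkey.pem is -r--------: the plain cp created the copy of the private key with the default mode. The script below is an added example, not part of the original post or of Globus; it flags key files in a credential directory that group or other can access and removes that access. The function names and the constructed sample directory are assumptions.

```shell
#!/bin/sh
# Added example: audit *.pem permissions in a GSI credential directory
# such as /etc/grid-security. Function names are hypothetical.

# audit_gsi_keys DIR
# Prints one line per finding and nothing when the directory is clean:
#   LOOSE_KEY <file> <mode>      key file accessible to group or other
#   WRITABLE_CERT <file> <mode>  other .pem file writable by group or other
audit_gsi_keys() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        # First 10 characters of ls -l: file type plus rwx for user/group/other.
        mode=$(ls -ld -- "$f" | cut -c1-10)
        case "$f" in
            *key.pem)
                case "$mode" in
                    -???------) ;;                  # owner-only access: fine
                    *) echo "LOOSE_KEY $f $mode" ;;
                esac ;;
            *)
                case "$mode" in
                    -????-??-?) ;;                  # no group/other write bit
                    *) echo "WRITABLE_CERT $f $mode" ;;
                esac ;;
        esac
    done
    return 0
}

# tighten_gsi_keys DIR
# Removes all group/other access from every *key.pem in DIR.
tighten_gsi_keys() {
    for f in "$1"/*key.pem; do
        [ -f "$f" ] || continue
        chmod go-rwx "$f"
    done
    return 0
}

# make_sample_dir: builds a constructed copy of the listing above (empty
# files with the same names and modes) and prints its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for n in containercert.pem containerkey.pem hostcert.pem \
             hostcert_request.pem hostkey.pem; do
        : > "$d/$n"
        chmod 644 "$d/$n"
    done
    chmod 400 "$d/hostkey.pem"
    echo "$d"
}

# With an argument, audit that directory; without one, run on the sample.
if [ "$#" -gt 0 ]; then
    audit_gsi_keys "$1"
else
    sample=$(make_sample_dir)
    audit_gsi_keys "$sample"      # reports containerkey.pem
    tighten_gsi_keys "$sample"
    audit_gsi_keys "$sample"      # reports nothing
    rm -rf "$sample"
fi
```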

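Next we sign a certificate for an ordinary user who can submit jobs. The process is similar to signing the certificate for the grid container.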
# tail /etc/passwd
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
beaglidx:x:58:58:User for Beagle indexing:/var/cache/beagle:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
zx:x:500:500::/home/zx:/bin/bash
globus:x:501:501::/home/globus:/bin/bash

First check whether the GLOBUS_LOCATION environment variable is set:
[zx@xx1 ~]$ $GLOBUS_LOCATION
-bash: /usr/local/globus: is a directory

Change to the corresponding directory:
[zx@xx1 ~]$ cd /usr/local/globus/bin

Run the command to request a certificate:
[zx@xx1 bin]$ ./grid-cert-request
Enter your name, e.g., John Smith: zx
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.

Generating a 1024 bit RSA private key
..++++++
............++++++
writing new private key to '/home/zx/.globus/userkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 Organization [Grid]:Level 0 Organizational Unit [GlobusTest]:Level 1 Organizational Unit [simpleCA-xx1.com]:Level 2 Organizational Unit [com]:Name (e.g., John M. Smith) []:

A private key and a certificate request has been generated with the subject:

/O=Grid/OU=GlobusTest/OU=simpleCA-xx1.com/OU=com/CN=zx

If the CN=zx is not appropriate, rerun this
script with the -force -cn "Common Name" options.

Your private key is stored in /home/zx/.globus/userkey.pem
Your request is stored in /home/zx/.globus/usercert_request.pem

Please e-mail the request to the Globus Simple CA cy_xiaoxiao@yahoo.com.cn
You may use a command similar to the following:

cat /home/zx/.globus/usercert_request.pem | mail cy_xiaoxiao@yahoo.com.cn

Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.

Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at cy_xiaoxiao@yahoo.com.cn

As the output above shows, the private key is stored in /home/zx/.globus/userkey.pem

and the certificate request is in /home/zx/.globus/usercert_request.pem


Next we sign the certificate for the ordinary user zx, so we copy the user's certificate request file to /usr/local/globus/bin:
# cp /home/zx/.globus/usercert_request.pem /usr/local/globus/bin

Then switch to the globus user and sign the certificate:

[globus@xx1 ~]$ cd /usr/local/globus/bin
[globus@xx1 bin]$ ./grid-ca-sign -in usercert_request.pem -out usercert.pem

To sign the request
please enter the password for the CA key:

The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/02.pem

Then, as root, copy the generated certificate file back, overwriting the empty file.
[globus@xx1 bin]$ su - root
口令:
# cp /usr/local/globus/bin/usercert.pem /home/zx/.globus/
cp:是否覆盖“/home/zx/.globus/usercert.pem”? y

Then switch back to the ordinary user zx and run the script that generates the certificate:
[zx@xx1 bin]$ ./grid-proxy-init -valid 24000:0
./grid-proxy-init: error while loading shared libraries: libglobus_gsi_proxy_core_gcc32.so.0: cannot open shared object file: No such file or directory

Clearly this failed, so we need to source an environment script:
[zx@xx1 bin]$ source /usr/local/globus/etc/globus-user-env.sh

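Run it again. I add the valid parameter because at first this job user's certificate kept expiring after one day, and I later realized I had forgotten the parameter. See the script's help for details.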
[zx@xx1 bin]$ ./grid-proxy-init -valid 24000:0
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-xx1.com/OU=com/CN=zx
Enter GRID pass phrase for this identity:
Creating proxy .................................................... Done

Warning: your certificate and proxy will expire Fri Jul 4 11:20:07 2008
which is within the requested lifetime of the proxy

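Next we create a map file. It maps a remote certificate to a local user, so that whatever a remote holder of that certificate submits can be submitted on their behalf by the mapped local user.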
# cd /etc/grid-security/

# vi grid-mapfile

# cat grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-xx1.com/OU=com/CN=zx" zx
The first part of the grid-mapfile entry is the Your identity string from the certificate request above.


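That completes the installation of the globus toolkit on the master node [our host]. Run
/usr/local/globus/bin/globus-start-container to start the container.

The container starts, but it reports errors. This is because we have not installed ReliableFileTransferFTP.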
[globus@xx1 ~]$ /usr/local/globus/bin/globus-start-container
2007-07-05 11:39:19,111 ERROR monitoring.SchedulerEventGenerator [Thread-2,run:198] SEG Terminated with /usr/local/globus/libexec/globus-scheduler-event-generator: error while loading shared libraries: libglobus_scheduler_event_generator_gcc32.so.0: cannot open shared object file: No such file or directory
2007-07-05 11:39:19,562 ERROR monitoring.SchedulerEventGenerator [Thread-5,run:198] SEG Terminated with /usr/local/globus/libexec/globus-scheduler-event-generator: error while loading shared libraries: libglobus_scheduler_event_generator_gcc32.so.0: cannot open shared object file: No such file or directory
2007-07-05 11:39:21,467 ERROR service.ReliableFileTransferImpl [main,<init>:69] Unable to setup database driver with pooling.Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
2007-07-05 11:39:22,543 WARN service.ReliableFileTransferHome [main,initialize:97] All RFT requests will fail and all GRAM jobs that require file staging will fail.Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
Starting SOAP server at: https://211.67.141.181:8443/wsrf/services/
With the following services:

[1]: https://211.67.141.181:8443/wsrf/services/AdminService
[2]: https://211.67.141.181:8443/wsrf/services/AuthzCalloutTestService
[3]: https://211.67.141.181:8443/wsrf/services/CASService
[4]: https://211.67.141.181:8443/wsrf/services/ContainerRegistryEntryService
[5]: https://211.67.141.181:8443/wsrf/services/ContainerRegistryService
[6]: https://211.67.141.181:8443/wsrf/services/CounterService
[7]: https://211.67.141.181:8443/wsrf/services/DefaultIndexService
[8]: https://211.67.141.181:8443/wsrf/services/DefaultIndexServiceEntry
[9]: https://211.67.141.181:8443/wsrf/services/DefaultTriggerService
[10]: https://211.67.141.181:8443/wsrf/services/DefaultTriggerServiceEntry
[11]: https://211.67.141.181:8443/wsrf/services/DelegationFactoryService
[12]: https://211.67.141.181:8443/wsrf/services/DelegationService
[13]: https://211.67.141.181:8443/wsrf/services/DelegationTestService
[14]: https://211.67.141.181:8443/wsrf/services/InMemoryServiceGroup
[15]: https://211.67.141.181:8443/wsrf/services/InMemoryServiceGroupEntry
[16]: https://211.67.141.181:8443/wsrf/services/InMemoryServiceGroupFactory
[17]: https://211.67.141.181:8443/wsrf/services/IndexFactoryService
[18]: https://211.67.141.181:8443/wsrf/services/IndexService
[19]: https://211.67.141.181:8443/wsrf/services/IndexServiceEntry
[20]: https://211.67.141.181:8443/wsrf/services/ManagedExecutableJobService
[21]: https://211.67.141.181:8443/wsrf/services/ManagedJobFactoryService
[22]: https://211.67.141.181:8443/wsrf/services/ManagedMultiJobService
[23]: https://211.67.141.181:8443/wsrf/services/ManagementService
[24]: https://211.67.141.181:8443/wsrf/services/NotificationConsumerFactoryService
[25]: https://211.67.141.181:8443/wsrf/services/NotificationConsumerService
[26]: https://211.67.141.181:8443/wsrf/services/NotificationTestService
[27]: https://211.67.141.181:8443/wsrf/services/PersistenceTestSubscriptionManager
[28]: https://211.67.141.181:8443/wsrf/services/ReliableFileTransferFactoryService
[29]: https://211.67.141.181:8443/wsrf/services/ReliableFileTransferService
[30]: https://211.67.141.181:8443/wsrf/services/RendezvousFactoryService
[31]: https://211.67.141.181:8443/wsrf/services/SampleAuthzService
[32]: https://211.67.141.181:8443/wsrf/services/SecureCounterService
[33]: https://211.67.141.181:8443/wsrf/services/SecurityTestService
[34]: https://211.67.141.181:8443/wsrf/services/ShutdownService
[35]: https://211.67.141.181:8443/wsrf/services/SubscriptionManagerService
[36]: https://211.67.141.181:8443/wsrf/services/TestAuthzService
[37]: https://211.67.141.181:8443/wsrf/services/TestRPCService
[38]: https://211.67.141.181:8443/wsrf/services/TestService
[39]: https://211.67.141.181:8443/wsrf/services/TestServiceRequest
[40]: https://211.67.141.181:8443/wsrf/services/TestServiceWrongWSDL
[41]: https://211.67.141.181:8443/wsrf/services/TriggerFactoryService
[42]: https://211.67.141.181:8443/wsrf/services/TriggerService
[43]: https://211.67.141.181:8443/wsrf/services/TriggerServiceEntry
[44]: https://211.67.141.181:8443/wsrf/services/Version
[45]: https://211.67.141.181:8443/wsrf/services/WidgetNotificationService
[46]: https://211.67.141.181:8443/wsrf/services/WidgetService
[47]: https://211.67.141.181:8443/wsrf/services/gsi/AuthenticationService
[48]: https://211.67.141.181:8443/wsrf/services/mds/test/execsource/IndexService
[49]: https://211.67.141.181:8443/wsrf/services/mds/test/execsource/IndexServiceEntry
[50]: https://211.67.141.181:8443/wsrf/services/mds/test/subsource/IndexService
[51]: https://211.67.141.181:8443/wsrf/services/mds/test/subsource/IndexServiceEntry


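So we must install PostgreSQL.
First add a postgre user to run the database. The -p option of adduser expects an already-encrypted password, so the password is set with passwd instead:
# adduser postgre
# passwd postgre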

# cp /mnt/win/globus/postgresql-8.0.7.tar.gz /usr/local/

# cd /usr/local/

# tar -zxvf postgresql-8.0.7.tar.gz

# cd postgresql-8.0.7

# ls
aclocal.m4 configure contrib doc HISTORY Makefile src
config configure.in COPYRIGHT GNUmakefile.in INSTALL README

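For installation details, see the INSTALL file. Here I install it the way I prefer.

# ./configure

Without a prefix argument, ./configure defaults to installing into /usr/local/pgsql.

# make

# make install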


# mkdir /usr/local/pgsql/data

# chown postgre.postgre !$
chown postgre.postgre /usr/local/pgsql/data

# su - postgre

[postgre@xx1 ~]$ cd /usr/local/pgsql/

[postgre@xx1 pgsql]$ cd bin

[postgre@xx1 bin]$ ./initdb -D /usr/local/pgsql/data
The files belonging to this database system will be owned by user "postgre".
This user must also own the server process.

The database cluster will be initialized with locale zh_CN.UTF-8.
The default database encoding has accordingly been set to UNICODE.

fixing permissions on existing directory /usr/local/pgsql/data ... ok
creating directory /usr/local/pgsql/data/global ... ok
creating directory /usr/local/pgsql/data/pg_xlog ... ok
creating directory /usr/local/pgsql/data/pg_xlog/archive_status ... ok
creating directory /usr/local/pgsql/data/pg_clog ... ok
creating directory /usr/local/pgsql/data/pg_subtrans ... ok
creating directory /usr/local/pgsql/data/base ... ok
creating directory /usr/local/pgsql/data/base/1 ... ok
creating directory /usr/local/pgsql/data/pg_tblspc ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 1000
creating configuration files ... ok
creating template1 database in /usr/local/pgsql/data/base/1 ... ok
initializing pg_shadow ... ok
enabling unlimited row size for system tables ... ok
initializing pg_depend ... ok
creating system views ... ok
loading pg_description ... ok
creating conversions ... ok
setting privileges on built-in objects ... ok
creating information schema ... ok
vacuuming database template1 ... ok
copying template1 to template0 ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the -A option the
next time you run initdb.

Success. You can now start the database server using:

./postmaster -D /usr/local/pgsql/data
or
./pg_ctl -D /usr/local/pgsql/data -l logfile start


# su - postgre

[postgre@xx1 ~]$ cd /usr/local/pgsql/

[postgre@xx1 pgsql]$ bin/createuser globus
Shall the new user be allowed to create databases? (y/n) y
Shall the new user be allowed to create more new users? (y/n) y
CREATE USER

[postgre@xx1 pgsql]$ cd bin
[postgre@xx1 bin]$ ./createdb rftDatabase
CREATE DATABASE
[postgre@xx1 bin]$ ./psql -d rftDatabase -f $GLOBUS_LOCATION/share/globus_wsrf_rft/rft_schema.sql
psql:/usr/local/globus/share/globus_wsrf_rft/rft_schema.sql:6: NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "requestid_pkey" for table "requestid"
CREATE TABLE
psql:/usr/local/globus/share/globus_wsrf_rft/rft_schema.sql:11: NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "transferid_pkey" for table "transferid"
CREATE TABLE
psql:/usr/local/globus/share/globus_wsrf_rft/rft_schema.sql:30: NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "request_pkey" for table "request"
CREATE TABLE
psql:/usr/local/globus/share/globus_wsrf_rft/rft_schema.sql:65: NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "transfer_pkey" for table "transfer"
CREATE TABLE
psql:/usr/local/globus/share/globus_wsrf_rft/rft_schema.sql:71: NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "restart_pkey" for table "restart"
CREATE TABLE
CREATE TABLE
CREATE INDEX

First start postgresql:
[postgre@xx1 bin]$ /usr/local/pgsql/bin/postmaster -i -D /usr/local/pgsql/data

Then start the globus container from /usr/local/globus/bin:
[globus@xx1 bin]$ ./globus-start-container
2007-07-05 12:27:37,140 ERROR monitoring.SchedulerEventGenerator [Thread-2,run:198] SEG Terminated with /usr/local/globus/libexec/globus-scheduler-event-generator: error while loading shared libraries: libglobus_scheduler_event_generator_gcc32.so.0: cannot open shared object file: No such file or directory
2007-07-05 12:27:38,248 ERROR monitoring.SchedulerEventGenerator [Thread-5,run:198] SEG Terminated with /usr/local/globus/libexec/globus-scheduler-event-generator: error while loading shared libraries: libglobus_scheduler_event_generator_gcc32.so.0: cannot open shared object file: No such file or directory
2007-07-05 12:27:40,660 ERROR service.ReliableFileTransferImpl [main,<init>:69] Unable to setup database driver with pooling.A connection error has occurred: FATAL: no pg_hba.conf entry for host "211.67.141.181", user "globus", database "rftDatabase"

2007-07-05 12:27:41,794 WARN service.ReliableFileTransferHome [main,initialize:97] All RFT requests will fail and all GRAM jobs that require file staging will fail.A connection error has occurred: FATAL: no pg_hba.conf entry for host "211.67.141.181", user "globus", database "rftDatabase"

Starting SOAP server at: https://211.67.141.181:8443/wsrf/services/
With the following services:

[1]: https://211.67.141.181:8443/wsrf/services/AdminService
...................................................................
...................................................................
...................................................................
...................................................................


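Two errors are reported here: one is that a library file cannot be found, the other is that the connection to 211.67.141.181, our master node, fails.
Fix, step one:
[globus@xx1 bin]$ source /usr/local/globus/etc/globus-user-env.sh
This lets the library files be found.

Step two: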
# pwd
/usr/local/pgsql/data

Add the host to the trusted entries.
# tail pg_hba.conf
# TYPE DATABASE USER CIDR-ADDRESS METHOD

# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# IPv4 local connections:
host all all 211.67.141.181/32 trust
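
The entry added above uses trust for all databases and all users, and the initdb output earlier warned that trust is also enabled for local connections. As an added example (not from the original post), this script lists every trust entry in a pg_hba.conf and separates socket and loopback entries from entries for other addresses. The function names are hypothetical, and the narrowed md5 line in the second sample is an assumption that requires a password to be configured for the globus database user.

```shell
#!/bin/sh
# Added example: list "trust" entries in a PostgreSQL 8.0-style pg_hba.conf.
# Function names and sample data are constructed for illustration.

# audit_pg_hba FILE   (use - to read standard input)
# Prints one line per entry whose method is "trust":
#   TRUST_LOCAL    Unix-socket or loopback entry
#   TRUST_NETWORK  entry for any other address
audit_pg_hba() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        {
            addr = "-"
            if ($1 == "local") {               # local  db user method
                method = $4
            } else if (index($4, "/") > 0) {   # host   db user CIDR method
                addr = $4; method = $5
            } else {                           # host   db user IP MASK method
                addr = $4 "/" $5; method = $6
            }
            if (method != "trust") next
            kind = "TRUST_NETWORK"
            if ($1 == "local" || addr ~ "^127[.]" || addr ~ "^::1/")
                kind = "TRUST_LOCAL"
            printf "%s line %d: db=%s user=%s addr=%s\n", kind, NR, $2, $3, addr
        }
    ' "$1"
}

# sample_page_hba: the entries shown in the tail output above.
sample_page_hba() {
    cat <<'EOF'
# TYPE DATABASE USER CIDR-ADDRESS METHOD

# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# IPv4 local connections:
host all all 211.67.141.181/32 trust
EOF
}

# sample_narrowed_hba: the same file with the last entry limited to the RFT
# database and the globus user, using password (md5) authentication.
# This replacement line is an assumption, not taken from the page.
sample_narrowed_hba() {
    sample_page_hba | sed \
      's|^host all all 211\.67\.141\.181/32 trust$|host rftDatabase globus 211.67.141.181/32 md5|'
}

# With an argument, audit that file; without one, run on both samples.
if [ "$#" -gt 0 ]; then
    audit_pg_hba "$1"
else
    sample_page_hba | audit_pg_hba -       # three local entries, one network
    sample_narrowed_hba | audit_pg_hba -   # only the three local entries
fi
```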

Start the container again; the errors are gone.
[globus@xx1 bin]$ ./globus-start-container
Starting SOAP server at: https://211.67.141.181:8443/wsrf/services/
With the following services:

[1]: https://211.67.141.181:8443/wsrf/services/AdminService
[2]: https://211.67.141.181:8443/wsrf/services/AuthzCalloutTestService
[3]: https://211.67.141.181:8443/wsrf/services/CASService
[4]: https://211.67.141.181:8443/wsrf/services/ContainerRegistryEntryService
[5]: https://211.67.141.181:8443/wsrf/services/ContainerRegistryService
[6]: https://211.67.141.181:8443/wsrf/services/CounterService
[7]: https://211.67.141.181:8443/wsrf/services/DefaultIndexService
[8]: https://211.67.141.181:8443/wsrf/services/DefaultIndexServiceEntry
[9]: https://211.67.141.181:8443/wsrf/services/DefaultTriggerService
[10]: https://211.67.141.181:8443/wsrf/services/DefaultTriggerServiceEntry
[11]: https://211.67.141.181:8443/wsrf/services/DelegationFactoryService
[12]: https://211.67.141.181:8443/wsrf/services/DelegationService
[13]: https://211.67.141.181:8443/wsrf/services/DelegationTestService
[14]: https://211.67.141.181:8443/wsrf/services/InMemoryServiceGroup
[15]: https://211.67.141.181:8443/wsrf/services/InMemoryServiceGroupEntry
[16]: https://211.67.141.181:8443/wsrf/services/InMemoryServiceGroupFactory
[17]: https://211.67.141.181:8443/wsrf/services/IndexFactoryService
[18]: https://211.67.141.181:8443/wsrf/services/IndexService
[19]: https://211.67.141.181:8443/wsrf/services/IndexServiceEntry
[20]: https://211.67.141.181:8443/wsrf/services/ManagedExecutableJobService
[21]: https://211.67.141.181:8443/wsrf/services/ManagedJobFactoryService
[22]: https://211.67.141.181:8443/wsrf/services/ManagedMultiJobService
[23]: https://211.67.141.181:8443/wsrf/services/ManagementService
[24]: https://211.67.141.181:8443/wsrf/services/NotificationConsumerFactoryService
[25]: https://211.67.141.181:8443/wsrf/services/NotificationConsumerService
[26]: https://211.67.141.181:8443/wsrf/services/NotificationTestService
[27]: https://211.67.141.181:8443/wsrf/services/PersistenceTestSubscriptionManager
[28]: https://211.67.141.181:8443/wsrf/services/ReliableFileTransferFactoryService
[29]: https://211.67.141.181:8443/wsrf/services/ReliableFileTransferService
[30]: https://211.67.141.181:8443/wsrf/services/RendezvousFactoryService
[31]: https://211.67.141.181:8443/wsrf/services/SampleAuthzService
[32]: https://211.67.141.181:8443/wsrf/services/SecureCounterService
[33]: https://211.67.141.181:8443/wsrf/services/SecurityTestService
[34]: https://211.67.141.181:8443/wsrf/services/ShutdownService
[35]: https://211.67.141.181:8443/wsrf/services/SubscriptionManagerService
[36]: https://211.67.141.181:8443/wsrf/services/TestAuthzService
[37]: https://211.67.141.181:8443/wsrf/services/TestRPCService
[38]: https://211.67.141.181:8443/wsrf/services/TestService
[39]: https://211.67.141.181:8443/wsrf/services/TestServiceRequest
[40]: https://211.67.141.181:8443/wsrf/services/TestServiceWrongWSDL
[41]: https://211.67.141.181:8443/wsrf/services/TriggerFactoryService
[42]: https://211.67.141.181:8443/wsrf/services/TriggerService
[43]: https://211.67.141.181:8443/wsrf/services/TriggerServiceEntry
[44]: https://211.67.141.181:8443/wsrf/services/Version
[45]: https://211.67.141.181:8443/wsrf/services/WidgetNotificationService
[46]: https://211.67.141.181:8443/wsrf/services/WidgetService
[47]: https://211.67.141.181:8443/wsrf/services/gsi/AuthenticationService
[48]: https://211.67.141.181:8443/wsrf/services/mds/test/execsource/IndexService
[49]: https://211.67.141.181:8443/wsrf/services/mds/test/execsource/IndexServiceEntry
[50]: https://211.67.141.181:8443/wsrf/services/mds/test/subsource/IndexService
[51]: https://211.67.141.181:8443/wsrf/services/mds/test/subsource/IndexServiceEntry
2007-07-05 12:34:27,240 INFO impl.DefaultIndexService [ServiceThread-10,processConfigFile:107] Reading default registration configuration from file: /usr/local/globus/etc/globus_wsrf_mds_index/hierarchy.xml

Now we configure GridFTP.
First check whether xinetd is installed:
# rpm -aq | grep xinet

It was not, so I pulled the installer out of the disk image and installed it:
# rpm -ivh /mnt/win/xinetd-2.3.14-8.i386.rpm
warning: /mnt/win/xinetd-2.3.14-8.i386.rpm: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
Preparing... ########################################### [100%]
1:xinetd ########################################### [100%]

# vi gridftp
# cat gridftp
service gsiftp
{
instances = 100
socket_type = stream
wait = no
user = root
env += GLOBUS_LOCATION=/usr/local/globus
env += LD_LIBRARY_PATH=/usr/local/globus/lib

server = /usr/local/globus/sbin/globus-gridftp-server
server_args = -i
log_on_success += DURATION
nice = 10
disable = no
}

Edit the /etc/services file and add a gsiftp entry under Local services:
# vi /etc/services
# tail !$
tail /etc/services
nimhub 48002/tcp # Nimbus Hub
nimhub 48002/udp # Nimbus Hub
nimgtw 48003/tcp # Nimbus Gateway
nimgtw 48003/udp # Nimbus Gateway
com-bardac-dw 48556/tcp # com-bardac-dw
com-bardac-dw 48556/udp # com-bardac-dw
iqobject 48619/tcp # iqobject
iqobject 48619/udp # iqobject
# Local services
gsiftp 2811/tcp

Tell xinetd to reload; it fails.
# /etc/init.d/xinetd reload
重新载入配置: [失败]

It turned out I had not started it yet. Add it to the services first, so that we don't have to start GridFTP by hand every time.
# cd /etc/init.d/
# chkconfig --add xinetd
# ./xinetd start
启动 xinetd: [确定]

Check whether gsiftp is up:
# netstat -at | grep gsiftp
tcp 0 0 *:gsiftp *:* LISTEN

Heh, it is up.

Now let's see whether GridFTP has really started.

# cp /usr/local/globus/share/globus_wsrf_rft_test/transfer.xfr /tmp/rft.xfr


# cat /tmp/rft.xfr
true
16000
16000
false
1
true
1
null
null
false
10
gsiftp://xx1.com:2811/etc/group
gsiftp://xx1.com:2811/tmp/rftTest_Done.tmp

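I don't fully understand this rft.xfr file yet. I take it to be a transfer job file containing configuration settings; judging from my experiments, it transfers the file on the second-to-last line to the location on the last line.

I test with the ordinary user zx.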
[zx@xx1 ~]$ rft -h xx1.com -f /tmp/rft.xfr
Number of transfers in this request: 1
Subscribed for overall status
Termination time to set: 60 minutes

Overall status of transfer:
Finished/Active/Failed/Retrying/Pending
0/1/0/0/0

Overall status of transfer:
Finished/Active/Failed/Retrying/Pending
1/0/0/0/0
All Transfers are completed

This shows that GridFTP has not only started but can also transfer files.
Let's check that the file arrived.
# ls /tmp/rft* -la
-rw-r--r-- 1 zx zx 649 07-08 14:53 /tmp/rftTest_Done.tmp
-rw-r--r-- 1 zx zx 126 07-08 14:53 /tmp/rft.xfr


Now we can install GRAM. What is GRAM for? Here I quote from the documentation:

The Globus Toolkit provides both a suite of web services and a "pre-web services" Unix server suite to submit, monitor,
and cancel jobs on Grid computing resources. Both systems are known under the moniker "GRAM", while "WS
GRAM" refers only to the web service implementation.

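So we first edit the sudo file. I still don't know the sudo command very well, but from man I gather that it lets one user switch to another user to run a command.

The configuration file is /etc/sudoers, but if we edit it with vi we find it cannot be saved and get the following message:
E45: 'readonly' option is set (add ! to override)
Because this file is so important, the system does not let you change it casually, for fear of getting the format wrong, so use the visudo command to edit it.

At the end, add three lines: one comment and two configuration lines. Note that the last two lines are very long; I have written them out separately.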

# Globus GRAM Entities

globus ALL=(zx) NOPASSWD: /usr/local/globus/libexec/globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile /usr/local/globus/libexec/globus-job-manager-script.pl *


globus ALL=(zx) NOPASSWD: /usr/local/globus/libexec/globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile /usr/local/globus/libexec/globus-gram-local-proxy-tool *

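As you can see, the configuration above lets the globus user run the program /usr/local/globus/libexec/globus-gridmap-and-execute under the identity of user zx (the -g that follows is an option; after -g come the location of the grid security configuration file and other arguments), without entering a password.

You can adjust the parameters accordingly, for example ALL=(zx,wz,xx), if you want the globus user to be able to switch to zx, wz, xx and so on.
If anything is unclear, see man sudoers.

Submit the following command and see whether it runs.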
[zx@xx1 ~]$ globusrun-ws -submit -c /bin/true
Submitting job...Done.
Job ID: uuid:8877fe7c-2d24-11dc-9268-000ae66aa0b9
Termination time: 07/09/2007 07:26 GMT
Current job state: Failed
Destroying job...Done.
globusrun-ws: Job failed: Error code: 200
Sudo is misconfigured to run the globus-job-manager-script.pl script for user zx.
If you get the output above, the sudo file is definitely wrong and you must check it carefully.
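
The error above names user zx, and the two rules only cover accounts in their (...) Runas list, so every local account that grid-mapfile maps to has to appear in both rules. As an added example (not from the original post or the Globus tools), this script cross-checks a grid-mapfile against the two GRAM sudoers rules. The function names and the second mapped user wz in the sample are constructed, and the DN parsing is a simplification.

```shell
#!/bin/sh
# Added example: check that every account mapped in a grid-mapfile is in the
# Runas list of both GRAM sudoers rules. Names and samples are constructed.

# gridmap_accounts FILE: local accounts mapped in a grid-mapfile, one per line.
# Entry format: "quoted DN" account[,account...]
gridmap_accounts() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            line = $0
            if (match(line, /^[ \t]*"[^"]*"/))        # strip the quoted DN
                line = substr(line, RSTART + RLENGTH)
            else                                       # unquoted DN: one word
                sub(/^[ \t]*[^ \t]+/, "", line)
            gsub(/[ \t]/, "", line)
            n = split(line, acct, ",")
            for (i = 1; i <= n; i++) if (acct[i] != "") print acct[i]
        }
    ' "$1" | sort -u
}

# sudo_runas_accounts FILE TOOL: accounts that user globus may run TOOL as
# without a password, taken from the (...) Runas list of matching rules.
sudo_runas_accounts() {
    awk -v tool="$2" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continued lines
        { rule = buf $0; buf = "" }
        {
            split(rule, w, " ")
            if (w[1] != "globus") next                     # also skips comments
            if (index(rule, "NOPASSWD:") == 0 || index(rule, "/" tool " ") == 0) next
            if (!match(rule, /\([^)]*\)/)) next
            runas = substr(rule, RSTART + 1, RLENGTH - 2)
            gsub(/[ \t]/, "", runas)
            n = split(runas, u, ",")
            for (i = 1; i <= n; i++) print u[i]
        }
    ' "$1"
}

# gram_sudo_gaps GRIDMAP SUDOERS
# Prints "MISSING <account> <tool>" for each mapped account that neither rule
# list names (a Runas list containing ALL covers every account).
gram_sudo_gaps() {
    for acct in $(gridmap_accounts "$1"); do
        for tool in globus-job-manager-script.pl globus-gram-local-proxy-tool; do
            if ! sudo_runas_accounts "$2" "$tool" | grep -qxF -e "$acct" -e ALL; then
                echo "MISSING $acct $tool"
            fi
        done
    done
    return 0
}

# Constructed grid-mapfile: the zx entry from the page plus a made-up user wz.
sample_gridmap() {
    cat <<'EOF'
"/O=Grid/OU=GlobusTest/OU=simpleCA-xx1.com/OU=com/CN=zx" zx
"/O=Grid/OU=GlobusTest/OU=simpleCA-xx1.com/OU=com/CN=wz" wz
EOF
}

# The two rules from the page, with the Runas list passed as $1.
sample_sudoers() {
    cat <<EOF
# Globus GRAM Entities
globus ALL=($1) NOPASSWD: /usr/local/globus/libexec/globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile /usr/local/globus/libexec/globus-job-manager-script.pl *
globus ALL=($1) NOPASSWD: /usr/local/globus/libexec/globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile /usr/local/globus/libexec/globus-gram-local-proxy-tool *
EOF
}

# With two arguments, check those files; otherwise run on the samples.
if [ "$#" -eq 2 ]; then
    gram_sudo_gaps "$1" "$2"
else
    work=$(mktemp -d)
    sample_gridmap > "$work/grid-mapfile"
    sample_sudoers "zx" > "$work/sudoers"
    gram_sudo_gaps "$work/grid-mapfile" "$work/sudoers"   # wz is not covered
    rm -rf "$work"
fi
```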

After checking the file we run it again, and the job now completes.
[zx@xx1 ~]$ globusrun-ws -submit -c /bin/true
Submitting job...Done.
Job ID: uuid:e50b6f20-2d24-11dc-954c-000ae66aa0b9
Termination time: 07/09/2007 07:28 GMT
Current job state: Active
Current job state: CleanUp
Current job state: Done
Destroying job...Done.

Meanwhile, the Globus Container terminal prints output showing that the command ran successfully. Its job ID is the same as the one above.
2007-07-08 15:29:03,799 INFO exec.StateMachine [RunQueueThread_13,logJobSucceeded:3204] Job e50b6f20-2d24-11dc-954c-000ae66aa0b9 finished successfully

Next, let's copy a file:
[zx@xx1 ~]$ globus-url-copy file:///tmp/rft.xfr gsiftp://xx1.com/home/zx/test.copy

Ha, there it is. We can also replace xx1.com with 211.67.141.181 and test whether that succeeds.
[zx@xx1 ~]$ ls
Desktop test.copy

That completes the configuration of the master node.