exactly follows the instructions; some notes follow.
1. sudo
# Comment out this line, if it is in your /etc/sudoers file (RHEL5+)
#Defaults requiretty
Cmnd_Alias SRM_CMD = /bin/rm, /bin/mkdir, /bin/rmdir, /bin/mv, /bin/ls
Runas_Alias SRM_USR = ALL, !root
daemon ALL=(SRM_USR) NOPASSWD: SRM_CMD
I had a look at the CE's /etc/sudoers file; it also contains a similar section:
Runas_Alias GLOBUSUSERS = ALL, !root
daemon ALL=(GLOBUSUSERS) \
NOPASSWD: /opt/osg-1.0.0/globus/libexec/globus-gridmap-and-execute \
-g /etc/grid-security/grid-mapfile \
/opt/osg-1.0.0/globus/libexec/globus-job-manager-script.pl *
daemon ALL=(GLOBUSUSERS) \
NOPASSWD: /opt/osg-1.0.0/globus/libexec/globus-gridmap-and-execute \
-g /etc/grid-security/grid-mapfile \
/opt/osg-1.0.0/globus/libexec/globus-gram-local-proxy-tool *
For the semantics of the above configuration, see: http://blog.chinaunix.net/u1/35601/showart_330589.html
This one seems to be a more useful reference: http://eduvnet.yesky.com/os/397/7569397_2.shtml
On the usage of chmod permissions: http://www.phpip.com/os/2008/0505/article_11783.html,
The meaning of the numeric attributes: 0 means no permission, 1 means execute permission, 2 means write permission, 4 means read permission, and these values are added together. So a numeric mode consists of three octal digits from 0 to 7, in the order (u)(g)(o).
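To see what the two sudoers fragments above actually grant, here is a small evaluator for the subset of sudoers syntax they use (Cmnd_Alias, Runas_Alias, `!` negation, backslash line continuation and a user rule). It is an added example written for these notes, not part of BeStMan, OSG or sudo itself; it assumes sudo's documented "last matching entry wins" semantics and the constructed sample below. The point worth checking: `ALL, !root` denies only root, so `daemon` may still run the listed commands as any other local account, including system accounts such as `bin`.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the BeStMan fragment from the notes above, with the rule
# split over two lines the way sudoers allows (trailing backslash).
SAMPLE_SUDOERS = r"""
# Comment out this line, if it is in your /etc/sudoers file (RHEL5+)
#Defaults requiretty
Cmnd_Alias SRM_CMD = /bin/rm, /bin/mkdir, /bin/rmdir, /bin/mv, /bin/ls
Runas_Alias SRM_USR = ALL, !root
daemon ALL=(SRM_USR) \
    NOPASSWD: SRM_CMD
"""

Matcher = Callable[[str, str], bool]


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop comments and blank lines."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined = (buf + line).strip()
        buf = ""
        if joined and not joined.startswith("#"):
            out.append(joined)
    return out


class Policy:
    """Aliases plus user rules as (user, host, runas list, nopasswd, command list)."""

    def __init__(self) -> None:
        self.cmnd_aliases: Dict[str, List[str]] = {}
        self.runas_aliases: Dict[str, List[str]] = {}
        self.rules: List[Tuple[str, str, List[str], bool, List[str]]] = []


ALIAS_RE = re.compile(r"(Cmnd_Alias|Runas_Alias)\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(NOPASSWD:)?\s*(.+)$")


def parse_sudoers(text: str) -> Policy:
    """Parse the subset of sudoers syntax used in the notes (aliases, Defaults, user rules)."""
    pol = Policy()
    for line in logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            items = [x.strip() for x in m.group(3).split(",")]
            target = pol.cmnd_aliases if m.group(1) == "Cmnd_Alias" else pol.runas_aliases
            target[m.group(2)] = items
            continue
        if line.startswith("Defaults"):
            continue  # options such as requiretty do not change who may run what
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line}")
        runas = [x.strip() for x in m.group(3).split(",")]
        cmds = [x.strip() for x in m.group(5).split(",")]
        pol.rules.append((m.group(1), m.group(2), runas, bool(m.group(4)), cmds))
    return pol


def _evaluate(items: List[str], aliases: Dict[str, List[str]], value: str,
              match_one: Matcher) -> Optional[bool]:
    """Evaluate a sudoers list with '!' negation: the last matching item decides.
    Returns True (allowed), False (denied) or None (nothing matched)."""
    verdict: Optional[bool] = None
    for item in items:
        negated = item.startswith("!")
        name = item[1:].strip() if negated else item
        if name in aliases:
            sub = _evaluate(aliases[name], aliases, value, match_one)
            if sub is not None:
                verdict = (not sub) if negated else sub
        elif match_one(name, value):
            verdict = not negated
    return verdict


def _name_match(entry: str, name: str) -> bool:
    return entry == "ALL" or entry == name


def _cmd_match(entry: str, requested: str) -> bool:
    """A bare path in sudoers permits any arguments; a path with arguments must match exactly."""
    if entry == "ALL":
        return True
    e_parts, r_parts = entry.split(), requested.split()
    if not r_parts or e_parts[0] != r_parts[0]:
        return False
    return len(e_parts) == 1 or e_parts[1:] == r_parts[1:]


def is_permitted(pol: Policy, user: str, runas: str, command: str, host: str = "localhost") -> bool:
    """Would `sudo -u <runas> <command>` issued by <user> on <host> be allowed?"""
    verdict = False
    for rule_user, rule_host, runas_list, _nopasswd, cmds in pol.rules:
        if not _name_match(rule_user, user) or not _name_match(rule_host, host):
            continue
        if _evaluate(runas_list, pol.runas_aliases, runas, _name_match) is not True:
            continue
        res = _evaluate(cmds, pol.cmnd_aliases, command, _cmd_match)
        if res is not None:
            verdict = res
    return verdict
```

Running `is_permitted(parse_sudoers(SAMPLE_SUDOERS), "daemon", "bin", "/bin/ls /")` returns True, which is the thing to keep in mind when reviewing this policy; if the storage accounts share a group or a uid range, a tighter Runas_Alias (or a list of explicit accounts) narrows what the daemon account can impersonate.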
2. About certificates.
1) First remove the passphrase from the certificate (it seems only the key's passphrase can be removed; the certificate itself should have no password? But Anand says it does)
openssl rsa ...
2) Viewing the certificate
openssl x509 -in /etc/grid-security/hostcert.pem -noout -text
Viewing proxy information (mainly to check the proxy lifetime, which is usually 12 hours and 5 minutes)
openssl x509 -in /tmp/x509_u0 -noout -text (host certificate)
openssl x509 -in /tmp/x509_u550 -noout -text (personal certificate)
3) Generating a proxy
Host proxy:
[root@osg ~]# grid-proxy-init -cert /etc/grid-security/hostcert.pem -key /etc/grid-security/hostkey.pem
Your identity: /DC=org/DC=doegrids/OU=Services/CN=osg.cnic.cn
Creating proxy ...................................................... Done
Your proxy is valid until: Sun Mar 14 09:45:56 2010
Personal proxy:
[zhxue@osg root]$ grid-proxy-init
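Reading the validity period out of `openssl x509 -noout -text` by eye gets old quickly when you are checking /tmp/x509_u* files every few hours, so here is an added helper (written for these notes, not part of Globus or OSG) that parses the `-dates`, `-subject` and `-issuer` lines openssl prints, reports the lifetime, says whether a file is a proxy or an end-entity certificate, and classifies a credential as ok, expiring, expired or not yet valid. The samples are constructed; the 12 h 5 min lifetime matches the figure in the notes. The parser assumes the one-line `subject= /DC=...` name format shown on this page and tolerates the `DC = org, DC = ...` form newer OpenSSL releases print.

```python
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, Union

# Constructed samples of `openssl x509 -noout -dates -subject -issuer` output
# (values invented for this example; times are UTC, as openssl prints them).
SAMPLE_PROXY_INFO = """\
notBefore=Mar 13 13:40:56 2010 GMT
notAfter=Mar 14 01:45:56 2010 GMT
subject= /DC=org/DC=doegrids/OU=Services/CN=osg.cnic.cn/CN=1234567890
issuer= /DC=org/DC=doegrids/OU=Services/CN=osg.cnic.cn
"""
SAMPLE_HOST_INFO = """\
notBefore=Mar  1 00:00:00 2010 GMT
notAfter=Mar  1 00:00:00 2011 GMT
subject= /DC=org/DC=doegrids/OU=Services/CN=osg.cnic.cn
issuer= /DC=org/DC=doegrids/OU=Certificate Authorities/CN=EXAMPLE-CA
"""

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"
Info = Dict[str, Union[str, datetime]]


def parse_x509_info(text: str) -> Info:
    """Turn the key=value lines openssl prints into a dict; dates become aware UTC datetimes."""
    info: Info = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in ("notBefore", "notAfter"):
            info[key] = datetime.strptime(value, OPENSSL_TIME).replace(tzinfo=timezone.utc)
        else:
            info[key] = value
    return info


def lifetime_hours(text: str) -> float:
    """Total validity period in hours (12 h 5 min for a default grid-proxy-init proxy)."""
    info = parse_x509_info(text)
    return (info["notAfter"] - info["notBefore"]).total_seconds() / 3600


def is_proxy(text: str) -> bool:
    """A GSI proxy's subject is its issuer's subject with one more CN component appended."""
    info = parse_x509_info(text)
    subject, issuer = str(info["subject"]), str(info["issuer"])
    if subject == issuer or not subject.startswith(issuer):
        return False
    # Accept both "/CN=..." and ", CN = ..." continuations of the name.
    return subject[len(issuer):].lstrip(" ,/").startswith("CN")


def proxy_status(text: str, now_iso: str, min_left_minutes: int = 30) -> str:
    """Classify a credential at `now_iso` (ISO 8601 with offset, e.g. 2010-03-13T20:00:00+00:00)."""
    info = parse_x509_info(text)
    now = datetime.fromisoformat(now_iso)
    if now < info["notBefore"]:
        return "not-yet-valid"
    left = info["notAfter"] - now
    if left <= timedelta(0):
        return "expired"
    if left < timedelta(minutes=min_left_minutes):
        return "expiring"
    return "ok"


def x509_info_from_file(path: str) -> Info:
    """Run the openssl command from the notes (with -dates/-subject/-issuer instead of -text)."""
    cmd = ["openssl", "x509", "-in", path, "-noout", "-dates", "-subject", "-issuer"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_x509_info(out)
```

`proxy_status(x509_info_from_file("/tmp/x509_u550"), ...)` is the intended use on a real host; the `expiring` state is what a transfer that is about to start should refuse, since BeStMan and GridFTP will reject the proxy part-way through otherwise.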
3. If you are not using GUMS, do not run the following (in the gridftp Configuration section):
cp $VDT_LOCATION/post-install/prima-authz.conf /etc/grid-security
cp $VDT_LOCATION/post-install/gsi-authz.conf /etc/grid-security
4. There are two ways of operating on files, which must be set in the configuration file: vi $VDT_LOCATION/bestman/conf/bestman.rc
## checkSizeWithFS and checkSizeWithGsiftp only works in GATEWAY MODE
checkSizeWithFS=true
checkSizeWithGsiftp=true
If you are running your BeStMan-Gateway on a node that doesn't have access to your file system, you will have to modify the following attributes in the $VDT_LOCATION/bestman/conf/bestman.rc configuration file:
checkSizeWithFS=false
checkSizeWithGsiftp=true
// It seems that setting FS to false never works; this needs further investigation
5. Since the grid-mapfile is updated automatically (each update overwrites the previous one) and the official list does not include me, I need to add myself.
$GLOBUS_LOCATION/sbin/grid-mapfile-add-entry -dn "/DC=CN/DC=Grid/DC=SDG/CN=Zhenghua Xue (zhxue@cnic.cn)" -ln zhxue
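Because the generated grid-mapfile keeps overwriting the manual entry, the practical fix is a small reconciliation step that runs after each regeneration and re-adds the site-local mappings idempotently. The following is an added example for these notes, not the Globus `grid-mapfile-add-entry` tool; it handles the quoted-DN line format (`"DN" account[,account...]`) shown above, and the generated content is constructed except for the author's own DN taken from the command on this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed example of an automatically generated grid-mapfile: one line per DN,
# the DN in double quotes followed by one or more comma-separated local accounts.
GENERATED_GRIDMAP = '''\
"/DC=org/DC=doegrids/OU=People/CN=Example User One 12345" osg
"/DC=org/DC=doegrids/OU=People/CN=Example User Two 67890" osg,cms
'''

# Site-local entries the official list lacks (the author's DN from the notes above).
LOCAL_ENTRIES: List[Tuple[str, str]] = [
    ("/DC=CN/DC=Grid/DC=SDG/CN=Zhenghua Xue (zhxue@cnic.cn)", "zhxue"),
]

# Only the quoted form is handled here; unquoted DNs without spaces are also legal
# in a grid-mapfile but are not produced by the generator assumed in this example.
LINE_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Map each DN to its list of local accounts, preserving order and rejecting bad lines."""
    mapping: Dict[str, List[str]] = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: malformed grid-mapfile entry: {line!r}")
        users = mapping.setdefault(m.group(1), [])
        for user in m.group(2).split(","):
            if user not in users:
                users.append(user)
    return mapping


def format_gridmap(mapping: Dict[str, List[str]]) -> str:
    return "".join(f'"{dn}" {",".join(users)}\n' for dn, users in mapping.items())


def missing_local_entries(generated: str, local: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Which (DN, account) pairs are absent from the generated file."""
    mapping = parse_gridmap(generated)
    return [(dn, user) for dn, user in local if user not in mapping.get(dn, [])]


def merge_local_entries(generated: str, local: List[Tuple[str, str]]) -> str:
    """Re-add site-local entries to a freshly regenerated grid-mapfile; running it twice is a no-op."""
    mapping = parse_gridmap(generated)
    for dn, user in local:
        users = mapping.setdefault(dn, [])
        if user not in users:
            users.append(user)
    return format_gridmap(mapping)


def local_user_for(text: str, dn: str) -> Optional[str]:
    """The first local account mapped to a DN (the one gridmap authorization uses), or None."""
    users = parse_gridmap(text).get(dn)
    return users[0] if users else None
```

Writing the merged text back to /etc/grid-security/grid-mapfile (via a temporary file and rename, so a half-written file is never read by the services) from the same cron job that regenerates it keeps the local entry from being lost.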
6. I found that SE is inactive in OIM
Prompted by OIM, it listens on port 8443, while our SE set 10443 as the security port. I modified it to 8443, and the public port to 8080; now it works.
You can use nmap se.osg.cnic.cn to see the open ports. If 8443 is not shown, it may be blocked by a firewall. Alternatively, you can use telnet se.osg.cnic.cn 8443 to test whether the port is open. If it quickly returns with "connection refused", the port is not open.
If you are sure that the firewall has opened the port, check whether the port has actually been opened by a running service, using the following command:
[root@se ~]# netstat -anp --tcp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 4423/hpiod
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:833 0.0.0.0:* LISTEN 10829/rpc.rquotad
tcp 0 0 0.0.0.0:11111 0.0.0.0:* LISTEN 4813/ricci
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4026/portmap
tcp 0 0 0.0.0.0:16851 0.0.0.0:* LISTEN 4736/modclusterd
tcp 0 0 0.0.0.0:44823 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4450/cupsd
tcp 0 0 0.0.0.0:920 0.0.0.0:* LISTEN 10917/rpc.mountd
tcp 0 0 0.0.0.0:2811 0.0.0.0:* LISTEN 24956/xinetd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 4428/python
tcp 0 0 159.226.13.50:34061 159.226.13.53:22 ESTABLISHED 7798/ssh
tcp 0 0 :::8080 :::* LISTEN 25053/java
tcp 0 0 :::22 :::* LISTEN 4441/sshd
tcp 0 0 :::8443 :::* LISTEN 25053/java
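The three outcomes described above (port listed by nmap, "connection refused" from telnet, or a silent hang because a firewall drops the packets) can be told apart programmatically, and the netstat listing can be reduced to the question that matters: which ports are listening, on which address, and owned by which process. The following is an added example for these notes, not part of OSG or BeStMan; the netstat excerpt is constructed in the same layout as the listing above, and the self-check binds a throwaway loopback listener so it runs without network access.

```python
import socket
from typing import Dict, List, Tuple

# Constructed `netstat -anp --tcp` excerpt (same shape as the listing above).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4450/cupsd
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2811            0.0.0.0:*               LISTEN      24956/xinetd
tcp        0      0 159.226.13.50:34061     159.226.13.53:22        ESTABLISHED 7798/ssh
tcp        0      0 :::8080                 :::*                    LISTEN      25053/java
tcp        0      0 :::22                   :::*                    LISTEN      4441/sshd
tcp        0      0 :::8443                 :::*                    LISTEN      25053/java
"""


def listening_ports(netstat_text: str) -> Dict[int, Dict[str, str]]:
    """Map each LISTEN port to its bound address and owning process ('-' when netstat cannot tell)."""
    result: Dict[int, Dict[str, str]] = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        result[int(port)] = {"addr": addr, "program": parts[6] if len(parts) > 6 else "-"}
    return result


def is_loopback_only(entry: Dict[str, str]) -> bool:
    return entry["addr"] in ("127.0.0.1", "::1")


def exposed_listeners(netstat_text: str) -> List[int]:
    """Ports bound to a non-loopback address, i.e. candidates for the firewall rule set."""
    return sorted(p for p, e in listening_ports(netstat_text).items() if not is_loopback_only(e))


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """'open' (handshake completed), 'refused' (host answered, nothing listening),
    'filtered' (no answer within the timeout, typically a firewall) or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def probe_local_listener() -> Tuple[str, str]:
    """Self-check: probe a freshly bound loopback listener, then the same port after closing it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_port("127.0.0.1", port)
    srv.close()
    after_close = probe_port("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    for port, entry in sorted(listening_ports(SAMPLE_NETSTAT).items()):
        scope = "loopback" if is_loopback_only(entry) else "exposed"
        print(f"{port:>5}  {scope:<8}  {entry['program']}")
    print("self-check:", probe_local_listener())
```

On the SE, `probe_port("se.osg.cnic.cn", 8443)` returning "filtered" while 8443 appears in `exposed_listeners` of the local netstat output is the firewall case from the notes; "refused" means the service is not bound at all (the 10443 vs 8443 mismatch), and "open" with OIM still unhappy points at the registration rather than the network.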