| Version 27 (modified by carlos, 8 years ago) (diff) |
|---|
Table of Contents
This installation guide will provide instructions about how to install an ESGF data/compute node. In order to do it, the VM should have 1 core, 2GB of RAM memory and 20GB of Hard Disk.
For the installation process, it is highly recommendable to provide more than 1 core
Pre-requisites
TCP and UDP ports firewall configuration
Corporate Firewall
| Port | Direction | Type | Application | Description |
| 80 | in | tcp | Tomcat | Web server access |
| 443 | in | tcp | Tomcat | SSL - Secure Web Server Access. |
| 5432 | in | tcp | Postgres | Postgres Access. (not external: by default bound ONLY TO LOCAL INTERFACE) |
| 2811 | in | tcp | GridFTP | user-configured GridFTP Server control channel |
| (60000-61000) | in/out | tcp | GridFTP | user-configured GridFTP Server data channel (or as defined in the global variable GLOBUS_TCP_PORT_RANGE) |
| 2812 | in | tcp | GridFTP | BDM-configured GridFTP Server control channel. May run together with the user-configured one though not recommended - system resource intensive! |
| (60000-61000) | in/out | tcp | GridFTP | BDM-configured GridFTP Server data channel. May run together with the user-configured one though not recommended - system resource intensive! |
| 7512 | out | tcp | MyProxy | MyProxy client access to the certificate repository |
| 8984 | - | tcp | esgf-search (Tomcat) | local connection to the Solr master instance (not external!) |
| 8983 | in/out | tcp | esgf-search (Tomcat) | Connection to remotes Solr slave instance. Used in distributed search (shard). |
| 80 | out | tcp | esg-publisher | Local connection to THREDDS server (e.g., to check catalogs) and other nodes (node-manager) |
| 443 | out | tcp | esg-publisher | Local secure connection to THREDDS server (e.g., to restart the application) and to the idp |
IPTables configuration
Add the rules below to the IPTables configuration file, i.e. /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 2811 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 2812 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 8984 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 8983 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 60000:61000 -j ACCEPT
then, restart the IPTables services
$ services iptables restart
Install RPM packages
First, install the sourceforge RPM repository for the *ExtUtils* packages:
$ rpm -iv http://dag.wieers.com/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.x86_64.rpm
after that, the ESGF required RPM packages :
$ yum install autoconf automake bison file flex gcc gcc-c++ gettext-devel libtool libuuid-devel libxml2 libxml2-devel libxslt libxslt-devel lsof make openssl-devel pam-devel pax readline-devel tk-devel wget zlib-devel perl-Archive-Tar perl-XML-Parser libX11-devel libtool-ltdl-devel e2fsprogs-devel.x86_64 gcc-gfortran libicu-devel.x86_64 libgtextutils-devel.x86_64 perl-ExtUtils-AutoInstall.noarch perl-ExtUtils-Depends.noarch perl-ExtUtils-CBuilder.x86_64 perl-ExtUtils-CChecker.x86_64 perl-ExtUtils-Config.noarch perl-ExtUtils-DynaGlue.noarch perl-ExtUtils-Embed.x86_64 perl-ExtUtils-F77.noarch perl-ExtUtils-FakeConfig.noarch perl-ExtUtils-FindFunctions.noarch perl-ExtUtils-H2PM.noarch perl-ExtUtils-Helpers.noarch perl-ExtUtils-InstallPaths.noarch perl-ExtUtils-MakeMaker.x86_64 perl-ExtUtils-MakeMaker-Coverage.noarch perl-ExtUtils-ParseXS.x86_64 perl-ExtUtils-PerlPP.noarch perl-ExtUtils-PkgConfig.noarch perl-ExtUtils-TBone.noarch perl-ExtUtils-XSBuilder.noarch
Please make sure that the ntp package is installed $ rpm -qa | grep ntp, otherwise instal it $ yum install ntp
ESGF user configuration
Fist, add a esgf user:
$ adduser esgf
...
After that, change the password:
$ passwd esgf
...
To finish, configure the esgf user with sudoers privileges. Add the following line to /etc/sudoers file:
esgf ALL=(ALL) ALL
Install the ESGF data/compute node
The instructions have been provided by the IPSL1.
Do it as esgf user
$ whoami esgf $ cd /usr/local/bin $ wget -O esg-bootstrap http://198.128.245.140/dist/esgf-installer/esg-bootstrap $ diff <(md5sum esg-bootstrap | tr -s " " | cut -d " " -f 1) <(curl -s http://198.128.245.140/dist/esgf-installer/esg-bootstrap.md5 | tr -s " " | cut -d " " -f 1) $ chmod 555 esg-bootstrap $ esg-bootstrap --devel
In our case, we are going to configure only data and compute types:
$ sudo ./esg-node --type data compute --install
-------------------------------------------------------
During the installation, you will have to fill in several questionnaires:
Welcome to the ESGF Node installation program! :-) What is the fully qualified domain name of this node? [vesgdev-data.ipsl.jussieu.fr]: data.meteo.unican.es What is the admin password to use for this installation? (alpha-numeric only) []: ******* Please re-enter password: ******** What is the name of your organization? [jussieu]: unican Please give this node a "short" name: []: data-unican Please give this node a more descriptive "long" name []: data-unican What is the namespace to use for this node? (set to your reverse fqdn - Ex: "gov.llnl") [fr.jussieu.ipsl]: es.unican.meteo What peer group(s) will this node participate in? (if not sure, use default) [esgf-test]: esgf-test What is the default peer to this node? [esgf-node1.llnl.gov]: data.meteo.unican.es What is the hostname of the node do you plan to publish to? [esgf-node1.llnl.gov]: vesgdev-idx.ipsl.jussieu.fr What email address should notifications be sent as? []: meteo@unican.es Is the database external to this node? [y/N]: Please enter the database connection string... (form: postgresql://[username]@[host]:[port]/esgcet) What is the database connection string? [postgresql://dbsuper@localhost:5432/esgcet]: postgresql:// entered: postgresql://dbsuper@localhost:5432/esgcet What is the (low priv) db account for publisher? [esgcet]: esgcet What is the db password for publisher user (esgcet)? []: *****
/usr/local/pgsql/bin/createuser -U postgres -P -s -e dbsuper
Enter password for new role:
Enter it again:
Questionnaire interactif 3
Would you like a "system" or "user" publisher configuration:
-------------------------------------------
*[1] : System
[2] : User
-------------------------------------------
[C] : (Custom)
-------------------------------------------
Looking for keystore [/esg/config/tomcat/keystore-tomcat]... (don't see one)...
Keystore setup:
Launching Java's keytool:
store_password = ******
Would you like to use the DN: (OU=ESGF.ORG, O=ESGF) ? [Y/n]: Y
Using keystore DN = CN=vesgdev-data.ipsl.jussieu.fr, OU=ESGF.ORG, O=ESGF
Enter key password for <my_esgf_node>
(RETURN if same as keystore password):
Do you wish to generate a Certificate Signing Request at this time? [Y/n] Y
Please enter the password for this keystore : Please re-enter the password for this keystore:
Create user credentials Please enter username for tomcat [dnode_user]: dnode_user Please enter password for user, "dnode_user" [********]: 73769edbd97410aacfb3560ebb817f882d141517 Would you like to add another user? [y/N]:
Please Enter the IP address of this host [134.157.179.48]:>
Using IP: 134.157.179.48
Please select the IDP Peer for this node:
-------------------------------------------
*[1] : ESGF-PCMDI-9 -> pcmdi9.llnl.gov
[2] : ESGF-PCMDI -> pcmdi3.llnl.gov
[3] : ESGF-JPL -> esg-gateway.jpl.nasa.gov
[4] : ESGF-ORNL -> esg2-gw.ccs.ornl.gov
[5] : ESGF-BADC -> cmip-gw.badc.rl.ac.uk
[6] : ESGF-DKRZ -> ipcc-ar5.dkrz.de
[7] : ESGF-PNNL -> esg1-gw.pnl.gov
[8] : ESGF-ANL -> dev.esg.anl.gov
[9] : ESGF-PCMDI-TEST3 -> esgf-node3.llnl.gov
-------------------------------------------
[C] : (Manual Entry)
-------------------------------------------
select [1] > C
Please enter the IDP Peer's name [ESGF-PCMDI-9] ESGF-TEST
Please enter the IDP Peer's hostname [pcmdi9.llnl.gov] data.meteo.unican.es
You have selected: (Manual Entry)
ESGF-TEST -> data.meteo.unican.es
Is this correct? [Y/n] Y
Loading KeyStore /esg/config/tomcat/esg-truststore.ts... Opening connection to vesgdev-idx.ipsl.fr:443... Starting SSL handshake... Do not currently have this certificate Server sent 2 certificate(s): 1 Subject CN=vesgdev-idx.ipsl.fr, OU=simpleCA-vesgdev-idx.ipsl.fr, OU=GlobusTest, O=Grid Issuer CN=Globus Simple CA, OU=simpleCA-vesgdev-idx.ipsl.fr, OU=GlobusTest, O=Grid sha1 cf f9 20 2b ce a6 bc b0 5d b4 a7 bb 0c 08 18 99 14 47 a6 86 md5 bd 6d ab cb 0b 75 58 fb 54 52 89 60 8e 1b 44 b8 2 Subject CN=Globus Simple CA, OU=simpleCA-vesgdev-idx.ipsl.fr, OU=GlobusTest, O=Grid Issuer CN=Globus Simple CA, OU=simpleCA-vesgdev-idx.ipsl.fr, OU=GlobusTest, O=Grid sha1 06 09 9b cc b6 70 6f 3e 59 00 34 b9 fa 0a ba 87 0b f1 16 10 md5 0b b0 a3 56 f6 a7 c7 32 7e 35 b5 b9 e3 bb cd 26 Enter certificate to add to trusted keystore or 'q' to quit: [1] > Y
Creating directory /esg/content/thredds/esgcet INFO 2013-08-02 16:48:46,144 Writing THREDDS ESG master catalog /esg/content/thredds/esgcet/catalog.xml INFO 2013-08-02 16:48:46,173 Writing THREDDS root catalog /esg/content/thredds/catalog.xml THREDDS dataset root directories (option=thredds_dataset_roots) Each entry has the form 'path_identifier | absolute_directory_path': Current value is: esg_dataroot | /esg/data Enter lines, or <RETURN> to end Add new line:
# ESGF cronjob BEGIN ### 35 0,12 * * * ESG_USAGE_PARSER_CONF=/esg/config/gridftp/esg-bdm-usage-gridftp.conf /esg/tools/esg_usage_parser # ESGF cronjob END ### Is this ok ? [Y/n]Y
# ESGF cronjob BEGIN ### 35 0,12 * * * ESG_USAGE_PARSER_CONF=/esg/config/gridftp/esg-bdm-usage-gridftp.conf /esg/tools/esg_usage_parser 5 0,12 * * * ESG_USAGE_PARSER_CONF=/esg/config/gridftp/esg-server-usage-gridftp.conf /esg/tools/esg_usage_parser # ESGF cronjob END ### Is this ok ? [Y/n]Y
Server sent 2 certificate(s): 1 Subject CN=vesgdev-idx.ipsl.fr, OU=simpleCA-vesgdev-idx.ipsl.fr, OU=GlobusTest, O=Grid Issuer CN=Globus Simple CA, OU=simpleCA-vesgdev-idx.ipsl.fr, OU=GlobusTest, O=Grid sha1 cf f9 20 2b ce a6 bc b0 5d b4 a7 bb 0c 08 18 99 14 47 a6 86 md5 bd 6d ab cb 0b 75 58 fb 54 52 89 60 8e 1b 44 b8 2 Subject CN=Globus Simple CA, OU=simpleCA-vesgdev-idx.ipsl.fr, OU=GlobusTest, O=Grid Issuer CN=Globus Simple CA, OU=simpleCA-vesgdev-idx.ipsl.fr, OU=GlobusTest, O=Grid sha1 06 09 9b cc b6 70 6f 3e 59 00 34 b9 fa 0a ba 87 0b f1 16 10 md5 0b b0 a3 56 f6 a7 c7 32 7e 35 b5 b9 e3 bb cd 26 Enter certificate to add to trusted keystore or 'q' to quit: [1] > 1
After that, you should restart the esg-node:
$ sudo ./esg-node restart
If you want to re-install it, you have to use the force option :
$ sudo ./esg-node --type data compute --install --force
Index peer configuration
Configure host certificate and CA public key
Do it as root user
First, you have to send the csr file located under /esg/config/tomcat/ directory to the CA.
$/esg/config/tomcat/data.meteo.unican.es-esg-node.csr
Then you should put the signed csr under the /etc/grid-security/ directory.
$ /etc/grid-security/data.meteo.unican.es-esg-node-globus.csr.signed
And, if the tomcat key is not in /etc/grid-security directory, copy it inside:
$ cd /etc/grid-security $ cp /esg/conf/tomcat/hostkey.pem ./
Install the key pair in tomcat. You will be prompted to enter the cacert file; enter the url to the index node cacert.pem:
$ esg-node --install-keypair data.meteo.unican.es-esg-node-globus.csr.signed hostkey.pem Please enter your Certificate Athority's certificate chain file(s): [enter each cert file/url press return, press return with blank entry when done] certfile> http://vesgint-idx.ipsl.jussieu.fr/cacert.pem ................................... ...................................
This process should fetch the CA cert to /etc/grid-security/certificates
Set auto fetch certs false, otherwise /etc/grid-security/certificates/* will be overwritten by esgf-prod peer groups certificates
$ esg-node --set-auto-fetch-certs false $ esg-node restart
Register connects to desired node, fetches and stores their certificate to enable ingress SSL connections
$ esg-node --register vesgint-idx.ipsl.jussieu.fr
Then rebuild the Tomcat's trustsore
$ esg-node --rebuild-truststore
Data Publishing
http://devel.esgf.org/wiki/ESGF_Data_Publishing
http://devel.esgf.org/wiki/ESGF_Project_Configuration
http://www2-pcmdi.llnl.gov/Members/bdrach/.personal/esg-publisher-configuration/
Attachments (8)
- esgcet_models_table.txt (424 bytes) - added by carlos 8 years ago.
- esg.ini (7.3 KB) - added by carlos 8 years ago.
- localopenssl.cnf (9.7 KB) - added by terryk 8 years ago.
- Datanodemgr-doc.pdf (213.7 KB) - added by terryk 8 years ago.
- chain.pem (4.7 KB) - added by terryk 7 years ago.
- ESGF_node_resource_estimate.pdf (446.3 KB) - added by antonio 7 years ago.
- geoiplookup0.2.sh (571 bytes) - added by terryk 7 years ago.
- is-enes2_statistics.txt (10.9 KB) - added by terryk 7 years ago.
Download all attachments as: .zip
