Version 33 (modified by zequi, 4 years ago)


ESGF Local Node Deployment Tutorial

This page shows how to deploy an ESGF Node that provides data, index and idp services and belongs to the esgf-test federation. The purpose of this node is to test the process of publication in the ESGF.

This page assumes that commands are executed by the root user (not sudo).


  1. Prerequisites
  2. Previous installation clean up
  3. Installation from scratch
  4. Configuration for publication
  5. Publish the test dataset
  6. Publish CORDEX datasets
  7. Known issues
  8. References

0. Prerequisites

  1. You have to create a globus account -

1. Previous installation clean up

Execute /usr/local/bin/esg-node stop in order to stop the current ESGF services (in case they are running).

[root@spock ~]# /usr/local/bin/esg-node stop

  E::::::::::::::::::::E SS:::::::::::::::S     GGG::::::::::::GF::::::::::::::::::::F
  E::::::::::::::::::::ES:::::SSSSSS::::::S   GG:::::::::::::::GF::::::::::::::::::::F
  EE::::::EEEEEEEEE::::ES:::::S     SSSSSSS  G:::::GGGGGGGG::::GFF::::::FFFFFFFFF::::F
    E:::::E       EEEEEES:::::S             G:::::G       GGGGGG  F:::::F       FFFFFF
    E:::::E             S:::::S            G:::::G                F:::::F
    E::::::EEEEEEEEEE    S::::SSSS         G:::::G                F::::::FFFFFFFFFF
    E:::::::::::::::E     SS::::::SSSSS    G:::::G    GGGGGGGGGG  F:::::::::::::::F
    E:::::::::::::::E       SSS::::::::SS  G:::::G    G::::::::G  F:::::::::::::::F
    E::::::EEEEEEEEEE          SSSSSS::::S G:::::G    GGGGG::::G  F::::::FFFFFFFFFF
    E:::::E                         S:::::SG:::::G        G::::G  F:::::F
    E:::::E       EEEEEE            S:::::S G:::::G       G::::G  F:::::F
  EE::::::EEEEEEEE:::::ESSSSSSS     S:::::S  G:::::GGGGGGGG::::GFF:::::::FF
  E::::::::::::::::::::ES::::::SSSSSS:::::S   GG:::::::::::::::GF::::::::FF
  E::::::::::::::::::::ES:::::::::::::::SS      GGG::::::GGG:::GF::::::::FF

Checking that you have root privs on [OK]
Checking requisites... 

Using IP:
Stopping search services...
Using solr_workdir=/usr/local/src/esgf/workbench/esg/solr-5.5.3
Using solr_install_dir=/usr/local/solr-home/slave-8983
Using solr_data_dir=/esg/solr-index/slave-8983
Using solr_server_dir=/usr/local/solr
Using solr_logs_dir=/esg/solr-logs
Using esg_dist_url=
sudo: source: command not found
Sending stop command to Solr running on port 8983 ... waiting 5 seconds to allow Jetty process 16339 to stop gracefully.
Sending stop command to Solr running on port 8984 ... waiting 5 seconds to allow Jetty process 16554 to stop gracefully.
Stopping Globus Services for Data-Node... (GridFTP) stop_globus_services for datanode
globus-gridftp-server: unrecognized service
Stopping Globus Services for Index-Node... (MyProxy server) stop_globus_services for gateway
Stopping myproxy-server:                                   [  OK  ]
No MyProxy Process Currently Running...
Tomcat (jsvc) process is running... 

stop tomcat: /usr/local/tomcat/bin/jsvc -pidfile /var/run/ -stop org.apache.catalina.startup.Bootstrap
(please wait)
postmaster (pid  16024) is running...
Stopping postgresql service:                               [  OK  ]
Stopping httpd:                                            [  OK  ]
Running shutdown hooks...

Running Node Services... 
node type: [ data index idp compute ] (60) 

Execute source /usr/local/bin/ && esg-purge all

2. Installation from scratch

Change directory to /usr/local/bin/

[root@spock ~]# cd /usr/local/bin/

[root@spock bin]# wget -O esg-bootstrap --no-check-certificate
[root@spock bin]# chmod 555 ./esg-bootstrap
[root@spock bin]# ./esg-bootstrap

Your directory should look like this:

[root@spock bin]# ls
esg-bootstrap  esg-functions  esg-init  esg-node  jar_security_scan  setup-autoinstall

Check your node's version:

[root@spock bin]# ./esg-node --version
Version: v2.4.24-master-release
Release: Bifrost
Earth Systems Grid Federation (
ESGF Node Installation Script

Set node's type:

[root@spock bin]# ./esg-node --set-type data idp index
node type set to: [ index data idp ] (28) 

Install the node:

[root@spock bin]# ./esg-node --install
Please select the ESGF distribution mirror for this installation (fastest to slowest): 
select [1] > 1
Are you ready to begin the installation? [Y/n] 
Configured host IP address does not match available IPs...
Detected multiple IP addresses bound to this host...
Please select the IP address to use for this installation
        [0] :
        [1] :
select [] > (select the one that fits your case)
Welcome to the ESGF Node installation program! :-)

What is the fully qualified domain name of this node? []: 
What is the admin password to use for this installation? (alpha-numeric only) []: 
Please re-enter password: 
What is the name of your organization? [unican]: 
Please give this node a "short" name: []: unican
Please give this node a more descriptive "long" name []: unican
What is the namespace to use for this node? (set to your reverse fqdn - Ex: "gov.llnl") [es.unican.meteo]: 
What peer group(s) will this node participate in? (esgf-test|esgf-prod) [esgf-test]: 
What is the default peer to this node? []: 
What is the hostname of the node do you plan to publish to? []: 
What email address should notifications be sent as? []: 
Is the database external to this node? [y/N]: 
Please enter the database connection string...
 (form: postgresql://[username]@[host]:[port]/esgcet)
What is the database connection string? [postgresql://dbsuper@localhost:5432/esgcet]: postgresql://
entered: postgresql://dbsuper@localhost:5432/esgcet
What is the (low priv) db account for publisher? [esgcet]: 
What is the db password for publisher user (esgcet)? []: 
Enter password for postgres user dbsuper: 
Re-enter password for postgres user dbsuper: 
Please Enter PostgreSQL port number [5432]:> 
Would you like a "system" or "user" publisher configuration: 
        *[1] : System
         [2] : User
         [C] : (Custom)
select [1] > 

You have selected: 1
Publisher configuration file -> [/esg/config/esgcet/esg.ini]

Is this correct? [Y/n] 
Your publisher configuration file will be: /esg/config/esgcet/esg.ini
What is your organization's id? [unican]: 
Would you like to use the DN: (OU=ESGF.ORG, O=ESGF) ? [Y/n]:
Please enter the password for this keystore   : 
Enter a single ip address which would be cleared to access admin restricted pages.
You will be prompted if you want to enter more ip-addresses

Do you wish to allow further ips? y/n
Create user credentials
Please enter username for tomcat [dnode_user]:  
Please enter password for user, "dnode_user" [********]:
Would you like to add another user? [y/N]: 
Please Enter the public (i.e. routable) IP address of this host []:> 
Do you wish to use an external IDP peer?(N/y):
Do you want to continue with the Globus installation and setup? [Y/n] : 
Do you want to register the MyProxy server with Globus? [Y/n]: 
Please provide a Globus username []: YOUR-GLOBUS-USER
Globus password []: 

When finished, you should see something like this:

Running Node Services... 
node type: [ data index idp ] (29) 
myproxy-s 23071     root    5u  IPv4 1526752      0t0  TCP *:7512 (LISTEN)
java      26088     solr   28u  IPv6 1591850      0t0  TCP (LISTEN)
java      26088     solr   92u  IPv6 1591986      0t0  TCP *:8983 (LISTEN)
java      26257     solr   28u  IPv6 1592730      0t0  TCP (LISTEN)
java      26257     solr   92u  IPv6 1593098      0t0  TCP *:8984 (LISTEN)
postmaste 29509 postgres    3u  IPv6 1449862      0t0  TCP [::1]:5432 (LISTEN)
postmaste 29509 postgres    4u  IPv4 1449863      0t0  TCP (LISTEN)
httpd     12706     root    4u  IPv6 1512235      0t0  TCP *:80 (LISTEN)

In order to see if this node has been installed properly you may direct your browser to:

Your peer group membership -- : [esgf-test]
Your specified "default" peer : []
Your specified "index" peer - : [] (url =
Your specified "idp" peer --- : [] (name = SPOCK.METEO.UNICAN.ES)
Your temporary certificates have been placed in /etc/tempcerts
You can install them by executing this : esg-node --install-keypair /etc/tempcerts/hostcert.pem /etc/tempcerts/hostkey.pem
When promped for the chainfile, specify: /etc/tempcerts/cacert.pem

[Note: Use UNIX group permissions on /esg/content/thredds/esgcet to enable users to be able to publish thredds catalogs from data therein]
 %> chgrp -R <appropriate unix group for publishing users> /esg/content/thredds

        Administrators of this node should subscribe to the by sending email to:
        with the body: subscribe esgf-node-admins


Writing additional settings to db. If these settings already exist, psql will report an error, but ok to disregard.
ERROR:  insert or update on table "permission" violates foreign key constraint "permission_user_id_fkey"
DETAIL:  Key (user_id)=(1) is not present in table "user".
Node installation is complete.

Execute the following:

[root@spock bin]# ./esg-node --install-keypair /etc/tempcerts/hostcert.pem /etc/tempcerts/hostkey.pem
Please set the password for this keystore   : 
Please re-enter the password for this keystore: 
certfile> /etc/tempcerts/cacert.pem
Is the above information correct? [Y/n] 
Is the above information correct? [Y/n] 

Restart the node:

[root@spock bin]# ./esg-node restart

Check that everything works (

If the CoG portal does not work follow the instructions on

Now you should be able to log in to the CoG portal using the openid "" and the password that you chose during the installation process.

Configuration for publishing

The installation process should have created a user named rootAdmin in the postgres database. You can check this by running psql -U dbsuper -d esgcet (to access the postgres CLI) and inspecting the table esgf_security.user.

esgcet=# select * from esgf_security.user;
 id | firstname | middlename |  lastname   |         email          | username  |              password              | dn |                         openid                          | organization | organization_type | city | state | country | status_code |          verification_token          | notification_code 
  1 | Admin     |            | User        | emailOfTheAdmin | rootAdmin | hashOfThePassword |    | https://domain/esgf-idp/openid/rootAdmin | Institution  |                   | City | State | Country |           1 | 79563dfc-ad55-4aa1-b50e-d43692adc5e5 |

In order to test the publication, create a new user using the CoG web interface (https://[index_node_fqdn]). You should click on 'Create Account' and fill the form. Once the user is created using the CoG interface, it should be visible in the esgf_security.user table of the postgres database.

esgcet=# select * from esgf_security.user;
 id | firstname | middlename |  lastname   |         email          | username  |              password              | dn |                         openid                          | organization | organization_type | city | state | country | status_code |          verification_token          | notification_code 
  1 | Admin     |            | User        | emailOfTheAdmin         | rootAdmin | hashOfThePassword                  |    | https://domain/esgf-idp/openid/rootAdmin | Institution  |                   | City | State | Country |           1 | 79563dfc-ad55-4aa1-b50e-d43692adc5e5 |                 0
  2 | zequi     |            | cimadevilla | emailOfZequi            | zequi     | hashOfThePassword                  |    | https://domain/esgf-idp/openid/zequi     | asdf         |                   | asdf | asdf  | asdf    |           1 | f187f706-b03c-467b-a570-c4ddc7afc70e | 

Once the user is created, create permissions and roles as follows:

(reference documentation -

esgcet=# select * from esgf_security.role;
 id |   name    |     description     
  1 | super     | Super User
  2 | none      | None
  3 | default   | Standard
  4 | publisher | Data Publisher
  5 | admin     | Group Administrator
  6 | user      | user role
(6 rows)

esgcet=# select * from;
 id |     name     |     description     | visible | automatic_approval 
  1 | wheel        | Administrator Group | t       | t
  2 | test_group   | test group          | t       | t
  3 | cordex_group | cordex group        | t       | t
(3 rows)

esgcet=# select * from esgf_security.permission;
 user_id | group_id | role_id | approved 
       2 |        2 |       4 | t
       2 |        2 |       6 | t
       2 |        3 |       6 | t
       2 |        3 |       4 | t
(4 rows)

Add the following elements to /esg/config/esgf_policies_local.xml

     <policy resource=".*test.*" attribute_type="test_group" attribute_value="user" action="Read"/>
     <policy resource=".*test.*" attribute_type="test_group" attribute_value="publisher" action="Write"/>
     <policy resource=".*cordex.*" attribute_type="cordex_group" attribute_value="user" action="Read"/>
     <policy resource=".*cordex.*" attribute_type="cordex_group" attribute_value="publisher" action="Write"/>
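
Added example, not part of the original page or of ESGF's own code: a small evaluator for the four policy elements above, combined with the permission rows shown for user_id 2, that lists which (group, role) grants a resource identifier falls under. The whole-string regex match, the resource identifiers and the TEST_ONLY user are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Policy elements copied from the page, wrapped in a root element so they parse.
POLICIES_XML = """<policies>
  <policy resource=".*test.*" attribute_type="test_group" attribute_value="user" action="Read"/>
  <policy resource=".*test.*" attribute_type="test_group" attribute_value="publisher" action="Write"/>
  <policy resource=".*cordex.*" attribute_type="cordex_group" attribute_value="user" action="Read"/>
  <policy resource=".*cordex.*" attribute_type="cordex_group" attribute_value="publisher" action="Write"/>
</policies>"""

# (group, role) pairs mirroring the esgf_security.permission rows shown for user_id 2.
ZEQUI = {("test_group", "publisher"), ("test_group", "user"),
         ("cordex_group", "user"), ("cordex_group", "publisher")}
# Constructed user who holds roles only in test_group.
TEST_ONLY = {("test_group", "user"), ("test_group", "publisher")}


def load_policies(xml_text):
    """Return (compiled_regex, group, role, action) tuples from the XML."""
    root = ET.fromstring(xml_text)
    return [(re.compile(p.get("resource")), p.get("attribute_type"),
             p.get("attribute_value"), p.get("action"))
            for p in root.iter("policy")]


def is_allowed(policies, memberships, resource, action):
    """True if a matching policy grants `action` to a held (group, role).

    Assumption: the resource pattern must match the whole identifier.
    """
    return any(rx.fullmatch(resource) and act == action and (grp, role) in memberships
               for rx, grp, role, act in policies)


def overlapping_grants(policies, resource):
    """List every (group, role, action) a resource falls under, to spot overlaps."""
    return sorted({(grp, role, act) for rx, grp, role, act in policies
                   if rx.fullmatch(resource)})


POLICIES = load_policies(POLICIES_XML)

if __name__ == "__main__":
    # Constructed identifiers; the second contains "test" inside "latest".
    for res in ("test.test.v2", "cordex.output.EUR-11.latest"):
        print(res, overlapping_grants(POLICIES, res),
              "test-only user may write:", is_allowed(POLICIES, TEST_ONLY, res, "Write"))
```

Because `.*test.*` matches any identifier containing the substring "test", a CORDEX resource with "latest" in its name also falls under the test_group grants. A pattern tied to the project prefix avoids the overlap; its exact form depends on how the node builds resource identifiers.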

Add the following elements to /esg/config/esgf_ats_static.xml

        description="Test group for test data"

        description="Test group for cordex data"

Generate your credentials for publication - globus certificate

myproxy-logon [ -b ] -s <openid_server> -l <your_esgf_username> -p 7512 -t 72 -o $HOME/.globus/certificate-file

The certificate is valid for 72 hours, as specified by -t. If you are publishing for the first time, you will need to mkdir $HOME/.globus and use -b to bootstrap its trustroots with the server. The esgf_username is simply the username portion of your openid rather than the entire openid string, e.g. sashakames, not

Publish the test dataset

For esgprep and esgpublish to be available, execute source /etc/esg.env.

[root@spock ~]# esgprep mapfile --project test /esg/data/test/
Collecting files     : 1 files
Mapfile(s) generation: 100% |████████████████████████████████████████████████████████████| 1/1 files
Mapfile(s) generated : 1 (see /root/mapfiles)
[root@spock ~]# esgpublish --service fileservice --map mapfiles/ --project test --thredds --publish --offline
INFO       2017-06-02 14:59:48,405 Replacing files in dataset: test.test, version 1
INFO       2017-06-02 14:59:48,413 File /esg/data/test/ exists, skipping
INFO       2017-06-02 14:59:48,416 New dataset version = 2
INFO       2017-06-02 14:59:48,430 Adding file info to database
INFO       2017-06-02 14:59:48,469 Writing THREDDS catalog /esg/content/thredds/esgcet/1/test.test.v2.xml
INFO       2017-06-02 14:59:48,522 Writing THREDDS ESG master catalog /esg/content/thredds/esgcet/catalog.xml
INFO       2017-06-02 14:59:48,533 Reinitializing THREDDS server
INFO       2017-06-02 14:59:48,830 Publishing: test.test
INFO       2017-06-02 14:59:49,871   Result: SUCCESSFUL


  1. --map must point to the file generated by esgprep mapfile
  2. --thredds publishes data to the data node
  3. --publish publishes data to the index node
  4. --offline is required to publish the test dataset (Why?)
  5. This publication works out of the box because esgf installs the required /esg/config/esgcet/esg.test.ini file by default.

Publish CORDEX datasets

See CORDEXPublication

Known issues during installation

#error "Psycopg requires PostgreSQL client library (libpq) >= 9.1

This error occurs sometimes during installation but removing the node and installing it from scratch seems to solve it...

Traceback (most recent call last):
  File "", line 110, in <module>
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/distutils/", line 111, in setup
    _setup_distribution = dist = klass(attrs)
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/setuptools/", line 239, in __init__
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/setuptools/", line 263, in fetch_build_eggs
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/", line 568, in resolve
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/", line 806, in best_match
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/", line 818, in obtain
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/setuptools/", line 313, in fetch_build_egg
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/setuptools/command/", line 609, in easy_install
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/setuptools/command/", line 639, in install_item
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/setuptools/command/", line 825, in install_eggs
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/setuptools/command/", line 1031, in build_and_install
  File "/usr/local/uvcdat/2.2.0/lib/python2.7/site-packages/setuptools-1.4-py2.7.egg/setuptools/command/", line 1019, in run_setup
distutils.errors.DistutilsError: Setup script exited with error: command 'gcc' failed with exit status 1

This action did not complete successfully
Please re-run this task until successful before continuing further

Also please review the installation FAQ it may assist you

Failed building wheel for Pillow

This error seems unavoidable but it also seems that it doesn't affect the esgf functionality.

Installing a custom certificate in the ESGF Node

You need to have your certificate file (hostcert.crt) and your private key (hostkey.key). Your /etc/httpd/conf/esgf-httpd.conf must reference your certificate and key:

        SSLVerifyClient optional
        SSLVerifyDepth  10
        SSLCertificateFile /etc/certs/hostcert.crt
        #SSLCACertificateFile /etc/certs/esgf-ca-bundle.crt
        SSLCertificateKeyFile /etc/certs/hostkey.key
        #SSLCertificateChainFile /etc/certs/cachain.pem
        SSLOptions +StdEnvVars +ExportCertData

Then you have to import your certificate and your key into your tomcat keystore (the stores are located in /esg/config/tomcat/ and named esg-truststore.ts and keystore-tomcat). They are configured in /usr/local/tomcat/conf/server.xml.

  1. If the self-signed certificate is installed in keystore-tomcat, remove it with keytool -delete -alias ALIAS -keystore keystore-tomcat, where ALIAS can be obtained with keytool -v -list -keystore keystore-tomcat.
  2. Execute:
       # openssl pkcs12 -export -in /etc/certs/hostcert.crt -inkey /etc/certs/hostkey.key -out server.p12 -name my-esgf-node -CAfile /etc/certs/hostcert.crt -caname root
       # keytool -importkeystore -deststorepass PASSWORD -destkeypass PASSWORD -destkeystore keystore-tomcat -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass PASSWORD -alias my-esgf-node
  3. Ensure it has been correctly installed with keytool -v -list -keystore keystore-tomcat.
  4. Restart the node: esg-node restart
  5. More info in Stackoverflow