Difference: CsGsiSupport (20 vs. 21)

Revision 21  2011-03-22 - andrec

Line: 1 to 1
 
META TOPICPARENT name="Restricted.ClosedCanarieProjectNEP52"
This page contains information on GSI support in the cloud scheduler.
Line: 8 to 8
 Enabling GSI support in the cloud scheduler also restricts each VM so that only jobs from the owner of that VM can be started on it. In other words, jobs owned by user B will not be started on a VM owned by user A. The rationale is to prevent other users from accessing the proxy that was delegated to the VM.
Changed:
<
<

Requirements:

>
>

Requirements

 
  • A cloud scheduler codebase with GSI support
    • Warning: if you want to renew your certificate via CDS, use the cloud scheduler codebase from the CDS branch
    • merged into dev branch on Sep 13, 2010
Line: 18 to 18
 
  • The user requires a valid grid certificate (x509)
  • The VM images must have a recent version of the condor startup scripts (with generic local condor config support)
Added:
>
>

A note about CA root cert hash values

Note that the newest openssl libraries (1.0+) use a different algorithm to compute x509 cert hash values. This can cause hard-to-diagnose authentication failures if you have systems that use different versions of openssl, or applications that are linked against different versions of openssl (e.g., condor statically linked to openssl 0.9 on a system with openssl 1.0 installed).

You can manually extract the old and new hash values from a CA root cert with the openssl command as shown below. (The -subject_hash_old option only exists in openssl 1.0+, so you need that version for this to work.)

$ openssl version
OpenSSL 1.0.0c 2 Dec 2010

$ openssl x509 -hash -noout < /etc/grid-security/certificates/5d674a88.0
5d674a88

$ openssl x509 -subject_hash_old -noout < /etc/grid-security/certificates/5d674a88.0
bffbd7d0

Install GridCanada root CA package

If you haven't done so yet, you will need to install the GridCanada CA root package on your Cloud Scheduler system. For example:

as user globus:

wget http://gridcanada.ca/ca/globus_simple_ca_bffbd7d0_setup-0.18.tar.gz
. $GLOBUS_LOCATION/etc/globus-user-env.sh
gpt-build globus_simple_ca_bffbd7d0_setup-0.18.tar.gz gcc64dbg
gpt-postinstall

as root:

$GLOBUS_LOCATION/setup/globus_simple_ca_bffbd7d0_setup/setup-gsi

It is also a good idea to install the GridCanada CA revocation list:

as root:

cd /etc/grid-security/certificates
wget http://gridcanada.ca/ca/bffbd7d0.r0

In order to avoid errors caused by x509 CA root cert hash inconsistencies, it is recommended that you create symlinks for the new hash of the GridCanada CA root cert, as shown below:

as root:

cd /etc/grid-security/certificates
ln -s bffbd7d0.0 5d674a88.0
ln -s bffbd7d0.signing_policy 5d674a88.signing_policy
ln -s globus-host-ssl.conf.bffbd7d0 globus-host-ssl.conf.5d674a88
ln -s globus-user-ssl.conf.bffbd7d0 globus-user-ssl.conf.5d674a88
ln -s grid-security.conf.bffbd7d0 grid-security.conf.5d674a88
ln -s bffbd7d0.r0 5d674a88.r0
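
The manual hash check and symlink steps above, automated as an added shell example (not from the original page or the Cloud Scheduler project): for every <hash>.0 CA cert in a certificates directory it computes both subject hashes with openssl and links each companion file under the other hash name, refusing to touch an existing path that belongs to a different file. It assumes openssl 1.0+ on PATH and the companion file names used above (.0, .signing_policy, .r0, globus-*-ssl.conf.<hash>, grid-security.conf.<hash>).

```shell
#!/bin/sh
# Added example (not from the original page): link every CA cert in a
# grid-security certificates directory under both its OpenSSL 1.0 (SHA-1 based)
# and pre-1.0 (MD5 based) subject-hash names. Assumes openssl 1.0+ on PATH,
# since -subject_hash_old does not exist in older releases.
set -eu

# Print "<new-hash> <old-hash>" for one PEM certificate file.
ca_hashes() {
    printf '%s %s\n' "$(openssl x509 -noout -subject_hash -in "$1")" \
                     "$(openssl x509 -noout -subject_hash_old -in "$1")"
}

# For each <hash>.0 in directory $1, create <otherhash>.* links for every
# companion file that exists (.0, .signing_policy, .r0 CRL,
# globus-*-ssl.conf.<hash>, grid-security.conf.<hash>). An existing path that
# is not already the same file is reported and left alone, so a colliding
# CA is never overwritten. Re-running is a no-op.
link_ca_hashes() {
    dir=$1
    for cert in "$dir"/*.0; do
        [ -f "$cert" ] || continue
        base=$(basename "$cert" .0)
        set -- $(ca_hashes "$cert")
        if   [ "$base" = "$1" ]; then other=$2   # file is named by the new hash
        elif [ "$base" = "$2" ]; then other=$1   # file is named by the old hash
        else
            echo "skip $cert: name matches neither hash $1 nor $2" >&2
            continue
        fi
        for f in "$base.0" "$base.signing_policy" "$base.r0" \
                 "globus-host-ssl.conf.$base" "globus-user-ssl.conf.$base" \
                 "grid-security.conf.$base"; do
            [ -e "$dir/$f" ] || continue
            link=$dir/$(printf '%s' "$f" | sed "s/$base/$other/")
            if [ -e "$link" ] || [ -L "$link" ]; then
                [ "$link" -ef "$dir/$f" ] || \
                    echo "refusing to overwrite $link (different file)" >&2
                continue
            fi
            ln -s "$f" "$link"   # relative target, like the manual ln commands
        done
    done
}
```

Run it as root with the certificates directory as the argument, e.g. `link_ca_hashes /etc/grid-security/certificates`, after installing the CA package and CRL.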
 

Install NEP-52 root CA package

Tip: If you already have your own CA that you can use to sign your own X509 certificates, you can install your CA package instead.
Line: 29 to 82
 # $GLOBUS_LOCATION/setup/globus_simple_ca_08b380b1_setup/setup-gsi
Changed:
<
<
old hash value for above CA cert: 63bbbd3b
>
>
IMPORTANT: Note that the newest openssl libraries (1.0+) use a different algorithm to compute x509 cert hash values. This can cause hard-to-diagnose authentication failures if you have systems that use different versions of openssl, or applications that are linked against different versions of openssl (e.g., condor statically linked to openssl 0.9 on a system with openssl 1.0 installed). In order to minimize the chance of running into this kind of error, I suggest you create a set of symlinks as shown below.

In order to avoid errors caused by x509 CA root cert hash inconsistencies, it is recommended that you create symlinks for the new hash of our CA root cert, as shown below:

cd /etc/grid-security/certificates
ln -s 08b380b1.0 63bbbd3b.0
ln -s 08b380b1.signing_policy 63bbbd3b.signing_policy
ln -s globus-host-ssl.conf.08b380b1 globus-host-ssl.conf.63bbbd3b
ln -s globus-user-ssl.conf.08b380b1 globus-user-ssl.conf.63bbbd3b
ln -s grid-security.conf.08b380b1 grid-security.conf.63bbbd3b
 

Request dummy host certificate for VM instances

For credential delegation to the worker nodes to work, they need to have a host certificate. Here we simply reuse a dummy host certificate on every VM that will be booted by the cloud scheduler.
Line: 86 to 151
 Then create a proxy and try the command again. The condor_q command should work now.

Configure CA roots in cloud scheduler

Changed:
<
<
We need to specify which CA root certificates and signing policy we need on our VMs. This is done by adding the following to the cloud scheduler config file:
>
>
We need to specify which CA root certificates and signing policies we need on our VMs. In our situation, we have two: the GridCanada CA root, and our simple CA which is used to sign dummy VM host certs. Note that to avoid conflicts, we list both hash values (old and new) for each CA root cert.

This is done by adding the following to the cloud scheduler config file:

 
Changed:
<
<
ca_root_certs: /etc/grid-security/certificates/bffbd7d0.0,/etc/grid-security/certificates/08b380b1.0

ca_signing_policies: /etc/grid-security/certificates/bffbd7d0.signing_policy,/etc/grid-security/certificates/08b380b1.signing_policy
>
>
ca_root_certs: /etc/grid-security/certificates/bffbd7d0.0,/etc/grid-security/certificates/5d674a88.0,/etc/grid-security/certificates/08b380b1.0,/etc/grid-security/certificates/63bbbd3b.0

ca_signing_policies: /etc/grid-security/certificates/bffbd7d0.signing_policy,/etc/grid-security/certificates/5d674a88.signing_policy,/etc/grid-security/certificates/08b380b1.signing_policy,/etc/grid-security/certificates/63bbbd3b.signing_policy

 

Configure VM dummy host certificate in cloud scheduler

Line: 277 to 345
  -- AndreCharbonneau - 2010-08-30
Deleted:
<
<
META FILEATTACHMENT attachment="globus_simple_ca_ebd3459c_setup-0.20.tar.gz" attr="" comment="(old CA root package... )" date="1283200693" name="globus_simple_ca_ebd3459c_setup-0.20.tar.gz" path="globus_simple_ca_ebd3459c_setup-0.20.tar.gz" size="214734" user="andrec" version="1"
 
META FILEATTACHMENT attachment="globus_simple_ca_08b380b1_setup-0.20.tar.gz" attr="" comment="NEP-52 CA package (root cert, signing policy, etc...)" date="1300456544" name="globus_simple_ca_08b380b1_setup-0.20.tar.gz" path="globus_simple_ca_08b380b1_setup-0.20.tar.gz" size="216213" user="andrec" version="1"
META TOPICMOVED by="andrec" date="1294867077" from="Restricted.CsGsiSupport" to="Main.CsGsiSupport"