Using grid-mapfile with OSG
Archived on 2011/10/09. Be aware that this guide will no longer be kept up to date. It is highly recommended that you consult the linked OSG guides, rather than following this guide explicitly.
Configure the grid-mapfile service:
Description | Install the service which maps a user's distinguished name in their certificate to an account on your cluster. |
Dependencies | - OSG CE configured - note that the default configuration provided on the current guide is for GUMS. Use this archived config.ini to see the settings specific for grid-mapfile. |
Notes | These are only additional notes; follow the official OSG release docs, consulting our notes for details. OSG strongly recommends the use of GUMS. |
Guides | - OSG release docs for grid mapfile service - Accepting jobs from specific VOs - Mapping specific distinguished names to specific user accounts |
- Be sure to enable the gridmap service (as root on the GN):
vdt-control --enable edg-mkgridmap
- The sudo-example.txt file is located in both $VDT_LOCATION/monitoring and $VDT_LOCATION/osg/etc.
- To edit /etc/sudoers:
visudo
a
Copy and paste changes, being careful to replace symlinks with full paths.
Esc
:wq!
- The VOs we support can be limited by editing the file $VDT_LOCATION/edg/etc/edg-mkgridmap.conf and removing all lines but those for the mis, uscms01, and ops users. This file can be overwritten on future pacman updates, so check it each time.
- The accounts for each supported VO need to be made. On the HN as root (su -):
useradd -c "Monitoring information service" -n mis -s /bin/true
useradd -c "CMS grid jobs" -n uscms01 -s /bin/true
useradd -c "Monitoring from ops" -n ops -s /bin/true
ssh-agent $SHELL
ssh-add
rocks sync config
rocks sync users
Setting their shell to /bin/true is a security measure, as these user accounts should never actually ssh in.
- The grid-mapfile can be remade at any time by executing:
$VDT_LOCATION/edg/sbin/edg-mkgridmap
- The http cert will be used by the CE to gather information. It needs to be mapped to a user account following these instructions. Specifically, add to the end of $VDT_LOCATION/edg/etc/edg-mkgridmap.conf:
#### GMF_LOCAL: gmf_local grid-mapfile-local
gmf_local /etc/grid-security/grid-mapfile-local
Then create the file /etc/grid-security/grid-mapfile-local and add the DN->user mapping:
"/DC=org/DC=doegrids/OU=Services/CN=http/hepcms-0.umd.edu" uscms01
- The RSV cert will also be used:
"/DC=org/DC=doegrids/OU=Services/CN=rsv/hepcms-0.umd.edu" rsvuser
- If the CMSSW environment is ready and you wish to have Bockjoo perform automatic installs, map his DNs to the cmssoft account:
"/DC=org/DC=doegrids/OU=People/CN=Bockjoo Kim (UFlorida T2 Service) 606361" cmssoft
"/DC=org/DC=doegrids/OU=People/CN=Bockjoo Kim 740786" cmssoft
(these DNs were found by doing a grep on the existing grid-mapfile)
- We map local users with certificates to their own new grid accounts (username_g). Since grid accounts shouldn't be login accounts, it is not advised to map grid jobs from local users to regular accounts. On the HN as root:
useradd -c "Full Name Grid Account" -n username_g -s /bin/true
ssh-agent $SHELL
ssh-add
rocks sync config
rocks sync users
And on the GN as root, add the appropriate lines to /etc/grid-security/grid-mapfile-local (get their DN by calling grep "Some portion of their name" /etc/grid-security/grid-mapfile), e.g.:
"/DC=org/DC=doegrids/OU=People/CN=Local User 0123456789" username_g