Setting up a site 3.2 BDII from scratch
This refers to glite-BDII_site version 3.2.10-1.sl5.
(0) Make sure user and group 'ldap' are defined
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
(1) Get the repositories
cd /etc/yum.repos.d
wget http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-BDII_site.repo
(2) Install the software
yum install glite-BDII_site
(3) Open ports/hosts.allow
2170 is now open by default: -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2170 -j ACCEPT
slapd: ALL needs to be added to /etc/hosts.allow
(4) Configure it using yaim
Link to the siteinfo.def configuration variables.
mkdir /opt/glite/yaim/siteinfo
chmod 600 /opt/glite/yaim/siteinfo
Here is my siteinfo.def (hidden behind a password, but if you ask me nicely I
will give it to you :-).
The default bdii password is hidden in
/opt/glite/yaim/defaults/site-info.pre:BDII_PASSWD="bdiidbpassword"
You might want to override it.
/opt/glite/yaim/bin/yaim -c -s site-info-bdii01.def -n BDII_site
(5) Round Robin Alias
When hiding two BDIIs behind an alias (in our case bdii02.grid and bdii03.grid
are behind bdii.grid.hep.ph.ic.ac.uk), the site bdii host in the siteinfo.def
needs to be set to the alias, not the machine name itself:
SITE_BDII_HOST=bdii.grid.hep.ph.ic.ac.uk
BDII_BDII_URL="ldap://bdii.grid.hep.ph.ic.ac.uk:2170/mds-vo-name=resource,o=grid"
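A check for the two configuration points above (the default BDII_PASSWD and the alias settings), as an added example that is not part of the original notes. The siteinfo.def fragment is constructed, and the function names are hypothetical; it assumes an unset BDII_PASSWD falls back to the default quoted from site-info.pre.

```python
import re
from urllib.parse import urlparse

# Default quoted on the page from /opt/glite/yaim/defaults/site-info.pre
DEFAULT_BDII_PASSWD = "bdiidbpassword"

# Constructed siteinfo.def fragment (not the author's real file): no password
# override, and SITE_BDII_HOST still names one machine instead of the alias.
SAMPLE_SITEINFO = '''\
# constructed example
SITE_BDII_HOST=bdii02.grid.hep.ph.ic.ac.uk
BDII_BDII_URL="ldap://bdii.grid.hep.ph.ic.ac.uk:2170/mds-vo-name=resource,o=grid"
'''

def parse_siteinfo(text):
    """Parse shell-style KEY=value lines; a later assignment wins, as when sourced."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if not m:
            continue  # comments and blank lines
        value = m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop matching surrounding quotes
        values[m.group(1)] = value
    return values

def audit_siteinfo(text, alias):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_siteinfo(text)
    findings = []
    if cfg.get("BDII_PASSWD", DEFAULT_BDII_PASSWD) == DEFAULT_BDII_PASSWD:
        findings.append("BDII_PASSWD is unset or still the shipped default")
    if cfg.get("SITE_BDII_HOST") != alias:
        findings.append("SITE_BDII_HOST is not the alias")
    if urlparse(cfg.get("BDII_BDII_URL", "")).hostname != alias:
        findings.append("BDII_BDII_URL does not point at the alias")
    return findings

if __name__ == "__main__":
    for finding in audit_siteinfo(SAMPLE_SITEINFO, "bdii.grid.hep.ph.ic.ac.uk"):
        print("WARN:", finding)
```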
(6) Is it working ?
ldapsearch -x -H ldap://bdii02.grid.hep.ph.ic.ac.uk:2170 -b mds-vo-name=UKI-LT2-IC-HEP,o=grid
and the alias
ldapsearch -x -H ldap://bdii.grid.hep.ph.ic.ac.uk:2170 -b mds-vo-name=UKI-LT2-IC-HEP,o=grid
(in nicer formatting:
ldapsearch -x -H ldap://bdii.grid.hep.ph.ic.ac.uk:2170 -b mds-vo-name=UKI-LT2-IC-HEP,o=grid | perl -00pe 's/\r*\n //g' )
To check the bdii freshness, I need the 'modifyTimestamp':
/usr/bin/ldapsearch -x -H ldap://bdii03.grid.hep.ph.ic.ac.uk:2170 -b mds-vo-name=UKI-LT2-IC-HEP,o=grid + '*'
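One way to turn the modifyTimestamp output into a freshness check, as an added example that is not part of the original notes. The LDIF sample is constructed, the function names are hypothetical, and the 30-minute threshold is an assumption to adjust per site.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed sample of `ldapsearch ... + '*'` output. The first dn is folded
# the way ldapsearch wraps long lines (continuation starts with one space).
SAMPLE_LDIF = """\
dn: GlueServiceUniqueID=bdii03.grid.hep.ph.ic.ac.uk_bdii_site_1,mds-vo-name=U
 KI-LT2-IC-HEP,o=grid
GlueServiceType: bdii_site
modifyTimestamp: 20100325104600Z

dn: GlueSiteUniqueID=UKI-LT2-IC-HEP,mds-vo-name=UKI-LT2-IC-HEP,o=grid
GlueSiteName: UKI-LT2-IC-HEP
modifyTimestamp: 20100325094000Z
"""

def unfold(ldif):
    # Same job as the page's perl one-liner: remove "newline + space" folds.
    return re.sub(r"\r*\n ", "", ldif)

def entry_timestamps(ldif):
    """Map each entry's dn to its modifyTimestamp as an aware UTC datetime."""
    stamps = {}
    for block in re.split(r"\n\s*\n", unfold(ldif).strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # LDIF comments and anything that is not attr: value
            key, value = line.split(": ", 1)
            attrs.setdefault(key.lower(), value)
        if "dn" in attrs and "modifytimestamp" in attrs:
            ts = datetime.strptime(attrs["modifytimestamp"], "%Y%m%d%H%M%SZ")
            stamps[attrs["dn"]] = ts.replace(tzinfo=timezone.utc)
    return stamps

def stale_entries(ldif, now, max_age=timedelta(minutes=30)):
    """Return {dn: age} for entries older than max_age (threshold is an assumption)."""
    ages = {dn: now - ts for dn, ts in entry_timestamps(ldif).items()}
    return {dn: age for dn, age in ages.items() if age > max_age}

if __name__ == "__main__":
    # Constructed "now" matching the sample; use datetime.now(timezone.utc) live.
    now = datetime(2010, 3, 25, 10, 50, tzinfo=timezone.utc)
    for dn, age in stale_entries(SAMPLE_LDIF, now).items():
        print("STALE", age, dn)
```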
(7) su vs sudo
Like a lot of people who spend too much time around grid software, I like to run
cron jobs that restart it occasionally (especially Saturday night when the site
tends to run unwatched for a bit). Now in this version all the 'su' in the bdii
start up scripts have been replaced by 'sudo'. So far so good, but of course
now if you want to run it as a cron job you either have to comment out
"Defaults requiretty" in /etc/sudoers or put the 'su' back in. Sigh. I am sure
it's all well meant.
(8) Hacking by hand
/etc/glite-info-static/site/site.cfg
These instructions refer to the 'old' node type, where top and site bdii are
contained in the same repository.
Link to the bdii glite release.
The current version is 3.2.6-0.
(1) Get the repositories
cd /etc/yum.repos.d
wget http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-BDII.repo
wget http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/lcg-CA.repo
(2) Install the software
yum install lcg-CA
yum install glite-BDII
(3) Open ports
Add
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2170 -j ACCEPT
to /etc/sysconfig/iptables.
(4) Configure it using yaim
Link to the siteinfo.def configuration variables.
mkdir /opt/glite/yaim/siteinfo
chmod 600 /opt/glite/yaim/siteinfo
The siteinfo.def.
Finding the node type is always a pleasure:
Try here.
/opt/glite/yaim/bin/yaim -c -s site-info-bdii01.def -n BDII_site
Note: There is now also a node type called glite-BDII_site - this is something
different !!
(5) Problems
(a) The SELinux permission problem is still not fixed in the bdii code.
Symptom:
Starting SLAPD: SLAPD failed to start [FAILED]
Fix:
semanage fcontext -a -t slapd_db_t "/var/bdii(/.*)?"; restorecon -vR /var/bdii/
rerun yaim
(I recently saw the same error after a power cut, closer inspection (the error
in the audit log read: [...] avc: denied { name_bind } [...]) revealed
that ypbind was stopped:
[root@topbdii00 ~]# /etc/rc.d/init.d/ypbind start
Turning on allow_ypbind SELinux boolean
[snip]
fixed the problem.)
(b) Despite port 2170 open, bdii is only visible internally.
Symptom:
[linappserv1]%~> ldapsearch -x -H ldap://bdii01.hep.ph.ic.ac.uk:2170 -b mds-vo-name=UKI-LT2-IC-HEP,o=grid
ldap_bind: Can't contact LDAP server
Fix:
slapd: ALL needs to be added to /etc/hosts.allow
This has changed wrt 3.1:
3.1
[root@bdii00 ~]# ps -ef | grep slap
edguser 22859 1 0 10:45 ? 00:00:00 /usr/sbin/slapd -f /opt/bdii/var/2171/bdii-slapd.conf -h ldap://localhost:2171 -u edguser
edguser 22993 1 0 10:46 ? 00:00:00 /usr/sbin/slapd -f /opt/bdii/var/2172/bdii-slapd.conf -h ldap://localhost:2172 -u edguser
3.2
[root@bdii01 ~]# ps -ef | grep slap
edguser 18798 1 0 Mar25 ? 00:01:39 /usr/sbin/slapd -f /opt/bdii/etc/bdii-slapd.conf -h ldap://bdii01.hep.ph.ic.ac.uk:2170 -u edguser
(6) Round Robin Alias
When hiding two BDIIs behind an alias (in our case bdii02.grid and bdii03.grid
are behind bdii.grid.hep.ph.ic.ac.uk), the site bdii host in the siteinfo.def
needs to be set to the alias, not the machine name itself:
SITE_BDII_HOST=bdii.grid.hep.ph.ic.ac.uk
BDII_BDII_URL="ldap://bdii.grid.hep.ph.ic.ac.uk:2170/mds-vo-name=resource,o=grid"
3.1 BDII
Setting up a site BDII from scratch
To check up on the current state of the BDII in SAM click here.
If the machine dies, go to the GOCDB, click on "View home site info" (at least
if you are me ;-) and change the GIIS URL to our other bdii.
For completeness here are the official instructions, and bits of the yaim guide
and the yaim configuration variables are also relevant.
Unfortunately I managed to delete my logfile part way through, so bits of this
are written from memory.
[root@bdii01 ~]# uname -a
Linux bdii01.hep.ph.ic.ac.uk 2.6.18-92.1.22.el5xen #1 SMP Tue Dec 16 12:26:32 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
There is no 64 bit version of this software yet, so I am going to use the 32 bit
version.