Setting up a 3.2 top level BDII from scratch

Link to the bdii glite release.
This description refers to 3.2.9-1.sl5.

(0) System requirements
The machine needs at least 2GB of memory. Otherwise it might work, but is very slow (i.e. several minutes response time).

(1) Get the repository
cd /etc/yum.repos.d
wget http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-BDII_top.repo

(2) Install the software
yum install glite-BDII_top

(3) Open ports
Check if port 2170 is open. If not, add
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2170 -j ACCEPT
to /etc/sysconfig/iptables.

(4) Configure it using yaim
mkdir /opt/glite/yaim/siteinfo
chmod 600 /opt/glite/yaim/siteinfo
Here is a link to the siteinfo.def.
It makes life easier to fix the problem mentioned in (5) before running yaim.
/opt/glite/yaim/bin/yaim -c -s /opt/glite/yaim/siteinfo/site-info-bdii01.def -n BDII_top

(5) Problems
(a) Hidden in /opt/glite/yaim/defaults/site-info.pre is
BDII_PASSWD="bdiidbpassword"
This gets no mention in the documentation, but if you don't override it, basically anybody can e.g. run an ldapdelete against your bdii.
(b) Despite port 2170 open, bdii is only visible internally.
Symptom:
[linappserv1]%~> time ldapsearch -LLL -x -h topbdii01.grid.hep.ph.ic.ac.uk -p 2170 -b mds-vo-name=local,o=grid dn | wc -l
ldap_bind: Can't contact LDAP server
Fix:
slapd: ALL needs to be added to /etc/hosts.allow
(c) in /var/log/bdii/bdii-update.log
mkdir /opt/glite/var/cache/gip/top-urls.conf: Permission denied at /opt/glite/libexec/glite-info-provider-ldap line 191
Fix:
chown ldap:ldap /opt/glite/var/cache/gip
(d) Make a cron job that checks every 20 minutes whether the bdii is still up:
[root@topbdii01 cron.d]# cat checkbdii
09,29,49 * * * * root /opt/glite/libexec/check_bdii.sh >> /var/log/check_bdii.log 2>&1
[root@topbdii01 cron.d]# cat /opt/glite/libexec/check_bdii.sh

#!/bin/sh
# Log a timestamp, then restart bdii if its init script reports it as down.
date
/etc/init.d/bdii status > /dev/null

if [ $? -ne 0 ]; then
    echo "bdii dead"
    /etc/init.d/bdii restart
else
    echo "bdii good"
fi

(e) in /etc/init.d/bdii replace
COMMAND="${SLAPD} -f ${SLAPD_CONF} -h ldap://$(hostname -f):${SLAPD_PORT} -u ${BDII_USER}"
with
COMMAND="${SLAPD} -f ${SLAPD_CONF} -h ldap://:${SLAPD_PORT} -u ${BDII_USER}"
otherwise it will only accept requests on the host's primary address, which doesn't work in our setup.

(6) From the unintended side effects department
After the install the machine was very slow to respond to ldap queries (30 s vs 10 s previously). This was caused by a configuration change labelled "Relay DB to address performance issues" in bdii-top-slapd.conf. Simon has hacked it back into shape: before, after (all passwords are fake).


Link to the bdii glite release. The bdii was originally set up with 3.2.6-0, and is currently running 3.2.8-0.sl5.

(0) System requirements
The machine needs at least 2GB of memory. Otherwise it might work, but is very slow (i.e. several minutes response time).

(1) Get the repositories
cd /etc/yum.repos.d
wget http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-BDII.repo
wget http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/lcg-CA.repo

(2) Install the software
yum install lcg-CA
yum install glite-BDII

(3) Open ports
Add
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2170 -j ACCEPT
to /etc/sysconfig/iptables.

(4) Configure it using yaim
Link to the siteinfo.def configuration variables.
Note the comment about "BDII_PASSWD" in the "Problems" section.
mkdir /opt/glite/yaim/siteinfo
The siteinfo.def.
Note: Finding the node type is always a pleasure: Try here.
/opt/glite/yaim/bin/yaim -c -s site-info-bdii01.def -n BDII_top

(5) Problems
(a) The SELinux permission problem is still not fixed in the bdii code. Symptom:
Starting SLAPD: SLAPD failed to start [FAILED]
Fix:
semanage fcontext -a -t slapd_db_t "/var/bdii(/.*)?"; restorecon -vR /var/bdii/
rerun yaim
(b) Hidden in /opt/glite/yaim/defaults/site-info.pre is
BDII_PASSWD="bdiidbpassword"
This gets no mention in the documentation, but if you don't override it, basically anybody can e.g. run an ldapdelete against your bdii.
(c) Despite port 2170 open, bdii is only visible internally.
Symptom:
[linappserv1]%~> time ldapsearch -LLL -x -h topbdii00.hep.ph.ic.ac.uk -p 2170 -b mds-vo-name=local,o=grid dn | wc -l
ldap_bind: Can't contact LDAP server
Fix:
slapd: ALL needs to be added to /etc/hosts.allow
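The points from the Problems sections of both sets of notes above (the shipped BDII_PASSWD default, the slapd entry in /etc/hosts.allow, the iptables rule for port 2170 from step (3) and the init-script bind address from (5)(e) of the first set) collected into one post-install sanity script. This is an added example, not part of the original notes or of gLite/yaim: the function names, the sample files it constructs and the paths it falls back to for the live check (/etc/hosts.allow, /etc/sysconfig/iptables, /etc/init.d/bdii) are taken from the notes or are assumptions. Run it as sh bdii_sanity.sh --live /opt/glite/yaim/siteinfo/site-info-bdii01.def on the box, or with --demo to see it against constructed unfixed and fixed sample files.

```shell
#!/bin/sh
# Post-install sanity check for a gLite top-level BDII. Added example for
# these notes; not part of gLite or yaim. Re-checks the items the notes
# call out: the default BDII_PASSWD from site-info.pre, the slapd entry in
# /etc/hosts.allow, the iptables rule for port 2170 and the slapd bind
# address in /etc/init.d/bdii. Each check takes the file to inspect as an
# argument and returns 0 (ok) or 1 (problem), so it can be pointed at the
# live files or at copies.

DEFAULT_BDII_PASSWD="bdiidbpassword"   # value shipped in site-info.pre

# Last BDII_PASSWD assignment in the file, quotes and trailing comment
# stripped; prints nothing if the variable is not set there.
bdii_passwd_in() {
    grep '^[[:space:]]*BDII_PASSWD=' "$1" | tail -n 1 | cut -d= -f2- \
        | sed 's/[[:space:]]*#.*$//' | tr -d '"'
}

# ok only if BDII_PASSWD is set and is not the shipped default
check_bdii_passwd() {
    p=$(bdii_passwd_in "$1")
    [ -n "$p" ] && [ "$p" != "$DEFAULT_BDII_PASSWD" ]
}

# ok if hosts.allow has a "slapd:" line (e.g. "slapd: ALL"); without it a
# remote ldapsearch fails with "Can't contact LDAP server"
check_hosts_allow() {
    grep -q '^[[:space:]]*slapd[[:space:]]*:' "$1"
}

# ok if the iptables rules file has an ACCEPT rule for TCP port 2170
check_iptables() {
    grep -- '--dport 2170' "$1" | grep -q -- '-j ACCEPT'
}

# ok if the init script binds slapd to all addresses (ldap://:PORT) rather
# than only to the host's primary address via $(hostname -f)
check_init_bind() {
    grep -q -F 'ldap://:${SLAPD_PORT}' "$1"
}

# Print one line per check; return 1 on failure so the caller can count.
run_check() {
    if "$1" "$2"; then
        echo "OK   $1 ($2)"
    else
        echo "FAIL $1 ($2)"
        return 1
    fi
}

# Run all four checks against the given files (siteinfo, hosts.allow,
# iptables, init script); returns the number of failed checks.
bdii_sanity() {
    failed=0
    run_check check_bdii_passwd "$1" || failed=$((failed + 1))
    run_check check_hosts_allow "$2" || failed=$((failed + 1))
    run_check check_iptables    "$3" || failed=$((failed + 1))
    run_check check_init_bind   "$4" || failed=$((failed + 1))
    return $failed
}

# Write constructed sample files (not real site configuration) into $1.
# With $2 = fixed they carry the fixes from the notes; otherwise they
# reflect the fresh-install state, where every check fails.
write_samples() {
    d=$1
    if [ "$2" = fixed ]; then
        printf 'BDII_PASSWD="example-not-the-real-password"\n' > "$d/site-info.def"
        printf 'slapd: ALL\n' > "$d/hosts.allow"
        printf -- '-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2170 -j ACCEPT\n' > "$d/iptables"
        printf 'COMMAND="${SLAPD} -f ${SLAPD_CONF} -h ldap://:${SLAPD_PORT} -u ${BDII_USER}"\n' > "$d/bdii"
    else
        printf 'BDII_PASSWD="bdiidbpassword"\n' > "$d/site-info.def"
        : > "$d/hosts.allow"
        printf -- '-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT\n' > "$d/iptables"
        printf 'COMMAND="${SLAPD} -f ${SLAPD_CONF} -h ldap://$(hostname -f):${SLAPD_PORT} -u ${BDII_USER}"\n' > "$d/bdii"
    fi
}

# Run the checks against a constructed sample set ($1 = fixed or unfixed);
# returns the number of failed checks: 4 for unfixed, 0 for fixed.
demo() {
    d=$(mktemp -d)
    write_samples "$d" "$1"
    rc=0
    bdii_sanity "$d/site-info.def" "$d/hosts.allow" "$d/iptables" "$d/bdii" || rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    --live) bdii_sanity "${2:?path to your site-info.def}" /etc/hosts.allow \
                        /etc/sysconfig/iptables /etc/init.d/bdii ;;
    --demo) demo unfixed; echo "---"; demo fixed ;;
esac
```

The exit status of bdii_sanity is the number of failed checks, so it drops straight into the check_bdii.sh cron job style above if you want it run periodically rather than once after yaim.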