Skip to content

Tools to configure support for various VOs

License

Apache-2.0 and 2 other licenses found

Licenses found

Apache-2.0
LICENSE-APACHE2
GPL-3.0
LICENSE-GPL
LGPL-3.0
LICENSE-LGPL
Notifications You must be signed in to change notification settings

NDPF/vo-support

Introduction to the vo-support package

The concept of organising users into Virtual Organisations (VOs) is well-established in the science grid community. VOs form the technical link between researchers across institutes, countries and supporting compute centres, by handing out secure membership tokens that may be used to acquire access to compute resources. This eases the burden on system administrators of establishing trust relationships with individual users for every research project, and helps to properly account resource use to the right project.

The remaining burden for system administrators is to set up several files that detail which VOs are supported, how membership tokens can be obtained and verified, and what user and group accounts should be used locally for users of these VOs.

The vo-support package implements several modules to help automate these tasks. The actual VO-specific data is provided by other packages, which either contain just a single VOs data, or for a whole bunch of VOs together. The vo-support package contains the helper functions for package maintainers to configure VO support in the post-install phase of the package management (for RPM and Debian based packages) and command-line tools to selectively turn on or off support for individual VOs.

Rationale

Configuring a Grid Site is not a trivial task. Not only because grid middleware is fairly complicated and less well known by system admistrators, but also because it has a more indirect idea about what ‘users’ are.

On traditional cluster systems, user accounts are kept either locally (/etc/passwd) or in some networked way extending throughout the organisation (such as Windows domains, LDAP, or NIS). For Grids this no longer works. As research organisations collaborate world-wide, their combined user base becomes too large to be ‘known’ by any individual site. That is why users are authenticated by membership of so-called Virtual Organisations.

The translation from this ‘membership card’ to a locally known entity involves a couple of technicalities and configuration details. The vo-support packages provide the structure to ease the installation and maintenance tasks of supporting VO users on local systems.

This structure is organised as a collection of system packages around a common set of scripts. The main reasons for this approach are:

  • package management is very robust and reliable,
  • it integrates well with typical administrative tasks.

The purpose is to make VO configuration as easy as installing the right packages and tweaking just a couple of configuration files.

Structure of Virtual Organisation support packages

The information per VO is kept in

/usr/share/vo-support/vos/<VO name>/

and the configuration of VOs locally is stored in:

/etc/vo-support/vos/<VO name>.conf

VOs that are configured but disabled have a configuration file that’s been renamed to

/etc/vo-support/vos/<VO name>.conf-disabled

The modules (individual scripts to tune one aspect of VO support) are installed in

/usr/share/vo-support/modules/

VO data files under usr/share/vo-support/vos

The data is stored in one directory per VO, and may have the following files:

AUPacceptable use policy
infogeneral information
{VOMS server hostname}.lscthe LSC file(s) for each VOMS server
{VO}.confexample configuration file
vomses/{VO name}-{VOMS server hostname}.chvomses data (needed to obtain VOMS proxies

The info file contains general information about the VO. There is currently no strict file format, but the vo-support-egi package generates info files from the XML data of the EGI operations portal in a specific format. Here’s the example for the ‘ops’ VO:

Name: ops
Last Change: 2012-12-07T10:27:45+0000
Validation Date: 2011-05-30T10:24:30+0000
Scope: Global
Support Procedure:
Discipline: Infrastructure
Enrollment URL:  https://lcg-voms.cern.ch:8443/vo/ops/vomrs
Homepage URL: https://wiki.egi.eu/wiki/OPS_vo
Description:
The goal of the VO is to facilitate the operations of the LCG/EGEE
Grid infrastructure, which includes running official monitoring, re-
certification and performance evaluation tools. Additionally the VO
will be used for interoperations with other grid infrastructures.

Configuration files

The site-specific details for VO support are expressed in configuration files, one per VO, in /etc/vo-support/vos/. These files are named <vo>.conf and are in INI file format, with sections for each Fully Qualified Domain Names (FQANS) that the VO uses.

The values in these files are used by specific modules (see below). The vo-config program can be used to retrieve configuration data.

Modules

The following modules are common VO-related configuration tasks. Some of them require additional, site-local configuration.

vomsdir

Each supported VO has a directory in /etc/grid-security/vomsdir, which contains the so-called LSC files. Each file contains the X.509 DNs of the host and (chain of) CA(s) of one of the VO’s VOMS servers. This data is required to verify the VOMS attributes which come with a user’s security token (the proof of membership). The LSC files are static, and provided by the individual VO packages. The module will copy these files from usr/share/vo-support/vos.

vomses

The /etc/vomses directory contain VOMS server connection data per VO, as used by the VOMS utilities (such as voms-proxy-init). This data is also static and provided by the individual VO packages. The module will copy these files from usr/share/vo-support/vos.

grid-mapfile

The /etc/grid-security directory contains a couple of files (voms-grid-mapfile and groupmapfile) that establish the mapping between the FQANs as found in user security tokens and the local user, pool account, and local group; these files are used by the LCMAPS and ARGUS frameworks.

The related settings are site-local and found in each individual VO configuration file, per FQAN section.

gridmapdir

Pool accounts are generic user accounts with a common prefix and a numeric suffix (e.g. ops042). Users that are mapped to a pool will be allotted a free account from the pool, and this fact is recorded in the gridmapdir by making a link between files named after the pool account and the user’s DN. These mappings are persistent so the same user will be mapped on the same pool account.

The use of pool accounts is a site-local matter, and relates to the grid-mapfile; the amount of pool accounts to use and the pool prefix is set in the local configuration files.

VO configuration and FQANs

The site-specific details for VO support are expressed in configuration files, one per VO, in /etc/vo-support/vos/. These files are named <vo>.conf and are in INI file format, with sections for each FQAN. Settings that are global to the VO go in the top section called [DEFAULT], but this section header may be omitted. Any settings preceding the first FQAN is considered to be in the [DEFAULT] section.

# example configuration file for pvier
SoftwareDir = /data/esia/pvier
DefaultSE = tbn18.nikhef.nl

:

[/pvier]
poolaccounts = 30
poolprefix = pvier
groupmapping = pvier

:

[/pvier/Role=lcgadmin]
poolprefix = pvsgm
poolaccounts = 10

Utilities

The vo-support package features two utilities, vo-config and vo-support.

vo-config

This utility interacts with the configuration files in /etc/vo-config. There are two functions currently implemented:

  • get-fqans; this function retrieves the fqans for a VO;
  • get-vo-params; this funtion retrieves a configuration value for a given VO and FQAN.

vo-support

This utility implements the following functions:

  • list-vos; lists VOs on the system (from /usr/share/vo-support);
  • list-modules; list the installed modules (from /usr/share/vo-support/modules);
  • run-module; run a module for a given VO;
  • configure-vo and deconfigure-vo; these functions are meant to be used by package maintainer scripts for packages that install VO data
  • add-module and remove-module; these functions are meant to be used by package maintainer scripts for packages that install modules.

Package maintenance scripts

Packages that install new VO data and/or VO support modules will have to deal with configuration on installation and removal of the package.

In short, when a new VO is installed, the currently active modules must be run for this VO. On removal of a VO, the modules must be run before removal.

Likewise, new modules need to be run for every VO on the system on installation and removal.

There are some subtleties, however, when dealing with configuration of VOs. As a rule, the maintainer scripts must not overwrite the manual configuration changes done by the system administrator.

The packager of a new VO should consider whether installing the package should automatically enable the VO, if no configuration for the VO is present. For packages for a single VO, this is probably alright, as that would be the single purpose of the packages. But when packaging bundles of VOs, consider leaving the choice to the administrator.

Helper script

postinst snippet for a VO package

For RPM packaging, the following code snippet can be used as part of the %post section:

if [ $1 -ge 1 ]; then
  if [ -f %{sysconfdir}/vo-support/%{vo}.conf ]; then
    if [ -f /usr/share/vo-support/scriptlets/maintainerscript-helpers.sh ]; then
      . /usr/share/vo-support/scriptlets/maintainerscript-helpers.sh
      configure_vo %{myvo}
    fi
  fi
fi

For Debian packaging, the code is similar.

case "$1" in
    configure)
    if [ -f /etc/vo-support/${vo}.conf ]; then
        if [ -f /usr/lib/vo-support/scriptlets/maintainerscript-helpers.sh ]; then
            . /usr/lib/vo-support/dpkg-maintainer-script-helpers.sh
            configure_vo ${vo}
        fi
    fi
    abort-upgrade|abort-remove|abort-deconfigure)
    ;;
    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

postinst for a vo-support module

A new module should but something like this in the %post scriptlet:

if [ $1 -ge 1 ]; then
   if [ -f /usr/share/vo-support/scriptlets/maintainerscript-helpers.sh ]; then
      . /usr/share/vo-support/scriptlets/maintainerscript-helpers.sh
      add_module %{mymodule}
   fi
fi

For Debian, this is the equivalent:

case "$1" in
    configure)
        if [ -f /usr/share/vo-support/scriptlets/maintainerscript-helpers.sh ]; then
            . /usr/share/vo-support/scriptlets/maintainerscript-helpers.sh
            add_module ${mymodule}
        fi
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
        ;;
    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

For removal, examples can be found in the maintainerscript-helpers.sh file.

Installation

To install the package, simply typing

make install

should suffice.

Dependencies

The vo-config and vo-support scripts are written in Perl, and depend on the perl module Site::Configuration::VO.

Getting the VO ID Card as XML

Downloading the EGI VO info can be done through the portal; visit https://operations-portal.egi.eu/vo/search and click on the action menu button on the right to download the voIDCard (called XML feed). To get all the VO information, use this URL. This is not advertised so it may change or disappear in the future.

Licensing and copyright

This software is Copyright 2012, 2013 De Stichting voor Fundamenteel Onderzoek der Materie (FOM), the Netherlands, and was written by Dennis van Dok <[email protected]> at FOM/Nikhef, with the exception of the shunit2 shell script, which is Copyright 2008 Kate Ward.

This is free software. For the license terms of this software, see the full text of the licence files in this package. All files are licensed under the Apache License, Version 2.0 with the exception of shunit2, which is licensed under the GNU Lesser General Public License.

This README is licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

About

Tools to configure support for various VOs

Resources

License

Apache-2.0 and 2 other licenses found

Licenses found

Apache-2.0
LICENSE-APACHE2
GPL-3.0
LICENSE-GPL
LGPL-3.0
LICENSE-LGPL

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published