Globus Toolkit 4 (GT4) Complete Installation Guide

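This article is for reference only. Please send all comments, error reports, other information and criticism to Jeffery.Lee AT gmail.com, or visit my personal blog to get in touch ( http://ibuddie.spaces.live.com/ ). This document is released under the terms of the GNU Free Documentation License. Reposting is welcome; if you modify or redistribute it, please credit the original source.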


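Globus Toolkit 4 (GT4) Installation Guide

Version 0.1

Jeffery Lee@SEU

Last updated: 2007-01-22

Preface

This guide is based mainly on the "quick start" document shipped in the Globus Toolkit (hereafter GT) installation package, and walks through an installation of GT 4.0.3 on Debian 3.1r4 (Sarge) on x86. The article is for reference only. Please send all comments, error reports, other information and criticism to Jeffery.Lee AT gmail.com, or visit my personal homepage to get in touch ( http://jeffery.lee.googlepages.com/ ). This document is released under the terms of the GNU Free Documentation License. Reposting is welcome; if you modify or redistribute it, please credit the original source.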

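Installing and configuring the first machine

Prerequisites

1. Install Debian 3.1 (Sarge)

Installing Debian is outside the scope of this article; you can get everything related to Debian from http://debian.cn99.com/. At the time of writing the latest release was Debian 3.1r4, and I recommend downloading the binary-1 image and installing from a burned disc. The installation itself is skipped here; the following documents have more information:

Debian manuals
Debian Sarge installation manual (Chinese)
Official Debian installation manual
"Getting Started with Debian Painlessly" (Debian无痛起步法), v2
"Getting Started with Debian Painlessly" (Debian无痛起步法), v1
The Debian GNU/Linux FAQ
Securing Debian Manual
Debian Reference (latest online version)
Debian New Maintainers' Guide
dselect Documentation for Beginners
APT HOWTO

2. Setting up the build environment

The official Globus website provides GT4 installation packages for many platforms, and picking the one that matches your system is undoubtedly more convenient and faster. Here, however, I intend to install Globus by compiling the GT 4.0.3 source, so the first step is to check carefully that the current system's build environment meets the build requirements. The software requirements are: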

· Globus Toolkit installer, from Globus Toolkit 4.0 download page

· J2SE 1.4.2+ SDK from Sun, IBM, HP, or BEA (do not use GCJ).

· Ant 1.6+ (1.6.1+ if using Java 1.5). If you are using the ant shipped with Fedora Core or RedHat, please see the “Fedora Core”

· The above two requirements suffice for the Core-only download. However, the rest of this guide does not apply to that download. Please see the Java WS Core Admin Guide if you are using a core-only source/binary download.

· C compiler. If gcc, avoid version 3.2. 3.2.1 and 2.95.x are okay. gcc 4.1 has a bug that will trigger during the build of WS C (bug 4315). You can recompile the globus_js package from the advisories page, then run make again.

· C++ compiler. Use the version corresponding to your C compiler from the previous bullet.

· GNU tar

· GNU sed

· zlib 1.1.4+

· GNU Make

· Perl 5.005 or newer

· sudo

· JDBC compliant database. For instance, PostgreSQL 7.1+

· gpt-3.2autotools2004 (shipped with the installers, but required if building standalone GPT bundles/packages)

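First, I check whether the zlib development library, which GSI-OpenSSH needs, is installed:

jeffery% dpkg --list | grep zlib
ii zlib-bin 1.2.2-4.sarge. compression library - sample programs
ii zlib1g 1.2.2-4.sarge. compression library - runtime
ii zlib1g-dev 1.2.2-4.sarge. compression library - development

zlib is already installed by default here, so GSI-OpenSSH can be built. If your system does not have it, install it through APT, for example: apt-get install zlib1g-dev

Note

Debian package names may differ from those on other systems; for example, the corresponding RPM package is named zlib-devel.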

Next, we install Java, that is, the J2SE SDK:

root@jeffery:/usr/java# ./j2sdk-1_4_2_12-linux-i586.bin
Sun Microsystems, Inc.
 Binary Code License Agreement
 for the
JAVA(TM) 2 SOFTWARE DEVELOPMENT KIT (J2SDK), STANDARD EDITION,
...
Creating j2sdk1.4.2_12/jre/lib/plugin.jar
Creating j2sdk1.4.2_12/jre/javaws/javaws.jar
Done.

Next we install ant ( http://apache.justdn.org/ant/binaries/apache-ant-1.6.5-bin.tar.gz ):

root@jeffery:/usr/local# tar xzf apache-ant-1.6.5-bin.tar.gz
root@jeffery:/usr/local# ls apache-ant-1.6.5
bin INSTALL LICENSE LICENSE.xerces TODO
docs KEYS LICENSE.dom NOTICE welcome.html
etc lib LICENSE.sax README WHATSNEW

Note

The steps above ran without problems on my Debian system, because ant had not been installed before. Most RedHat and Fedora Core systems, however, already include ant, configured to work with gcj, and we do not want to use gcj! In that case, check whether there is an /etc/ant.conf file; if there is, rename it to /etc/ant.conf.orig and see whether that solves the problem.

My system already has C/C++ compilers:

jeffery % gcc --version
gcc (GCC) 3.3.5 (Debian 1:3.3.5-13)
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

jeffery % g++ --version
g++ (GCC) 3.3.5 (Debian 1:3.3.5-13)
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

tar, make and sed are the GNU versions:

jeffery % tar --version
tar (GNU tar) 1.14
Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with NO WARRANTY, to the extent permitted by law.
You may redistribute it under the terms of the GNU General Public License;
see the file named COPYING for details.
Written by John Gilmore and Jay Fenlason.

jeffery % sed --version
GNU sed version 4.1.2
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE,
to the extent permitted by law.

jeffery % make --version
GNU Make 3.80
Copyright (C) 2002 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

jeffery % perl --version
This is perl, v5.8.4 built for i386-linux-thread-multi

Copyright 1987-2004, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'. If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.

Make sure sudo is available:

jeffery % sudo -V
Sudo version 1.6.8p7

(If it is not, run apt-get install sudo to install it.)

Check whether postgres is installed:

jeffery % dpkg --list | grep postgres
ii postgresql-cli 7.4.7-6sarge1 front-end programs for Postgresql
jeffery % dpkg --list | grep psql
jeffery %

postgresql-cli contains only the front-end programs, not the postgresql server. On Debian the server is easy to install:

root@jeffery:/usr/local# apt-get install postgresql
Reading Package Lists... Done
Building Dependency Tree... Done
Suggested packages:
 libpg-perl libpgjava libpgtcl postgresql-doc postgresql-dev
 postgresql-contrib pidentd ident-server pgdocs pgaccess
The following NEW packages will be installed:
 postgresql
...

After a successful installation the database server should start automatically. If it does not, you can start it as follows:

 /etc/init.d/postgresql start

Later, when we get to RFT, we will set up the corresponding database configuration files; for now a successful installation is enough.

For completeness, I will also install IODBC, an optional prerequisite for RLS.

root@jeffery:/root# apt-get install libiodbc2 libiodbc2-dev
 libiodbc2 libiodbc2-dev
Setting up libiodbc2 (3.52.2-3) ...
Setting up libiodbc2-dev (3.52.2-3) ...
root@jeffery:/root#

Building Globus Toolkit

With the preparation done, we can finally download and build the source package. For the most detailed explanation of this part, see the Installing Admin Guide.

root@cognito:~# adduser globus
Adding user `globus'...
Adding new group `globus' (1023).
Adding new user `globus' (1023) with group `globus'.
Creating home directory `/home/globus'.
Copying files from `/etc/skel'
Enter new UNIX password: ********
Retype new UNIX password: ********
passwd: password updated successfully
Changing the user information for globus
Enter the new value, or press ENTER for the default
Full Name []: Globus
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [y/N] y
root@jeffery:/etc/init.d# mkdir /usr/local/globus-4.0.3/
root@jeffery:/etc/init.d# chown globus:globus /usr/local/globus-4.0.3/

Good, we have successfully created a globus user.

globus@database-group:~$ tar xzf gt4.0.3-all-source-installer.tar.gz
globus@database-group:~$ cd gt4.0.3-all-source-installer
globus@database-group:~/gt4.0.3-all-source-installer$ ./configure --prefix=/usr/local/globus-4.0.3/ \
    --with-iodbc=/usr/lib
checking build system type... i686-pc-linux-gnu
checking for javac... no
configure: WARNING: A Java compiler is needed for some parts of the toolkit
configure: WARNING: This message can be ignored if you are only building the C parts of the toolkit
checking for ant... no
configure: WARNING: ant is needed for some parts of the toolkit
configure: WARNING: If you know you will not need one
configure: creating ./config.status
config.status: creating Makefile

Oops, I forgot to set two important environment variables, JAVA_HOME and ANT_HOME; no wonder it could not build. I set up the Java environment again as follows:

globus@jeffery:~/gt4.0.3-all-source-installer$ export ANT_HOME=/usr/local/apache-ant-1.6.5
globus@jeffery:~/gt4.0.3-all-source-installer$ export JAVA_HOME=/usr/java/j2sdk1.4.2_12/
globus@jeffery:~/gt4.0.3-all-source-installer$ export PATH=$ANT_HOME/bin:$JAVA_HOME/bin:$PATH
globus@jeffery:~/gt4.0.3-all-source-installer$ ./configure --prefix=/usr/local/globus-4.0.3/ \
    --with-iodbc=/usr/lib
checking for javac... /usr/java/j2sdk1.4.2_12//bin/javac
checking for ant... /usr/local/apache-ant-1.6.5/bin/ant
config.status: creating Makefile

Problem solved.

At last, the exciting moment of building GT4 has arrived:

globus@jeffery:~/gt4.0.3-all-source-installer$ make | tee installer.log
cd gpt-3.2autotools2004 && OBJECT_MODE=32 ./build_gpt
build_gpt ====> installing GPT into /usr/local/globus-4.0.3/
...

Now you can go out for a meal or a ball game, because the build takes quite a while; exactly how long depends on your machine.

...

Wait until "Your build completed successfully. Please run make install" appears. Congratulations, GT4 has built successfully and can now be installed.

globus@jeffery:~/gt4.0.3-all-source-installer$ make install
/usr/local/globus-4.0.3//sbin/gpt-postinstall
...
..Done

globus@jeffery:~/gt4.0.3-all-source-installer$

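Security configuration on the first machine

With GT4 installed, the machine still needs its security credentials set up. The machine needs host certificates (hostcerts) and each user needs a user certificate (usercert). We can use the SimpleCA distributed with the toolkit to do this. The process of setting up the certificates follows (see the SimpleCA Admin documentation).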

globus@database-group:~$ export GLOBUS_LOCATION=/usr/local/globus-4.0.3
globus@database-group:~$ source $GLOBUS_LOCATION/etc/globus-user-env.sh
globus@database-group:~$ $GLOBUS_LOCATION/setup/globus/setup-simple-ca
WARNING: GPT_LOCATION not set, assuming:
 GPT_LOCATION=/usr/local/globus-4.0.3

 C e r t i f i c a t e A u t h o r i t y S e t u p
This script will setup a Certificate Authority for signing Globus
users certificates. It will also generate a simple CA package
that can be distributed to the users of the CA.
The CA information about the certificates it distributes will
be kept in:
/home/globus/.globus/simpleCA/
The unique subject name for this CA is:
cn=Globus Simple CA,ou=simpleCA-database-group.seu.edu.cn,ou=GlobusTest,o=Grid
Do you want to keep this as the CA subject (y/n) [y]: y
Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA): Jeffery.Lee@gmail.com
The CA certificate has an expiration date. Keep in mind that
once the CA certificate has expired, all the certificates
signed by that CA become invalid. A CA should regenerate
the CA certificate and start re-issuing ca-setup packages
before the actual CA certificate expires. This can be done
by re-running this setup script. Enter the number of DAYS
the CA certificate should last before it expires.
[default: 5 years (1825 days)]: RETURN
Enter PEM pass phrase: ******
Verifying - Enter PEM pass phrase: ******
creating CA config package...
A self-signed certificate has been generated
for the Certificate Authority with the subject:
/O=Grid/OU=GlobusTest/OU= simpleCA-database-group.seu.edu.cn/CN=Globus Simple CA
If this is invalid, rerun this script
/usr/local/globus-4.0.3/setup/globus/setup-simple-ca
and enter the appropriate fields.
-------------------------------------------------------------------
The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem
The distribution package built for this CA is stored in
/home/globus/.globus/simpleCA//globus_simple_ca_615e4021_setup-0.18.tar.gz
This file must be distributed to any host wishing to request
certificates from this CA.
CA setup complete.
The following commands will now be run to setup the security
configuration files for this CA:
$GLOBUS_LOCATION/sbin/gpt-build \
 /home/globus/.globus/simpleCA//globus_simple_ca_615e4021_setup-0.18.tar.gz
$GLOBUS_LOCATION/sbin/gpt-postinstall
setup-ssl-utils: Configuring ssl-utils package
Running setup-ssl-utils-sh-scripts...
***************************************************************************
Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:
/usr/local/globus-4.0.3/setup/globus_simple_ca_615e4021_setup/setup-gsi
For further information on using the setup-gsi script, use the -help
option. The -default option sets this security configuration to be
the default, and -nonroot can be used on systems where root access is
not available.
setup-ssl-utils: Complete

globus@database-group:~$

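A lot of information is printed to the screen, so what actually happened? Let's take a look:

globus@database-group:~$ ls ~/.globus/
simpleCA
globus@database-group:~$ ls ~/.globus/simpleCA/
cacert.pem globus_simple_ca_615e4021_setup-0.18.tar.gz newcerts
certs grid-ca-ssl.conf private
crl index.txt serial

As you can see, the .globus directory holds the newly created simpleCA. Now I need to make my machine trust the new CA. The following steps are performed as root: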

root@database-group:~# export GLOBUS_LOCATION=/usr/local/globus-4.0.3
root@database-group:~# $GLOBUS_LOCATION/setup/globus_simple_ca_615e4021_setup/setup-gsi -default
setup-gsi: Configuring GSI security
Making /etc/grid-security...
mkdir /etc/grid-security
Making trusted certs directory: /etc/grid-security/certificates/
mkdir /etc/grid-security/certificates/
Installing /etc/grid-security/certificates//grid-security.conf.615e4021...
Running grid-security-config...
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete
root@database-group:~# ls /etc/grid-security/
certificates globus-host-ssl.conf globus-user-ssl.conf grid-security.conf
root@database-group:~# ls /etc/grid-security/certificates/
615e4021.0 globus-user-ssl.conf.615e4021
615e4021.signing_policy grid-security.conf.615e4021
globus-host-ssl.conf.615e4021

These are the configuration files through which the Globus Toolkit establishes trust in the simpleCA. Note that the hash value 615e4021 matches the hash of my SimpleCA. See the Security Admin documentation for a detailed description of these files.

Now that we have created a CA and set up trust in it, we next obtain a hostcert for this machine:

root@database-group:~# source $GLOBUS_LOCATION/etc/globus-user-env.sh
root@database-group:~# grid-cert-request -host `hostname`
Generating a 1024 bit RSA private key
..++++++
...................................................++++++
writing new private key to '/etc/grid-security/hostkey.pem'
..ho.
Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at Jeffery.Lee@gmail.com

We sign the request as the globus user, with its own simpleCA:

globus@database-group:~$ grid-ca-sign -in /etc/grid-security/hostcert_request.pem -out hostsigned.pem
To sign the request
please enter the password for the CA key: ******
The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem

The last step is to copy the signed certificate into place under /etc:

root@database-group:~# cp ~globus/hostsigned.pem /etc/grid-security/hostcert.pem

hostcert and hostkey are owned by root and will be used by the GridFTP server. Because the web services container runs as a non-root user, we also need a certificate owned by the globus user. In short, we need one host certificate/key pair owned by root and one owned by globus. A simple file copy achieves this:

root@database-group:/etc/grid-security# cp hostcert.pem containercert.pem
root@database-group:/etc/grid-security# cp hostkey.pem containerkey.pem
root@database-group:/etc/grid-security# chown globus:globus container*.pem
root@database-group:/etc/grid-security# ls -l *.pem
-r-------- 1 globus globus 887 2007-01-21 07:48 containerkey.pem
-rw-r--r-- 1 globus globus 2710 2007-01-21 07:48 containercert.pem
-rw-r--r-- 1 root root 2710 2007-01-21 07:47 hostcert.pem
-rw-r--r-- 1 root root 1404 2007-01-21 07:40 hostcert_request.pem
-r-------- 1 root root 887 2007-01-21 07:40 hostkey.pem
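
An audit of the permissions shown in the listing above, added here as an example and not part of the original guide or of Globus. It assumes the *key.pem / *cert.pem naming used on this page; the function names are this example's own, and the directory to check is passed as the argument.

```shell
#!/bin/sh
# Added example: audit the PEM files in a grid-security style directory.
# Expectations are read off the `ls -l` listing above: a *key.pem file is
# readable by its owner only (-r--------) and sits next to a *cert.pem
# that has the same owner. Certificates may be world-readable.

# Succeeds if FILE grants any of the permission bits given as further
# arguments (each one a mode that `find -perm -MODE` understands).
has_any_perm() {
    target=$1; shift
    for mode in "$@"; do
        [ -z "$(find "$target" -perm "-$mode" -print)" ] || return 0
    done
    return 1
}

# Numeric owner of FILE, taken from the third column of `ls -ln`.
owner_uid() { ls -ln "$1" | awk '{ print $3 }'; }

# Print one finding per problem; return 1 if anything was reported.
audit_grid_security() {
    dir=$1 bad=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        case $pem in
        *key.pem)
            # Any group/other bit on a private key exposes it.
            if has_any_perm "$pem" 040 020 010 004 002 001; then
                echo "$pem: private key is accessible to group or others"; bad=1
            fi
            cert=${pem%key.pem}cert.pem
            if [ ! -f "$cert" ]; then
                echo "$pem: no matching ${cert##*/}"; bad=1
            elif [ "$(owner_uid "$pem")" != "$(owner_uid "$cert")" ]; then
                echo "$pem: owner differs from ${cert##*/}"; bad=1
            fi ;;
        *)
            # Certificates and requests are public but must not be editable.
            if has_any_perm "$pem" 020 002; then
                echo "$pem: writable by group or others"; bad=1
            fi ;;
        esac
    done
    return "$bad"
}

# Stand-alone use: sh audit.sh /etc/grid-security
[ "$#" -eq 0 ] || audit_grid_security "$1"
```

Run it once against /etc/grid-security and once against each user's ~/.globus directory, since the user key shown later on this page follows the same naming.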
  
  

Next we obtain a usercert for the user jeffery. I run this example in tcsh, to show that the version of globus-user-env to use depends on the current shell:

jeffery% setenv GLOBUS_LOCATION /usr/local/globus-4.0.3/
jeffery% source $GLOBUS_LOCATION/etc/globus-user-env.csh
jeffery% grid-cert-request
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.
.........................................................++++++
.........................++++++
unable to write 'random state'
writing new private key to '/home/bacon/.globus/userkey.pem'
Enter PEM pass phrase: ****
Verifying - Enter PEM pass phrase: ****
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
Level 0 Organization [Grid]:
Level 0 Organizational Unit [GlobusTest]:
Level 1 Organizational Unit [simpleCA-jeffery.mcs.anl.gov]:
Level 2 Organizational Unit [mcs.anl.gov]:
Name (e.g., John M. Smith) []:
A private key and a certificate request has been generated with the subject:
/O=Grid/OU=GlobusTest/OU=simpleCA-database-group.seu.edu.cn /OU=seu.edu.cn /CN= Jeffery Lee
If the CN=Jeffery Lee is not appropriate, rerun this
script with the -force -cn "Common Name" options.
Your private key is stored in /home/Jeffery/.globus/userkey.pem
Your request is stored in /home/jeffery/.globus/usercert_request.pem
Please e-mail the request to the Globus Simple CA Jeffery.Lee@gmail.com
You may use a command similar to the following:
 cat /home/bacon/.globus/usercert_request.pem | mail Jeffery.Lee@gmail.com
Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.

Now I need to send the certificate request to the globus user so that it can be signed, and the signed certificate then has to be sent back to jeffery:

jeffery % cat /home/jeffery/.globus/usercert_request.pem | mail globus

Because the signing here happens on a single machine, I use the Exim mail server that comes with Debian to pass the request between users. The globus user can read the certificate request sent by jeffery with the mail command, save it as request.pem, and then sign it:

globus@database-group:~$ grid-ca-sign -in request.pem -out signed.pem

please enter the password for the CA key: ******
The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/02.pem
globus@database-group:~$ cat signed.pem | mail jeffery

Now the jeffery user can check his mail and copy the certificate to its proper location:

If the mail cannot be saved correctly, a more convenient approach is to have root chown the signed.pem file generated by globus and copy it straight into the corresponding directory of jeffery.

jeffery % cp signed.pem ~/.globus/usercert.pem
jeffery % ls -l ~/.globus/
total 12
-rw-r--r-- 1 jeffery jeffery 895 2007-01-21 07:57 usercert.pem
-rw-r--r-- 1 jeffery jeffery 1426 2007-01-21 07:51 usercert_request.pem
-r-------- 1 jeffery jeffery 963 2007-01-21 07:51 userkey.pem

Finally, as root, we create a grid-mapfile, which the services will use for authorization later:

root@database-group:/etc/grid-security# vim /etc/grid-security/grid-mapfile
root@database-group:/etc/grid-security# cat /etc/grid-security/grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-database-group.seu.edu.cn/OU=seu.edu.cn/CN=Jeffery Lee" jeffery

Note

The globus user does not need a user certificate! It is only a dummy user that we use to own GLOBUS_LOCATION. When we start the container, it will use the containercert. Only real users need user certs.
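
A lint for the grid-mapfile line format created above, added here as an example; it is not part of the original guide and is not Globus's own parser. It reports typographic quotes, a missing separator between DN and account, and padding inside the DN (which appears in the grid-cert-request output on this page). The rule that rejects a mapping to root is this example's own policy assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: lint a grid-mapfile whose lines look like
#   "<certificate subject DN>" <local account>[,<local account>...]

# Print a finding for one line; print nothing if the line looks sound.
check_gridmap_line() {
    entry=$1
    tab=$(printf '\t')
    case $entry in
        *“*|*”*) echo 'typographic quotes around DN; use ASCII "'; return ;;
    esac
    case $entry in
        '"'*'"'*) ;;
        *) echo 'DN is not enclosed in double quotes'; return ;;
    esac
    rest=${entry#\"}
    dn=${rest%%\"*}          # text between the first pair of quotes
    accounts=${rest#*\"}     # everything after the closing quote
    case $dn in
        /*=*) ;;
        *) echo 'DN does not look like /key=value/...'; return ;;
    esac
    # The DN is matched as an exact string, so padding next to a separator
    # (" /OU=" or "/CN= Name") yields an entry that never matches the
    # subject in the certificate.
    case $dn in
        *' /'*|*'/ '*|*' ='*|*'= '*|*' ')
            echo 'whitespace next to "/" or "=" inside DN'; return ;;
    esac
    case $accounts in
        ' '*|"$tab"*) ;;
        *) echo 'no whitespace between DN and local account'; return ;;
    esac
    accounts=$(printf '%s' "$accounts" | tr -d ' \t')
    case $accounts in
        '') echo 'no local account given'; return ;;
        *[!A-Za-z0-9_.,-]*) echo 'unexpected character in account field'; return ;;
    esac
    # Policy assumption of this example: grid identities never map to root.
    case ",$accounts," in
        *,root,*) echo 'certificate is mapped to root'; return ;;
    esac
}

# Lint every non-comment line of FILE; return 1 if anything was reported.
check_gridmap() {
    bad=0 n=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        n=$((n + 1))
        case $raw in ''|'#'*) continue ;; esac
        finding=$(check_gridmap_line "$raw")
        if [ -n "$finding" ]; then
            printf '%s:%s: %s\n' "$1" "$n" "$finding"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Stand-alone use: sh gridmap-lint.sh /etc/grid-security/grid-mapfile
[ "$#" -eq 0 ] || check_gridmap "$1"
```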

Setting up GridFTP

Now that our own security setup is in place, we start a service. The following setup instructions come from the GridFTP Admin Guide.

   
      
      
     
  
root@database-group:/etc/grid-security# vim /etc/xinetd.d/gridftp
root@database-group:/etc/grid-security# cat /etc/xinetd.d/gridftp
service gsiftp
{
instances = 100
socket_type = stream
wait = no
user = root
env += GLOBUS_LOCATION=/usr/local/globus-4.0.3
env += LD_LIBRARY_PATH=/usr/local/globus-4.0.3/lib
server = /usr/local/globus-4.0.3/sbin/globus-gridftp-server
server_args = -i
log_on_success += DURATION
nice = 10
disable = no
}
root@database-group:/etc/grid-security# vim /etc/services
root@database-group:/etc/grid-security# tail /etc/services
vBoxd 20012/udp
binkp 24554/tcp # binkp fidonet protocol
asp 27374/tcp # Address Search Protocol
asp 27374/udp
dircproxy 57000/tcp # Detachable IRC Proxy
tfido 60177/tcp # fidonet EMSI over telnet
fido 60179/tcp # fidonet EMSI over TCP
# Local services
gsiftp 2811/tcp
root@database-group:/etc/grid-security# /etc/init.d/xinetd reload
Reloading internet superserver configuration: xinetd.
root@database-group:/etc/grid-security# netstat -an | grep 2811
tcp 0 0 0.0.0.0:2811 0.0.0.0:* LISTEN

I had already installed xinetd:

jeffery@database-group:~$ dpkg --list xinetd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii xinetd 2.3.13-3 replacement for inetd with many enhancements

You can use inetd instead; see the GridFTP xinetd/inetd examples for details. Of course, the simplest approach is still apt-get install xinetd.
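
A sanity check for the two files edited above (the xinetd service file and /etc/services), added here as an example rather than taken from the GridFTP documentation. A listening port only shows that xinetd accepted the entry, so the check also confirms that the configured server binary exists under GLOBUS_LOCATION. The function names are this example's own; both file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: check an xinetd service file for GridFTP together with
# the services database it depends on.

# Print the value(s) of KEY in FILE; accepts "key = value" and "key += value".
xinetd_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*+\{0,1\}=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//'
}

# Print one finding per problem; return 1 if anything was reported.
check_gridftp_xinetd() {
    conf=$1 services=$2 bad=0
    svc=$(sed -n 's/^[[:space:]]*service[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf")
    server=$(xinetd_value "$conf" server)
    prefix=$(xinetd_value "$conf" env | sed -n 's/^GLOBUS_LOCATION=//p')

    # xinetd looks the port up by service name, so the name must be listed.
    if [ -z "$svc" ] || ! grep -Eq "^${svc}[[:space:]]+[0-9]+/tcp" "$services"; then
        echo "no '${svc:-?} <port>/tcp' line in $services"; bad=1
    fi
    # The port can be LISTENing even when the binary behind it is absent.
    if [ ! -x "$server" ]; then
        echo "server '$server' is missing or not executable"; bad=1
    fi
    # The binary and its environment should come from the same install prefix.
    case $server in
        "${prefix:-/nonexistent}"/*) ;;
        *) echo "server is not under GLOBUS_LOCATION '$prefix'"; bad=1 ;;
    esac
    if [ "$(xinetd_value "$conf" disable)" != no ]; then
        echo "service is not enabled (disable = no expected)"; bad=1
    fi
    return "$bad"
}

# Stand-alone use: sh check.sh /etc/xinetd.d/gridftp /etc/services
[ "$#" -lt 2 ] || check_gridftp_xinetd "$1" "$2"
```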

The gridftp server is now waiting for requests, so we start a client and transfer a file:

jeffery % grid-proxy-init -verify -debug
User Cert File: /home/bacon/.globus/usercert.pem
User Key File: /home/bacon/.globus/userkey.pem
Trusted CA Cert Dir: /etc/grid-security/certificates
Output File: /tmp/x509up_u1817
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-choate.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon
Enter GRID pass phrase for this identity: ****
Creating proxy .....++++++++++++
..++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Tue Nov 15 20:15:46 2005
jeffery% globus-url-copy gsiftp://database-group.seu.edu.cn/etc/group file:///tmp/jeffery.test.copy
jeffery% diff /tmp/jeffery.test.copy /etc/group
jeffery%

(TODO: when I ran globus-url-copy gsiftp://database-group.seu.edu.cn/etc/group file:///tmp/jeffery.test.copy here, it did not respond at all; perhaps port 2811 is already in use.)

If there are no errors, GridFTP is working properly. If you run into problems, see GridFTP Troubleshooting. If the problem concerns security or authentication, check the Security Troubleshooting documentation. Next we move on to starting the webservices container.

Starting the Webservices Container

First we arrange for the webservices container to be started from /etc/init.d. You can find more details about the container in the Container Admin Guide.

globus@database-group:~$ vim $GLOBUS_LOCATION/start-stop
globus@database-group:~$ cat $GLOBUS_LOCATION/start-stop
#! /bin/sh
set -e
export GLOBUS_LOCATION=/usr/local/globus-4.0.3
export JAVA_HOME=/usr/java/j2sdk1.4.2_12/
export ANT_HOME=/usr/local/apache-ant-1.6.5
export GLOBUS_OPTIONS="-Xms256M -Xmx512M"
. $GLOBUS_LOCATION/etc/globus-user-env.sh
cd $GLOBUS_LOCATION
case "$1" in
 start)
 $GLOBUS_LOCATION/sbin/globus-start-container-detached -p 8443
 ;;
 stop)
 $GLOBUS_LOCATION/sbin/globus-stop-container-detached
 ;;
 *)
 echo "Usage: globus {start|stop}" >&2
 exit 1
 ;;
esac
exit 0
globus@database-group:~$ chmod +x $GLOBUS_LOCATION/start-stop

GLOBUS_OPTIONS is used to pass options to the JVM. Here we set the heap size as recommended by the Admin Guide.

Now, logged in as root, we create an /etc/init.d script that calls the globus user's start-stop script.
   
root@database-group:~# vim /etc/init.d/globus-4.0.3
root@database-group:~# cat /etc/init.d/globus-4.0.3
#!/bin/sh -e
case "$1" in
 start)
 su - globus /usr/local/globus-4.0.3/start-stop start
 ;;
 stop)
 su - globus /usr/local/globus-4.0.3/start-stop stop
 ;;
 restart)
 $0 stop
 sleep 1
 $0 start
 ;;
 *)
 printf "Usage: $0 {start|stop|restart}\n" >&2
 exit 1
 ;;
esac
root@database-group:~# chmod +x /etc/init.d/globus-4.0.3
root@database-group:~# /etc/init.d/globus-4.0.3 start

Note

If startup fails, check the $GLOBUS_LOCATION/var/container.log file:

2007-01-22 12:49:29,108 INFO exec.RunQueue [main,initialize:68] Starting state machine with 18 run queues.

2007-01-22 12:49:31,548 ERROR service.ReliableFileTransferImpl [main,<init>:68] Unable to setup database driver with pooling.A connection error has occurred: FATAL: no pg_hba.conf entry for host "10.3.5.48",user "globus",database "rftDatabase",SSL off

2007-01-22 12:49:32,718 WARN service.ReliableFileTransferHome [main,initialize:97] All RFT requests will fail and all GRAM jobs that require file staging will fail.A connection error has occurred: FATAL: no pg_hba.conf entry for host "10.3.5.48",

Starting SOAP server at: https://10.3.5.48:8443/wsrf/services/

With the following services:

[1]: https://10.3.5.48:8443/wsrf/services/AdminService

[2]: https://10.3.5.48:8443/wsrf/services/AuthzCalloutTestService

[3]: https://10.3.5.48:8443/wsrf/services/CASService

[4]: https://10.3.5.48:8443/wsrf/services/ContainerRegistryEntryService

[5]: https://10.3.5.48:8443/wsrf/services/ContainerRegistryService

[6]: https://10.3.5.48:8443/wsrf/services/CounterService

[7]: https://10.3.5.48:8443/wsrf/services/DefaultIndexService

[8]: https://10.3.5.48:8443/wsrf/services/DefaultIndexServiceEntry

[9]: https://10.3.5.48:8443/wsrf/services/DefaultTriggerService

[10]: https://10.3.5.48:8443/wsrf/services/DefaultTriggerServiceEntry

[11]: https://10.3.5.48:8443/wsrf/services/DelegationFactoryService

[12]: https://10.3.5.48:8443/wsrf/services/DelegationService

[13]: https://10.3.5.48:8443/wsrf/services/DelegationTestService

[14]: https://10.3.5.48:8443/wsrf/services/InMemoryServiceGroup

[15]: https://10.3.5.48:8443/wsrf/services/InMemoryServiceGroupEntry

[16]: https://10.3.5.48:8443/wsrf/services/InMemoryServiceGroupFactory

[17]: https://10.3.5.48:8443/wsrf/services/IndexFactoryService

[18]: https://10.3.5.48:8443/wsrf/services/IndexService

[19]: https://10.3.5.48:8443/wsrf/services/IndexServiceEntry

[20]: https://10.3.5.48:8443/wsrf/services/ManagedExecutableJobService

[21]: https://10.3.5.48:8443/wsrf/services/ManagedJobFactoryService

[22]: https://10.3.5.48:8443/wsrf/services/ManagedMultiJobService

[23]: https://10.3.5.48:8443/wsrf/services/ManagementService

[24]: https://10.3.5.48:8443/wsrf/services/NotificationConsumerFactoryService

[25]: https://10.3.5.48:8443/wsrf/services/NotificationConsumerService

[26]: https://10.3.5.48:8443/wsrf/services/NotificationTestService

[27]: https://10.3.5.48:8443/wsrf/services/PersistenceTestSubscriptionManager

[28]: https://10.3.5.48:8443/wsrf/services/ReliableFileTransferFactoryService

[29]: https://10.3.5.48:8443/wsrf/services/ReliableFileTransferService

[30]: https://10.3.5.48:8443/wsrf/services/RendezvousFactoryService

[31]: https://10.3.5.48:8443/wsrf/services/SampleAuthzService

[32]: https://10.3.5.48:8443/wsrf/services/SecureCounterService

[33]: https://10.3.5.48:8443/wsrf/services/SecurityTestService

[34]: https://10.3.5.48:8443/wsrf/services/ShutdownService

[35]: https://10.3.5.48:8443/wsrf/services/SubscriptionManagerService

[36]: https://10.3.5.48:8443/wsrf/services/TestAuthzService

[37]: https://10.3.5.48:8443/wsrf/services/TestRPCService

[38]: https://10.3.5.48:8443/wsrf/services/TestService

[39]: https://10.3.5.48:8443/wsrf/services/TestServiceRequest

[40]: https://10.3.5.48:8443/wsrf/services/TestServiceWrongWSDL

[41]: https://10.3.5.48:8443/wsrf/services/TriggerFactoryService

[42]: https://10.3.5.48:8443/wsrf/services/TriggerService

[43]: https://10.3.5.48:8443/wsrf/services/TriggerServiceEntry

[44]: https://10.3.5.48:8443/wsrf/services/Version

[45]: https://10.3.5.48:8443/wsrf/services/WidgetNotificationService

[46]: https://10.3.5.48:8443/wsrf/services/WidgetService

[47]: https://10.3.5.48:8443/wsrf/services/gsi/AuthenticationService

[48]: https://10.3.5.48:8443/wsrf/services/mds/test/execsource/IndexService

[49]: https://10.3.5.48:8443/wsrf/services/mds/test/execsource/IndexServiceEntry

[50]: https://10.3.5.48:8443/wsrf/services/mds/test/subsource/IndexService

[51]: https://10.3.5.48:8443/wsrf/services/mds/test/subsource/IndexServiceEntry

2007-01-22 12:49:59,920 INFO impl.DefaultIndexService [ServiceThread-10,processConfigFile:107] Reading default registration configuration from file: /usr/local/globus-4.0.3/etc/globus_wsrf_mds_index/hierarchy.xml

2007-01-22 12:50:01,234 ERROR impl.QueryAggregatorSource [Thread-12,pollGetMultiple:149] Exception Getting Multiple Resource Properties from https://10.3.5.48:8443/wsrf/services/ReliableFileTransferFactoryService: java.rmi.RemoteException: Failed to serialize resource property org.globus.transfer.reliable.service.factory.TotalNumberOfBytesTransferred@4f71a3; nested exception is:

org.apache.commons.dbcp.DbcpException: A connection error has occurred: FATAL: no pg_hba.conf entry for host "10.3.5.48",

2007-01-22 12:51:01,214 ERROR impl.QueryAggregatorSource [Thread-12,SSL off

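The RFT warnings are expected, because we have not yet installed and configured the database; apart from that, everything would be perfect.

10.3.5.48 is my IP address. If yours shows up as "127.0.0.1" instead, you can change it as follows.

Edit $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd and client-server-config.wsdd, adding the line <parameter name="logicalHost" value="10.3.5.48" /> to the <globalConfiguration> section. For example:

<globalConfiguration>
 <parameter name="logicalHost" value="10.3.5.48" />

You can also use this method to choose the published interface on a multi-homed host. See Global Configuration for more container configuration options.

Next we can interact with the container through a simple client and service.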

jeffery% setenv JAVA_HOME /usr/java/j2sdk1.4.2_12/
jeffery% setenv ANT_HOME /usr/local/apache-ant-1.6.5/
jeffery% setenv PATH $ANT_HOME/bin:$JAVA_HOME/bin:$PATH
jeffery% counter-client -s https://database-group.seu.edu.cn:8443/wsrf/services/CounterService
Got notification with value: 3
Counter has value: 3
Got notification with value: 13

(TODO: I get a message that the counter-client command cannot be found; unresolved.)

This is exactly the output we expect, so the container is up and running. Next we will configure the database for RFT to get rid of those annoying warnings, and we can now use GridFTP to transfer files with confidence.

(To be continued)
