== Verification of rocci-server.centos7.x86_64-1.1.9 and https://rt.egi.eu/rt/Ticket/Display.html?id=12122 ==

=== Ticket assigned ===

 * [https://rt.egi.eu/rt/Ticket/Display.html?id=13170]
 * [https://rt.egi.eu/rt/Ticket/Display.html?id=12122]

=== Install UMD4 repos ===

NOTE: EPEL already installed

{{{
[root@fedcloud-services yum.repos.d]# pwd
/etc/yum.repos.d
[root@fedcloud-services yum.repos.d]# wget http://repository.egi.eu/sw/production/umd/4/repofiles/sl6/UMD-4-base.repo
[root@fedcloud-services yum.repos.d]# wget http://repository.egi.eu/sw/production/umd/4/repofiles/sl6/UMD-4-updates.repo
[root@fedcloud-services yum.repos.d]# wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo
[root@fedcloud-services ~]# rpm --import http://download.nordugrid.org/RPM-GPG-KEY-nordugrid
[root@fedcloud-services ~]# rpm --import http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
}}}

=== rocci-server and gridsite repos and installation ===

(!) Ensure SELinux is disabled:

{{{
[root@fedcloud-services ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled
}}}

As a prerequisite, you need both the "epel" repo enabled and a repo providing "passenger-devel":

{{{
[root@fedcloud-services ~]# cat /etc/yum.repos.d/epel.repo
[epel]
[.....]
enabled=1
[.....]
[root@fedcloud-services ~]# curl --fail -sSLo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo
[root@fedcloud-services ~]# cat /etc/yum.repos.d/passenger.repo
[passenger]
name=passenger
baseurl=https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

[passenger-source]
name=passenger-source
baseurl=https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
}}}

Now the repos under verification:

{{{
[root@fedcloud-services yum.repos.d]# pwd
/etc/yum.repos.d
[root@fedcloud-services yum.repos.d]# wget http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.rocci-server.centos7.x86_64/1/1/9/repofiles/CESNET.rocci-server.centos7.x86_64.repo
[root@fedcloud-services yum.repos.d]# cat CESNET.rocci-server.centos7.x86_64.repo
# EGI Software Repository - REPO META (releaseId,repositoryId,repofileId) - (13170,2421,2376)

[CESNET.rocci-server.centos7.x86_64]
name=CESNET.rocci-server.centos7.x86_64
baseurl=http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.rocci-server.centos7.x86_64/1/1/9/
enabled=1
protect=1
priority=1
gpgcheck=1
gpgkey=http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
[root@fedcloud-services yum.repos.d]# wget http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.gridsite.centos7.x86_64/2/3/3/repofiles/CESNET.gridsite.centos7.x86_64.repo
[root@fedcloud-services yum.repos.d]# cat CESNET.gridsite.centos7.x86_64.repo
# EGI Software Repository - REPO META (releaseId,repositoryId,repofileId) - (12122,2238,2188)

[CESNET.gridsite.centos7.x86_64]
name=CESNET.gridsite.centos7.x86_64
baseurl=http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.gridsite.centos7.x86_64/2/3/3/
enabled=1
protect=1
priority=1
gpgcheck=1
gpgkey=http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
}}}

{{{
[root@fedcloud-services ~]# yum clean all; yum install occi-server gridsite
Loaded plugins: fastestmirror
CESNET.gridsite.centos7.x86_64                           | 1.9 kB  00:00:00
CESNET.rocci-server.centos7.x86_64                       | 1.9 kB  00:00:00
base                                                     | 3.6 kB  00:00:00
epel/x86_64/metalink                                     |  24 kB  00:00:00
extras                                                   | 3.4 kB  00:00:00
passenger/7/x86_64/signature                             |  836 B  00:00:00
Retrieving key from https://packagecloud.io/gpg.key
Importing GPG key 0xD59097AB:
 Userid     : "packagecloud ops (production key) "
 Fingerprint: 418a 7f2f b0e1 e6e7 eabf 6fe8 c2e7 3424 d590 97ab
 From       : https://packagecloud.io/gpg.key
Is this ok [y/N]: y
passenger/7/x86_64/signature                             | 1.0 kB  00:00:24 !!!
passenger-source/7/signature                             |  836 B  00:00:00
Retrieving key from https://packagecloud.io/gpg.key
Importing GPG key 0xD59097AB:
 Userid     : "packagecloud ops (production key) "
 Fingerprint: 418a 7f2f b0e1 e6e7 eabf 6fe8 c2e7 3424 d590 97ab
 From       : https://packagecloud.io/gpg.key
Is this ok [y/N]: y
passenger-source/7/signature                             | 1.0 kB  00:00:04 !!!
updates                                                  | 3.4 kB  00:00:00
(1/2): passenger-source/7/primary                        | 6.1 kB  00:00:00
(2/2): passenger/7/x86_64/primary                        |  27 kB  00:00:00
Loading mirror speeds from cached hostfile
 * base: centos.uvigo.es
 * epel: mirror.airenetworks.es
 * extras: centos.uvigo.es
 * updates: centos.uvigo.es
passenger                                                               216/216
passenger-source                                                          54/54
Resolving Dependencies
[.....]
Retrieving key from http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
Importing GPG key 0x96B71B07:
 Userid     : "Kostas Koumantaros (UMD Release Manager) "
 Fingerprint: 32ad 8d80 fa5a 89b5 3dc5 de93 6799 de16 96b7 1b07
 From       : http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
Is this ok [y/N]: y
[.....]
Complete!
}}}

=== rocci-server configuration ===

(!) The gridsite Apache module must be enabled:

{{{
[root@fedcloud-services ~]# cat /etc/httpd/conf.modules.d/90-gridsite.conf
[.....]
LoadModule gridsite_module modules/mod_gridsite.so
[.....]
}}}

We must put the desired LSC files in '/etc/grid-security/vomsdir/', one directory per VO:

{{{
[root@fedcloud-services ~]# ls /etc/grid-security/vomsdir/
alice                 earth.vo.ibergrid.eu     mpi
atlas                 eng.vo.ibergrid.eu       ops
auger                 fedcloud.egi.eu          ops.vo.ibergrid.eu
bing.vo.ibergrid.eu   fusion                   pfound.vo.ibergrid.eu
biomed                geohazards.terradue.com  phys.vo.ibergrid.eu
cesga                 hpc.vo.ibergrid.eu       social.vo.ibergrid.eu
chem.vo.ibergrid.eu   hydrology.terradue.com   tut.vo.ibergrid.eu
cms                   iber.vo.ibergrid.eu      vo.access.egi.eu
compchem              ict.vo.ibergrid.eu       vo.chain-project.eu
d4science.org         imath.cesga.es           vo.emsodev.eu
demo.fedcloud.egi.eu  lhcb
dteam                 life.vo.ibergrid.eu
}}}

Files '/etc/httpd/conf.d/occi-ssl.conf' and '/etc/httpd/conf.d/ssl.conf' must be edited. These are the diffs of the edited files against the originals ('<' lines are the edited file, '>' lines the shipped original):

{{{
[root@fedcloud-services conf.d]# diff occi-ssl.conf occi-ssl.conf.original
14c14
< SSLCertificateFile /etc/grid-security/hostcert-rocci.pem
---
> SSLCertificateFile /etc/grid-security/hostcert.pem
17c17
< SSLCertificateKeyFile /etc/grid-security/hostkey-rocci.pem
---
> SSLCertificateKeyFile /etc/grid-security/hostkey.pem
27,28c27,28
< #SSLVerifyClient optional
< SSLVerifyClient require
---
> SSLVerifyClient optional
> #SSLVerifyClient require
38c38
< SetEnv SSL_CERT_DIR /etc/grid-security/certificates
---
> #SetEnv SSL_CERT_DIR /etc/grid-security/certificates
44c44
< ServerName occi.fedcloud-services.egi.cesga.es
---
> ServerName localhost
50c50
< GridSiteEnvs on
---
> # GridSiteEnvs on
52c52
< GridSiteIndexes off
---
> # GridSiteIndexes off
55c55
< GridSiteGSIProxyLimit 4
---
> # GridSiteGSIProxyLimit 4
58c58
< GridSiteMethods ""
---
> # GridSiteMethods ""
77c77
< SetEnv ROCCI_SERVER_HOSTNAME fedcloud-services.egi.cesga.es
---
> SetEnv ROCCI_SERVER_HOSTNAME localhost
79,80c79,80
< SetEnv ROCCI_SERVER_AUTHN_STRATEGIES "voms x509"
< SetEnv ROCCI_SERVER_HOOKS oneuser_autocreate
---
> SetEnv ROCCI_SERVER_AUTHN_STRATEGIES "voms x509 basic"
> SetEnv ROCCI_SERVER_HOOKS dummy
82c82
< SetEnv ROCCI_SERVER_BACKEND opennebula
---
> SetEnv ROCCI_SERVER_BACKEND dummy
88c88
< SetEnv ROCCI_SERVER_LOG_LEVEL info
---
> SetEnv ROCCI_SERVER_LOG_LEVEL warn
97c97
< SetEnv ROCCI_SERVER_AUTHN_VOMS_ROBOT_SUBPROXY_IDENTITY_ENABLE yes
---
> SetEnv ROCCI_SERVER_AUTHN_VOMS_ROBOT_SUBPROXY_IDENTITY_ENABLE no
102c102
< SetEnv ROCCI_SERVER_ONEUSER_AUTOCREATE_HOOK_VO_NAMES "dteam ops"
---
> #SetEnv ROCCI_SERVER_ONEUSER_AUTOCREATE_HOOK_VO_NAMES "dteam ops"
105c105
< SetEnv ROCCI_SERVER_ONE_XMLRPC http://fedcloud-one.egi.cesga.es:2633/RPC2
---
> SetEnv ROCCI_SERVER_ONE_XMLRPC http://localhost:2633/RPC2
107c107
< SetEnv ROCCI_SERVER_ONE_PASSWD XXXXXXXXXXXXXXXXXXXXXXXXXXX
---
> SetEnv ROCCI_SERVER_ONE_PASSWD yourincrediblylonganddifficulttoguesspassword
}}}

{{{
[root@fedcloud-services conf.d]# diff ssl.conf ssl.conf.original
6d5
< Listen 11443 https
}}}

(!) A user for rOCCI (typically "rocci") must be created in the OpenNebula box. Its credentials are the ones set in 'occi-ssl.conf'.

We must ensure that the service is enabled:

{{{
[root@fedcloud-services conf.d]# chkconfig httpd on
Nota: Reenviando petición a 'systemctl enable httpd.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@fedcloud-services conf.d]# service httpd start
Redirecting to /bin/systemctl start httpd.service
}}}

Finally, the firewall rules, both on the rOCCI server (fedcloud-services) and on the OpenNebula box (fedcloud-one):

{{{
[root@fedcloud-services ~]# firewall-cmd --zone=fedcloud --add-port=11443/tcp --permanent
[root@fedcloud-services ~]# firewall-cmd --reload
}}}

{{{
[oneadmin@fedcloud-one ~]$ oneuser create rocci XXXXXXXXXXXXXXXXXXXXXXXXXXX --driver 'server_cipher'
[oneadmin@fedcloud-one ~]$ oneuser chgrp rocci oneadmin
}}}

Some tuning in the OpenNebula box is also necessary:

{{{
[root@fedcloud-one auth]# hostname
fedcloud-one.egi.cesga.es
[root@fedcloud-one auth]# pwd
/etc/one/auth
[root@fedcloud-one auth]# diff x509_auth.conf x509_auth.conf.original
4c4
< :ca_dir: "/etc/grid-security/certificates"
---
> #:ca_dir: "/etc/one/auth/certificates"
}}}

=== rOCCI-server test ===

For example, from a UI:

{{{
[rdiez@ui ~]$ voms-proxy-init -voms fedcloud.egi.eu --rfc
Enter GRID pass phrase for this identity:
Contacting voms1.grid.cesnet.cz:15002 [/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz] "fedcloud.egi.eu"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u50003.
Your proxy is valid until Sat Jul 08 01:44:26 CEST 2017
[rdiez@ui ~]$ /opt/occi-cli/bin/occi --endpoint "https://fedcloud-services.egi.cesga.es:11443" --action list --resource resource_tpl --auth x509 --user-cred /tmp/x509up_u50003 --voms
http://fedcloud.egi.eu/occi/compute/flavour/1.0#mem_medium
http://fedcloud.egi.eu/occi/compute/flavour/1.0#mem_large
http://fedcloud.egi.eu/occi/infrastructure/resource_tpl#extra_large
http://fedcloud.egi.eu/occi/infrastructure/resource_tpl#mem_extra_large_huge_disk
http://fedcloud.egi.eu/occi/infrastructure/resource_tpl#atlas
http://fedcloud.egi.eu/occi/infrastructure/resource_tpl#mem_medium_huge_disk
http://fedcloud.egi.eu/occi/infrastructure/resource_tpl#mammoth
http://fedcloud.egi.eu/occi/compute/flavour/1.0#medium
http://fedcloud.egi.eu/occi/compute/flavour/1.0#large
http://fedcloud.egi.eu/occi/infrastructure/resource_tpl#mem_extra_large
http://fedcloud.egi.eu/occi/compute/flavour/1.0#mem_small
http://fedcloud.egi.eu/occi/compute/flavour/1.0#small
http://fedcloud.egi.eu/occi/infrastructure/resource_tpl#goliath
}}}

(!) Only the appliances of the VO carried in the proxy are accessible.

=== Finding world-writable files in the packages' contents ===

{{{
[root@fedcloud-services ~]# rpm -qalv | egrep "^[-d]([-r][-w][-xs]){2}[-r]w"
drwxrwxrwt 2 root root 0 nov 5 2016 /tmp
drwxrwxrwt 2 root root 0 nov 5 2016 /var/tmp
}}}
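The rpm -qalv filter above reports /tmp and /var/tmp, which are world-writable by design because they carry the sticky bit (the 't' at the end of the mode). The script below is an added example, not part of the original verification log: it applies the same mode check but separates sticky-bit directories from entries that a package review should actually flag. The listing it parses is constructed from the page's two lines plus invented entries under /etc/example and /var/lib/example so that it runs offline; on a real host the input would be rpm -qalv (or rpm -qlv for one package).

```shell
#!/bin/sh
# Added example, not part of the original verification log.
# Filters an `rpm -qalv`-style listing for world-writable entries and
# separates sticky-bit directories (mode ending in 't'/'T', e.g. /tmp) from
# entries a package review should actually flag.
#
# SAMPLE_LISTING is constructed: the two lines from the page plus invented
# entries under /etc/example and /var/lib/example to exercise each case.
SAMPLE_LISTING='drwxrwxrwt    2 root    root           0 nov  5  2016 /tmp
drwxrwxrwt    2 root    root           0 nov  5  2016 /var/tmp
-rw-rw-rw-    1 root    root        1234 nov  5  2016 /etc/example/world-writable.conf
drwxrwxrwx    2 root    root           0 nov  5  2016 /var/lib/example/spool
-rw-r--r--    1 root    root         200 nov  5  2016 /etc/example/ok.conf
lrwxrwxrwx    1 root    root          11 nov  5  2016 /usr/bin/example -> example-1.0'

# Mode string layout: type(1) user(3) group(3) other(3); "other" is chars 8-10,
# so char 9 is the world-write bit and char 10 the world-exec/sticky position.
# Print the paths of world-writable files and directories that are NOT sticky
# directories. Symlinks are skipped (their mode bits mean nothing), matching
# the ^[-d] anchor of the page's egrep. Paths are taken from the last field,
# so a path containing spaces would need a different split.
unsafe_world_writable() {
    printf '%s\n' "$1" | awk '
        /^[-d]/ {
            mode = $1
            if (substr(mode, 9, 1) != "w") next                 # not world-writable
            last = substr(mode, 10, 1)
            if (substr(mode, 1, 1) == "d" && (last == "t" || last == "T")) next  # sticky dir
            print $NF
        }'
}

# Print the sticky world-writable directories separately, so the report
# still lists them without treating them as findings.
sticky_world_writable_dirs() {
    printf '%s\n' "$1" | awk '
        /^d/ && substr($1, 9, 1) == "w" && (substr($1, 10, 1) == "t" || substr($1, 10, 1) == "T") { print $NF }'
}

echo "World-writable, needs review:"
unsafe_world_writable "$SAMPLE_LISTING"
echo "Sticky directories (expected):"
sticky_world_writable_dirs "$SAMPLE_LISTING"
```

Against the constructed listing the first function reports only /etc/example/world-writable.conf and /var/lib/example/spool, while /tmp and /var/tmp end up in the second list; on the real package set from this verification the first list would be empty, which is the result the page's egrep was meant to establish.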
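A further check for the repo files installed in the "rocci-server and gridsite repos and installation" section above, added here as example code that is not part of the original log: the CESNET repo files set gpgcheck=1, while the passenger repo file sets gpgcheck=0 together with repo_gpgcheck=1, which verifies only the signed repository metadata and not each RPM. The script scans .repo files and reports every enabled section whose packages are not signature-checked. The two sample files are constructed from the settings shown on the page (with passenger-source switched to enabled=0 to show that disabled sections are skipped); on a real host it would be run over /etc/yum.repos.d/*.repo. The function name unsigned_repos is this example's own.

```shell
#!/bin/sh
# Added example, not part of the original verification log.
# Scans yum .repo files and reports every enabled section whose packages are
# not signature-checked (gpgcheck missing or not 1). repo_gpgcheck=1 covers
# only the repository metadata, so it is shown but does not make a section
# pass. yum treats a section without enabled= as enabled, so that is the
# default here too.
#
# The sample files are constructed from the settings shown on the page
# (passenger-source switched to enabled=0 to show that disabled sections are
# skipped); on a real host run:  unsigned_repos /etc/yum.repos.d/*.repo
REPO_DIR=$(mktemp -d)
trap 'rm -rf "$REPO_DIR"' EXIT

cat > "$REPO_DIR/passenger.repo" <<'EOF'
[passenger]
name=passenger
baseurl=https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/gpg.key

[passenger-source]
name=passenger-source
baseurl=https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=0
gpgkey=https://packagecloud.io/gpg.key
EOF

cat > "$REPO_DIR/CESNET.rocci-server.centos7.x86_64.repo" <<'EOF'
# EGI Software Repository - REPO META (releaseId,repositoryId,repofileId) - (13170,2421,2376)
[CESNET.rocci-server.centos7.x86_64]
name=CESNET.rocci-server.centos7.x86_64
baseurl=http://admin-repo.egi.eu/sw/unverified/cmd-one-1.cesnet.rocci-server.centos7.x86_64/1/1/9/
enabled=1
gpgcheck=1
gpgkey=http://repository.egi.eu/sw/production/umd/UMD-RPM-PGP-KEY
EOF

# One line per finding:
#   <file>:<section> gpgcheck=<value|unset> repo_gpgcheck=<value|unset>
unsigned_repos() {
    for f in "$@"; do
        awk -v file="$f" '
            function flush() {
                if (section != "" && enabled == "1" && gpgcheck != "1")
                    printf "%s:%s gpgcheck=%s repo_gpgcheck=%s\n", file, section, gpgcheck, repocheck
            }
            /^\[.*\]$/        { flush(); section = substr($0, 2, length($0) - 2)
                                enabled = "1"; gpgcheck = "unset"; repocheck = "unset"; next }
            /^enabled=/       { enabled = substr($0, 9) }
            /^gpgcheck=/      { gpgcheck = substr($0, 10) }
            /^repo_gpgcheck=/ { repocheck = substr($0, 15) }
            END               { flush() }
        ' "$f"
    done
}

unsigned_repos "$REPO_DIR"/*.repo
```

Run as-is it prints one line for the [passenger] section and nothing for the CESNET file, which matches what the yum transcript shows: the UMD key is imported and checked per package for the CESNET repos, while for passenger only the repository signature is fetched.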
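A check for the occi-ssl.conf edits in the "rocci-server configuration" section above, again added as example code that is not part of the original log. The diff there shows the shipped defaults (SSLVerifyClient optional, 'basic' in the authentication strategies, dummy backend and hooks, the placeholder password, ServerName localhost) beside the values set for this deployment. The script reads a config as text, resolves the effective value of each directive or SetEnv variable while ignoring commented lines, and prints one finding per weak setting. SHIPPED_CONF and VERIFIED_CONF are constructed from the diff and contain only the directives the diff touches; the function names conf_value and audit_occi_conf are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original verification log.
# Checks an occi-ssl.conf against the settings the verification applied and
# prints one finding per weak value. SHIPPED_CONF and VERIFIED_CONF are
# constructed from the diff on the page and hold only the directives the
# diff touches. A real run would use:
#   audit_occi_conf "$(cat /etc/httpd/conf.d/occi-ssl.conf)"
SHIPPED_CONF='SSLCertificateFile /etc/grid-security/hostcert.pem
SSLCertificateKeyFile /etc/grid-security/hostkey.pem
SSLVerifyClient optional
#SSLVerifyClient require
#SetEnv SSL_CERT_DIR /etc/grid-security/certificates
ServerName localhost
SetEnv ROCCI_SERVER_AUTHN_STRATEGIES "voms x509 basic"
SetEnv ROCCI_SERVER_HOOKS dummy
SetEnv ROCCI_SERVER_BACKEND dummy
SetEnv ROCCI_SERVER_ONE_PASSWD yourincrediblylonganddifficulttoguesspassword'

VERIFIED_CONF='SSLCertificateFile /etc/grid-security/hostcert-rocci.pem
SSLCertificateKeyFile /etc/grid-security/hostkey-rocci.pem
#SSLVerifyClient optional
SSLVerifyClient require
SetEnv SSL_CERT_DIR /etc/grid-security/certificates
ServerName occi.fedcloud-services.egi.cesga.es
GridSiteGSIProxyLimit 4
SetEnv ROCCI_SERVER_AUTHN_STRATEGIES "voms x509"
SetEnv ROCCI_SERVER_HOOKS oneuser_autocreate
SetEnv ROCCI_SERVER_BACKEND opennebula
SetEnv ROCCI_SERVER_ONE_PASSWD XXXXXXXXXXXXXXXXXXXXXXXXXXX'

# Effective value of an Apache directive or of a SetEnv variable. Commented
# lines never match because their first field is "#Name", not "Name". The
# first match wins; the value is everything after the name (or after
# "SetEnv NAME"), with runs of blanks collapsed to one space.
conf_value() {  # $1 = config text, $2 = directive or variable name
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key                    { $1 = ""; sub(/^ +/, ""); print; exit }
        $1 == "SetEnv" && $2 == key  { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }'
}

# Prints nothing when every checked setting is acceptable.
audit_occi_conf() {
    conf=$1
    [ "$(conf_value "$conf" SSLVerifyClient)" = "require" ] \
        || echo "SSLVerifyClient is not 'require': a client certificate or proxy is not mandatory"
    [ -n "$(conf_value "$conf" SSL_CERT_DIR)" ] \
        || echo "SSL_CERT_DIR is not set: no CA directory for validating client proxies"
    case "$(conf_value "$conf" ROCCI_SERVER_AUTHN_STRATEGIES)" in
        *basic*) echo "ROCCI_SERVER_AUTHN_STRATEGIES includes 'basic': password login enabled next to VOMS/X.509" ;;
    esac
    case "$(conf_value "$conf" ROCCI_SERVER_BACKEND)" in
        ""|dummy) echo "ROCCI_SERVER_BACKEND is missing or 'dummy': no real backend configured" ;;
    esac
    case "$(conf_value "$conf" ROCCI_SERVER_HOOKS)" in
        dummy) echo "ROCCI_SERVER_HOOKS is 'dummy'" ;;
    esac
    [ "$(conf_value "$conf" ROCCI_SERVER_ONE_PASSWD)" != "yourincrediblylonganddifficulttoguesspassword" ] \
        || echo "ROCCI_SERVER_ONE_PASSWD is still the shipped placeholder"
    [ "$(conf_value "$conf" ServerName)" != "localhost" ] \
        || echo "ServerName is localhost"
}

echo "--- shipped defaults ---";  audit_occi_conf "$SHIPPED_CONF"
echo "--- verified config ---";   audit_occi_conf "$VERIFIED_CONF"
```

The shipped defaults produce seven findings and the verified config none, which is a compact restatement of what the diff changes. Since the file carries ROCCI_SERVER_ONE_PASSWD in clear text, the same pre-start check is a natural place to also confirm that occi-ssl.conf is readable only by root, a condition the diff itself cannot show.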