The DORII Infrastructure

DORII Infrastructure - General Information

DORII applications require the integration of scientific instruments with computational and storage resources to facilitate data acquisition, storage and processing. Coordinated and secure access to instruments, data and computational resources is an important requirement for the effective remote usage of these instruments by the applications and their users. To fulfil these requirements the DORII project utilizes the capabilities of Grid infrastructures. The main principle is the use of existing e-Infrastructures in Europe, adding the necessary components and services to facilitate remote instrumentation.

The DORII e-Infrastructure is mainly based on the EGEE (Enabling Grids for E-sciencE) [http://www.eu-egee.org] infrastructure and its middleware of choice, gLite (http://glite.web.cern.ch/glite/). The middleware service dealing with the management of remote instrumentation is the Instrument Element (IE), which is being built by the DORII project. To deal with the interactivity requirements of the applications, the DORII e-Infrastructure deploys a selection of services built by the Interactive European Grid Project (int.eu.grid) [http://www.interactive-grid.eu].

The first version of the DORII e-Infrastructure comprises resource centres (sites) that are distributed among the partners of the project in several countries such as Germany, Greece, Italy, Poland and Spain. Several of them belong to the EGEE infrastructure, while others are new sites operated by the DORII partners and supporting the DORII Virtual Organizations. Initial deployment of the applications is being done inside the Catch-All vo.dorii.eu VO. It is envisaged that some applications will continue to use this Catch-All VO while others will migrate to their own VOs. In total, 10 resource centres are already available in the first version of the DORII infrastructure, providing more than 2300 non-dedicated CPUs and several Terabytes of storage.

Instrument Resources

| Community | Partner | Application Long Name | Application Short Name | Instruments |
| --- | --- | --- | --- | --- |
| Earthquake | EUCENTRE | Network-centric seismic simulations | NCSS | Actuators, sensors: Actuators are devices applying forces to the specimen, while a sensor network is used to monitor the specimen's reaction. |
| | EUCENTRE | Earthquake early warning system | EEWS | seismic sensors |
| Environmental | OGS | Oceanographic and coastal observation and modeling Mediterranean Ocean Observing Network | FLOAT | Float: Lagrangian (passively following the current) instrument |
| | | | GLIDERS | Glider: Autonomous Underwater Vehicle (AUV) |
| | | | OPATM-BFM | |
| | UC | Oceanographic and coastal observation and modeling using imaging | HORUS | Digital Cameras, Pressure sensors, temperature sensors |
| | ECOHYDROS | Simulation and Monitoring System for inland waters and reservoirs | <UN-NAMED> | CTD, optical sensors |
| Experimental Science | ELETTRA | On-line data analysis in experimental science | SAXS | SAXS: Small Angle X-ray Scattering |
| | ELETTRA | | XRD | XRD: BeamLine |
| | ELETTRA | | SYRMEP | SYRMEP: SYnchrotron Radiation for MEdical Physics |
| Demonstration | ELETTRA | LEGO Robot Exploitation | LEGO Robot Exploitation | LEGO Mindstorm |
| | ELETTRA | Robocam | Robocam | Digital Camera |

Virtual Organizations

| VO Name | Applications | User Registration |
| --- | --- | --- |
| vo.dorii.eu | Catch all DORII VO | https://voms.grid.auth.gr:8443/voms/vo.dorii.eu/ |
| ihydra | HORUS | https://i2g-voms.lip.pt:8443/voms/ihidra |
| ienvmod | ECOHYDROS | https://i2g-voms.lip.pt:8443/voms/ienvmod |
| gridats | On-line data analysis in experimental science | https://voms01.grid.elettra.trieste.it:8443/voms/gridats/ |
| lights.infn.it | On-line data analysis in experimental science | https://voms2.cnaf.infn.it:8443/voms/lights.infn.it/ |

Sites

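| Country | Partner Name | Site Name | CPUs (Cores) | Storage (TB) | IE | Core Services |
| --- | --- | --- | --- | --- | --- | --- |
| Poland | PSNC | PSNC | 1068 | 16 | | |
| Spain | CSIC | IFCA-CSIC | 372 | 107 | | |
| | | IFCA-I2G* | 372* | 107* | | |
| Italy | ELETTRA | ELETTRA | 6 | 0.1 | Yes | WMS, BDII, LFC VCR |
| Greece | GRNET | HG-01-GRNET | 64 | 4.78 | | WMS, BDII |
| | | HG-02-IASA | 118 | 3.14 | | |
| | | HG-03-AUTH | 120 | 3.13 | | WMS, BDII |
| | | HG-04-CTI-CEID | 114 | 2.87 | | |
| | | HG-05-FORTH | 120 | 2.33 | | |
| | | HG-06-EKT | 228 | 7.76 | | WMS, BDII |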

* IFCA-CSIC and IFCA-I2G sites share the same resources.

Operational Tools

Information for users

User Registration

User registration in the DORII infrastructure involves the same steps and procedures as user registration in any grid infrastructure. The following sections provide the details of user registration. These details can be summarised in the following steps.

  1. The user has to obtain a digitally signed certificate that is compatible with a valid Grid Policy Management Authority
  2. The user has to apply for VO membership to one of the DORII related VOs via the VOMS Admin registration web interface
  3. The user has to apply for membership to one of the Virtual Control Room (VCR) instances that are supported by the DORII project based on the VO that he belongs to.

Getting Access to the Virtual Control Room (VCR)

The official user interface of the DORII Infrastructure is the Virtual Control Room (VCR). A VCR for the Catch-All DORII VO (vo.dorii.eu) has been installed in ELETTRA and is available to users via the following URL:

https://dorii-vcr.grid.elettra.trieste.it/gridsphere/gridsphere

By following the above URL in a browser that has the user's digital certificate installed, users can request an account to use the VCR. When permissions are granted, users can start using the VCR to get access to the instrument, computational and storage resources available to the vo.dorii.eu VO. Other VOs deployed and used in the DORII infrastructure have installed or will install their own VCR to provide access to their users.

Information for Site administrators

Adding Support for vo.dorii.eu to sites.

GridAUTH VOMS server certificate installation

It is necessary to install the dorii VOMS server certificate on your service nodes (i.e. CE) to ensure correct functionality of the VO. Worker Nodes do not need it.

The rpm containing the dorii VOMS server certificate is located at http://rpm.grid.auth.gr/apt/HellasGrid/SL/3.x/RPMS.production/GridAUTH-vomscert-1.2-5.noarch.rpm

You can also install it manually by downloading it from http://www.grid.auth.gr/services/voms/voms.grid.auth.gr.171 and copying it to /etc/grid-security/vomsdir

Attention: the voms.grid.auth.gr certificate expires on July 30th. It will be replaced on July 28th. The new certificate must be installed alongside the old one no later than July 28th. The rpm containing the new certificate is at http://rpm.hellasgrid.gr/yum/HellasGrid/sl4/noarch/GridAUTH-vomscert-1.4-2.noarch.rpm

Detailed instructions are available at http://goc.grid.auth.gr/wiki/bin/view/AdminGuides/TransitionToNewVOMSCertificate

site-info.def configuration

Add "vo.dorii.eu" to the VOS variable:

VOS="ops dteam vo.dorii.eu"

And dorii to the QUEUES variable:

QUEUES="ops dteam dorii"

Finally, enable the queue for the VO roles:

DORII_GROUP_ENABLE="vo.dorii.eu /VO=vo.dorii.eu/GROUP=/vo.dorii.eu/ROLE=lcgadmin"

vo.d directory configuration

Under the vo.d directory create a file with filename vo.dorii.eu and add the following lines:

SW_DIR=$VO_SW_DIR/dorii

DEFAULT_SE=$DPM_HOST

QUEUES="dorii"

VOMS_SERVERS="vomss:voms.grid.auth.gr:8443/voms/vo.dorii.eu?/vo.dorii.eu"

VOMSES="'vo.dorii.eu voms.grid.auth.gr 15130 /C=GR/O=HellasGrid/OU=auth.gr/CN=voms.grid.auth.gr vo.dorii.eu'"

If you are using a classic SE you may also want to include the following line

VO_DORII_STORAGE_DIR=$CLASSIC_STORAGE_DIR/dorii

groups.conf configuration

"/VO=vo.dorii.eu/GROUP=/vo.dorii.eu/ROLE=lcgadmin":::sgm:

"/VO=vo.dorii.eu/GROUP=/vo.dorii.eu"::::

"/VO=vo.dorii.eu/GROUP=/vo.dorii.eu/*"::::

users.conf configuration

Typically, within the users.conf file you need to add a few sgm pool accounts and a few more regular pool accounts. A sample configuration for 200 regular pool accounts is the following:

40001:dorii001:40000:dorii:vo.dorii.eu::

40002:dorii002:40000:dorii:vo.dorii.eu::

40200:dorii200:40000:dorii:vo.dorii.eu::

Similarly for 20 sgm pool accounts the configuration of the users.conf file should be similar to the following.

40901:sgmdorii001:40090,40000:sgmdorii,dorii:vo.dorii.eu:sgm:

40902:sgmdorii002:40090,40000:sgmdorii,dorii:vo.dorii.eu:sgm:

40920:sgmdorii020:40090,40000:sgmdorii,dorii:vo.dorii.eu:sgm:
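The pool-account layout shown above, generated in full instead of typed by hand. This is an added example, not part of the original page: the function names gen_pool, dorii_pool and uid_clashes are made up for it, while the UID/GID ranges, logins and VO name are the ones in the samples above.

```shell
#!/bin/sh
# Added example: emit users.conf pool-account lines in the layout used above,
#   UID:LOGIN:GID[,GID]:GROUP[,GROUP]:VO:FLAG:
# Usage (after sourcing this file): dorii_pool >> users.conf

# gen_pool LOGIN_PREFIX COUNT FIRST_UID GIDS GROUPS VO FLAG
gen_pool() {
    prefix=$1 count=$2 uid=$3 gids=$4 groups=$5 vo=$6 flag=$7
    i=1
    while [ "$i" -le "$count" ]; do
        # Logins are numbered with three digits: dorii001 ... dorii200.
        printf '%d:%s%03d:%s:%s:%s:%s:\n' \
            "$uid" "$prefix" "$i" "$gids" "$groups" "$vo" "$flag"
        uid=$((uid + 1))
        i=$((i + 1))
    done
}

# dorii_pool: the 200 regular and 20 sgm accounts from the samples above.
dorii_pool() {
    gen_pool dorii    200 40001 40000       dorii          vo.dorii.eu ''
    gen_pool sgmdorii  20 40901 40090,40000 sgmdorii,dorii vo.dorii.eu sgm
}

# uid_clashes FILE: print every UID or login that appears more than once,
# so generated entries can be checked against an existing users.conf
# before two grid identities end up mapped to the same local account.
uid_clashes() {
    awk -F: 'NF > 1 { if (seen_uid[$1]++)   print "uid " $1
                      if (seen_login[$2]++) print "login " $2 }' "$1"
}
```

Run uid_clashes on the merged users.conf before reconfiguring the node; any output means two entries share a UID or login.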

Environment variables (pre glite-3.1 only)

Variables for DNS-like VOs are not added to /etc/profile.d/lcgenv.sh, so we create a new file /etc/profile.d/dorii.sh:

#!/bin/sh
# Set the vo.dorii.eu defaults only if LCG_ENV_SET is not already set.
if test "x${LCG_ENV_SET+x}" = x; then
    export VO_VO_DORII_EU_DEFAULT_SE=se01.afroditi.hellasgrid.gr
    export VO_VO_DORII_EU_SW_DIR=/opt/exp_soft/dorii
fi

Instrument Element Deployment

The following are the minimal steps and requirements to install the IE module in Apache Tomcat container.

Requirements:

  1. Java JDK 5 or above.
  2. Apache Ant 1.7.
  3. Apache Tomcat 5.5.*
  4. CATALINA_HOME, JAVA_HOME, ANT_HOME environment variables must be set.
  5. (Apache Axis is included with the IE.)

Enabling grid security (applies only to Linux systems, preferably RH Enterprise based, e.g. Scientific Linux). Host certificates must be installed on the machine that will run IE.

  1. Set up your yum/apt system to retrieve packages from the LCG repository, both lcg-CA and glite-UI. E.g.:

[glite-UI]
name=gLite 3.1 User Interface
baseurl=http://linuxsoft.cern.ch/EGEE/gLite/R3.1/glite-UI/sl4/i386/
enabled=1

[CA]
name=CAs
baseurl=http://linuxsoft.cern.ch/LCG-CAs/current
enabled=1

  2. Install fetch-crl and lcg-CA packages using yum/apt.
  3. Create a cron script to automate CRL refreshing. E.g.:

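/etc/cron.daily/fetch-crl.sh:

#!/bin/sh
# Refresh the CRLs in the grid CA certificate directory.
CRLDIR=${X509_CERT_DIR:-/etc/grid-security/certificates}
# stdout is discarded; stderr still goes to cron's output.
/usr/sbin/fetch-crl --loc "${CRLDIR}" --out \
  "${CRLDIR}" --no-check-certificate 2>&1 1>/dev/null

Remember to chmod the created file so that it is executable. It is advisable to test-run the script immediately.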

  4. Also, you must obtain the hostcert and the hostkey from a valid CA. Copy the cert and the key into the /etc/grid-security directory (created when doing the above operations) with the correct permissions (400 for the key, 644 for the cert).
  5. Import the certificate from your VOMS server.

Configure, Compile and Deploy IE:

  1. Edit build.properties:
     - Set the target folder for the compiled classes, created jars and generated javadocs (e.g. project.build=build).
     - Set the name for the project (e.g. project.name=testIE). This is the name of both the project and the webapp under which it will be deployed, and it is part of the URL for the web service.
     - Set the host name (e.g. host.name=somehost.somedomain).
     - Set the port number on which the IE will run (e.g. port.no=8080 for unsecure http or 8443 for secure https). This is the same port number on which your Tomcat will run.
     - Set the security flag to enable/disable grid security (e.g. security=true). The port number must be set accordingly and, if the flag is set to true, Tomcat security must be configured.
     - Set jms.provider.path to point to the directory where your JMS provider libraries reside.
  2. Edit config/jndi.properties to set your JMS configuration. (Sample configuration and basic instructions are included in the given file.)
  3. Run ant to see all the available tasks. Execute "ant deploy-all" to build the IE application and deploy it to Tomcat. If you wish to have javadocs, run "ant docs". Generated javadocs may be seen in build/docs.
  4. Configure Tomcat to enable https by editing $CATALINA_HOME/conf/server.xml. Add the following:

 <!-- gLite https for IE delegation. -->
 <Connector  port="8443"
     maxThreads="150"
     minSpareThreads="25"
     maxSpareThreads="75"
     enableLookups="false"
     disableUploadTimeout="true"
     acceptCount="100"
     debug="0"
     scheme="https"
     secure="true"
     clientAuth="true"
     sslProtocol="TLS"
     sslCAFiles="/etc/grid-security/certificates/*.0"
     crlFiles="/etc/grid-security/certificates/*.r0"
     sslKey="$CATALINA_HOME/conf/hostkey.pem"
     sslCertFile="$CATALINA_HOME/conf/hostcert.pem"
     sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation" />

Beware that the sslKey and sslCertFile must be readable by the user that runs Tomcat. If possible, hard-link (do not symlink) the certificate and the key (see point 4 of the security requirements above) to files of the same name in $CATALINA_HOME/conf/. Set the correct ownership and permissions. It is advisable to disable http (non-secure) connections.

  5. (Re)Start your Tomcat server.
  6. You should register your IE in the VO's BDII or list it among the static resources of the VCR's mceinstruments module.
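
The ownership and permission requirements for the host key and certificate given above (400 for the key, 644 for the cert, readable by the Tomcat user, no symbolic links) can be checked before Tomcat is restarted. This is an added example, not part of the original page: check_cred and audit_host_creds are names made up for it, the Tomcat account name is supplied by the caller, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: audit hostkey.pem / hostcert.pem against the modes the page
# gives (400 for the key, 644 for the certificate). Assumes GNU stat (-c).
# Usage (after sourcing this file; "tomcat" is a hypothetical account name):
#   audit_host_creds "$CATALINA_HOME/conf" tomcat

# check_cred FILE MODE OWNER: print one line per problem, return 1 if any.
check_cred() {
    file=$1 want_mode=$2 want_owner=$3 bad=0
    if [ -L "$file" ]; then
        echo "$file: is a symbolic link"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file"
        return 1
    fi
    mode=$(stat -c %a "$file")    # octal permission bits, e.g. 400
    owner=$(stat -c %U "$file")   # owning user name
    if [ "$mode" != "$want_mode" ]; then
        echo "$file: mode $mode, expected $want_mode"
        bad=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owner $owner, expected $want_owner"
        bad=1
    fi
    return "$bad"
}

# audit_host_creds DIR OWNER: check both credential files in DIR.
audit_host_creds() {
    rc=0
    check_cred "$1/hostkey.pem"  400 "$2" || rc=1
    check_cred "$1/hostcert.pem" 644 "$2" || rc=1
    return "$rc"
}
```

A hard link shares one inode with the original file, so changing the owner or mode of the name under $CATALINA_HOME/conf also changes it for the name under /etc/grid-security.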
DORII project receives funding from the EC's Seventh Framework Programme (FP7/2007-2013) under grant agreement n° RI-211693.