Duncan,

ScotGrid at Glasgow (GUScotGrid) is well on the way to becoming part of
the NGS. Having done some of the paperwork, let me offer some comments.

There are several cases here:
* does the user have other access to globus or are they relying on you to
  provide it?
* is it local users wanting access to remote NGS sites or is it remote NGS
  users wanting access to your local site?

We were told that the NGS do not insist on you providing a gsissh service
but they do strongly encourage it. My guess is that this really arises
from the nature of NGS. Unlike EGEE there doesn't seem to be any notion of
sgmXXXXX accounts and software is either installed by the sites
themselves or it is a DIY task. Without interactive access, getting
applications properly installed and working could be awkward.

gsissh comes in at least two varieties:
* from a globus/VDT/gLite distribution
* from the GSI-SSHTerm Java application for Windows or Linux
  http://www.grid-support.ac.uk/content/view/81/195/

GSI-SSHTerm is rather nice - multiple windows, GUI gsisftp ....
but it does seem to seize up or break the connection occasionally.

There was concern at Glasgow that users might be tempted to maintain a
~/.globus/userkey.pem file on the UI. This might easily lead to their
private key being accessible over gsiftp:// via the CE if their proxy got
compromised somewhere on the Grid. OK, it is protected by a passphrase but
losing the file is still bad.

One way to avoid the need for a UI copy of the user's key is to use

    voms-proxy-init -voms XXX -cert $X509_USER_PROXY \
                    -key $X509_USER_PROXY

( http://wiki.ngs.ac.uk/index.php?title=VOMS_Client_Tools )

Only attempt this with a recent version of voms-proxy-init (>= 1.7.18),
otherwise the certificate chain will be in a strange order likely to cause
confusion.
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=3019

So - it would seem that providing a UI is a good thing - but there are
issues.

On Thu, 13 Dec 2007, Duncan Rand wrote:
> Hi
>
> Could I continue the ngs discussion..... I understand that at Glasgow
> they use gsissh to login to the local UI from which they then use
> globus-job-run (or qsub?) to submit their job to the cluster. Does
> this mean we need to make a UI available at our site for ngs users to
> login to if we want to support them?
>
> Duncan
>
--
David Martin
Kelvin Building,
University of Glasgow,
Glasgow, G12 8QQ,
United Kingdom
tel: (0)141 330 4197 fax: (0)141 330 5881
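
The message above raises the concern of users keeping ~/.globus/userkey.pem on the UI. As an added example (not part of the original message or of any NGS tooling), a UI administrator could list such files with a small audit script. The function name audit_globus_keys, the /home default and the choice to treat any mode other than 400 or 600 as loose are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message): list grid private keys kept
# in home directories on a UI. Assumption: homes sit under one base directory.

# audit_globus_keys BASE
# Prints "<protection> <perms> <mode> <path>" for each ~/.globus/userkey.pem:
#   protection  ENCRYPTED | PLAINTEXT | UNREADABLE
#   perms       ok (mode 400 or 600) | loose (anything else)
audit_globus_keys() {
    base=${1:-/home}
    for key in "$base"/*/.globus/userkey.pem; do
        # An unmatched glob stays literal, so skip anything that is not a file
        [ -f "$key" ] || continue
        # GNU stat first, BSD stat as fallback
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$mode" in
            400|600) perms=ok ;;
            *)       perms=loose ;;
        esac
        # Both traditional ("Proc-Type: 4,ENCRYPTED") and PKCS#8
        # ("BEGIN ENCRYPTED PRIVATE KEY") PEM files carry this marker
        if [ ! -r "$key" ]; then
            protection=UNREADABLE
        elif grep -q 'ENCRYPTED' "$key"; then
            protection=ENCRYPTED
        else
            protection=PLAINTEXT
        fi
        printf '%s %s %s %s\n' "$protection" "$perms" "$mode" "$key"
    done
    return 0
}

# Run the audit only when a base directory is given: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    audit_globus_keys "$1"
fi
```

Run as root so that keys with mode 400 or 600 can be inspected; otherwise they are reported as UNREADABLE.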