Hi Oscar
Thanks for looking into it. I am attaching lcmap-suexec.db.
Cheers
Kashif
-----Original Message-----
From: LHC Computer Grid - Rollout [mailto:[log in to unmask]] On
Behalf Of Oscar Koeroo
Sent: 11 January 2010 14:13
To: [log in to unmask]
Subject: Re: [LCG-ROLLOUT] Scas server for creamce
Hi Kashif,
We're looking into your problem for a few minutes here and trying to
understand what went wrong.
Could you attach the complete lcmaps-suexec.db for debugging? We miss a
bunch of lines which might influence the process.
After that, could you change the lcmaps-suexec.db to the following:
BEGINFILE
# Warning: RedHat 64 bit specific default path for the modules
path = /opt/glite/lib64/modules

# Plugin definitions:
posix_enf = "lcmaps_posix_enf.mod"
            " -maxuid 1"
            " -maxpgid 1"
            " -maxsgid 32"

proxycheck = "lcmaps_verify_proxy.mod"
             "-certdir /etc/grid-security/certificates"

scasclient = "lcmaps_scas_client.mod"
             " -capath /etc/grid-security/certificates"
             " -cert /etc/grid-security/tomcathostcert.pem"
             " -key /etc/grid-security/tomcathostkey.pem"
             " -endpoint https://t2scas01.physics.ox.ac.uk:8443"
             " -resourcetype ce"
             " -actiontype execute-now"

glexec_get_account:
proxycheck -> scasclient
scasclient -> posix_enf

# Commented the following:
# glexec_get_account:
# vomslocalgroup -> vomspoolaccount | poolaccount
# vomspoolaccount -> good | vomslocalaccount
# vomslocalaccount -> good | poolaccount
# poolaccount -> good | localaccount
ENDFILE
I've also written (a to be extended) gLExec FAQ sub page which might be
of use:
https://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/GLExec#Debugging_hints_and_answers_to_FAQ
May we also (please send privately! to us: [log in to unmask])
have an inside look of the LCMAPS output? Given your configuration that
should be quite a noticeable contribution to your logfile output.
kind regards,
Oscar
Kashif Mohammad wrote:
> Hi Dug
> Yes it is already owned by tomcat
> -rw-r--r-- 1 tomcat tomcat 2196 Dec 18 16:19 tomcathostcert.pem
> -r-------- 1 tomcat tomcat 1891 Dec 18 16:19 tomcathostkey.pem
>
> Thanks
> Kashif
>
> ________________________________
>
> From: LHC Computer Grid - Rollout [mailto:[log in to unmask]]
> On Behalf Of Douglas McNab
> Sent: 11 January 2010 13:20
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] Scas server for creamce
>
>
> Hi Kashif,
>
> Have you checked that the hostcert and key are owned by tomcat?
> I had to copy the ones owned by root to the tomcat user.
> Since CREAM uses the Tomcat user for identity switching.
>
> -rw-r--r-- 1 tomcat tomcat 2187 Dec 4 10:44 tomcathostcert.pem
> -r-------- 1 tomcat tomcat 1863 Dec 4 10:44 tomcathostkey.pem
> Regards,
>
> Dug
>
>
> 2010/1/11 Kashif Mohammad <[log in to unmask]>
>
>
> Hi
> I am setting up a scas server for a creamce. Scas server was setup
> correctly. I am sharing gridmapdir with lcg-ce. Creamce is working
> perfectly without scas. I edited lcmap-suexec.db with
>
> proxycheck = "lcmaps_verify_proxy.mod"
> "-certdir /etc/grid-security/certificates"
>
> scasclient = "lcmaps_scas_client.mod"
> " -capath /etc/grid-security/certificates"
> " -cert /etc/grid-security/tomcathostcert.pem"
> " -key /etc/grid-security/tomcathostkey.pem"
> " -endpoint https://t2scas01.physics.ox.ac.uk:8443"
> " -resourcetype ce"
> " -actiontype execute-now"
> glexec_get_account:
> proxycheck -> scasclient
> scasclient -> posix_enf
> vomslocalgroup -> vomspoolaccount | poolaccount
> vomspoolaccount -> good | vomslocalaccount
> vomslocalaccount -> good | poolaccount
> poolaccount -> good | localaccount
>
>
> Content of glexec.conf is
>
> [glexec]
> linger = no
>
> lcmaps_db_file = /opt/glite/etc/lcmaps/lcmaps-suexec.db
> lcmaps_log_file = /opt/glite/var/log/glexec_lcas_lcmaps.log
> lcmaps_debug_level = 5
> lcmaps_log_level = 5
>
> lcas_db_file = /opt/glite/etc/lcas/lcas-suexec.db
> lcas_log_file = /opt/glite/var/log/glexec_lcas_lcmaps.log
> lcas_debug_level = 0
> lcas_log_level = 1
>
> log_level = 5
> user_white_list = tomcat
> user_identity_switch_by = lcmaps
> omission_private_key_white_list = tomcat
> preserve_env_variables =
> silent_logging = no
> log_destination = syslog
>
>
> Now when I submit job from ui, I get this error
>
> glite-ce-job-submit -a -r t2ce02.physics.ox.ac.uk:8443/cream-pbs-express test.jdl
> 2010-01-11 12:43:56,086 WARN - No configuration file suitable for loading. Using built-in configuration
> 2010-01-11 12:43:59,809 FATAL - MethodName=[jobRegister] Timestamp=[Mon 11 Jan 2010 12:44:47] ErrorCode=[0] Description=[system error] FaultCause=[cannot create the job's working directory! The problem seems to be related to glexec [error = Glexec policy violation: see glexec log for more details. (ExitCode = 202)]]
>
>
> Relevant lines in /var/log/message is
>
> Jan 11 12:58:08 t2ce02 glexec[10580]: uid: (dteam174/dteam174) gid: (dteam/dteam) cmd: /opt/glite/bin/glite-cream-createsandboxdir
> Jan 11 12:58:08 t2ce02 glexec[10580]: Something is wrong with the configuration; I should not be root anymore
> Jan 11 12:58:08 t2ce02 glexec[10580]: Found key 'glexec:user_identity_switch_by' with value 'lcmaps'.
> Jan 11 12:58:08 t2ce02 glexec[10580]: gLExec has been configured to let LCMAPS do the idenitiy switch and possibly the posix_enf plugin did not run
> Jan 11 12:58:08 t2ce02 glexec[10580]: Couldn't drop privileges. Perhaps gLExec doesn't have sufficient privileges to drop.
>
>
> Any hint, Please.
>
> Regards
> Kashif
>
>
>
>
>
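An added example, not part of the thread and not LCMAPS or gLExec code: a small linter for the policy chain discussed above, checking that every plugin reached from the first rule is defined and that the chain can reach the posix_enf enforcement plugin named in the syslog message. It assumes evaluation starts at a policy's first rule and follows the `->` targets; the function names are hypothetical, the inputs are abridged from the two configurations quoted in the thread, and the result for the excerpt reflects only the lines quoted there, not the complete file.

```python
import re

def parse_lcmaps_db(text):
    """Parse the subset of lcmaps db syntax that appears in this thread."""
    plugins, policies, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if m := re.fullmatch(r"(\w+)\s*=\s*(.+)", line):
            if m.group(1) != "path":                  # 'path' is not a plugin
                plugins[m.group(1)] = m.group(2).strip('"').split()[0]
        elif m := re.fullmatch(r"(\w+):", line):      # policy header
            current = policies.setdefault(m.group(1), [])
        elif "->" in line and current is not None:    # rule: a -> b | c
            lhs, rhs = line.split("->", 1)
            current.append((lhs.strip(), [t.strip() for t in rhs.split("|")]))
        # quoted continuation lines carry plugin arguments only; skipped
    return plugins, policies

def lint_policy(plugins, rules, enforcer="lcmaps_posix_enf.mod"):
    """Walk the rule graph from the first rule and report what looks off."""
    graph = {lhs: targets for lhs, targets in rules}
    seen, todo = [], [rules[0][0]]
    while todo:
        mod = todo.pop(0)
        if mod not in seen:
            seen.append(mod)
            todo.extend(graph.get(mod, []))
    return {
        "undefined": sorted(m for m in seen if m not in plugins),
        "dead_rules": sorted(lhs for lhs in graph if lhs not in seen),
        "enforcer_reachable": any(plugins.get(m) == enforcer for m in seen),
    }

# Constructed, abridged inputs based on the two configurations in the thread.
DEFS = ('proxycheck = "lcmaps_verify_proxy.mod"\n'
        ' "-certdir /etc/grid-security/certificates"\n'
        'scasclient = "lcmaps_scas_client.mod"\n'
        ' " -resourcetype ce"\n')
POSIX = 'posix_enf = "lcmaps_posix_enf.mod"\n " -maxuid 1"\n'
CHAIN = "glexec_get_account:\nproxycheck -> scasclient\nscasclient -> posix_enf\n"
LEGACY = ("vomslocalgroup -> vomspoolaccount | poolaccount\n"
          "poolaccount -> good | localaccount\n")

def check(text, policy="glexec_get_account"):
    plugins, policies = parse_lcmaps_db(text)
    return lint_policy(plugins, policies[policy])

if __name__ == "__main__":
    print("suggested:", check(DEFS + POSIX + CHAIN))
    print("excerpt:  ", check(DEFS + CHAIN + LEGACY))
```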