On 19.11.2013 23:23, Maarten Litmaath wrote:
> Hi Ionel,
>
Hi,
We have installed a single Argus server (argus.spacescience.ro) and we
have for the moment a single CE (grid03.spacescience.ro)
In the configuration files we have for:
- users.conf : user accounts for pilot jobs are defined like this:
62101:pilops01:46010,45000:opspil,ops:ops:pilot
62102:pilops02:46010,45000:opspil,ops:ops:pilot
....
62110:pilops03:46010,45000:opspil,ops:ops:pilot
- groups.conf :
"/ops/NGI/Romania":::sgm:
"/ops/ROLE=lcgadmin":::sgm:
"/ops/ROLE=pilot":::pilot:
"/ops/*"::::
"/ops"::::
- site-info.def:
ARGUS_HOST="argus.spacescience.ro"
USE_ARGUS=yes
ARGUS_PEPD_ENDPOINTS="https://argus.spacescience.ro:8154/authz"
CREAM_PEPC_RESOURCEID=urn:RO-13-ISS:argus:resource:ce
GENERAL_PEPC_RESOURCEID=urn:RO-13-ISS:argus:resource:other
CONFIG_PAP=yes
CONFIG_PDP=yes
CONFIG_PEP=yes
PAP_ENTITY_ID="http://${ARGUS_HOST}/pap"
PAP_ADMIN_DN="/DC=RO/DC=RomanianGRID/O=ISS/CN=Ionel STAN"
PAP_POLL_INTERVAL=3600
PAP_CONSISTENCY_CHECK=false
PAP_CONSISTENCY_CHECK_REPAIR=false
PDP_ENTITY_ID="http://${ARGUS_HOST}/pdp"
PDP_RETENTION_INTERVAL=60
PEP_ENTITY_ID="http://${ARGUS_HOST}/pepd"
GLEXEC_WN_SCAS_ENABLED="no"
GLEXEC_WN_ARGUS_ENABLED="yes"
GLEXEC_WN_OPMODE="setuid"
GLEXEC_WN_LOG_DESTINATION=file
GLEXEC_WN_LOG_FILE=/var/log/glexec/glexec_log
GLEXEC_WN_INPUT_LOCK=flock
GLEXEC_WN_TARGET_LOCK=flock
After a yaim configuration on CE, WNs and Argus we have the following :
- WN:
chown: cannot access `/etc/lcas/lcas-glexec.db': No
such file or directory
chmod: cannot access `/etc/lcas/lcas-glexec.db': No
such file or directory
- Argus:
[root@argus ~]# pap-admin list-policies
default (local):
resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
obligation "http://glite.org/xacml/obligation/local-environment-map" {
}
action "http://glite.org/xacml/action/execute" {
rule permit { pfqan="/alice/Role=lcgadmin/Capability=NULL" }
rule permit { pfqan="/alice/Role=lcgadmin" }
rule permit { pfqan="/alice/Role=production/Capability=NULL" }
rule permit { pfqan="/alice/Role=production" }
rule permit { pfqan="/alice/Role=pilot/Capability=NULL" }
rule permit { pfqan="/alice/Role=pilot" }
rule permit { fqan="/alice" }
rule permit { pfqan="/alice/Role=NULL/Capability=NULL" }
rule permit { pfqan="/alice" }
rule permit { pfqan="/dteam/Role=lcgadmin/Capability=NULL" }
rule permit { pfqan="/dteam/Role=lcgadmin" }
rule permit { pfqan="/dteam/Role=production/Capability=NULL" }
rule permit { pfqan="/dteam/Role=production" }
rule permit { fqan="/dteam" }
rule permit { pfqan="/dteam/Role=NULL/Capability=NULL" }
rule permit { pfqan="/dteam" }
rule permit { pfqan="/ops/NGI/Romania/Role=NULL/Capability=NULL" }
rule permit { pfqan="/ops/NGI/Romania" }
rule permit { pfqan="/ops/Role=lcgadmin/Capability=NULL" }
rule permit { pfqan="/ops/Role=lcgadmin" }
rule permit { pfqan="/ops/Role=pilot/Capability=NULL" }
rule permit { pfqan="/ops/Role=pilot" }
rule permit { fqan="/ops" }
rule permit { pfqan="/ops/Role=NULL/Capability=NULL" }
rule permit { pfqan="/ops" }
}
}
OPS test fail:
https://nagios.grid.ici.ro/nagios/cgi-bin/extinfo.cgi?type=2&host=grid03.spacescience.ro&service=org.sam.CREAMCE-JobState-ops
Failed to create a delegation id for job
https://wms304.cern.ch:9000/yuJBZFbFcXaXgBnfIjQ1ng: reason is
CN=Alexandru Stanciu,O=ICI,DC=RomanianGRID,DC=RO not authorized for
{http://www.gridsite.org/namespaces/delegation-2}getProxyReq
https://nagios.grid.ici.ro/nagios/cgi-bin/extinfo.cgi?type=2&host=argus.spacescience.ro&service=org.sam.glexec.CE-JobSubmit-%2Fops%2FRole%3Dpilot
CRITICAL: [Waiting->Cancelled [timeout/dropped]] 'BrokerHelper: no
compatible resources'. https://wms306.cern.ch:9000/nQ96YGAnoVrC0ciFv9NehQ
CRITICAL: [Waiting->Cancelled [timeout/dropped]] 'BrokerHelper: no
compatible resources'. https://wms306.cern.ch:9000/nQ96YGAnoVrC0ciFv9NehQ
Testing from: nagios.grid.ici.ro
DN: /DC=RO/DC=RomanianGRID/O=ICI/CN=Alexandru
Stanciu/CN=proxy/CN=proxy/CN=proxy/CN=proxy
VOMS FQANs: /ops/Role=pilot/Capability=NULL,
/ops/NGI/Role=NULL/Capability=NULL,
/ops/NGI/Romania/Role=NULL/Capability=NULL, /ops/Role=NULL/Capability=NULL
glite-wms-job-status https://wms306.cern.ch:9000/nQ96YGAnoVrC0ciFv9NehQ
How can we debug further to solve this problems?
Thanks!
Ionel
>> Which is the recommended Argus server installation for a site with
>> multiple CEs?
>> Can a site have multiple Argus servers (installed and configured with
>> CREAM-CEs)
>> or only one Argus server for multiple CREAM-CEs?
>
> Just install a single Argus server for all your CEs and gLExec on the WN.
>
> Otherwise, to prevent inconsistent mappings, the various instances would
> need to share the gridmapdir (and have the same configuration).
>
> Beware the Argus server needs special care, since it is a SPOF by design!
>
|