On Tue, Aug 02, 2005 at 04:22:34PM +0100, Greig A Cowan wrote:
> Does anyone know of a method to install only the LCG security stack onto a
> machine? I ask because I would like to add a gridftp door to the pool node
> of our SRM (dCache). Other than the required dCache components, the pool
> node does not have any other LCG software installed. The node is running
> RedHat Advanced Server 2.1 so I am unsure how it would respond to a yaim
> install of the complete LCG 2.6.0 middleware. However, the gridftp door
> will only operate if all of the certificate lists etc. are installed.
Here is what I did for our RHEL4 x86_64 pools:
# wget http://grid-deployment.web.cern.ch/grid-deployment/gis/apt/LCG-2_6_0/sl3/en/i386/RPMS.lcg_sl3/edg-utils-system-1.7.0-1.noarch.rpm
# rpm -Uvh edg-utils-system-1.7.0-1.noarch.rpm
# echo "37 4,10,16,22 * * * root /opt/edg/etc/cron/edg-fetch-crl-cron >> /var/log/edg-fetch-crl-cron.log 2>&1" > /etc/cron.d/edg-fetch-crl
# chmod 755 /etc/cron.d/edg-fetch-crl
# echo "yum lcg2_CA http://grid-deployment.web.cern.ch/grid-deployment/gis/apt/LCG_CA/en/i386/RPMS.lcg/" >> /etc/sysconfig/rhn/sources
# up2date-nox -u --nosig lcg-CA
I didn't want to install the mkgridmap software so I use the following to copy whatever the admin node uses.
# cat <<'EOM' > /etc/cron.hourly/getkpwd.sh
#!/bin/bash
#Quick hack to get dcache.kpwd files from the admin node
KPWDDIR="/opt/d-cache/etc"
KPWD="$KPWDDIR/dcache.kpwd"
KPWDOLD="$KPWDDIR/dcache.kpwd-old"
KPWDTMP=`mktemp -p "$KPWDDIR" dcache.kpwd-XXXXXX`
ADMINNODE="dcacheadmin.hep.ph.ic.ac.uk"
# Bail out if mktemp failed to create the temporary file
[ -z "$KPWDTMP" -o ! -f "$KPWDTMP" ] && exit 1
ssh -o PasswordAuthentication=no -n2akxe none -i /root/.ssh/id_dsa_dcache "$ADMINNODE" 2>/dev/null | egrep -v "(edginfo|$ADMINNODE)" > "$KPWDTMP" 2>/dev/null
if [ -f "$KPWDTMP" -a -s "$KPWDTMP" ]; then
# Need to check that the file is sane
/bin/mv -f "$KPWD" "$KPWDOLD"
/bin/mv -f "$KPWDTMP" "$KPWD"
else
# Failed
/bin/rm -f "$KPWDTMP"
fi
EOM
And on the admin server....
# cat .ssh/authorized_keys
from="apool.hep.ph.ic.ac.uk,anotherpool.hep.ph.ic.ac.uk",command="/bin/cat /opt/d-cache/etc/dcache.kpwd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss ............
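The cron script above leaves its "Need to check that the file is sane" step empty. The following is an added example (not from this thread) of a check-and-swap routine that fills it in; it assumes, as an assumption not stated in the posting, that a kpwd file carries a `version` header line and that its top-level entries begin with version, mapping, login or passwd, with indented lines being continuation lines.

```shell
#!/bin/bash
# Added example: sanity-check a fetched kpwd candidate before it replaces the
# live dcache.kpwd, filling the empty "check that the file is sane" step.
# Assumption (not stated in the thread): top-level kpwd entries begin with one
# of these keywords; indented lines are continuation lines (e.g. DNs).
KPWD_KEYWORDS='version|mapping|login|passwd'

# kpwd_is_sane FILE -> 0 if FILE looks like a usable kpwd file, 1 otherwise
kpwd_is_sane() {
    local f="$1"
    [ -f "$f" ] && [ -s "$f" ] || return 1    # a failed ssh leaves it empty
    # no control or binary bytes: a truncated or garbled transfer
    [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c)" -eq 0 ] || return 1
    # a version header must be present
    grep -q '^version[[:space:]]' "$f" || return 1
    # every non-blank, non-comment, non-indented line must start with a keyword
    grep -v '^[[:space:]]*$' "$f" | grep -v '^[[:space:]#]' \
        | grep -Ev "^($KPWD_KEYWORDS)([[:space:]]|$)" | grep -q . && return 1
    return 0
}

# kpwd_install CANDIDATE TARGET -> promote CANDIDATE to TARGET, keeping the old
# TARGET as TARGET-old; a candidate that fails the check is deleted and TARGET
# is left untouched. Both paths must sit on one filesystem (as with
# mktemp -p "$KPWDDIR" above) so that mv is an atomic rename.
kpwd_install() {
    local cand="$1" target="$2"
    if ! kpwd_is_sane "$cand"; then
        rm -f "$cand"
        return 1
    fi
    [ -f "$target" ] && mv -f "$target" "$target-old"
    mv -f "$cand" "$target"
}
```

In getkpwd.sh the two mv lines would become `kpwd_install "$KPWDTMP" "$KPWD"`, so a broken fetch never replaces a working dcache.kpwd.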