Hi Kashif,
With high probability we think that we've pinpointed the problem. In short,
gLExec didn't seem to have performed the actual in-process account switch.

From your sent lcmap{s}-suexec.db and combining it with the provided
glexec.db file we'd like to strip down the lcmaps-suexec.db for your
CREAM-CE to the one that was sent in the previous email.
This means you'll be reducing the 67 lines of lcmaps-suexec.db file down to
about 30 lines, including the commented part :-)

I stated high probability because I'm making the assumption that the
glexec.conf file did not have the line with "lcmaps_get_account_policy".
This line can be removed if you're using my previously supplied
configuration to the lcmaps-suexec.db file. The line might even be in the
way if present in my configuration.
In the old configuration file it was needed. By omitting that configuration
file it started executing the wrong LCMAPS execution policy.

Please try the configuration of the previous message and potentially remove
the line with "lcmaps_get_account_policy" from the glexec.conf file and retry.

cheers,
Oscar
Kashif Mohammad wrote:
> Hi Oscar
> Thanks for looking into it. I am attaching lcmap-suexec.db.
> Cheers
> Kashif
>
> -----Original Message-----
> From: LHC Computer Grid - Rollout [mailto:[log in to unmask]] On
> Behalf Of Oscar Koeroo
> Sent: 11 January 2010 14:13
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] Scas server for creamce
>
> Hi Kashif,
>
> We're looking into your problem for a few minutes here and try to
> understand what went wrong.
>
>
> Could you attach the complete lcmaps-suexec.db for debugging? We miss a
> bunch of lines which might influence the process.
>
>
> After that, could you change the lcmaps-suexec.db to the following:
>
> BEGINFILE
>
> # Warning: RedHat 64 bit specific default path for the modules
> path = /opt/glite/lib64/modules
>
> # Plugin definitions:
> posix_enf = "lcmaps_posix_enf.mod"
> " -maxuid 1"
> " -maxpgid 1"
> " -maxsgid 32"
>
> proxycheck = "lcmaps_verify_proxy.mod"
> "-certdir /etc/grid-security/certificates"
>
> scasclient = "lcmaps_scas_client.mod"
> " -capath /etc/grid-security/certificates"
> " -cert /etc/grid-security/tomcathostcert.pem"
> " -key /etc/grid-security/tomcathostkey.pem"
> " -endpoint https://t2scas01.physics.ox.ac.uk:8443"
> " -resourcetype ce"
> " -actiontype execute-now"
>
> glexec_get_account:
> proxycheck -> scasclient
> scasclient -> posix_enf
>
> # Commented the following:
> # glexec_get_account:
> # vomslocalgroup -> vomspoolaccount | poolaccount
> # vomspoolaccount -> good | vomslocalaccount
> # vomslocalaccount -> good | poolaccount
> # poolaccount -> good | localaccount
>
> ENDFILE
>
>
> I've also written (a to be extended) gLExec FAQ sub page which might be
> of use:
> https://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/GLExec#Debugging_hints_and_answers_to_FAQ
>
>
> May we also (please send privately! to us: [log in to unmask])
> have an inside look of the LCMAPS output? Given your configuration that
> should be quite a noticeable contribution to your logfile output.
>
>
>
> kind regards,
>
> Oscar
>
>
>
> Kashif Mohammad wrote:
>> Hi Dug
>> Yes it is already owned by tomcat
>> -rw-r--r-- 1 tomcat tomcat 2196 Dec 18 16:19 tomcathostcert.pem
>> -r-------- 1 tomcat tomcat 1891 Dec 18 16:19 tomcathostkey.pem
>>
>> Thanks
>> Kashif
>>
>> ________________________________
>>
>> From: LHC Computer Grid - Rollout [mailto:[log in to unmask]]
>> On Behalf Of Douglas McNab
>> Sent: 11 January 2010 13:20
>> To: [log in to unmask]
>> Subject: Re: [LCG-ROLLOUT] Scas server for creamce
>>
>>
>> Hi Kashif,
>>
>> Have you checked that the hostcert and key are owned by tomcat?
>> I had to copy the ones owned by root to the tomcat user.
>> Since CREAM uses the Tomcat user for identity switching.
>>
>> -rw-r--r-- 1 tomcat tomcat 2187 Dec 4 10:44 tomcathostcert.pem
>> -r-------- 1 tomcat tomcat 1863 Dec 4 10:44 tomcathostkey.pem
>> Regards,
>>
>> Dug
>>
>>
>> 2010/1/11 Kashif Mohammad <[log in to unmask]>
>>
>>
>> Hi
>> I am setting up a scas server for a creamce. Scas server was setup
>> correctly. I am sharing gridmapdir with lcg-ce. Creamce is working
>> perfectly without scas. I edited lcmap-suexec.db with
>>
>> proxycheck = "lcmaps_verify_proxy.mod"
>> "-certdir /etc/grid-security/certificates"
>>
>> scasclient = "lcmaps_scas_client.mod"
>> " -capath /etc/grid-security/certificates"
>> " -cert /etc/grid-security/tomcathostcert.pem"
>> " -key /etc/grid-security/tomcathostkey.pem"
>> " -endpoint https://t2scas01.physics.ox.ac.uk:8443"
>> " -resourcetype ce"
>> " -actiontype execute-now"
>> glexec_get_account:
>> proxycheck -> scasclient
>> scasclient -> posix_enf
>> vomslocalgroup -> vomspoolaccount | poolaccount
>> vomspoolaccount -> good | vomslocalaccount
>> vomslocalaccount -> good | poolaccount
>> poolaccount -> good | localaccount
>>
>>
>> Content of glexec.conf is
>>
>> [glexec]
>> linger = no
>>
>> lcmaps_db_file = /opt/glite/etc/lcmaps/lcmaps-suexec.db
>> lcmaps_log_file = /opt/glite/var/log/glexec_lcas_lcmaps.log
>> lcmaps_debug_level = 5
>> lcmaps_log_level = 5
>>
>> lcas_db_file = /opt/glite/etc/lcas/lcas-suexec.db
>> lcas_log_file = /opt/glite/var/log/glexec_lcas_lcmaps.log
>> lcas_debug_level = 0
>> lcas_log_level = 1
>>
>> log_level = 5
>> user_white_list = tomcat
>> user_identity_switch_by = lcmaps
>> omission_private_key_white_list = tomcat
>> preserve_env_variables =
>> silent_logging = no
>> log_destination = syslog
>>
>>
>> Now when I submit job from ui, I get this error
>>
>> glite-ce-job-submit -a -r t2ce02.physics.ox.ac.uk:8443/cream-pbs-express test.jdl
>> 2010-01-11 12:43:56,086 WARN - No configuration file suitable for loading. Using built-in configuration
>> 2010-01-11 12:43:59,809 FATAL - MethodName=[jobRegister] Timestamp=[Mon 11 Jan 2010 12:44:47] ErrorCode=[0] Description=[system error] FaultCause=[cannot create the job's working directory! The problem seems to be related to glexec [error = Glexec policy violation: see glexec log for more details. (ExitCode = 202)]]
>>
>>
>> Relevant lines in /var/log/message is
>>
>> Jan 11 12:58:08 t2ce02 glexec[10580]: uid: (dteam174/dteam174) gid: (dteam/dteam) cmd: /opt/glite/bin/glite-cream-createsandboxdir
>> Jan 11 12:58:08 t2ce02 glexec[10580]: Something is wrong with the configuration; I should not be root anymore
>> Jan 11 12:58:08 t2ce02 glexec[10580]: Found key 'glexec:user_identity_switch_by' with value 'lcmaps'.
>> Jan 11 12:58:08 t2ce02 glexec[10580]: gLExec has been configured to let LCMAPS do the idenitiy switch and possibly the posix_enf plugin did not run
>> Jan 11 12:58:08 t2ce02 glexec[10580]: Couldn't drop privileges. Perhaps gLExec doesn't have sufficient privileges to drop.
>>
>>
>> Any hint, Please.
>>
>> Regards
>> Kashif
>>
>>
>>
>>
>>
>
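
A lint for the policy section discussed in this thread, as an added example (not code from the thread or from the LCMAPS project): it parses an lcmaps-suexec.db, walks one policy from its first rule, and reports the success path, whether it ends in posix_enf, and which rules can never be reached. It assumes a rule `a -> b | c` means "run a, then b on success or c on failure", that evaluation starts at the first rule of the policy, and that posix_enf should be the last plugin on the success path. The names `parse_db`, `lint_policy` and `SAMPLE_DB` are hypothetical, and the sample text is constructed from the configuration first posted in the thread.

```python
import re
# Constructed sample: plugin names plus the policy as first posted in the thread.
SAMPLE_DB = """
posix_enf = "lcmaps_posix_enf.mod"
proxycheck = "lcmaps_verify_proxy.mod"
scasclient = "lcmaps_scas_client.mod"
glexec_get_account:
proxycheck -> scasclient
scasclient -> posix_enf
vomslocalgroup -> vomspoolaccount | poolaccount
vomspoolaccount -> good | vomslocalaccount
vomslocalaccount -> good | poolaccount
poolaccount -> good | localaccount
"""

def parse_db(text):  # -> (plugin names, {policy: [(plugin, on_success, on_failure)]})
    plugins, policies, rules = set(), {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith('"'):
            continue  # blank, comment, or continuation of a plugin argument string
        if m := re.fullmatch(r"(\w+)\s*:", line):
            rules = policies.setdefault(m.group(1), [])
        elif m := re.fullmatch(r"(\w+)\s*->\s*(\w+)(?:\s*\|\s*(\w+))?", line):
            if rules is None:
                raise ValueError(f"rule outside a policy: {line}")
            rules.append(m.groups())
        elif (m := re.match(r"(\w+)\s*=", line)) and m.group(1) != "path":
            plugins.add(m.group(1))
    return plugins, policies

def lint_policy(plugins, rules, enforcer="posix_enf"):  # assumed semantics, see lead-in
    table = {src: (ok, fail) for src, ok, fail in rules}
    path, state = [], rules[0][0]
    while state is not None and state not in path:  # follow success branches only
        path.append(state)
        state = table.get(state, (None, None))[0]
    seen, todo = set(), [rules[0][0]]
    while todo:  # everything reachable through either branch
        state = todo.pop()
        if state is not None and state not in seen:
            seen.add(state)
            todo.extend(table.get(state, ()))
    return {
        "success_path": path,
        "ends_in_enforcer": path[-1] == enforcer,
        "unreachable_rules": [src for src, _, _ in rules if src not in seen],
        "undefined_plugins": sorted(seen - plugins),
    }
```

Call `lint_policy(*parse_db(text)[:1], parse_db(text)[1]["glexec_get_account"])` on the real file contents; on the sample, the four rules appended after `scasclient -> posix_enf` are reported as unreachable.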