GRID storage access tools installation

Several sections in this page are deprecated or obsolete. In particular, users are advised to avoid SRM clients and globus client software and instead look into using the gfal client library and command line tools. SURF provides good documentation on usage of grid storage client software.

This page describes the procedure to set up the tools for working directly on the srm storage. You may want to consider using the staging and download services provided by Astron if you just want to retrieve data from the archive: http://www.lofar.org/wiki/doku.php?id=public:lta_howto.The following documentation was developed for the installation of a GRID tools and certificates on an Ubuntu 12.04 system using a bash shell (using .bashrc as a configuration script). We have not tested the installation using csh derivatives but it is to be expected that not all scripts will work. Thanks to Martin van den Akker for providing notes of his installation procedure.

Sites that provide packages and further information on installation of grid middleware on linux based systems:

• Software repository of the European Grid Infrastructure

NB We have tested the installation as described below only on Ubuntu 12 and CentOS 7. Please let us know if you have feedback or if you can contribute instructions on installations in different environments. You might also first need to obtain a GRID certificate.

Note: all installations require root permissions.

The file transfer tools from the Globus package are needed, most importantly globus-url-copy:

Ubuntu

sudo apt-get install globus-gass-copy-progs

CentOS

sudo yum install globus-gass-copy-progs

The VOMS tools for logging in and user account management:

Ubuntu

sudo apt-get install voms-clients

CentOS

sudo yum install voms-clients-cpp

Execute the following commands to install the certificates from the site of the European Grid Infrastructure (EGI) (root permissions are required).

Ubuntu

Note 2021-05-19: newer versions of Ubuntu require to first add the appropriate GPG key for the EGI repository:

wget -q -O - https://dist.eugridpma.info/distribution/igtf/current/GPG-KEY-EUGridPMA-RPM-3 | sudo apt-key add -

sudo add-apt-repository 'deb http://repository.egi.eu/sw/production/cas/1/current egi-igtf core'
sudo apt-get update
sudo apt-get install ca-policy-egi-core

CentOS

wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo
sudo mv EGI-trustanchors.repo /etc/yum.repos.d/
sudo yum install ca-policy-egi-core

The SRM tools are needed to communicate with the storage management system.

1. Download srmtools
   • srmclient-2.6.28.tar.gz (Java7, Java8)
   • srmclient-2.2.25.tar.gz (Java6)
2. Extract and install the srmtools, e.g. in /opt/
   This will create a subdirectory, e.g. srmclient-2.6.28, containing the required files.
   Note that the srm package may be installed anywhere (e.g. in your home directory).
3. Set the relevant environment path variables, e.g. in .bashrc (modify version number if applicable):
   export SRM_PATH=<Install Directory>/srmclient-2.6.28/usr/share/srm
export PATH=<Install Directory>/srmclient-2.6.28/usr/bin:$PATH

NB The srm client tools depend on JAVA. There is a known issue with openjava version 7. If you have this version of JAVA installed, or otherwise get JAVA exceptions when running an srm command, please install another JAVA VM. Java-7-oracle is known to work. It is possible to have multiple JAVA VM installations and it is thus not required to replace an existing installation: if the default VM installation does not work with srm, another VM may be configured to be used by setting the following environment parameter:

export JAVA_HOME=/usr/lib/jvm/java-7-oracle/jre

The JAVA VM used by default in Ubuntu and CentOS can be selected using the following command:

sudo update-alternatives --config java

The fetch-crl tool retrieves Certificate Revocation Lists.

Ubuntu

sudo apt-get install fetch-crl

CentOS

sudo yum install fetch-crl

NB This is not required unless you intend to allow others to access your system by providing their grid certificate.

Add the following string for the LOFAR Virtual Organization (VO) to the vomses file (any filename is fine).

"lofar" "voms.grid.sara.nl" "30019" "/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl" "lofar"

You can find this string also on the following website https://voms.grid.sara.nl:8443/voms/lofar/configuration/configuration.action in the text block under VOMSES string for this VO
The vomses file should be placed in one of the following default locations: /etc/vomses, $HOME/.voms/vomses, $HOME/.glite/vomses

Put the following strings:

/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl
/C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth

in the file (root permissions required):

/etc/grid-security/vomsdir/lofar/voms.grid.sara.nl.lsc

NB If this step is skipped or nor configured correctly voms-proxy-init will work but finish with warnings.

You may want to provide the following settings in .bashrc or another initialisation/startup script if the relevant files are not in the default locations (defaults provided below).

export X509_USER_CERT=$HOME/.globus/usercert.pem
export X509_USER_KEY=$HOME/.globus/userkey.pem
export X509_CERT_DIR=/etc/grid-security/certificates
export X509_VOMS_DIR=/etc/grid-security/vomsdir
export X509_USER_PROXY=$HOME/.proxy
export VOMS_USERCONF=$HOME/.glite

Note: For (t)csh, use *.csh init scripts and 'setenv <key> <value>' instead of 'export <key>=<value>'.

You may want to create a cron job to automatically retrieve certificate revocation lists (CRLs) by invoking the fetch-crl tool at regular intervals (at least once a year).

This creates a proxy (valid for 48 hours, increase if needed) in your home directory:

voms-proxy-init -valid 48:00 -voms lofar:/lofar/user -out ~/.proxy

You can test that everything works by copying this file from surfsara to your working directory:

srmcp -server_mode=passive srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/lofar/ops/fifotest/file1M file://`pwd`/file1M

If your firewall allows incoming connections to non-standard ports, you can try this command without the server_mode option which will enable utilization of multiple streams to increase performance.

If you have the gridftp client software installed and in your path, it provides superior performance as compared to the native JAVA gridftp client that is provided by srmcp. In order to utilize this, download lta-url-copy.sh.gz, unzip it and use the command:

srmcp -use_urlcopy_script=true -urlcopy=./lta-url-copy.sh -server_mode=passive srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/lofar/ops/fifotest/file1M file://`pwd`/file1M

Note: You may have to force the use of TLS, (export GLOBUS_GSSAPI_FORCE_TLS=1 or in /etc/grid-security/gsi.conf set FORCE_TLS=true) to make this work.