This wiki is obsolete, see the NorduGrid web pages for up to date information.

Ldap migration

From NorduGrid

LDAP migration from ARC 0.6 to ARC 0.8

This page describes the differences between the old and new information systems in detail. It may be of use if you are debugging your installation. Most likely, though, your nordugrid-arc-server installation will pull in the appropriate dependencies and start services that work out of the box, unless a security configuration (SELinux / AppArmor) stops them. You may encounter this with the new information system even if you did not before, because we now use the system-provided OpenLDAP, which may ship with restrictive security profiles.

Background

Previous versions of ARC (v0.6x and earlier) used an information system based upon a very old version of a patched LDAP server which was distributed as part of the Globus packages. The local information system used the "GRIS" backend of Globus-LDAP while the index services relied on the "GIIS" backend of Globus-LDAP. Both of these backends were developed by Globus.

With the 0.8 release the LDAP-based information system of ARC was reimplemented to use a native LDAP server. For the local information server a solution based upon the BDII LDAP backend was developed, while for the information index server a new shell-based LDAP backend was written (add ref to technical description of the system).

As an extra feature, the new local information server can publish its content in GLUE 1.2 schema as well (in addition to the NorduGrid schema).

The migration to a native LDAP server based solution affects only internal components of ARC; no changes to the interfaces were introduced.

New dependencies: glite BDII and native LDAP

The local information server of the ARC 0.8 release has moved to using gLite BDIIv4 and the native system OpenLDAP instead of Globus MDS GRIS and the OpenLDAP provided by Globus. In practice this means that you need to install the gLite BDII package together with a distribution-provided native LDAP server (specify version requirement).

The gLite BDIIv4 (technical document) consists of a set of Perl scripts that populate the LDAP database with the information the local LDAP information server will serve. It does this by running a set of providers that mine data from the system. BDIIv4 runs two LDAP servers alternately: while one is being populated, the other serves requests. Once the new data has been loaded, BDII uses its port-forwarding service to direct requests to the LDAP server holding the new data, while the old one is repopulated.

To deploy the 0.8 ARC release you must fetch and install a BDIIv4 package. NorduGrid provides its own version of the BDIIv4 package, bdii-ng. The nordugrid version comes with several improvements over the original gLite BDII (the original BDII package in the gLite repository). We recommend using the nordugrid version of BDII. Source and binary packages of the nordugrid BDII are available from the usual nordugrid download area and via the nordugrid repositories.

nordugrid BDII package in the download area: http://download.nordugrid.org/software/bdii/

Since we are using the native OpenLDAP but setting things up ourselves, we do not need OpenLDAP to start as a stand-alone service. On Debian and Ubuntu, for example, where services are configured to start at boot by default, you can set SLAPD_NO_START=1 in /etc/default/slapd, unless the host is running slapd for anything other than ARC. This stops an unnecessary service from running.

Obsoleted dependencies: Globus LDAP/MDS packages

With the 0.8 release there is no need for Globus MDS and Globus-LDAP packages any longer!

However, there are two minor bits from Globus MDS that have been kept and integrated into the ARC codebase (no need to install any Globus packages for them):

  • grid-info-soft-register: The information registration script has been modified and incorporated into ARC code base.
  • Globus MDS schema bits: The part of the Globus MDS LDAP schema that is mostly related to registrations has been updated to be a proper LDAP schema and moved into the NorduGrid LDAP namespace/schema.

New ports

The new local information server uses two additional ports, 2136 and 2137. Make sure that iptables allows these in addition to the standard 2135 LDAP infosys port.

LDAP optimizations

If you run into performance issues (very unlikely), you might want to try turning on some non-portable LDAP optimizations; stubs for these are available, but commented out, in the code/config files.

  • grid-info-soft-register tuning: In case you encounter many stale connections you can modify the "grid-info-soft-register" script and set:
 # set default network timeout to 30 seconds
 DEFAULT_NETWORK_TIMEOUT="-o nettimeout=30"

This requires your OpenLDAP to be newer than 2.3.x (the version in RHEL5 is known not to work with this setting).

  • BDII tuning: if you want to speed up your LDAP server you can adjust logging by doing one of the two options below, depending on which version of BDB you have.

a) If you are using BDB < 4.3 set this flag in /opt/bdii/etc/DB_CONFIG:

 set_flags DB_TXN_NOT_DURABLE

b) If you are using BDB >= 4.3 (true on CentOS5) set these flags in /opt/bdii/etc/DB_CONFIG:

 set_flags DB_LOG_INMEMORY
 set_lg_bsize            20485760

SELinux, Apparmor & LDAP

Since we now use the native system LDAP, we need to be wary of SELinux (for example on CentOS) and AppArmor (for example on Ubuntu). If the LDAP server does not start, first check your system logs in /var/log to see whether this is the cause. The OpenLDAP server needs access to /opt/bdii, /var/run/nordugrid, /var/run/bdii and /var/tmp/bdii, and it must be allowed to use ports 2135, 2136 and 2137.

 The easiest solution for apparmor is to remove /etc/apparmor.d/usr.sbin.slapd
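Before loosening a profile, it helps to know exactly which path or port the security module refused. The following Python script is an added example (it is not part of this wiki page or of ARC): it scans syslog/audit lines for SELinux AVC and AppArmor denials attributed to slapd and maps each denied path or port to the list of resources given above, so you can grant precisely what is missing. The log lines are constructed samples, not output captured from a real host; their layout follows the general shape of AVC and AppArmor audit messages.

```python
import re
from os.path import basename

# Resources the page says the OpenLDAP server must reach under ARC 0.8 / BDII.
REQUIRED_PATHS = ("/opt/bdii", "/var/run/nordugrid", "/var/run/bdii", "/var/tmp/bdii")
REQUIRED_PORTS = (2135, 2136, 2137)

# Constructed sample syslog lines (not captured from a real host). The shapes
# follow SELinux AVC messages and AppArmor kernel audit messages.
SAMPLE_LOG = """\
Mar  3 10:01:12 ce1 kernel: type=1400 audit(1236074472.101:55): avc:  denied  { name_bind } for  pid=4321 comm="slapd" src=2136 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Mar  3 10:01:12 ce1 kernel: type=1400 audit(1236074472.230:56): avc:  denied  { search } for  pid=4321 comm="slapd" name="bdii" dev=sda1 ino=99 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Mar  3 10:01:13 ce1 kernel: [  180.220] type=1503 audit(1236074473.011:57): operation="inode_permission" requested_mask="::rw" denied_mask="::rw" fsuid=0 name="/var/run/bdii/bdii-slapd.pid" pid=4322 profile="/usr/sbin/slapd"
Mar  3 10:01:13 ce1 kernel: [  180.310] type=1503 audit(1236074473.120:58): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=0 name="/tmp/scratch.ldif" pid=4322 profile="/usr/sbin/slapd"
Mar  3 10:01:14 ce1 kernel: type=1400 audit(1236074474.500:59): avc:  denied  { read } for  pid=700 comm="httpd" name="index.html" dev=sda1 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Mar  3 10:01:15 ce1 slapd[4321]: bdb_db_open: Cannot access database directory /opt/bdii/var/db (13)
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key=value or key="value"
SELINUX_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]*)\}')  # avc:  denied  { perms }
APPARMOR_RE = re.compile(r'apparmor="DENIED"|denied_mask=')


def parse_audit_line(line):
    """Return (lsm, denied_perms, fields) for a denial line, or None otherwise."""
    m = SELINUX_RE.search(line)
    if m:
        lsm, perms = "selinux", m.group(1).split()
    elif APPARMOR_RE.search(line):
        lsm, perms = "apparmor", []
    else:
        return None
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    if lsm == "apparmor":
        # AppArmor encodes the refused access as a mask such as "::rw".
        perms = list(fields.get("denied_mask", "").strip(":"))
    return lsm, perms, fields


def denied_resource(fields):
    """Pick out what was refused: a TCP/UDP port or a filesystem name."""
    if fields.get("tclass", "").endswith("_socket") and fields.get("src", "").isdigit():
        return "port", int(fields["src"])
    if "name" in fields:
        return "path", fields["name"]
    return None


def needed_by_arc(kind, value):
    """Is the refused resource one the ARC 0.8 infosys actually requires?"""
    if kind == "port":
        return value in REQUIRED_PORTS
    if value.startswith("/"):
        return any(value == p or value.startswith(p + "/") for p in REQUIRED_PATHS)
    # SELinux logs only the last path component, so fall back to a basename match.
    return any(value == basename(p) for p in REQUIRED_PATHS)


def scan_denials(log_text):
    """Collect denials against slapd, flagging those that ARC's requirements explain."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        lsm, perms, fields = parsed
        if not (fields.get("comm") == "slapd" or "slapd" in fields.get("profile", "")):
            continue
        res = denied_resource(fields)
        if res is None:
            continue
        kind, value = res
        findings.append({
            "lsm": lsm,
            "pid": int(fields.get("pid", 0)),
            "kind": kind,
            "value": value,
            "perms": perms,
            "arc_needs_it": needed_by_arc(kind, value),
        })
    return findings


if __name__ == "__main__":
    for f in scan_denials(SAMPLE_LOG):
        tag = "grant" if f["arc_needs_it"] else "investigate"
        print("%-8s pid=%-5d %s %s %s -> %s" % (f["lsm"], f["pid"], f["kind"], f["value"], f["perms"], tag))
```

Run it against `grep -h audit /var/log/messages /var/log/kern.log` output instead of the sample text. Denials marked "grant" correspond to the paths and ports listed above and are safe to add to the slapd policy; a denial marked "investigate" is not explained by ARC's requirements and deserves a look before the policy is widened, which is why extending the profile is preferable to deleting it outright.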

Configuration in arc.conf

The existing arc.conf file (with respect to information system components) is fully compatible with the new system. An arc.conf from a 0.6.x installation should work out-of-the-box in a 0.8 deployment as well.

If you use a version of BDII other than bdii-ng, for example the gLite-supplied BDII v4, you will need to set bdii_cmd and bdii_update_cmd. For example, if you use the standard gLite BDII:

 bdii_cmd=/etc/init.d/bdii
 bdii_update_cmd=/opt/bdii/sbin/bdii-update

A couple of new configuration parameters have been introduced as part of the LDAP migration. These parameters configure the BDII LDAP backend. All of them come with decent defaults; normally there is no need to change them.

The new local infoserver comes with a new feature: it can publish its content in the GLUE 1.2 schema in addition to the NorduGrid schema. This feature is optional and can be turned on by setting the following variables in arc.conf:

 infosys_nordugrid=enable
 infosys_glue12=enable 

If you do not set them, you get the default behaviour, which is identical to 0.6, i.e. the same as nordugrid=enable and glue=disable. If GLUE is turned on, it is added under "mds-vo-name=glue12,o=grid".

If you enable glue12, then you need to add a new section called [infosys/glue12] with these three variables (adjust to your geographical location):

 [infosys/glue12]
 resource_location="myplace"
 resource_latitude="6.31"
 resource_longitude="44.23"

The BDII LDAP backend can be fully configured from arc.conf; this however should not be necessary. More information can be found in the arc.conf documentation [1].
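A slip in the glue12 block (a missing quote, a missing coordinate) is easy to make and only surfaces when the infoserver starts. The Python checker below is an added example, not part of this wiki page or of ARC: it parses the [section] / key=value subset of arc.conf shown above, reports unbalanced double quotes, and, when infosys_glue12=enable is set, verifies that [infosys/glue12] carries resource_location, resource_latitude and resource_longitude with numeric coordinates in range. The two sample configurations are constructed. Which section the infosys_* switches belong in is my assumption, so the check accepts them in any section.

```python
import re

SECTION_RE = re.compile(r'^\[([^\]]+)\]\s*$')
KV_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')

# Constructed sample: the glue12 fragment from this page, complete and well formed.
GOOD_CONF = """\
[infosys]
infosys_nordugrid=enable
infosys_glue12=enable

[infosys/glue12]
resource_location="myplace"
resource_latitude="6.31"
resource_longitude="44.23"
"""

# Constructed sample with two typical slips: an unterminated quote and a missing coordinate.
BAD_CONF = """\
[infosys]
infosys_glue12=enable

[infosys/glue12]
resource_location="myplace"
resource_latitude="6.31
"""


def parse_arc_conf(text):
    """Parse [section] headers and key=value lines; values may be double-quoted.

    Returns (sections, problems): a dict of section -> {key: value} and a list
    of syntax problems found on the way (the parse continues past them).
    """
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if not m or current is None:
            problems.append("line %d: not a [section] header or key=value: %r" % (lineno, line))
            continue
        key, value = m.group(1), m.group(2).strip()
        if value.startswith('"'):
            if len(value) >= 2 and value.endswith('"'):
                value = value[1:-1]
            else:
                problems.append("line %d: unterminated quote in value of %s" % (lineno, key))
                value = value[1:]
        current[key] = value
    return sections, problems


def check_glue12(sections, problems=None):
    """Verify the [infosys/glue12] prerequisites when GLUE 1.2 publishing is enabled."""
    problems = list(problems or [])
    enabled = any(sec.get("infosys_glue12") == "enable" for sec in sections.values())
    if not enabled:
        return problems
    glue = sections.get("infosys/glue12")
    if glue is None:
        problems.append("infosys_glue12=enable but no [infosys/glue12] section")
        return problems
    for key, lo, hi in (("resource_latitude", -90.0, 90.0),
                        ("resource_longitude", -180.0, 180.0)):
        val = glue.get(key)
        if val is None:
            problems.append("[infosys/glue12] is missing %s" % key)
            continue
        try:
            num = float(val)
        except ValueError:
            problems.append("[infosys/glue12] %s=%r is not a number" % (key, val))
            continue
        if not lo <= num <= hi:
            problems.append("[infosys/glue12] %s=%s outside [%s, %s]" % (key, val, lo, hi))
    if not glue.get("resource_location"):
        problems.append("[infosys/glue12] is missing resource_location")
    return problems


def validate(text):
    """Parse and check an arc.conf text; an empty list means no problems found."""
    sections, problems = parse_arc_conf(text)
    return check_glue12(sections, problems)


if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(name, "->", validate(conf) or "OK")
```

To check a real file, call `validate(open("/etc/arc.conf").read())`; the parser deliberately handles only the subset of arc.conf syntax used in the fragments above, so treat a "not a [section] header or key=value" report on an unusual line as something to look at rather than as a definite error.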

There is no change in the way how information index services and registrations are configured.

Migrating an 0.6 installation

Important: The new native-LDAP based infosystem is a complete replacement of the old/previous system. We do not recommend deploying the two systems simultaneously on the same box.

In order to migrate from a Globus-MDS based 0.6 ARC system to a native LDAP-based 0.8 ARC system the following steps are necessary:

  • check your firewall settings (iptables, hosts.allow etc) so that the two additional ports 2136 and 2137 are allowed from localhost
  • check that SELinux allows the startup and running of the LDAP server
  • check that Apparmor allows the startup and running of the LDAP server (/etc/init.d/apparmor status shows misleading information, profiles may be loaded even if status says otherwise).
  • stop the information system (grid-infosys stop)
  • deploy the external dependencies required for building and installing ARC 0.8rc1. The critical dependencies for the infosystem are the gLite BDII and the native LDAP packages.
  • make sure non-portable LDAP optimizations are turned off
  • install ARC 0.8 from a binary repository or build and install ARC v0.8 from the source bundle following these instructions. The default configure will build and install all the necessary components needed for the native-LDAP based infosystem (both for the infoserver and infoindex)
  • the existing arc.conf configuration should work out of the box. However, you may optimize your arc.conf by using non-default values for LDAP parameters (see here)
  • you may remove all the obsoleted Globus-MDS and Globus-LDAP packages
  • start up the infosys (grid-infosys start). The same startup script will launch the infoserver and the infoindex, depending on your arc.conf configuration.

The above instructions apply to both ordinary resources (e.g. clusters) and to Information Indexing services.