Worker Node RPM Installation

The OSG Worker Node packages include basic Globus commands and utilities for your compute nodes. These are only useful if your compute nodes have external Internet access, either directly or via NAT. This is currently not a requirement for SURAgrid resources, but may be needed if you are going to support other VO's.

Prerequisites

• A Compute Element - Compute Element RPM Installation
• Mirror the OSG repo. Recommended.
• Internet access from your compute nodes. Optional. Not needed if you have a local repo accessible by the compute nodes.
• How are you going to manage CA certificates and certificate revocation lists?

Installation

Important: umask 022 - to ensure that everything is installed with proper permissions.

We refer you to the OSG Worker Node Installation Instructions. The process involves just a few steps and is pretty simple. However, you will need to replicate the process on all of your compute nodes.

To deal with scaling issues on installing and maintaining the Worker Node packages on your compute nodes, please see OSG Installation Best Practices. In particular, you will probably want to create a local repository for the OSG packages for your OS and architecture. On your webserver,

mkdir -p /var/www/html/osg/el5/osg-release/x86_64
rsync -art  --delete-after --exclude="*.i386.rpm" \
rsync://repo.grid.iu.edu/osg/3.0/el5/osg-release/x86_64/ \
/var/www/html/osg/el5/osg-release/x86_64


Replace el5 with el6 if you're running RHEL6 (or derivative). Adjust the top level web directory as necessary. Place the rsync command into a cron script that runs daily on your webserver.

CA Certificates and CRLs

Next, you will need to decide how to handle installation and updates of CA certificates and revocation lists (CRLs). CA's will periodically publish certificates that have been revoked, so your CE and its compute nodes will need to know about these.

• Install locally on every compute node. This requires full Internet access, and a Squid server is strongly recommended to cache the downloads. For this, you will install the osg-ca-certs packages and define your Squid server in http_proxy in /etc/fetch-crl3.conf (RHEL5) or /etc/fetch-crl.conf (RHEL6). You'll enable periodic updates of the CRL's with

chkconfig fetch-crl3-cron on; service fetch-crl3-cron start (RHEL5)
chkconfig fetch-crl-cron on; service fetch-crl-cron start (RHEL6)


• Install one copy in a NFS directory and symlink to it on the compute nodes. For this option install the empty-ca-certs package on the compute nodes. A symlink is created on each compute node: /etc/grid-security/certificates -> /nfs/grid-security/certificates. If your CE is running fetch-crl3 or fetch-crl and has access to write to /nfs/grid-security/certificates, you can have a cron script rsync its /etc/grid-security/certificates directory to /nfs/grid-security/certificates. Here's a sample to be stored in /etc/cron.daily/sync_certs on your CE:

#!/bin/bash
exec rsync -a --delete-after /etc/grid-security/certificates/ /nfs/grid-security/certificates