Adding a New Frontend

Contents

Required Preliminary Info

Required from Frontend admin:

• security_name - Agree on a name with the Frontend admin before proceeding. The security_name should contain the VO name and optionally a geographic location or abbreviated institution name if there is any chance in the future more than one frontend will serve the same VO.
• Frontend host cert DN - provided by Frontend admin
• Note, it may be useful to point new Frontend Admins to this twiki:
  http://www.t2.ucsd.edu/twiki2/bin/view/UCSDTier2/OSGgfactory

Decided by Factory admin:

• username - The UNIX username the frontend will be mapped to in the factory. By convention, start username with “fe”
• Frontend identity - The identity the frontend will be mapped to in the WMS Collector. This does not need to be the same as the UNIX username but it can be.
• vo_name - Name to be specified in the GLIDEIN_Supported_VOs list in each entry authorized for the Frontend to use. This is usually simply the VO name but is arbitrary. It must be given to the Frontend admin to complete the process.

Like security_name, if multiple frontends serve the VO it may be useful to have geographic or institutional info in the username and identity name.

Registration Procedure

Perform the following steps as root:

1. Create new user and put them in the gwms group (note: on CERN factories, prefix username and group with an _):

   /usr/sbin/useradd username

2. Add user to /etc/condor/privsep_config:

   valid-target-uids = feuser1 : feuser2 : … : username
   valid-target-gids = feuser1 : feuser2 : … : username

3. Authenticate with Condor:

   /root/glideinwms/install/glidecondor_addDN -daemon 'add comment here' "frontend_DN" identity 

   Include in the comment the Frontend name, admin name, and admin's email address. This shows up in the condor config file.
4. Reconfigure Condor:

   service condor restart

Perform the following steps as gfactory:

1. add new Frontend to glideinWMS.xml

   <frontends>
    ...
    <frontend name="security_name" comment="Contact: add list of admins and contact email addresses here" identity="identity@gfactory-1.t2.ucsd.edu">
    <security_classes>
    <security_class name="frontend" username="username"/>
    </security_classes>
    </frontend>
    ...
   </frontends> 

2. Reconfigure and restart the Factory

Notify Frontend Admin

Email the frontend admin when it is finished:

Hi admin_name,

We have finished registering your frontend to our factory. Here is the relevant info you need to complete your frontend configuration:

In your frontend security section please set:  security_name="security_name"

In factory collector section use the following: DN="/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=Services/CN=gfactory-1.t2.ucsd.edu" factory_identity="gfactory@gfactory-1.t2.ucsd.edu" my_identity="identity@gfactory-1.t2.ucsd.edu" node="gfactory-1.t2.ucsd.edu"

In the pilot proxy section please use:  security_class="frontend"

Please also add stringListMember("vo_name",GLIDEIN_Supported_VOs) to your factory query_expr.

For the next step, please let us know a single site you would like to submit to, so we can test the configuration. Ideally it is a site you also have admin rights to. Once we confirm everything is working you can either supply us a full list of desired sites or we can provide a list of sites for you to choose from that claim to support your VO, whichever you prefer.

Thanks,
your_name
OSG Glidein Factory Operations

Whitlisting Entries for Frontend

Add the vo_name to the GLIDEIN_Supported_VOs list to each entry the frontend wants to use.

NOTE We have a tool that can generate a list of sites claiming to support a given VO. Details on how to use this will be added here later.

Authors

-- JeffreyDost - 2012/09/25