Install and Configure condor_annex
About this Document
condor_annex is a Perl-based script that utilizes the Amazon Web Services (AWS) command-line interface (CLI) and other AWS services to orchestrate the delivery of HTCondor execute nodes to an HTCondor pool. This document describes how to install, configure, and run condor_annex successfully from your own local HTCondor pool.
This document follows the general Open Science Grid (OSG) documentation conventions:
- A User Command Line is illustrated by a green box that displays a prompt:
[user@client ~]$
- A Root Command Line is illustrated by a red box that displays the root prompt:
[root@client ~]$
- Lines in a file are illustrated by a yellow box that displays the desired lines in a file:
priorities=1
Definitions
Hostnames:
- SUBMIT is the hostname of the HTCondor submit node, where users submit their jobs to your local pool.
- CENTRAL_MANAGER is the hostname of the HTCondor central manager of your local pool, which collects and matches job and machine class ads.
- EXECUTE is the hostname of an HTCondor execute node in your local pool.
- ANNEX is the hostname (or IP address) of an AWS-based instance configured as a condor_annex execute node.
Usernames:
- BOSCO_USER is the username of the user on the BOSCO_HOST that has access to the BOSCO resource's local batch queue; e.g., cmsbosco
- FACTORY_ADMIN_USER is the username of the user on the FACTORY_HOST used for all non-root administrative tasks; e.g., gfactory
- FACTORY_VO_USER is the username of the user on the FACTORY_HOST from which glideins are submitted to the BOSCO_HOST; e.g., fecmsglobal
- FRONTEND_USER is the username of the user on the FRONTEND_HOST that submits requests for glideins to the FACTORY_HOST; e.g., frontend
Requirements
- An HTCondor pool
- An Amazon Web Services Account
Install and Configure an HTCondor Pool
If you do not already have your own HTCondor pool, you may want to start by installing a personal HTCondor pool to experiment with condor_annex. Please consult the HTCondor Manual and/or Wiki for more information:
Obtain an Amazon Web Services Account
In order to use condor_annex, you must already have an AWS account. You may establish an AWS account under the UC-wide agreement by following the instructions provided by Blink:
Obtain Your AWS Account Credentials
condor_annex issues programmatic requests to AWS services via the AWS command-line interface (CLI). In order to issue these requests, the AWS CLI must sign them using your AWS account credentials. These credentials consist of an Access Key ID and a Secret Access Key. If you do not have these access keys, you may create them using the AWS Management Console. AWS recommends that you use Identity and Access Management (IAM) access keys instead of your root account access keys.
To create access keys, you must have permissions to perform the required IAM actions.
- Open the IAM console.
- In the navigation pane, choose Users.
- If you do not already have an IAM username, then select Create New Users. Each new user is issued Security Credentials when their IAM username is created.
- If you already have an IAM username, then choose your IAM username (not the check box).
- Next, select the Security Credentials tab and then choose Create Access Key.
- To see your access key, choose Show User Security Credentials. Your credentials will look something like this:
  - Access Key ID: AKIAIOSFODNN7EXAMPLE
  - Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
- Choose Download Credentials, and store the keys in a secure location. Your secret key will no longer be available through the AWS Management Console; you will have the only copy. Keep it confidential in order to protect your account, and never email it. Do not share it outside your organization, even if an inquiry appears to come from AWS or Amazon.com. No one who legitimately represents Amazon will ever ask you for your secret key.
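The storage advice above can be checked on the submit node. The following is an added example, not part of the original page or of condor_annex; it assumes the keys are kept in the AWS CLI shared credentials file format, the function names are hypothetical, and the account number and sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): checks on stored AWS access keys.
# Assumption: keys are kept in the AWS CLI shared credentials file format.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds only if the file is a regular file, not a symlink, and its mode
# grants nothing to group or other (for example 600 or 400).
creds_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(file_mode "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Classify the ARN printed by:
#   aws sts get-caller-identity --query Arn --output text
# "root" means the configured keys are root account keys, not IAM keys.
classify_caller_arn() {
    case "$1" in
        arn:aws:iam::*:root)           echo root ;;
        arn:aws:iam::*:user/*)         echo iam-user ;;
        arn:aws:sts::*:assumed-role/*) echo assumed-role ;;
        *)                             echo unknown ;;
    esac
}

# List files under a directory that contain something shaped like an
# access key ID (AKIA + 16 upper-case letters or digits), such as submit
# files, scripts or notes into which a key was pasted.
find_stray_key_ids() {
    grep -rlE 'AKIA[0-9A-Z]{16}' "$1" 2>/dev/null | sort
}

# Demo on constructed files (the key ID is the AWS documentation example).
demo=$(mktemp -d)
printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$demo/credentials"
printf 'environment = "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"\n' > "$demo/job.sub"
chmod 644 "$demo/credentials"
creds_file_is_private "$demo/credentials" || echo "credentials: too permissive"
chmod 600 "$demo/credentials"
creds_file_is_private "$demo/credentials" && echo "credentials: private"
classify_caller_arn "arn:aws:iam::123456789012:root"
find_stray_key_ids "$demo"
rm -rf "$demo"
```

On a real submit node, point `creds_file_is_private` at `~/.aws/credentials` and `find_stray_key_ids` at the directory that holds your job submit files.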
If you need more information about AWS Security Credentials, please consult the AWS documentation at:
Select an Amazon Region for Your Annex
Generate an Amazon EC2 Key Pair
Create a condor_annex-compatible Amazon Machine Image (AMI)
Configure Your HTCondor Pool to Use Password Authentication
Install and Configure the AWS CLI on the HTCondor Submit Node
Install and Configure condor_annex on the HTCondor Submit Node
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
- Log in to the FRONTEND_HOST via ssh as the FRONTEND_USER. NOTE: It is important to log in with -A; this assumes you already have your personal public key access to the BOSCO_HOST. The bosco_cluster --add command will use this login to copy the bosco credentials over to the node.
[user@client ~]$ ssh -A FRONTEND_USER@FRONTEND_HOST
- Download the BOSCO installer tarball in the FRONTEND_USER home directory.
[FRONTEND_USER@FRONTEND_HOST ~]$ wget ftp://ftp.cs.wisc.edu/condor/bosco/1.2/boscoinstaller.tar.gz
- Unzip and untar the BOSCO installer in the FRONTEND_USER home directory.
[FRONTEND_USER@FRONTEND_HOST ~]$ tar -xzf boscoinstaller.tar.gz
- Run the boscoinstaller script to install BOSCO on the FRONTEND_HOST.
[FRONTEND_USER@FRONTEND_HOST ~]$ python boscoinstaller
- Generate a passwordless RSA key: press Enter twice, without typing a password, when prompted for one. Note that it is important to name the key bosco_key.rsa:
[FRONTEND_USER@FRONTEND_HOST ~]$ ssh-keygen -t rsa -f ~/.ssh/bosco_key.rsa
--
MartinKandes - 2016/11/01