Virtual Laboratory for e-Science
HOWTO: Start using the grid, a quickstart tutorial

by Silvia D. Olabarriaga (silvia@science.uva.nl) and Dennis H. van Dok (dennisvd@nikhef.nl)

Last Update: $Date: 2009-01-30 10:00:56 $

Introduction

This HOWTO document outlines the necessary steps to get access to the grid resources offered by the VL-e Proof-Of-Concept environment. Although it is somewhat tailored for vlemed, it is generally applicable to all wannabe grid users. Please help us keep this guide useful by sending your comments, corrections, updates, etc., to the P4 mailing list ( vle-pfour-team@lists.vl-e.nl ).

If you need more information on which resources are actually available within VL-e, consult the VL-e Resource Guide.

This is a step-by-step guide to get pole position on the grid. You can follow this guide blindly, which will be the fastest way to get started. If you get confused and/or need more details, you can always select "Show more info" to get in-depth background information, explanations, and references to relevant websites.

See? This text just became visible because you selected the above link. If you didn't see the link and didn't do anything to see this text, that's ok too - it just means that javascript is disabled in your browser and all the extra information is visible by default.

If javascript works, the link functions as a toggle. The purpose of all this is merely to keep the view from becoming cluttered by a lot of complex and potentially confusing information. So maybe you'd be better off without reading all the extras, in case you become even more befuddled!

See also The PoC website.

NOTE: some of the steps can take a few days, since they require manual processing.

The steps outlined below should be followed in linear order, except steps 2a, 2b, and 2c, which can be done in parallel.

  1. Obtain a grid certificate
  2. These three can be done in parallel:
    a. Get an SRB account
    b. Register with the VleMed organisation
    c. Get an account at the SARA User interface
  3. Configure account at the UI
  4. Run your first job on the grid.
  5. Where to go from here.

Step 1: Obtain a grid certificate

A grid certificate is a "passport" for using grid resources.

Are you sure you want to be reading this paragraph? I explained in the previous "extra info" block that it may do more harm than good. So unless you absolutely, definitely, really need to know everything about grid certificates you should probably skip this section.

A grid certificate is a personal electronic document that testifies your true identity, much like a passport. Let's see how they compare.

  • A passport is created for you and signed by the government. A grid certificate is created by yourself, but signed by the Certificate Authority (CA).
  • A passport has your photograph in it so people can check that you are the passport holder. A grid certificate has a private counterpart that is a cryptographic match for the public information.
  • A passport is a single document. A certificate consists of two parts:
    • a private part (file userkey.pem), that you should keep private at all times, and
    • a public part (file usercert.pem), that anyone can see and which has your name written on it.
  • You keep your passport safe at all times; the same goes for the private part of a certificate.
  • It is hard to counterfeit a passport. It is easy to create a false certificate, but very hard to falsify the CA signature.
  • A passport has a limited validity of several years. A grid certificate has no such limit, but the CA signature has a limited validity of about one year.

Before the CA can sign your certificate, your true identity has to be checked. That means that you will have to

  • fill out a paper form with your personal information
  • personally meet with a Registration Authority (RA) subsidiary to the CA and show a copy of your passport or driver's license. This will be a person from (or near to) your institution. The RA will sign the form
  • Mail or fax the form and the copy of your ID to the CA.

Identity checking and signing is done with mathematical sorcery called public key cryptography. The gist of it is that someone holding the public key of your certificate can challenge you to prove your identity by asking a question that only the holder of the private key is able to answer. To prevent identity theft, you should never hand over your private key to anyone, not even to the CA.

Digital signing is the other way around: your certificate is signed with the CA's private key. The CA's public key can be used to 'decrypt' the signature to verify that

  1. the signature matches your certificate and
  2. the signature was made by the CA.

Since the CA's certificate is publicly available, anyone can check the validity of your certificate.
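
The two checks described above can be tried out with openssl and a throwaway CA. This is an added example, not part of the original guide or of the DutchGrid procedure; the function names, the directory layout and the "example-grid" subject names are made up for the illustration.

```shell
#!/bin/sh
# Added illustration with a throwaway toy CA; all names are constructed.
# Keys are left unencrypted (-nodes) only because they are deleted at once.

# make_ca DIR NAME: create a self-signed toy CA (NAME.key, NAME.pem) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=example-grid/CN=Toy CA" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA USER: the user makes a key and a request; only the
# request (never the key) goes to the CA, which signs it with its private key.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=example-grid/O=users/CN=Example User" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/$3.csr" \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.pem" 2>/dev/null
}

# verify_cert CAFILE CERT: succeeds only if CERT carries a signature that
# checks out against the public key in CAFILE.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: the private key is the cryptographic match for
# the certificate when both yield the same public key.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# run_demo: a certificate signed by "ca" is checked against "ca" and against
# "lookalike", a second CA with the same name but a different key.
run_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca && make_ca "$d" lookalike && issue_cert "$d" ca user || return 1
    verify_cert "$d/ca.pem" "$d/user.pem" && echo "signed by real CA: accepted"
    verify_cert "$d/lookalike.pem" "$d/user.pem" || echo "lookalike CA: rejected"
    key_matches_cert "$d/user.key" "$d/user.pem" && echo "key matches certificate"
    rm -rf "$d"
}

run_demo
```

The lookalike CA carries the same name as the real one, yet the certificate is rejected, because the name is easy to copy and the signature is not.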

Even more information:

Get a grid certificate from the DutchGrid certificate authority, by going to http://www.dutchgrid.nl/ca/request/ and filling out the web form:

  • Ask for a "Users (personal certificates)" certificate;
  • Choose
    • Organization: vu, Unit: vumc or
    • Organisation: uva, Unit: amc
    from the select boxes.
  • Select Certification level: "Medium security".

You will be asked to follow a sequence of steps including

  • downloading and running a script on your machine. You should create a new directory for that and call it .globus.

    This script automates the creation of your key and the certificate request to send to the CA. We advise creating a clean directory in which to run this script. You should also remember the location of this directory for future use. In the end, this directory will contain your private key.
  • filling in a paper form which you then need to have signed by the indicated person.

    Note that the CA will not sign the certificate until this paper form is received. The person that should sign the form is the Registration Authority (RA) subsidiary to the CA.
  • choosing a passphrase. Remember this well, since this is the password that you'll have to type every single time that you'll access grid resources (for example, to access data or run jobs).

    IMPORTANT: choose a strong passphrase!

    Strong passphrases consist of a combination of letters, digits and other symbols and are at least 12 characters long. Avoid using common words. Since spaces are allowed, some example passphrases are:
    !Doct0r Jone$$ likes 2 cut ### patients
    X-raying 34% of the 20+ PEOPLE? (...)
    
    but I'm sure you can think of something better. Just mind that you should be able to memorize it, because writing it down on a sticky note makes the whole thing pointless.

IMPORTANT: your private key will be stored by the script in the file "userkey.pem". There are three golden rules:

  • DON'T lose this file, or your certificate becomes worthless.
  • DON'T forget your passphrase, for the same reason.
  • NEVER give this file to anyone, or make it readable for anyone. You risk identity theft.

After your request has been processed, you'll receive a message from the CA. Simply follow the instructions in the message, and save it into a file usercert.pem in the same directory as userkey.pem. You can also see your Distinguished Name (DN) and the validity of your grid certificate in this message, which will look like this:

    Subject:    O=dutchgrid, O=users, O=uva, OU=wins, CN=Silvia Delgado Olabarriaga
    Valid till: Feb 14 16:37:19 2007 GMT

The message received from the CA contains the content of the public part of your certificate. This can also be downloaded from http://ca.dutchgrid.nl/medium/query. A certificate has to be renewed before its expiration date, otherwise the whole procedure (with personal authentication) has to be repeated. Go to http://ca.dutchgrid.nl/info/rekey to renew your certificate.

Finally, you have to "install" your certificate on all computers used to access the grid. This means that the directory where the files mentioned above were stored must be copied into your HOME directory on all the computers you'll be using to access grid resources. Configuration of your environment becomes easier if this directory is named ".globus".

This directory contains essentially 2 files:

  • userkey.pem: the private key generated by the script above
  • usercert.pem: the file received by e-mail when your certificate is approved by the Certification Authority (CA).

Note: the access properties of these files are very important, but sometimes they are affected by ftp. They should look like this:

    $ ls -la ~/.globus/user*
    -rw-r--r--    1 silvia   silvia       6659 Feb 15 11:53 usercert.pem
    -r--------    1 silvia   silvia        963 Feb 13 14:37 userkey.pem

(which means that no one can read the private key file other than the owner.) It is best to use zip or tar to copy the complete ".globus" directory onto the computers you'll use.
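
A way to check these access properties after every copy, and to repair them if a transfer changed them. This is an added example, not part of the original guide; the function names are hypothetical, the file names and modes are the ones shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names are the page's.

# perm_of FILE: print the octal mode (GNU stat first, BSD stat as fallback).
perm_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# audit_globus DIR: print one finding per line, return 0 only if none.
audit_globus() {
    dir=$1; bad=0
    for f in userkey.pem usercert.pem; do
        [ -f "$dir/$f" ] || { echo "MISSING $f"; bad=1; }
    done
    if [ -f "$dir/userkey.pem" ]; then
        p=$(perm_of "$dir/userkey.pem")
        case $p in
            *00) ;;   # nothing granted to group or others
            *) echo "UNSAFE userkey.pem has mode $p (want 400)"; bad=1 ;;
        esac
    fi
    if [ -f "$dir/usercert.pem" ]; then
        p=$(perm_of "$dir/usercert.pem")
        case $p in    # a 2, 3, 6 or 7 digit means group or others may write
            *[2367]|*[2367]?)
                echo "UNSAFE usercert.pem has mode $p (want 644)"; bad=1 ;;
        esac
    fi
    return $bad
}

# fix_globus DIR: restore the modes shown in the listing above.
fix_globus() {
    chmod 400 "$1/userkey.pem" && chmod 644 "$1/usercert.pem"
}

# copy_globus SRC_HOME DST_HOME: copy .globus through tar, which records the
# modes in the archive; -p restores them exactly on extraction.
copy_globus() {
    tar -C "$1" -cf - .globus | tar -C "$2" -xpf -
}

# Typical use on a machine you just copied the directory to:
#   audit_globus "$HOME/.globus" || fix_globus "$HOME/.globus"
```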

See also

Step 2a: Obtain an account on SRB

To get an SRB account, send an e-mail to grid.support@sara.nl.

  • indicate that you belong to VL-e Medical (SP 1.3)
  • add in the e-mail your Distinguished Name (DN)

The request will be processed manually and confirmed via e-mail. You'll get an e-mail containing your user name and a password.

  • SRB (Storage Resource Broker) is used for data storage and sharing; see http://www.sdsc.edu/srb.
  • A user name gives you access to write/read one directory on vl-e home.
  • The data will be stored at SARA.

    NOTE: this is a research platform, so make sure to keep your own backups.

  • You can later change the password with a command-line utility (Spasswd). See also below Configuring your account at the UI.

  • The Distinguished Name is the certificate's "Subject:". It is the unique identifier by which you are known on the grid. For example:
    O=dutchgrid,O=users,O=nikhef,CN=Dennis van Dok
    
  • Instructions about how to access the files (configuration, upload, download) are given in http://poc.vl-e.nl/srb/

Step 2b: Register with the VleMedical VO

This is necessary to associate your certificate to one "virtual organization" (= group of people that have access to shared grid resources).

To do this, you need to load your certificate into your browser. Here is a page explaining how.

To register, follow the instructions on https://voms.grid.sara.nl:8443/vomses.
Choose vlemed and follow New User Registration.

You'll get back an e-mail confirming your registration to the grid and VO.

You may think that this step is superfluous after having gone through all the trouble getting a grid certificate. But you should realise that while a certificate helps to establish your identity, it does not give you the right to use any resources. Those rights are usually handed down through virtual organisations, and that is why you need to register your affiliation.

Note that loading your certificate in your browser adds to the risk of having your identity stolen from you. You should be aware of all the places where your private key is stored and used, and never ever load your certificate in a browser that is not under your control, such as on a public terminal, in an internet cafe, or on a friend's laptop.

Step 2c: Obtain account at SARA user interface

  • Send an e-mail to grid.support@sara.nl asking for an account at the "UI" machine
  • You'll get back an e-mail containing your user name and a password. You can later change the password with a command-line utility (passwd). See also below Configuring your account at the UI
  • ui.grid.sara.nl is the User Interface (UI) machine used to access the grid resources.
  • From this machine, it is possible to run jobs on the clusters available to the VleMedical Virtual Organization.

Step 3: Configuring your account at the UI

  • log in at the SARA UI ui.grid.sara.nl
    • on Windows, use your favourite SSH client (e.g. PuTTY) but remember to turn on X-forwarding.

    • on linux/UNIX, use ssh -Y or ssh -X

      The distinction is that since ssh 3.8, X forwarding has become more secure; however, some applications cannot deal with this and crash. If you suffer from crashing X11 applications (possibly with BadWindow error codes), use -Y.

      • You need an X Server running on your machine, with X-tunnelling enabled.
      • You need the DISPLAY variable properly configured on your local machine.
        export DISPLAY=:0
        
  • first change your password on the UI machine (utility passwd)
  • now install your grid certificates:
    • copy your .globus directory from your desktop into your home (see above, at the end of step 1).
  • install SRB configuration files:
    • Get and extract the srb-userenv.tar.gz file in your home directory. This will create a directory .srb.

      Typically with commands like these:

      cd
      tar xvfz srb-userenv.tar.gz
      
    • edit the file $HOME/.srb/.MdasEnv and replace all occurrences of YOUR-SRB-USERNAME by your real SRB username obtained in step 2a.
  • try out your certificate (create grid proxy):
    • run voms-proxy-init --voms vlemed to create a grid proxy. You'll be asked to type your certificate passphrase selected in step 1.

      A proxy is like a certificate, only shorter-lived. Also, it is not signed by a CA, but by your own private key. This is called delegation of your credentials. This way grid jobs can act on your behalf, without having access to your private key: there is a verifiable chain of signatures leading back to a trusted party: the CA.

      Grid proxies do carry temporary private keys, and anyone getting a hold of your proxy can act in your name. Although this is a security risk, it is limited by the fact that the signature on the proxy gives it a limited validity of only 12 hours.

      You can run voms-proxy-info -all to see the status of your proxy, and voms-proxy-destroy to remove it from the system.

      A proxy is just a file in the /tmp directory. So it will remain on the system even when you log out.

  • try out your SRB configuration:
    • Create a grid proxy.
    • run module load srb to set up the environment for running SRB tools.
    • Run Sinit.
    • Run Sls (this should show the list of files in your home directory at the SRB, which should be empty).
    • Run Sput .bashrc (this will copy a file into your home directory at the SRB).
    • Run Sls again.
    • You can also change the password (Spasswd).
    • This SRB session will remain open until you log out. You can close it with Sexit.

This machine has all the environment necessary to access grid resources.

  • Globus Toolkit (grid certification/authentication): type grid-<tab><tab>

    NOTE: <tab><tab> means that you have to type the character "tab" twice, and the names of all available utilities will be shown.

  • Scommands (command-line access to SRB): type S<tab><tab> See also http://www.sdsc.edu/srb/index.php/Scommand_Manpages
  • EGEE utilities (run jobs): type edg-job-<tab><tab>

    For more info on the utilities, type man <utility>

  • This machine also has other packages installed, such as FSL and mricro (type fslview or startmricro). For more info on the installed packages, see the VL-e PoC Release 1 document.

Step 4: Running your first job on the grid

Goal: run a job that writes Hello vlemed user! into a file.

Get hello.jdl into your home directory.

Delegate your VOMS proxy to the WMS:

glite-wms-job-delegate-proxy -d dennis1234

This will return a delegation identifier, which will look like this:


Connecting to the service https://graszode.nikhef.nl:7443/glite_wms_wmproxy_server

================== glite-wms-job-delegate-proxy Success ==================

Your proxy has been successfully delegated to the WMProxy:
https://graszode.nikhef.nl:7443/glite_wms_wmproxy_server

with the delegation identifier: dennis1234

==========================================================================

Submit job to queue:

glite-wms-job-submit -d dennis1234 hello.jdl

This will display the job identifier (jobid), which will look like this:

https://grasveld.nikhef.nl:9000/eD7ha_9J7iuU7jnmyqVM_Q

This jobid should be used to check the job status and retrieve the generated files.

Get job status:

glite-wms-job-status https://grasveld.nikhef.nl:9000/eD7ha_9J7iuU7jnmyqVM_Q

The possible states are:

  • Ready: ready to be queued
  • Scheduled: waiting in one queue
  • Running: running on a node
  • Done: finished running
  • Aborted: removed from the queue because of a problem

Once the job is in state "Done", it is possible to obtain the generated files:

glite-wms-job-get-output -dir . \
  https://grasveld.nikhef.nl:9000/eD7ha_9J7iuU7jnmyqVM_Q

The output files (std.err, environmentOnNode.txt) will be stored in the given directory.

To see the output:

cat silvia_tWoc6ZfjIwU-c0ifAWowAg/environmentOnNode.txt

Another example: getenv_job.tar.gz. Retrieve and unpack the tar file.

glite-wms-job-submit -d dennis1234 getEnvironment.jdl

This will dump the environment on the computing node into the "environmentOnNode.txt" file. To be used as an illustration only.

Where to go from here.

If you followed all the steps in this 'quick start' tutorial, congratulations! You have taken the first difficult hurdles on the grid and you are now ready for the next challenge: to make optimal use of the available resources and to embed them seamlessly in your workflow.

Unfortunately, there is no easy, step-by-step guide to help you there, nor would it be possible to write such a guide. Every user has specific needs which cannot be addressed by generic solutions. So you have to gather bits and pieces of information from colleagues, websites, presentations and other sources to build up your knowledge and learn your way around.

Another unfortunate fact is that the available information – however plentiful – is scattered and sometimes hard to find. And when you do find it, it is often outdated because the grid is rapidly maturing.

The VL-e Resource Guide could be a useful starting point when you are looking for information.


Comments to Dennis van Dok or Jan Just Keijser.