Whole site: How to enable a VO

Consider for example to enable the VO ”<voname>”.

You have to handle the following configuration files.

• Add <voname> to VOS variable in <your-site-info.def>. For example:

VOS="... <voname> ..."

• Check that the variable ALL_VOMS_VOS is aligned with the content deployed with the latest template version of ig-site-info.def. The most recently added VOs should be listed there.

• Add <voname> to the related queue settings inside the <QUEUE>_GROUP_ENABLE variable in <your-site-info.def>. For example (we suppose to use grid queue):

GRID_GROUP_ENABLE="... <voname> ..."

• Edit the other VO settings in one of the following ways:

Usually for these settings the default values placed at the end of <your-site-info.def> may be used:

VO_<VONAME>_SW_DIR=$VO_SW_DIR/<voname>
VO_<VONAME>_DEFAULT_SE=$CLOSE_SE_HOST
VO_<VONAME>_STORAGE_DIR=$CLASSIC_STORAGE_DIR/<voname> (needed only for SE Classic)
VO_<VONAME>_VOMS_SERVERS="vomss://<voms-server>.<voms-domain>:8443/voms/<voname>?/<voname>"
VO_<VONAME>_VOMSES="<voname> <voms-server>.<voms-domain> <voms-port> <voms-server-DN> <voname>"

• Create vo.d/<voname> file inside your site configuration directory (here called <confdir>/) copying it from /opt/glite/yaim/examples/siteinfo/vo.d/<voname> if it exists (now this approach is used only for new dns-like VO).

For example for enmr.eu VO (note that variable names don't contain the VO name):

$ cat <confdir>/vo.d/enmr.eu
SW_DIR=$VO_SW_DIR/enmr
DEFAULT_SE=$CLASSIC_HOST
STORAGE_DIR=$CLASSIC_STORAGE_DIR/enmr
VOMS_SERVERS="'vomss://voms2.cnaf.infn.it:8443/voms/enmr.eu?/enmr.eu' 'vomss://voms-02.pd.infn.it:8443/voms/enmr.eu?/enmr.eu'"
VOMSES="'enmr.eu voms2.cnaf.infn.it 15014 /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it enmr.eu' 'enmr.eu voms-02.pd.infn.it 15014 /C=IT/O=INFN/OU=Host/L=Padova/CN=voms-02.pd.infn.it enmr.eu'"
VOMS_CA_DN="'/C=IT/O=INFN/CN=INFN CA' '/C=IT/O=INFN/CN=INFN CA'"

• Add to <your-users.conf> the users for the ”<voname>” VO fitting your site's policy in users management (range of uid and gid). You may find an example of the needed rows in /opt/glite/yaim/examples/ig-users.conf.

Some useful informations are available in /opt/glite/yaim/examples/users.conf.README.

You may also use the information you find at ”Whole site: How to create local users.conf and configure users”.

For example for enmr.eu VO you could use:

46001:enmr001:46000:enmr:enmr.eu::
46002:enmr002:46000:enmr:enmr.eu::
46003:enmr003:46000:enmr:enmr.eu::
...
46901:sgmenmr001:46090,46000:sgmenmr,enmr:enmr.eu:sgm:
46902:sgmenmr002:46090,46000:sgmenmr,enmr:enmr.eu:sgm:
46903:sgmenmr003:46090,46000:sgmenmr,enmr:enmr.eu:sgm:
...
46921:sgmenmrbcbr001:46091,46000:sgmenmrbcbr,enmr:enmr.eu:sgmbcbr:
46922:sgmenmrbcbr002:46091,46000:sgmenmrbcbr,enmr:enmr.eu:sgmbcbr:
46923:sgmenmrbcbr003:46091,46000:sgmenmrbcbr,enmr:enmr.eu:sgmbcbr:
...
46941:sgmenmrbmrz001:46092,46000:sgmenmrbmrz,enmr:enmr.eu:sgmbmrz:
46942:sgmenmrbmrz002:46092,46000:sgmenmrbmrz,enmr:enmr.eu:sgmbmrz:
46943:sgmenmrbmrz003:46092,46000:sgmenmrbmrz,enmr:enmr.eu:sgmbmrz:
...
46961:sgmenmrcirmmp001:46093,46000:sgmenmrcirmmp,enmr:enmr.eu:sgmcirmmp:
46962:sgmenmrcirmmp002:46093,46000:sgmenmrcirmmp,enmr:enmr.eu:sgmcirmmp:
46963:sgmenmrcirmmp003:46093,46000:sgmenmrcirmmp,enmr:enmr.eu:sgmcirmmp:
...

• Add to <your-groups.conf> the VOMS FQANs for the ”<voname>” VO copying them from /opt/glite/yaim/examples/ig-groups.conf.

Some useful informations are available in /opt/glite/yaim/examples/groups.conf.README.

For example for enmr.eu VO:

"/enmr.eu/ROLE=SoftwareManager":::sgm:
"/enmr.eu"::::
"/enmr.eu/bcbr/ROLE=SoftwareManager":::sgmbcbr:
"/enmr.eu/bcbr"::::
"/enmr.eu/bmrz/ROLE=SoftwareManager":::sgmbmrz:
"/enmr.eu/bmrz"::::
"/enmr.eu/cirmmp/ROLE=SoftwareManager":::sgmcirmmp:
"/enmr.eu/cirmmp"::::

The ”enmr.eu” a particular structure is needed for sgm pool accounts, as you can see in ig-groups.conf and ig-users.conf template files. To fit these requirements some manual steps have to be performed in the software area exported to WNs. Assuming that the directory $VO_ENMR_EU_SW_DIR is already present with sgmenmr001.sgmenmr ownership:

mkdir $VO_ENMR_EU_SW_DIR/BCBR $VO_ENMR_EU_SW_DIR/BMRZ $VO_ENMR_EU_SW_DIR/CIRMMP
chown sgmenmrbcbr001.sgmenmrbcbr $VO_ENMR_EU_SW_DIR/BCBR
chown sgmenmrbmrz001.sgmenmrbmrz $VO_ENMR_EU_SW_DIR/BMRZ
chown sgmenmrcirmmp001.sgmenmrcirmmp $VO_ENMR_EU_SW_DIR/CIRMMP

In order to enable the ”<voname>” VO on your site you have to verify that:

• the voms server host certificate of the newly added ”<voname>” VO is installed in ”/etc/grid-security/vomsdir”

• the Certification Authority that released the voms server host certificate is installed on your hosts

In order to enable the newly added ”<voname>” VO on your site you have to run for each nodetype the function you find in the table below (please consider that we refer only to gLite 3.1 profiles). Naturally you can also complete reconfigure your nodetypes but this is a more expensive procedure.

For each nodetype you have to use the following command, properly replacing the profile and function's names:

/opt/glite/yaim/bin/ig_yaim -r -s <confdir>/<your-site-info.def> -n <profile> -f <function>

Note: this functions will be available with the next ig-yaim >= 4.0.5-4.