Getting Started with Grid Use in M-grid

Author: Arto Teräs
Status: Final, version 1.3
Date: 2006-02-22

This guide describes how users can start submitting grid jobs using the NorduGrid ARC middleware in the M-grid environment.

Getting a certificate

In the grid, both servers and users are identified and authenticated using X.509 certificates. The certificates need to be signed by a certification authority, which is NorduGrid CA in the case of M-grid. CSC acts as a registration authority: it forwards requests from Finnish grid users to NorduGrid CA and signs them electronically so that NorduGrid CA can trust that the requests are valid and authentic. Obtaining the certificate usually takes a few days. You may want to read the Grid Certificate Mini How-to on the NorduGrid pages.

Each user needs a personal certificate. Log in to the M-grid cluster at your home site (CSC users should log in to sepeli.csc.fi) and generate a certificate request by typing the command

grid-cert-request -int

The command asks a few questions and generates a key and a request. Remember to select a good passphrase for protecting the secret key and use your home institution email address. The OU value should be your domain, e.g. hut.fi or utu.fi. Please do not use the domain csc.fi unless you are a CSC employee. Also, if you have Scandinavian or accented characters in your name (e.g. ä, ö, å, é), please replace them with their ASCII counterparts. The command generates three files in the subdirectory .globus under your home directory:

~/.globus/usercert.pem
~/.globus/usercert_request.pem
~/.globus/userkey.pem

File usercert_request.pem is the certificate request. File userkey.pem is the secret key (encrypted with your passphrase). File usercert.pem is empty; the signed certificate should be copied over it later.

The text printed on the screen suggests sending the request to ca@nbi.dk, but please do not send it there directly. The request should be sent to grid-support@csc.fi in an email signed by the system administrator of the site. Contact your M-grid system administrator to do this; he/she can sign the request and send it to CSC. CSC will then forward the request in a signed email to the NorduGrid CA. CSC will also add the user's grid identity (distinguished name, DN) to the grid access list of all M-grid clusters.

You will later receive the signed certificate by email. It should be saved to file ~/.globus/usercert.pem.
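
The following check of the files described above is an added example, not part of the original guide or of the NorduGrid tools. It verifies that userkey.pem is accessible only to its owner and is passphrase-protected, and that usercert.pem holds a PEM certificate once the signed certificate has been saved; the function name check_globus_dir is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the files written by grid-cert-request.
# Usage: check_globus_dir [dir]   (defaults to ~/.globus)
# Returns 0 when all checks pass, otherwise the number of problems found.

check_globus_dir() {
    dir=${1:-"$HOME/.globus"}
    key="$dir/userkey.pem"
    cert="$dir/usercert.pem"
    problems=0

    if [ ! -f "$key" ]; then
        echo "MISSING: $key"
        return 1
    fi

    # Group and other must have no access at all to the secret key.
    # Columns 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group or others; run: chmod 400 $key"
        problems=$((problems + 1))
    fi

    # An encrypted PEM key carries one of these markers; a private key
    # without them is stored in the clear.
    if ! grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "FAIL: $key is not passphrase-protected"
        problems=$((problems + 1))
    fi

    # usercert.pem starts out empty and must later hold the signed certificate.
    if [ ! -s "$cert" ]; then
        echo "NOTE: $cert is still empty; waiting for the signed certificate"
    elif ! grep -q 'BEGIN CERTIFICATE' "$cert"; then
        echo "FAIL: $cert does not contain a PEM certificate"
        problems=$((problems + 1))
    fi

    # Columns 6 and 9 are the group-write and other-write bits of the directory.
    if [ "$(ls -ld "$dir" | cut -c6,9)" != "--" ]; then
        echo "FAIL: $dir is writable by group or others"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Source the file and run check_globus_dir without arguments to check ~/.globus.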

If you do not belong to any of the M-grid groups, contact grid-support@csc.fi directly. We'll email or call you back and give more detailed instructions. This procedure of getting a certificate is a temporary arrangement and will be replaced by a web based service later. However, already obtained certificates will remain valid.

Security and privacy

One of the tasks of the Grid middleware is to map grid identities to local unix accounts at each connected resource. Locally, protections are implemented using normal unix file permissions. The grid middleware allows several grid users to be mapped to the same account. Local implementation choices are therefore important when data protection is a concern.

In M-grid, there is one grid account for each participating group in each cluster. In addition, there is one group for CSC employees and one for all other CSC customers. All users within each group are mapped to the same unix account during grid use.

The ARC middleware creates a randomized session directory for each grid job so users will not inadvertently see other users' files. However, the common disk area in each cluster is visible to computing nodes using the Network File System (NFS) where permissions are based on unix user ids (uids). Therefore it is possible for a malicious user to access files of other users within the same group. Due to this limitation, users are asked not to submit grid jobs which process confidential information. In the future data protection will be improved with one time accounts, which will be created and destroyed individually for each grid job.
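
To make the shared mapping concrete, the following added example (not part of the original guide) lists every local account that more than one grid identity maps to. It assumes the mapping is kept in a Globus-style grid-mapfile with one `"DN" account` pair per line; the function names, DNs and account names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find local accounts shared by several grid identities.

# Constructed sample mapping; real DNs and account names will differ.
sample_gridmap() {
    cat <<'EOF'
# "distinguished name" local-account
"/O=Grid/O=NorduGrid/OU=hut.fi/CN=Constructed User A" grid_hut
"/O=Grid/O=NorduGrid/OU=hut.fi/CN=Constructed User B" grid_hut
"/O=Grid/O=NorduGrid/OU=utu.fi/CN=Constructed User C" grid_utu
EOF
}

# shared_grid_accounts [FILE]
# Reads a grid-mapfile (stdin when no FILE is given) and prints each
# account with more than one DN, followed by the DNs mapped to it.
shared_grid_accounts() {
    awk -F'"' '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        NF >= 3 {
            dn = $2                          # text between the first two quotes
            acct = $3                        # remainder of the line
            gsub(/^[ \t]+|[ \t]+$/, "", acct)
            if (acct == "") next
            count[acct]++
            dns[acct] = dns[acct] "    " dn "\n"
        }
        END {
            for (a in count)
                if (count[a] > 1)
                    printf "%s (%d identities):\n%s", a, count[a], dns[a]
        }
    ' "$@"
}
```

Every identity listed under the same account runs jobs with the same uid, so unix file permissions on the NFS area do not separate those users from one another.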

Another factor to consider is the visibility of job submission related metadata. In the Grid Monitor on the NorduGrid web site anybody can see which users are on the grid and the names of the jobs being executed. Job input and output file contents are naturally not accessible through the monitor. Individual logins and showing only relevant information to each user in the monitor are not feasible with the current technology used in NorduGrid. A better solution is being sought but will probably not be available in the near future.

Before starting grid use in M-grid you must consider whether you are willing to accept the limitations described in this section. We believe they will not be a problem for most users but we want to be open so that everybody can make an informed decision about grid use. Local jobs (submitted directly to the N1 Grid Engine batch queueing system) in each cluster normally use users' personal unix accounts and are not affected by these features.

The first grid job

Here's a simple script and NorduGrid job file which can be used to test the installation:

Save these files to your home directory. Then log in to the Grid and submit the job:

$ grid-proxy-init
$ ngsub -d 1 -f hellogrid.xrsl

To select a specific host, use the -c option, such as

$ ngsub -d 1 -f hellogrid.xrsl -c kivi.csc.fi

Ngsub should submit a job and give you a job id number. You can monitor the job status using command ngstat <job_id> (or ngstat -a to see all your jobs) and download the result files using ngget <job_id>. The <job_id> is the full string given by ngsub which begins with "gsiftp://".

More information

You can also check on the NorduGrid web site whether the cluster can be seen in the Grid Monitor, and browse the information in the monitor. For more information, see the NorduGrid User Guide, the documentation section on the website and the tutorials.

Here is the material of the latest tutorial held at CSC, September 20, 2005:

Changelog

2006-02-22 Version 1.3. Added instructions to replace scandinavian characters with ASCII (AJT)
2005-11-14 Version 1.2. Added instructions for users not belonging to M-grid groups and the security and privacy chapter (AJT)
2005-09-21 Version 1.1. Added the material of the tutorial on 20.9.2005 (AJT)
2005-08-22 Version 1.0. Small fixes, increased the version number (AJT)
2005-08-18 Version 0.91. Various small fixes. (AJT)
2005-08-18 Version 0.9. Initial public version. (AJT)