VI-SEEM iRODS Deployment

From VI-SEEM Wiki
Jump to: navigation, search

iRODS deployment for VI-SEEM

This guide is prepared for Ubuntu 14.04 LTS.

Part 1: Preparation and iCAT server installation

It is assumed that PostgreSQL is in place.

Preparations on the machine hosting PostgreSQL

Install the PostgreSQL repo
sudo su -
  
  cd /etc/apt/sources.list.d/
  
  vim ./pgdg.list
  
  wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
  
  apt-get install postgresql-9.5 postgresql-contrib-9.5

Content of /etc/apt/sources.list.d/pgdg.list

deb http://apt.postgresql.org/pub/repos/apt/ trusty-pgdg main
Configure PostgreSQL
Default data directory 
data_directory = '/var/lib/postgresql/9.5/main'
It is advisable to change this to a dir where you have plenty of space.
Default listen address 
listen_addresses = 'localhost'
Change this as appropriate (comma-separated list of IP address(es) to listen on; use '*' for all).
Example
Create dedicated storage space for PostgreSQL on XFS on LVM on /dev/vdb
Required packages 
lvm2, xfsprogs
sudo pvcreate /dev/vdb
sudo vgcreate pgdb_data_vg /dev/vdb
sudo lvcreate -n pgdb_data_lv_001 -l 100%VG pgdb_data_vg
sudo mkfs.xfs -L pgdb-data-fs /dev/pgdb_data_vg/pgdb_data_lv_001
Access/Mount/fstab
sudo mkdir /path/to/mount/point
sudo chmod 700 /path/to/mount/point
sudo mount /dev/pgdb_data_vg/pgdb_data_lv_001 /path/to/mount/point
sudo chown postgres:postgres /path/to/mount/point
sudo su - postgres
cd /path/to/mount/point
umask 0022
mkdir 9.5
umask 0077
mkdir main
sudo vim /etc/fstab
Content of /etc/fstab:
...
LABEL=pgdb-data-fs      /path/to/mount/point xfs defaults        0 0
Stopping PostgreSQL; modifying data_directory
sudo -u postgres /usr/lib/postgresql/9.5/bin/pg_ctl stop \
-D /var/lib/postgresql/9.5/main -m fast
sudo vim /etc/postgresql/9.5/main/postgresql.conf
cd /usr/lib/postgresql/9.5/bin/
sudo su postgres
./pg_ctl -D /path/to/mount/point/9.5/main initdb
exit
sudo service postgresql start
Changed data directory in /etc/postgresql/9.5/main/postgresql.conf
data_directory = '/path/to/mount/point/9.5/main'
Note: It is considered best-practice to use a directory under the mount point rather than the mount point itself.
Preparation for iRODS on PostgreSQL side
sudo su postgres

psql

CREATE USER irods WITH PASSWORD '<pwd was here>';
CREATE DATABASE "ICAT";
GRANT ALL PRIVILEGES ON DATABASE "ICAT" TO irods;
PostgreSQL auth
sudo -u postgres vim /etc/postgresql/9.5/main/pg_hba.conf
Example (if your iCAT server is in 192.168.1.0/27):
# Allow connections from private subnet to ICAT
host    ICAT            irods           192.168.1.0/27         md5


Preparations on the machine hosting iCAT

iCAT installation

Required packages (you could download them at http://irods.org/download/):

  • irods-icat-4.1.8-ubuntu14-x86_64.deb
  • irods-database-plugin-postgres-1.8-ubuntu14-x86_64.deb

There may be some missing dependencies. To resolve this, do:

sudo apt-get -f install

This will get you everything you need.

Then you have to run /var/lib/irods/packaging/setup_irods.sh

For documentation purposes you may do this like:

sudo /var/lib/irods/packaging/setup_irods.sh | tee ./iRODS-setup-$(date +%Y%m%d-%Hh%M)

...and answer all questions:

- iRODS service account name (default: irods)
- iRODS service group name (default: irods)
  (these for running iRODS)

- iRODS server's zone name (default: tempZone)
- iRODS server's port (default: 1247)
- iRODS port range (begin) (default: 20000)
- iRODS port range (end) (default: 20199)

- iRODS Vault directory (default: /var/lib/irods/iRODS/Vault)

- iRODS server's zone_key (default: TEMPORARY_zone_key)
  (This will be shared amongst federation members.)
- iRODS server's negotiation_key (default: TEMPORARY_32byte_negotiation_key)
  (This will also be shared amongst federation members.)

- Control Plane port (default: 1248)
  (This for zone-wide administrative tasks.)
- Control Plane key (default: TEMPORARY__32byte_ctrl_plane_key)

- Schema Validation Base URI (or 'off') (default: https://schemas.irods.org/configuration)

- iRODS server's administrator username (default: rods)
- iRODS server's administrator password

- Database server's hostname or IP address 
- Database server's port (default: 5432)
- Database name (default: ICAT; see "Preparation for iRODS on PostgreSQL side")
- Database username (default: irods; see "Preparation for iRODS on PostgreSQL side")
- Database password (as configured in step "Preparation for iRODS on PostgreSQL side")

Notes:

- zone_name --> max. 63 characters; validating regexp: "^[A-Za-z0-9_\\.]+$"
- zone_key --> max. 49 characters; validating regexp: "^[A-Za-z0-9_]+$"
- negotiation_key --> 32 characters; string (no restrictions)
- server_control_plane_port --> integer
- server_control_plane_key --> 32 characters; string (no restrictions)

From iRODS documentation:

- "zone_key should be a unique and arbitrary string ... one for your whole zone"
- "This allows the resource servers to verify the identity of the iCAT server 
   beyond just relying on DNS."
- "Between Two Zones
   ...
   The zone_key should be a unique and arbitrary string, one for each zone.
   The negotiation_key should be a shared key only for this pairing of two zones."
- Control Plane --> "The irods-grid command is purely within the control of a 
  data-grid administrator. For this reason we decided to secure this 
  side-channel communication with symmetric grid-wide keys. This way the only 
  way a grid may be paused, shutdown or queried is by an administrator with the 
  proper credentials."

The installation will create a default resource (demoResc) for you at the directory of your choice ("iRODS Vault directory"; see above). This is not intended for production so another resource should be created (either on the iCAT server or on a separate resource server).

iCAT configuration

Hosts

Be sure that your hostnames could be resolved!
Edit your /etc/hosts (IPs you will use and localhosts as well) as appropriate.
E.g.:
127.0.0.1 localhost my-vi-seem-db

192.168.1.2  my-vi-seem-db
192.168.1.3  myresc01 vi-seem-irods-resource-01
192.168.1.4  myicat vi-seem-icat

SSL

For SSL you should get a proper cert.
You will need:
  • cert key file
e.g.: myicat.key
  • cert chain including the root CA itself
If you have separate cert files this could be as simple as
cat myicat.crt myCA.crt > mycertchain.pem
  • a Diffie-Hellman parameters file
    openssl dhparam -2 -out dhparams.pem 2048
  • all (cert key, cert chain, DH params file) accessible by the iRODS service account
(Of course the private key should NOT be readable by others!)
  • to modify the service account config (~/.irods/irods_environment.json);
params needed:
  • irods_ssl_certificate_chain_file
  • irods_ssl_certificate_key_file
  • irods_ssl_dh_params_file
e.g.:
    ...
    "irods_ssl_certificate_chain_file": "/etc/irods/ssl/mycertchain.pem",
    "irods_ssl_certificate_key_file": "/etc/irods/ssl/myicat.key",
    "irods_ssl_dh_params_file": "/etc/irods/ssl/dhparams.pem"
In a federation the irods_environment.json of your service account should have client properties as well, e.g.:
  • irods_ssl_ca_certificate_file
  • irods_ssl_verify_server
irods_ssl_verify_server controls the level of server certificate based authentication.
The default setting is to validate the certificate and to verify that the irods_host's
FQDN matches either the common name or one of the subjectAltNames of the certificate.
To verify only certificate validity set this to 'cert'.
If you want to force SSL, you should modify /etc/irods/core.re as well:
acPreConnect(*OUT) { *OUT="CS_NEG_REQUIRE"; }

Part 2: Resource server deployment

Assumptions:

  • iCAT server already deployed
  • iCAT config is tweaked to have SSL in place; this includes:
    • SSL related parameters in service account config (irods_environment.json)
    • acPreConnect rule in the default Rule Base (core.re)

Required packages (you could download them at http://irods.org/download/):

  • irods-resource-4.1.8-ubuntu14-x86_64.deb

Resource server installation

This is basically the same as in case of the iCAT server; you have to intall the downloaded package (irods-resource-4.1.8-ubuntu14-x86_64.deb).

If you had unmet dependencies, do as in case of iCAT server:

sudo apt-get -f install

This will get you everything you need.

Resource server configuration

Before running /var/lib/irods/packaging/setup_irods.sh you may consider tweaking some parts of the config. That way you may not get error messages.

Anyway you have to go through the setup at some time. Again, for documentation purposes you may do this like:

sudo /var/lib/irods/packaging/setup_irods.sh | tee ./iRODS-setup-$(date +%Y%m%d-%Hh%M)

You need to answer all questions you are already familiar with:

- iRODS service account name (default: irods)
- iRODS service group name (default: irods)
  (these for running iRODS)

- iRODS server's port (default: 1247)
- iRODS port range (begin) (default: 20000)
- iRODS port range (end) (default: 20199)

- iRODS Vault directory (default: /var/lib/irods/iRODS/Vault)

- iRODS server's zone_key (default: TEMPORARY_zone_key)
  (This will be shared amongst federation members.)
- iRODS server's negotiation_key (default: TEMPORARY_32byte_negotiation_key)
  (This will also be shared amongst federation members.)

- Control Plane port (default: 1248)
  (This for zone-wide administrative tasks.)
- Control Plane key (default: TEMPORARY__32byte_ctrl_plane_key)

- Schema Validation Base URI (or 'off') (default: https://schemas.irods.org/configuration)

- iRODS server's administrator username (default: rods)

- iCAT server's hostname
- iCAT server's ZoneName

- iCAT server's admin username
- iCAT server's admin password

The installation will try to create a default resource (<resource server name>Resource) for you at the directory of your choice ("iRODS Vault directory"; see above).

If the assumptions (see above) are true and you do not tweak config on the resource server before running setup_irods.sh you should see an error message in the end:

...
Step 3 of 3:  Configuring iRODS user and starting server...
    Updating iRODS user's ~/.irods/irods_environment.json...
    Starting iRODS server...
Could not start iRODS server.
    Starting iRODS server...
Validating [/var/lib/irods/.irods/irods_environment.json]... Success
Validating [/etc/irods/server_config.json]... Success
Validating [/etc/irods/hosts_config.json]... Success
Validating [/etc/irods/host_access_control_config.json]... Success
iRODS server failed to start.


Install problem:
    Cannot start iRODS server.
Found 0 processes:
        There are no iRODS servers running.

Abort.

That is because you have SSL already in place on iCAT and require its use in the default Rule Base but things are not done yet on the resource server.

This also means (as the resource server could not connect to the iCAT) that the default resource is not created for your resource server in iCAT.

What you need to do now is:

  • set up SSL just like the way you did it on the iCAT server
  • modify corresponding config files
  • remove default_resource_directory and default_resource_name from the service account config (irods_environment.json) as they are optional and only meant for the setup phase
  • prepare your actual storage and the corresponding Vault directory
  • start your resource server
  • create your new resource

Creating your new resource

According to iRODS documentation it is considered best practice "to use a passthru resource as the root node of the Zone's default resource. By doing this, administrative changes to disks, server names, and resources can be handled out of view of the users and without the users needing to change any configuration in their client(s)."

Example of creating your resource hierarchy would look like:

irods@myicat:~$ iadmin mkresc myResc passthru
Creating resource:
Name:		"myResc"
Type:		"passthru"
Host:		""
Path:		""
Context:	""
irods@myicat:~$ iadmin mkresc myxfs01 unixfilesystem myiresc01.example.org:/path/to/my/Vault
Creating resource:
Name:		"myxfs01"
Type:		"unixfilesystem"
Host:		"myiresc01.example.org"
Path:		"/path/to/my/Vault"
Context:	""
irods@myicat:~$ 
irods@myicat:~$ iadmin addchildtoresc myResc myxfs01
niifirods@niificat:~$ ilsresc --tree
demoResc
myResc:passthru
└── myxfs01

Checking the status of your Zone

Now that you have your new resource created on iCAT, you may check the status of your Zone (either on your iCAT or on your resource server) by:

irods-grid status --all

(This has to be done by your iRODS service account.)

Example (how it would look like):

irods@myicat:~$ irods-grid status --all
{
    "hosts": [
        {
            "agents": [
                {
                    "agent_pid": 12345,
                    "age": 0
                }
            ],
            "status": "server_state_running",
            "xmsg_server_pid": 0,
            "hostname": "myiresc01.example.org",
            "irods_server_pid": 13579,
            "re_server_pid": 0
        },
        {
            "hostname": "myicat.example.org",
            "re_server_pid": 9876,
            "irods_server_pid": 9875,
            "status": "server_state_running",
            "xmsg_server_pid": 0,
            "agents": [
                {
                    "agent_pid": 9321,
                    "age": 1
                }
            ]
        }
    ]
}
irods@myicat:~$