iRODS 4.1.8 installation and setup notes
205 views
Skip to first unread message
Tamas Kazinczy
Jul 22, 2016, 1:11:14 PM7/22/16
to irod...@googlegroups.com
Dear All,
I've just completed a fresh 4.1.8 installation intended for
production use. I had some troubles along the way and am still
a bit confused. Details are below.
Installing the iCAT server went just fine, though I have no
clue if some of the config options (that the setup script
had not asked about) are right, e.g. (in server_config.json):
"icat_host": "localhost"
I even see an error message in rodsLog complaining about this:
############################################################
Jul 22 17:11:40 pid:6699 ERROR: server_control_executor - icat_host_name
is localhost, not a fqdn
############################################################
I got one cert for my two servers (iCAT and iResc) from a CA.
Installed CAs cert in /etc/ssl/certs.
Everything looked fine: verification (openssl verify -x509_strict)
was OK for my chain.pem
(Btw. do I have to have the same dhparams file on my servers?)
Adjusted service account config to have the necessary items:
* irods_ssl_certificate_chain_file
* irods_ssl_certificate_key_file
* irods_ssl_dh_params_file
Modified core.re as well to require use of SSL:
################################################################################
acPreConnect(*OUT) { *OUT="CS_NEG_REQUIRE"; }
################################################################################
After finishing with the configuration of my iCAT I installed my
resource server.
I did not change the Vault. I thought I'd get rid of the defaults
after everything is up and running.
...and then ... setup failed...
Validations were all fine but:
################################################################################
Install problem:
Cannot start iRODS server.
Found 0 processes:
There are no iRODS servers running.
################################################################################
OK, no problem. I've made quite a few changes in configuration that
were not part of the setup.
Done everything I thought to be done.
No success.
Edited /etc/irods/hosts_config.json.
(Btw. what is the difference between the "local" and "remote" address
types?)
At the moment my hosts_config.json looks like (values replaced):
################################################################################
{
"host_entries": [
{
"address_type" : "local",
"addresses" : [
{"address" : "<IPv4 address of my resource server>"},
{"address" : "<FQDN of my resource server>"}
]
},
{
"address_type" : "remote",
"addresses" : [
{"address" : "<IPv4 address of my iCAT server>"},
{"address" : "<FQDN of my iCAT server>"}
]
}
]
}
################################################################################
This is for my resource server. At my iCAT, the iCAT is set local and
the resource server is set remote.
Noticed that I have not yet changed core.re so I edited that as well to
have the acPreConnect rule.
At this point I was able to start my resource server but only if
I set "cert" instead of "hostname" for "irods_ssl_verify_server"
in "irods_environment.json".
Another thing that is a bit strange for me is that
'irods-grid status --all' returns different result.
On the resource server it returns both the iCAT and itself.
On the iCAT it only returns the iCAT.
Noticed that for my resource server I have a probably
auto generated default resource name:
################################################################################
"irods_default_resource": "<resource server name>Resource"
################################################################################
...but ilsresc shows nothing but the default resource (demoResc) of
the iCAT. This looks the same on both servers.
I'd appreciate some help. :)
Cheers,
Tamás
I've just completed a fresh 4.1.8 installation intended for
production use. I had some troubles along the way and am still
a bit confused. Details are below.
Installing the iCAT server went just fine, though I have no
clue if some of the config options (that the setup script
had not asked about) are right, e.g. (in server_config.json):
"icat_host": "localhost"
I even see an error message in rodsLog complaining about this:
############################################################
Jul 22 17:11:40 pid:6699 ERROR: server_control_executor - icat_host_name
is localhost, not a fqdn
############################################################
I got one cert for my two servers (iCAT and iResc) from a CA.
Installed CAs cert in /etc/ssl/certs.
Everything looked fine: verification (openssl verify -x509_strict)
was OK for my chain.pem
(Btw. do I have to have the same dhparams file on my servers?)
Adjusted service account config to have the necessary items:
* irods_ssl_certificate_chain_file
* irods_ssl_certificate_key_file
* irods_ssl_dh_params_file
Modified core.re as well to require use of SSL:
################################################################################
acPreConnect(*OUT) { *OUT="CS_NEG_REQUIRE"; }
################################################################################
After finishing with the configuration of my iCAT I installed my
resource server.
I did not change the Vault. I thought I'd get rid of the defaults
after everything is up and running.
...and then ... setup failed...
Validations were all fine but:
################################################################################
Install problem:
Cannot start iRODS server.
Found 0 processes:
There are no iRODS servers running.
################################################################################
OK, no problem. I've made quite a few changes in configuration that
were not part of the setup.
Done everything I thought to be done.
No success.
Edited /etc/irods/hosts_config.json.
(Btw. what is the difference between the "local" and "remote" address
types?)
At the moment my hosts_config.json looks like (values replaced):
################################################################################
{
"host_entries": [
{
"address_type" : "local",
"addresses" : [
{"address" : "<IPv4 address of my resource server>"},
{"address" : "<FQDN of my resource server>"}
]
},
{
"address_type" : "remote",
"addresses" : [
{"address" : "<IPv4 address of my iCAT server>"},
{"address" : "<FQDN of my iCAT server>"}
]
}
]
}
################################################################################
This is for my resource server. At my iCAT, the iCAT is set local and
the resource server is set remote.
Noticed that I have not yet changed core.re so I edited that as well to
have the acPreConnect rule.
At this point I was able to start my resource server but only if
I set "cert" instead of "hostname" for "irods_ssl_verify_server"
in "irods_environment.json".
Another thing that is a bit strange for me is that
'irods-grid status --all' returns different result.
On the resource server it returns both the iCAT and itself.
On the iCAT it only returns the iCAT.
Noticed that for my resource server I have a probably
auto generated default resource name:
################################################################################
"irods_default_resource": "<resource server name>Resource"
################################################################################
...but ilsresc shows nothing but the default resource (demoResc) of
the iCAT. This looks the same on both servers.
I'd appreciate some help. :)
Cheers,
Tamás
Tamas Kazinczy
Jul 26, 2016, 4:08:30 AM7/26/16
to irod...@googlegroups.com
Dear All,
On 2016-07-22 19:11, Tamas Kazinczy wrote:
>
> Installing the iCAT server went just fine, though I have no
> clue if some of the config options (that the setup script
> had not asked about) are right, e.g. (in server_config.json):
> "icat_host": "localhost"
I've replaced "localhost" with the proper FQDN.
Seems OK, no more complaints on startup.
> (Btw. do I have to have the same dhparams file on my servers?)
What is the proper way? (I have the same cert for all my servers in the
zone.)
> Edited /etc/irods/hosts_config.json.
> (Btw. what is the difference between the "local" and "remote" address
> types?)
Is "local" the same as "localhost" was back in the days of
$IRODS_HOME/server/config/irodsHost?
> Another thing that is a bit strange for me is that
> 'irods-grid status --all' returns different result.
>
> On the resource server it returns both the iCAT and itself.
> On the iCAT it only returns the iCAT.
Managed to solve this by creating a new resource on my resource server.
> Noticed that for my resource server I have a probably
> auto generated default resource name:
> ################################################################################
>
> "irods_default_resource": "<resource server name>Resource"
> ################################################################################
Removed this from config as it is optional and probably matters only at
the time of setup.
Am I right if I say that the standard way should have been:
1) Install
2) Edit configuration files (including options only viable for setup)
3) Setup (sudo /var/lib/irods/packaging/setup_irods.sh)
?
Cheers,
Tamás
On 2016-07-22 19:11, Tamas Kazinczy wrote:
>
> Installing the iCAT server went just fine, though I have no
> clue if some of the config options (that the setup script
> had not asked about) are right, e.g. (in server_config.json):
> "icat_host": "localhost"
Seems OK, no more complaints on startup.
> (Btw. do I have to have the same dhparams file on my servers?)
zone.)
> Edited /etc/irods/hosts_config.json.
> (Btw. what is the difference between the "local" and "remote" address
> types?)
$IRODS_HOME/server/config/irodsHost?
> Another thing that is a bit strange for me is that
> 'irods-grid status --all' returns different result.
>
> On the resource server it returns both the iCAT and itself.
> On the iCAT it only returns the iCAT.
> Noticed that for my resource server I have a probably
> auto generated default resource name:
> ################################################################################
>
> "irods_default_resource": "<resource server name>Resource"
> ################################################################################
the time of setup.
Am I right if I say that the standard way should have been:
1) Install
2) Edit configuration files (including options only viable for setup)
3) Setup (sudo /var/lib/irods/packaging/setup_irods.sh)
?
Cheers,
Tamás
Terrell Russell
Jul 26, 2016, 9:41:53 AM7/26/16
to irod...@googlegroups.com
Hi Tamás,
Sorry for the delay - you have answered most of your own initial questions.
The 'localhost' ERROR for the iCAT is a remnant of earlier installation procedures - it will get cleaned up as we move forward. The hostname management/resolution in iRODS has already been changed in the upcoming 4.2.0 release and is much more robust.
Yes, the change from irodsHost to hosts_config.json is a one-to-one. The 'local' designation is a direct translation from the earlier format. There is no functional change in how the configuration works, itself.
I'm not sure why you were seeing differing results from 'irods-grid status --all' - if you can reproduce this, you may have found a bug.
The default resource that is created for a new resource server install is only there for the 'test put' that is part of the setup. It can safely be removed, as you found.
I think it is too broad to suggest that everyone update configuration files before they run setup_irods.sh. In general, it will be better to get things up and running and *then* manipulate the configuration settings. But I understand that there may be particular network settings or other things that need to be tweaked before the system may be able to come online. I would still suggest, in general, that the order be:
1) Install
2) Setup
3) Edit configuration files
Thanks for the follow-up and how you fixed the issues,
Terrell
Cheers,
Tamás
--
--
"iRODS: the Integrated Rule-Oriented Data-management System; A community driven, open source, data grid software solution" https://www.irods.org
iROD-Chat: http://groups.google.com/group/iROD-Chat
--- You received this message because you are subscribed to the Google Groups "iRODS-Chat" group.
To unsubscribe from this group and stop receiving emails from it, send an email to irod-chat+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Kazinczy Tamás
Jul 26, 2016, 10:41:44 AM7/26/16
to irod...@googlegroups.com
Hi Terrell,
On 2016-07-26 15:41, Terrell Russell wrote:
>
> I'm not sure why you were seeing differing results from 'irods-grid status
> --all' - if you can reproduce this, you may have found a bug.
I think that was due to the fact the iCAT had already had a different
config than a basic setup, e.g.
- CS_NEG_REQUIRE for acPreConnect in core.re
- SSL related parameters in service account config
...and so it was like:
* resource server could not connect to iCAT
this caused
* after I'd configured the resource server
- it could connect and see the iCAT
(so there I saw both itself and the iCAT in
irods-grid status --all)
- there still was nothing about any other resource in the DB
(so the iCAT returned just itself in the status)
> But I understand that there may be particular network settings or other
> things that need to be tweaked before the system may be able to come
> online.
Yes, my case was much like when you already have a zone up and running
and you want to deploy an additional resource server.
Now I have only one question remaining:
>> (Btw. do I have to have the same dhparams file on my servers?)
>>>
>>
>> What is the proper way? (I have the same cert for all my servers in the
>> zone.)
Thanks,
Tamás
On 2016-07-26 15:41, Terrell Russell wrote:
>
> I'm not sure why you were seeing differing results from 'irods-grid status
> --all' - if you can reproduce this, you may have found a bug.
config than a basic setup, e.g.
- CS_NEG_REQUIRE for acPreConnect in core.re
- SSL related parameters in service account config
...and so it was like:
* resource server could not connect to iCAT
this caused
"Install problem:
Cannot start iRODS server.
Found 0 processes:
There are no iRODS servers running."
* therefore the default resource could not be created
Cannot start iRODS server.
Found 0 processes:
There are no iRODS servers running."
* after I'd configured the resource server
- it could connect and see the iCAT
(so there I saw both itself and the iCAT in
irods-grid status --all)
- there still was nothing about any other resource in the DB
(so the iCAT returned just itself in the status)
> But I understand that there may be particular network settings or other
> things that need to be tweaked before the system may be able to come
> online.
and you want to deploy an additional resource server.
Now I have only one question remaining:
>> (Btw. do I have to have the same dhparams file on my servers?)
>>>
>>
>> What is the proper way? (I have the same cert for all my servers in the
>> zone.)
Tamás
Terrell Russell
Jul 29, 2016, 3:41:55 PM7/29/16
to irod...@googlegroups.com
On Tue, Jul 26, 2016 at 10:41 AM, Kazinczy Tamás <ka...@niif.hu> wrote:
Now I have only one question remaining:
(Btw. do I have to have the same dhparams file on my servers?)
What is the proper way? (I have the same cert for all my servers in the
zone.)
As I understand it, you can share the dhparams across machines, but are not required to.
Terrell
Reply all
Reply to author
Forward
0 new messages