IUSCA / sca-issues


New machine for Globus-Box Connector testing #31

Closed benfulton closed 4 years ago

benfulton commented 4 years ago

Can we get a machine set up for testing the Globus/Box connector? We can set up the Globus parts given the following prerequisites (https://docs.globus.org/globus-connect-server-v5-installation-guide/ )

Thanks!

agopu commented 4 years ago

@rperigo and I met with @benfulton briefly. This is for testing and temporary -- eventually ReStore will upgrade Globus Connect which they operate and also add the Box connector plugin. No ePHI concerns.

Ben is on PTO the next couple of weeks. We will give him a VM (with hostname or CNAME: globus-test.sca.iu.edu) in the first week of Jan which he expects to only need till the end of Jan 2020 or so.

The openings for ports listed on the ticket would only be needed for subnets like SciAPT/RADL VPN and Box subnets (or the like), not the entire world.

rperigo commented 4 years ago

@befulton - I have the VM up and running, and am at the point of installing the Globus Connect Server packages. We have a choice of 5.x releases, though my inclination would be to just install the most recent stable (5.2.x):

benfulton commented 4 years ago

That sounds good.

(Replied by email to rperigo's comment sent Monday, January 6, 2020 11:49 AM.)

rperigo commented 4 years ago

Machine is running on globus-test.sca.iu.edu, sciapt accounts are in place with SSH keys per normal config. Globus 5.2 has been installed, but firewall rules and service configs are yet to be implemented. Will get that part handled today.

rperigo commented 4 years ago

@benfulton Per talk yesterday, basic firewall changes have been made that should allow access to the system and initial application setup. We'll need to work out which files you'll need access to etc.

agopu commented 4 years ago

@benfulton Any updates on this? Have you used the server to do the tests you had planned? Do you still need it? (you'd mentioned needing it till end of Jan, so I wanted to ask as we approach the end of the month).

benfulton commented 4 years ago

Definitely not finished with it. Maybe check back at the end of February :)

benfulton commented 4 years ago

Would you add accounts for scamicha, athota, and mkusz ? Thanks!

rperigo commented 4 years ago

This is done.

benfulton commented 4 years ago

I need to be able to edit /etc/globus-connect-server.conf

and run

sudo globus-connect-server-setup

Thanks!

rperigo commented 4 years ago

These changes are made

benfulton commented 4 years ago

I need to be able to run

sudo globus-connect-server-config

Please allow mkusz and athota to run this and also the prior items.

Please also

yum install globus-gridftp-server-box

from the Globus repository,

Thanks!

rperigo commented 4 years ago

You and Abhinav should be able to run both the server-config and server-setup binaries with sudo. Who is mkusz, by the way? I can add the same sudo perms, but we like to know who users are before giving them any sort of admin privileges.

benfulton commented 4 years ago

Matt Kusz, sits across from Abhinav sort of behind the monitor :)

-- Ben Fulton, Research Applications and Deep Learning, Research Technologies, Indiana University. E-Mail: befulton@iu.edu

(Replied by email to rperigo's comment sent Thursday, February 6, 2020 10:52 AM.)

rperigo commented 4 years ago

He can run those binaries as well, now.

matthew-kusz commented 4 years ago

Hi, I wanted to double check that globus-gridftp-server-box has been installed.

rperigo commented 4 years ago

That's correct.

Installed Packages
globus-gridftp-server-box.x86_64    0.14-1.el7+gcs5    @Globus-Connect-Server-5-Stable
matthew-kusz commented 4 years ago

I have been having problems trying to set up a guest collection to our endpoint. I keep timing out with a connect error. I tried to remove the guest collection and storage gateway and create a new one to try and fix the problem. Now, I have been receiving an error when trying to set up a guest collection with our endpoint: "An unexpected error has occurred. Unable to load information from https://8bb421.e229.dn.glob.us/api/v1/policies."

benfulton commented 4 years ago

I think it might be that the ports need to be open to the world. Is that going to be an issue?

agopu commented 4 years ago

> I think it might be that the ports need to be open to the world. Is that going to be an issue?

Let's confirm it's indeed a firewall/port issue (via iptables logs for dropped packets); and let's identify Globus/test IPs or subnets that we need to open ports to. Thanks.
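One way to do the confirmation step described above (added example, not a script from this ticket or from the SCA team): summarise iptables LOG entries for packets dropped on a given destination port, so the firewall hypothesis can be checked against evidence and the source addresses that were refused can be listed. It assumes the DROP rule logs with a `IPT-DROP:` prefix and the standard kernel fields (`SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=`); the log lines embedded below are constructed, not real traffic. The `/24` roll-up is only a hint for discussion; the CIDR that actually gets opened should still come from the vendor documentation, as happened later in this thread.

```shell
#!/bin/sh
# Added example (not from the ticket): summarise iptables LOG lines for packets
# dropped on a given destination port. Assumes the DROP rule logs with the
# prefix "IPT-DROP: " and the usual kernel fields (SRC= DST= PROTO= SPT= DPT=).

# Constructed sample log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG='Feb 12 10:01:02 globus-test kernel: IPT-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=443 SYN
Feb 12 10:01:05 globus-test kernel: IPT-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.11 DST=10.0.0.5 PROTO=TCP SPT=51240 DPT=443 SYN
Feb 12 10:01:07 globus-test kernel: IPT-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 SYN
Feb 12 10:01:09 globus-test kernel: IPT-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51235 DPT=443 SYN'

# dropped_sources PORT   (reads log lines on stdin)
# Prints "count source" pairs, most frequent first, for drops whose DPT is PORT.
dropped_sources() {
    port="$1"
    awk -v want="$port" '
        /IPT-DROP:/ {
            src = ""; dpt = ""
            # Walk the whitespace-separated fields and pick out SRC= and DPT=.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt == want) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# dropped_subnets PORT   (reads log lines on stdin)
# Rolls the sources up to their /24 so a candidate subnet can be discussed
# instead of individual hosts. This is a hint, not an allow-list: the CIDR to
# open still has to be confirmed from the service's own documentation.
dropped_subnets() {
    dropped_sources "$1" | awk '{
        split($2, o, ".")
        net = o[1] "." o[2] "." o[3] ".0/24"
        total[net] += $1
    } END { for (n in total) print total[n], n }' | sort -rn
}

# Stand-alone usage: ./drops.sh 443 < /var/log/messages   (or the sample below)
if [ "$#" -gt 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | dropped_sources "$1"
    printf '%s\n' "$SAMPLE_LOG" | dropped_subnets "$1"
fi
```

On the constructed sample, `dropped_sources 443` reports two refused sources (192.0.2.10 twice, 192.0.2.11 once) and ignores the port 22 drop, and `dropped_subnets 443` collapses them to `3 192.0.2.0/24`. In real use, feed it the kernel log instead of `SAMPLE_LOG` and compare the sources against the addresses the Globus service is documented to connect from.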

matthew-kusz commented 4 years ago

I sent an email to Globus support and they responded with this:

The collection creation error is most-likely because the endpoint is not reachable on port 443.

Verify that the services are running: systemctl status gcs_manager httpd

Try to restart them if necessary:
systemctl restart gcs_manager httpd

If the service is running, verify that port 443 is not blocked by a firewall -- it needs to be able to accept connections from ANY address.

If you can send us the above verification, then please also send the following: Please also include the output of the following commands, run as root, from the server hosting the endpoint:

uname -a
sestatus
ifconfig
ping $(hostname -f)
cat /etc/os-release; cat /etc/redhat-release
cat /etc/gridftp.d/*
cat /etc/gridftp.conf
cat /var/lib/globus-connect-server/endpoint-uuid.txt
globus-gridftp-server --version
grep -v "^$|^;|^ClientSecret|^Password" /etc/globus-connect-server.conf

Any additional information you can provide is helpful.

agopu commented 4 years ago

Matt, thanks for sharing feedback from Globus support. Ray emailed you yesterday outside of the ticket (as a courtesy) - let me suggest that you review his note carefully and follow up there, or back on this ticket if you prefer.

rperigo commented 4 years ago

So, the gcs_manager service had failed on httpd, causing port 443 to be completely unavailable. I have restarted the service as well as added a wrapper script at /opt/sca/bin/gcs_manager_httpd which you can run with sudo to restart the service and check status. It takes one argument - the systemctl command to be issued to the service (e.g. start|stop|status|restart).

If we need to make further firewall adjustments, we can meet to discuss. Opening ports to the world on a dev system is generally not a good idea, due to the increased attack surface it creates.
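The wrapper described above is a common least-privilege pattern: rather than granting `sudo systemctl` outright, a fixed script accepts a small allow-list of verbs and applies them to a fixed set of services. Below is an added illustration of that pattern; it is not the actual `/opt/sca/bin/gcs_manager_httpd` script from the ticket, and the install path, the sudoers fragment, the absolute `systemctl` path and the optional second parameter (a stub used for testing) are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example of a restricted sudo wrapper (not the SCA team's script).
# Assumed install path: /opt/sca/bin/gcs_manager_httpd, root-owned, mode 0755.
# Assumed sudoers fragment (create with: visudo -f /etc/sudoers.d/gcs_manager_httpd):
#   %globus-admins ALL=(root) NOPASSWD: /opt/sca/bin/gcs_manager_httpd
# Granting the wrapper rather than systemctl itself keeps the grant to four
# verbs on two services.

SERVICES="gcs_manager httpd"   # the two services Globus support asked to check

# is_allowed_action ACTION -> 0 if ACTION is on the allow-list, 1 otherwise.
# Anything else (other systemctl verbs, or input containing shell
# metacharacters) is refused before it reaches a root-run command.
is_allowed_action() {
    case "$1" in
        start|stop|status|restart) return 0 ;;
        *) return 1 ;;
    esac
}

# run_action ACTION [SYSTEMCTL]
# SYSTEMCTL defaults to the absolute path of systemctl (no PATH lookup under
# sudo); it is a parameter only so the wrapper can be exercised with a stub.
run_action() {
    action="$1"
    systemctl_bin="${2:-/usr/bin/systemctl}"
    if ! is_allowed_action "$action"; then
        printf 'usage: %s {start|stop|status|restart}\n' "$0" >&2
        return 2
    fi
    # Run with a minimal, known environment so nothing inherited from the
    # caller influences the privileged command. $SERVICES is intentionally
    # unquoted so each service name becomes its own argument.
    env -i PATH=/usr/bin:/bin "$systemctl_bin" "$action" $SERVICES
}

# Stand-alone usage: sudo /opt/sca/bin/gcs_manager_httpd status
if [ "$#" -gt 0 ]; then
    run_action "$1"
fi
```

A status check through this wrapper is the same verification Globus support requested earlier in the thread (`systemctl status gcs_manager httpd`), and a restart covers the failure Ray found, without the user needing general administrative access on the VM.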

agopu commented 4 years ago

@matthew-kusz could you confirm if things are working as expected? Thanks!

benfulton commented 4 years ago

Hi Arvind, we still think we need the globus.org server to talk to our server. But I want to meet with Scott so we can determine how to proceed.

agopu commented 4 years ago

@benfulton we will stay tuned. I assume you are referring to a different Globus server than the one Matt mentioned (i.e 8bb421.e229.dn.glob.us which is just a CNAME to our test server.)

benfulton commented 4 years ago

That is correct. Apparently the main server at Globus needs to contact our server. Currently Matt is getting

Command Failed: Error (connect) Endpoint: Globus Test (ae5ce2a5-07ff-450a-8235-2a75b3409ca2) Server: bc8065.27eb.dn.glob.us:443 Message: The operation timed out 

Globus says the collection creation error is most-likely because the endpoint is not reachable on port 443. 

agopu commented 4 years ago

Ray informed me he has a /29 CIDR that Globus uses.

~We assume their servers are based out of Argonne or UC. Could you get a list of IPs or subnets from where they will be connecting to our server?~

benfulton commented 4 years ago

I'm not clear on this. Is Ray setting things up to let the main Globus server through?

agopu commented 4 years ago

We probably will need to use a process of elimination to figure out what IPs/subnets are needed, we could start with the one we have.

rperigo commented 4 years ago

Is there any update on this from your end, @benfulton? I opened 443 to the CIDR globus provides for their services in the documentation last week. If Matt's still running into trouble we can continue from there.

benfulton commented 4 years ago

We've been pretty successful - Matt has been able to transfer files to Box using the server. We'll meet tomorrow 1PM, 350A to discuss if you are interested.

rperigo commented 4 years ago

Good to hear!

agopu commented 4 years ago

Checked in with Ben this morning via Slack - they are still running tests, and would like us to continue running this server for a bit longer.

matthew-kusz commented 4 years ago

Can you install nload or iftop on the VM? We want to look at the connections and data flow to and from the server while making Globus transfers.

rperigo commented 4 years ago

Why not both? nload and iftop should both be available.

Re-opening issue, pending feedback.

rperigo commented 4 years ago

Addendum - iftop requires sudo, however nload does not - try that first, @matthew-kusz. If it doesn't work for you, we can go from there.

matthew-kusz commented 4 years ago

nload did what we needed, thanks!

agopu commented 4 years ago

> nload did what we needed, thanks!

Good to know!