SEE-GRID VOMS backup

From EGEE-see Wiki


This page describes a procedure for setting up a backup VOMS server. The SEE-GRID backup VOMS uses MySQL replication to retrieve data from the primary VOMS server. The replication connection is secured using openvpn because MySQL 4.0 doesn't support SSL.


Master

  • Configure openvpn (/etc/openvpn/server.conf):
port 1194
proto udp
dev tun
tls-server
ca client.ca
cert /etc/grid-security/hostcert.pem
key /etc/grid-security/hostkey.pem
dh server.dh
tls-remote /C=GR/O=HellasGrid/OU=auth.gr/CN=voms.grid.auth.gr
tls-auth server.key 0
ifconfig 192.168.0.1 192.168.0.2
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
  • Start openvpn:
# /etc/init.d/openvpn start
Starting openvpn:           [ OK ]
  • Configure the firewall to only allow tunnel access from the backup VOMS (/etc/sysconfig/iptables):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -i tun0 -s 192.168.0.2 -d 192.168.0.1 -j ACCEPT
  • Load the new firewall rules:
# /etc/init.d/iptables restart
  • Configure MySQL (/etc/my.cnf):
[mysqld]
server-id=1
# create replication log
log-bin
# but only for this database
binlog-do-db=voms_seegrid
  • Restart MySQL.
  • Create replication user:
GRANT REPLICATION SLAVE ON *.* TO 'seegrid_rep'@'192.168.0.2' IDENTIFIED BY '16_char_password';
  • Dump the database:
mysql> USE voms_seegrid;
mysql> FLUSH TABLES WITH READ LOCK;
shell> mysqldump --databases voms_seegrid -p > db.dump
mysql> SHOW MASTER STATUS;
+-----------------+----------+--------------+------------------+
| File            | Position | Binlog_do_db | Binlog_ignore_db |
+-----------------+----------+--------------+------------------+
| voms-bin.002    | 79       | voms_seegrid |                  |
+-----------------+----------+--------------+------------------+
mysql> UNLOCK TABLES;
  • Send the replication username/password, the database dump and the master status to the backup server admin.
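The master-side steps name the tunnel endpoints in three places (the openvpn ifconfig line, the iptables rule and the GRANT host), and a single mistyped octet in any of them leaves the slave unable to connect while the tunnel itself looks healthy. The following script is an added example, not part of the wiki page or of any VOMS package: it parses constructed copies of those three fragments and reports any address that disagrees with the tunnel configuration. The sample GRANT deliberately carries a wrong second octet so the check has something to find.

```python
"""Cross-check that the master-side tunnel addresses agree with each other.

Added example (not from the SEE-GRID wiki page): the openvpn ifconfig
line, the iptables rule and the GRANT host are parsed and compared, so a
mistyped octet is caught before the slave admin reports "can't connect".
All inputs below are constructed samples.
"""
import re

# Constructed sample: fragment of the master's /etc/openvpn/server.conf.
SERVER_CONF = """\
dev tun
tls-server
ifconfig 192.168.0.1 192.168.0.2
keepalive 10 120
"""

# Constructed sample: the iptables rule restricting MySQL to the tunnel.
IPTABLES_RULE = ("-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp "
                 "--dport 3306 -i tun0 -s 192.168.0.2 -d 192.168.0.1 -j ACCEPT")

# Constructed sample: a GRANT whose host has a typo (192.169 instead of 192.168).
GRANT_SQL = ("GRANT REPLICATION SLAVE ON *.* TO 'seegrid_rep'@'192.169.0.2' "
             "IDENTIFIED BY '16_char_password';")


def tunnel_endpoints(server_conf):
    """Return (local, remote) from the openvpn 'ifconfig' line, or None."""
    m = re.search(r"^ifconfig\s+(\S+)\s+(\S+)", server_conf, re.M)
    return (m.group(1), m.group(2)) if m else None


def iptables_endpoints(rule):
    """Return a dict of the -s, -d, -i and --dport values found in the rule."""
    found = {}
    for opt in ("-s", "-d", "-i", "--dport"):
        # whitespace before the option keeps '-s' from matching inside '--state'
        m = re.search(r"(?:^|\s)%s\s+(\S+)" % re.escape(opt), rule)
        if m:
            found[opt] = m.group(1)
    return found


def grant_host(sql):
    """Return the host part of 'user'@'host' in a GRANT statement, or None."""
    m = re.search(r"TO\s+'[^']*'@'([^']*)'", sql)
    return m.group(1) if m else None


def check_master_side(server_conf, rule, sql):
    """Return a list of human-readable mismatches (empty means consistent)."""
    problems = []
    ends = tunnel_endpoints(server_conf)
    if ends is None:
        return ["server.conf has no ifconfig line"]
    local, remote = ends
    ipt = iptables_endpoints(rule)
    if ipt.get("-i") != "tun0":
        problems.append("firewall rule is not bound to tun0")
    if ipt.get("--dport") != "3306":
        problems.append("firewall rule does not target MySQL port 3306")
    if ipt.get("-s") != remote:
        problems.append("firewall -s %s != tunnel remote %s" % (ipt.get("-s"), remote))
    if ipt.get("-d") != local:
        problems.append("firewall -d %s != tunnel local %s" % (ipt.get("-d"), local))
    host = grant_host(sql)
    if host != remote:
        problems.append("GRANT host %s != tunnel remote %s" % (host, remote))
    return problems


if __name__ == "__main__":
    for p in check_master_side(SERVER_CONF, IPTABLES_RULE, GRANT_SQL):
        print("MISMATCH: " + p)
```

Run it against the real files by reading /etc/openvpn/server.conf, the relevant line of /etc/sysconfig/iptables and the GRANT you are about to issue; an empty result means the firewall and the account both admit exactly the tunnel peer and nothing else.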

Slave

  • Configure openvpn (/etc/openvpn/client.conf):
proto udp
dev tun
remote voms.irb.hr 1194
nobind
tls-client
ca server.ca
cert /etc/grid-security/hostcert.pem
key /etc/grid-security/hostkey.pem
tls-remote /C=HR/O=edu/OU=irb/CN=host/voms.irb.hr
tls-auth server.key 1
ifconfig 192.168.0.2 192.168.0.1
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
  • Start openvpn:
# /etc/init.d/openvpn start
Starting openvpn:           [ OK ]
  • Configure MySQL (/etc/my.cnf):
[mysqld]
server-id=2

# replicate all tables
replicate-wild-do-table=voms_seegrid.%

# except automatic ones
replicate-ignore-table=voms_seegrid.seqnumber
replicate-ignore-table=voms_seegrid.realtime
  • Restart MySQL.
  • Load the database:
mysql -p < db.dump
  • Start slave:
CHANGE MASTER TO MASTER_HOST='192.168.0.1', MASTER_PORT=3306,
                 MASTER_USER='seegrid_rep', MASTER_PASSWORD='16_char_password',
                 MASTER_LOG_FILE='voms-bin.002', MASTER_LOG_POS=79;
SLAVE START;
  • Create VOMS database user:
GRANT SELECT ON voms_seegrid.* TO seegrid_que IDENTIFIED BY 'some_password';
GRANT SELECT ON voms_seegrid.* TO seegrid_que@localhost IDENTIFIED BY 'some_password';
GRANT LOCK TABLES ON voms_seegrid.* TO seegrid_que IDENTIFIED BY 'some_password';
GRANT LOCK TABLES ON voms_seegrid.* TO seegrid_que@localhost IDENTIFIED BY 'some_password';
GRANT UPDATE ON voms_seegrid.seqnumber TO seegrid_que IDENTIFIED BY 'some_password';
GRANT UPDATE ON voms_seegrid.seqnumber TO seegrid_que@localhost IDENTIFIED BY 'some_password';
FLUSH PRIVILEGES;
  • Configure VOMS (/opt/edg/etc/voms/seegrid/voms.conf):
--vo=seegrid
--port=15010
--dbname=voms_seegrid
--username=seegrid_que
--passfile=/opt/edg/etc/voms/seegrid/voms.pass
--logfile=/opt/edg/var/log/voms.seegrid
  • Put the seegrid_que password ('some_password') in /opt/edg/etc/voms/seegrid/voms.pass.

A newline has to be present after the password. The file needs to be mode 640 and owned by the user running the VOMS daemon.

  • Start VOMS daemon.
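The three requirements on the password file (trailing newline, mode 640, owned by the daemon user) are easy to get wrong by hand and a world-readable voms.pass exposes the database password to every local account. The script below is an added example, not part of the wiki page or of the VOMS package: it checks an existing password file against those requirements and also shows how to write one correctly. The daemon user name is an assumption supplied by the caller; the demo uses the current user as a stand-in.

```python
"""Check a VOMS --passfile against the requirements stated on the page.

Added example, not part of the SEE-GRID wiki page or the VOMS package: it
verifies that the password file ends with a newline, is mode 640 and is
owned by the user that runs the VOMS daemon. The daemon user name is an
assumption passed in by the caller.
"""
import os
import pwd
import stat
import tempfile


def check_passfile(path, daemon_user):
    """Return a list of problems with the password file (empty = OK)."""
    problems = []
    try:
        st = os.stat(path)
    except OSError as e:
        return ["cannot stat %s: %s" % (path, e)]
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o640:
        problems.append("mode is %04o, expected 0640" % mode)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    if owner != daemon_user:
        problems.append("owner is %s, expected %s" % (owner, daemon_user))
    with open(path, "rb") as f:
        data = f.read()
    if not data.endswith(b"\n"):
        problems.append("password is not followed by a newline")
    first = data.split(b"\n")[0]
    if not first:
        problems.append("first line (the password) is empty")
    return problems


def write_passfile(path, password, mode=0o640):
    """Write the password followed by a newline, with a restrictive mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(password.encode() + b"\n")
    os.chmod(path, mode)   # os.open honours the umask, so set the mode explicitly


def demo():
    """Constructed demonstration in a temp dir; returns (bad, good) problem lists."""
    me = pwd.getpwuid(os.getuid()).pw_name   # stand-in for the VOMS daemon user
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "voms.pass")
    with open(bad, "wb") as f:
        f.write(b"some_password")              # constructed: no trailing newline
    os.chmod(bad, 0o644)                       # constructed: world-readable
    good = os.path.join(d, "voms.pass.ok")
    write_passfile(good, "some_password")
    return check_passfile(bad, me), check_passfile(good, me)


if __name__ == "__main__":
    bad, good = demo()
    print("bad file:  %s" % (bad or "OK"))
    print("good file: %s" % (good or "OK"))
```

On the real server call check_passfile('/opt/edg/etc/voms/seegrid/voms.pass', daemon_user) with the account the VOMS daemon runs as; the ownership check matters because VOMS reads the file as that user, and the mode check matters because any other local user who can read it can query the replicated database directly.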

Troubleshooting

  • In case of multiple replicated databases, the replicate-do-db option might not work (data arrives from the master but is then ignored by the slave). Replacing it with replicate-wild-do-table seems to help:
# backup for see
replicate-wild-do-table=voms_see.%
replicate-ignore-table=voms_see.seqnumber

# backup for sgdemo
replicate-wild-do-table=voms_sgdemo.%
replicate-ignore-table=voms_sgdemo.seqnumber
  • /var/log/messages
  • SHOW MASTER STATUS;
  • SHOW PROCESSLIST;
  • SHOW SLAVE STATUS;
  • /opt/edg/var/log/voms.seegrid
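SHOW MASTER STATUS on the master and SHOW SLAVE STATUS on the slave are the two outputs to compare when checking that the backup is actually current. The script below is an added example, not from the wiki page: it parses constructed copies of both outputs (tabular for the master, \G-style for the slave, using the MySQL 4.0 column names), reports whether both replication threads are running and computes how many binlog bytes the slave still has to apply. The sample slave output is constructed with a stopped SQL thread so the report shows a failure case.

```python
"""Compare SHOW MASTER STATUS (master) with SHOW SLAVE STATUS (slave).

Added example, not from the wiki page: it parses the tabular output of
SHOW MASTER STATUS and the \\G output of SHOW SLAVE STATUS and reports
whether both replication threads run and how far the slave's applied
position trails the master's binlog. Column names follow MySQL 4.0; both
sample outputs are constructed.
"""
import re

# Constructed sample: SHOW MASTER STATUS on the primary VOMS.
MASTER_STATUS = """\
+-----------------+----------+--------------+------------------+
| File            | Position | Binlog_do_db | Binlog_ignore_db |
+-----------------+----------+--------------+------------------+
| voms-bin.002    | 1543     | voms_seegrid |                  |
+-----------------+----------+--------------+------------------+
"""

# Constructed sample: SHOW SLAVE STATUS\G on the backup, SQL thread stopped.
SLAVE_STATUS = """\
*************************** 1. row ***************************
          Master_Host: 192.168.0.1
          Master_User: seegrid_rep
          Master_Port: 3306
        Connect_retry: 60
      Master_Log_File: voms-bin.002
  Read_Master_Log_Pos: 1543
       Relay_Log_File: backup-relay-bin.004
        Relay_Log_Pos: 1402
Relay_Master_Log_File: voms-bin.002
     Slave_IO_Running: Yes
    Slave_SQL_Running: No
           Last_errno: 1062
           Last_error: Error 'Duplicate entry' on query
         Skip_counter: 0
  Exec_master_log_pos: 1287
"""


def parse_table(text):
    """Return the first data row of a MySQL ASCII table as a dict."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if len(rows) < 2:
        raise ValueError("no table rows found")
    return dict(zip(rows[0], rows[1]))


def parse_vertical(text):
    """Return the 'Name: value' pairs of a \\G-formatted result as a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s?(.*)$", line)
        if m:
            out[m.group(1)] = m.group(2).rstrip()
    return out


def assess(master_text, slave_text):
    """Summarise replication health; 'problems' is empty when all is well."""
    master = parse_table(master_text)
    slave = parse_vertical(slave_text)
    problems = []
    if slave.get("Slave_IO_Running") != "Yes":
        problems.append("I/O thread not running (check the tunnel and the GRANT)")
    if slave.get("Slave_SQL_Running") != "Yes":
        problems.append("SQL thread stopped: errno %s: %s"
                        % (slave.get("Last_errno"), slave.get("Last_error")))
    lag = None
    if slave.get("Relay_Master_Log_File") == master["File"]:
        # same binlog file on both sides: lag is the byte distance
        lag = int(master["Position"]) - int(slave["Exec_master_log_pos"])
    else:
        problems.append("slave is still applying %s while master writes %s"
                        % (slave.get("Relay_Master_Log_File"), master["File"]))
    return {"lag_bytes": lag, "problems": problems}


if __name__ == "__main__":
    report = assess(MASTER_STATUS, SLAVE_STATUS)
    print("lag: %s bytes" % report["lag_bytes"])
    for p in report["problems"]:
        print("PROBLEM: " + p)
```

A stopped I/O thread usually points at the tunnel or the replication account on the master; a stopped SQL thread with a Last_error points at the slave's own data, which on this setup is typically a table that should have been listed under replicate-ignore-table.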

Reference

  • /opt/edg/sbin/voms_install_replica (from voms-server_gcc3_2_2 package)