Installing WebAppDIRAC
The first section describes the install procedure of the web framework. The configuration of the web app will be presented in the next sections. While not mandatory, NGINX (nginx.com) can be used to improve the performance of the web framework. The installation and configuration of NGINX will be presented in the last section.
Requirements
Please follow the Requirements instructions to set up the machine. In principle there is no magic to installing the web portal: it is installed like any other DIRAC component. When the machine is ready you can start installing the web portal. Before that, you need the install_site.sh script and a minimal configuration file.
Getting the install script
You can find the instructions for getting the install_site.sh script at the end of the Requirements section.
Configuration file
You can use a standard configuration file, for example from the Primary server installation. Please make sure that the following lines are present in the configuration file:
Extensions = WebApp
WebApp = yes
Installation configuration:
LocalInstallation
{
# These are options for the installation of the DIRAC software
#
# DIRAC release version (this is an example, you should find out the current
# production release)
Release = v7r2p8
# To install the Server version of DIRAC (the default is client)
InstallType = server
# The directory of the DIRAC software installation
TargetPath = /opt/dirac
# DIRAC extension to be installed
# (WebApp is required if you are installing the Portal on this server).
# Only modules not defined as default to install in their projects need to be defined here:
# i.e. LHCb, LHCbWeb for LHCb for example: Extensions = WebAppDIRAC,LHCb,LHCbWeb
Extensions = WebApp
Project = DIRAC
WebPortal = yes
WebApp = yes
# Note: This service is only needed if it does not already exist on the machine used to install the WebApp
Services = Framework/SystemAdministrator
UseServerCertificate = yes
SkipCADownload = yes
Setup = your setup # for example: LHCb-Certification
ConfigurationMaster = no
ConfigurationServer = your configuration service
}
Before you start the installation please make sure that you have the host certificate in the /opt/dirac/etc directory. More info in the Server Certificates section in Requirements.
Create the configuration file and copy the lines above into this file:
vim /home/dirac/DIRAC/install.cfg
Download and run the installation script (use the -v option to specify a version; see the help output):
cd /home/dirac/DIRAC
curl -O https://raw.githubusercontent.com/DIRACGrid/management/master/install_site.sh
chmod +x install_site.sh
./install_site.sh install.cfg
source /opt/dirac/bashrc
Note: If you do not have the /home/dirac/DIRAC directory, please have a look at the instructions given in the Requirements section.
Checks to be done after the installation
If the installation is successful, you will see the following lines:
Status of installed components:
Name Runit Uptime PID
====================================================
1 Web_WebApp Run 6 19887
2 Framework_SystemAdministrator Run 2 19941
Make sure that the portal is listening on the correct port.
Without NGINX:
tail -200f /opt/dirac/runit/Web/WebApp/log/current
2016-06-02 12:44:18 UTC WebApp/Web INFO: Configuring in developer mode...
2016-06-02 12:44:18 UTC WebApp/Web NOTICE: Configuring HTTP on port 8080
2016-06-02 12:44:18 UTC WebApp/Web NOTICE: Configuring HTTPS on port 8443
2016-06-02 12:44:19 UTC WebApp/Web ALWAYS: Listening on https://0.0.0.0:8443/DIRAC/ and http://0.0.0.0:8080/DIRAC/
Using Nginx:
tail -200f /opt/dirac/runit/Web/WebApp/log/current
2016-06-02 12:35:46 UTC WebApp/Web NOTICE: Configuring HTTP on port 8000
2016-06-02 12:35:46 UTC WebApp/Web ALWAYS: Listening on http://0.0.0.0:8000/DIRAC/
If you are not using NGINX and the web server is listening on port 8000, please edit the configuration to add /WebApp/Balancer=None. Make sure that the configuration file /opt/dirac/pro/etc/dirac.cfg is correct: it should contain Extensions=WebApp. For example:
DIRAC
{
Setup = LHCb-Certification
Configuration
{
Servers =
}
Security
{
}
Extensions = WebApp
Setups
{
LHCb-Certification
{
Configuration = LHCb-Certification
Framework = LHCb-Certification
}
}
}
Update using dirac-admin-sysadmin-cli.
Web configuration
To configure the web framework, use the WebApp configuration section. It also contains, under the Schema section, the schema of the menu presented to users. The section has the following structure:
WebApp
{
# Set this if you need to use a balancer: [nginx] in case you have installed nginx
Balancer = None
#NumProcesses = 1
# [PROTOCOL_SSLv2, PROTOCOL_SSLv23, PROTOCOL_SSLv3, PROTOCOL_TLSv1] in case you do not want to use the default protocol
#SSLProtocol = ""
# Theme of the web portal: [tabs] or [desktop]
Theme = tabs
Schema
{
Help = link|http://dirac.readthedocs.io/en/latest/UserGuide/index.html
Tools
{
Application Wizard = DIRAC.ApplicationWizard
Job Launchpad = DIRAC.JobLaunchpad
Notepad = DIRAC.Notepad
Proxy Upload = DIRAC.ProxyUpload
}
Applications
{
Accounting = DIRAC.Accounting
Activity Monitor = DIRAC.ActivityMonitor
Component History = DIRAC.ComponentHistory
Configuration Manager = DIRAC.ConfigurationManager
Downtimes = DIRAC.Downtimes
File Catalog = DIRAC.FileCatalog
Job Monitor = DIRAC.JobMonitor
Job Summary = DIRAC.JobSummary
Pilot Monitor = DIRAC.PilotMonitor
Pilot Summary = DIRAC.PilotSummary
Proxy Manager = DIRAC.ProxyManager
Public State Manager = DIRAC.PublicStateManager
Registry Manager = DIRAC.RegistryManager
Request Monitor = DIRAC.RequestMonitor
Resource Summary = DIRAC.ResourceSummary
Site Summary = DIRAC.SiteSummary
Space Occupancy = DIRAC.SpaceOccupancy
System Administration = DIRAC.SystemAdministration
Transformation Monitor = DIRAC.TransformationMonitor
#ExampleApp = DIRAC.ExampleApp
}
DIRAC = link|http://diracgrid.org
}
}
Define external links:
Web
{
Lemon Host Monitor
{
volhcb01 = link|https://lemonweb.cern.ch/lemon-web/info.php?entity=lbvobox01&detailed=yes
}
}
An example configuration provided by the developers is available in /opt/dirac/pro/WebAppDIRAC/WebApp/web.cfg.
Note: To use the web portal, please fill in the configuration, namely the WebApp section, according to the example above.
Running multiple web instances
If you want to run more than one instance, you have to use NGINX. The configuration of NGINX is described in the next section.
You can define the number of processes in the configuration:
# The number of instances you want to run (by default NumProcesses is 1). The processes will listen on 8000, 8001, ... 800n.
NumProcesses = 4
Balancer = nginx
You can check the number of instances in the log file (runit/Web/WebApp/log/current):
2018-05-09 13:48:28 UTC WebApp/Web NOTICE: Configuring HTTP on port 8000
2018-05-09 13:48:28 UTC WebApp/Web NOTICE: Configuring HTTP on port 8001
2018-05-09 13:48:28 UTC WebApp/Web NOTICE: Configuring HTTP on port 8002
2018-05-09 13:48:28 UTC WebApp/Web NOTICE: Configuring HTTP on port 8003
2018-05-09 13:48:28 UTC WebApp/Web ALWAYS: Listening on http://0.0.0.0:8002/DIRAC/
2018-05-09 13:48:28 UTC WebApp/Web ALWAYS: Listening on http://0.0.0.0:8000/DIRAC/
2018-05-09 13:48:28 UTC WebApp/Web ALWAYS: Listening on http://0.0.0.0:8001/DIRAC/
2018-05-09 13:48:28 UTC WebApp/Web ALWAYS: Listening on http://0.0.0.0:8003/DIRAC/
You have to configure NGINX to forward the requests to those ports:
upstream tornadoserver {
# One for every tornado instance you're running that you want to balance
server 127.0.0.1:8000;
server 127.0.0.1:8001;
server 127.0.0.1:8002;
server 127.0.0.1:8003;
}
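An added example (not part of the DIRAC documentation or code) that cross-checks the ports in the WebApp log against the tornadoserver upstream block, so that an instance missing from NGINX or an upstream entry with no listener is caught. The function names and the sample log and configuration are constructed for the illustration.

```python
import re

# Constructed samples: a NumProcesses = 4 log and an upstream block with three ports.
SAMPLE_LOG = """\
2018-05-09 13:48:28 UTC WebApp/Web INFO: Configuring in developer mode...
2018-05-09 13:48:28 UTC WebApp/Web ALWAYS: Listening on http://0.0.0.0:8002/DIRAC/
2018-05-09 13:48:28 UTC WebApp/Web ALWAYS: Listening on http://0.0.0.0:8000/DIRAC/
2018-05-09 13:48:28 UTC WebApp/Web ALWAYS: Listening on http://0.0.0.0:8001/DIRAC/
2018-05-09 13:48:28 UTC WebApp/Web ALWAYS: Listening on http://0.0.0.0:8003/DIRAC/
"""
SAMPLE_NGINX = """\
upstream tornadoserver {
    # One for every tornado instance you're running that you want to balance
    server 127.0.0.1:8000;
    server 127.0.0.1:8001;
    server 127.0.0.1:8002;
}
"""

LISTEN_RE = re.compile(r"ALWAYS: Listening on (.+)$")
URL_PORT_RE = re.compile(r"https?://[^/:\s]+:(\d+)/")
UPSTREAM_RE = re.compile(r"upstream\s+(\S+)\s*\{(.*?)\}", re.S)
SERVER_RE = re.compile(r"^\s*server\s+[^\s;:]+:(\d+)", re.M)

def listening_ports(log_text):
    """Ports from 'Listening on' lines; one line may name several URLs."""
    ports = set()
    for line in log_text.splitlines():
        match = LISTEN_RE.search(line)
        if match:
            ports.update(int(p) for p in URL_PORT_RE.findall(match.group(1)))
    return ports

def upstream_ports(nginx_text, name="tornadoserver"):
    """Ports of the 'server host:port;' entries in the named upstream block."""
    for found, body in UPSTREAM_RE.findall(nginx_text):
        if found == name:
            return {int(p) for p in SERVER_RE.findall(body)}
    return set()

def compare(log_text, nginx_text):
    listening, upstream = listening_ports(log_text), upstream_ports(nginx_text)
    return {
        "not_balanced": sorted(listening - upstream),  # running, never used by nginx
        "no_listener": sorted(upstream - listening),   # nginx target, nothing there
        "developer_mode": "Configuring in developer mode" in log_text,
    }

if __name__ == "__main__":
    print(compare(SAMPLE_LOG, SAMPLE_NGINX))
```

On a real host, pass the contents of runit/Web/WebApp/log/current and of the NGINX site configuration instead of the samples.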
Note: you can run NGINX on a separate machine.
Install NGINX
Note: you can run NGINX on a separate machine.
The official site of NGINX is http://nginx.org/. The required NGINX version has to be greater than 1.4.
Install Nginx using the package manager of your operating system. At this point, you should be able to install the pre-built Nginx package with dynamic module support:
yum update -y
yum install nginx -y
systemctl enable nginx
systemctl start nginx
If it is successfully installed:
Verifying: nginx-1.16.1-1.el6.ngx.x86_64 1/1
Installed:
nginx.x86_64 0:1.16.1-1.el6.ngx
Configure NGINX
You have to find the nginx.conf file. You can see which configuration is used in /etc/init.d/nginx. For example:
vim /etc/nginx/nginx.conf
Make sure there is a line ‘include /etc/nginx/conf.d/*.conf;’, then create a site.conf under /etc/nginx/conf.d/. Example content of the site.conf (please modify it for your own installation!):
upstream tornadoserver {
# One for every tornado instance you're running that you want to balance
server 127.0.0.1:8000;
}
server {
# Always use HTTPS
listen 80 default_server;
listen [::]:80 default_server;
# Your server name if you have weird network config. Otherwise leave commented
#server_name your.server.domain;
return 301 https://$host$request_uri;
}
server {
# Enabling HTTP/2
listen 443 ssl http2 default_server; # For IPv4
listen [::]:443 ssl http2 default_server; # For IPv6
server_name your.server.domain; # Server domain name
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
# Certs that will be shown to the user connecting to the web.
# Preferably NOT grid certs. Use something that the user cert will not complain about
ssl_certificate /opt/dirac/etc/grid-security/hostcert.pem;
ssl_certificate_key /opt/dirac/etc/grid-security/hostkey.pem;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# Generate your DH parameters with OpenSSL:
# ~ cd /etc/nginx/ssl
# ~ openssl dhparam -out dhparam.pem 4096
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# To secure NGINX from Click-jacking attack
add_header X-Frame-Options SAMEORIGIN always;
# OCSP Stapling --- fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# DNS resolver for stapling so that the resolver defaults to Google’s DNS
resolver 8.8.4.4 8.8.8.8;
ssl_client_certificate /opt/dirac/pro/etc/grid-security/cas.pem;
# ssl_crl /opt/dirac/pro/etc/grid-security/allRevokedCerts.pem;
ssl_verify_client optional;
ssl_verify_depth 10;
ssl_session_cache shared:SSL:10m;
root /opt/dirac/pro;
location ~ ^/[a-zA-Z]+/(s:.*/g:.*/)?static/(.+\.(jpg|jpeg|gif|png|bmp|ico|pdf))$ {
alias /opt/dirac/webRoot/resources/;
# Add one more for every static path. For instance for LHCbWebDIRAC:
# try_files LHCbWebDIRAC/$2 WebAppDIRAC/$2 /;
try_files WebAppDIRAC/$2 DIRACWebAppResources/$2 /;
# Prior to v7r3 this should be slightly different:
# alias /opt/dirac/pro/;
# try_files WebAppDIRAC/WebApp/static/$2 /;
# The new style is mandatory for Python 3 based installations.
expires 10d;
gzip_static on;
gzip_disable "MSIE [1-6]\.";
add_header Cache-Control public;
break;
}
location ~ ^/[a-zA-Z]+/(s:.*/g:.*/)?static/(.+)$ {
alias /opt/dirac/webRoot/resources/;
# Add one more for every static path. For instance for LHCbWebDIRAC:
# try_files LHCbWebDIRAC/$2 WebAppDIRAC/$2 /;
try_files WebAppDIRAC/$2 DIRACWebAppResources/$2 /;
# Prior to v7r3 this should be slightly different:
# alias /opt/dirac/pro/;
# try_files WebAppDIRAC/WebApp/static/$2 /;
# The new style is mandatory for Python 3 based installations.
expires 1d;
gzip_static on;
gzip_disable "MSIE [1-6]\.";
add_header Cache-Control public;
break;
}
location ~ /DIRAC/ {
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://tornadoserver;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
proxy_set_header X-Ssl_client_verify $ssl_client_verify;
proxy_set_header X-Ssl_client_s_dn $ssl_client_s_dn;
proxy_set_header X-Ssl_client_i_dn $ssl_client_i_dn;
# pass escaped certificate pem to DIRAC
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
gzip on;
gzip_proxied any;
gzip_comp_level 9;
gzip_types text/plain text/css application/javascript application/xml application/json;
# WebSocket support (nginx 1.4)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
break;
}
location / {
rewrite ^ https://$host/DIRAC/ permanent;
}
}
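A small audit of the TLS directives in the site.conf example above, added here as an illustration (it is not DIRAC or NGINX code). The deprecated-protocol and weak-cipher lists are this example's assumed policy; TLS 1.0 and 1.1 are deprecated by RFC 8996, and the sample text is constructed from the directives shown above.

```python
# Constructed sample: the TLS directives of the site.conf example above.
SAMPLE_CONF = """\
server {
    listen 443 ssl http2 default_server;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_verify_client optional;
    # ssl_crl /opt/dirac/pro/etc/grid-security/allRevokedCerts.pem;
}
"""
# Assumed policy for this example, not a DIRAC requirement.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
WEAK_CIPHER_TOKENS = ("3DES", "RC4", "MD5", "NULL", "EXPORT")

def directives(conf_text):
    """Map directive name -> list of argument strings, ignoring '#' comments."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";") and len(line) > 1:
            name, *rest = line[:-1].split(None, 1)
            found.setdefault(name, []).append(rest[0].strip() if rest else "")
    return found

def audit(conf_text):
    """Return human-readable findings for the TLS settings in conf_text."""
    conf, findings = directives(conf_text), []
    for args in conf.get("ssl_protocols", []):
        old = sorted(DEPRECATED_PROTOCOLS & set(args.split()))
        if old:
            findings.append("ssl_protocols enables deprecated " + ", ".join(old))
    for args in conf.get("ssl_ciphers", []):
        # Entries starting with "!" are exclusions, so they are not findings.
        weak = [c for c in args.split(":")
                if not c.startswith("!") and any(t in c for t in WEAK_CIPHER_TOKENS)]
        if weak:
            findings.append("ssl_ciphers allows " + ", ".join(weak))
    verifies = any(a in ("on", "optional") for a in conf.get("ssl_verify_client", []))
    if verifies and "ssl_crl" not in conf:
        findings.append("client certificates are verified but no ssl_crl is active")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```

Before dropping TLSv1 and TLSv1.1 from ssl_protocols, check that the clients of your portal support TLSv1.2.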
You can start NGINX now
Start, Stop and restart nginx:
/etc/init.d/nginx start|stop|restart
You have to add to the /WebApp section the following lines in order to use NGINX:
DevelopMode = False
StaticResourceLinkDir = /opt/dirac/webRoot/resources
Balancer = nginx
NumProcesses = 1
In that case one process will be used, listening on port 8000. You can now try the web portal, for example: http://your.server.domain/DIRAC/.
SELinux rules
If you get a 502 Bad Gateway error, you need to generate rules for SELinux. You can see the error in /var/log/nginx/error.log:
016/06/02 15:55:24 [crit] 20317#20317: *4 connect() to 127.0.0.1:8000 failed (13: Permission denied) while connecting to upstream, client: xxx.xxx.xxx.xxx, server: your.server.domain, request: "GET /DIRAC/?view=tabs&theme=Grey&url_state=1| HTTP/1.1", upstream: "http://127.0.0.1:8000/DIRAC/?view=tabs&theme=Grey&url_state=1|", host: "your.server.domain"
Generate the rule:
grep nginx /var/log/audit/audit.log | audit2allow -M nginx
semodule -i nginx.pp
Refresh the page
WebDav
Optionally you can organize a file server to upload and download files.
Provide WebDav module
Install the required development tools of your operating system to be able to compile the WebDAV dynamic module for Nginx:
yum groupinstall "Development Tools" -y
yum install yum-utils pcre-devel zlib-devel libxslt-devel libxml2-devel -y
Download Nginx and the module source code. You need to determine which Nginx version is running on your server like this:
nginx -v
nginx version: nginx/1.16.1
Download the source code corresponding to the installed version:
wget http://nginx.org/download/nginx-1.16.1.tar.gz
Clone the module repository:
git clone https://github.com/arut/nginx-dav-ext-module
Change to the Nginx source code directory, compile the module, and copy it to the standard directory for the Nginx modules:
cd nginx-1.16.1
./configure --with-compat --with-http_dav_module --add-dynamic-module=../nginx-dav-ext-module/
make modules
cp objs/ngx_http_dav_ext_module.so /etc/nginx/modules/
Configure WebDav
To define your WebDav server, add these locations to the NGINX configuration:
# The same directory must exist with 'rw' permissions for all
location /files {
# Access for GET requests without certificate
if ($request_method = GET) {
# Webdav server
error_page 418 = @webdav;
return 418;
}
# Non-GET requests are allowed only with a verified client certificate
if ($ssl_client_verify = NONE) {
return 403 'certificate not found';
}
if ($ssl_client_verify != SUCCESS) {
return 403 'certificate verify failed';
}
# Webdav server
error_page 418 = @webdav;
return 418;
}
location @webdav {
satisfy any;
# Read access for all
limit_except GET {
# Add here the IPs of the hosts that are allowed to make requests other than GET
# First, add the IP of the host used by the master CS.
#allow XXX.XXX.XXX.XXX;
deny all;
}
client_max_body_size 1g;
root /opt/dirac/webRoot/www/;
# Access settings
dav_access group:rw all:rw;
# Allow all possible methods
dav_methods PUT DELETE MKCOL COPY MOVE;
# For webdav clients (Cyberduck and Monosnap)
dav_ext_methods PROPFIND OPTIONS;
# Clients can create paths
create_full_put_path on;
charset utf-8;
autoindex on;
break;
}
Make sure the directory exists with the necessary permissions:
mkdir /opt/dirac/webRoot/www/files
chmod 666 /opt/dirac/webRoot/www/files
chown dirac:dirac /opt/dirac/webRoot/www/files