Useful Tips
NFS
If your NFS server is running Linux (e.g. Red Hat 9) you may experience a
reproducible kernel panic when you attempt to access the automounted
directory. This is caused by Mac OS X 10.3 attempting to use an insecure port
(>1024) to contact the NFS server. You will see a line of the
form:
kernel: nfsd: request from insecure port (******:*****)
To resolve this issue, make sure to include the export option insecure in your
NFS server setup for your 10.3 clients or add the "-P" option when setting up
the automount in netconfig.
Printing to LPD print servers
In Panther, the CUPS printing system no longer uses a reserved port when
connecting to a remote lpd, and some lpd servers require that inbound
connections come from a reserved port. To configure Panther to use a reserved
port:
- In the "Printer Setup Utility" on Panther, hold down the option key as
you click the 'Add' button.
- Select the 'Advanced' item from the pull down at the top.
- Select 'LPD/LPR Host or Printer' from the next pull down
- Enter the name you want for the printer in device name
- The URL will have four parts, all smushed together with no
spaces and appropriate slashes:
- The text lpd://
- The name or IP address of your printer/host
- The name of the queue on the remote end
- The string ?reserve=yes
DDD
A Mac OS X precompiled version of DDD is available, but watch out for the LessTif/Motif conflict with Matlab below.
Matlab
The installer on the Student R13 CD does not work on Panther. A patched installer is available from Mathworks.
Matlab installs its own version of motif in
/Applications/MATLAB_SV13/sys/os/mac which can conflict with other
versions of libXm.dylib installed. To fix this edit the file
/Applications/MATLAB_SV13/bin/LaunchMATLAB.app/Contents/launch_matlab.sh and add the line
export DYLD_LIBRARY_PATH=/Applications/MATLAB_SV13/sys/os/mac
before the open -a X11 statement.
Making Mail.app Behave Like Mutt
Alexei Kosut has written a few AppleScript files to make Mail behave more like mutt. I use two of them with minor modifications: Go To Mailbox and Save To Mailbox
To use these scripts, save them into the directory ~/Library/Scripts/Mail
Scripts/
Useful OS X Links
Getting the Mac Mail.app to Work with DOEGrids Certificates
These instructions are based on Sam Finn's original instructions provided "as
is, without warranty implied or explicit" with one minor change to allow the
Mail.app to access the users private key.
-
This works only with Mac OS 10.3 and above. You must have already obtained your
certificate using, e.g., Netscape: you can't request and retrieve a cert using either
Safari or Internet Explorer on the Mac. The following only works if the e-mail
address that you send e-mail with is the same as the e-mail address associated
with your cert. Capitalization is important.
-
Save your cert to disk
- From Netscape preferences, go to Privacy & Security
- Select Certificates
- Click on Manage Certificates
- Highlight your Certificate
- Click on Backup, follow prompts and save to the desktop
- Quit netscape: you won't need it anymore
-
Add your cert to your keychain by double-clicking on the cert you just saved
to disk. Keychain should open and you will be asked "Do you want to add
certificate(s) from the file ...". If offered a drop-down menu, select the
Keychain whose name is your (mac) username or select "login". You will need to
enter the password you used to encode the certificates when you saved them to
disk in the last step.
-
Allow the Mail.app access to your private key. Click on the private key you
just added in Keychain and select the "Access Control" tab. Under "Always
allow access by these applications" click "Add" and then browse to the Mail
application. Add it to the list.
-
Get the DOEGrids CA and ESNet CA certs. Using Safari go to
http://www.doegrids.org/pages/Fingerprints.htm
and download the PEM encoded ESnet Root CA 1 Certificate by option-clicking on
the link. You should get a file named d1b603c3.0. Move it to the
desktop if it is not already there. Download the PEM encoded DOEGrids Root CA
1 Certificate by option-clicking on the link. You should get a file named
1c3f2ca8.0. Move it to the desktop if it is not already there.
-
Modify your system X509Anchors. In this step you will inform your system that
it should trust the CA that signed your certs. Make a copy of your system
X509Anchors:
sudo cp /System/Library/Keychains/X509Anchors /System/Library/Keychains/X509Anchors.orig
Add the ESnet and DOEGrids certs to X509Anchors:
sudo certtool i ~/Desktop/d1b603c3.0 v k=/System/Library/Keychains/X509Anchors
sudo certtool i ~/Desktop/1c3f2ca8.0 v k=/System/Library/Keychains/X509Anchors
You should get, in both cases, the message "...certificate successfully imported."
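Before running the two certtool imports above, compare each downloaded file's fingerprint with the value shown on the DOEGrids fingerprints page, since the system will trust whatever is added to X509Anchors. The following is an added example, not part of the original instructions; the function names are hypothetical, the expected fingerprint is a placeholder you copy from that page, and the digest defaults to SHA-1 on the assumption that this is what the page publishes.

```shell
# Added example: verify a CA certificate's fingerprint before importing it.

# normalize_fp STRING: strip colons/whitespace and upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# cert_fp FILE [DIGEST]: print the certificate's fingerprint as bare hex.
# Fails if openssl cannot parse FILE as a PEM certificate.
cert_fp() {
    out=$(openssl x509 -in "$1" -noout -fingerprint "-${2:-sha1}" 2>/dev/null) || return 1
    normalize_fp "${out#*=}"      # drop the "SHA1 Fingerprint=" label
}

# verify_anchor FILE EXPECTED [DIGEST]
# Returns 0 on an exact match, 1 on a mismatch, 2 if FILE is not a certificate.
verify_anchor() {
    actual=$(cert_fp "$1" "${3:-sha1}") || { echo "cannot parse $1" >&2; return 2; }
    expected=$(normalize_fp "$2")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "OK   $1 $actual"
    else
        echo "FAIL $1: got $actual, expected $expected" >&2
        return 1
    fi
}

# import_anchor FILE EXPECTED: run the certtool import from the step above
# only when the fingerprint check has passed.
import_anchor() {
    verify_anchor "$1" "$2" &&
        sudo certtool i "$1" v k=/System/Library/Keychains/X509Anchors
}

# Usage (the quoted values are placeholders, not real fingerprints):
#   import_anchor ~/Desktop/d1b603c3.0 'FINGERPRINT-FROM-THE-WEB-PAGE'
#   import_anchor ~/Desktop/1c3f2ca8.0 'FINGERPRINT-FROM-THE-WEB-PAGE'
```

Read the expected value over a channel you trust more than the download itself; a fingerprint fetched from the same tampered page proves nothing.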
You're done! (Re)Start mail. Open a compose window. You should see, in the
area on the far right just below the subject text box, an icon that looks like
a 10 pointed star. It is clickable. If "depressed" then your message will be
signed with your cert; if not, it will not be signed.
When you receive a signed e-mail, the mac mail app should recognize the
signature as valid because it knows to trust the DOEGrids CA.
When you are sending mail to someone whose cert is in your keychain, you will
have a second clickable box next to the signature "star". That box will look
like a padlock. If you click on it, then the message you send will be
encrypted to them.
Grid Tools on Mac OS X 10.3
These instructions describe how I installed some components of the LSC
DataGrid server on a Mac running OS X 10.3 (Panther). I managed to get Globus,
GSI enabled openssh (incoming and outgoing), Condor and pyGlobus and
LSCdataFind installed, as well as a grid FTP server and a Globus job
manager for Condor.
Installing Globus
Installing Globus on Panther is really easy thanks to Sam Meder at ANL who
maintains a Port of GT2 for OS X. To install Globus, I did the following:
- Open a terminal and log in as root using sudo su -
- Make a directory to work in. I used
/var/root/globus/globus-build
- Download Sam's GT2 install script from http://www-unix.mcs.anl.gov/~meder/osx/panther-build.sh
to /var/root/globus
- Edit the install script to change the install environment variables. I
used
BUILDDIR=/var/root/globus/globus-build
INSTALLDIR=/opt/globus
GLOBUS_LOCATION=/opt/globus
GPT_LOCATION=/opt/gpt
VERSION=2.4
FLAVOR=gcc32dbg
- Now just run the script with sh panther-build.sh and wait a
while... It will fetch the mac patched sources, build and install all the components
of gpt and globus that you need.
- Add the lines
GLOBUS_LOCATION="/opt/globus"
export GLOBUS_LOCATION
to /etc/profile (set GLOBUS_LOCATION to wherever you chose
to install globus). Then you can add
# use the globus tools
if [ -f ${GLOBUS_LOCATION}/etc/globus-user-env.sh ] ; then
source ${GLOBUS_LOCATION}/etc/globus-user-env.sh
fi
to your .bash_profile to access all the Globus tools.
-
The panther-build.sh script doesn't install the threaded version of
globus needed for pyGlobus, so after the script completes you will need to cd
into the BUILDDIR defined above and
export GLOBUS_LOCATION=/opt/globus
export GPT_LOCATION=/opt/gpt
${GPT_LOCATION}/sbin/gpt-build -verbose globus-data-management-sdk-2.4-src_bundle.tar.gz gcc32dbgpthr
${GPT_LOCATION}/sbin/gpt-build -verbose globus-resource-management-sdk-2.4-src_bundle.tar.gz gcc32dbgpthr
${GPT_LOCATION}/sbin/gpt-postinstall
-
Running gpt-postinstall will return the message
Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:
/opt/globus/setup/globus/setup-gsi
For further information on using the setup-gsi script, use the -help
option. The -nonroot can be used on systems where root access is
not available.
Run the command /opt/globus/setup/globus/setup-gsi. It will prompt you
to overwrite a file named something like
/etc/grid-security/certificates//grid-security.conf.42864e48
answer yes:
Do you wish to continue (y/n) [y] : y
Then at the next prompt answer q to save, configure the GSI and quit.
Ignore the Base DN for user and host certificates, you will overwrite these
with the correct values later.
========================================================================
(q) save, configure the GSI and Quit
(c) Cancel (exit without saving or configuring)
(h) Help
========================================================================
q
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete
This will make the
/etc/grid-security directory.
-
You will also need to install myProxy. I downloaded the GPT Package 1.14 version from NCSA and installed it with
${GPT_LOCATION}/sbin/gpt-build -verbose myproxy-1.14.tar.gz gcc32dbg
${GPT_LOCATION}/sbin/gpt-postinstall
Installing pyGlobus
-
Get and install SWIG. I downloaded 1.3.21 from www.swig.org and installed it in /usr/local/bin with
./configure && make && make install
Make sure that the location of the SWIG executable is in your PATH.
-
Now get the pyGlobus source from the pyGlobus home page.
Follow the link to the Download GTG Software page and download pyGlobus for gt-2.4.x. This should download a tar ball named pyGlobus-gt-2.4.x-1.0.2.tar.gz.
-
Untar the tarball and edit the file setup.py. At line 666 (after the
line cv["OPT"] = opts and before the line if COMPILE_CC:)
add the lines:
if sys.platform[:6] == 'darwin':
    ld = cv['LDSHARED']
    ld += " -bundle_loader %s" % sys.executable
    cv['LDSHARED'] = ld
so that the build will work on OS X.
- Build and install with
python setup.py install --run-swig --home=${GLOBUS_LOCATION}
It will complain that it can't build the rlsClient, but just continue
anyway.
-
You then need to edit ${GLOBUS_LOCATION}/etc/globus-user-env.sh (and
optionally the .csh version) to add the pyGlobus python path. Add the
lines
#
# PyGlobus-Environment
#
PYTHONPATH="${GLOBUS_LOCATION}/lib/python:${PYTHONPATH}"
export PYTHONPATH
to the end of the file.
Installing LSCdataFind
- Download the tarball ldg-server.tar.gz. This contains the LSCdataFind program and library. The name of the python executable in the env line has been changed from python2 to python.
- export LDG_SERVER_LOCATION=/opt/ldg-server or some other
directory of your choosing.
- mkdir -p ${LDG_SERVER_LOCATION}
- tar -C ${LDG_SERVER_LOCATION} -zxvf ldg-server.tar.gz
- Add the lines
LDG_SERVER_LOCATION="/opt/ldg-server"
export LDG_SERVER_LOCATION
to your /etc/profile
- Add the lines
# use anything in lsc datagrid server
if [ -f ${LDG_SERVER_LOCATION}/etc/setup.sh ] ; then
source ${LDG_SERVER_LOCATION}/etc/setup.sh
fi
to your .bash_profile and optionally
LSC_DATAFIND_SERVER=dataserver.phys.uwm.edu
export LSC_DATAFIND_SERVER
Set up GSI and get the certificates
- Download the tarball certs.tar.gz
which contains the signing policies for certificates.
- Untar this with tar -zxvpPf certs.tar.gz. It should uncompress
into /etc/grid-security/certificates
- cd /etc/grid-security/
- Link the correct certificates for DOEgrids:
ln -sf /etc/grid-security/certificates/globus-host-ssl.conf.1c3f2ca8 globus-host-ssl.conf
ln -sf /etc/grid-security/certificates/globus-user-ssl.conf.1c3f2ca8 globus-user-ssl.conf
ln -sf /etc/grid-security/certificates/grid-security.conf.1c3f2ca8 grid-security.conf
- Get a server host certificate by following the instructions
on the LSC Data Grid pages. Step 3 says to configure your environment. Do
this by
source /opt/globus/etc/globus-user-env.sh
rather than sourcing the LSC DataGrid setup.sh file. I only got a host cert,
I didn't bother with ldap.
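The tar -zxvpPf step above is run as root with -P, so tar writes wherever the archive's absolute member names point. The following is an added example, not part of the original instructions, that lists the archive first and extracts only if every member lies under the expected directory; the same check applies to GSIsshd.tar.gz and Condor.tar.gz, which are unpacked into /System/Library/StartupItems. The function names are hypothetical and the member names in the demonstration are constructed.

```shell
# Added example: vet a tarball's member list before extracting it as root.

# check_members PREFIX: read one member name per line on stdin, print every
# name that would land outside PREFIX, and return 0 only if all names pass.
check_members() {
    prefix=${1%/}                 # tolerate a trailing slash on PREFIX
    bad=0
    seen=0
    while IFS= read -r name || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        seen=1
        case "/$name/" in
            */../*) echo "REJECT (.. component): $name"; bad=1; continue ;;
        esac
        case "$name" in
            "$prefix"|"$prefix"/*) ;;      # inside the expected tree
            *) echo "REJECT (outside $prefix): $name"; bad=1 ;;
        esac
    done
    # An empty listing usually means the archive could not be read.
    [ "$seen" -eq 1 ] || { echo "REJECT (empty listing)"; bad=1; }
    return "$bad"
}

# safe_untar ARCHIVE PREFIX: list with -P so absolute names are shown as
# stored, and run the page's extraction command only if the listing is clean.
safe_untar() {
    tar -tzPf "$1" | check_members "$2" || {
        echo "not extracting $1" >&2
        return 1
    }
    tar -zxvpPf "$1"
}

# Constructed listing for illustration: the second name is outside the tree.
printf '%s\n' /etc/grid-security/certificates/1c3f2ca8.0 /etc/xinetd.d/extra |
    check_members /etc/grid-security/certificates || echo "archive needs review"

# Usage for the step above:
#   safe_untar certs.tar.gz /etc/grid-security/certificates
```

The check covers member names only; symlink and hard-link entries still need a look with tar -tvzPf, since a link inside the tree can point outside it.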
Set up Grid FTP and the Globus Job Manager
- Download the files gsiftp and gsigatekeeper
into /etc/xinetd.d/
- Edit these files and make sure the paths are set correctly if you installed
Globus somewhere strange (you don't need to change anything if you used
/opt/globus as above.)
- Send xinetd a HUP: kill -HUP `cat /var/run/xinetd.pid`
There is no need to modify /etc/services as gsiftp and the
gsigatekeeper are already in there.
GSI Enabled Open SSH
The official Globus-patched OpenSSH distribution is hosted at NCSA, but I had some minor
difficulties getting this to install, as Darwin has a broken
getaddrinfo() but the configure script seems to think that it works
(or ignores the issue) in Panther. I got around this by editing the
configure.ac in the OpenSSH source to always define
BROKEN_GETADDRINFO and then running autoconf to remake
configure. I have rebundled the source into a GPT source bundle with the patch.
Follow the instructions below to install OpenSSH.
- Download the patched bundle gsi_openssh_bundle-3.2-src.tar.gz
- Follow the
install instructions at
NCSA. You can ignore steps 1, 2 and 3 as OS X takes care of 1 and you've
already done 2 and 3. In step 4, the correct build-time configure options for
Panther are GSI_OPENSSH_GPTMACRO="--with-tcp-wrappers --without-rsh".
Make sure you install the compat bundle (available from the downloads page) in step
5.4 to create the symlinks from ssh to gsissh, etc. In step 5.3 the flavor
should be gcc32dbg.
-
Skip step 7 (Install the GSI-OpenSSH Server) as OS X doesn't use System V
style init scripts. To get GSIsshd to start up:
- Make sure the Mac OS X incoming sshd is
turned off (go to "System Preferences", "Sharing" and make sure "Remote Login"
is unchecked in the "Services" tab).
-
Download the tarball GSIsshd.tar.gz which contains the
OS X startup files for the ssh server.
- Untar this in the directory /System/Library/StartupItems/
- Note that the Mac OS X /bin/sh really is sh (not bash),
so the default Globus initialization scripts will not work when run under it.
Download
globus-script-initializer and
globus-sh-tools.sh
and replace /opt/globus/libexec/globus-script-initializer and
/opt/globus/libexec/globus-sh-tools.sh with these files. These deal
with empty variables correctly under Bourne shell (which is more picky than
bash).
- The GSI-enabled sshd should start up at the next boot.
- If you use the Mac Terminal app to ssh around, then add
# use localhost at the display if not set
if [ -z "${DISPLAY}" ] ; then
export DISPLAY=localhost:0.0
fi
to your ~/.bash_profile so that it will look for the local X server.
If you add the X11 server to your Startup Items (under "System
Preferences", "Accounts") then ssh will be able to negotiate tunneling of X
and if you run an X11 app on a remote machine it will appear on your Mac. You
might want to click "Hide" when you add it to the Startup Item so it doesn't
bother you on login.
Condor
- Install of Condor is pretty simple. First open the "Accounts" tool from
"System Preferences" and create an account for condor. Click "+" to create an
account, set the name to "Condor" and make sure the Short Name is also
"condor". Don't set a password. Ignore the warning message about not setting a
password.
- Download the
Condor binaries and run the installer. Configure Condor as normal for a
single machine install as described in the install
instructions. I chose to install in /opt/condor as follows:
- Untar the condor tarball and cd condor-6.6.5
- Run the condor installer with ./condor_install
- Answer the questions as follows (this assumes you don't have a previous
condor install):
- Would you like to do a full installation of Condor? [yes] yes
- Are you planning to setup Condor on multiple machines? [yes] no
- Have you installed a release directory already? [no] no
- Where would you like to install the Condor release directory?
[/usr/local/condor] /opt/condor
- That directory doesn't exist, should I create it now? [yes] yes
- If something goes wrong with Condor, who should get email about it?
[root@baboon.phys.uwm.edu] Enter your email address here.
- What is the full path to a mail program that understands "-s" means
you want to specify a subject? [/usr/bin/mail] hit return to accept
this.
- Do all of the machines in your pool from your domain ("phys.uwm.edu")
share a common filesystem? [no] yes
It will give your domainname rather than phys.uwm.edu but ignore
this.
- Do all of the users across all the machines in your domain have a unique
UID (in other words, do they all share a common passwd file)? [no] yes
- In some cases, even if you have unique UIDs, you might not have all users
listed in the password file on each machine.
Is this the case at your site? [no] no
- Enable Java Universe support? [yes] no
- Shall I create links in some other directory? [yes] no
- What is the full hostname of the central manager?
[baboon.phys.uwm.edu]
It should prompt you with your hostname, not baboon; hit return to accept
this.
- You have a "condor" user on this machine. Do you want to put all the
Condor directories in /Users/condor? [yes] yes
- Should I put a "condor_config.local" file in /Users/condor?
[yes] yes
What name would you like to use for this pool? This should be a
short description (20 characters or so) that describes your site.
For example, the name for the UW-Madison Computer Science Condor
Pool is: "UW-Madison CS". This value is stored in your central
manager's local config file as "COLLECTOR_NAME", if you decide to
change it later. (This shouldn't include any " marks).
Just pick some name that you like such as baboon and hit return
- Should I put in a soft link from /Users/condor/condor_config to
/opt/condor/etc/condor_config [yes] yes
- It should then say
***************************************************************************
Condor has been fully installed on this machine.
***************************************************************************
- Condor doesn't seem to know how to figure out how much memory the machine
has, so in /opt/condor/etc/condor_config uncomment the
MEMORY line and set it to the amount of RAM you have in Mb.
- Download the file Condor.tar.gz
and uncompress it into the startup directory:
cd /System/Library/StartupItems
tar -zxvf Condor.tar.gz
so that Condor will start on boot.
- Add the lines
# add condor to the path
PATH="${PATH}:/opt/condor/bin"
export PATH
to your .bash_profile to access Condor.
Globus Job Manager for Condor
- Make sure condor is in root's path by setting export
PATH=${PATH}:/opt/condor/bin before you continue.
- Get the tarballs globus_gram_job_manager_setup_condor-1.4.tar.gz, globus_gram_reporter-2.0.tar.gz and globus_gram_reporter_setup_condor-1.0.tar.gz
- Install them with
${GPT_LOCATION}/sbin/gpt-build -verbose globus_gram_reporter-2.0.tar.gz gcc32dbg
${GPT_LOCATION}/sbin/gpt-build -verbose globus_gram_job_manager_setup_condor-1.4.tar.gz
${GPT_LOCATION}/sbin/gpt-build -verbose globus_gram_reporter_setup_condor-1.0.tar.gz
${GPT_LOCATION}/sbin/gpt-postinstall
- Edit the file /opt/globus/etc/grid-services/jobmanager-condor and
add -condor-arch PPC -condor-os OSX to the jobmanager configuration
line if it isn't already there. (If the file has -condor-arch no
-condor-os no, change the no to PPC and OSX
respectively.)
After rebooting you can test both condor and the job manager with
the command:
globusrun -o -r gorilla.phys.uwm.edu/jobmanager-condor '&(executable=/bin/date)'
where you should replace gorilla with your host.
Finally...
Reboot your machine. You should have GSI ssh, Condor and Grid FTP services
running when it comes back up.