6.11 Installing Moab Accounting Manager

This topic contains instructions on how to install and start Moab Accounting Manager (MAM).

Perform the following in order:

Plan Your Installation
Open Necessary Ports
Install and Initialize the PostgreSQL Server
Install Dependencies, Packages, or Clients
(Optional) Build a Custom RPM
Install MAM Server
Configure the MAM GUI
Access the MAM GUI
Configure Moab Workload Manager to Use Moab Accounting Manager
Initialize Moab Accounting Manager

6.11.1 Plan Your Installation

The first step is determining the number of different hosts (physical machines) required for your MAM installation.

Your MAM installation includes:

MAM Server
MAM Database
MAM GUI (optional)
MAM Clients (possibly several hosts)

Each of these components can be installed on their own hosts (meaning the actual physical machine) or can be combined on same hosts. For example, the MAM Database can be installed on the same host as the MAM Server. Or the MAM Server may be installed on the same host you installed the Moab Server.

If your configuration will have the MAM PostgresSQL database on the same host as the Insight PostgreSQL database, the MAM PostgreSQL database must be same version as the Insight PostgreSQL database. See 6.11 Installing Moab Accounting Manager for supported database versions.

Once you have determined which components are installed on which hosts, complete the rest of the instructions for the MAM installation.

The instructions that follow in this topic will use the term Host after each component to reflect installing on a host (again, meaning the physical machine). For example, MAM Server Host and MAM Database Host. Depending on your configuration, Host may refer to as installed on its own machine or installed on the same machine as another component.

6.11.2 Open Necessary Ports

If your site is running firewall software on its hosts, you will need to configure the firewall to allow connections to the necessary ports.

Do the following as needed:

If you will be installing the MAM Server on a different host from where you installed the Moab Server or you will be installing the MAM Clients on other hosts, then on the MAM Server Host, open the MAM Server port (7112) in the firewall.

[root]# iptables-save > /tmp/iptables.mod

[root]# vi /tmp/iptables.mod
				
# Add the following lines immediately *before* the line matching
# "-A INPUT -j REJECT --reject-with icmp-host-prohibited"

-A INPUT -p tcp --dport 7112 -j ACCEPT
				
[root]# iptables-restore < /tmp/iptables.mod
				
[root]# service iptables save

[root]# firewall-cmd --add-port=7112/tcp --permanent
[root]# firewall-cmd --reload

[root]# vi /etc/sysconfig/SuSEfirewall2
				
FW_SERVICES_EXT_TCP="7112"
				
[root]# service SuSEfirewall2_setup restart

[root]# vi /etc/sysconfig/SuSEfirewall2
				
FW_SERVICES_EXT_TCP="7112"
				
[root]# service SuSEfirewall2 restart

If using the MAM GUI, then on the MAM GUI Host, open the https port (443) in the firewall for secure browser communication.

[root]# iptables-save > /tmp/iptables.mod
				
[root]# vi /tmp/iptables.mod
				
# Add the following lines immediately *before* the line matching
# "-A INPUT -j REJECT --reject-with icmp-host-prohibited"

-A INPUT -p tcp --dport 443 -j ACCEPT
				
[root]# iptables-restore < /tmp/iptables.mod
				
[root]# service iptables save

[root]# firewall-cmd --add-port=https/tcp --permanent
[root]# firewall-cmd --reload

[root]# vi /etc/sysconfig/SuSEfirewall2

FW_SERVICES_EXT_TCP="443"

[root]# service SuSEfirewall2_setup restart

[root]# vi /etc/sysconfig/SuSEfirewall2

FW_SERVICES_EXT_TCP="443"

[root]# service SuSEfirewall2 restart

If you will be installing the MAM PostgreSQL Database on a different host from the MAM Server, then on the host where the MAM PostgreSQL Database Host will reside, open the postgres port (5432) in the firewall.

[root]# iptables-save > /tmp/iptables.mod

[root]# vi /tmp/iptables.mod

# Add the following lines immediately *before* the line matching
# "-A INPUT -j REJECT --reject-with icmp-host-prohibited"

-A INPUT -p tcp --dport 5432 -j ACCEPT

[root]# iptables-restore < /tmp/iptables.mod

[root]# service iptables save

[root]# firewall-cmd --add-port=postgres/tcp --permanent
[root]# firewall-cmd --reload

[root]# vi /etc/sysconfig/SuSEfirewall2

FW_SERVICES_EXT_TCP="5432"

[root]# service SuSEfirewall2_setup restart

[root]# vi /etc/sysconfig/SuSEfirewall2

FW_SERVICES_EXT_TCP="5432"

[root]# service SuSEfirewall2 restart

6.11.3 Install and Initialize the PostgreSQL Server

Moab Accounting Manager uses a database for transactions and data persistence.

The MAM PostgreSQL database may be installed on:

the same host as the MAM Server.
a separate PostgreSQL database host.
a separate shared PostgreSQL database host. If this shared database host will include the Insight PostgreSQL database, then the MAM PostgreSQL database must be same version as the Insight PostgreSQL database. See 6.11 Installing Moab Accounting Manager for supported database versions.

On the host where the MAM PostgreSQL database will reside, do the following:

These instructions assume you will be installing the MAM PostgreSQL database on a different host from where the Insight PostgreSQL database will reside.

If you wish to install both the MAM and the Insight PostgreSQL databases on the same host, different instructions are required. For example, you will need to enable the Insight-specific postgresql RPM repo by following the RPM instructions to prepare the host (see 6.31 Preparing the Host – Typical Method or 6.30 Preparing the Host – Offline Method) and you will need to modify the MAM PostgreSQL install instructions to reflect the different version of PostgreSQL required by Insight (see 6.36.2.C Install PostgreSQL for an example of how to install PostgreSQL for Insight).

Install and initialize the PostgreSQL Server.

[root]# yum install postgresql-server
[root]# service postgresql initdb

[root]# yum install postgresql-server
[root]# postgresql-setup initdb

[root]# zypper install postgresql-server
[root]# service postgresql start

[root]# zypper install postgresql-server
[root]# systemctl start postgresql.service

Configure trusted connections.

Edit or add a "host" line in the pg_hba.conf file for the interface from which the MAM Server will be connecting to the database and ensure that it specifies a secure password-based authentication method (for example, md5).

[root]# vi /var/lib/pgsql/data/pg_hba.conf

# Replace 127.0.0.1 with the IP address of the MAM Server Host if the
# MAM PostgreSQL server is on a separate host from the MAM server.
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5

---

If the MAM Database Host is installed on a different host from where you will install the MAM Server, configure PostgreSQL to accept connections from the MAM Server Host.

[root]# vi /var/lib/pgsql/data/postgresql.conf

# Replace <mam-server-host> with the interface name from which the MAM server
# will be connecting to the database.
listen_addresses = '<mam-server-host>'

---

Start or restart the database.

[root]# chkconfig postgresql on
[root]# service postgresql restart

[root]# chkconfig postgresql on
[root]# service postgresql restart

[root]# systemctl enable postgresql.service
[root]# systemctl restart postgresql.service

[root]# systemctl enable postgresql.service
[root]# systemctl restart postgresql.service

6.11.4 Install Dependencies, Packages, or Clients

Use the following instructions to install the required Moab Accounting Manager dependencies, packages, or clients.

Depending on your configuration, the MAM Server Host and the MAM GUI Host may be installed on the same host. The MAM Client Host is automatically installed on the same host as the MAM Server Host; however, you can also install the MAM Client Host on any other hosts on which you want to have the MAM client commands available to users or administrators.

On the MAM Server Host, the MAM GUI Host, and the MAM Client Hosts, do the following:

[root]# yum install gcc redhat-lsb-core perl rrdtool perl-Config-Tiny perl-Crypt-CBC perl-Crypt-DES perl-Crypt-DES_EDE3 perl-Digest-HMAC perl-Error perl-Log-Dispatch-FileRotate perl-Log-Log4perl perl-XML-LibXML

If installing on RHEL, some packages may not be found in the standard RHEL distribution repositories.

One way to overcome this problem is to install the missing dependencies from EPEL or other reputable repositories. For example (for the current RHEL 7 repositories):

[root]# rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-6.noarch.rpm
[root]# yum install yum-utils
[root]# yum-config-manager --disable epel
[root]# yum install --enablerepo=epel,rhel-7-server-optional-rpms gcc redhat-lsb-core perl rrdtool perl-Config-Tiny perl-Crypt-CBC perl-Crypt-DES perl-Crypt-DES_EDE3 perl-Digest-HMAC perl-Error perl-Log-Dispatch-FileRotate perl-Log-Log4perl perl-XML-LibXML

Alternatively, you can install the available packages in the RHEL repository and then install the missing modules from CPAN.

[root]# yum install --skip-broken gcc redhat-lsb-core perl rrdtool perl-Config-Tiny perl-Crypt-CBC perl-Crypt-DES perl-Crypt-DES_EDE3 perl-Digest-HMAC perl-Error perl-Log-Dispatch-FileRotate perl-Log-Log4perl perl-XML-LibXML perl-CPAN
[root]# cpan YAML Config::Tiny Log::Log4perl Log::Dispatch::FileRotate Compress::Zlib

You may need to run the cpan command more than once for it to complete successfully.

[root]# zypper install gcc lsb-release perl-Config-Tiny perl-Crypt-CBC perl-Crypt-DES perl-Crypt-DES_EDE3 perl-Digest-HMAC perl-Error perl-Log-Log4perl perl-XML-LibXML perl-Params-Validate perl-YAML perl-Log-Dispatch perl-Log-Dispatch-FileRotate

On the MAM Server Host, do the following:

[root]# yum install postgresql postgresql-libs perl-DBD-Pg perl-Date-Manip perl-Time-HiRes perl-DBI

[root]# zypper install postgresql postgresql-libs perl-DBD-Pg perl-Date-Manip perl-DBI

[root]# zypper install postgresql postgresql-devel libpq5 perl-DBD-Pg perl-Date-Manip perl-DBI

perl-DBD-Pg is provided in the SLES 12 devel:languages:perl repository, but for some reason it is not included in the SLES 12 SP1 devel:languages:perl. So if you are installing on SLES 12 SP1, you can install it from the SLES 12 devel:languages:perl repository.

[root]# zypper --plus-repo http://download.opensuse.org/repositories/devel:/languages:/perl/SLE_12 install perl-DBD-Pg

On the MAM GUI Host, do the following:

[root]# yum install httpd mod_ssl perl-CGI perl-CGI-Session

[root]# zypper install apache2 perl-CGI perl-CGI-Session

On each of the MAM Client Hosts (including the MAM Server Host), do the following:

[root]# yum install perl-suidperl perl-Term-ReadLine-Gnu perl-TermReadKey

[root]# yum install perl-CPAN openssl-devel readline-devel ncurses-devel perl-TermReadKey perl-Term-ReadLine-Gnu

[root]# zypper install libopenssl-devel perl-TermReadLine-Gnu perl-TermReadKey
[root]# chmod 4755 /usr/bin/sperl*

[root]# zypper install libopenssl-devel perl-TermReadLine-Gnu perl-Term-ReadKey

If any of the Perl module packages fail to install or are unavailable for your system, you can install it from CPAN by running cpan MODULENAME where MODULENAME is the respective perl module name.

6.11.5 (Optional) Build a Custom RPM

If you want to build a custom RPM, do the following:

Install rpm-build.

[root]# yum install rpm-build

[root]# zypper install rpm-build

Download the latest MAM build (mam-<version>.tar.gz) from the Adaptive Computing Moab HPC Suite Download Center.
The variable marked <version> indicates the build's version.
Untar the downloaded package.
Change directories into the untarred directory.
Edit the ./mam.spec file for RPM customization.
Run ./rpm-build.
Locate the custom RPM in rpm/RPMS/x86_64.

6.11.6 Install MAM Server

On the MAM Server Host, do the following:

Create a user called mam and switch to that user.

[root]# useradd -m mam
[root]# su - mam
[mam]$ mkdir src
[mam]$ cd src

Download the latest MAM build (mam-<version>.tar.gz) from the Adaptive Computing Moab HPC Suite Download Center.
The variable marked <version> indicates the build's version.
Untar the MAM tarball.
```
[mam]$ tar -zxvf mam-9.0.3.tar.gz
```
Navigate to mam-9.0.3.
```
[mam]$ cd mam-9.0.3
```
Configure the software. For a list of all the configuration options, see 6.19 Moab Accounting Manager Configuration Options.
```
[mam]$ ./configure
```
Compile the software.
```
[mam]$ make
```
If you only need to install the clients on a particular system, replace make with make clients-only. If you only need to install the web GUI on a particular system, replace make with make gui-only.
Install the software.
```
[mam]$ exit
[root]# cd ~mam/src/mam-9.0.3
[root]# make install
```
If you only need to install the clients on a particular system, replace make install with make install-clients-only. If you only need to install the web GUI on a particular system, replace make install with make install-gui-only.
As the database user, create a database called mam and grant database privileges to the mam user.
PostgreSQL should have previously been installed using the instructions in 6.10 Preparing for Manual Installation.
```
[root]# su - postgres
[postgres]$ psql

create database mam;
create user mam with password 'changeme!';
\q

[postgres]$ exit
```
The password you define must be synchronized with the database.password value in /opt/mam/etc/mam-server.conf
```
[root]# vi /opt/mam/etc/mam-server.conf

database.password = changeme!
```
Run the hpc.sql script to populate the Moab Accounting Manager database with objects, actions, and attributes necessary to function as an Accounting Manager.
```
[root]# su - mam
[mam]$ cd src/mam-9.0.3
[mam]$ psql mam < hpc.sql
[mam]$ exit
```

Configure MAM to automatically start up at system boot; start the mam service.

[root]# chkconfig --add mam
[root]# service mam start

[root]# chkconfig --add mam
[root]# service mam start

[root]# systemctl enable mam.service
[root]# systemctl start mam.service

[root]# systemctl enable mam.service
[root]# systemctl start mam.service

6.11.7 Configure the MAM GUI

If you plan to use the web GUI, then on the MAM GUI Host, do the following:

As root, add or edit the SSL virtual host definition as appropriate for your environment. To do so, configure the cgi-bin directory in ssl.conf. Below the cgi-bin directory element, create an alias for /cgi-bin pointing to your cgi-bin directory. If you chose to install to a cgi-bin sub-directory, you might want to create an alias for that as well. Also, add index.cgi to the DirectoryIndex so you can use the shorter sub-directory name.

[root]# vi /etc/httpd/conf.d/ssl.conf

<Directory "/var/www/cgi-bin">
## Add these lines
  Options ExecCGI
  AddHandler cgi-script .cgi
  AllowOverride All
  Order allow,deny
  Allow from all
</Directory>

# Aliases for /cgi-bin
Alias /cgi-bin/ /var/www/cgi-bin/
Alias /mam /var/www/cgi-bin/mam/

# Make shorter sub-dir name available
DirectoryIndex index.cgi

[root]# a2enflag SSL
[root]# cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/mam-ssl.conf
[root]# vi /etc/apache2/vhosts.d/mam-ssl.conf

<Directory "/srv/www/cgi-bin">
## Add these lines
  Options ExecCGI
  AddHandler cgi-script .cgi
  AllowOverride All
  Order allow,deny
  Allow from all
</Directory>

# Aliases for /cgi-bin
Alias /cgi-bin/ /srv/www/cgi-bin/
Alias /mam /srv/www/cgi-bin/mam/

# Make shorter sub-dir name available
DirectoryIndex index.cgi

[root]# a2enflag SSL
[root]# cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/mam-ssl.conf
[root]# vi /etc/apache2/vhosts.d/mam-ssl.conf
				
<Directory "/srv/www/cgi-bin">
    Options ExecCGI
    AddHandler cgi-script .cgi
    AllowOverride All
    Require all granted
</Directory>

# Aliases for /cgi-bin
Alias /cgi-bin/ /srv/www/cgi-bin/
Alias /mam /srv/www/cgi-bin/mam/

# Make shorter sub-dir name available
DirectoryIndex index.cgi

If Security Enhanced Linux (SELinux) is enforced, you may need to customize SELinux to allow the web server to make network connections, use setuid for authentication, and write to the log file.

Determine the current mode of SELinux.
```
[root]# getenforce

Enforcing
```

If the command returns a mode of Disabled or Permissive, or if the getenforce command is not found, you can skip the rest of this step.
If the command returns a mode of Enforcing, you can choose between options of customizing SELinux to allow the web GUI to perform its required functions or disabling SELinux on your system.

If you choose to customize SELinux, do the following:

SELinux can vary by version and architecture and that these instructions may not work in all possible environments.

If you used the --prefix=<prefix> configuration option when you configured Moab Accounting Manager, you must replace references to /opt/mam in the example below with the <prefix> you specified. See 6.19 Moab Accounting Manager Configuration Options.

[root]# cat > mamgui.te <<EOF
module mamgui 1.0;
require {
        type httpd_sys_script_t;
        type port_t;
        class capability setuid;
        class tcp_socket name_connect;
}
allow httpd_sys_script_t port_t:tcp_socket name_connect;
allow httpd_sys_script_t self:capability setuid;
EOF
[root]# checkmodule -M -m -o mamgui.mod mamgui.te
[root]# semodule_package -m mamgui.mod -o mamgui.pp
[root]# semodule -i mamgui.pp
[root]# setenforce 0
[root]# chcon -v -t httpd_sys_content_t /opt/mam/log
[root]# setenforce 1

[root]# yum install checkpolicy policycoreutils-python
[root]# cat > mamgui.te <<EOF
module mamgui 1.0;
require {
        type httpd_sys_script_t;
        type unreserved_port_t;
        class tcp_socket name_connect;
}
allow httpd_sys_script_t unreserved_port_t:tcp_socket name_connect;
EOF
[root]# checkmodule -M -m -o mamgui.mod mamgui.te
[root]# semodule_package -m mamgui.mod -o mamgui.pp
[root]# semodule -i mamgui.pp
[root]# setenforce 0
[root]# chcon -v -t httpd_sys_rw_content_t /opt/mam/log
[root]# setenforce 1

For the highest security, it is recommended that you install a public key certificate that has been signed by a certificate authority. The exact steps to do this are specific to your distribution and the chosen certificate authority. An overview of this process for CentOS 7 is documented here.
Alternatively, if your network domain can be secured from man-in-the-middle attacks, you could use a self-signed certificate. Often this does not require any additional steps since in many distributions, such as Red Hat, the Apache SSL configuration provides self-signed certificates by default.
If your configuration uses self-signed certificates, no action is required; Red Hat ships with ready-made certificates.
If your configuration uses self-signed certificates, do the following:
```
[root]# cd /etc/apache2
[root]# openssl genrsa -out ssl.key/server.key 1024
[root]# openssl req -new -key ssl.key/server.key -x509 -out ssl.crt/server.crt
```

Start or restart the HTTP server daemon.

[root]# chkconfig httpd on
[root]# service httpd restart

[root]# systemctl enable httpd.service
[root]# systemctl restart httpd.service

[root]# chkconfig apache2 on
[root]# service apache2 restart

[root]# systemctl enable apache2.service
[root]# systemctl restart apache2.service

6.11.8 Access the MAM GUI

If you plan to use the web GUI, then on the MAM Server Host, do the following:

Create a password for the mam user to be used with the MAM Web GUI.
```
[root]# su - mam
[mam]$ mam-set-password
[mam]$ exit
```
Verify the connection.
1. Open a web browser and navigate to https://<mam-server-host>/cgi-bin/mam.
2. Log in as the mam user with the password you set in step 1.

6.11.9 Configure Moab Workload Manager to Use Moab Accounting Manager

Do the following:

Configure Moab to talk to MAM
Do one of the following:
- MAM Option. If you are will be using the MAM (direct network) accounting manager interface with Moab Workload Manager (this is the default), do the following:
- Native Option. If you are will be using the Native (custom script) accounting manager interface with Moab Workload Manager, do the following:

On the Moab Server Host, restart Moab.

service moab restart

service moab restart

systemctl restart moab.service

systemctl restart moab.service

6.11.10 Initialize Moab Accounting Manager

You will need to initialize Moab Accounting Manager to function in the way that is most applicable to the needs of your site. See Initial Setup in the Moab Accounting Manager Administrator Guide to set up Moab Accounting Manager for your desired accounting mode.