6.32 Installing Moab Accounting Manager

This topic contains instructions on how to install, configure, and start Moab Accounting Manager (MAM).

Perform the following:

Plan Your Installation
Confirm Requirements
Open Necessary Ports
Install Dependencies, Packages, or Clients
Install MAM Server
Configure the MAM GUI
Access the MAM GUI
Configure Moab Workload Manager to use Moab Accounting Manager
Initialize Moab Accounting Manager

6.32.1 Plan Your Installation

The first step is determining the number of different hosts (physical machines) required for your MAM installation.

Your MAM installation includes:

MAM Server
MAM Database
MAM GUI (optional)
MAM Clients (possibly several hosts)

Each of these components can be installed on their own hosts (meaning the actual physical machine) or can be combined on same hosts. For example, the MAM Database can be installed on the same host as the MAM Server. Or the MAM Server may be installed on the same host you installed the Moab Server.

If your configuration will have the MAM PostgresSQL database on the same host as the Insight PostgreSQL database, the MAM PostgreSQL database must be same version as the Insight PostgreSQL database. See 6.32 Installing Moab Accounting Manager for supported database versions.

Once you have determined which components are installed on which hosts, complete the rest of the instructions for the MAM installation.

The instructions that follow in this topic will use the term Host after each component to reflect installing on a host (again, meaning the physical machine). For example, MAM Server Host and MAM Database Host. Depending on your configuration, Host may refer to as installed on its own machine or installed on the same machine as another component.

6.32.2 Confirm Requirements

In this section:

6.32.2.A Hardware Requirements
6.32.2.B Supported Operating Systems
6.32.2.C Supported Databases

6.32.2.A Hardware Requirements

Dual or Quad core Intel/AMD x86-64 processor
At least 8 GB of RAM
1-2 TB disk space

MAM is commonly installed on the same host as Moab; however, in some cases you might obtain better performance by installing them on different hosts.

6.32.2.B Supported Operating Systems

MAM has been tested on the following variants of Linux:

CentOS (6.x, 7.x)
RHEL (6.x, 7.x)
Scientific Linux (6.x, 7.x)
SLES (12)

6.32.2.C Supported Databases

MAM uses an RDBMS as a back end.

PostgreSQL 7.2 or higher

Adaptive Computing recommends that the database used by MAM does not reside on the same host as the database used by Insight. However, if you choose to install the MAM PostgreSQL database on the same host where the Insight PostgreSQL database, then the MAM PostgreSQL database must be same version as the Insight PostgreSQL database. See 6.32 Installing Moab Accounting Manager for supported database versions.

6.32.3 Open Necessary Ports

If your site is running firewall software on its hosts, you will need to configure the firewall to allow connections to the necessary ports.

Do the following as needed.

If you will be installing the MAM Server on a different host from where you installed the Moab Server or you will be installing the MAM Clients on other hosts, then on the MAM Server Host, open the MAM Server port (7112) in the firewall.

[root]# iptables-save > /tmp/iptables.mod

[root]# vi /tmp/iptables.mod

# Add the following lines immediately *before* the line matching
# "-A INPUT -j REJECT --reject-with icmp-host-prohibited"

-A INPUT -p tcp --dport 7112 -j ACCEPT

[root]# iptables-restore < /tmp/iptables.mod

[root]# service iptables save

[root]# firewall-cmd --add-port=7112/tcp --permanent
[root]# firewall-cmd --reload

[root]# vi /etc/sysconfig/SuSEfirewall2

FW_SERVICES_EXT_TCP="7112"

[root]# service SuSEfirewall2 restart

If using the MAM GUI, then on the MAM GUI Host, open the https port in the firewall for secure browser communication.

[root]# iptables-save > /tmp/iptables.mod

[root]# vi /tmp/iptables.mod

# Add the following lines immediately *before* the line matching
# "-A INPUT -j REJECT --reject-with icmp-host-prohibited"

-A INPUT -p tcp --dport 443 -j ACCEPT

[root]# iptables-restore < /tmp/iptables.mod

[root]# service iptables save

[root]# firewall-cmd --add-port=https/tcp --permanent
[root]# firewall-cmd --reload

[root]# vi /etc/sysconfig/SuSEfirewall2

FW_SERVICES_EXT_TCP="443"

[root]# service SuSEfirewall2 restart

If you will be installing the MAM Database on a different host from the MAM Server, then on the MAM Database Host, open the postgres port (5432) in the firewall.

[root]# iptables-save > /tmp/iptables.mod

[root]# vi /tmp/iptables.mod

# Add the following lines immediately *before* the line matching
# "-A INPUT -j REJECT --reject-with icmp-host-prohibited"

-A INPUT -p tcp --dport 5432 -j ACCEPT

[root]# iptables-restore < /tmp/iptables.mod

[root]# service iptables save

[root]# firewall-cmd --add-port=postgres/tcp --permanent
[root]# firewall-cmd --reload

[root]# vi /etc/sysconfig/SuSEfirewall2

FW_SERVICES_EXT_TCP="5432"

[root]# service SuSEfirewall2 restart

6.32.4 Install Dependencies, Packages, or Clients

In this section:

6.32.4.A Install and Initialize PostgreSQL Server
6.32.4.B Install Perl ReadLine (Optional)

6.32.4.A Install and Initialize PostgreSQL Server

Moab Accounting Manager uses a database for transactions and data persistence.

The MAM PostgreSQL database may be installed on:

the same host as the MAM Server.
a separate PostgreSQL database host.
a separate shared PostgreSQL database host. If this shared database host will include the Insight PostgreSQL database, then the MAM PostgreSQL database must be same version as the Insight PostgreSQL database. See 6.32 Installing Moab Accounting Manager for supported database versions.

On the host where the MAM PostgreSQL database will reside, do the following:

These instructions assume you will be installing the MAM PostgreSQL database on a different host from where the Insight PostgreSQL database will reside.

If you wish to install both the MAM and the Insight PostgreSQL databases on the same host, different instructions are required. For example, you will need to enable the Insight-specific postgresql RPM repo by following the RPM instructions to prepare the host (see 6.31 Preparing the Host – Typical Method or 6.30 Preparing the Host – Offline Method) and you will need to modify the MAM PostgreSQL install instructions to reflect the different version of PostgreSQL required by Insight (see 6.36.2.C Install PostgreSQL for an example of how to install PostgreSQL for Insight).

Install and initialize PostgreSQL.

[root]# yum install postgresql-server
[root]# service postgresql initdb

[root]# yum install postgresql-server
[root]# postgresql-setup initdb

[root]# zypper install postgresql-server
[root]# systemctl start postgresql.service

Configure trusted connections.

Edit or add a "host" line in the pg_hba.conf file for the interface from which the MAM Server will be connecting to the database and ensure that it specifies a secure password-based authentication method (for example, md5).

[root]# vi /var/lib/pgsql/data/pg_hba.conf

# Replace 127.0.0.1 with the IP address of the MAM Server Host if the
# MAM PostgreSQL server is on a separate host from the MAM server.
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5

---

If the MAM Database Host is installed on a different host from where you will install the MAM Server, configure PostgreSQL to accept connections from the MAM Server Host.

[root]# vi /var/lib/pgsql/data/postgresql.conf

# Replace <mam-server-host> with the interface name from which the MAM server
# will be connecting to the database.
listen_addresses = '<mam-server-host>'

---

Start or restart the database.

[root]# chkconfig postgresql on

[root]# service postgresql restart

[root]# systemctl enable postgresql.service

[root]# systemctl restart postgresql.service

[root]# systemctl enable postgresql.service

[root]# systemctl restart postgresql.service

6.32.4.B Install Perl ReadLine (Optional)

Moab Accounting Manager can be optionally configured to provide command history editing functionality in the mam-shell command.

The perl-Term-ReadLine-Gnu package is recommended and is typically included in the standard repositories for the OS.

To install the perl-Term-ReadLine-Gnu package:

[root]# yum install perl-Term-ReadLine-Gnu

perl-Term-ReadLine-Gnu is not available from the standard repositories for the 7.0 release; however, it is available in the 7.1 release and later.

For the 7.0 release, you will need to install the RPM from a third-party RPM provider. Alternately, you can install the perl module from CPAN.

[root]# cpan Term::ReadLine::Gnu

[root]# zypper install perl-Term-ReadLine-Gnu

6.32.5 Install MAM Server

You must complete all the previous sections in this topic before installing MAM server. See the list of steps at the beginning of this topic.

On the MAM Server Host do the following:

If you are installing the MAM Server on its own host and not on the same host where you installed another server (such as Moab Server), verify you completed the steps to prepare the host. See 6.31 Preparing the Host – Typical Method or 6.30 Preparing the Host – Offline Method.

Install the MAM Server RPM.

yum install moab-accounting-manager

If installing on RHEL, some packages may not be found in the standard RHEL distribution repositories. If the packages are not found, you will need to install the missing dependencies from EPEL or other reputable repositories.

For example (for the current RHEL 7 repositories):

[root]# rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm
[root]# yum install yum-utils
[root]# yum-config-manager --disable epel
[root]# yum install --enablerepo=epel,rhel-7-server-optional-rpms moab-accounting-manager

zypper install moab-accounting-manager

As the database user, create a database called mam and grant database privileges to the mam user.

PostgreSQL was installed and initialized earlier in this topic. See 6.32.4.A Install and Initialize PostgreSQL Server.
```
[root]# su - postgres
[postgres]$ psql

create database mam;
create user mam with password 'changeme!';
\q

[postgres]$ exit
```
The password you define must be synchronized with the database.password value in /opt/mam/etc/mam-server.conf.
```
[root]# vi /opt/mam/etc/mam-server.conf

database.password = changeme!
```
Run the hpc.sql script to populate the Moab Accounting Manager database with objects, actions, and attributes necessary to function as an Accounting Manager.

Start the mam service.

[root]# chkconfig --add mam
[root]# service mam start

[root]# systemctl enable mam.service
[root]# systemctl start mam.service

[root]# systemctl enable mam.service
[root]# systemctl start mam.service

6.32.6 Configure the MAM GUI

If you plan to use the web GUI, then on the MAM GUI Host, do the following:

As root, add or edit the SSL virtual host definition as appropriate for your environment. To do so, configure the cgi-bin directory in ssl.conf. Below the cgi-bin directory element, create an alias for /cgi-bin pointing to your cgi-bin directory. If you chose to install to a cgi-bin sub-directory, you might want to create an alias for that as well. Also, add index.cgi to the DirectoryIndex so you can use the shorter sub-directory name.

[root]# vi /etc/httpd/conf.d/ssl.conf

<Directory "/var/www/cgi-bin">
## Add these lines
  Options ExecCGI
  AddHandler cgi-script .cgi
  AllowOverride All
  Order allow,deny
  Allow from all
</Directory>

# Aliases for /cgi-bin
Alias /cgi-bin/ /var/www/cgi-bin/
Alias /mam /var/www/cgi-bin/mam/

# Make shorter sub-dir name available
DirectoryIndex index.cgi

[root]# a2enflag SSL
[root]# cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/mam-ssl.conf
[root]# vi /etc/apache2/vhosts.d/mam-ssl.conf

<Directory "/srv/www/cgi-bin">
  Options ExecCGI
  AddHandler cgi-script .cgi
  AllowOverride All
  Require all granted
</Directory>

# Aliases for /cgi-bin
Alias /cgi-bin/ /srv/www/cgi-bin/
Alias /mam /srv/www/cgi-bin/mam/

# Make shorter sub-dir name available
DirectoryIndex index.cgi

For Red Hat-based systems where Security Enhanced Linux (SELinux) is enforced, you may need to customize SELinux to allow the web server to make network connections, use setuid for authentication, and write to the log file.

Determine the current mode of SELinux.
```
[root]# getenforce

Enforcing
```

If the command returns a mode of Disabled or Permissive, or if the getenforce command is not found, you can skip the rest of this step.
If the command returns a mode of Enforcing, you can choose between options of customizing SELinux to allow the web GUI to perform its required functions or disabling SELinux on your system.

If you choose to customize SELinux, do the following:

SELinux can vary by version and architecture and that these instructions may not work in all possible environments.

If you used the --prefix=<prefix> configuration option when you configured Moab Accounting Manager, you must replace references to /opt/mam in the example below with the <prefix> you specified. See 6.19 Moab Accounting Manager Configuration Options.

[root]# cat > mamgui.te <<EOF
module mamgui 1.0;
require {
        type httpd_sys_script_t;
        type port_t;
        class capability setuid;
        class tcp_socket name_connect;
}
allow httpd_sys_script_t port_t:tcp_socket name_connect;
allow httpd_sys_script_t self:capability setuid;
EOF
[root]# checkmodule -M -m -o mamgui.mod mamgui.te
[root]# semodule_package -m mamgui.mod -o mamgui.pp
[root]# semodule -i mamgui.pp
[root]# setenforce 0
[root]# chcon -v -t httpd_sys_content_t /opt/mam/log
[root]# setenforce 1

[root]# yum install checkpolicy policycoreutils-python
[root]# cat > mamgui.te <<EOF
module mamgui 1.0;
require {
        type httpd_sys_script_t;
        type unreserved_port_t;
        class tcp_socket name_connect;
}
allow httpd_sys_script_t unreserved_port_t:tcp_socket name_connect;
EOF
[root]# checkmodule -M -m -o mamgui.mod mamgui.te
[root]# semodule_package -m mamgui.mod -o mamgui.pp
[root]# semodule -i mamgui.pp
[root]# setenforce 0
[root]# chcon -v -t httpd_sys_rw_content_t /opt/mam/log
[root]# setenforce 1

For the highest security, it is recommended that you install a public key certificate that has been signed by a certificate authority. The exact steps to do this are specific to your distribution and the chosen certificate authority. An overview of this process for CentOS 7 is documented here.
Alternatively, if your network domain can be secured from man-in-the-middle attacks, you could use a self-signed certificate. Often this does not require any additional steps since in many distributions, such as Red Hat, the Apache SSL configuration provides self-signed certificates by default.
If your configuration uses self-signed certificates, no action is required. RedHat 67 ships with ready-made certificates.
If your configuration uses self-signed certificates, do the following:
```
[root]# cd /etc/apache2
[root]# openssl genrsa -out ssl.key/server.key 1024
[root]# openssl req -new -key ssl.key/server.key -x509 -out ssl.crt/server.crt
```

Start or restart the HTTP server daemon.

[root]# chkconfig httpd on
[root]# service httpd restart

[root]# systemctl enable httpd.service
[root]# systemctl restart httpd.service

[root]# systemctl enable apache2.service
[root]# systemctl restart apache2.service

6.32.7 Access the MAM GUI

If you plan to use the web GUI, then on the MAM Server Host, do the following:

Create a password for the mam user to be used with the MAM Web GUI.
```
[root]# su - mam
[mam]$ mam-set-password
[mam]$ exit
```
Verify the connection.
1. Open a web browser and navigate to https://<mam-server-host>/mam.
2. Log in as the mam user with the password you set in step 1.

6.32.8 Configure Moab Workload Manager to use Moab Accounting Manager

Do the following, where applicable:

On the Moab Server Host, edit the Moab configuration file.
```
[root]# vi /opt/moab/etc/moab.cfg
AMCFG[mam] TYPE=MAM HOST=<mam_server_host>
```
1. Uncomment the AMCFG lines and customize as needed. See Accounting, Charging, and Allocation Management in the Moab Workload Manager Administrator Guide.
2. If the Moab Server and the MAM Server are on the same host, set HOST to 'localhost'; otherwise, set HOST to the host name for the MAM Server (MAM Server Host).
Configure Moab to authenticate with MAM using the MAM secret key.
1. On the MAM Server Host, copy the auto-generated secret key from the token.value value in the /opt/mam/etc/mam-site.conf file.
2. On the Moab Server Host, add the secret key to the moab-private.cfg file as the value of the CLIENTCFG KEY attribute.
```
[root]# vi /opt/moab/etc/moab-private.cfg

CLIENTCFG[AM:mam] KEY=<MAMSecretKey>
```

Restart Moab

[root]# service moab restart

[root]# systemctl restart moab.service

[root]# systemctl restart moab.service

6.32.9 Initialize Moab Accounting Manager

You will need to initialize Moab Accounting Manager to function in the way that is most applicable to the needs of your site. See Initial Setup in the Moab Accounting Manager Administrator Guide to set up Moab Accounting Manager for your desired accounting mode.