Globus Connect Server 4 to 5 Transition
This page is archived!
At the end of CY23, Globus HQ ended support for Globus Connect Server 4. At that time, existing installations of Globus Connect Server 4 stopped working, and cannot be migrated to Globus Connect Server 5. This page remains as a reference, and for archival purposes.
Conceptual Changes
With Globus Connect Server 4, the term Endpoint meant one of three things:
-
A Globus Connect Personal Endpoint, which runs on a single-user machine (a desktop or laptop, for example).
-
A Globus Connect Server Endpoint, which run on a multi-user system, and which allows users to authenticate and access files as themselves.
-
A Shared Endpoint, which runs on top of one of the other two endpoints, and which allows non-local users access to files belonging to a local user.
Starting with version 5, some new terms are introduced:
-
A Collection is—appropriately—a collection of files and directories, all of which live under a common path. Each collection can have its own set of authorized users. Collections may be accessed using GridFTP, or (new in version 5) over HTTPS.
-
A Storage Gateway is an abstract term used to represent the type of filesystem where the collections live. For example, if a collection exists as a directory on a local (ext4, xfs, …) or network-attached (NFS, GPFS, …) file system, then that collection will be accessed through a “POSIX Gateway”. If the collection exists on Google Drive, then the collection will be accessed through a Google Drive storage gateway.
Storage gateways are implemented using Connectors. The Google Drive connector was introduced in Globus Connect Server version 5.0, and the POSIX connector in version 5.1.
-
Endpoint now refers to a grouping of one or more storage gateways under a single name.
-
Data Transfer Node refers to a physical machine, which is running one instance of the Globus Connect Server software, and one instance of the appropriate connector software for each storage gateway used on the endpoint.
The following diagram from Globus puts all of those terms together:
PIC
For existing Globus Connect Server 4 environments, upgrading to version 5 means making a new endpoint, which will have one storage gateway (a POSIX gateway). Then, you will create a new collection for each directory tree that local users are able to access. Your users will then create additional collections, as they make shared endpoints.
TBD
The MyProxy and MyProxy OAuth authentication methods are not supported!
To be clear: If you are not using the CILogon authentication method, then you can not upgrade to Globus Connect Server 5. Upgrading to 5 is only possible if you are willing to switch to the CILogon authentication method at the same time.
The procedural part of this document is divided into three sections:
-
Preparatory work that can be done before a downtime.
-
Disruptive work, which must be done during a downtime.
-
Cleanup work, which must be done after the downtime.
The preparatory work involves firewall changes, so if your server is behind a network firewall, you should perform the pre-downtime changes several days before your scheduled downtime.
Pre-Downtime Changes
The first thing you need to do, before making any changes, is to locate all of the documents where your existing endpoint is mentioned. Your endpoint’s identity is going to change, so you should know where it is referenced. You should not (nor can you) make any documentation changes now, but you should know where all of the documents are located.
You should also let your entire userbase know that the Globus endpoints will be unavailable. During the downtime, all in-progress transfers will be cancelled, so users should hold on on transferring data, until the downtime is complete.
You should also notify everyone who has shared endpoints, because all shared endpoints will need to be re-created after the downtime. SRCC can help identify the shared endpoint owners.
Globus Connect Server 5 makes some changes to the ports that it uses, so you may need to add an inbound rule:
-
From any IP address (in the
untrust
zone), to TCP port443
.If you are running a MyProxy OAuth server, then you may have already had this port open.
The port is now used for three things:
-
Globus management traffic.
-
GridFTP control traffic (used to coordinate transfers).
-
HTTPS endpoint access.
-
If you firewall outbound traffic, and you plan on using the Google Drive
connector, then you will need to allow all outbound traffic to TCP port
443
. This is because Google does not have a published list of IP ranges for
Google Drive.
Disruptive Changes
Delete and reinstall!
Stop MyProxy and GridFTP. Also, if you used the MyProxy OAuth authentication method, also stop Apache.
service globus-gridftp-server stop service myproxy-server stop service httpd stop
Uninstall all Globus packages:
apt-get purge globus-connect-server apt-get autoremove
yum remove globus-connect-server yum autoremove
NOTE: Pay careful attention to the packages that your package manager wants to auto-remove. For
example, if Apache was installed as part of the original Globus Connect Server
installation, and you have started using Apache for other things, then you will
want to keep the apache2
(on Debian/Ubuntu) or httpd
(on CentOS) package.
On RHEL/CentOS: Install the yum-utils
package. For each top-level package
that you know you want to keep, run yumdb set reason user PACKAGE_NAME
.
Then, try yum autoremove
again.
On Debian/Ubuntu: Run apt-mark manual PACKAGE_NAME
. Then, try apt-get
autoremove
again.
Make sure old Globus configuration has been removed:
rm /etc/globus-connect-server.conf rm -r /etc/grid-security /var/lib/globus /var/lib/globus-connect-server
If you previously used the MyProxy OAuth authentication method, you shoudl also delete the custom logo and CSS files:
rm /etc/globus-myproxy-oauth-logo.png /etc/globus-myproxy-oauth-stylesheet.css
TBD
Post-Downtime Changes
Once Globus Connect Server 5 is up and running, there is some final cleanup work for you to do. First, there is a firewall rule to remove.
You should have a firewall rule in place which allows traffic from
54.237.254.192/29
to connect to your server on TCP ports 2811
and 7512
.
This firewall rule should be removed. GridFTP control traffic—which used to
use port 2811—now lives on port 443. Also, MyProxy—which used to use port
7512—is no longer used.
Finally, if this was the last endpoint associated with your Globus ID, you should email srcc-support@stanford.edu, to report that you are no longer using your Globus ID. SRCC will assist you in deleting your Globus ID from Globus.