Configures VOMS clients in particular /etc/vomses/* and /etc/grid-security/vomsdir/*
Puppet Augeas Ruby
Switch branches/tags
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

cernops-voms puppet module

This module manages VOMS resources for VOMS clients, VOMS core and VOMS Admin.

VOMS is the Virtual Organization Membership Service, in use by gLite, EMI, and other grid computing projects.


Client Examples

Create files for the voms-proxy-init and voms-proxy-validate.

    vo       => 'MyVO',
    servers  => [{server => '',
                  port   => '15009',
                  dn     => '/DC=ch/DC=cern/OU=computers/',
                  ca_dn  => '/DC=ch/DC=cern/CN=CERN Trusted Certification Authority'
                 {server => '',
                  port   => '15009',
                   dn    => '/DC=ch/DC=cern/OU=computers/',
                   ca_dn => '/DC=ch/DC=cern/CN=CERN Trusted Certification Authority'

The above declaration will create the files:




For some VOs, you can probably find a predefined class to enable a VO easily which does all the required setup without any additional configuration e.g:


Additions of new VOs will be accepted, please submit pull requests however zero validation of parameters will be made.

A VOMS Core Example

VOMS core is the main voms service and responds to voms-proxy-init requests. To configure a VOMS core services for two VOs.

 # Configure defaults.
     issuer => '',
     sqlpwd => 12345,
     sqlhost => ''
 # Configure VOs.
 voms::core{'special.vo': port => 10000}
 voms::core{'very.special.vo': port => 10001}

For full list of available parameters see voms::core definition.

A VOMS Admin Example

VOMS admin is the tomcat hosted webservice for managing a Virtual Organisation. To configure a few VOMS admin for a number of VOs.

 # Configure defaults.
    sqlpwd => 12345,
    sqlhost => ''
    port => 10000,
    mailfrom => ''
    port     => 10001,
    mailfrom => '',
    config_hash => {'voms.cafiles.period' => 2000,
                  'voms.notification.smtp-server' => ''

For full list of available paramters see voms::admin definition.

The voms::admin definition will not update or load database schemas however scripts are generated within /etc/voms-admin-puppet to allow this to be done. e.g:


will create a schema for the 'very.special.vo'

Database Configuration

VOMS admin and voms core require a database per VO. At this time this puppet module only supports mysql. A mysql server can be configured using puppetlabs-mysql module. The Mysql users and access grants are exported as puppet resources from the above voms::admin and voms::core declarations. Assuming default database names of _db for each VO the following manifest will install and configure mysql with all grant tables suitable for VOMS and VOMS-Admin services to connect to.

 class{'mysql::server': }
       vo_dbs => ['special.vo_db','very.special.vo_db']

This assumes your puppet service is configured to support export resources.


Configure tomcat and trustmanager outside this VOMS module so other services can use it.

Use the existing EMI yum repo puppet module rather than manage myself.

Add some validation of items that are passed to voms admin with config hash, currently they will be blindly added to the files.


CERN IT/GT/DMS, Ricardo Rocha CERN IT/PS/PES, Steve Traylen Bugs, Comments, Pull requests -