Poster of Linux kernelThe best gift for a Linux geek


Section: University of Chicago (8) Updated: 12/01/2009
Local index Up


globus-gatekeeper - Authorize and execute a grid service on behalf of a user  


globus-gatekeeper [-help]
[-test] [-d | -debug]
{-inetd | -f}
[-p PORT | -port PORT]
[-home PATH] [-l LOGFILE | -logfile LOGFILE]
[-acctfile ACCTFILE]
[-launch_method {fork_and_exit | fork_and_wait | dont_fork}]
[-grid_services SERVICEDIR]
[-globusid GLOBUSID]
[-gridmap GRIDMAP]
[-x509_cert_dir TRUSTED_CERT_DIR]
[-x509_cert_file TRUSTED_CERT_FILE]
[-x509_user_cert CERT_PATH]
[-x509_user_key KEY_PATH]
[-x509_user_proxy PROXY_PATH]
[-globuskmap KMAP]


The globus-gatekeeper program is a meta-server similar to inetd or xinetd that starts other services after authenticating the TCP connection using GSSAPI.

The most common use for the globus-gatekeeper program is to start instances of the globus-job-manager(8) service. A single globus-gatekeeper deployment can handle multiple different service configurations by having entries in the grid-services directory.

Typically, users interact with the globus-gatekeeper program via client applications such as globusrun(1), globus-job-submit, or tools such as CoG jglobus or Condor-G.

The full set of command-line options to globus-gatekeeper consists of:


Display a help message to standard error and exit


Load configuration parameters from PARAMETER_FILE. The parameters in that file are treated as additional command-line options.


Parse the configuration file and print out the POSIX user id of the globus-gatekeeper process, service home directory, service execution directory, and X.509 subject name and then exits.

-d, -debug

Run the globus-gatekeeper process in the foreground.


Flag to indicate that the globus-gatekeeper process was started via inetd or a similar super-server. If this flag is set and the globus-gatekeeper was not started via inetd, a warning will be printed in the gatekeeper log.


Flag to indicate that the globus-gatekeeper process should run in the foreground. This flag has no effect when the globus-gatekeeper is started via inetd.

-p PORT, -port PORT

Listen for connections on the TCP/IP port PORT. This option has no effect if the globus-gatekeeper is started via inetd or a similar service. If not specified and the gatekeeper is running as root, the default of 754 is used. Otherwise, the gatekeeper defaults to an ephemeral port.

-home PATH

Sets the gatekeeper deployment directory to PATH. This is used to interpret relative paths for accounting files, libexecdir, certificate paths, and also to set the GLOBUS_LOCATION environment variable in the service environment. If not specified, the gatekeeper uses its working directory.

-l LOGFILE, -logfile LOGFILE

Write status log entries to LOGFILE

-acctfile ACCTFILE

Set the path to write accounting records to ACCTFILE. If not set, no accounting records will be written.


Look for service executables in LIBEXECDIR. If not specified, the default of HOME/libexec is used.

-launch_method fork_and_exit|fork_and_wait|dont_fork

Determine how to launch services. The method may be either fork_and_exit (the service runs completely independently of the gatekeeper, which exits after creating the new service process), fork_and_wait (the service is run in a separate process from the gatekeeper but the gatekeeper does not exit until the service terminates), or dont_fork, where the gatekeeper process becomes the service process via the exec() system call.

-grid_services SERVICEDIR

Look for service descriptions in SERVICEDIR. If this is a relative path, it is interpreted relative to the HOME value. If this is not specified, the default of HOME/etc/grid-services is used.

-globusid GLOBUSID

Sets the GLOBUSID environment variable to GLOBUSID. This variable is used to construct the gatekeeper contact string if it can not be parsed from the service credential.

-gridmap GRIDMAP

Use the file at GRIDMAP to map GSSAPI names to POSIX user names. If not specified, the default of HOME/etc/grid-mapfile is used.

-x509_cert_dir TRUSTED_CERT_DIR

Use the directory TRUSTED_CERT_DIR to locate trusted CA X.509 certificates. The gatekeeper sets the environment variable X509_CERT_DIR to this value.

-x509_cert_file TRUSTED_CERT_FILE


-x509_user_cert CERT_PATH

Read the service X.509 certificate from CERT_PATH. The gatekeeper sets the X509_USER_CERT environment variable to this value.

-x509_user_key KEY_PATH

Read the private key for the service from KEY_PATH. The gatekeeper sets the X509_USER_KEY environment variable to this value.

-x509_user_proxy PROXY_PATH

Read the X.509 proxy certificate from PROXY_PATH. The gatekeeper sets the X509_USER_PROXY environment variable to this value.


Assume authentication with Kerberos 5 GSSAPI instead of X.509 GSSAPI.

-globuskmap KMAP

Assume authentication with Kerberos 5 GSSAPI instead of X.509 GSSAPI and use KMAP as the path to the kerberos principal to POSIX user mapping file.


If the following variables affect the execution of globus-gatekeeper


Directory containing X.509 trust anchors and signing policy files.


Path to file containing an X.509 proxy.


Path to file containing an X.509 user certificate.


Path to file containing an X.509 user key.



Default path to gatekeeper configuration file.


Service configuration for SERVICENAME.


globusrun(1), globus-job-manager(8)




This document was created by man2html, using the manual pages.
Time: 22:01:42 GMT, April 16, 2011