IBM® Spectrum LSF 10.1 Fix 566003 Readme File
Abstract
P103991. This fix ports the LSF Kerberos integration to Windows platforms.
Description
Readme documentation for IBM® Spectrum LSF 10.1 Fix 566003 including installation-related instructions, prerequisites and co-requisites, and list of fixes.
This fix introduces the following Kerberos features to Windows platforms:
1. TGT forwarding
TGT forwarding is the most commonly used. All of these features need to dynamically load krb5 libs( including krb5_64.dll, k5sprt64.dll, wshelp64.dll, comerr64.dll), which is set by the optional LSB_KRB_LIB_PATH parameter, which specifies the location where krb5 is installed. If not set, the default location is C:/Program Files/MIT/Kerberos/bin.
To enable TGT forwarding:
- Register the user principal in the KDC server (if not already done). Set LSB_KRB_TGT_FWD=Y in the lsf.conf file. This parameter serves as an overall switch that turns TGT forwarding on or off.
- Optional. Set the LSB_KRB_CHECK_INTERVAL parameter in the lsf.conf file. The parameter controls the time interval for TGT checking. If it is not set, the default value of 15 minutes is used.
- Optional. Set the LSB_KRB_RENEW_MARGIN parameter in the lsf.conf file. The parameter controls how much elapses before TGT is renewed. If it is not set, the default value of 1 hour is used.
- Optional. Set the LSB_KRB_TGT_DIR parameter in the lsf.conf file. This parameter is optional. It specifies where to store TGT on the execution host. If not set, it defaults to C:/Windows/Temp on the execution host.
- Restart LSF.
- Run kinit to obtain TGT for forwarding.
- Submit jobs as normal.
2. User eauth with krb5
To enable user eauth with krb5:
- Shut down the LSF cluster.
- Replace the eauth.exe in the $LSF_SERVERDIR directory with the eauth.krb5.exe file, which resides in the same directory.
- Set LSF_AUTH=eauth in the lsf.conf file. The value eauth is the default setting.
- Optional. Set LSB_EAUTH_DATA_REUSE=N in the lsf.conf file. This is required for the blaunch.exe and lsgrun.exe commands to work.
- Start up the LSF cluster.
- Run kinit to obtain TGT for Kerberos authentication.
Note:
The lsrun.exe command might behave inconsistently between running on local and remote hosts, because when an lsrun task is run on the local host, it does not go through eauth authorization.
3. Enhance query commands to be authenticated, which is the same as the bsub.exe command
Introduce a new LSF_AUTH_QUERY_COMMANDS parameter in the lsf.conf file. Use this parameter to control the authentication for query commands. When set to Y, enables query commands authentication. By default, this parameter is set to N (do not enable authentication for query commands). Use the LSF_AUTH parameter in the lsf.conf file to specify the external client to server authentication method that is used. If you want to enable authenticate for query commands, make sure that you apply this fix (or later fixes) to all the management, server, and client hosts in the LSF cluster. After defining or changing the value of the LSF_AUTH_QUERY_COMMANDS parameter, restart the LSF mbatchd and gpolicyd daemons for this parameter to take effect.
Since the default eauth executable use the LSF cluster name to generate a site-specific key, to enable authentication for query commands for multiple clusters, you must specify the same LSF_EAUTH_KEY value in the lsb.sudoers file for all LSF clusters.
Note:
After enabling authentication for query commands, old APIs and commands in the new server are rejected with an error message.
About adding Kerberos principals for LSF users
a. Create a Kerberos principal that is used by the LSF mbatchd daemon to communicate with user commands and other daemons. The principal’s name is lsf/cluster_name@realm_name.
b. Create a Kerberos principal for each LSF server host. The principal’s name is lsf/host_name@realm_name.
c. Add the above Kerberos principals to the keytab file and copy the keytab file to the location that is specified by the 'krb5.ini' file for each Windows host.
Readme File for: IBM® Spectrum LSF
Product/Component Release: 10.1
Update Name: Fix 566003
Fix ID: LSF-10.1-build566003
Publication Date: 22 Dec 2020
Last Modified Date: 22 Dec 2020
Contents
1. List of Fixes
2. Download Location
3. Product or Components Affected
4. System Requirements
5. Installation and Configuration
6. List of Files
7. Product Notifications
8. Copyright and Trademark Information
1. List of Fixes
P103991
2. Download Locations
Download Fix 566003 from the following location: http://www.ibm.com/eserver/support/fixes/
3. Product or Components Affected
Affected product or components include:
LSF/bhist.exe
LSF/blaunch.exe
LSF/bctrld.exe
LSF/bacct.exe
LSF/bparams.exe
LSF/bapp.exe
LSF/bclusters.exe
LSF/bgpinfo.exe
LSF/bhosts.exe
LSF/bhpart.exe
LSF/bjdepinfo.exe
LSF/bjgroup.exe
LSF/bjobs.exe
LSF/blimits.exe
LSF/bresources.exe
LSF/bugroup.exe
LSF/bmgroup.exe
LSF/bqueues.exe
LSF/brsvs.exe
LSF/bsla.exe
LSF/bslots.exe
LSF/busers.exe
LSF/tspeek.exe
LSF/badmin.exe
LSF/bkill.exe
LSF/bmod.exe
LSF/bsub.exe
LSF/bchkpnt.exe
LSF/bresume.exe
LSF/bstop.exe
LSF/bmig.exe
LSF/bswitch.exe
LSF/bpeek.exe
LSF/lsgrun.exe
LSF/mbatchd.exe
LSF/mbschd.exe
LSF/sbatchd.exe
LSF/res.exe
LSF/gpolicyd.exe
LSF/eauth.krb5.exe
LSF/krbrenewd.exe
LSF/nios.exe
LSF/libbat.lib
LSF/libbatw2k.lib
LSF/libbatw2k.dll
LSF/liblsf.lib
LSF/liblsfw2k.lib
LSF/liblsfw2k.dll
LSF/liblsbstream.dll
LSF/libsched.dll
LSF/lsf.h
LSF/lsbatch.h
LSF/lssched.h
4. System Requirements
win-x64
5. Installation and Configuration
5.1 Before installation
None.
5.2 Installation steps
1) Log on to the LSF master host as the LSF cluster administrator
2) Run badmin hclose all
3) Run badmin qinact all
4) Log on to the Windows host as administrator, install the Windows patch
5.3 After installation
1) Log on to the LSF master host as the LSF cluster administrator
2) Run lsadmin resrestart all
3) Run badmin hrestart all
4) badmin mbdrestart
5) Run badmin hopen all
6) Run badmin qact all
5.4 Uninstallation
1) Log on to the LSF master host as the LSF cluster administrator
2) Run badmin hclose all
3) Run badmin qinact all
4) Log on to the Windows host as administrator, remove the patch installation from the Windows control panel
5) Run lsadmin resrestart all
6) Run badmin hrestart all
7) badmin mbdrestart
8) Run badmin hopen all
9) Run badmin qact all
6. List of Files
bhist.exe
blaunch.exe
bctrld.exe
bacct.exe
bparams.exe
bapp.exe
bclusters.exe
bgpinfo.exe
bhosts.exe
bhpart.exe
bjdepinfo.exe
bjgroup.exe
bjobs.exe
blimits.exe
bresources.exe
bugroup.exe
bmgroup.exe
bqueues.exe
brsvs.exe
bsla.exe
bslots.exe
busers.exe
tspeek.exe
badmin.exe
bkill.exe
bmod.exe
bsub.exe
bchkpnt.exe
bresume.exe
bstop.exe
bmig.exe
bswitch.exe
bpeek.exe
lsgrun.exe
mbatchd.exe
mbschd.exe
sbatchd.exe
res.exe
gpolicyd.exe
eauth.krb5.exe
krbrenewd.exe
nios.exe
libbat.lib
libbatw2k.lib
libbatw2k.dll
liblsf.lib
liblsfw2k.lib
liblsfw2k.dll
liblsbstream.dll
libsched.dll
lsf.h
lsbatch.h
lssched.h
7. Product Notifications
To receive information about product solution and patch updates automatically, subscribe to product notifications on the My notifications page ( www.ibm.com/support/mynotifications) on the IBM Support website (support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.
8. Copyright and Trademark Information
©Copyright IBM Corporation 2020
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.