LSF daemon startup control

The LSF daemon startup control feature allows you to specify a list of user accounts other than root that can start LSF daemons on UNIX hosts. This feature also enables UNIX and Windows users to bypass the additional login required to start res and sbatchd when the EGO Service Controller (EGOSC) is configured to control LSF daemons; bypassing the EGO administrator login enables the use of scripts to automate system startup.

Contents

  • About LSF daemon startup control

  • Scope

  • Configuration to enable LSF daemon startup control

  • LSF daemon startup control behavior

  • Configuration to modify LSF daemon startup control

  • LSF daemon startup control commands

About LSF daemon startup control

Startup by users other than root (UNIX only)

On UNIX hosts, by default only root can manually start LSF daemons. To manually start LSF daemons, a user runs the commands lsadmin and badmin, which have been installed as setuid root. The LSF daemon startup control feature allows you to specify a list of user accounts that are allowed to run the commands lsadmin and badmin to start LSF daemons. The list is defined in the file lsf.sudoers.

On Windows hosts, the Platform services admin group identifies the user accounts that can start and shut down LSF daemons.
Figure 1. Default behavior (feature not enabled)
Figure 2. With LSF daemon startup control enabled

EGO administrator login bypass

If the EGO Service Controller (EGOSC) is configured to control LSF daemons, EGO will automatically restart the res and sbatchd daemons unless a user has manually shut them down. When manually starting a res or sbatchd daemon that EGO has not yet started, the user who invokes lsadmin or badmin is prompted to enter EGO administrator credentials. You can configure LSF to bypass this step by specifying the EGO administrator credentials in the file lsf.sudoers.

In the following illustrations, an authorized user is either a UNIX user listed in the LSF_STARTUP_USERS parameter or a Windows user with membership in the Platform services admin group.
Figure 3. EGO administrator login bypass not enabled
Figure 4. With EGO administrator login bypass enabled

Scope


Applicability

Details

Operating system

  • UNIX hosts only within a UNIX-only or mixed UNIX/Windows cluster: Startup of LSF daemons by users other than root.

  • UNIX and Windows: EGO administrator login bypass.

Dependencies

  • For startup of LSF daemons by users other than root:
    • You must define both a list of users and the absolute path of the directory that contains the LSF daemon binary files.

    • The commands lsadmin and badmin must be installed as setuid root.

  • For EGO administrator login bypass, the default Admin EGO cluster administrator account must be defined.

Limitations

  • Startup of LSF daemons by users other than root applies only to the following lsadmin and badmin subcommands:
    • badmin hstartup

    • lsadmin limstartup

    • lsadmin resstartup


Configuration to enable LSF daemon startup control

Startup by users other than root (UNIX-only)

The LSF daemon startup control feature is enabled for UNIX hosts by defining the LSF_STARTUP_USERS and LSF_STARTUP_PATH parameters in the lsf.sudoers file. Permissions for lsf.sudoers must be set to 600. For Windows hosts, this feature is already enabled at installation when the Platform services admin group is defined.


Configuration file

Parameter and syntax

Default behavior

lsf.sudoers

LSF_STARTUP_USERS=all_admins

  • Enables LSF daemon startup by users other than root when LSF_STARTUP_PATH is also defined.

  • Allows all UNIX users defined as LSF administrators in the file lsf.cluster.cluster_name to start LSF daemons as root by running the lsadmin and badmin commands.

  • Not recommended due to the security risk of a non-root LSF administrator adding to the list of administrators in the lsf.cluster.cluster_name file.

  • Not required for Windows hosts because all users with membership in the Platform services admin group can start LSF daemons.

LSF_STARTUP_USERS="user_name1 user_name2 …"

LSF_STARTUP_USERS=user_name

  • Enables LSF daemon startup by users other than root when LSF_STARTUP_PATH is also defined.

  • Allows the specified user accounts to start LSF daemons as root by running the lsadmin and badmin commands.

  • Specify only cluster administrator accounts; if you add a non-administrative user, the user can start—but not shut down—LSF daemons.

  • Separate multiple user names with a space.

  • For a single user, do not use quotation marks.

LSF_STARTUP_PATH=path

  • Enables LSF daemon startup by users other than root when LSF_STARTUP_USERS is also defined.

  • Specifies the directory that contains the LSF daemon binary files.

  • LSF daemons are usually installed in the path specified by the LSF_SERVERDIR parameter defined in the cshrc.lsf, profile.lsf, or lsf.conf files.
    Important:

    For security reasons, you should move the LSF daemon binary files to a directory other than LSF_SERVERDIR or LSF_BINDIR. The user accounts specified by LSF_STARTUP_USERS can start any binary in the LSF_STARTUP_PATH.


EGO administrator login bypass

For both UNIX and Windows hosts, you can bypass the EGO administrator login for res and sbatchd by defining the parameters LSF_EGO_ADMIN_USER and LSF_EGO_ADMIN_PASSWORD in the lsf.sudoers file.


Configuration file

Parameter and syntax

Default behavior

lsf.sudoers

LSF_EGO_ADMIN_USER=Admin

  • Enables a user or script to bypass the EGO administrator login prompt when LSF_EGO_ADMIN_PASSWD is also defined.

  • Applies only to startup of res or sbatchd.

  • Specify the Admin EGO cluster administrator account.

LSF_EGO_ADMIN_PASSWD=password

  • Enables a user or script to bypass the EGO administrator login prompt when LSF_EGO_ADMIN_USER is also defined.

  • Applies only to startup of res or sbatchd.

  • Specify the password for the Admin EGO cluster administrator account.


LSF daemon startup control behavior

This example illustrates how LSF daemon startup control works when configured for UNIX hosts in a cluster with the following characteristics:
  • The cluster contains both UNIX and Windows hosts

  • The UNIX account user1 is mapped to the Windows account BUSINESS\user1 by enabling the UNIX/Windows user account mapping feature

  • The account BUSINESS\user1 is a member of the Platform services admin group

  • In the file lsf.sudoers:
    LSF_STARTUP_USERS="user1 user2 user3"
    LSF_STARTUP_PATH=LSF_TOP/7.0/linux2.4-glibc2.3-x86/etc
    LSF_EGO_ADMIN_USER=Admin
    LSF_EGO_ADMIN_PASSWD=Admin
    Note:

    You should change the Admin user password immediately after installation using the command egosh user modify.

Figure 5. Example of LSF daemon startup control

Configuration to modify LSF daemon startup control

Not applicable: There are no parameters that modify the behavior of this feature.

LSF daemon startup control commands

Commands for submission


Command

Description

N/A

  • This feature does not directly relate to job submission.


Commands to monitor


Command

Description

bhosts

  • Displays the host status of all hosts, specific hosts, or specific host groups.

lsload

  • Displays host status and load information.


Commands to control


Command

Description

badmin hstartup

  • Starts the sbatchd daemon on specific hosts or all hosts. Only root and users listed in the LSF_STARTUP_USERS parameter can successfully run this command.

lsadmin limstartup

  • Starts the lim daemon on specific hosts or all hosts in the cluster. Only root and users listed in the LSF_STARTUP_USERS parameter can successfully run this command.

lsadmin resstartup

  • Starts the res daemon on specific hosts or all hosts in the cluster. Only root and users listed in the LSF_STARTUP_USERS parameter can successfully run this command.


Commands to display configuration


Command

Description

badmin showconf

  • Displays all configured parameters and their values set in lsf.conf or ego.conf that affect mbatchd and sbatchd.

    Use a text editor to view other parameters in the lsf.conf or ego.conf configuration files.

  • In a MultiCluster environment, badmin showconf only displays the parameters of daemons on the local cluster.


Use a text editor to view the lsf.sudoers configuration file.