Floating clients

In LSF, you can have both static client hosts and floating client hosts. LSF floating client hosts are hosts that are not all active at the same time.

For floating clients, an lsf_client license is shared among several client hosts at different times as it can also be assigned dynamically to any host that submits a request to LSF.

Licensing for client hosts

If you purchased an lsf_client license, the static client hosts must be listed in lsf.cluster.cluster_name. The license is fixed to the hosts specified in lsf.cluster.cluster_name and whenever client hosts change, you must update it with the new host list.

LSF floating client hosts are dynamic. They are not listed in lsf.cluster.cluster_name and since LSF does not take into account their host names, theys can change dynamically and licenses will be distributed to the clients that request to use LSF. When you submit a job from any unlicensed host, and if there are any static licenses free, the host will check out a license and submit your job to LSF. However, once a host checks out a static client license, it keeps that license for the rest of the day, until midnight. A host that becomes a floating client behaves like a fixed client all day, then at 12 midnight it releases the license. At that time, the host turns back into a normal, unlicensed host, and the static client license becomes available to any other host that needs it. Restarting mlim can also release the license for floating client hosts.

If you purchased an lsf_client license, the following behavior applies within each license distribution period (triggered when a new host is added into the cluster or some host status changes):

  • A static client has the highest priority to get a license from the license server

  • If there are still client licenses remaining on the license server, they can be used for floating clients

  • A number of remaining client licenses are reserved for floating clients according to the number configured for the FLOAT_CLIENT parameter

  • Unavailable server hosts cannot check out lsf_client licenses but can check out lsf_base licenses with a 1:1 ratio

If you did not purchase an lsf_client license, the following behavior applies:

  • Floating clients and static clients can check out an lsf_base license instead of an lsf_client license

  • If there are lsf_base licenses remaining after the server hosts check them out, unavailable server hosts will get the licenses first

  • If there are still lsf_base licenses available, static clients can check out licenses

  • Lastly, floating client hosts can check out remaining lsf_base licenses up to the number configured for the FLOAT_CLIENT parameter

Note:

If the license file contains an lsf_client license, static clients and floating clients cannot use lsf_base licenses.

FLOAT_CLIENT parameter

If you have floating client hosts, configure FLOAT_CLIENTS in the parameter section of the lsf.cluster.cluster_name file. This parameter represents the maximum number of floating clients that you expect to have.

Floating client hosts and host types/models

This differentiates between client hosts and floating client hosts in terms of the restrictions on host types or models.

For LSF static client hosts, you can list the host type and model in lsf.cluster.cluster_name and by default, restrict running applications on different host types.

For floating client hosts, host types and models are not included in the client information. By default, any job submissions made from floating client hosts are allowed dispatch to any host type or model.

In the same way as client and server hosts, you can specify a specific model or type when you submit a job from a floating client host.

For example:

bsub sleep

The command above is interpreted as:

  • -R "type==local" on a client host

  • -R "type==any" on a floating client host

Security issues with floating clients

If you have floating clients in your cluster, it is important that you read this section to inform yourself of the security issues. There are measures to compensate for these security issues.

With LSF static clients, when you list client hosts in lsf.cluster.cluster_name, there is a level of security defined since you specify the exact hosts that will be used by the LSF system. Host authentication is done in this way.

With LSF floating clients, you should be aware of the security issues:

  • Hosts that are not specified in lsf.cluster.cluster_name can submit requests. This means any host can submit requests.

  • Remote machines make it easier for users to submit commands with a fake user ID. As a result, if an authorized user uses the user ID lsfadmin, the user will be able to run commands that affect the entire cluster or shut it down and cause problems in the LSF system.

Configure security for LSF floating clients

To resolve these security issues, the LSF administrator can limit which client hosts submit requests in the cluster by adding a domain or a range of domains in lsf.cluster.cluster_name with the parameter FLOAT_CLIENTS_ADDR_RANGE.

FLOAT_CLIENTS_ADDR_RANGE parameter

This optional parameter specifies an IP address or range of addresses of domains from which floating client hosts can submit requests. Multiple ranges can be defined, separated by spaces. The IP address can have either a dotted quad notation (IPv4) or IP Next Generation (IPv6) format. LSF supports both formats; you do not have to map IPv4 addresses to an IPv6 format.

Note:

You must uncomment FLOAT_CLIENTS_ADDR_RANGE (remove the # symbol before the parameter) to have it take effect.

If the value of this parameter is undefined, there is no security and any host can be an LSF floating client.

If a value is defined, security is enabled. When this parameter is defined, client hosts that do not belong to the domain will be denied access. However, if there is an error in the configuration of this variable, by default, no host will be allowed to be an LSF floating client.

If a requesting host belongs to an IP address that falls in the specified range, the host will be accepted to become an LSF floating client.

Address ranges are validated at configuration time so they must conform to the required format. If any address range is not in the correct format, no host will be accepted as an LSF floating client and a error message will be logged in the LIM log.

Conventions

  • IP addresses are separated by spaces, and considered "OR" alternatives.

  • The * character indicates any value is allowed.

  • The - character indicates an explicit range of values. For example 1-4 indicates 1,2,3,4 are allowed.

  • Open ranges such as *-30, or 10-*, are allowed.

  • If a range is specified with less fields than an IP address such as 10.161, it is considered as 10.161.*.*.

  • This parameter is limited to 2048 characters.

Examples

FLOAT_CLIENTS_ADDR_RANGE=100

All IPv4 and IPv6 hosts with a domain address starting with 100 will be allowed access.
  • To specify only IPv4 hosts, set the value to 100.*

  • To specify only IPv6 hosts, set the value to 100:*

FLOAT_CLIENTS_ADDR_RANGE=100-110.34.1-10.4-56

All client hosts belonging to a domain with an address having the first number between 100 and 110, then 34, then a number between 1 and 10, then, a number between 4 and 56 will be allowed access. Example: 100.34.9.45, 100.34.1.4, 102.34.3.20, etc. No IPv6 hosts are allowed.

FLOAT_CLIENTS_ADDR_RANGE=100.172.1.13 100.*.30-54 124.24-*.1.*-34

All client hosts belonging to a domain with the address 100.172.1.13 will be allowed access. All client hosts belonging to domains starting with 100, then any number, then a range of 30 to 54 will be allowed access. All client hosts belonging to domains starting with 124, then from 24 onward, then 1, then from 0 to 34 will be allowed access. No IPv6 hosts are allowed.

FLOAT_CLIENTS_ADDR_RANGE=12.23.45.*

All client hosts belonging to domains starting with 12.23.45 are allowed. No IPv6 hosts are allowed.

FLOAT_CLIENTS_ADDR_RANGE=100.*43

The * character can only be used to indicate any value. In this example, an error will be inserted in the LIM log and no hosts will be accepted to become LSF floating clients. No IPv6 hosts are allowed.

FLOAT_CLIENTS_ADDR_RANGE=100.*43 100.172.1.13

Although one correct address range is specified, because *43 is not correct format, the entire line is considered not valid. An error will be inserted in the LIM log and no hosts will be accepted to become LSF floating clients. No IPv6 hosts are allowed.

FLOAT_CLIENTS_ADDR_RANGE = 3ffe

All client IPv6 hosts with a domain address starting with 3ffe will be allowed access. No IPv4 hosts are allowed.

FLOAT_CLIENTS_ADDR_RANGE = 3ffe:fffe::88bb:*

Expands to 3ffe:fffe:0:0:0:0:88bb:*. All IPv6 client hosts belonging to domains starting with 3ffe:fffe::88bb:* are allowed. No IPv4 hosts are allowed.

FLOAT_CLIENTS_ADDR_RANGE = 3ffe-4fff:fffe::88bb:aa-ff 12.23.45.*

All IPv6 client hosts belonging to domains starting with 3ffe up to 4fff, then fffe::88bb, and ending with aa up to ff are allowed. All IPv4 client hosts belonging to domains starting with 12.23.45 are allowed.

FLOAT_CLIENTS_ADDR_RANGE = 3ffe-*:fffe::88bb:*-ff

All IPv6 client hosts belonging to domains starting with 3ffe up to ffff and ending with 0 up to ff are allowed. No IPv4 hosts are allowed.

Check that security is enabled

Take this step after you have configured security. You are shown how to check that security has been configured properly.

After you configure FLOAT_CLIENTS_ADDR_RANGE, check the master LIM log file on the LSF master host (LSF_LOGDIR/lim.log.master_host_name) to make sure this parameter is correctly set. If this parameter is not set or is wrong, this will be indicated in the log file.

Administration commands

Since LSF floating client hosts are not listed in lsf.cluster.cluster_name, some administration commands will not work if issued from LSF floating client hosts. Always run administration commands from server hosts.