B. Installation on DCE/DFS

Introduction

Installing LSF in DCE/DFS involves running the lsfsetup program from the main LSF distribution, and then installing the additional LSF DCE distribution.

Pre-Installation

Before installing, you need to choose the primary LSF administrator, and decide where to store the LSF configuration and executable files.

Choosing the LSF Administrator

The root account cannot be used as the primary LSF administrator if the LSF configuration files are to be stored in DFS, because in this case, the primary LSF administrator must be defined in DCE.

LSF Installation Directory

The master batch daemon needs read/write access to the working directories under LSB_SHAREDIR, which contain the LSF Batch log files. Since the daemon is not authenticated to DCE, you must not define LSB_SHAREDIR to be in DFS when running lsfsetup. The other configuration files are accessed read-only by the LSF daemons and thus can be defined in DFS if the ACL for these directories contains any_other:r-----. Similarly, the LSF executables can be stored in DFS if the ACL contains any_other:r-x---.

Additional Notes

You must not define LSF_RES_ACCTDIR and LSF_LOGDIR to be in DFS because the files in this directory are always written by the root user ID.

Installing LSF

Follow the instructions in `Default Installation' on page 13 or `Custom Installation' on page 23 to install the main LSF distribution. If some of your directories are defined in DFS, you must dce_login as the primary LSF administrator before running lsfsetup.

You may use either installation procedure to install LSF before installing the additional LSF DCE distribution.

After Installing LSF

At this point, you can create @sys symbolic links so that LSF_BINDIR, LSF_LIBDIR, and LSF_SERVERDIR access the corresponding architecture directories.

Installing the LSF DCE Distribution

This distribution is named depending on the LSF version and host type, for example lsf3.2_solaris_dce.tar.Z.

1. Get the LSF DCE tar distribution file from tape or from downloaded from Platform Computing's WWW or FTP sites. Uncompress the compressed distribution file.
2. Copy the following executables from the LSF DCE distribution directory to the LSF_SERVERDIR directory:

   daemons.wrap (res sbatchd)
   These executables are compiled with DCE/DFS support. After copying them to the LSF_SERVERDIR directory, rename the original files and make the following links:
   # mv res res.real
   # mv sbatchd sbatchd.real
   # ln -s daemons.wrap res
   # ln -s daemons.wrap sbatchd

   getcrd putcrd

   getcrd gets the DCE credentials from the credential cache and outputs the tokens to standard output. putcrd reads from the standard input the AFS token(s) in the format generated by getcrd, and sets the credentials for the invoker.

   esub eexec

   These are shell scripts invoked by LSF to support credential forwarding from the submission host to the execution host. Sites can modify these scripts to further customize credential processing (for example, using site-specific encryption software).

3. If privileged port authentication is used (i.e., LSF_AUTH is not defined in your lsf.conf file when you run lsfsetup), and LSF_BINDIR is defined in DFS, you will need to change the ownership of the setuid executables in LSF_BINDIR to root. First, find all the binaries in LSF_BINDIR that are installed with the setuid bit on:

   % ls -l | grep rws

Then dce_login to the primary LSF administrator, and use the command cm setsetuid:

% cm setsetuid -path setuid_binaries -state on

Credential Encryption

By default, the DCE esub and eexec scripts do not use encryption when transferring the DCE credentials between the submission and execution hosts. A site can modify these scripts to add site-specific encryption. The esub and eexec scripts in the LSF DCE distribution give an example of how to use PGP for encryption. To configure LSF to use PGP, follow the instructions in `AFS Token Encryption' on page 101.