Installing LSF in DCE/DFS involves running the lsfsetup
program from the main LSF distribution, and then installing the additional LSF DCE distribution.
Before installing, you need to choose the primary LSF administrator, and decide where to store the LSF configuration and executable files.
The root
account cannot be used as the primary LSF administrator if the LSF configuration files are to be stored in DFS, because in this case, the primary LSF administrator must be defined in DCE.
The master batch daemon needs read/write access to the working directories under LSB_SHAREDIR
, which contain the LSF Batch log files. Since the daemon is not authenticated to DCE, you must not define LSB_SHAREDIR
to be in DFS when running lsfsetup
. The other configuration files are accessed read-only by the LSF daemons and thus can be defined in DFS if the ACL for these directories contains any_other:r-----
. Similarly, the LSF executables can be stored in DFS if the ACL contains any_other:r-x---
.
You must not define LSF_RES_ACCTDIR
and LSF_LOGDIR
to be in DFS because the files in this directory are always written by the root user ID.
Follow the instructions in `Default Installation' on page 13 or `Custom Installation' on page 23 to install the main LSF distribution. If some of your directories are defined in DFS, you must dce_login
as the primary LSF administrator before running lsfsetup
.
You may use either installation procedure to install LSF before installing the additional LSF DCE distribution.
At this point, you can create @sys symbolic links so that LSF_BINDIR
, LSF_LIBDIR
, and LSF_SERVERDIR
access the corresponding architecture directories.
This distribution is named depending on the LSF version and host type, for example lsf3.2_solaris_dce.tar.Z
.
LSF_SERVERDIR
directory:
daemons.wrap
(res
sbatchd
)
These executables are compiled with DCE/DFS support. After copying them
to the LSF_SERVERDIR
directory, rename the original files and
make the following links:
#
mv res res.real
#
mv sbatchd sbatchd.real
#
ln -s daemons.wrap res
#
ln -s daemons.wrap sbatchd
getcrd putcrd
getcrd
gets the DCE credentials from the credential cache
and outputs the tokens to standard output. putcrd
reads from
the standard input the AFS token(s) in the format generated by getcrd
,
and sets the credentials for the invoker.
esub eexec
These are shell scripts invoked by LSF to support credential forwarding from the submission host to the execution host. Sites can modify these scripts to further customize credential processing (for example, using site-specific encryption software).
LSF_AUTH
is
not defined in your lsf.conf
file when you run lsfsetup
),
and LSF_BINDIR is defined in DFS, you will need to change the ownership of
the setuid executables in LSF_BINDIR
to root. First, find all
the binaries in LSF_BINDIR
that are installed with the setuid
bit on:
%
ls -l | grep rws
Then
dce_login
to the primary LSF administrator, and use the commandcm setsetuid
:
%
cm setsetuid -path setuid_binaries -state on
By default, the DCE esub
and eexec
scripts do not use encryption when transferring the DCE credentials between
the submission and execution hosts. A site can modify these scripts to add site-specific
encryption. The esub
and eexec
scripts in the LSF
DCE distribution give an example of how to use PGP for encryption. To configure
LSF to use PGP, follow the instructions in `AFS
Token Encryption' on page 101.