Alexander Gutkin, Sushmith Hiremath
US
Revision: 1.0
Contents
- 1. About this Document
- 2. Configuration Overview
- 3. Troubleshooting
- 4. Automatic Creation of the Home Directory on the Intel® Xeon Phi™ Coprocessor uOS
- 5. Additional Considerations for LDAP users of the Coprocessor Offload Interface (COI)
List of Tables
Table 1 Conventions and Symbols used in this Document
1. About this Document
This paper highlights an important new feature of the Intel® Manycore Platform Software Stack (Intel® MPSS) release 3.2: support for the Lightweight Directory Access Protocol (LDAP) on the Intel® Xeon Phi™ coprocessor. The release can be found at http://software.intel.com/en-us/articles/intel-manycore-platform-software-stack-mpss. We illustrate all the steps needed to set up LDAP support on the Intel® MPSS host, set up a static bridge, and configure Intel® Xeon Phi™ coprocessor cards to allow SSH login to the card by an LDAP user. In addition, we demonstrate how to configure the Intel® Xeon Phi™ coprocessor for LDAP users of Coprocessor Offload Interface (COI) applications, with optional authentication of the offload user.
1.1 Intended Audience
The intended audience of this paper are system administrators of Linux* hosts containing Intel® Xeon Phi™ coprocessors.
1.2 Conventions and Symbols
The following conventions are used in this document.
Table 1 Conventions and Symbols used in this Document
Italics          Indicates a file or directory name.
Courier          Indicates an element of syntax, reserved word, keyword, filename, computer output, or part of a program example. The text appears in lowercase unless uppercase is significant.
Courier (Bold)   Emphasizes the relevant or changed lines when printing a larger configuration file.
A single # at the beginning of a line denotes commands entered with administrative privileges; $ indicates standard user rights.
"Card" refers to the Intel® Xeon Phi™ coprocessor PCIe card.
"uOS" refers to the Linux* micro Operating System running on an Intel® Xeon Phi™ coprocessor.
Alice, Bob, etc. are assumed to be LDAP users, i.e. users specified in the LDAP directory but not in the host's /etc/passwd file.
1.3 About the Authors
Alexander Gutkin and Sushmith Hiremath are part of Intel Corporation's Technical Computing Group and specialize in security and system configuration for the Intel® Xeon Phi™ coprocessor platform.
2. Configuration Overview
We will not illustrate how to set up an LDAP server in this paper. We will assume that the LDAP server is already up and running, and that both the LDAP server and the compute nodes (hosts) are part of the same corporate network. For illustration purposes, the LDAP server's IP is 10.110.0.103 and the network domain is called MICDOMAIN.COM. We will also assume that the hosts are running the Red Hat* Enterprise Linux* 6 (RHEL6) operating system. In our example, we will use eth1 as the default Ethernet device on the host.
A high-level view of the task of configuring LDAP on the Intel® Xeon Phi™ coprocessors looks like the following:
Step 1. Enable LDAP on a host
Step 2. Bridge Intel® Xeon Phi™ coprocessors
Step 3. Enable LDAP on the Intel® Xeon Phi™ coprocessors
Tip: A word of warning: it is possible to create a situation in which local host users (those listed in /etc/passwd) and LDAP users have overlapping UIDs. Because file ownership and the uid-based rules in the PAM stack are evaluated on the numeric UID, not the user name, an LDAP user who shares a UID with a local user can read and write that local user's home directory, on the host and on the card alike. By default, many Linux* distributions start with base UID 500 and allocate further users upwards from there, while many LDAP servers start from base UID 1000. That gap is not a guarantee: system administrators must remain vigilant to avoid UID conflicts.
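The following shell script is an added example, not from the Intel paper and not part of MPSS, showing how to look for the overlap described in the tip. It reads two passwd(5)-format listings, one of local accounts and one of LDAP accounts, and prints every UID that appears in both. The accounts in demo are constructed for illustration; on a real host you would feed it the output of getent -s files passwd and getent -s ldap passwd (assuming a getent that supports the -s service selector) instead.

```shell
#!/bin/sh
# Added example, not from the Intel paper: report UIDs that exist both in the
# host's local passwd database and in the LDAP directory. Both inputs are
# passwd(5)-formatted files; on a live host they can be produced with
#   getent -s files passwd > local.txt
#   getent -s ldap  passwd > ldap.txt
# (assumption: getent supports -s/--service to select one nsswitch source).

# find_uid_collisions LOCAL_FILE LDAP_FILE
# Prints "UID local_user ldap_user" for every UID present in both files.
find_uid_collisions() {
    awk -F: '
        NR == FNR { local_user[$3] = $1; next }            # first file: index local users by UID
        $3 in local_user { print $3, local_user[$3], $1 }   # second file: LDAP users sharing a UID
    ' "$1" "$2"
}

# demo: runs the check on constructed sample data (not real accounts). A local
# account "builder" (UID 501) collides with LDAP user "bob" (UID 501), and an
# LDAP entry "svc" claims UID 0, which would make it root on every host and card.
demo() {
    local_pw=$(mktemp); ldap_pw=$(mktemp)
    cat >"$local_pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mic:x:500:500:MPSS admin:/home/mic:/bin/bash
builder:x:501:501:Build account:/home/builder:/bin/bash
EOF
    cat >"$ldap_pw" <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
svc:x:0:0:Misconfigured service account:/home/svc:/bin/sh
EOF
    find_uid_collisions "$local_pw" "$ldap_pw"
    rm -f "$local_pw" "$ldap_pw"
}

demo
```

The comparison is deliberately on the numeric UID rather than the user name, since that is what file ownership and pam_succeed_if's uid rules use. Any LDAP entry that resolves to UID 0 should be treated as an incident rather than a naming accident: with pam_ldap in the stack it grants root on every host and card that consults the directory.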
2.1 Step 1: Enabling LDAP on a Host
To enable LDAP on a host, we'll need to install several RPMs. For RHEL, these RPMs are:
- nss-pam-ldapd.x86_64
- openldap.x86_64
- openldap-clients.x86_64
- pam_ldap.x86_64
After installing the RPMs, use the authconfig tool to enable LDAP authentication for the host and to supply the location of the LDAP server:
# authconfig --enableldap --enableldapauth --enablemkhomedir \
    --ldapserver=10.110.0.103 --ldapbasedn="dc=micdomain,dc=com" \
    --update
The authconfig tool modifies several configuration files on the host:
1. In /etc/sysconfig/authconfig: FORCELEGACY=yes ## for those who want to enable LDAP authentication without TLS. Note that without TLS the simple bind performed by pam_ldap sends each user's password to the LDAP server in cleartext over TCP port 389; on a production network enable TLS with --enableldaptls (with the server's CA certificate installed under /etc/openldap/cacerts) or use an ldaps:// URI.
2. In /etc/pam.d/system-auth:
auth        sufficient    pam_ldap.so use_first_pass ## pam_ldap reuses the password already collected earlier in the authentication stack instead of prompting again
The sample file is shown below:
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
3. # cat /etc/pam_ldap.conf
uri ldap://10.110.0.103/ ## IP address of the LDAP server, or its hostname if DNS is available
base dc=micdomain,dc=com
4. # cat /etc/nsswitch.conf ## each line gives the lookup order for that database; here local files are consulted first, then LDAP
passwd: files ldap
shadow: files ldap
group: files ldap
automount: files ldap
5. # cat /etc/openldap/ldap.conf
URI ldap://10.110.0.103/
BASE dc=micdomain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
6. To create home directories for LDAP users, include the following line in /etc/pam.d/sshd:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
7. In /etc/ssh/sshd_config, check that UsePAM yes is set; without it sshd does not run the PAM stack, and LDAP users cannot authenticate.
Optionally, to speed up name lookups, start the name service cache daemon (nscd):
# chkconfig nscd on
# /etc/init.d/nscd start
Keep in mind that nscd caches passwd and group lookups, so an account removed from the directory can continue to resolve on the host until the cached entry expires or nscd is restarted; authentication itself is not cached.
Next, make sure the host firewall does not block connections to the Directory Service Agent (by default TCP port 389, or 636 for ldaps).
To verify that the host can connect to the LDAP server, issue the following command:
# ldapsearch -xb "dc=micdomain,dc=com"
If the command succeeds, you should see the LDAP users' profiles stored on the server.
2.2 Step 2: Bridging Intel® Xeon Phi™ Coprocessors
An external bridge places the card's uOS on the same network as the LDAP server, which is what lets the card reach the directory. It also makes the card, including its sshd, reachable from every other host on that network rather than only from its own host, so apply the same firewall and SSH hardening considerations to the card as to any other node on the LAN. micctrl modifies the MPSS configuration under /etc/mpss and must be run as root.
1) First, create the bridge:
# micctrl --addbridge=br0 --type=external --ip=10.110.0.110
2) Change the network settings of the card to be part of this bridge and give the card a new IP address on the bridge:
# micctrl --network=static --bridge=br0 --ip=10.110.0.111
3) Manually modify ifcfg-eth1 so that eth1 is a member of the bridge, which is how the bridge reaches the LDAP server. Optionally, increase the MTU size to 9000 with:
# micctrl --modbridge --mtu=9000
(Jumbo frames require every switch port and host on the path to accept them. For more information on bridging and MTU modification refer to the MPSS User's Guide.)
4) The files will look something like this:
1. # cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE="eth1"
NM_CONTROLLED="no"
TYPE="ethernet"
BRIDGE=br0
MTU=9000
2. # cat /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
DELAY=0
NM_CONTROLLED="no"
BOOTPROTO=static
IPADDR=10.110.0.110
NETMASK=255.255.0.0
MTU=9000
3. # cat /etc/sysconfig/network-scripts/ifcfg-mic0
DEVICE=mic0
ONBOOT=yes
NM_CONTROLLED="no"
BRIDGE=br0
MTU=9000
5) Restart the network service to make sure that the network adapters start properly.
# service network restart
6) With the bridge enabled, micctrl --config will resemble the following:
[root@localhost rpm_ldap]# micctrl --config
mic0:
=============================================================
Config Version: 1.1
Linux Kernel: /usr/share/mpss/boot/bzImage-knightscorner
BootOnStart: Enabled
Shutdowntimeout: 300 seconds
ExtraCommandLine: highres=off
PowerManagment: cpufreq_on;corec6_on;pc3_on;pc6_on
Root Device: Dynamic Ram Filesystem /var/mpss/mic0.image.gz from:
Base: CPIO /usr/share/mpss/boot/initramfs-knightscorner.cpio.gz
CommonDir: Directory /var/mpss/common
Micdir: Directory /var/mpss/mic0
Network: Static bridge br0
MIC IP: 10.110.0.111
Host IP: 10.110.0.110
Net Bits: 24
NetMask: 255.255.0.0
MtuSize: 9000
Hostname: mic0.local
...
2.3 Step 3: Enabling LDAP on the Intel® Xeon Phi™ Coprocessors
Intel supplies LDAP and PAM RPMs compiled for the Intel® Xeon Phi™ coprocessor (k1om format) in a tarball, mpss.3.2-k1om.tar, which is available from the Intel® MPSS download page. In order to enable LDAP support on the card, perform the following steps.
1) Extract the 2 RPMs related to the k1om LDAP setup, nss-ldap-265-r0.k1om.rpm and pam-ldap-186-r0.k1om.rpm, from the aforementioned tarball into a download directory, for example /home/mic/Downloads/rpm_ldap.
2) Make sure the mpss service is stopped. Point micctrl to the directory holding the k1om RPMs:
# micctrl --rpmdir='/home/mic/Downloads/rpm_ldap/'
Make sure to specify the trailing forward slash.
3) Point micctrl to the LDAP server and search base:
# micctrl --ldap=10.110.0.103 --base=micdomain.com
This command creates all the necessary configuration files for the card.
4) Update the compressed CPIO image for the card:
# micctrl --updateramfs
5) Start the service, switch to an LDAP user on the host, and SSH to the card as that user:
# service mpss start
# su alice
$ ssh alice@mic0
That's all there is to it.
3. Troubleshooting
In case something doesn't quite work as expected, check the following files on the host filesystem. Additionally, for those who prefer to write their own configuration scripts instead of using micctrl, this is a comprehensive list of the files modified by micctrl for LDAP configuration. Note that the generated ldap.conf uses a plain ldap:// URI, so the simple bind that pam_ldap performs at SSH login sends the user's password from the card to the directory server unencrypted over the bridged network; if that is not acceptable, configure TLS in the card's ldap.conf as well as on the host.
# cat /var/mpss/mic0/etc/ldap.conf
URI ldap://10.110.0.103
BASE dc=micdomain,dc=com
bind_policy soft ## This setting improves the responsiveness of the card: lookups do not block retrying the LDAP server while the MIC link is not yet up.
# cat /var/mpss/mic0/etc/ssh/sshd_config
Protocol 2
UsePAM yes
UsePrivilegeSeparation yes
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
Subsystem sftp /usr/libexec/sftp-server
# cat /var/mpss/mic0/etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
# cat /var/mpss/mic0/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
# cat /etc/mpss/mic0.conf
Version 1 1
# Include configuration common to all MIC cards
Include default.conf
# Include all additional functionality configuration files by default
Include "conf.d/*.conf"
# Unique per card files for embedded Linux file system
MicDir /var/mpss/mic0
# Hostname to assign to MIC card
Hostname "mic0.local"
# MAC address configuration
MacAddrs "Serial"
Network class=StaticBridge bridge=br0 micip=10.110.0.111 modhost=yes modcard=yes
# Boot MIC card when MPSS stack is started
BootOnStart Enabled
# Root device for MIC card
RootDevice ramfs /var/mpss/mic0.image.gz
K1omRpms /home/mic/Downloads/rpm_ldap/
Overlay RPM /home/mic/Downloads/rpm_ldap/pam-ldap-186-r0.k1om.rpm on
Overlay RPM /home/mic/Downloads/rpm_ldap/nss-ldap-265-r0.k1om.rpm on
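As an added example (not from the paper, and not part of micctrl or MPSS), the following shell function checks the files from the listing above for the settings that LDAP login on the card depends on, and warns when the ldap.conf URI is plain ldap:// with no TLS. The demo builds throwaway copies of the listed files, constructed here, instead of touching /var/mpss; on a real host you would point check_card_ldap_config at /var/mpss/mic0/etc before running micctrl --updateramfs. The directory layout, file names and keywords are taken from the listing; everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the Intel paper or from micctrl: sanity-check the
# LDAP-related files under a card's etc tree (normally /var/mpss/mic0/etc)
# before rebuilding the card image. Layout assumed to match the listing above.

# check_card_ldap_config ETC_DIR -> returns 0 if all checks pass, 1 otherwise
check_card_ldap_config() {
    etc=$1
    rc=0
    # ldap.conf must name a server and carry the search base
    grep -qi '^URI[[:space:]][[:space:]]*ldap' "$etc/ldap.conf" 2>/dev/null \
        || { echo "ldap.conf: no URI line"; rc=1; }
    grep -qi '^BASE[[:space:]][[:space:]]*dc=' "$etc/ldap.conf" 2>/dev/null \
        || { echo "ldap.conf: no BASE line"; rc=1; }
    # a plain ldap:// URI means simple binds (user passwords) cross the bridge unencrypted
    if grep -qi '^URI[[:space:]][[:space:]]*ldap://' "$etc/ldap.conf" 2>/dev/null; then
        echo "warning: ldap.conf uses ldap:// without TLS"
    fi
    # nsswitch.conf must consult ldap for every account database
    for db in passwd shadow group; do
        grep -q "^$db:.*ldap" "$etc/nsswitch.conf" 2>/dev/null \
            || { echo "nsswitch.conf: $db does not list ldap"; rc=1; }
    done
    # the PAM auth stack must include pam_ldap, and sshd must defer to PAM
    grep -q 'pam_ldap\.so' "$etc/pam.d/common-auth" 2>/dev/null \
        || { echo "common-auth: pam_ldap.so missing"; rc=1; }
    grep -q '^UsePAM[[:space:]][[:space:]]*yes' "$etc/ssh/sshd_config" 2>/dev/null \
        || { echo "sshd_config: UsePAM yes missing"; rc=1; }
    return $rc
}

# make_sample_etc [broken]: builds a throwaway tree with constructed copies of
# the files in the listing; "broken" drops ldap from nsswitch.conf. Prints the path.
make_sample_etc() {
    d=$(mktemp -d)
    mkdir -p "$d/pam.d" "$d/ssh"
    printf 'URI ldap://10.110.0.103\nBASE dc=micdomain,dc=com\nbind_policy soft\n' >"$d/ldap.conf"
    printf 'Protocol 2\nUsePAM yes\nUsePrivilegeSeparation yes\n' >"$d/ssh/sshd_config"
    printf 'auth sufficient pam_ldap.so\nauth [success=1 default=ignore] pam_unix.so nullok_secure\nauth requisite pam_deny.so\nauth required pam_permit.so\n' >"$d/pam.d/common-auth"
    if [ "$1" = broken ]; then
        printf 'passwd: files\nshadow: files\ngroup: files\nhosts: files dns\n' >"$d/nsswitch.conf"
    else
        printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n' >"$d/nsswitch.conf"
    fi
    echo "$d"
}

# demo: prints "<rc for good tree> <rc for broken tree>"
demo() {
    good=$(make_sample_etc)
    bad=$(make_sample_etc broken)
    if check_card_ldap_config "$good" >/dev/null; then good_rc=0; else good_rc=1; fi
    if check_card_ldap_config "$bad"  >/dev/null; then bad_rc=0;  else bad_rc=1;  fi
    rm -rf "$good" "$bad"
    echo "$good_rc $bad_rc"
}

demo
```

The TLS check is a warning rather than a failure because the listing itself ships with ldap://; treat it as a reminder that the card's bind traffic is visible to anything on the bridged segment until TLS is configured. Each failing check names the file, which is the same set micctrl writes, so the output maps directly onto the listing when you are hand-maintaining these files.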
4. Automatic Creation of the Home Directory on the Intel® Xeon Phi™ Coprocessor uOS
To automatically create home directories when LDAP users log in:
1) Extract pam-plugin-mkhomedir-1.1.5-r3.k1om.rpm from the tarball mpss.3.2-k1om.tar.
2) Add the path of pam-plugin-mkhomedir-1.1.5-r3.k1om.rpm to /etc/mpss/mic0.conf, for example:
Overlay RPM /home/mic/Downloads/rpm_ldap/pam-plugin-mkhomedir-1.1.5-r3.k1om.rpm on
3) Include the following line:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
in /var/mpss/common/etc/pam.d/common-session and /var/mpss/common/etc/pam.d/sshd.
The common-session file allows for home directory creation when switching to an LDAP user via the su command, while the sshd file allows for directory creation when users SSH to the card. The umask=0077 keeps each newly created home directory readable only by its owner, which matters on a card shared by several LDAP users. Rebuild the card image with micctrl --updateramfs (as in step 4 of section 2.3) so that the overlay RPM and the edited PAM files are included.
5. Additional Considerations for LDAP users of the Coprocessor Offload Interface (COI)
Using coprocessor offload with the default setting for the coi_daemon,
--coiuser=micuser
does not require any additional configuration on the card side to use LDAP. In that mode, offload jobs on the card run under a "generic" micuser account, which owns both the processes and the temporary files. This option works well when the job scheduler can guarantee that offload jobs from only one host user run at a time, and that the Intel® Xeon Phi™ coprocessor uOS is rebooted between jobs. However, MPSS release 3.1 introduced another option for starting the COI daemon,
--coiuser=_Authorized
With this option, coi_daemon spawns processes on the card as the same user that runs the offload application on the host. This mode provides better data privacy when several host users share the Intel® Xeon Phi™ coprocessor for offload jobs at the same time, because each user's processes and temporary files on the card are owned by that user rather than by a shared account.
LDAP users cannot use COI with the
--coiuser=_Authorized
setting by default, because LDAP users don't have a home directory on the card (per the default pam-ldap settings). To get it working, administrators must perform the following steps:
1) To enable the --coiuser=_Authorized setting, create a coi.conf file for the card filesystem at /etc/coi.conf (host location /var/mpss/common/etc/coi.conf or /var/mpss/mic0/etc/coi.conf) with the following line:
coiparams='--coiuser=_Authorized'
2) Perform the steps set forth in the section "Automatic Creation of the Home Directory on the Intel® Xeon Phi™ Coprocessor uOS" to enable home directory creation for LDAP users.
3) To create the home directory for a given LDAP user, SSH to the card as that user; the home directory is created on the card at login. Then log off the card by issuing the exit command.
4) Run the COI application on the host as the LDAP user.
Note: Failure to perform step 3 above triggers the following error message in the host terminal window when attempting to run an offload application:
offload error: cannot offload to MIC - device is not available
In future releases of MPSS, step 3 above may no longer be necessary.