Setting up LDAP Support for Intel® Xeon Phi™ Coprocessors

Alexander Gutkin, Sushmith Hiremath

US

Revision: 1.0

Contents

  1. 1. About this Document
    1. 1.1 Intended Audience
    2. 1.2 Conventions and Symbols
    3. 1.3 About the Authors
  2. 2. Configuration Overview
    1. 2.1 Step 1: Enabling LDAP on a Host
    2. 2.2 Step 2: Bridging Intel® Xeon Phi™ Coprocessors
    3. 2.3 Step 3: Enabling LDAP on the Intel® Xeon Phi™ Coprocessors
  3. 3. Troubleshooting
  4. 4. Automatic Creation of the Home Directory on the Intel® Xeon Phi™ Coprocessor uOS
  5. 5. Additional Considerations for LDAP users of the Coprocessor Offload Interface (COI)

List of Tables

Table 1 Conventions and Symbols used in this Document

  1. 1. About this Document

    This paper highlights an important new feature of the Intel® Manycore Platform Software Stack (Intel® MPSS) release 3.2 – support for the Lightweight Directory Access Protocol (LDAP) on the Intel® Xeon Phi™ coprocessor. The release can be found on http://software.intel.com/en-us/articles/intel-manycore-platform-software-stack-mpss. We illustrate all the steps needed to set up LDAP support on the Intel® MPSS host, set up a static bridge and configure Intel® Xeon Phi™ coprocessor cards to allow SSH login to the card by an LDAP user. In addition, we demonstrate how to configure the Intel® Xeon Phi™ coprocessor for the LDAP users of the Coprocessor Offload Interface (COI) applications with an optional authentication of the offload user.

    1. 1.1 Intended Audience

      The intended audience of this paper are system administrators of Linux* hosts containing Intel® Xeon Phi™ coprocessors.

    2. 1.2 Conventions and Symbols

      The following conventions are used in this document.

      Table 1 Conventions and Symbols used in this Document

      Italics Indicates a file or directory name.
      Courier Indicates an element of syntax, reserved word, keyword, filename, computer output, or part of a program example. The text appears in lowercase unless uppercase is significant.
      Courier (Bold) Emphasizes the relevant or changed lines when printing a larger configuration file.

      A single # at the beginning of a line denotes commands entered with administrative privileges; $ indicates standard user rights.

      "Card" refers to the Intel® Xeon Phi™ coprocessor PCIe card.

      "uOS" refers to the Linux* micro Operating System running on an Intel® Xeon Phi™ coprocessor.

      Alice, Bob, etc. are assumed to be LDAP users, i.e. the users specified in the LDAP directory, but not on the host /etc/password file.

    3. 1.3 About the Authors

      Alexander Gutkin and Sushmith Hiremath are part of Intel Corporation's Technical Computing Group and specialize in security and system configuration for the Intel® Xeon Phi™ coprocessor platform.

  2. 2. Configuration Overview

    We will not illustrate how to set up an LDAP server in this paper. We will assume that the LDAP server is already up and running, and both LDAP server and the compute nodes (hosts) are part of the same corporate network. For illustration purposes, LDAP server's IP is 10.110.0.103 and the network domain is called MICDOMAIN.COM. Also, will assume that hosts are running Red Hat* Enterprise Linux* 6 (RHEL6) operating system. In our example, we will use eth1 as our default Ethernet device on the host.

    A high-level view of the task of configuring LDAP on the Intel® Xeon Phi™  coprocessors looks like the following:

    Step 1. Enable LDAP on a host

    Step 2. Bridge Intel® Xeon Phi™ coprocessors

    Step 3. Enable LDAP on the Intel® Xeon Phi™ coprocessors

    • Tip: A word of warning: It is possible to create a situation when the local host users (those that are listed in /etc/passwd) and LDAP users will have overlapping UIDs. Such overlap may lead to "interesting" cases when LDAP users may access home directory of the local users, leading to data privacy issues. By default, many Linux* distributions start with base uid 500 and create additional user increments from that base. To avoid overlap, many versions of LDAP server start from base uid = 1000. System administrators must be ever vigilant to avoid UID conflicts.


    1. 2.1 Step 1: Enabling LDAP on a Host

      To enable LDAP on a host, we'll need to install several RPMs. For RHEL, these RPMs are:

      • nss-pam-ldapd.x86_64
      • openldap.x86_64
      • openldap-clients.x86_64
      • pam_ldap.x86_64

      After installing the RPMs, we will use the authconfig tool to enable LDAP authentication for the host and to supply the location of the LDAP server./p>

      # authconfig --enableldap --enableldapauth --enablemkhomedir

      --ldapserver=10.110.0.103 --ldapbasedn="dc=micdomain,dc=com"

      –update

      The authconfig tool should modify several configuration files on the host.

      1. In /etc/sysconfig/authconfig : FORCELEGACY=yes ## for those who would want to enable LDAP authentication without TLS

      2. In /etc/pam.d/system-auth :

      auth sufficient pam_ldap.so use_first_pass ## this specifies that pam_ldap should use the first password provided in the authentication stack.

      The sample file is shown below :

      # cat /etc/pam.d/system-auth

      #%PAM-1.0

      # This file is auto-generated.

      # User changes will be destroyed the next time authconfig is run.

      auth required pam_env.so
      auth sufficient pam_fprintd.so
      auth sufficient pam_unix.so nullok try_first_pass
      auth requisite pam_succeed_if.so uid >= 500 quiet
      auth sufficient pam_ldap.so use_first_pass
      auth required pam_deny.so
      account required pam_unix.so broken_shadow
      account sufficient pam_localuser.so
      account sufficient pam_succeed_if.so uid < 500 quiet
      account [default=bad success=ok user_unknown=ignore] pam_ldap.so
      account required pam_permit.so
      password requisite pam_cracklib.so try_first_pass retry=3 type=
      password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
      password sufficient pam_ldap.so use_authtok
      password required pam_deny.so
      session optional pam_keyinit.so revoke
      session required pam_limits.so
      session optional pam_oddjob_mkhomedir.so
      session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session required pam_unix.so
      session optional pam_ldap.so

      3. # cat /etc/pam_ldap.conf

      uri ldap://10.110.0.103/   ## ip ADDRESS OF THE LDAP SERVER OR HOSTNAME OF THE SERVER, WITH DNS ENABLED.

      base dc=micdomain,dc=com

      4. # cat /etc/nsswitch.conf ## This file specifies order in which name lookups are listed on each line, i.e. in this case local files 1st followed by an LDAP

      passwd: files ldap
      shadow: files ldap
      group: files ldap
      automount: files ldap

      5. # cat /etc/openldap/ldap.conf

      URI ldap://10.110.0.103/

      BASE dc=micdomain,dc=com

      TLS_CACERTDIR /etc/openldap/cacerts

      6. To create home directory for LDAP users include the following line in the /etc/pam.d/sshd :


      session required pam_mkhomedir.so skel=/etc/skel umask=0077

      7. vi /etc/ssh/sshd_config

      check if "UsePAM yes"

      Optionally, to increase performance of the name lookup we will start name service cache daemon (nscd ):

      chkconfig nscd on

      /etc/init.d/nscd start

      Next, make sure host firewall does not block connection to Directory Service Agent (by default – TCP port 389).

      To verify that host can connect to the LDAP server, issue the following command:

      # ldapsearch -xb "dc=micdomain,dc=com"

    2. If that command succeeded, you should see the LDAP users' profiles stored on the server.


    3. 2.2 Step 2: Bridging Intel® Xeon Phi™ Coprocessors

      1) First, create the bridge:

      $ micctrl --addbridge=br0 --type=external --ip=10.110.0.110

      2) Change the network settings of the card to be part of this bridge and give a new ip address for the card as part of the bridge:

      $ micctrl --network=static --bridge=br0 --ip=10.110.0.111

      3) Manually modify ifcfg-eth1 to use  bridge network to connect to the LDAP server. Optionally, increase the MTU size to 9000 as follows:

      $ micctrl --modbridge --mtu=9000 command.

      (For more information on bridging and MTU modification refer to the MPSS User's guide.)

      4) The files will look something like this:

      1. # cat /etc/sysconfig/network-scripts/ifcfg-eth1

      DEVICE="eth1"

      NM_CONTROLLED="no"

      TYPE="ethernet"

      BRIDGE=br0

      MTU=9000
      2. # cat /etc/sysconfig/network-scripts/ifcfg-br0

      DEVICE=br0

      TYPE=Bridge

      ONBOOT=yes

      DELAY=0

      NM_CONTROLLED="no"

      BOOTPROTO=static

      IPADDR=10.110.0.110

      NETMASK=255.255.0.0

      MTU=9000
      3. # cat /etc/sysconfig/network-scripts/ifcfg-mic0

      DEVICE=mic0

      ONBOOT=yes

      NM_CONTROLLED="no"

      BRIDGE=br0

      MTU=9000

      5) Restart the network service to make sure that network adapters start properly.

      # service network restart

      6) With the bridge enabled,  micctrl --config will resemble the following:

      [root@localhost rpm_ldap]# micctrl --config

      mic0:

      =============================================================

      Config Version: 1.1

      Linux Kernel:   /usr/share/mpss/boot/bzImage-knightscorner

      BootOnStart:    Enabled

      Shutdowntimeout: 300 seconds     

      ExtraCommandLine: highres=off

      PowerManagment: cpufreq_on;corec6_on;pc3_on;pc6_on

      Root Device:   Dynamic Ram Filesystem /var/mpss/mic0.image.gz from:

      Base:      CPIO /usr/share/mpss/boot/initramfs-knightscorner.cpio.gz

      CommonDir: Directory /var/mpss/common

      Micdir:    Directory /var/mpss/mic0    

      Network:   Static bridge br0

      MIC IP:    10.110.0.111

      Host IP:   10.110.0.110

      Net Bits:  24

      NetMask:   255.255.0.0

      MtuSize:   9000

      Hostname:  mic0.local

      . . .



    4. 2.3 Step 3: Enabling LDAP on the Intel® Xeon Phi™ Coprocessors

      Intel supplies LDAP and pam RPMs compiled for the Intel® Xeon Phi™ coprocessor (k1om format) in a tarball mpss.3.2-k1om.tar, which is available from the Intel® MPSS download page.  In order to enable LDAP support on the card, perform the following steps.

      1) Extract  the 2 RPMs related to k1om LDAP setup from the aforementioned tarball: nss-ldap-265-r0.k1om.rpm and pam-ldap-186-r0.k1om.rpm to a default MPSS download directory, for example:

      $ /home/mic/Downloads/rpm_ldap

      2) Make sure mpss service is stopped. Point micctrl to the default location for the k1om RPMs:

      # micctrl --rpmdir='/home/mic/Downloads/rpm_ldap/'

      Make sure to specify trailing forward slash.

      3) Point micctrl to the URI of the LDAP server:

      # micctrl --ldap=10.110.0.103 --base=micdomain.com

      This command will create all the necessary configuration files for the card.

      4) Update compressed CPIO image for the card:

      # micctrl --updateramfs

      5) Start the service and SSH to the card and make sure you can switch to an LDAP user:

      # service mpss start

      # su alice

      $ ssh alice@mic0

      That's all there is to it.

  3. 3. Troubleshooting

    In case something doesn't quite work as expected, check the following files on the host filesystem. Additionally, for those who prefer to write their own configuration scripts instead of using micctrl, this is a comprehensive list of the files modified by micctrl for LDAP configuration.

    
    # cat /var/mpss/mic0/etc/ldap.conf
          URI ldap://10.110.0.103
          BASE dc=micdomain,dc=com
          bind_policy soft  ## This setting  helps to improve responsiveness of the card by not trying to access LDAP server before MIC link is up.
            	
    # cat /var/mpss/mic0/etc/ssh/sshd_config 
          Protocol 2
          UsePAM yes
          UsePrivilegeSeparation yes
          Compression no
          ClientAliveInterval 15
          ClientAliveCountMax 4
          Subsystem	sftp	/usr/libexec/sftp-server
    
    # cat /var/mpss/mic0/etc/pam.d/common-auth 
          auth	sufficient			pam_ldap.so
          auth	[success=1 default=ignore]	pam_unix.so nullok_secure
          auth	requisite			pam_deny.so
          auth	required			pam_permit.so
    # cat /var/mpss/mic0/etc/nsswitch.conf 
          passwd:	files ldap
          shadow:	files ldap
          group:	files ldap
          hosts:	files dns
      
    # cat /etc/mpss/mic0.conf
          Version 1 1
              
    # Include configuration common to all MIC cards
          Include default.conf
              
    # Include all additional functionality configuration files by default
          Include "conf.d/*.conf"
              
     # Unique per card files for embedded Linux file system
          MicDir /var/mpss/mic0		
     # Hostname to assign to MIC card
          Hostname "mic0.local"		
     # MAC address configuration
          MacAddrs "Serial"		
          Network class=StaticBridge bridge=br0 micip=10.110.0.111 modhost=yes modcard=yes
              
     # Boot MIC card when MPSS stack is started
          BootOnStart Enabled
              
    # Root device for MIC card
          RootDevice ramfs /var/mpss/mic0.image.gz
              
          K1omRpms /home/mic/Downloads/rpm_ldap/
          Overlay RPM /home/mic/Downloads/rpm_ldap/pam-ldap-186-r0.k1om.rpm on
          Overlay RPM /home/mic/Downloads/rpm_ldap/nss-ldap-265-r0.k1om.rpm on
    
        
  4. 4. Automatic Creation of the Home Directory on the Intel® Xeon Phi™ Coprocessor uOS

    To automatically create home directories when LDAP users login:

    1) Extract pam-plugin-mkhomedir-1.1.5-r3.k1om.rpm from the tarballmpss.3.2-k1om.tar

    2) Add the path of the pam-plugin-mkhomedir-1.1.5-r3.k1om.rpm to >/etc/mpss/mic0.conf, for example:>

    Overlay     RPM /home/mic/Downloads/rpm_ldap/pam-plugin-mkhomedir-1.1.5-r3.k1om.rpm on

    3) Include the following line:

    session     required     pam_mkhomedir.so skel=/etc/skel umask=0077

    in /var/mpss/common/etc/pam.d/common-session and /var/mpss/common/etc/pam.d/sshd.

    The common-session file allows for home directory creation when switching to LDAP user via the su command, while sshd file allows for directory creation when users SSH to the card.

  1. 5 Additional Considerations for LDAP users of the Coprocessor Offload Interface (COI)

    Using Coprocessor offload with default setting for the coi_daemon, --coiuser=micuser does not require any additional configuration on the card side to use LDAP.  In that mode, offload jobs on the card use a "generic" micuser account for the process ownership as well as location of the temporary files. This option works well when the job scheduler can guarantee that offload jobs run from one host user at a time, and the Intel® Xeon Phi™ coprocessor uOS is rebooted between the jobs. However, MPSS release 3.1 introduced another option to start COI daemon, --coiuser=_Authorized . With this option, coi_daemon supports a mode that allows system administrators to configure the coi_daemon to spawn processes as the same user on the host. This mode allows for enhanced data privacy even when several host users share the Intel® Xeon Phi™ coprocessor for offload jobs at the same time.

    LDAP users cannot use COI with the --coiuser=_Authorized setting by default because LDAP users don't have a home directory on the card (per default pam-ldap settings). So, to get it working, administrators must perform the following steps:

    1) To enable --coiuser=_Authorized setting, create a coi.conf file for the card filesystem at location /etc/coi.conf (at host location /var/mpss/common/etc/coi.conf or /var/mpss/mic0/etc/coi.conf ) with the following line:

    coiparams='--coiuser=_Authorized'

    2) Perform steps as set forth by the section "Automatic Creation of the Home Directory on the Intel® Xeon Phi™ Coprocessor uOS" to set up a home directory for the LDAP user.

    3) To create a home directory for the LDAP user, SSH to the card as LDAP user. The LDAP user's home directory will be created on the card. Then, log off the card by issuing the exit command.

    4) Run the COI application on the host as LDAP user.

    Note: Failure to perform step 3 above will trigger the following error message on the host terminal window when attempting to run an offload application: $ offload error: cannot offload to MIC - device is not available

    In future releases of MPSS, Step 3, above, may no longer be necessary.

Для получения подробной информации о возможностях оптимизации компилятора обратитесь к нашему Уведомлению об оптимизации.
Теги: