The lsf.sudoers file is an optional file to configure security mechanisms. It is not installed by default.
You use lsf.sudoers to set the parameter LSF_EAUTH_KEY to configure a key for eauth to encrypt and decrypt user authentication data.
On UNIX, you also use lsf.sudoers to grant permission to users other than root to perform certain operations as root in LSF, or as a specified user. These operations include:
LSF daemon startup/shutdown
User ID for LSF authentication
User ID for LSF pre- and post-execution commands.
User ID for external LSF executables
If lsf.sudoers does not exist, only root can perform these operations in LSF on UNIX.
On UNIX, this file is located in /etc.
There is one lsf.sudoers file per host.
On Windows, this file is located in the directory specified by the parameter LSF_SECUREDIR in lsf.conf.
After making any changes to lsf.sudoers, run badmin reconfig to reload the configuration files.
In LSF, certain operations such as daemon startup can only be performed by root. The lsf.sudoers file grants root privileges to specific users or user groups to perform these operations.
lsf.sudoers must be located in /etc on each host.
lsf.sudoers must have permission 600 and be readable and writable only by root.
The lsf.sudoers file is shared over an NTFS network, not duplicated on every Windows host.
By default, LSF installs lsf.sudoers in the %SYSTEMROOT% directory.
The location of lsf.sudoers on Windows must be specified by LSF_SECUREDIR in lsf.conf. You must configure the LSF_SECUREDIR parameter in lsf.conf if using lsf.sudoers on Windows.
The owner of lsf.sudoers on Windows must be Administrators. If not, eauth may not work.
The permissions on lsf.sudoers for Windows are:
Local Admins (W)
Everyone (R)
Domain Admins (W)
Everyone (R)
The format of lsf.sudoers is very similar to that of lsf.conf.
NAME=VALUE
NAME=
NAME="STRING1 STRING2 ..."
The equal sign = must follow each NAME even if no value follows and there should be no space beside the equal sign.
NAME describes an authorized operation.
VALUE is a single string or multiple strings separated by spaces and enclosed in quotation marks.
Lines starting with a pound sign (#) are comments and are ignored. Do not use #if as this is reserved syntax for time-based configuration.
LSB_PRE_POST_EXEC_USER=user100
LSF_STARTUP_PATH=/usr/share/lsf/etc
LSF_STARTUP_USERS="user1 user10 user55"
You can create and modify lsf.sudoers with a text editor.
After you modify lsf.sudoers, you must run badmin hrestart all to restart all sbatchds in the cluster with the updated configuration.
LSB_PRE_POST_EXEC_USER
LSF_EAUTH_KEY
LSF_EAUTH_USER
LSF_EEXEC_USER
LSF_EGO_ADMIN_PASSWD
LSF_EGO_ADMIN_USER
LSF_LOAD_PLUGINS
LSF_STARTUP_PATH
LSF_STARTUP_USERS
LSB_PRE_POST_EXEC_USER
Specifies the UNIX user account under which pre- and post-execution commands run. This parameter affects host-based pre- and post-execution processing defined at the first level.
You can specify only one user account. If the pre-execution or post-execution commands perform privileged operations that require root permissions on UNIX hosts, specify a value of root.
If you configure this parameter as root, the LD_PRELOAD and LD_LIBRARY_PATH variables are removed from the pre-execution, post-execution, and eexec environments for security purposes.
Not defined. Pre-execution and post-execution commands run under the user account of the user who submits the job.
LSF_EAUTH_KEY
Applies to UNIX, Windows, and mixed UNIX/Windows clusters.
Specifies the key that eauth uses to encrypt and decrypt user authentication data. Defining this parameter enables increased security at your site. The key must contain at least six characters and must use only printable characters.
For UNIX, you must edit the lsf.sudoers file on all hosts within the cluster and specify the same encryption key. For Windows, you must edit the shared lsf.sudoers file.
Not defined. The eauth executable encrypts and decrypts authentication data using an internal key.
LSF_EAUTH_USER
UNIX only.
Specifies the UNIX user account under which the external authentication executable eauth runs.
Not defined. The eauth executable runs under the account of the primary LSF administrator.
LSF_EEXEC_USER=user_name
UNIX only.
Specifies the UNIX user account under which the external executable eexec runs.
Not defined. The eexec executable runs under root or the account of the user who submitted the job.
LSF_EGO_ADMIN_PASSWD
When the EGO Service Controller (EGOSC) is configured to control LSF daemons, enables UNIX and Windows users to bypass the additional login required to start res and sbatchd. Bypassing the EGO administrator login enables the use of scripts to automate system startup.
Specify the Admin EGO cluster administrator password as clear text. You must also define the LSF_EGO_ADMIN_USER parameter.
Not defined. With EGOSC daemon control enabled, the lsadmin and badmin startup subcommands invoke the egosh user logon command to prompt for the Admin EGO cluster administrator credentials.
LSF_EGO_ADMIN_USER
When the EGO Service Controller (EGOSC) is configured to control LSF daemons, enables UNIX and Windows users to bypass the additional login required to start res and sbatchd. Bypassing the EGO administrator login enables the use of scripts to automate system startup.
Specify the Admin EGO cluster administrator account. You must also define the LSF_EGO_ADMIN_PASSWD parameter.
Not defined. With EGOSC daemon control enabled, the lsadmin and badmin startup subcommands invoke the egosh user logon command to prompt for the Admin EGO cluster administrator credentials.
LSF_LOAD_PLUGINS
If defined, LSF loads plugins from LSB_LSBDIR. Used for Kerberos authentication and to enable the LSF cpuset plugin for SGI.
Not defined. LSF does not load plugins.
LSF_STARTUP_PATH
UNIX only. Enables the LSF daemon startup control feature when LSF_STARTUP_USERS is also defined. Define both parameters when you want to allow users other than root to start LSF daemons.
For security reasons, you should move the LSF daemon binary files to a directory other than LSF_SERVERDIR or LSF_BINDIR. The user accounts specified by LSF_STARTUP_USERS can start any binary in the LSF_STARTUP_PATH.
Not defined. Only the root user account can start LSF daemons.
LSF_STARTUP_USERS
UNIX only. Enables the LSF daemon startup control feature when LSF_STARTUP_PATH is also defined. Define both parameters when you want to allow users other than root to start LSF daemons. On Windows, the services admin group is equivalent to LSF_STARTUP_USERS.
Allows all UNIX users defined as LSF administrators in the file lsf.cluster.cluster_name to start LSF daemons as root by running the lsadmin and badmin commands.
Not recommended due to the security risk of a non-root LSF administrator adding to the list of administrators in the lsf.cluster.cluster_name file.
Not required for Windows hosts because all users with membership in the services admin group can start LSF daemons.
Allows the specified user accounts to start LSF daemons by running the lsadmin and badmin commands.
Separate multiple user names with a space.
For a single user, do not use quotation marks.
Not defined. Only the root user account can start LSF daemons.
LSF_STARTUP_PATH
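The rules stated on this page (mode 600 owned by root on UNIX, NAME=VALUE with no space beside the equal sign, the six-character minimum for LSF_EAUTH_KEY, and the parameters that must be defined together) can be checked mechanically before the file is deployed to each host. The following Python is an added example, not part of LSF or of the original page; audit, audit_file and SAMPLE are hypothetical names, and reporting names outside the nine parameters listed above is an assumption of this example.

```python
import os
import re
import stat

# The nine parameter names listed on this page; other names are reported (assumption).
KNOWN = {"LSB_PRE_POST_EXEC_USER", "LSF_EAUTH_KEY", "LSF_EAUTH_USER",
         "LSF_EEXEC_USER", "LSF_EGO_ADMIN_PASSWD", "LSF_EGO_ADMIN_USER",
         "LSF_LOAD_PLUGINS", "LSF_STARTUP_PATH", "LSF_STARTUP_USERS"}
# Parameters the page says must be defined together.
PAIRS = [("LSF_STARTUP_PATH", "LSF_STARTUP_USERS"),
         ("LSF_EGO_ADMIN_USER", "LSF_EGO_ADMIN_PASSWD")]
# NAME=VALUE, NAME= or NAME="S1 S2", with no space beside the equal sign.
LINE_RE = re.compile(r'^([A-Z][A-Z0-9_]*)=(?:"([^"]*)"|(\S*))$')

def audit(text, mode=0o600, uid=0):
    """Return findings for lsf.sudoers content plus its UNIX mode and owner."""
    params, findings = {}, []
    if stat.S_IMODE(mode) != 0o600 or uid != 0:
        findings.append(f"file: mode {stat.S_IMODE(mode):o} uid {uid}, expected 600 owned by root")
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("#if"):
            findings.append(f"line {n}: #if is reserved syntax, not a comment")
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"line {n}: not NAME=VALUE (space beside '=' or bad quoting)")
        elif m.group(1) not in KNOWN:
            findings.append(f"line {n}: unknown parameter {m.group(1)}")
        else:
            params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    key = params.get("LSF_EAUTH_KEY")
    if key is not None and (len(key) < 6 or not key.isprintable()):
        findings.append("LSF_EAUTH_KEY: needs at least six printable characters")
    for a, b in PAIRS:
        if (a in params) != (b in params):
            findings.append(f"{a} and {b} must both be defined")
    return findings

def audit_file(path="/etc/lsf.sudoers"):
    """Audit a file on disk, taking mode and owner from the filesystem."""
    st = os.stat(path)
    with open(path) as fh:
        return audit(fh.read(), st.st_mode, st.st_uid)

# Constructed sample: five-character key, space after '=', EGO user without password.
SAMPLE = 'LSF_EAUTH_KEY=abc12\nLSF_STARTUP_USERS= "user1 user10"\nLSF_EGO_ADMIN_USER=Admin\n'

if __name__ == "__main__":
    for finding in audit(SAMPLE, mode=0o100644, uid=0):
        print(finding)
```

A malformed line is reported and not parsed, so fix syntax findings first and rerun before relying on the paired-parameter checks.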