This chapter provides details about the EnFuzion root configuration.
The most important aspect of the EnFuzion root configuration specifies how the root establishes the communication with EnFuzion nodes. This description of nodes is provided in the enfuzion.nodes file. This file is often the only configuration file that is required to run EnFuzion.
The EnFuzion root also contains several configuration options, which can be tuned for specific user environments in order to improve performance or security aspects of EnFuzion operation. These options are provided in the root.options file. This file is optional for running EnFuzion and can contain only options that are relevant for a particular EnFuzion installation.
Several configuration files describe how EnFuzion deals with users. These files are: users, which specifies how user identities are assigned from user identification strings that are provided by the submit computers; groups, which specifies groups membership for users; admins, which contains a list of users that have EnFuzion administrator privileges; and user.accounts, which contains rules for user account handling on EnFuzion nodes.
The EnFuzion root software provides additional security features that enhance system provided security. These features include the capability to remove clear text passwords from enfuzion.nodes and a private-public key method to authenticate the root to the nodes.
The rest of the chapter describes details about establishing communication with the node, configuring root.options, configuring user related options, and root based security features.
In most environments, EnFuzion nodes are specified in the enfuzion.nodes file. The file defines how the Dispatcher on the EnFuzion root connects with its nodes. Alternatively, nodes can be specified through the API, described in detail in the Section called Application Programming Interface in Chapter 10. Nodes can also connect directly to the Dispatcher, without requiring a corresponding line in the enfuzion.nodes file. See the Section called node start in Chapter 10 for more information on this process. The rest of this section provides details about the enfuzion.nodes file.
EnFuzion checks for the enfuzion.nodes file in the following locations: the local working directory, the $ENFUZION_PATH/config directory, and the config subdirectory of the EnFuzion installation directory.
On Linux/Unix, the default installation directory is $HOME/enfuzion for regular users and /usr/local/enfuzion for the root user. Both locations are checked.
On Windows NT/2000/XP, the default installation directory is C:\enfuzion.
For each node, enfuzion.nodes contains a line, describing the host name, the user name and the method used to establish a connection between the root and the node. A different method can be used by each node to connect to the root, which makes it easy to combine hosts with different operating systems and configurations. Lines that start with "#" are treated as comments.
The following sections describe the contents of the enfuzion.nodes file for Windows based nodes, for Linux/Unix based nodes, for custom based methods, and for nodes that are started remotely.
By default, EnFuzion uses the EnFuzion Starter Service on Windows NT/2000/XP, which significantly simplifies configuration of Windows nodes.
For each Windows based node, the enfuzion.nodes file contains a line in the following format:
<host_name> <user_name> <password>
The items, <host_name>, <user_name>, and <password> specify the host name, the user name under which EnFuzion executes programs and the user password on that host.
<user_name> can contain an optional <domain>. It takes one of the following forms:
<user_account>
<domain>\<user_account>
<user_account>@<domain>
If only <user_account> is provided, the node host name is used
for the domain name.
If the root host is a non-Windows computer, but the node host is a Windows computer, then the line format is as follows:
<host_name> <user_name> <password> WindowsNT
The example below details an enfuzion.nodes file that specifies EnFuzion nodes on four computers called ballet, swanlake, mandarin, and firebird. EnFuzion uses "enfuzion" as its user to execute programs with the password "enftest". All nodes, including the root, are Windows-based hosts.
Example of a Windows root and Windows nodes:
# this file describes my cluster
ballet.domain.com enfuzion enftest
swanlake.domain.com enfuzion enftest
mandarin.domain.com enfuzion enftest
firebird.domain.com enfuzion enftest
If the root is a non-Windows host, but the nodes are Windows-based, then the example above would look like the following.
Example of a non-Windows root and Windows nodes:
# this file describes my cluster
ballet.domain.com enfuzion enftest WindowsNT
swanlake.domain.com enfuzion enftest WindowsNT
mandarin.domain.com enfuzion enftest WindowsNT
firebird.domain.com enfuzion enftest WindowsNT
Some Windows installations might require that a domain name be specified for a node, in addition to the host name and the user name. In that case, the domain name can be specified along with the user name. The following is an example of the corresponding syntax for the enfuzion.nodes file:
<host_name> [<domain_name>\]<user_name> [ <password> ] [WindowsNT]
A domain name is optional, and if not specified, the local domain is used.
Passwords are required by EnFuzion to start the execution of nodes on Windows hosts. If the same password is shared among several computers, its handling in enfuzion.nodes can be simplified. When a host has a password that is already specified for a previous host in the configuration file, its password can be written as a "$" symbol, followed by the previous host's name, indicating that both hosts use the same password. In clusters with a large number of nodes, this feature can significantly simplify password changes.
The original example above, using shared passwords, would look like the following.
Example of shared passwords:
# this file describes my cluster
ballet.domain.com enfuzion enftest
swanlake.domain.com enfuzion $ballet.domain.com
mandarin.domain.com enfuzion $ballet.domain.com
firebird.domain.com enfuzion $ballet.domain.com
In some environments, it may not be desirable to keep clear text passwords in the enfuzion.nodes file. EnFuzion supports the use of encrypted passwords, which is described in the Section called Encrypted Passwords in enfuzion.nodes.
EnFuzion provides several methods to connect a root to a Linux/Unix-based host. These methods include ssh, rsh or telnet.
The ssh method is recommended, since it provides the highest level of security and is the easiest for installation. If the ssh method is used to connect to a remote node, then the root and the node must be configured for RSA based authentication. RSA based authentication allows the root to access a node without sending its password in a clear text format. The details of configuring the root and nodes for the ssh access are described in the Section called Configuring EnFuzion Nodes for Remote ssh Access in Chapter 4.
The example below assumes that the root and nodes have been configured to use RSA based authentication. If the root and nodes are not configured for RSA based authentication, then the Dispatcher and other programs prompt for a password. This method is not recommended, since it precludes batch execution of the Dispatcher.
For each Linux/Unix based node with ssh, the enfuzion.nodes file contains a line in the following format:
<host_name> <user_name> dummy ssh
<host_name>, and <user_name> specify the host name, and the user name under which EnFuzion executes programs. Since a password is not required, the third field, which normally contains a password, is ignored.
The example below shows an enfuzion.nodes file that specifies EnFuzion nodes on four computers called ballet, swanlake, mandarin, and firebird. EnFuzion uses "enfuzion" as its user to execute programs. ssh is used to connect to all nodes and is configured for RSA based authentication for accesses from the root.
Example of Linux/Unix-based nodes with ssh, using RSA:
# this file describes my cluster
ballet.domain.com enfuzion dummy ssh
swanlake.domain.com enfuzion dummy ssh
mandarin.domain.com enfuzion dummy ssh
firebird.domain.com enfuzion dummy ssh
rsh can used to connect to nodes instead of ssh by replacing the ssh keyword with the Unixrsh keyword. Nodes must be configured so that no password is required for rsh access to nodes.
For each Linux/Unix based node with rsh, the enfuzion.nodes file contains a line in the following format:
<host_name> <user_name> dummy Unixrsh
If rsh access is used instead of ssh, the example above would look like the following.
Example of Linux/Unix-based nodes with rsh:
# this file describes my cluster
ballet.domain.com enfuzion dummy Unixrsh
swanlake.domain.com enfuzion dummy Unixrsh
mandarin.domain.com enfuzion dummy Unixrsh
firebird.domain.com enfuzion dummy Unixrsh
Telnet, a standard Linux/Unix protocol, is another method that EnFuzion can use to connect to nodes. This method is the least recommended, since it provides the lowest level of security, because clear text password are sent over the network.
For each telnet based node, the enfuzion.nodes file contains a line in the following format:
<host_name> <user_name> <password>
<host_name>, <user_name>, and <password> specify the host name, the user name under which EnFuzion executes programs and the user password on that host.
If the root host is a non-Linux/Unix computer, but the node host is a telnet based node, then the line format is as follows:
<host_name> <user_name> <password> Unix
The example below shows an enfuzion.nodes file that specifies EnFuzion nodes on four computers called ballet, swanlake, mandarin, and firebird. EnFuzion uses "enfuzion" as its user to execute programs with the password "enftest". All nodes are telnet-based hosts, and the root is a Linux/Unix-based host.
Example of a Linux/Unix root and telnet nodes:
# this file describes my cluster
ballet.domain.com enfuzion enftest
swanlake.domain.com enfuzion enftest
mandarin.domain.com enfuzion enftest
firebird.domain.com enfuzion enftest
If the root is a non-Linux/Unix host, but the nodes are telnet-based, then the example above would look like the following.
Example of a non-Linux/Unix root and telnet nodes:
# this file describes my cluster
ballet.domain.com enfuzion enftest Unix
swanlake.domain.com enfuzion enftest Unix
mandarin.domain.com enfuzion enftest Unix
firebird.domain.com enfuzion enftest Unix
Passwords are required by EnFuzion to start the execution of nodes on telnet- based hosts. If the same password is shared among several computers, its handling in enfuzion.nodes can be simplified. When a host has a password that is already specified for a previous host in the configuration file, its password can be written as a "$" symbol, followed by the previous host's name, indicating that both hosts use the same password. In clusters with a large number of nodes, this feature can significantly simplify password changes.
The original example above, using shared passwords, would look like the following.
Example of shared passwords:
# this file describes my cluster
ballet.domain.com enfuzion enftest
swanlake.domain.com enfuzion $ballet.domain.com
mandarin.domain.com enfuzion $ballet.domain.com
firebird.domain.com enfuzion $ballet.domain.com
In some environments, it may not be desirable to have clear text passwords in the enfuzion.nodes file. EnFuzion supports the use of encrypted passwords, as described elsewhere in the Section called Encrypted Passwords in enfuzion.nodes.
Although EnFuzion provides a wide variety of methods to connect to a node, some environments require custom methods. EnFuzion supports custom remote execution, which allows users to start remote EnFuzion nodes through a user provided program, instead of using any of the standard methods.
For each node with a custom method, the enfuzion.nodes file contains a line in the following format:
<host_name> <user_name> <password> command <start_command>
The <host_name>, <user_name>, and <password> specify the host name, the user name under which EnFuzion executes programs and the user password on that host. <start_command> is the command used to start the node.
The command is called on the root host whenever the node is started by EnFuzion. It is provided with the following options:
<host_name> <user_name> <password> nodestart <node_command>
The first three arguments, <host_name>, <user_name>, and <password>, are the same as in enfuzion.nodes file. The <node_command> contains the command to be executed by EnFuzion on the node system to start the EnFuzion node software.
The <node_command> starts the enfnodeserver executable on the node (see the Section called Enfnodeserver in Chapter 11 for more details about the program). The path to the program is different depending on whether <user_name> is the root account or a regular user account. If <user_name> is the root account, <node_command> contains the following string:
cd /usr/local/enfuzion ; ./enfnodeserver -d -p <root_IP> <root_port>
The <root_IP> is the IP address of the root computer and <root_port> is the port number to which the node connects to exchange files or execute commands on the root system.
For all non-root accounts, <node_command> contains the following string:
cd ; cd enfuzion ; ./enfnodeserver -d -p <root_IP> <root_port>
The user command, specified in <start_command> can use the command line above and its own method to start the node. The node program, called Enfnodeserver, must be started with the same options as the standard EnFuzion command.
With the -d option, enfnodeserver creates a child, which runs as a daemon. It is important that <start_command> waits for the parent enfnodeserver process to exit. Otherwise, the parent can be terminated before the child daemon is started successfully, causing the node start procedure to fail. One simple solution is to wait for the prompt after the node start command is issued.
By default, the node port number used by the root for connection is assigned dynamically. If the network traffic between the root and a node is controlled by a firewall, then dynamic port assignment might not be compatible with the firewall. In such cases, the node can be configured in enfuzion.nodes with a static port assignment.
A static port is specified for a node by adding the port option to its line in enfuzion.nodes:
<host_name> <user_name> ... port <port_number>
The port option works with any method for starting a node. An example of a static port assignment for nodes started with ssh is shown below.
Example:
# nodes are started with ssh and use port 1234
ballet.domain.com enfuzion dummy ssh port 1234
swanlake.domain.com enfuzion dummy ssh port 1234
mandarin.domain.com enfuzion dummy ssh port 1234
firebird.domain.com enfuzion dummy ssh port 1234
For all node start methods described so far, the root host is responsible for starting a node. With EnFuzion, it is also possible to start a node independently of programs on the root host. A node can be started independently, either manually as a daemon on the node host, or using some other user defined method.
For each independently started node, the enfuzion.nodes file contains a line in the following format:
<host_name> dummy dummy nostart port <port_number>
The <host_name> and <port_number> specify the host name and the port number to use for connection to that host.
The example below shows an enfuzion.nodes file that specifies EnFuzion nodes on four computers called ballet, swanlake, mandarin, and firebird. Nodes are available on port 1234.
Example:
# independently started nodes, using port 1234
ballet.domain.com dummy dummy nostart port 1234
swanlake.domain.com dummy dummy nostart port 1234
mandarin.domain.com dummy dummy nostart port 1234
firebird.domain.com dummy dummy nostart port 1234
It is the user's responsibility to start the nodes and make them available at the specified hosts and ports before the Dispatcher is started. For an independent node start, the node server must be started with the following command line:
enfnodeserver -c <port> -r -hThe <port> is the port number on which the node server waits for a connection. The same configuration can be achieved with the following configuration options in the node.config file on the node:
nodeport <port>
report off
hello off
In the example above, the node server terminates after the first connected root terminates. If the node server needs to wait for another connection from the EnFuzion root, it must be started with the following command line:
enfnodeserver -c <port> -r -h -bWith these options, the node server never exits and is always ready for a connection from the root. The same configuration can be achieved with the following configuration options in the node.config file on the node:
nodeport <port>
report off
hello off
batch on
Options in the node.config file are described in more detail in the Section called Specifying Node Configuration Options in Chapter 7.
Normally, EnFuzion nodes are specified in the enfuzion.nodes file on the root and started and controlled by the root. In some environments, it is preferable that nodes are started independently and connect directly to the EnFuzion root. This feature can be useful when EnFuzion is integrated with batch schedulers, when the networking environment is limited by firewalls or when node configuration changes often.
The root and the node must both be configured to provide for independent node starting. On the root, the rootport option must be specified in the root.options file to provide a root port number for node connections. By default, the port is not open.
The node must be configured to connect directly to the EnFuzion root, which is done through several options in the node.config file on the node. The connect option must be turned on. The root host and the root port number must be provided with roothost and rootport options, respectively. Optionally, the connectretry and connectdelay options can be specified to change the EnFuzion provided default values.
Options in the node.config file are described in more detail in the Section called Specifying Node Configuration Options in Chapter 7.