HPC/Application licenses: Difference between revisions

From CNM Wiki
< HPC
Jump to navigation Jump to search
 
(21 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Introduction ==
== Introduction ==
Licenses for several high-profile commercial applications are hosted on servers within the Carbon HPC cluster.
Licenses for several high-profile commercial applications are hosted on servers within the Carbon HPC cluster.
Applications consuming these licenses can run in the following modes and network locations:
Applications consuming these licenses can run as follows:
# On a machine outside the HPC cluster,
# On a machine outside the HPC cluster,
# Interactively on Carbon's '''login nodes''', either in a [[HPC/VNC|virtual desktop (VNC)]], or displaying on your own X11 display.
# Interactively on Carbon's '''login nodes''', either in a [[HPC/VNC|virtual desktop (VNC)]], or displaying on your own X11 display.
Line 11: Line 11:
To run on HPC-internal computers (cases 2 and 3), no network considerations arise for license access, though they do for remote graphics.
To run on HPC-internal computers (cases 2 and 3), no network considerations arise for license access, though they do for remote graphics.


== License servers ==
== Eligible remote computers ==
* If a user's computer is located physically at CNM or connected over VPN:
For help with ''installing'' or ''running'' commercially licensed applications, the target computer must meet ''all'' of the following requirements:
: Enter, in the license configuration dialog or into the configuration file of an application, the following ''short host names'' (without a domain part):
* be Argonne-owned,
* have the application already installed, or hold a download of the application's online or offline installer,
* be able or eligible to reach the Carbon license servers (components of the Carbon HPC cluster) over the network by short host name.
: For this, at least one of the computer's networking connection must be:
:* ''wired'', in building 440/441 at Argonne, or
:* the ''Argonne-auth'' WiFi network in the same building, or
:* a VPN connection that has been opened by the user account of a '''CNM staff''' member, which includes regular employees, postdocs, and students, since only such an HR status will place the user in the correct firewall perimeter,
: Alternatively, the computer must:
:* have an SSH connection open to {{sshgw}} that has been configured to forward (tunnel) the appropriate  network ports of one of Carbon's license servers.
 
== Configure client applications to access the license servers ==
=== Option 1: Single license server ===
If your computer primarily uses SSH tunneling to connect to CNM:
* Ensure that tunneling to <code>clicense1</code> is ''configured'' and is ''active''
* Enter as license server:
localhost
Redundant license servers, described below, cannot be easily leveraged over ssh,
because typically the same default port numbers are used on all license servers,
and that cannot be tunneled simultaneously on the same port.
 
=== Option 2: Redundant license servers ===
You can configure your application so that it can automatically select,
under certain conditions (given below),
the license server from 1 of 3 servers that we run at CNM.
This improves license availability because when one of the servers is down, such as for maintenance,
one of the other 2 can step in to serve the license.
 
This selection requires full-fledged network connectivity for the computer where you wish to run the licensed application on. It must:
:* be ''located physically at CNM'', '''and'''
:* be on an active ''wired'' or ''Argonne-auth WiFi'' network connection,
* '''or'''
:* has ''VPN active'', '''and'''
:* you are an ''NST staff member'' (only then is your computer "virtually" at NST/CNM).
 
To use the 3-server redundant license servers,
enter the following ''short host names'' (having no domain part)
into the license configuration dialog of an application or in its configuration files:
  clicense1
  clicense1
  clicense2
  clicense2
  clicense3
  clicense3
* If the computer uses SSH tunneling:
** Ensure that tunneling to <code>clicense1</code> is ''configured'' and is ''active''
** Enter <code>localhost</code> as license server.
: Server redundancy cannot be leveraged over ssh since, typically, the same default port numbers are used on all license servers, which cannot be tunneled in this manner.


For port numbers, see application-specific documentation.
For port numbers, see application-specific documentation.


== Eligible remote computers ==
== Host name resolution ==
For both ''installing'' and ''running'' licensed applications, the target computer must meet '''all''' of the following requirements:
Verify that from the target computer the license server IP addresses can be looked up (resolved) from their short host names:
* be Argonne-owned,
<source lang="bash">
* have the application pre-installed, or hold a download of the application's online or offline installer,
nslookup clicense1
* be able to reach the Carbon license servers (components of the Carbon HPC cluster) over the network by short host name.
</source>
: Thus, the computer's networking connections must be:
To this end, the target computer's network profile settings must include the following '''DNS domains:'''
:* ''wired'', in building 440/441 at Argonne, or
:* the ''Argonne-auth'' WiFi network in the same building, or
:* a VPN connection that has been opened by the user account of a '''CNM staff''' member, which includes regular employees, postdocs, and students, since only such an HR status will place the user in the correct firewall perimeter,
: or the computer must:
:* have an SSH connection open to {{sshgw}} that has been configured to forward (tunnel) Carbon's license server network ports.
 
To look up (resolve) the IP addresses of the license servers from their short host names, the target computer's network profile settings must include the following DNS domains:
* <code>cnm.anl.gov</code>
* <code>cnm.anl.gov</code>
* <code>nst.anl.gov</code>
* <code>nst.anl.gov</code>
That is implicitly the case for SSH-tunneled connections, but for all other connection types the domains usually must be specifically added (once) in the computer's network configuration.
One or both of these domains must usually be explicitly added (once) to the appropriate VPN or networking configuration, unless ssh tunneling is used.


== Eligible user and administrator accounts ==
== Eligible user and administrator accounts ==
For ''installing'' a licensed application on a non-HPC computer, the active user account must:
For ''installing'' a licensed application on a non-HPC computer, the active user account must:
* have the ability to install applications on the target computer (already ''be'' local administrator, as opposed to ability to become so).
* have the ability to install applications on the target computer (be or become local administrator).


For ''running'' some installers, and for all applications, the active user account must:
For ''running'' some installers, and for all applications, the active user account must:
* belong to a Service Desk member, or to an end user who is an '''Argonne employee''' (as opposed to a CNM Facility User), and  
* belong to a Service Desk member, or to an end user who is an '''Argonne employee''', and  
* have been authorized to access the application license.
* have been authorized to access the application license.


If not already done, request license access for the specific ''account name'' and ''application name'', and await confirmation.
If not already done, request license access for the specific ''account name'' and ''application name'', and await confirmation.


The user accounts for running installers vs. applications need not be the same.
; Notes:
Some installers require and verify license access before proceeding.
<!-- CNM Facility Users who are external to Argonne are not typically eligible. -->
 
The user accounts for running installers vs. applications need not be the same. – Some installers require and verify license access before proceeding.
Access requests are made under the user account running the installer,
Access requests are made under the user account running the installer,
so administrator accounts must be authorized by account name in the same manner as regular user accounts.
so administrator accounts must be authorized by account name in the same manner as regular user accounts.

Latest revision as of 17:45, November 5, 2021

Introduction

Licenses for several high-profile commercial applications are hosted on servers within the Carbon HPC cluster. Applications consuming these licenses can run as follows:

  1. On a machine outside the HPC cluster,
  2. Interactively on Carbon's login nodes, either in a virtual desktop (VNC), or displaying on your own X11 display.
  3. Non-interactively (as a batch job) on Carbon's compute node.

Read below about running on non-HPC computers (case 1).

To run on HPC-internal computers (cases 2 and 3), no network considerations arise for license access, though they do for remote graphics.

Eligible remote computers

For help with installing or running commercially licensed applications, the target computer must meet all of the following requirements:

  • be Argonne-owned,
  • have the application already installed, or hold a download of the application's online or offline installer,
  • be able or eligible to reach the Carbon license servers (components of the Carbon HPC cluster) over the network by short host name.
For this, at least one of the computer's networking connection must be:
  • wired, in building 440/441 at Argonne, or
  • the Argonne-auth WiFi network in the same building, or
  • a VPN connection that has been opened by the user account of a CNM staff member, which includes regular employees, postdocs, and students, since only such an HR status will place the user in the correct firewall perimeter,
Alternatively, the computer must:
  • have an SSH connection open to mega that has been configured to forward (tunnel) the appropriate network ports of one of Carbon's license servers.

Configure client applications to access the license servers

Option 1: Single license server

If your computer primarily uses SSH tunneling to connect to CNM:

  • Ensure that tunneling to clicense1 is configured and is active
  • Enter as license server:
localhost

Redundant license servers, described below, cannot be easily leveraged over ssh, because typically the same default port numbers are used on all license servers, and that cannot be tunneled simultaneously on the same port.

Option 2: Redundant license servers

You can configure your application so that it can automatically select, under certain conditions (given below), the license server from 1 of 3 servers that we run at CNM. This improves license availability because when one of the servers is down, such as for maintenance, one of the other 2 can step in to serve the license.

This selection requires full-fledged network connectivity for the computer where you wish to run the licensed application on. It must:

  • be located physically at CNM, and
  • be on an active wired or Argonne-auth WiFi network connection,
  • or
  • has VPN active, and
  • you are an NST staff member (only then is your computer "virtually" at NST/CNM).

To use the 3-server redundant license servers, enter the following short host names (having no domain part) into the license configuration dialog of an application or in its configuration files:

clicense1
clicense2
clicense3

For port numbers, see application-specific documentation.

Host name resolution

Verify that from the target computer the license server IP addresses can be looked up (resolved) from their short host names:

nslookup clicense1

To this end, the target computer's network profile settings must include the following DNS domains:

  • cnm.anl.gov
  • nst.anl.gov

One or both of these domains must usually be explicitly added (once) to the appropriate VPN or networking configuration, unless ssh tunneling is used.

Eligible user and administrator accounts

For installing a licensed application on a non-HPC computer, the active user account must:

  • have the ability to install applications on the target computer (be or become local administrator).

For running some installers, and for all applications, the active user account must:

  • belong to a Service Desk member, or to an end user who is an Argonne employee, and
  • have been authorized to access the application license.

If not already done, request license access for the specific account name and application name, and await confirmation.

Notes

The user accounts for running installers vs. applications need not be the same. – Some installers require and verify license access before proceeding. Access requests are made under the user account running the installer, so administrator accounts must be authorized by account name in the same manner as regular user accounts.

Available license tokens

A license must be available (not be in use) to run the application, and, where applicable, to run the installer.

Troubleshooting

When a license error occurs, one or more of the above requirements may not be met.

Review the following:

  • Carefully read the error message. This is the first and best step to narrow down potential causes of a failure to obtain a license.
  • Is the target computer in a suitable network location and connection state?
  • Is the application configured with short host names for the license servers?
  • Does the configuration of the active network profile include the correct DNS search domains?
  • Has license access been granted to the active user account?
  • Is failure to obtain a license token persistent, i.e., have you retried at a later time?

Applications

Find applications-specific details at: