automating commands on nodes
Robert G. Brown
rgb at phy.duke.edu
Tue Jun 6 06:36:58 PDT 2000
On Tue, 6 Jun 2000, Anand Kumria wrote:
> On Sun, Jun 04, 2000 at 05:11:58PM -0700, Peter Jay Salzman wrote:
> > hi jakob,
> >
> > we have ssh on the beowulf frontend, but not on the nodes. any ideas on
> > automating installing ssh on the nodes? i haven't seen redhat 6.1 ssh rpms,
>
> Unless all of your nodes are exposed on the public internet, do you need
> ssh on them? I wouldn't have thought so.
Goodness. We just had an extended discussion of this, and it should be
in the archives from just last week or two weeks ago. The answer is "no,
but it often won't matter and makes good sense". ssh provides certain
services (notably forwarding of ports and a universally portable
environment in /etc/environment) that can be very useful to a beowulf
user at the expense of about 0.15 seconds per connection (plus any time
spend encrypting traffic, which is usually negligible for small files).
In terms of net load, bproc (being actively worked on by scyld.com) is
by far the most efficient way to run remote shell commands and so forth
on a beowulf (I haven't yet tested it personally but they report times
of 0.01 seconds for a file copy, IIRC from last week), but integrates
deeply with the kernel to accomplish this and so isn't for everyone.
rsh costs ~0.1[1-5] seconds for a (small) file copy (or any other kind
of connection) but provides "no" security, no cross-network encryption,
no forwarding or ports or preloading of environment. ssh costs ~0.2[5-9]
for a small file copy.
If you are running ssh on the head node (presumably bundled into an RPM
or ready-to-install tarball) then the effort required to install it on
the nodes via e.g. kickstart, rsync, or whatever is essentially zero.
If all you use remote shells for is to synchronize a few /etc files,
enable MPI and PVM to (infrequently) spawn remote processes, allow login
access to the nodes from hosts outside the gateway node and so forth
there is really no reason to avoid using ssh and (strictly IMHO) there
are several good reasons to use it. If you use remote shells a LOT for
a LARGE true beowulf, you should almost certainly use bproc as it is
likely to be on a track that will evolve into a true distributed beowulf
kernel (peering into my crystal ball with a wink at the Scyld folks) and
you can probably contribute to the development.
Perhaps there is some ground in between for rsh, but I personally would
like to see it killed dead as it is a brainless and obsolete security
incident waiting to happen IN ADDITION TO having been designed back when
issues like the passing of environments and forwarding of ports hadn't
yet come to the foreground. Even if you configure ssh to use no
encryption and not to verify connections at all (making it "just like"
rsh) you still get /etc/environment and port forwarding.
>
> > i guess that's a remnant of the USA's moronic crypto export policy (which i
> > understand was mostly lifted).
>
> For source code, mostly. Binaries are still troublesome.
There are several issues associated with ssh distribution. One is the
RSA patent that is due to expire in September. However, I've heard that
they've applied for an extension and that extensions are usually
knee-jerk granted. Hopefully this time sanity will prevail and the knee
won't jerk.
The RSA patent is NOT international because it is directly based on work
published almost 100 years ago, and international patents are not
granted for ideas based on published work. Finally yes, there was/is
the USA's moronic crypto policy.
For all of these reasons, many crypt-concerned software companies are
finding it expedient to become multinational (even if they are totally
home-grown) and to distribute their encryption software from a European
office. IBM has just played this trick. Looks like Red Hat is right in
there. It is perfectly legal for them to produce and distribute
RSA-based software in Europe. I actually have no idea if one is
breaking the law (nominally) if one purchases RH or SuSE linux "packaged
in Germany" that contains ssh with all the RSA stuff included, or if one
downloads it from a European site. I must say that I don't much care,
either -- US software patents are often nonsense because the folks in
the patent office are utterly ignorant of what is de facto in the public
domain. At this moment I could do something like say: "Hmmm, perhaps
neural networks can be used to identify clown faces in bank cameras". I
can go find and build and train an utterly prosaic NN for that purpose.
If I then file a patent for a "NN clown-face identification engine for
use in the banking industry" there is an excellent chance that it will
be granted.
If suddenly the banking world realizes that nearly fifty percent of
their customers in clown faces are there to rob the bank and not to make
a deposit after working a kid's birthday party and my company "CF-ID
Inc." takes off, I can then squash possible competitors when they go to
the SAME books I went to to build my NN to duplicate the idea. It
doen't matter that the patent is stupid and indefensible. Unless a big
player tries to get into the market and has the capital for a court
fight, I'm pretty safe and can run my own little monopoly for many, many
years.
Think it can't happen? It has. The "idea" of using NN's in credit card
fraud detection is patented this very day, in spite of it being an
utterly prosaic application of the NN. Although it is indefensible, it
worked long enough for the company that obtained the patent to build
themselves a de facto monopoly that still has very few competitors.
Probably oversimplified, but I assure you -- if Sterling, Becker et. al.
had tried to PATENT the beowulf concept, the pre-existence of PVM and
MPI and/or Gnu and Linux would very likely not have been enough to keep
it from being granted. Companies like paralogic and alta tech would
have to license the "technology" from S&B Inc. A software patent is
much stronger protection, in its way, than a software copyright, as one
can generally reverse engineer a copyrighted software product from an
API, but one has to really fight to show that a patent, once granted, is
invalid.
>
> > i've tried to use mandrake's ssh packages on a redhat 6.1, but redhat balked
> > at the mandrake rpms.
>
> oh well. so much for a single packaging system.
The issue is usually how they interface with e.g. pam. ssh is pretty
complicated stuff. A "perfectly built" RPM would probably remain
portable, but a sloppily built one might well fail simply because it has
dependencies that weren't correctly established (by the builder) at
build time.
rgb
Robert G. Brown http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567 Fax: 919-660-2525 email:rgb at phy.duke.edu
More information about the Beowulf
mailing list