[ofa-general] Is IBIS only for querying OpenSM?

Philippe Gregoire philippe.gregoire at cea.fr
Fri Apr 18 00:35:42 PDT 2008


terry watson wrote:
> Hi all,
>
> I will be performing some testing of partitioning used as a security control. Am I right in believing that IBIS will be able to set partition table values of the local compute node I am logged on to, even though they are not using OpenSM, but rather a SM on a switch? Could I then attempt to access a partition that I was originally excluded from accessing?
>
> I am new to Infiniband technology and would also appreciate a response from an expert who has views on the strength of the security that partitioning provides in separating two clusters that should have no interaction whatsoever.
>
> Thanks,
> Dave
The partitions are only managed by the subnet manager - either opensm 
running on a node in the fabric or an embedded subnet manager on a switch.
For opensm, partitions are defined in a configuration file, 
/etc/opensm/partitions.conf; for an embedded subnet manager, you have to 
configure the partitions using the CLI or GUI provided by the switch.
Defining a partition is mainly choosing a pkey and the node ports with 
their membership (limited or not).

The subnet manager assigns the pkeys to the ports of the node when the IB 
kernel modules are loaded. You can see the partitions the IB port belongs 
to (I mean those defined by the subnet manager) with:
# grep -v 0x0000 /sys/class/infiniband/mthca0/ports/1/pkeys/*
/sys/class/infiniband/mthca0/ports/1/pkeys/0:0xffff
/sys/class/infiniband/mthca0/ports/1/pkeys/1:0x8001
/sys/class/infiniband/mthca0/ports/1/pkeys/2:0x8002
/sys/class/infiniband/mthca0/ports/1/pkeys/3:0x8003
/sys/class/infiniband/mthca0/ports/1/pkeys/4:0x8010

A port may belong to many partitions. Nodes (ports) may have different 
partition configurations. The partition order for a port is not always the 
same (it may depend on the chronology of partition declarations in the 
subnet manager).

Over these partitions, you can define new IP (IP over IB) interfaces by 
creating files like /etc/sysconfig/network-scripts/ifcfg-ib0.8002 :
# cat /etc/sysconfig/network-scripts/ifcfg-ib0.8002
DEVICE=ib0.8002
BOOTPROTO=static
IPADDR=XXX.YYY.ZZZ.TTT
NETMASK=255.255.255.0
NETWORK=255.255.255.0
ONBOOT=yes

The openibd script creates the child interface and configures it at system 
startup, using some special devices to do that:
echo $pkey > /sys/class/net/ib0/create_child

But this command only creates a child interface on the node; 
communications on this interface will not work until you add the node 
port to the corresponding partition in the subnet manager 
configuration. Then you will see the pkey appear automatically in the 
files /sys/class/infiniband/mthca0/ports/1/pkeys/* on the node.

[root@cors118 ~]# echo 0x8009 >  /sys/class/net/ib0/create_child
[root@cors118 ~]# dmesg | grep 8009
divert: not allocating divert_blk for non-ethernet device ib0.8009
[root@cors118 ~]# grep -v 0x0000 /sys/class/infiniband/mthca0/ports/1/pkeys/*
/sys/class/infiniband/mthca0/ports/1/pkeys/0:0xffff
/sys/class/infiniband/mthca0/ports/1/pkeys/1:0x8001
/sys/class/infiniband/mthca0/ports/1/pkeys/2:0x8002
/sys/class/infiniband/mthca0/ports/1/pkeys/3:0x8003
/sys/class/infiniband/mthca0/ports/1/pkeys/4:0x8010
[root@cors118 ~]# ifconfig -a | grep 8009
ib0.8009  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
[root@cors118 ~]# echo 0x8009 >  /sys/class/net/ib0/delete_child
[root@cors118 ~]# dmesg | grep 8009
divert: not allocating divert_blk for non-ethernet device ib0.8009
divert: no divert_blk to free, ib0.8009 not ethernet

To use MPI with partitions, you also have to configure it (in the 
configuration file). For MVAPICH you must use VIADEV_DEFAULT_PKEY_IX 
or VIADEV_DEFAULT_PKEY in the config file 
/usr/mpi/gcc/mvapich-1.0.0/etc/mvapich.conf. At CEA, I'm using 
VIADEV_DEFAULT_PKEY (pkey value), 
as we have nodes with different partition configurations.


Hoping this will help you.
Regards
Philippe Gregoire CEA/DAM
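
Added example, not part of the original message: an audit of the check the reply describes, listing the P_Keys the subnet manager assigned to a port and flagging IPoIB child interfaces that exist locally but have no matching table entry. The function names and the sysfs-root argument are assumptions of this example; child interfaces are assumed to be named PARENT.<hex pkey> as in the ib0.8009 session above, and the tree used is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). ROOT is the sysfs mount point,
# passed as an argument so the check can also run on a constructed tree.

# pkey_table ROOT HCA PORT -> "index value membership" for each non-empty entry.
# Bit 15 of a P_Key is the membership bit: 1 = full member, 0 = limited member.
pkey_table() {
    for f in "$1/class/infiniband/$2/ports/$3/pkeys"/*; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        if [ "$v" = "0x0000" ]; then continue; fi
        if [ $(($v & 0x8000)) -ne 0 ]; then m=full; else m=limited; fi
        echo "${f##*/} $v $m"
    done
}

# unbacked_children ROOT PARENT HCA PORT -> names of IPoIB child interfaces
# (PARENT.<hex pkey>, as create_child names them) whose 15-bit P_Key base is
# not in the table the subnet manager assigned to the port.
unbacked_children() {
    for d in "$1/class/net/$2".*; do
        [ -e "$d" ] || continue
        name=${d##*/}
        want=$((0x${name##*.} & 0x7fff))
        found=no
        for v in $(pkey_table "$1" "$3" "$4" | cut -d' ' -f2); do
            if [ $(($v & 0x7fff)) -eq "$want" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then echo "$name"; fi
    done
}

# Constructed sample tree reproducing the table shown in the message, plus
# children ib0.8002 (backed by the table) and ib0.8009 (created locally only).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/class/infiniband/mthca0/ports/1/pkeys" \
             "$t/class/net/ib0" "$t/class/net/ib0.8002" "$t/class/net/ib0.8009"
    i=0
    for k in 0xffff 0x8001 0x8002 0x8003 0x8010 0x0000; do
        echo "$k" > "$t/class/infiniband/mthca0/ports/1/pkeys/$i"
        i=$((i + 1))
    done
    echo "$t"
}

sample=$(make_sample_tree)
pkey_table "$sample" mthca0 1
unbacked_children "$sample" ib0 mthca0 1   # prints ib0.8009
rm -rf "$sample"
```

On a live node the same functions take /sys as ROOT, for example: unbacked_children /sys ib0 mthca0 1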

