Flexlm
FLEXlm forwarding via SSH
This section explains how to forward FLEXlm floating license request via SSH.
Let's consider the following setup:
- a FLEXlm license server called flexlm,
- a workstation called workstation on which we want to run the program, but which has no direct connection to flexlm,
- a proxy computer called sshproxy, which can connect to flexlm.
We will use ssh to establish a forwarding tunnel so that license requests are forwarded from workstation, through sshproxy, and eventually to flexlm. For this, we first need to identify which ports must be forwarded.
Identifying the FLEXlm ports
The FLEXlm port is usually given by some environment variable, like this:
export LM_LICENSE_FILE=8224@flexlm
There are two problems:
- First, the FLEXlm daemon uses two processes and two ports. We only have one port as given by the LM_LICENSE_FILE variable.
- Second, the server given in LM_LICENSE_FILE might be actually a proxy to the actual FLEXlm server. We will call that server flexlmmain.
The best way to find the port is to run the program on sshproxy while running a network monitoring tool like wireshark or the Windows Firewall will all logging enabled). Say we obtain a log like this:
2012-06-01 01:17:29 CLOSE TCP 134.27.172.1 134.27.183.244 4843 8224 - - - - - - - - -
2012-06-01 01:17:29 CLOSE TCP 134.27.172.1 134.27.183.242 4843 8224 - - - - - - - - -
2012-06-01 01:17:30 CLOSE TCP 134.27.172.1 134.27.183.242 4843 60893 - - - - - - - - -
...
From the log, we see that first a connection is made to port 8224 on the first license server. Then 2 connections are made to another server, first on same port 8224, and then on another port 60893. By running the program several times, we can confirm whether the 2nd port is fixed (if not, we cannot use ssh to forward the ports and would need a more intelligent proxy).
We see that the first IP address is the one of our server flexlm. We can get the name of the 2nd server with nslookup
:
ping flexlm
PING flexlm.... (134.27.183.244): 56 data bytes
...
nslookup 134.27.183.242
...
Name: flexlmmain
Address: 134.27.183.242
Thanks to the firewall log The easiest in that case is to skip flexlm, and directly refer to flexlmmain in the license file:
export LM_LICENSE_FILE=8224@flexlmmain
We can test that our program still works using that license file.
Identifying the FLEXlm ports using tcpdump
- In /etc/hosts, map the license server name (all of them, as displayed by armcc) to localhost:
127.0.0.1 licenseserver1 licenseserver2
- We will first setup ssh forwarding for port 8224, which we know are always used:
ssh -f -N -n -q -L 8224:lichosta.be-leu01.nxp.com:8224 [user@]<host> [-p <port>]
- In two separate terminals we launch the following command
sudo tcpdump -i lo -c 500 | egrep -o "> [a-z]+\.[a-z]+\.[0-9]+:" | sort | uniq -c # In terminal 1
for i in $(seq 1 10); do armcc; done # In terminal 2
- After a few iterations, we get a list of destination ports:
1 > localhost.localdomain.36311: <= noise
...
1 > localhost.localdomain.36335: <= noise
54 > localhost.localdomain.53805: <= OUR SECOND FLEXLM PORT!
5 > localhost.localdomain.55489:
...
2 > localhost.localdomain.55561:
109 > localhost.localdomain.8224: <= OUR FIRST FLEXLM PORT!
- The 2 most used ports are the ones we need to forward:
ssh -f -N -n -q -L 8224:lichosta.be-leu01.nxp.com:8224 -L 53805:lichosta.be-leu01.nxp.com:53805 [user@]<host> [-p <port>]
Forwarding FLEXlm ports
There are actually two solutions, using either direct port forwarding or reverse forwarding.
Using Direct Port Forwarding
This requires sshproxy to be a ssh server. In that case, we tell ssh to connect to sshproxy and forward ports 8224 and 60893 on workstation to corresponding ports on flexlmmain:
# On 'workstation':
ssh -f -N -n -q -L 8224:flexlmmain:8224 -L 60893:flexlmmain:60893 sshproxy
Next we must edit /etc/hosts so that hostname flexlmmain actually points to localhost:
# On 'workstation':
sudo vi /etc/hosts
127.0.0.1 localhost flexlmmain
This way, we can keep the same license file on workstation:
# On 'workstation':
export LM_LICENSE_FILE=8224@flexlmmain
Now, we can run our program, and license request will be forwarded to the final license server.
Reverse Port Forwarding
If sshproxy does not run a ssh server, but workstation does, we can achieve the same result by using reverse port forward. On sshproxy, we tell ssh to connect to workstation, and forward any connection to license ports on that machine to the license server flexlmmain:
# On 'sshproxy':
ssh -f -N -n -q -R 8224:flexlmmain:8224 -L 60893:flexlmmain:60893 sshproxy
The rest of the procedure is the same:
# On 'workstation':
sudo vi /etc/hosts
127.0.0.1 localhost flexlmmain
License file is the same:
# On 'workstation':
export LM_LICENSE_FILE=8224@flexlmmain
Other solutions and references
References: