Flexlm


FLEXlm forwarding via SSH

This section explains how to forward FLEXlm floating license requests via SSH.

Let's consider the following setup:

  • a FLEXlm license server called flexlm,
  • a workstation called workstation on which we want to run the program, but which has no direct connection to flexlm,
  • a proxy computer called sshproxy, which can connect to flexlm.

We will use ssh to establish a forwarding tunnel so that license requests are forwarded from workstation, through sshproxy, and eventually to flexlm. For this, we first need to identify which ports must be forwarded.

Identifying the FLEXlm ports

The FLEXlm port is usually given by some environment variable, like this:

export LM_LICENSE_FILE=8224@flexlm

There are two problems:

  • First, the FLEXlm daemon uses two processes and two ports. We only have one port as given by the LM_LICENSE_FILE variable.
  • Second, the server given in LM_LICENSE_FILE might actually be a proxy to the actual FLEXlm server. We will call that server flexlmmain.

The best way to find the ports is to run the program on sshproxy while running a network monitoring tool (like wireshark, or the Windows Firewall with all logging enabled). Say we obtain a log like this:

2012-06-01 01:17:29 CLOSE TCP 134.27.172.1 134.27.183.244 4843 8224 - - - - - - - - -
2012-06-01 01:17:29 CLOSE TCP 134.27.172.1 134.27.183.242 4843 8224 - - - - - - - - -
2012-06-01 01:17:30 CLOSE TCP 134.27.172.1 134.27.183.242 4843 60893 - - - - - - - - -
...

From the log, we see that a connection is first made to port 8224 on the first license server. Then 2 connections are made to another server, first on the same port 8224, and then on another port 60893. By running the program several times, we can confirm whether the 2nd port is fixed (if not, we cannot use ssh to forward the ports and would need a more intelligent proxy).
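
The log analysis described above can be scripted. This added example (not from the original page) assumes the field order date, time, action, protocol, source IP, destination IP, source port, destination port; the function names and the sample lines beyond the three shown above are constructed.

```shell
#!/bin/sh
# Added example: find the second FLEXlm port in firewall log lines and check
# that it stays the same across runs. Reads the log on stdin.
# Assumed fields: date time action protocol src-ip dst-ip src-port dst-port ...

# Constructed sample: the three lines from the page, a second run, and one
# unrelated connection (noise) to a host that is not a license server.
sample_log() {
cat <<'EOF'
2012-06-01 01:17:29 CLOSE TCP 134.27.172.1 134.27.183.244 4843 8224 - - - - - - - - -
2012-06-01 01:17:29 CLOSE TCP 134.27.172.1 134.27.183.242 4843 8224 - - - - - - - - -
2012-06-01 01:17:30 CLOSE TCP 134.27.172.1 134.27.183.242 4843 60893 - - - - - - - - -
2012-06-01 01:19:02 CLOSE TCP 134.27.172.1 134.27.183.244 4851 8224 - - - - - - - - -
2012-06-01 01:19:02 CLOSE TCP 134.27.172.1 134.27.183.242 4852 8224 - - - - - - - - -
2012-06-01 01:19:03 CLOSE TCP 134.27.172.1 134.27.183.242 4853 60893 - - - - - - - - -
2012-06-01 01:19:40 CLOSE TCP 134.27.172.1 134.27.172.9 4860 445 - - - - - - - - -
EOF
}

# second_ports CLIENT_IP KNOWN_PORT
# Prints "server-ip port count" for every other port used on a server that was
# also contacted on KNOWN_PORT; traffic to unrelated hosts is ignored.
second_ports() {
  awk -v client="$1" -v known="$2" '
    $4 == "TCP" && $5 == client {
      if ($8 == known) server[$6] = 1
      else other[$6 " " $8]++
    }
    END {
      for (k in other) {
        split(k, f, " ")
        if (f[1] in server) print k, other[k]
      }
    }
  ' | sort
}

# second_port_is_fixed CLIENT_IP KNOWN_PORT
# Succeeds only if exactly one second (server, port) pair was seen.
second_port_is_fixed() {
  second_ports "$1" "$2" | awk 'END { exit !(NR == 1) }'
}

# Real use: second_ports 134.27.172.1 8224 < pfirewall.log
sample_log | second_ports 134.27.172.1 8224
```

If second_port_is_fixed fails after several runs, the daemon is picking a new port each time and a static ssh forward will not work.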

We see that the first IP address is that of our server flexlm. We can get the name of the 2nd server with nslookup:

ping flexlm
PING flexlm.... (134.27.183.244): 56 data bytes
...
nslookup 134.27.183.242
...
Name:     flexlmmain
Address:  134.27.183.242

Having identified the second server from the firewall log, the easiest approach is to skip flexlm and refer directly to flexlmmain in the license file:

export LM_LICENSE_FILE=8224@flexlmmain

We can test that our program still works using that license file.

Identifying the FLEXlm ports using tcpdump

  • In /etc/hosts, map the license server name (all of them, as displayed by armcc) to localhost:
127.0.0.1      licenseserver1    licenseserver2
  • We will first set up ssh forwarding for port 8224, which we know is always used:
ssh -f -N -n -q -L 8224:lichosta.be-leu01.nxp.com:8224 [user@]<host> [-p <port>]
  • In two separate terminals, we launch the following commands:
sudo tcpdump -i lo -c 500 | egrep -o "> [a-z]+\.[a-z]+\.[0-9]+:" | sort | uniq -c    # In terminal 1
for i in $(seq 1 10); do armcc; done                                                 # In terminal 2
  • After a few iterations, we get a list of destination ports:
      1 > localhost.localdomain.36311:     <= noise
      ...
      1 > localhost.localdomain.36335:     <= noise
     54 > localhost.localdomain.53805:     <= OUR SECOND FLEXLM PORT!
      5 > localhost.localdomain.55489:
      ...
      2 > localhost.localdomain.55561:
    109 > localhost.localdomain.8224:      <= OUR FIRST FLEXLM PORT!
  • The 2 most used ports are the ones we need to forward:
ssh -f -N -n -q -L 8224:lichosta.be-leu01.nxp.com:8224 -L 53805:lichosta.be-leu01.nxp.com:53805 [user@]<host> [-p <port>]

Forwarding FLEXlm ports

There are actually two solutions, using either direct port forwarding or reverse forwarding.

Using Direct Port Forwarding

This requires sshproxy to run an SSH server. In that case, we tell ssh to connect to sshproxy and forward ports 8224 and 60893 on workstation to the corresponding ports on flexlmmain:

# On 'workstation':
ssh -f -N -n -q -L 8224:flexlmmain:8224 -L 60893:flexlmmain:60893 sshproxy

Next we must edit /etc/hosts so that hostname flexlmmain actually points to localhost:

# On 'workstation':
sudo vi /etc/hosts
127.0.0.1    localhost    flexlmmain

This way, we can keep the same license file on workstation:

# On 'workstation':
export LM_LICENSE_FILE=8224@flexlmmain

Now we can run our program, and license requests will be forwarded to the final license server.

Reverse Port Forwarding

If sshproxy does not run an SSH server, but workstation does, we can achieve the same result by using reverse port forwarding. On sshproxy, we tell ssh to connect to workstation, and forward any connection to the license ports on that machine to the license server flexlmmain:

# On 'sshproxy':
ssh -f -N -n -q -R 8224:flexlmmain:8224 -R 60893:flexlmmain:60893 workstation

The rest of the procedure is the same:

# On 'workstation':
sudo vi /etc/hosts
127.0.0.1    localhost    flexlmmain

The license file is the same:

# On 'workstation':
export LM_LICENSE_FILE=8224@flexlmmain
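
To confirm either tunnel on workstation, the following added example (not part of the original page) parses `ss -ltn` output and flags forwarded ports that are missing or bound to a non-loopback address, which would let other hosts on the network reach the license server through the tunnel. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check on 'workstation' that the forwarded license ports are
# listening, and on loopback only. Reads `ss -ltn` output on stdin.

# Constructed sample of `ss -ltn` output. Port 60893 is bound to all
# interfaces, as happens with `ssh -g` or with GatewayPorts enabled.
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128        127.0.0.1:8224       0.0.0.0:*
LISTEN 0      128            [::1]:8224          [::]:*
LISTEN 0      128          0.0.0.0:60893      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
EOF
}

# tunnel_listeners PORT...
# Prints "port address status" for each wanted port; status is one of
# loopback, EXPOSED (non-loopback bind) or MISSING (no listener at all).
tunnel_listeners() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4; port = $4
      sub(/.*:/, "", port)       # keep what follows the last colon
      sub(/:[^:]*$/, "", addr)   # keep what precedes the last colon
      if (!(port in want)) next
      found[port] = 1
      status = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "EXPOSED"
      print port, addr, status
    }
    END { for (q in want) if (!(q in found)) print q, "-", "MISSING" }
  ' | sort -n
}

# tunnel_is_private PORT...
# Succeeds only if every port has a listener and none is exposed.
tunnel_is_private() {
  ! tunnel_listeners "$@" | grep -Eq ' (EXPOSED|MISSING)$'
}

# Real use: ss -ltn | tunnel_listeners 8224 60893
sample_ss | tunnel_listeners 8224 60893
```

A MISSING port usually means ssh could not set up that forward; an EXPOSED port should be rebound to 127.0.0.1 before the tunnel is used.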

Other solutions and references

References:

  • flexproxy, apparently a proxy program that could deal with dynamically allocated ports
  • Using SSH port forwarding: [1], [2].