IBM Cloud Docs
Before you begin deploying

Before you begin deploying

IBM® Spectrum LSF enables users to deploy HPC clusters that use LSF as a scheduling software. The deployment is performed by using Terraform and IBM Cloud Schematics as automation frameworks.

Confirm your IBM Cloud® settings

Complete the following steps before you deploy the IBM® Spectrum LSF deployable architecture.

  1. Confirm that you have an IBM Cloud Pay-As-You-Go or Subscription account. If you have a Trial or Lite account, upgrade your account.

  2. Log in to your IBM Cloud account with your IBMid.

Verify access policies

IBM Cloud® Identity and Access Management (IAM) access policies are required to install this deployable architecture and provision clusters.

To view access policies, complete the following steps:

  1. In the IBM Cloud console, select Manage > Access (IAM).

  2. In the IAM navigation menu, select Users and then select the account user.

  3. Select Access to view the associated access policies and access groups. See the following table for the permissions that you need for this deployable architecture:

    Verify access policies
    Service Resources Role
    Database for MySQL (see note) All Administrator
    IBM Cloud Project All Administrator
    All IAM Account Management services All Editor, Operator, Service ID creator, VPN Administrator, User API key creator, API key reviewer
    Security and Compliance Center All Editor, Viewer, Reader, Manager
    Resource group only All resource groups in the account Editor, Viewer
    Schematics All Manager, Editor
    DNS Services All Manager, Editor
    Key Protect All Manager, Editor
    Cloud Monitoring All Reader, Manager, Editor, Viewer
    Cloud Logs All Reader, Manager, Editor, Viewer
    Cloud Object Storage All Writer, Editor
    Activity Track Event Routing All Writer, Editor, Key manager, Service configuration reader
    All Identity and Access enabled services All Writer, Reader, Viewer, Operator
    VPC Infrastructure Services All Writer, Editor

The Database for MySQL access is required if your IBM® Spectrum LSF cluster deployment includes LSF Application Center with high availability, which is enabled by default.

Allow access to IBM Cloud public endpoints

The IBM® Spectrum LSF deployable architecture requires access to the following IBM Cloud service API public endpoints. For a successful deployment to provision the infrastructure and the associated services, ensure that you are aware of these endpoints and allow them access:

IBM Cloud public endpoints required for IBM Cloud HPC deployment
Endpoint Type Notes
iam.cloud.ibm.com IAM The IAM endpoint is protected by Akamai under the Akamai IP ranges

Gather LSF entitlement information

The offering uses Bring Your Own Licenses (BYOL) for Spectrum LSF when you deploy an LSF cluster on IBM Cloud. For production clusters, work with your business owners or license management team to make sure that your organization has procured enough licenses to deploy the HPC cluster by using IBM Spectrum LSF. Failure to comply with licenses for production use of software is a violation of the IBM International Program License Agreement.

The current solution no longer requires ibm_customer_number(ICN) for entitlement check before deploying the solution for non-production use. The solution is now available for use without ICN validation. Users can provision up to a maximum of 10 static worker nodes for evaluation or non-production use cases. If the number of worker nodes exceeds 10, it becomes the user responsibility to obtain the necessary entitlement check and licensing for those additional nodes in the production environment. For production use or for evaluating greater than 10 worker nodes, the user must purchase the necessary LSF licenses. To purchase the license, go to Purchasing licenses.

Before you can deploy your Spectrum LSF cluster, you need to create or gather some information. To get started, complete the following steps:

Create an IBM Cloud API key

Verify that you have an IBM Cloud API key. For more information, see Creating an API key.

Create an SSH key

Make sure that you have an SSH key that you can use for authentication and that it is uploaded to IBM Cloud VPC. The IBM® Spectrum LSF deployable architecture supports either RSA or Ed 25519 key types. This key is used to log in to all VSIs that you create. Make sure that you use the same key types in an LSF cluster (for example, deploy management and compute nodes with the same key). For more information about creating SSH keys, see SSH keys.

Generate the remote IP to access Spectrum LSF cluster

Generate an public IP address that is required to access the Spectrum LSF cluster nodes. click here.

If an Admin requires cluster access, they should provide the IP address from which the cluster will be accessed, whether from a local system or a virtual server instance. For multiple users, access can be granted by specifying a CIDR range.

Choose between IBM-managed or user-managed encryption

By default, VPC volumes and file shares are encrypted with IBM-managed encryption. However, you can opt for user-managed encryption per your security requirements. Customer-managed encryption uses your root key, which gives you complete control over your data. You can provision or import existing encrypted keys by using IBM Key Protect for IBM Cloud.

If you decide to use user-managed encryption, complete the following steps before you deploy your IBM® Spectrum LSF architecture:

  1. Provision an instance of Key Protect
  2. Create or import key
  3. Authorize access between:
    • Cloud Block Storage and the key management service
    • File Storage for VPC and the key management service
  4. Gather information for the following boot volume encryption deployment values (you provide this information when you deploy your IBM® Spectrum LSF architecture):
    • enable_customer_managed_encryption: Gives you toggling options.
    • kms_instance_id: Instance ID of the Key Protect instance that you create.
    • kms_key_name: Name of the KMS key that you create

Customer-managed encryption applies only to the bastion, login, and management nodes. The compute nodes are still IBM-managed.

Select the method for accessing the cluster

Access the bastion node in the cluster directly or through a VPN gateway. You set your method during cluster deployment as optional deployment input values:

  1. Directly through a floating IP that is attached to the bastion node. If you select a value of true for the enable_fip deployment input variable, then a floating IP is attached to the bastion node. If you are connecting to the LSF cluster through VPN gateway, set this value to false. If not specified, this deployment value is set to true.

  2. Through a VPN gateway. If you select a value of true for the vpn_enabled deployment input variables, it results in the creation of a VPN gateway. If you select the use of a VPN gateway, a floating IP is not attached to the bastion node. If not specified, this deployment value is set to false.

Regardless of which access method you select, values for remote_allowed_ips must be provided to identify a list of IP addresses of systems that can access the bastion node. From the bastion node, you can SSH into the primary management or login nodes, and from there, you can access compute nodes that are active in the cluster.

See the following example SSH command syntax for accessing different types of nodes:

  • Primary management node:

    ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -J ubuntu@149.81.242.172 lsfadmin@10.241.0.8

  • Login node:

    ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -J ubuntu@149.81.216.117 lsfadmin@10.241.16.5

  • Compute node:

    ssh lsfadmin@10.241.0.11

This worker node instance type supports a combination of multiple instance profile type that might be chosen for different number of instance count. For example, you might choose 100 instance to be created from bx2-4x16 and 10 instance from mx3d-8x80. So, you would get a total count of 110 static worker nodes with different instance profile, based on your requirement.

Next steps

After you gather the necessary input values to define your cluster configuration, you are ready to deploy your IBM Spectrum LSF cluster.

After you create and gathered your information and reviewed any additional prerequisites for your interface of choice, you are ready to begin Deploying IBM Spectrum LSF.

Before an actual deployment is done, you need to analysis the required amount of capacity in terms of vCPU and memory, so that the deployment does not fail due to capacity concerns.