datavudeja · March 10, 2025 17:54
diff --git a/classic-flexlm-lmgrd.txt b/classic-flexlm-lmgrd.txt
 # Classic Flex License Manager (lmgrd)
 Gory details can be read in
 	Book Name: License Administration Guide
 	Part Number: FNP-111411-LAG00
 	Product Release Date: March 2017
 	
 ## Daemons
 Clearing away the obfuscation around the license manager is fairly simple.

 This license management has a vendor independent and vendor provided
 components.

 The vendor independent component is essentially
 	lmgrd	# license manager daemon
 	lmutil	# client utility that communicates with the daemon

 The vendor component is the vendor daemon 
 eg Matlab
 	MLM

 The vendor provides the license file which has SERVER, VENDOR lines
 which specify the parameters that lmgrd and the vendor daemon use.
 The following FEATURE and INCREMENT lines detail cryptographically 
 protected licensed facilities of the application normally including
 an expiry date. 

 We will use an imaginary application 'boojum' with vendor daemon
 'boojumd' with an license server installation -

 /opt/boojum/
            sbin/
                 lmgrd
                 boojumd
            bin/
                lmutil
            etc/
                boojum.lic



 So our boojum.lic file might look like

 	SERVER	snark.example.org 3417ab98c735 2798
 	VENDOR	boojumd /opt/boojumd/sbin port=2799

 The SERVER has the server name 'snark', the 'hostid' is the fixed host
 identifier for which the license is license was generated (if it doesn't
 match the license is invalid) and the final number is the tcp port lmgrd
 will bind (use.)
 Note: the hostid is normally the  ethernet (mac) address of one of the hosts
 interfaces. 

 ip l sh dev eth0
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP \
    mode DEFAULT group default qlen 1000
    link/ether 34:17:ab:98:c7:35 brd ff:ff:ff:ff:ff:ff
               ** ** ** ** ** **

 The VENDOR line has the vendor daemon 'boojumd' and optionally the folder
 containing the vendor daemon (required if different from that of lmgrd)
 and the tcp port that 'boojumd' will use to communicate with the client software.
 This port is communicated via the lmgrd process to the client.

 If this port is omitted a free port is selected. 
 The port specification is necessary if the server host or intermediate
 systems have firewall rules that require amending to allow access to
 the ports that lmgrd and boojumd use. 


 ## Utilities
 lmutil encapsulates a grab bag of client functions

 See the output from lmutil -help
 eg
 	lmutil lmstat 
 	lmutil lmhostid
 	lmutil lmdown

 These utilities can be directly invoked directly by symlinking lmutil
 to the utility's name

 	cd /opt/boojum/bin
 	ln -s lmutil lmhostid
 	# etc

 ### Display Hostid - required and provided to software vendor for license generation

 	/opt/boojum/bin/lmhostid
 	lmutil - Copyright (c) 1989-2021 Flexera. All Rights Reserved.
 	The FlexNet host ID of this machine is "3417ab98c735"

 ### License Manager status

 Once the license daemons are running the licensing status is displayed

 	/opt/boojum/bin/lmstat -a -c /opt/boojum/etc/boojum.lic

 	lmstat - Copyright (c) 1989-2015 Flexera Software LLC. All Rights Reserved.
 	Flexible License Manager status on Wed 3/22/2023 20:33

 	License server status: [email protected]
 	    License file(s) on snark.example.org: /opt/boojum/etc/boojum.lic
 	snark.example.org license server UP (MASTER) v11.13.1
 	Vendor daemon status (on snark.example.org):
 	     boojumd: UP v11.13.1
 	Feature usage info:

 	Users of fit1:  (Total of 5 licenses issued;  Total of 0 licenses in use)
 	Users of fit2:  (Total of 10 licenses issued;  Total of 0 licenses in use)

 ### Shutdown License Manager
 	
 	# Note there are additional switches.
 	# lmdown --help to display.
 	/opt/boojum/bin/lmdown -c /opt/boojum/etc/boojum.lic

 ## Setup and Starting Daemons

 **RULE** 	DO NOT RUN AS flex license manager as ROOT

 Assign a role based account to each daemon
 eg
 	groupadd -g 3333 boojumd
 	useradd -u 3333 -g boojumd -s /sbin/nologin boojumd

 ### Systemd Service file

 A stripped down version

 -----------------------------------------------------------------
 [Unit]
 Description=Boojum Snark license manager
 After=network.target

 [Service]
 Type=forking
 User=boojumd

 ExecStart=/opt/boojum/sbin/lmgrd -local -c /opt/boojum/etc/boojum.lic -l /var/opt/boojum/log/boojumd.log
 ExecReload=/opt/boojum/bin/lmreread -c /opt/boojum/etc/boojum.lic
 ExecStop=/opt/boojum/bin/lmdown -q -c /opt/boojum/etc/boojum.lic
 SuccessExitStatus=15

 PrivateTmp=true

 [Install]
 WantedBy=multi-user.target
 -----------------------------------------------------------------

 ### System V Init script

 Stripped down init script.
 -----------------------------------------------------------------
 #! /bin/sh 
 #
 # description: starts boojum licensing daemon
 #
 PKG=boojum

 OPTDIR=/opt/$PKG
 SBINDIR=$OPTDIR/sbin
 BINDIR=$OPTDIR/bin
 ETCDIR=$OPTDIR/etc
 PKG_LICENSE_FILE=$ETCDIR/boojum.lic

 LOGDIR=/var/opt/$PKG/log
 LOGFILE=$LOGDIR/boojumd.log

 LMGRD=$SBINDIR/lmgrd
 VENDOR_DAEMON=boojumd
 LMDOWN=$BINDIR/lmdown
 LMSTAT=$BINDIR/lmstat
 LMREREAD=$BINDIR/lmreread

 LM_USER=boojumd

 case $1 in
 start)
        /bin/su $LM_USER "$LMGRD -c $PKG_LICENSE_FILE -l $LOGFILE"
        sleep 5 
 ;;
 stop)  
        /bin/su $LM_USER -c "$LMDOWN -q -c $PKG_LICENSE_FILE"
 ;;
 status)
        /bin/su $LM_USER -c "$LMSTAT -S $$VENDOR_DAEMON -c $PKG_LICENSE_FILE"
 ;;
 reload)
        /bin/su $LM_USER -c "$LMREREAD -c $PKG_LICENSE_FILE"
 ;;
 esac
 -----------------------------------------------------------------
 ### Lmgrd Synopsis (from Guide)

 lmgrd [‐c license_file_list] [‐l [+]debug_log_path]
 [‐2 ‐p] [‐local] [‐x lmdown] [‐x lmremove] [‐z] [‐v] [‐help]

 -2 -p 	-- On UNIX systems, ‐2 ‐p  restricts usage of lmdown , lmreread , and lmremove —as well as
           lmswitch , lmswitchr , and lmnewlog —to a license administrator who is by default root. If
           there is a UNIX group called lmadmin , then use is restricted to only members of that              
           group. If root is not a member of this group, then root does not have permission to
           use any of the above utilities.
 -local  -- On UNIX systems, restricts the lmdown and lmreread commands to be run only from
           the same system where lmgrd is running.
 -x lmdown   -- Disables the lmdown command
 -x lmremove -- Disables the lmremove command
 -z          -- Runs in foreground. The default behavior is to run in the background.

 ## Notes
 A lot of software include an irritating gui license administration application on top
 of flexlm - usually a Java based abomination. It can normally be removed or ignored.

 Only two components are required to run a license server are
 1) sufficiently recent lmgrd and lmutil
 to support the vendor daemon and licensing features and
 2) the vendor daemon binrary and a valid license file for the license server.

 If you wish to run two separate servers with separate ports and license files which
 license the same application and overlapping features ensure that the systemd
 service file has "PrivateTmp=true"
 Otherwise the vendor daemons will lock each other out.
 [Hint: think about this.]

 To use the '-z' switch of lmgrd in the systemd service file change 
 Type=simple instead of Type=forking

diff --git a/classic-flexlm-tools.txt b/classic-flexlm-tools.txt
 What probably isn't documented is that lmstat (and presumably the software using the licensing service)
 actually downloads a copy of the license file from the license server.

 This is extremely useful when the vendor daemon is NOT configured to use a fixed tcp port and the license
 server is firewalled between the client and the server.

 Typically all is working and then a new license file is installed and the service restarted. 
 The vendor daemon is then allocated or binds a random ephemeral tcp port for which there are not firewall rule
 permitting this (new) traffic.

 Armed with this information you can hassle the license server administrator(s) to add a port= clause to
 the VENDOR line or to open the firewalled port (guess which one they will choose.)

 Cutting to the chase:

 /bin/strace -o /dev/stdout -s 64000 -e trace=recvfrom /opt/flexlm/bin/lmstat -c [email protected]

 You may have to construct a client licence file if the "-c port@server" doesn't work
 ie
  # /tmp/boojum.lic
  SERVER snark.example.org ANY 2798
  USE_SERVER

 /bin/strace -o /dev/stdout -s 64000 -e trace=recvfrom /opt/flexlm/bin/lmstat -c /tmp/boojum.lic

 STRACECMD="/bin/strace -o /dev/stdout -s 64000 -e trace=recvfrom /opt/flexlm/bin/lmstat -c /tmp/boojum.lic"

 $STRACECMD | grep -e SERVER
 recvfrom(3, "????SERVER snark.example.org 3417ab98c735 2798\nVENDOR boojumd /opt/boojumd/sbin port=2799\n etc etc

 Strace translates \015 -> \r, \012 -> \n, \011 -> \t and " into \"
 so you can clean up the output a little with sed
 eg
 $STRACECMD | grep -e SERVER | sed -E -e '/^recvfrom.*SERVER/SERVER/' -e 's/\\n/\n/g' -e 's/\\t/\t/g' -e 's/\\\\/\\/g'

 You don't need much imagination to see that you can reconstruct the original license file.
 Hint: think about this.

 If the license file is very large (lots of FEATURES etc) then the file's contents will be 
 returned in multiple recvfrom calls.

 The last one will have a terminal \"\0"
 ie
  recvfrom(3, ".........lots.....\"\0", N, 0, NULL, NULL) = N
 where N is the requested number of bytes.
	# Classic Flex License Manager (lmgrd)
	Gory details can be read in
	Book Name: License Administration Guide
	Part Number: FNP-111411-LAG00
	Product Release Date: March 2017

	## Daemons
	Clearing away the obfuscation around the license manager is fairly simple.

	This license management has a vendor independent and vendor provided
	components.

	The vendor independent component is essentially
	lmgrd # license manager daemon
	lmutil # client utility that communicates with the daemon

	The vendor component is the vendor daemon
	eg Matlab
	MLM

	The vendor provides the license file which has SERVER, VENDOR lines
	which specify the parameters that lmgrd and the vendor daemon use.
	The following FEATURE and INCREMENT lines detail cryptographically
	protected licensed facilities of the application normally including
	an expiry date.

	We will use an imaginary application 'boojum' with vendor daemon
	'boojumd' with an license server installation -

	/opt/boojum/
	sbin/
	lmgrd
	boojumd
	bin/
	lmutil
	etc/
	boojum.lic



	So our boojum.lic file might look like

	SERVER snark.example.org 3417ab98c735 2798
	VENDOR boojumd /opt/boojumd/sbin port=2799

	The SERVER has the server name 'snark', the 'hostid' is the fixed host
	identifier for which the license is license was generated (if it doesn't
	match the license is invalid) and the final number is the tcp port lmgrd
	will bind (use.)
	Note: the hostid is normally the ethernet (mac) address of one of the hosts
	interfaces.

	ip l sh dev eth0
	2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP \
	mode DEFAULT group default qlen 1000
	link/ether 34:17:ab:98:c7:35 brd ff:ff:ff:ff:ff:ff


	The VENDOR line has the vendor daemon 'boojumd' and optionally the folder
	containing the vendor daemon (required if different from that of lmgrd)
	and the tcp port that 'boojumd' will use to communicate with the client software.
	This port is communicated via the lmgrd process to the client.

	If this port is omitted a free port is selected.
	The port specification is necessary if the server host or intermediate
	systems have firewall rules that require amending to allow access to
	the ports that lmgrd and boojumd use.


	## Utilities
	lmutil encapsulates a grab bag of client functions

	See the output from lmutil -help
	eg
	lmutil lmstat
	lmutil lmhostid
	lmutil lmdown

	These utilities can be directly invoked directly by symlinking lmutil
	to the utility's name

	cd /opt/boojum/bin
	ln -s lmutil lmhostid
	# etc

	### Display Hostid - required and provided to software vendor for license generation

	/opt/boojum/bin/lmhostid
	lmutil - Copyright (c) 1989-2021 Flexera. All Rights Reserved.
	The FlexNet host ID of this machine is "3417ab98c735"

	### License Manager status

	Once the license daemons are running the licensing status is displayed

	/opt/boojum/bin/lmstat -a -c /opt/boojum/etc/boojum.lic

	lmstat - Copyright (c) 1989-2015 Flexera Software LLC. All Rights Reserved.
	Flexible License Manager status on Wed 3/22/2023 20:33

	License server status: [email protected]
	License file(s) on snark.example.org: /opt/boojum/etc/boojum.lic
	snark.example.org license server UP (MASTER) v11.13.1
	Vendor daemon status (on snark.example.org):
	boojumd: UP v11.13.1
	Feature usage info:

	Users of fit1: (Total of 5 licenses issued; Total of 0 licenses in use)
	Users of fit2: (Total of 10 licenses issued; Total of 0 licenses in use)

	### Shutdown License Manager

	# Note there are additional switches.
	# lmdown --help to display.
	/opt/boojum/bin/lmdown -c /opt/boojum/etc/boojum.lic

	## Setup and Starting Daemons

	RULE DO NOT RUN AS flex license manager as ROOT

	Assign a role based account to each daemon
	eg
	groupadd -g 3333 boojumd
	useradd -u 3333 -g boojumd -s /sbin/nologin boojumd

	### Systemd Service file

	A stripped down version

	-----------------------------------------------------------------
	[Unit]
	Description=Boojum Snark license manager
	After=network.target

	[Service]
	Type=forking
	User=boojumd

	ExecStart=/opt/boojum/sbin/lmgrd -local -c /opt/boojum/etc/boojum.lic -l /var/opt/boojum/log/boojumd.log
	ExecReload=/opt/boojum/bin/lmreread -c /opt/boojum/etc/boojum.lic
	ExecStop=/opt/boojum/bin/lmdown -q -c /opt/boojum/etc/boojum.lic
	SuccessExitStatus=15

	PrivateTmp=true

	[Install]
	WantedBy=multi-user.target
	-----------------------------------------------------------------

	### System V Init script

	Stripped down init script.
	-----------------------------------------------------------------
	#! /bin/sh
	#
	# description: starts boojum licensing daemon
	#
	PKG=boojum

	OPTDIR=/opt/$PKG
	SBINDIR=$OPTDIR/sbin
	BINDIR=$OPTDIR/bin
	ETCDIR=$OPTDIR/etc
	PKG_LICENSE_FILE=$ETCDIR/boojum.lic

	LOGDIR=/var/opt/$PKG/log
	LOGFILE=$LOGDIR/boojumd.log

	LMGRD=$SBINDIR/lmgrd
	VENDOR_DAEMON=boojumd
	LMDOWN=$BINDIR/lmdown
	LMSTAT=$BINDIR/lmstat
	LMREREAD=$BINDIR/lmreread

	LM_USER=boojumd

	case $1 in
	start)
	/bin/su $LM_USER "$LMGRD -c $PKG_LICENSE_FILE -l $LOGFILE"
	sleep 5
	;;
	stop)
	/bin/su $LM_USER -c "$LMDOWN -q -c $PKG_LICENSE_FILE"
	;;
	status)
	/bin/su $LM_USER -c "$LMSTAT -S $$VENDOR_DAEMON -c $PKG_LICENSE_FILE"
	;;
	reload)
	/bin/su $LM_USER -c "$LMREREAD -c $PKG_LICENSE_FILE"
	;;
	esac
	-----------------------------------------------------------------
	### Lmgrd Synopsis (from Guide)

	lmgrd [‐c license_file_list] [‐l [+]debug_log_path]
	[‐2 ‐p] [‐local] [‐x lmdown] [‐x lmremove] [‐z] [‐v] [‐help]

	-2 -p -- On UNIX systems, ‐2 ‐p restricts usage of lmdown , lmreread , and lmremove —as well as
	lmswitch , lmswitchr , and lmnewlog —to a license administrator who is by default root. If
	there is a UNIX group called lmadmin , then use is restricted to only members of that
	group. If root is not a member of this group, then root does not have permission to
	use any of the above utilities.
	-local -- On UNIX systems, restricts the lmdown and lmreread commands to be run only from
	the same system where lmgrd is running.
	-x lmdown -- Disables the lmdown command
	-x lmremove -- Disables the lmremove command
	-z -- Runs in foreground. The default behavior is to run in the background.

	## Notes
	A lot of software include an irritating gui license administration application on top
	of flexlm - usually a Java based abomination. It can normally be removed or ignored.

	Only two components are required to run a license server are
	1) sufficiently recent lmgrd and lmutil
	to support the vendor daemon and licensing features and
	2) the vendor daemon binrary and a valid license file for the license server.

	If you wish to run two separate servers with separate ports and license files which
	license the same application and overlapping features ensure that the systemd
	service file has "PrivateTmp=true"
	Otherwise the vendor daemons will lock each other out.
	[Hint: think about this.]

	To use the '-z' switch of lmgrd in the systemd service file change
	Type=simple instead of Type=forking
	What probably isn't documented is that lmstat (and presumably the software using the licensing service)
	actually downloads a copy of the license file from the license server.

	This is extremely useful when the vendor daemon is NOT configured to use a fixed tcp port and the license
	server is firewalled between the client and the server.

	Typically all is working and then a new license file is installed and the service restarted.
	The vendor daemon is then allocated or binds a random ephemeral tcp port for which there are not firewall rule
	permitting this (new) traffic.

	Armed with this information you can hassle the license server administrator(s) to add a port= clause to
	the VENDOR line or to open the firewalled port (guess which one they will choose.)

	Cutting to the chase:

	/bin/strace -o /dev/stdout -s 64000 -e trace=recvfrom /opt/flexlm/bin/lmstat -c [email protected]

	You may have to construct a client licence file if the "-c port@server" doesn't work
	ie
	# /tmp/boojum.lic
	SERVER snark.example.org ANY 2798
	USE_SERVER

	/bin/strace -o /dev/stdout -s 64000 -e trace=recvfrom /opt/flexlm/bin/lmstat -c /tmp/boojum.lic

	STRACECMD="/bin/strace -o /dev/stdout -s 64000 -e trace=recvfrom /opt/flexlm/bin/lmstat -c /tmp/boojum.lic"

	$STRACECMD \| grep -e SERVER
	recvfrom(3, "????SERVER snark.example.org 3417ab98c735 2798\nVENDOR boojumd /opt/boojumd/sbin port=2799\n etc etc

	Strace translates \015 -> \r, \012 -> \n, \011 -> \t and " into \"
	so you can clean up the output a little with sed
	eg
	$STRACECMD \| grep -e SERVER \| sed -E -e '/^recvfrom.*SERVER/SERVER/' -e 's/\\n/\n/g' -e 's/\\t/\t/g' -e 's/\\\\/\\/g'

	You don't need much imagination to see that you can reconstruct the original license file.
	Hint: think about this.

	If the license file is very large (lots of FEATURES etc) then the file's contents will be
	returned in multiple recvfrom calls.

	The last one will have a terminal \"\0"
	ie
	recvfrom(3, ".........lots.....\"\0", N, 0, NULL, NULL) = N
	where N is the requested number of bytes.