<!-- BaNnErBlUrFlE-BoDy-start -->
<!-- Preheader Text : BEGIN -->
<div style="display:none !important;display:none;visibility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;height:0px;max-height:0px;opacity:0;overflow:hidden;">
Hi Michael Just a few thoughts. PMIx does have two security-related attributes: #define PMIX_CRED_TYPE “pmix. sec. ctype" // (char*) when passed in PMIx_Get_credential, a prioritized, // comma-delimited list of desired credential types for use</div>
<!-- Preheader Text : END -->
<!-- Email Banner : BEGIN -->
<div style="display:none !important;display:none;visibility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;max-height:0px;opacity:0;overflow:hidden;">ZjQcmQRYFpfptBannerStart</div>
<!--[if ((ie)|(mso))]>
<table border="0" cellspacing="0" cellpadding="0" width="100%" style="padding: 16px 0px 16px 0px; direction: ltr" ><tr><td>
<table border="0" cellspacing="0" cellpadding="0" style="padding: 0px 10px 5px 6px; width: 100%; border-radius:4px; border-top:4px solid #90a4ae;background-color:#D0D8DC;"><tr><td valign="top">
<table align="left" border="0" cellspacing="0" cellpadding="0" style="padding: 4px 8px 4px 8px">
<tr><td style="color:#000000; font-family: 'Arial', sans-serif; font-weight:bold; font-size:14px; direction: ltr">
This Message Is From an External Sender
</td></tr>
<tr><td style="color:#000000; font-weight:normal; font-family: 'Arial', sans-serif; font-size:12px; direction: ltr">
This message came from outside your organization.
</td></tr>
</table>
</td></tr></table>
</td></tr></table>
<![endif]-->
<![if !((ie)|(mso))]>
<div dir="ltr" id="pfptBanner0jsuj86" style="all: revert !important; display:block !important; text-align: left !important; margin:16px 0px 16px 0px !important; padding:8px 16px 8px 16px !important; border-radius: 4px !important; min-width: 200px !important; background-color: #D0D8DC !important; background-color: #D0D8DC; border-top: 4px solid #90a4ae !important; border-top: 4px solid #90a4ae;">
<div id="pfptBanner0jsuj86" style="all: unset !important; float:left !important; display:block !important; margin: 0px 0px 1px 0px !important; max-width: 600px !important;">
<div id="pfptBanner0jsuj86" style="all: unset !important; display:block !important; visibility: visible !important; background-color: #D0D8DC !important; color:#000000 !important; color:#000000; font-family: 'Arial', sans-serif !important; font-family: 'Arial', sans-serif; font-weight:bold !important; font-weight:bold; font-size:14px !important; line-height:18px !important; line-height:18px">
This Message Is From an External Sender
</div>
<div id="pfptBanner0jsuj86" style="all: unset !important; display:block !important; visibility: visible !important; background-color: #D0D8DC !important; color:#000000 !important; color:#000000; font-weight:normal; font-family: 'Arial', sans-serif !important; font-family: 'Arial', sans-serif; font-size:12px !important; line-height:18px !important; line-height:18px; margin-top:2px !important;">
This message came from outside your organization.
</div>
</div>
<div style="clear: both !important; display: block !important; visibility: hidden !important; line-height: 0 !important; font-size: 0.01px !important; height: 0px"> </div>
</div>
<![endif]>
<div style="display:none !important;display:none;visibility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;max-height:0px;opacity:0;overflow:hidden;">ZjQcmQRYFpfptBannerEnd</div>
<!-- Email Banner : END -->
<!-- BaNnErBlUrFlE-BoDy-end -->
<html><head><!-- BaNnErBlUrFlE-HeAdEr-start -->
<style>
#pfptBanner0jsuj86 { all: revert !important; display: block !important;
visibility: visible !important; opacity: 1 !important;
background-color: #D0D8DC !important;
max-width: none !important; max-height: none !important }
.pfptPrimaryButton0jsuj86:hover, .pfptPrimaryButton0jsuj86:focus {
background-color: #b4c1c7 !important; }
.pfptPrimaryButton0jsuj86:active {
background-color: #90a4ae !important; }
</style>
<!-- BaNnErBlUrFlE-HeAdEr-end -->
<meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hi Michael<div><br></div><div>Just a few thoughts. PMIx does have two security-related attributes:</div><div><br></div><div><div>#define PMIX_CRED_TYPE “pmix.sec.ctype" // (char*) when passed in PMIx_Get_credential, a prioritized,</div><div> // comma-delimited list of desired credential types for use</div><div> // in environments where multiple authentication mechanisms</div><div> // may be available. When returned in a callback function, a</div><div> // string identifier of the credential type</div><div><br></div><div>#define PMIX_CRYPTO_KEY “pmix.sec.key” // (pmix_byte_object_t) blob containing crypto key</div><div><br></div><div>You can include those in the “spawn” request as part of the job-level information to be passed to all the new processes. Providing the child procs with access to the parent’s credentials can be done by including those credentials in the job-level info to spawn, or using PMIx_Connect or PMIx_Group_construct after spawn as they will distribute the parent’s job-level info. Note that OpenMPI has chosen the latter approach as it proved beneficial for the child procs to have a full picture of their parent job. The info is retrieved by individual procs with a simple PMIx_Get, passing the ID of the proc whose credential you are seeking (rank=wildcard since we assume it’s the same for all procs in the namespace) and the PMIX_CRYPTO_KEY key (if you need the type, you can ask for that too with PMIX_CRED_TYPE).</div><div><br></div><div>I suppose it is possible (perhaps in the future) for a process/job to be assigned multiple security keys - e.g., if the system supported multiple parallel fabrics, each with its own security key. If that happens, we’ll have two choices: (a) define a new attribute for passing an array of structs containing keys and associated fabric ID so you know which key goes with which fabric; and/or (b) packing that info into the PMIX_CRYPTO_KEY byte object in a specified manner so it can be unpacked at the proc.</div><div><br></div><div>We also have the PMIx_Get_credential API you can use to request and obtain a new credential. Of course, that requires that the host support it on the backend! As you probably recall, we had talked during the Aurora days about having PMIx assist with obtaining the credential from the system (or perhaps generating it algorithmically like Slurm does for VNI), but never quite got to that point. At this time, we would rely on the PMIx server’s upcall to the host to obtain the credential.</div><div><br></div><div>In terms of injecting the key into the appropriate privileged service, there are a couple of options. One could use PMIx to connect to the privileged service and pass the key that way. I suspect system security folks would be leery of that no matter how carefully we tried to construct the connection validation handshake.</div><div><br></div><div>Another option might be to create a setuid script that operates at the service-privileged level and communicates the key to the service. Might be more palatable to the security folks as the script could be tightly constrained as to its abilities and kept very simple. Or maybe have the vendors provide an appropriate library that PMIx can call to set the credential (thereby allowing the vendor to control the communication handshake).</div><div><br></div><div>Or we could assign the responsibility for setting the network key to the host. If we pass the key in the spawn command, then the host could search for it and inject it into the services where required. Vendor environments would probably be able to do that as they usually have an accepted method for talking to a privileged service. Probably won’t work for mpirun, though, as that normally doesn’t run at privilege and therefore couldn’t do the injection.</div><div><br></div><div>So if we want mpirun to support network credentials for spawn, then we probably need to either find an acceptable way to connect to the service, or get acceptance for a setuid script or library to span the gap.</div><div><br></div><div>Happy to discuss this more over the phone or at a meeting, if people would like.</div><div>Ralph</div><div><br></div><div><blockquote type="cite"><div>On Aug 19, 2025, at 5:29 AM, Raymond, Michael <mraymond@hpe.com> wrote:</div><br class="Apple-interchange-newline"><div><meta charset="UTF-8"><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;"> On slide 11, “divers” works, but you may mean “diverse”.</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;"> With the PMIx APIs, is there a way to get back and/or specify which network security key should be used with the new Pset? With HPE’s Slingshot and the upcoming UEC, different applications are run with different network security keys (VNIs and JobIDs respectively). Two separately-launched applications will likely have different keys and be unable to intercommunicate. MPI is going to need PMI to tell it which key to use to talk to the processes that were launched separately. MPI will also need a privileged service to add the key to its network context.</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;"> With Slingshot, applications launched under the same job share a JobVNI in addition to their individual job-step VNIs. Applications from separate jobs and users can use DRC2 to agree upon a VNI. We’ll need a generic attribute to pass this information in PMIx.</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">Michael Raymond</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">HPE HPC Development Environment</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">1 (612) 851-0500</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">On Aug 18, 2025, at 20:37, Ralph Castain via mpiwg-sessions <<a href="mailto:mpiwg-sessions@lists.mpi-forum.org">mpiwg-sessions@lists.mpi-forum.org</a>> wrote:<br><br>Hi Dominik Scanned through your slides and thought they looked good. Would definitely be nice to create an MPI-level abstraction for dynamic ops! Only comment I had was to perhaps provide the equivalent of PMIx attributes to the MPI API as a<br>ZjQcmQRYFpfptBannerStart<br>This Message Is From an External Sender<span class="Apple-converted-space"> </span><br>This message came from outside your organization.<span class="Apple-converted-space"> </span><br> ZjQcmQRYFpfptBannerEnd<br>#pfptBannervq9swly { all: revert !important; display: block !important; visibility: visible !important; opacity: 1 !important; background-color: #D0D8DC !important; max-width: none !important; max-height: none !important } .pfptPrimaryButtonvq9swly:hover, .pfptPrimaryButtonvq9swly:focus { background-color: #b4c1c7 !important; } .pfptPrimaryButtonvq9swly:active { background-color: #90a4ae !important; } Hi Dominik<br><br>Scanned through your slides and thought they looked good. Would definitely be nice to create an MPI-level abstraction for dynamic ops!<br><br>Only comment I had was to perhaps provide the equivalent of PMIx attributes to the MPI API as a means of making it easier to extend in the future. I suspect the community at-large will discover additional use-cases that require new inputs, and it would be unfortunate if we had to create new APIs every time that happened.<br><br>BTW: I have the resource usage code working in both PMIx and PRRTE now - getting ready to commit those changes. Just need to clean up a couple of things first.<br><br>Ralph<br><br><br><blockquote type="cite">On Aug 18, 2025, at 12:12 PM, Dominik Huber via mpiwg-sessions <mpiwg-sessions@lists.mpi-forum.org> wrote:<br><br>This Message Is From an External Sender<br>This message came from outside your organization.<br>Hi all,<br>As discussed in our last meeting, we’re considering a presentation on the current state of our Dynamic Processes discussions at a tentative non-voting meeting in early September.<br>Since many of us will be on vacation or at EuroPar in August, it may be difficult to hold WG meetings during this period.<br>To keep things moving, I’ve uploaded a draft of our slides to Google Slides for collaboration and feedback:<br><a href="https://urldefense.us/v3/__https://docs.google.com/presentation/d/1N-eotOfiQ2C4p4XaI3SigOhDpfwDve1EFPPQXOkiJtw/edit?usp=sharing__;!!G_uCfscf7eWS!ZZ7JJyuMqw_ePrVRGgd2c0ZA9eFHjZGtCb8JB-tLRcNfV3CwUhLlbpVGO9d58RWLU9rH6YAqGc_49C6BidbUOVI$">https://docs.google.com/presentation/d/1N-eotOfiQ2C4p4XaI3SigOhDpfwDve1EFPPQXOkiJtw/edit?usp=sharing</a><br><br>I won’t be able to attend next week’s WG meeting (if one is planned), but the usual Zoom link should still work.<br><br>Best regards,<br><br>Dominik<br><br><br><br>_______________________________________________<br>mpiwg-sessions mailing list<br>mpiwg-sessions@lists.mpi-forum.org<br><a href="https://urldefense.us/v3/__https://lists.mpi-forum.org/mailman/listinfo/mpiwg-sessions__;!!G_uCfscf7eWS!ZZ7JJyuMqw_ePrVRGgd2c0ZA9eFHjZGtCb8JB-tLRcNfV3CwUhLlbpVGO9d58RWLU9rH6YAqGc_49C6B30slVuw$">https://lists.mpi-forum.org/mailman/listinfo/mpiwg-sessions</a><br></blockquote><br><br>_______________________________________________<br>mpiwg-sessions mailing list<br><a href="mailto:mpiwg-sessions@lists.mpi-forum.org">mpiwg-sessions@lists.mpi-forum.org</a><br><a href="https://urldefense.com/v3/__https://lists.mpi-forum.org/mailman/listinfo/mpiwg-sessions__;!!NpxR!gS588VmX_aP0Q8KdriJ-s37VzNYe4GiQluve17ek7ZfFwZmk-kLGiViBym6BPM6EknsunjgGGOgCau-XaKbHSon3I-girw$">https://urldefense.com/v3/__https://lists.mpi-forum.org/mailman/listinfo/mpiwg-sessions__;!!NpxR!gS588VmX_aP0Q8KdriJ-s37VzNYe4GiQluve17ek7ZfFwZmk-kLGiViBym6BPM6EknsunjgGGOgCau-XaKbHSon3I-girw$</a></blockquote></div></blockquote></div><br></div></body></html>