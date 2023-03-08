To simplify the installation and administration of the DLS, the DLS is distributed as a software image to be installed or deployed on a supported platform. The DLS is a secure, hardened environment in which access to the application software is strictly controlled.



The following types of DLS software image are available:

A virtual appliance image to be installed in a VM on a supported hypervisor

A containerized software image for deployment on a supported container orchestration platform

An installable package for installation on a supported OS running in a virtualized server environment on your choice of hypervisor or on a bare-metal server

Each DLS software image is configured with a single standard user account for accessing the DLS appliance and an account with sudo user privileges for installing updates to the DLS appliance software. Modifications to these accounts are strictly controlled. You cannot add other user accounts to the software image. However, you can use a lightweight directory access protocol (LDAP) directory instead of the configured accounts for managing user access to a DLS appliance. DLS Virtual Appliance supports user account management at two levels: OS-level user accounts (dls_admin, rsu_admin) exist on the underlying operating system and are used for appliance management, while application-level user accounts (introduced in DLS 3.6.0) are created via DLS Web UI or API for accessing DLS management interfaces. Application users exist only in the DLS application database and support role-based access control (RBAC) with three pre-defined roles: DLS_ADMIN, DLS_OPERATOR, and DLS_USER.

In each VM-based virtual appliance image, the DLS application software is containerized to allow limited access to the OS so that non-root users can install security compliance and scanning tools in the VM. However, a container orchestration platform cannot control or restrict access to the OS on which the platform is running.

In the package for installation on a supported OS, the DLS application software is containerized to ensure that all software dependencies are met and to isolate the DLS application software from the underlying OS.

As far as possible, the DLS appliances based on all types of software image are functionally equivalent. Therefore, whether to use a container-based DLS appliance, a VM-based DLS appliance, or a DLS appliance from a package for installation on a supported OS depends on the requirements of your IT infrastructure or the policies of your IT department.

For additional guidelines, refer to the following resources from the vendors of platforms that support NVIDIA License System:

Before proceeding, ensure that you have a platform suitable for hosting a DLS virtual appliance or containerized DLS software image.

The hosting platform must be a physical host running a supported hypervisor or container orchestration platform.

The minimum resource requirements for the VM in which the DLS virtual appliance or DLS container will run is as follows: Number of vCPUs: 4 RAM: 8 Gbytes Disk Size: 15 Gbytes For additional guidelines, refer to Sizing Guidelines for a DLS Appliance.

The platform must have a fixed (unchanging) IP address. The IP address may be assigned dynamically by DHCP or statically configured, but must be constant.

The platform’s date and time must be set accurately. NTP is recommended.

Note: Before proceeding with the installation, refer to NVIDIA Delegated License Service Release Notes for details of supported hypervisors, details of supported container orchestration platforms, and known issues.

The platform that hosts a DLS virtual appliance must be identified by its IP address or its fully qualified domain name. It can also be identified by its CNAME. If you want to identify the platform by its fully qualified domain name, ensure that the required DNS entries are set before installing the DLS virtual appliance. If you want to identify the platform by its default host name, you must set a DNS entry that maps the default host name to the fully qualified domain name.

The process for setting these DNS entries is separate from the process for installing the DLS virtual appliance. Use the standard interfaces of the name resolution service that you are using to set the required DNS entries.

Tip: Whenever possible, set DNS entries for the platform that hosts a DLS virtual appliance. If the DNS entries are set, the DLS appliance can be accessed through both its IP address and its fully qualified domain name.

Determining Whether the Forward Pointer and Reverse Pointer DNS Entries Are Correct

For each mapping between a domain name and an IP address, ensure that you set both the forward pointer and reverse pointer DNS entries. A DLS virtual appliance requires the reverse pointer entry to determine the domain name of the DLS virtual appliance when creating a client configuration token.

Note: For the reverse pointer DNS entry on a Windows DNS server, use all lowercase for the fully qualified domain name.

To determine whether the forward pointer and reverse pointer DNS entries have been set correctly, type the following commands in a shell on any UNIX or Linux host on the same network as the DLS virtual appliance:

For the forward pointer entry, type: Copy Copied! $ host domain-name domain-name The domain name for which you want to determine whether the forward pointer DNS entry is correct. If the DNS entry has been set correctly, the command displays the IP address that is mapped to the domain name.

For the reverse pointer entry, type: Copy Copied! $ host ip-address ip-address The IP address for which you want to determine whether the reverse pointer DNS entry is correct. If the DNS entry has been set correctly, the command displays the domain name that is mapped to the IP address.

How a DLS Instance Determines Whether a Fully Qualified Domain Name Is Set

How a DLS instance determines whether a fully qualified domain name is set depends on the type of DLS instance.

VM-based DLS virtual appliance: When the VM that hosts a DLS instance starts, the DLS instance checks whether a fully qualified domain name is mapped to the IP address of the VM. If a name is mapped to the IP address of the VM, the DLS instance retrieves the name to display in the user interface of the NVIDIA Licensing application on the appliance.

When the VM that hosts a DLS instance starts, the DLS instance checks whether a fully qualified domain name is mapped to the IP address of the VM. If a name is mapped to the IP address of the VM, the DLS instance retrieves the name to display in the user interface of the NVIDIA Licensing application on the appliance. Containerized DLS Software Image: The fully qualified domain name is set through an environment variable. When the container within which the DLS software image is deployed is started, the DLS instance checks whether this environment variable is set. Note: Licensed clients outside the container must be able to resolve the fully qualified domain name. The environment variable must not specify a name that can be resolved only by the container orchestrator. If this environment variable is set, the DLS instance retrieves the name to display in the user interface of the NVIDIA Licensing application on the appliance. If this environment variable is not set, a user cannot connect to the container in which the DLS software image is deployed through a fully qualified domain name, even if a fully qualified domain name is mapped to an IP address in the DNS server. For more information, refer to Setting Properties for a Containerized DLS Software Image.



How the Host Name of the VM or Container that Hosts a DLS Instance Is Set

How the host name of the VM or container that hosts a DLS instance is set depends on the type of DLS instance.

VM-based DLS virtual appliance: The host name is preset in the virtual appliance image. The host name of a standalone DLS virtual appliance is preset to nls-si-0 . The host names of the DLS virtual appliances in an HA cluster are preset to nls-si-0 and nls-si-1 . The host name can be changed as explained in Changing the Host Name of a VM-Based DLS Virtual Appliance.

The host name is preset in the virtual appliance image. Containerized DLS Software Image: The host name is set through an environment variable. If this environment variable is not set, the container orchestration platform sets the host name to the container ID. For more information, refer to Setting Properties for a Containerized DLS Software Image.

The host name is set through an environment variable. If this environment variable is not set, the container orchestration platform sets the host name to the container ID. For more information, refer to Setting Properties for a Containerized DLS Software Image. CNAME Identification: The platform that hosts a DLS virtual appliance can also be identified by its CNAME.

To enable communication between a licensed client and a CLS or DLS instance, specific ports must be open in your firewall or proxy server. If you are using an HA cluster of DLS instances with a firewall or proxy server between the DLS instances, additional ports must be open in your firewall or proxy server.

Communications Ports Between a Licensed Client and a CLS Instance

To enable communication between a licensed client and a CLS instance, the following ports must be open in your firewall or proxy server:

Port Protocol Egress / Ingress Protocol / Service From To 80 TLS, TCP Egress License release Client CLS 443 TLS, TCP Egress License acquisition License renewal Client CLS

Note: Port 80 is used by all Windows VMs to release the licenses during the time the VM is shutdown.

Port 443 is used for returning the license at the time of license renewal and for license releases during normal operations by all VMs except Windows VMs.





Communications Ports Between a Licensed Client and a DLS Instance

To enable communication between a licensed client and a DLS instance, the following ports must be open in your firewall or proxy server:

Port Protocol Egress / Ingress Protocol / Service From To 80 TLS, TCP Egress License release Client DLS 443 TLS, TCP Egress License acquisition License renewal License release Client DLS

Note: Port 80 is used by all Windows VMs to release the licenses during the time the VM is shutdown.

Port 443 is used for returning the license at the time of license renewal and for license releases during normal operations by all VMs except Windows VMs.

The following ports for client to DLS connections are no longer required, but are supported for backward compatibility: 8081, 8082.

For a container-based DLS appliance, ports 80 and 443 might not be available for the DLS appliance to bind to, either because the container orchestrator administrator has restricted access to these ports or because the ports are in use by other containers. In this situation, you must set the environment variables DLS_HTTP_PORT and DLS_HTTPS_PORT to the ports that the DLS appliance must bind to. For more information, refer to Setting Properties for a Containerized DLS Software Image.





Communications Ports Between DLS Instances in an HA Cluster

If you are using an HA cluster of DLS instances with a firewall or proxy server between the DLS instances, the following ports must also be open in the firewall or proxy server:

Port Containerized Instance VM-Based Instance Protocol Egress/Ingress Protocol/Service From To 443 - ✔ TLS, TCP Both Licensing Services Primary DLS Secondary DLS 4369 ✔ ✔ EPMD (peer discovery) Both RabbitMQ, Erlang Primary DLS Secondary DLS 5671 ✔ ✔ AMQP, TLS Both RabbitMQ Primary DLS Secondary DLS 8080 ✔ ✔ HTTPS Both Licensing Services Primary DLS Secondary DLS 8081 ✔ ✔ HTTPS Both Licensing Services Primary DLS Secondary DLS 8082 ✔ ✔ HTTPS Both Licensing Services Primary DLS Secondary DLS 8083 ✔ ✔ HTTPS Both Licensing Services Primary DLS Secondary DLS 8084 ✔ ✔ HTTPS Both Licensing Services Primary DLS Secondary DLS 8085 ✔ ✔ HTTPS Both Licensing Services Primary DLS Secondary DLS

✔ Port is used.

- Port is not used.

The following ports that were required to be open in earlier releases are no longer used:

22

1883

5672

8883

15672

25671

25672

61613

61614

Communications Ports in the Container Orchestrator

The following ports must be available in the container orchestrator to allow the DLS appliance container to bind to them:

Port Service 8080, 18080 Administration Service 8081, 18081 Authorization Service 8082, 18082 Licensing Services 8083, 18083 File Installation 8084, 18084 Service Instance 8085 Virtual Appliance Service 9001 Process Manager (supervisord) 25672 RabbitMQ

Use the measured performance numbers to determine the optimum configuration for your container-based or VM-based DLS appliances based on the expected number and frequency of requests from licensed clients.

Throughput measures the number of clients that a VM-based or container-based DLS appliance can process in 1 second.

Note: All measurements were taken with a CPU clock speed of 3 GHz.

For a VM-based DLS appliance, the disk size is preset to 15 Gbytes in the virtual appliance image. If you want to retain diagnostic log files for longer than the default period of three months, increase the disk size in the appliance.

The measurements for a container-based DLS appliance were taken from a Docker container in an Ubuntu VM. Only the containers for the DLS appliance were running in the VM while the measurements were taken.

If you increase the number of vCPUs, you must increase the total RAM in GB to twice the number of vCPUs. For a container-based DLS appliance, increasing the number of vCPUs increases the number of worker threads. If the number of vCPUs is increased without an increase in the total RAM, some workers or services might fail.

Number of vCPUs Total RAM (GB) RAM Consumed (GB) Throughput (Clients per Second) Average Response Time (ms) 4 8 4.5 5 74 6 12 6 9 84 8 16 8 13 87

Scalability measures the maximum number of licensed clients that a VM-based or container-based DLS appliance can serve in a specific interval. A DLS appliance serves a licensed client by performing a licensing operation for the client, namely the borrowing, return, or renewal of a license. Registration of a licensed client is not considered a licensing operation because it occurs only once for any client.

These measurements capture the maximum number of licensed clients that DLS appliances with varying numbers of vCPUs and amounts of RAM can serve when licenses are borrowed for 12 hours. The maximum number of clients is directly proportional to the length of time for which licenses are borrowed. If the length of time increases, the maximum number of clients also increases.

To calculate the maximum number of clients from the length of time for which licenses are borrowed, use the following formula:

max-clients=clients-per-second⨯60⨯(renewal-interval-percentage/100)⨯borrow-time-in-hours⨯60

max-clients The maximum number of licensed clients that a DLS appliance can serve. clients-per-second The number of clients per second that the DLS appliance can serve as measured by scalability runs for each configuration. Use the number of clients per second in the table for the appropriate configuration. renewal-interval-percentage The percentage of the length of time for which a license is borrowed to which the renewal interval is set. When these measurements were taken, the renewal interval was set to 15% of the length of time in hours for which licenses were borrowed. borrow-time-in-hours The length of time in hours for which licenses are borrowed. When these measurements were taken, licenses were borrowed for 12 hours.

This formula prevents the accumulation of requests on a DLS instance, ensuring smooth operation.

Note: The measurements were taken with the throughput measured in Throughput for a DLS Appliance.

All measurements were taken with a CPU clock speed of 2.6 GHz.

The measurements for a container-based DLS appliance were taken from a Docker container in an Ubuntu VM. Only the containers for the DLS appliance were running in the VM while the measurements were taken.

Number of vCPUs Total RAM (GB) Clients per Second Calculation Maximum Number of Clients 4 8 5 5⨯60⨯0.15⨯12⨯60 32,000 6 12 9 9⨯60⨯0.15⨯12⨯60 58,000 8 16 13 13⨯60⨯0.15⨯12⨯60 84,000

Burst load performance measures the time that a VM-based or container-based DLS appliance requires to process the requests received from a large number of clients in a short interval of time. Burst load performance does not measure concurrency or throughput.

Note: Burst processing times are illustrative only because they are for retry logic in performance tests that use simulated client drivers. Times may differ with real client drivers.

The test systems were configured with 4 vCPUs and 8 GB of RAM.

The measurements for a container-based DLS appliance were taken from a Docker container in an Ubuntu VM. Only the containers for the DLS appliance were running in the VM while the measurements were taken.

Number of Clients Interval Processing Time 100 0-1 second 5 seconds 1,000 0-20 seconds 50 seconds 5,000 0-5 minutes 5 minutes 10,000 0-10 minutes 8 minutes and 42 seconds

To simplify the installation process, a VM-based DLS virtual appliance is supplied as a virtual appliance image to be installed on a supported hypervisor.

After verifying the requirements in Platform Requirements for a DLS Virtual Appliance or Containerized DLS Software Image and reviewing the guidelines in Sizing Guidelines for a DLS Appliance, install and configure the DLS virtual appliance by following this sequence of instructions:

DLS virtual appliance images are available for several hypervisors. You use standard interfaces of the hypervisor to install the DLS virtual appliance on your chosen hypervisor.

The DLS virtual appliance image for each supported hypervisor except Red Hat Enterprise Linux KVM specifies the minimum configuration for the VM as listed in Platform Requirements for a DLS Virtual Appliance or Containerized DLS Software Image. You are not required to specify the VM configuration when you install the DLS virtual appliance for these hypervisors. After installing the DLS virtual appliance, you can use standard interfaces of the hypervisor to change the configuration of the VM if necessary.

Note: If subnet conflicts occur, contact your network administrator for an appropriate subnet address and then follow these steps. Modify the back-tier property of the networks element in the /etc/dls/config/docker-compose.yml file using the rsu_admin user. Restart the VM for the change to take effect.





The DLS image for Citrix Hypervisor is distributed as a ZIP archive that contains an XVA file, which is a format that is specific to Xen-based hypervisors.

Use the Citrix XenCenter Import wizard to perform this task on the Citrix Hypervisor host on which you want to run the DLS virtual appliance.

For additional information, see Import VMs From XVA on the Citrix product documentation website.



Download the ZIP archive that contains the XVA file that contains the DLS virtual appliance image to the hypervisor host. Extract the contents of the ZIP archive that you downloaded. In Citrix XenCenter, from the File menu, choose Import. Browse for and select the downloaded XVA file, and click Next. Select the server on which the imported VM will be placed and click Next. Select the storage repository where the virtual disks for the newly imported VM will be stored and click Import. Select the default virtual network interfaces in the template for the virtual appliance and click Next. Review the settings for importing the virtual machine and click Finish to create the virtual machine. Start the VM that you created.

Allow approximately 15 minutes after the VM is started for the installation of the DLS virtual appliance to complete and for the DLS virtual appliance to start. What to do after the DLS virtual appliance starts depends on whether the VM has been assigned an IP address automatically, for example, by a DHCP server:

If the VM has been assigned an IP address, what to do next depends on whether you are performing a new installation or are upgrading an existing DLS instance: If you are performing a new installation, register the DLS administrator user on the appliance as explained in Registering the DLS Administrator User. If you are upgrading an existing DLS instance, migrate the existing DLS instance as explained in Migrating a DLS Instance.

Otherwise, set the IP address of the DLS virtual appliance from the hypervisor as explained in Setting the IP Address of a DLS Virtual Appliance from the Hypervisor.

The DLS image for Microsoft Windows Server with Hyper-V is distributed as a ZIP archive.

Use Hyper-V Manager to perform this task on the Microsoft Windows Server with Hyper-V host on which you want to run the DLS virtual appliance.

For additional information, see Import a Virtual Machine on the Microsoft documentation website.



Download the ZIP archive that contains the DLS virtual appliance image to the hypervisor host. Extract the contents of the ZIP archive that you downloaded. From the Hyper-V ManagerActions menu, choose Import Virtual Machine. Browse for and select the folder to which you extracted the DLS virtual appliance image and click Next. When prompted to choose the type of import, select the Copy the virtual machine (create a new unique ID) option and click Next. Browse for and select the folders in which you want to store virtual machine (VM) files and click Next. Browse for and select the folder for storing the virtual disk. Note: If you are creating two VMs for a cluster of DLS instances, ensure that you choose a unique folder for each VM to prevent errors from Hyper-V Manager. Review the settings for importing the VM and click Finish to create the VM. After the VM has been created, specify the virtual switch that the VM should use. From the Actions menu under the name of the imported VM, choose Settings. Under Hardware in the left navigation bar of the Settings window, select Network Adapter, select the virtual switch from the Virtual switch drop-down list, and click Apply. Start the imported VM. From the Actions menu under the name of the imported VM, choose Connect. In the Virtual Machine Connection window that opens, click Start.

A command window opens when the installation of the imported VM is started. Use this window to log in to the DLS virtual appliance only if you need to set the IP address of the DLS virtual appliance from the hypervisor.



Allow approximately 15 minutes after the VM is started for the installation of the DLS virtual appliance to complete and for the DLS virtual appliance to start. What to do after the DLS virtual appliance starts depends on whether the VM has been assigned an IP address automatically, for example, by a DHCP server:

If the VM has been assigned an IP address, what to do next depends on whether you are performing a new installation or are upgrading an existing DLS instance: If you are performing a new installation, register the DLS administrator user on the appliance as explained in Registering the DLS Administrator User. If you are upgrading an existing DLS instance, migrate the existing DLS instance as explained in Migrating a DLS Instance.

Otherwise, set the IP address of the DLS virtual appliance from the hypervisor as explained in Setting the IP Address of a DLS Virtual Appliance from the Hypervisor.

After the VM has started, you can get its IP address from the Networking tab for the VM in Hyper-V Manager.

The DLS image for Red Hat Enterprise Linux KVM is distributed as a ZIP archive that contains a QEMU copy-on-write (QCOW2) image file. After preparing the QCOW2 file, install the image by using Virtual Machine Manager to create a VM from the QCOW2 file.

Perform this task from the hypervisor host.



Download the ZIP archive that contains the QCOW2 image file to the hypervisor host. Extract the contents of the ZIP archive that you downloaded. Copy the QCOW2 image file to the /var/lib/libvirt/images directory on the hypervisor host. Start Virtual Machine Manager. Add a connection to the hypervisor host. In the Virtual Machine Manager window, from the File menu, choose Add Connection. In the Add Connection window that opens, set the options in the following table and click Connect. Option Setting Hypervisor From the drop-down list, select QEMU/KVM. Connect to remote host over SSH Select this option. User Name In this text-entry field, type root . Hostname In this text-entry field, type the IP address or the fully qualified host name of the Red Hat Enterprise Linux KVM host. The connection is added to the Virtual Machine Manager window. Context click the connection that you added in the previous step and choose New. The Create a new virtual machine wizard starts. In the first New VM window, select the Import existing disk image option and click Forward. In the second New VM window, import the downloaded QCOW2 image file and choose the operating system to install. Click Browse. In the Choose Storage Volume window that opens, select the downloaded QCOW2 image file and click Choose Volume. Back in the second New VM window, type Ubuntu 22.04 in the search box and from the list of operating systems that opens, select Ubuntu 22.04 (ubuntu). Click Forward. In the third New VM window, set Memory to 8192 MiB and CPUs to 4, and click Forward. In the final New VM window, specify the VM name and the network that the VM will use. In the Name text-entry field, type your choice of name for the VM that you are creating. Select the Customize configuration before install option. From the Network Selection drop-down list, select the network that the VM will use. Click Finish. In the window for reviewing a new VM, modify the VM as follows. Remove USB Redirector 1, USB Redirector 2, and Channel spice. For each item to remove, context-click the item in the left navigation bar and from the menu that pops up, choose Remove Hardware. Change Video QXL to VGA. In the left navigation bar, select Video QXL and from the Model drop-down list, select VGA. In the the Overview tab update the Firmware to UEFI. Click Apply to save your changes to the configuration and click Begin Installation. After the VM is created, start the VM and log in to the VM to get the IP address of the VM. You must log in to the VM to get its IP address because the IP address is not shown in the Virtual Machine Manager console. Click the play button to start the VM on the hypervisor host. Use the command window that opens when the VM starts to log in to the DLS virtual appliance as the dls_admin user with the preset password welcome . Get the address of the VM. Copy Copied! $ ip addr

Allow approximately 15 minutes after the VM is started for the installation of the DLS virtual appliance to complete and for the DLS virtual appliance to start. What to do after the DLS virtual appliance starts depends on whether the VM has been assigned an IP address automatically, for example, by a DHCP server:

If the VM has been assigned an IP address, what to do next depends on whether you are performing a new installation or are upgrading an existing DLS instance: If you are performing a new installation, register the DLS administrator user on the appliance as explained in Registering the DLS Administrator User. If you are upgrading an existing DLS instance, migrate the existing DLS instance as explained in Migrating a DLS Instance.

Otherwise, set the IP address of the DLS virtual appliance from the hypervisor as explained in Setting the IP Address of a DLS Virtual Appliance from the Hypervisor.

The DLS image for Red Hat Virtualization is distributed as a ZIP archive that contains a QEMU copy-on-write (QCOW2) image file. After preparing the QCOW2 file, install the image by using Virtual Machine Manager to create a VM from the QCOW2 file.

Perform this task from the hypervisor host.



Download the ZIP archive that contains the QCOW2 image file to the hypervisor host. Extract the contents of the ZIP archive that you downloaded. Copy the QCOW2 image file to the /var/lib/libvirt/images directory on the hypervisor host. Start Virtual Machine Manager. Add a connection to the hypervisor host. In the Virtual Machine Manager window, from the File menu, choose Add Connection. In the Add Connection window that opens, set the options in the following table and click Connect. Option Setting Hypervisor From the drop-down list, select QEMU/KVM. Connect to remote host over SSH Select this option. User Name In this text-entry field, type root . Hostname In this text-entry field, type the IP address or the fully qualified host name of the Red Hat Enterprise Linux KVM host. The connection is added to the Virtual Machine Manager window. Context click the connection that you added in the previous step and choose New. The Create a new virtual machine wizard starts. In the first New VM window, select the Import existing disk image option and click Forward. In the second New VM window, import the downloaded QCOW2 image file and choose the operating system to install. Click Browse. In the Choose Storage Volume window that opens, select the downloaded QCOW2 image file and click Choose Volume. Back in the second New VM window, type Ubuntu 22.04 in the search box and from the list of operating systems that opens, select Ubuntu 22.04 (ubuntu). Click Forward. In the third New VM window, set Memory to 8192 MiB and CPUs to 4, and click Forward. In the final New VM window, specify the VM name and the network that the VM will use. In the Name text-entry field, type your choice of name for the VM that you are creating. Select the Customize configuration before install option. From the Network Selection drop-down list, select the network that the VM will use. Click Finish. In the window for reviewing a new VM, modify the VM as follows. Remove USB Redirector 1, USB Redirector 2, and Channel spice. For each item to remove, context-click the item in the left navigation bar and from the menu that pops up, choose Remove Hardware. Change Video QXL to VGA. In the left navigation bar, select Video QXL and from the Model drop-down list, select VGA. In the the Overview tab update the Firmware to UEFI. Click Apply to save your changes to the configuration and click Begin Installation. After the VM is created, start the VM and log in to the VM to get the IP address of the VM. You must log in to the VM to get its IP address because the IP address is not shown in the Virtual Machine Manager console. Click the play button to start the VM on the hypervisor host. Use the command window that opens when the VM starts to log in to the DLS virtual appliance as the dls_admin user with the preset password welcome . Get the address of the VM. Copy Copied! $ ip addr

Allow approximately 15 minutes after the VM is started for the installation of the DLS virtual appliance to complete and for the DLS virtual appliance to start. What to do after the DLS virtual appliance starts depends on whether the VM has been assigned an IP address automatically, for example, by a DHCP server:

If the VM has been assigned an IP address, what to do next depends on whether you are performing a new installation or are upgrading an existing DLS instance: If you are performing a new installation, register the DLS administrator user on the appliance as explained in Registering the DLS Administrator User. If you are upgrading an existing DLS instance, migrate the existing DLS instance as explained in Migrating a DLS Instance.

Otherwise, set the IP address of the DLS virtual appliance from the hypervisor as explained in Setting the IP Address of a DLS Virtual Appliance from the Hypervisor.

The DLS image for Ubuntu Hypervisor is distributed as a ZIP archive that contains a QEMU copy-on-write (QCOW2) image file. After preparing the QCOW2 file, install the image by using Virtual Machine Manager to create a VM from the QCOW2 file.

Perform this task from the hypervisor host.



Download the ZIP archive that contains the QCOW2 image file to the hypervisor host. Extract the contents of the ZIP archive that you downloaded. Copy the QCOW2 image file to the /var/lib/libvirt/images directory on the hypervisor host. Start Virtual Machine Manager. Add a connection to the hypervisor host. In the Virtual Machine Manager window, from the File menu, choose Add Connection. In the Add Connection window that opens, set the options in the following table and click Connect. Option Setting Hypervisor From the drop-down list, select QEMU/KVM. Connect to remote host over SSH Select this option. User Name In this text-entry field, type root . Hostname In this text-entry field, type the IP address or the fully qualified host name of the Red Hat Enterprise Linux KVM host. The connection is added to the Virtual Machine Manager window. Context click the connection that you added in the previous step and choose New. The Create a new virtual machine wizard starts. In the first New VM window, select the Import existing disk image option and click Forward. In the second New VM window, import the downloaded QCOW2 image file and choose the operating system to install. Click Browse. In the Choose Storage Volume window that opens, select the downloaded QCOW2 image file and click Choose Volume. Back in the second New VM window, type Ubuntu 22.04 in the search box and from the list of operating systems that opens, select Ubuntu 22.04 (ubuntu). Click Forward. In the third New VM window, set Memory to 8192 MiB and CPUs to 4, and click Forward. In the final New VM window, specify the VM name and the network that the VM will use. In the Name text-entry field, type your choice of name for the VM that you are creating. Select the Customize configuration before install option. From the Network Selection drop-down list, select the network that the VM will use. Click Finish. In the window for reviewing a new VM, modify the VM as follows. Remove USB Redirector 1, USB Redirector 2, and Channel spice. For each item to remove, context-click the item in the left navigation bar and from the menu that pops up, choose Remove Hardware. Change Video QXL to VGA. In the left navigation bar, select Video QXL and from the Model drop-down list, select VGA. In the the Overview tab update the Firmware to UEFI. Click Apply to save your changes to the configuration and click Begin Installation. After the VM is created, start the VM and log in to the VM to get the IP address of the VM. You must log in to the VM to get its IP address because the IP address is not shown in the Virtual Machine Manager console. Click the play button to start the VM on the hypervisor host. Use the command window that opens when the VM starts to log in to the DLS virtual appliance as the dls_admin user with the preset password welcome . Get the address of the VM. Copy Copied! $ ip addr

Allow approximately 15 minutes after the VM is started for the installation of the DLS virtual appliance to complete and for the DLS virtual appliance to start. What to do after the DLS virtual appliance starts depends on whether the VM has been assigned an IP address automatically, for example, by a DHCP server:

If the VM has been assigned an IP address, what to do next depends on whether you are performing a new installation or are upgrading an existing DLS instance: If you are performing a new installation, register the DLS administrator user on the appliance as explained in Registering the DLS Administrator User. If you are upgrading an existing DLS instance, migrate the existing DLS instance as explained in Migrating a DLS Instance.

Otherwise, set the IP address of the DLS virtual appliance from the hypervisor as explained in Setting the IP Address of a DLS Virtual Appliance from the Hypervisor.

The DLS image for VMware vSphere is distributed as a ZIP archive that contains an Open Virtual Appliance (OVA) file.

Use the VMware vSphere Client to perform this task on the ESXi server on which you want to run the DLS virtual appliance.

For additional information, see the following topics on the VMware Docs site:

Download the ZIP archive that contains the OVA file that contains the DLS image for VMware vSphere. Extract the contents of the ZIP archive that you downloaded. Log in to vCenter Server by using the VMware vSphere Client. From the VMware vSphere Client Actions menu, choose Deploy OVF Template. Select the Local file option, browse for and select the downloaded OVA file, and click Next. Enter the your choice of virtual machine name, select a location for the virtual machine, and click Next. Select a compute resource where the virtual machine will be created and click Next. Review the details of the template that you are deploying and click Next. Select the storage for the virtual appliance configuration and disk files and click Next. Leave the destination network as-is, set the IP allocation option to Static - Manual, and click Next. Set the virtual network and IP allocation properties for the VM and click Next. In the ipaddress text-entry field, type the IP address that you want to assign to the VM. Note: To change this address after completing the installation, you must follow the instructions in Changing the IP Address of a VMware VM Set During DLS Appliance Installation. If you use any other method to change this address, it reverts to its original setting when the VM is restarted. In the netmask text-entry field, type the subnet mask of the VM's network in classless inter-domain routing (CIDR) format without the leading slash character (/). To get a subnet mask in CIDR format from its decimal equivalent, refer to the table on page 2 of IETF RFC 1878: Variable Length Subnet Table For IPv4. For example, the subnet mask in CIDR format of the decimal equivalent 255.255.255.0 is 24. In the gateway text-entry field, type the IP address of the VM's default gateway. Note: If you leave the gateway field empty, the DLS virtual appliance uses DHCP settings. Optional: In the dns_server_one text-entry field, type the IP address of the first DNS server to be used for name resolution. Optional: In the dns_server_two text-entry field, type the IP address of the second DNS server to be used for name resolution. Review all the details of the virtual machine that you are creating and click Finish. Start the VM that you created. Note: If subnet conflicts occur, contact your network administrator for an appropriate subnet address and then follow these steps. Modify the back-tier property of the networks element in the /etc/dls/config/docker-compose.yml file using the rsu_admin user. Restart the VM for the change to take effect.

Allow approximately 15 minutes after the VM is started for the installation of the DLS virtual appliance to complete and for the DLS virtual appliance to start. What to do after the DLS virtual appliance starts depends on whether the VM has been assigned an IP address automatically, for example, by a DHCP server:

If the VM has been assigned an IP address, what to do next depends on whether you are performing a new installation or are upgrading an existing DLS instance: If you are performing a new installation, register the DLS administrator user on the appliance as explained in Registering the DLS Administrator User. If you are upgrading an existing DLS instance, migrate the existing DLS instance as explained in Migrating a DLS Instance.

Otherwise, set the IP address of the DLS virtual appliance from the hypervisor as explained in Setting the IP Address of a DLS Virtual Appliance from the Hypervisor.

If the VM that hosts a DLS virtual appliance has not been assigned an IP address automatically, you must set the IP address from the hypervisor. Each DLS virtual appliance provides a shell script specifically for this purpose and is configured with a user account for running the script.

Note: You can perform this task only on a VM-based DLS virtual appliance. You cannot perform this task on a containerized DLS software image. Instead, you can use standard interfaces of the OS on which the container orchestration platform is running to make this change.

Note: The IP address of a VMware VM that hosts a DLS appliance can be set when the appliance is installed from an OVF template. If the IP address was set this way, you must follow the instructions in Changing the IP Address of a VMware VM Set During DLS Appliance Installation. If you use any other method to change this address, it reverts to its original setting when the VM is restarted.





Use the hypervisor management console of the appliance to log in as the user dls_admin to the VM that hosts the DLS virtual appliance. If the dls_admin user has not been registered, you can still log in to the VM as the dls_admin user with the default password welcome . Run the /etc/adminscripts/set-static-ip-cli.sh script. Copy Copied! $ /etc/adminscripts/set-static-ip-cli.sh When prompted, enter the details of the IP address. The script presents any default values that are already set for the virtual appliance's network. Enter the number that denotes the IP version that the virtual appliance's network uses. For an IPv4 network, type 4 .

. For an IPv6 network, type 6 . Enter the IP address that you want to assign to the DLS virtual appliance. Enter the IP address of the DLS virtual appliance's default gateway. Note: If you omit the default gateway address, the DLS virtual appliance uses DHCP settings. Enter the IP address of the first DNS server to be used for name resolution. Enter the IP address of the second DNS server to be used for name resolution. Enter the subnet mask of the DLS virtual appliance's network in classless inter-domain routing (CIDR) format without the leading slash character (/). To get a subnet mask in CIDR format from its decimal equivalent, refer to the table on page 2 of IETF RFC 1878: Variable Length Subnet Table For IPv4. For example, the subnet mask in CIDR format of the decimal equivalent 255.255.255.0 is 24.

After the IP address has been set, log files containing progress message from the script are available in the /tmp/static-ip-cli-logs directory.

What to do next depends on whether you are performing a new installation or are upgrading an existing DLS instance:

If you are performing a new installation, register the DLS administrator user on the appliance as explained in Registering the DLS Administrator User.

If you are upgrading an existing DLS instance, migrate the existing DLS instance as explained in Migrating a DLS Instance.

The IP address of a VMware VM that hosts a DLS appliance can be set when the appliance is installed from an OVF template. If the IP address was set this way, you can change it only by editing vApps options within VM that hosts the DLS appliance. If you use any other method to change this address, it reverts to its original setting when the VM is restarted.

Log in to vCenter Server by using the VMware vSphere Web Client. For detailed instructions, refer to Log in to vCenter Server by Using the vSphere Web Client. From the vCenter Server inventory, navigate to the VM that hosts the DLS appliance. Shut down the VM to which you navigated in the previous step. On the Configure tab, expand Settings, select vApp options, and click Edit. In the list of vApp options, select Networkproperties.IPaddress and click Set Value. Enter the IP address that you want to assign to the VM that hosts the DLS appliance. Save your changes and start the VM.

For deployments on a supported container orchestration platform, the DLS is supplied as a containerized software image.

After verifying the requirements in Platform Requirements for a DLS Virtual Appliance or Containerized DLS Software Image, deploy a containerized DLS software image by following this sequence of instructions:

The containerized DLS software image is distributed as the ZIP archive nls-3.6.0-bios.zip.

This ZIP archive contains the following artifacts:

dls_appliance_3.6.0.tar.gz The DLS application container. dls_pgsql_3.6.0.tar.gz The PostgreSQL database container.

Note: The version of both containers must be the same.

The DLS application container and the PostgreSQL database container share a common volume for exchanging information between them. If both containers are deployed on a multinode cluster, they must be run on the same worker node.

To enable communications with the container within which the DLS appliance is running, you must set properties such as host names, IP addresses, and port numbers. Set these properties before deploying the containerized DLS software image on a supported platform.

Set the properties for a containerized DLS software image by editing the appropriate deployment file for your container orchestration platform.

Container Orchestration Platform File Docker docker-compose.yml Kubernetes nls-si-0-deployment.yaml Podman nls-si-0-deployment/compose.yml Red Hat OpenShift Container Platform nls-si-0-deployment.yaml VMware Tanzu Application Platform nls-si-0-deployment.yaml

You can set environment variables to specify string properties for all supported container orchestration platforms.

Set environment variables to specify string properties by editing the appropriate section of the deployment file for your container platform.

Deployment File Section to Edit docker-compose.yml environment: nls-si-0-deployment/compose.yml environment: nls-si-0-deployment.yaml - env:

The environment variables for specifying string properties are as follows:

Required: DLS_DB_HOST The IP address of the database container. Ensure that the IP address of the database container is a private IP address on the same subnet as the DLS appliance container. The database container must not be accessible over any public subnet. Required: DLS_PUBLIC_IP The IP address of the container orchestration platform. To access the NVIDIA Licensing application, the user connects to the container in which the DLS software image is deployed through this address. Optional: DLS_PRIVATE_HOSTNAME The host name of the container in which the DLS software image is deployed. If this environment variable is not set, the container orchestration platform sets the host name to the container ID. Optional: FQDN The fully qualified domain name that is mapped to the IP address that is specified by the DLS_PUBLIC_IP environment variable. Ensure that this name can be resolved by licensed clients. Do not specify a name that can be resolved only by the container orchestrator. If this environment variable is not set, a user cannot connect to the container in which the DLS software image is deployed through a fully qualified domain name.

You can specify integer values such as port numbers for Docker, Podman, Red Hat OpenShift Container Platform, and VMware Tanzu Application Platform as environment variables.

Note: Kubernetes does not accept strings for integer values. Therefore, you cannot specify integer values for Kubernetes as environment variables. Instead, you must specify integer values for Kubernetes as explained in Specifying Integer Values as Actual Values.





To specify integer values by setting environment variables, edit the appropriate section of the deployment file for your container platform.

Deployment File Section to Edit docker-compose.yml environment: nls-si-0-deployment/compose.yml environment: nls-si-0-deployment.yaml - env:

The following environment variables apply to Docker, Red Hat OpenShift Container Platform, and VMware Tanzu Application Platform:

Optional: CPU_CORE_LIMIT The maximum number of CPU cores that can be assigned to the DLS appliance container pod. Default: 4 Optional: DLS_HA_MAX_NODES_ENV The maximum number of instances in a cluster to which this instance is to be added. Allowed values: 2-9 Default: 2 Optional: DLS_HTTP_PORT The port on which the container in which the DLS software image is deployed listens for HTTP requests. Default: 80 Optional: DLS_HTTPS_PORT The port on which the container in which the DLS software image is deployed listens for HTTPS requests. Default: 443 Optional: DLS_RABBITMQ_SSL_PORT The Secure Sockets Layer (SSL) port through which the nodes in and HA cluster of DLS instances communicate with each other. Default: 5671

The following environment variables apply only to Red Hat OpenShift Container Platform and VMware Tanzu Application Platform:

Optional: DLS_EXPOSED_HTTP_PORT The port on which the container orchestrator listens for and forwards the request to the port that is specified by the DLS_HTTP_PORT environment variable. Not applicable to Docker or Podman. Default: 30000 Optional: DLS_EXPOSED_HTTPS_PORT The port on which the container orchestrator listens for and forwards the request to the port that is specified by the DLS_HTTP_PORTS environment variable. Not applicable to Docker or Podman. Default: 30001 Optional: DLS_VA_SERVICE_PORT The port in the container orchestrator to which the DLS appliance container binds. Not applicable to Docker or Podman. Default: 8085

Kubernetes does not accept strings for integer values. Therefore, you cannot specify integer values for Kubernetes as environment variables. Instead, you must specify integer values for Kubernetes as actual values.

To specify integer values as actual values, replace the references to environment variables with actual values in the ports: section of the nls-si-0-deployment.yaml and nls-si-0-service.yaml deployment files.

In nls-si-0-deployment.yaml, the references to environment variables in the ports: section are as follows: Copy Copied! ports: - containerPort: ${DLS_HTTP_PORT:-80} hostPort: ${DLS_EXPOSED_HTTP_PORT:-80} - containerPort: ${DLS_HTTPS_PORT:-443} hostPort: ${DLS_EXPOSED_HTTPS_PORT:-443} - containerPort: ${DLS_RABBITMQ_SSL_PORT:-5671} hostPort: ${DLS_RABBITMQ_SSL_PORT:-5671} - containerPort: 8085 hostPort: ${DLS_VA_SERVICE_PORT:-8085}

section are as follows: In nls-si-0-service.yaml, the references to environment variables in the ports: section are as follows: Copy Copied! ports: - name: "DLS_HTTP_CONTAINER" port: ${DLS_HTTP_PORT:-80} targetPort: ${DLS_HTTP_PORT:-80} nodePort: ${DLS_EXPOSED_HTTP_PORT:-30000} - name: "DLS_HTTPS_CONTAINER" port: ${DLS_HTTPS_PORT:-443} targetPort: ${DLS_HTTPS_PORT:-443} nodePort: ${DLS_EXPOSED_HTTPS_PORT:-30001} - name: "DLS_RABBITMQ_SSL_PORT" port: ${DLS_RABBITMQ_SSL_PORT:-5671} targetPort: ${DLS_RABBITMQ_SSL_PORT:-5671} nodePort: ${DLS_RABBITMQ_SSL_PORT:-5671} - name: "DLS_VA_SERVICE_PORT" port: 8085 targetPort: 8085 nodePort: ${DLS_VA_SERVICE_PORT:-8085}

The values with which to replace these references to environment variables are as follows:

Both files: ${DLS_HTTP_PORT:-80} The port on which the container in which the DLS software image is deployed listens for HTTP requests. nls-si-0-deployment.yaml: ${DLS_EXPOSED_HTTP_PORT:-80} nls-si-0-service.yaml: ${DLS_EXPOSED_HTTP_PORT:-30000} The port on which the container orchestrator listens for and forwards the request to the port that is specified by the DLS_HTTP_PORT environment variable. Both files: ${DLS_HTTPS_PORT:-443} The port on which the container in which the DLS software image is deployed listens for HTTPS requests. nls-si-0-deployment.yaml: ${DLS_EXPOSED_HTTPS_PORT:-443} nls-si-0-service.yaml: ${DLS_EXPOSED_HTTPS_PORT:-30001} The port on which the container orchestrator listens for and forwards the request to the port that is specified by the DLS_HTTP_PORTS environment variable. Both files: ${DLS_RABBITMQ_SSL_PORT:-5671} The Secure Sockets Layer (SSL) port through which the nodes in and HA cluster of DLS instances communicate with each other. Both files: ${DLS_VA_SERVICE_PORT:-8085} The port in the container orchestrator to which the DLS appliance container binds.

This example shows the ports: sections in the nls-si-0-deployment.yaml and nls-si-0-service.yaml deployment files in which the references to environment variables are replaced with actual values.

In nls-si-0-deployment.yaml, the ports: section is as follows: Copy Copied! ports: - containerPort: 80 hostPort: 80 - containerPort: 443 hostPort: 443 - containerPort: 5671 hostPort: 5671 - containerPort: 8085 hostPort: 8085

section is as follows: In nls-si-0-service.yaml, the ports: section is as follows: Copy Copied! ports: - name: "DLS_HTTP_CONTAINER" port: 80 targetPort: 80 nodePort: 30000 - name: "DLS_HTTPS_CONTAINER" port: 443 targetPort: 443 nodePort: 30001 - name: "DLS_RABBITMQ_SSL_PORT" port: 5671 targetPort: 5671 nodePort: 30002 - name: "DLS_VA_SERVICE_PORT" port: 8085 targetPort: 8085 nodePort: 30003

The containerized DLS software image is distributed with default deployment files for several container orchestration platforms. You use standard interfaces of the container orchestration platform to deploy the containerized DLS software image on your chosen platform.

The default deployment file for each supported container orchestration platform specifies the resource reservations for the container that are listed in Platform Requirements for a DLS Virtual Appliance or Containerized DLS Software Image. You are not required to specify the resource reservations for the container when you deploy the containerized DLS software image.

Follow the instructions for the container orchestration platform that you are using.

Ensure that the required environment variables have been set as explained in Setting Properties for a Containerized DLS Software Image.

Import the DLS appliance artifact and the PostgreSQL database artifact. Import the DLS appliance artifact. Copy Copied! docker load --input dls_appliance_3.6.0.tar.gz Import the PostgreSQL database artifact. Copy Copied! $ docker load --input dls_pgsql_3.6.0.tar.gz Change to the directory that contains the docker-compose.yml file. Start the DLS appliance and PostgreSQL database containers. Copy Copied! $ docker-compose up

What to do next depends on whether you are performing a new installation or are upgrading an existing DLS instance:

If you are performing a new installation, register the DLS administrator user on the appliance as explained in Registering the DLS Administrator User.

If you are upgrading an existing DLS instance, migrate the existing DLS instance as explained in Migrating a DLS Instance.

Perform this task if you are using Kubernetes, Red Hat OpenShift Container Platform, or VMware Tanzu Application Platform. If you are using a helm chart for deployment, edit “values.yaml” under “helm-charts/dls-appliance/” to be able to deploy the containers on Kubernetes platform.

Ensure that the following prerequisites are met:

The required environment variables have been set as explained in Setting Properties for a Containerized DLS Software Image.

A private repository for the DLS appliance artifact and the PostgreSQL database artifact has been created.

If a registry secret is required for pulling the artifacts from the private repository, the registry secret has been created. In the deployment files for the DLS appliance artifact and the PostgreSQL database artifact, the name of the registry secret is preset to registry-secret . If you create a secret with this name, you don't need to edit the deployment files to reference the secret.

Note: The DLS application container and the PostgreSQL database container share a common volume for exchanging information between them. If both containers are deployed on a multinode cluster, they must be run on the same worker node.





Import the DLS appliance artifact and the PostgreSQL database artifact into your private repository. Edit the deployment files for the DLS appliance artifact and the PostgreSQL database artifact to pull these artifacts from the private repository into which they were imported. In each file, replace the string <POPULATE THIS WITH PRIVATE REPOSITORY> with the name of the private repository. For the DLS appliance artifact, edit the following line in the file nls-si-0-deployment.yaml: Copy Copied! image: <POPULATE THIS WITH PRIVATE REPOSITORY>:appliance For the PostgreSQL database artifact, edit the following line in the file postgres-nls-si-0-deployment.yaml: Copy Copied! image: <POPULATE THIS WITH PRIVATE REPOSITORY>:pgsql If a registry secret is required for pulling the artifacts from the private repository, edit the deployment files for the DLS appliance artifact and the PostgreSQL database artifact to reference the secret. In each file, replace the string registry-secret with the name of your registry secret. For the DLS appliance artifact, edit the file nls-si-0-deployment.yaml. For the PostgreSQL database artifact, edit the file postgres-nls-si-0-deployment.yaml. Start the PostgreSQL database container pod with the supplied deployment file postgres-nls-si-0-deployment.yaml. Copy Copied! $ kubectl create -f directory/postgres-nls-si-0-deployment.yaml directory The full path to the directory that contains the file postgres-nls-si-0-deployment.yaml. Get the IP address of the PostgreSQL database container pod. Copy Copied! $ kubectl get pods -o wide Set the DLS_DB_HOST environment variable in the file nls-si-0-deployment.yaml to the IP address that you got in the previous step. Note: To enable the DLS appliance container pod to create and modify files on the volumes mapped to it, ensure that the required file access permissions are set on these volumes. Start the DLS appliance container pod with the supplied deployment file nls-si-0-deployment.yaml. Copy Copied! $ kubectl create -f directory/nls-si-0-deployment.yaml directory The full path to the directory that contains the file nls-si-0-deployment.yaml.

What to do next depends on whether you are performing a new installation or are upgrading an existing DLS instance:

If you are performing a new installation, register the DLS administrator user on the appliance as explained in Registering the DLS Administrator User.

If you are upgrading an existing DLS instance, migrate the existing DLS instance as explained in Migrating a DLS Instance.

Ensure that the required environment variables have been set as explained in Setting Properties for a Containerized DLS Software Image.

Import the DLS appliance artifact and the PostgreSQL database artifact. Import the DLS appliance artifact. Copy Copied! $ podman load --input dls_appliance_3.6.0.tar.gz Import the PostgreSQL database artifact. Copy Copied! $ podman load --input dls_pgsql_3.6.0.tar.gz Change to the podman directory. Optional: Edit the postgres-nls-si-0-deployment/compose.yml file to customize the subnets with which you want to create the postgres-nls-si-0-deployment_back-tier network. By default, the postgres-nls-si-0-deployment_back-tier network is created with the following subnets: IPv4: 172.16.238.0/28

IPv6: 2001:3984:3989::/64 Create the postgres-nls-si-0-deployment_back-tier network, configurations volume mapping, and postgres-data volume mapping, and deploy the PostgreSQL database container. Copy Copied! $ podman-compose -f postgres-nls-si-0-deployment/compose.yml up -d For information about the configurations and postgres-datavolume mappings, refer to Volume Mappings for a Containerized DLS Software Image. Confirm that the postgres-nls-si-0-deployment_back-tier network, configurations volume mapping, and postgres-data volume mapping were created and that the PostgreSQL database container was deployed. Confirm that the postgres-nls-si-0-deployment_back-tier network has been created. Copy Copied! # podman network ls NETWORK ID NAME DRIVER 2f259bab93aa podman bridge 272c45824a80 postgres-nls-si-0-deployment_back-tier bridge Confirm that the properties of the postgres-nls-si-0-deployment_back-tier network, for example, its subnets, are correct. Copy Copied! # podman network inspect postgres-nls-si-0-deployment_back-tier [ { "name": "postgres-nls-si-e-deployment_back-tier”, "id": "272cu5824a80fd8117261f28e820f920999fudes6a03ua78lesecf1015a76201", "driver": "bridge", "network_interface": "cni-podmanl", "created": "2023-03-08T07:42:03.88777482", "subnets": [ { "subnet": "172.16.238.0/28", "gateway": "172.16.238.1" }, { "subnet": "2001:3984:3989::/64", "gateway": "2001:3984:3989::1" } ], "ipv6_enabled": true, "internal": false, "dns_enabled": true, "labels": { "com.docker.compose.project": "postgres-nls-si-0-deployment", "io.podman.compose.project": "postgres-nls-si-0-deployment" }, "ipam_options": { "driver": "host-local" } } ] Confirm that the configurations volume mapping and postgres-data volume mapping were created. Copy Copied! # podman volume ls DRIVER VOLUME NAME local configurations local postgres-data Confirm that the PostgreSQL database container was deployed. Copy Copied! # podman container ls Get the IP address of the PostgreSQL database container pod. Copy Copied! $ podman inspect postgres-nls-si-0-deployment_postgres-nls-si-0_1 Set the DLS_DB_HOST environment variable in the file nls-si-0-deployment/compose.yml to the IP address that you got in the previous step. Create the logs volume mapping and rabbitmq_data volume mapping, and deploy the DLS appliance container. Copy Copied! $ podman-compose -f nls-si-0-deployment/compose.yml up -d For information about the logs and rabbitmq_data volume mappings, refer to Volume Mappings for a Containerized DLS Software Image. Confirm that the logs volume mapping and rabbitmq_data volume mapping were created and that the DLS appliance container was deployed. Confirm that the logs volume mapping and rabbitmq_data volume mapping were created. Copy Copied! # podman volume ls DRIVER VOLUME NAME ... local logs ... local rabbitmq_data Confirm that the DLS appliance container was deployed. Copy Copied! # podman container ls

What to do next depends on whether you are performing a new installation or are upgrading an existing DLS instance:

If you are performing a new installation, register the DLS administrator user on the appliance as explained in Registering the DLS Administrator User.

If you are upgrading an existing DLS instance, migrate the existing DLS instance as explained in Migrating a DLS Instance.

When a containerized DLS software image is deployed, several volume mappings are created for maintaining the state of the NVIDIA Licensing application in the DLS appliance.

The mapping of the volumes to the container filesystem can be found in the respective deployment files depending on the Orchestrator platform that the containerized appliance is being deployed on.

Platform File Docker docker-compose.yml Kubernetes nls-si-0-deployment.yaml Podman compose.yml Openshift nls-si-0-deployment.yaml Tanzu nls-si-0-deployment.yaml

The volume mappings that are created are as follows:

configurations Contains the state of the DLS appliance container to enable its dynamic properties to be retrieved if the container fails. logs Contains log files created by the NVIDIA Licensing application in the DLS appliance. postgres-data Contains NVIDIA Licensing application data created by the PostgreSQL database. Because this volume contains information about available and checked out licenses, ensure that access to this volume is limited. rabbitmq_data Contains information about the real-time replication of data between nodes in an HA cluster of DLS instances.

Note: These volume mappings maintain the state of the NVIDIA Licensing application in the DLS appliance. Therefore, do not modify these volume mappings.

When this issue occurs, the service enters a crash loop, container creating, pending sequence before the container enters an error state.

This issue might affect Kubernetes, Red Hat OpenShift Container Platform, or VMware Tanzu Application Platform. It does not affect Docker.



Ensure that the file access permissions on the volumes allow write access by the database container and the DLS appliance container, for example 707 (rwx---rwx) . If the containerized DLS software image is deployed on a multinode cluster, ensure that the database container and the DLS appliance container are running on the same worker node. If the Kubernetes cluster does not dynamically provision persistent volumes when creating persistent volume claims, ensure that the persistent volumes are created manually with file access permissions that allow the database container and the DLS appliance container to write to them. Ensure that the versions of the database container and the DLS appliance container are identical.

The DLS application container and the PostgreSQL database container share a common volume for exchanging information between them. If the volume mode access is incorrect, start-up of only the first container pod to be started is successful. The remaining container pod fails to start because the volume is already mounted on the first container pod to be started.

This issue might affect Kubernetes, Red Hat OpenShift Container Platform, or VMware Tanzu Application Platform. It does not affect Docker.



If both containers are deployed on a multinode cluster, ensure that the DLS application container and the PostgreSQL database container run on the same worker node. Ensure that the PostgreSQL database container pod is started before the DLS appliance container pod. For more information, refer to Deploying the Containerized DLS Software Image on Kubernetes Platforms.

This issue occurs if port numbers are specified as references to environment variables in the deployment files. Because Kubernetes does not accept string values for port numbers, you cannot specify port numbers for Kubernetes by setting environment variables.

This issue might affect Kubernetes. It does not affect other supported container orchestration platforms.

When this issue occurs, the following error messages are displayed:

Copy Copied! error: error validating ".": error validating data:[ ValidationError(Deployment.spec.template.spec.containers[0].ports[0].containerPort): invalid type for io.k8s.api.core.v1.ContainerPort.containerPort: got "string", expected "integer", ValidationError(Deployment.spec.template.spec.containers[0].ports[0].hostPort): invalid type for io.k8s.api.core.v1.ContainerPort.hostPort: got "string", expected "integer", ValidationError(Deployment.spec.template.spec.containers[0].ports[1].containerPort): invalid type for io.k8s.api.core.v1.ContainerPort.containerPort: got "string", expected "integer", ValidationError(Deployment.spec.template.spec.containers[0].ports[1].hostPort): invalid type for io.k8s.api.core.v1.ContainerPort.hostPort: got "string", expected "integer", ValidationError(Deployment.spec.template.spec.containers[0].ports[2].containerPort): invalid type for io.k8s.api.core.v1.ContainerPort.containerPort: got "string", expected "integer", ValidationError(Deployment.spec.template.spec.containers[0].ports[2].hostPort): invalid type for io.k8s.api.core.v1.ContainerPort.hostPort: got "string", expected "integer", ValidationError(Deployment.spec.template.spec.containers[0].ports[3].hostPort): invalid type for io.k8s.api.core.v1.ContainerPort.hostPort: got "string", expected "integer"];

Edit the deployment files to specify port numbers as integer values instead of references to environment variables. For instructions, refer to Specifying Integer Values as Actual Values. Start the DLS appliance container pod with the supplied deployment file nls-si-0-deployment.yaml. Copy Copied! $ kubectl create -f directory/nls-si-0-deployment.yaml directory The full path to the directory that contains the file nls-si-0-deployment.yaml.

When this issue occurs, the containerized DLS appliance starts correctly but the management interface of the NVIDIA Licensing application is not loaded into the browser.

Ensure that the DLS_DB_HOST environment variable set to the IP address of the database container. Ensure that the environment variables for port mappings set in the deployment files are correct and that the ports are open on the Kubernetes node. Ensure that the port specified by the DLS_EXPOSED_HTTPS_PORT environment variable is open in the firewall on the node that is hosting the DLS appliance container. If the Kubernetes cluster does not dynamically provision persistent volumes when creating persistent volume claims, ensure that the persistent volumes are created manually with file access permissions that allow the database container and the DLS appliance container to write to them. Ensure that the versions of the database container and the DLS appliance container are identical.

High availability (HA) configuration or online upgrade between two containerized DLS appliances fails if port mappings or volume configurations are incorrect.

Ensure that the same ports are exposed and mapped internally for both containers. The following environment variables must be the same for both containers. DLS_EXPOSED_HTTP_PORT

DLS_EXPOSED_HTTPS_PORT Ensure that the DLS_RABBITMQ_SSL_PORT environment variable is set to 5671 for both containers Ensure that ports 5671, 8081 and 8084 are open on the containers within which the containerized DLS appliances are deployed. Ensure that Ports 8080 through 8085 are open on each worker node. Ensure that the sizes of the volumes rabbitmq-data, postgres-data, logs and configurations are equal to or exceed the minimum recommended storage space. Volume Minimum Recommended Storage Space rabbitmq-data 2 GiB postgres-data 10 GiB logs 500 MiB configurations 1 GiB Ensure that the file access permissions on the folders inside the rabbitmq-data volume allow write access by the containers.

A licensed Windows client returns a license by sending an HTTP request to the DLS instance on port 80. If the container orchestrator within which a containerized DLS appliance is deployed cannot receive requests on this port, the client cannot return a license.

How to resolve this issue depends on whether you can control the port on which the container orchestrator listens for HTTP requests.

If you can control the port on which the container orchestrator listens for HTTP requests from licensed clients, ensure that the DLS_EXPOSED_HTTP_PORT environment variable is set to 80.

environment variable is set to 80. Otherwise, use a load balancer to do path based routing of all license return requests to the URL https://dls-ip-address:dls-exposed-https-port/leasing/v1/lessor/shutdown dls-ip-address The IP address that is specified in the DLS_PUBLIC_IP environment variable. dls-exposed-https-port The port number that is specified in the DLS_EXPOSED_HTTPS_PORT environment variable. For more information about these environment variables, refer to Setting Properties for a Containerized DLS Software Image.

A configuration error for a containerized DLS instance can prevent a licensed client from obtaining a license if the client configuration token specifies a fully qualified domain name. However, this error does not prevent a client from obtaining a license if the client configuration token specifies an IP address.

Set the FQDN environment variable to the fully qualified domain name that is mapped to the IP address of the container in which the DLS software image is deployed. Ensure that this name can be resolved by licensed clients. Do not specify a name that can be resolved only by the container orchestrator. Restart the container in which the DLS appliance is deployed.

Insufficient storage for a containerized DLS instance can prevent node health information from being displayed on the Service Instance page of the management interface of the NVIDIA Licensing application.

Force reload the Service Instance page in the browser. If the node health information is still missing after the page is reloaded, check the amount of storage space available in the volumes created for the DLS appliance container. For more information about these volumes, refer to Volume Mappings for a Containerized DLS Software Image. If any volumes are full, resize the volumes and restart the container in which the DLS appliance is deployed.

In some deployments, the podman-compose up command might fail with the error RuntimeError: missing networks: back-tier .

This failure is caused by a known issue with Podman Compose 1.0.3 and earlier versions.

Ensure that you are using one of the supported versions of Podman Compose listed in NVIDIA Delegated License Service Release Notes . If necessary, install the latest version of Podman from GitHub.

Copy Copied! # pip3 install https://github.com/containers/podman-compose/archive/devel.tar.gz

Re-deploying a containerized DLS software image on Red Hat OpenShift Container Platform might fail because permission issues prevent a new PostgreSQL database container from being deployed. This issue can cause an in-place upgrade to fail because an in-place upgrade requires the containerized DLS software image to be re-deployed.

When this issue occurs, the following error messages are displayed:

Copy Copied! chown: /etc/dls/config/ldap3-2.9.1.dist-info: Permission denied chown: /etc/dls/config/ldap3: Permission denied chown: /etc/dls/config/chardet-4.0.0.dist-info: Permission denied chown: /etc/dls/config/chardet: Permission denied chown: /etc/dls/config/certifi-2022.12.7.dist-info: Permission denied chown: /etc/dls/config/certifi: Permission denied





Change to the directory where the configuration volume is mounted. Change to the /etc/dls/config/ directory. Copy Copied! $ cd /etc/dls/config/ Forcibly remove the directories for which permission is denied and their contents. Copy Copied! $ \rm -rf ldap3-2.9.1.dist-info ldap3 \ chardet-4.0.0.dist-info chardet \ certifi-2022.12.7.dist-info certifi Try again to deploy the containerized DLS software image on Red Hat OpenShift Container Platform. For detailed instructions, refer to Deploying the Containerized DLS Software Image on Kubernetes Platforms.

Containerized DLS Appliance fails to start on Openshift Platform with "Error: The directory named as part of the path /var/log/supervisor/supervisord.log does not exist".

Navigate to the logs volume and create folders supervisor and nginx . Ensure that the file access permissions on the log volumes allow write access by the DLS appliance container, for example: Copy Copied! $ 707 (rwx---rwx)

For installation on a supported operating system, the Delegated License Server (DLS) component of the NVIDIA License System is supplied as an installable package. The package includes the containerization software and container images that are required to run the NVIDIA Licensing application on the operating system. The operating system can be running in a virtualized server environment on your choice of hypervisor or on a bare-metal server.

Ensure that the server on which you are installing the DLS software image has at least 15 GB of free disk space.

The DLS software image ZIP archive for the Red Hat Enterprise Linux OS contains the following artifacts:

Docker container orchestrator RPM packages

Appliance container images Database container image Application container image

Installation script with the helper scripts

README file

VERSION file

Extract the contents of the ZIP archive to a local folder. Update the file access permissions of the installApplicance.sh file to allow execute permission. Copy Copied! $ chmod +x installAppliance.sh Run the installApplicance.sh installation script. When the installation is complete, confirm that messages on the console indicate that the NVIDIA Licensing application has started.

User Account Purpose dls_admin DLS administrator account. This account provides access through a web-based management interface to the NVIDIA Licensing application on a DLS virtual appliance. The DLS administrator user name can be changed from the preset dls_admin name. rsu_admin DLS sudo user account. This user account has the elevated privileges required to install updates to the DLS appliance software that NVIDIA releases periodically. To comply with the terms of the GPL/LGPL v3 license under which the GPL/LGPL v3 licensed Open Source Software (OSS) libraries within the DLS virtual appliance are released, this account also has the elevated privileges required to update and upgrade these libraries.

User Account Purpose dls_admin DLS administrator account. This account provides access through a web-based management interface to the NVIDIA Licensing application on a DLS virtual appliance. The DLS administrator user name can be changed from the preset dls_admin name. rsu_admin DLS sudo user account. This user account has the elevated privileges required to install updates to the DLS appliance software that NVIDIA releases periodically. To comply with the terms of the GPL/LGPL v3 license under which the GPL/LGPL v3 licensed Open Source Software (OSS) libraries within the DLS virtual appliance are released, this account also has the elevated privileges required to update and upgrade these libraries. Note: This account is not available for containerized DLS software images.





Each DLS virtual appliance is configured with a user account specifically for administering the DLS. This account provides access through a web-based management interface to the NVIDIA Licensing application on the appliance. Before administering a DLS virtual appliance, you must register this user to be able to access this management interface.

If you intend to configure a cluster of DLS instances, you need perform this task only for the DLS instance from which you will configure the cluster. The registration of the DLS administrator user is propagated from this instance to the other instance when you configure the cluster.



Open a web browser and connect to the URL https://dls-vm-ip-address . dls-vm-ip-address The IP address or, if defined, the fully qualified domain name or the CNAME of the VM on which the DLS virtual appliance is installed. You can get the IP address from the management console of your hypervisor. On the Set Up page that opens, click NEW INSTALLATION. On the Register User page that opens, provide the credentials for the DLS administrator user. Note: If the DLS administrator user has already been registered, the login page opens instead of the Register User page. Optional: If you want to change the user name from the preset name dls_admin , replace the text in the Username field with your choice of user name. Provide a password for the DLS administrator user and confirm the password. The password must be at least eight characters long and is case sensitive. Note: You can change the DLS administrator user name and password at any time after the DLS administrator user is registered. For instructions, refer to Changing the DLS Administrator User Name and Password. Click REGISTER. The Register User page is refreshed to confirm that the user has been registered and displays a local reset secret to enable you to reset the user's password. Copy the local reset secret and store it securely, for example, by clicking the clipboard icon and pasting the local reset secret into a plain text file that is readable only by you. You will need this key to reset the DLS administrator user's password. Click CONTINUE TO LOGIN. On the login page that opens, type the user name of the DLS administrator user, provide the password that you set for this user, and click LOGIN.

If you want to use the virtual appliance for a single DLS instance, what to do next depends on whether you intend to use a static IP address for the virtual appliance that is hosting the DLS instance.

If you want to use the virtual appliance in an HA cluster of DLS instances, configure the cluster as explained in Configuring an HA Cluster of DLS Instances.

If you want to use a static IP address for the virtual appliance that is hosting the DLS instance, set the address as explained in Setting the Static IP Address of a DLS Virtual Appliance.

Otherwise, configure the DLS instance as explained in Configuring a Service Instance.

If you need to reset the DLS administrator user's password, follow the Forgot Password? link on the login page and, when prompted, type the local reset secret, provide a new password for this user, and confirm the new password.

If you need to reset the DLS administrator user's password but do not have the local reset secret, you can download a reset secret from the NVIDIA Licensing Portal.

If you are not already logged in, log in to the NVIDIA Enterprise Application Hub and click NVIDIA LICENSING PORTAL to go to the NVIDIA Licensing Portal. In the left navigation pane, click SERVICE INSTANCES. In the list of service instances on the Service Instance page that opens, from the Actions menu for the DLS instance, choose Download Reset Secret. (Note that the menu is too narrow, so the text is truncated.) When prompted, click DOWNLOAD. A file named dls_local_reset_secret_mm-dd-yyyy-hh-mm-ss.tok is saved to your default downloads folder.

When resetting the DLS administrator user's password, upload the reset secret to the DLS instance.

If you choose not to change the DLS administrator user name when registering the DLS administrator user, you can change it at any time after the DLS administrator user is registered. You can also change the password for the DLS administrator user.



Note: If there is more than one user in the system, changing the username or password will not be allowed. For more details on how to delete a user when multiple users exist, please refer to User Deletion in Appliances with Multiple Users Registered.

Note: For information about managing multiple application-level users with RBAC, see Section 2.8.4 and subsequent subsections.





Open a web browser and connect to the URL https://dls-vm-ip-address . dls-vm-ip-address The IP address or, if defined, the fully qualified domain name or the CNAME of the VM on which the DLS virtual appliance is installed. You can get the IP address from the management console of your hypervisor. At the top right of the Dashboard page in the NVIDIA Licensing application on the DLS appliance that opens, click View settings. In the My Info window that opens, click Change username/password. In the Change Username/Password window that opens, make the changes that you want and click CHANGE USERNAME/PASSWORD. If you want to change the user name, replace the text in the Username field with your choice of user name. In the Current password text-entry field, type the current password for the DLS administrator user. In the New password text-entry field, type the password that you want for the DLS administrator user. If you do not want to change the password, type the current password for the DLS administrator user. You cannot leave this field empty. In the Confirm new password text-entry field, type the password that you typed in the New password text-entry field.

The predefined DLS sudo user account rsu_admin has the elevated privileges required to install updates to the DLS appliance software that NVIDIA releases periodically. To comply with the terms of the GPL/LGPL v3 license under which the GPL/LGPL v3 licensed Open Source Software (OSS) libraries within the DLS virtual appliance are released, this account also has the elevated privileges required to update and upgrade these libraries.

Perform this task for each DLS virtual appliance for which you want to create the DLS sudo user account. If the DLS virtual appliance is hosting a node in an HA cluster, the creation of the user is not automatically propagated to the other node in the cluster.

Note: You can perform this task only on a VM-based DLS virtual appliance. You cannot perform this task on a containerized DLS software image. Instead, you can use standard interfaces of the OS on which the container orchestration platform is running to make this change.





From the hypervisor, log in as the user dls_admin to the VM that hosts the DLS virtual appliance. Run the /etc/adminscripts/enable_sudo.sh script. Copy Copied! $ /etc/adminscripts/enable_sudo.sh When prompted, provide a password for the rsu_admin user.

The sudo user with elevated privileges rsu_admin is created.

Role-Based Access Control (RBAC) is an access control method in which permissions to perform operations are assigned to roles, and users are assigned to roles. In DLS, RBAC provides:

Separation of duties between administrators, operators, and viewers

between administrators, operators, and viewers Least privilege principle by granting only the permissions needed for each role

by granting only the permissions needed for each role Simplified administration by managing permissions at the role level instead of per-user

by managing permissions at the role level instead of per-user Audit compliance through clear role definitions and assignment tracking

DLS provides three pre-defined roles with distinct permission levels.

Role Privilege Level Primary Use Case DLS_ADMIN 1 (Highest) Full system administration and configuration DLS_OPERATOR 2 (Medium) Day-to-day license operations and management DLS_USER 3 (Lowest) Read-only access for viewing and reporting

Note: Roles are pre-defined and cannot be customized. Organizations should assign users to the appropriate pre-defined role based on their job responsibilities.

DLS_ADMIN (Administrator)

Purpose: Complete system administration with full control over all DLS operations.

Key Capabilities:

User Management : Create, modify, and delete local user accounts

: Create, modify, and delete local user accounts Role Management : Assign and modify user role assignments

: Assign and modify user role assignments LDAP Configuration : Configure LDAP/Active Directory integration and group mappings

: Configure LDAP/Active Directory integration and group mappings System Configuration : Modify all system settings including SSL/TLS, email alerts, and general settings

: Modify all system settings including SSL/TLS, email alerts, and general settings Node Management : Configure high availability, IP addresses, and node operations

: Configure high availability, IP addresses, and node operations License Management : Full CRUD (create, read, update, delete) operations on license pools and servers

: Full CRUD (create, read, update, delete) operations on license pools and servers Maintenance Operations : Perform system upgrades, database backups, snapshots, and migrations

: Perform system upgrades, database backups, snapshots, and migrations Security Configuration : Manage SSL certificates, TLS cipher settings, and API keys

: Manage SSL certificates, TLS cipher settings, and API keys Audit and Compliance: Export, archive, and manage audit event logs

Typical Job Roles:

DLS System Administrators

IT Infrastructure Administrators

Security Administrators

DevOps Engineers (with administrative responsibilities)

Access Level: Full read and write access to all resources and configurations.

DLS_OPERATOR (Operator)

Purpose: Operational access for day-to-day license management without ability to modify security settings, users, or system infrastructure.

Key Capabilities:

License Operations : Create, update, and delete license pools and servers

: Create, update, and delete license pools and servers Service Instance Management : Modify service instance configurations

: Modify service instance configurations Settings Configuration : Configure general settings, email alerts (excludes SSL, TLS, LDAP)

: Configure general settings, email alerts (excludes SSL, TLS, LDAP) Client Configuration : Generate client configuration tokens

: Generate client configuration tokens Lease Operations : View all leases and perform bulk release operations: Configure high availability, IP addresses, and node operations

: View all leases and perform bulk release operations: Configure high availability, IP addresses, and node operations Monitoring : View metrics, events, and system status

: View metrics, events, and system status API Key Management: Import and export API keys

Restrictions (Cannot perform):

User or role management

LDAP configuration changes

Node management or HA configuration

SSL/TLS certificate or cipher configuration

System upgrades or maintenance operations

Individual lease creation, modification, or deletion

Event export, import, or archiving

Typical Job Roles:

License Administrators

Operations Team Members

Technical Support Staff

Application Administrators

Access Level: Read access to all resources; write access to license pools, service instances, and operational settings only.

DLS_USER (User/Viewer)

Purpose: Read-only access for viewing license information, system status, and generating reports.

Key Capabilities:

View Operations : View all license pools, servers, leases, and configurations

: View all license pools, servers, leases, and configurations Reporting : Generate reports on license usage and system status

: Generate reports on license usage and system status Monitoring : View system metrics, events, and alerts: Configure general settings, email alerts (excludes SSL, TLS, LDAP)

: View system metrics, events, and alerts: Configure general settings, email alerts (excludes SSL, TLS, LDAP) Information Access: Access all user, role, and system information in read-only mode

Restrictions (Cannot perform):

Any create, update, or delete operations

Configuration changes

User or role management

License pool or server modifications

System administration tasks

Typical Job Roles:

End Users viewing their license allocations

Business Stakeholders monitoring license usage

Technical Support Staff

Reporting Analysts

Access Level: Read-only access to all resources; no write or configuration capabilities.

Permission Hierarchy and Precedence

When a user has multiple role assignments (ONLY possible with LDAP multi-group membership), DLS applies the role with the highest privilege:

If an LDAP user belongs to both “License_Admins” (mapped to DLS_ADMIN) and “License_Users” (mapped to DLS_USER), the user will be assigned the DLS_ADMIN role (highest privilege).

Local users are application-level user accounts created and managed directly within the DLS instance. Local users authenticate using credentials stored in the DLS database (separate from LDAP/Active Directory).

Important: Local users are application users that exist only in the DLS application database. They are NOT created on the underlying operating system. The only OS-level users are dls_admin (protected user) and rsu_admin (sudo user), which are created during appliance setup.

Prerequisites

To manage local users, you must::

Have the DLS_ADMIN role assigned to your account

role assigned to your account Be logged into the DLS Web UI

Procedure

Navigate to User Management: Log in to the DLS Web UI

Navigate to Settings > Local User Management Initiate User Creation: Click the Create User button

button The “Create New User” dialog appears Enter User Details Username : Enter a unique username (alphanumeric and underscores allowed) Must be unique across all local users Cannot match existing LDAP usernames Example: license_operator1 , john.doe

: Enter a unique username (alphanumeric and underscores allowed) Password : Enter a strong password meeting policy requirements: Length: 15-64 characters Must contain: uppercase letter, lowercase letter, digit, special character Cannot contain username Cannot be one of the last 5 passwords

: Enter a strong password meeting policy requirements: Role : Select the role to assign from dropdown: DLS_ADMIN DLS_OPERATOR DLS_USER

: Select the role to assign from dropdown: Save the User: Click Create to save the user account

to save the user account A success message confirms user creation

The new user appears in the user list Verify User Creation: Locate the new user in the User Management table

Verify the assigned role is displayed correctly

Verify the user status is “Active”

Post-Creation Steps

Securely communicate the credentials to the user

Instruct the user to change their password on first login (recommended)

During User Creation

Select the appropriate role from the “Role” dropdown during user creation

The role assignment is automatically created when the user is saved

Modifying an Existing User’s Role:

Navigate to Settings > Local User Management Locate the user in the user list Click the Edit icon next to the user In the “Edit User” dialog, select the new role from the “Role” dropdown Click Save to apply the role change The user’s permissions are updated immediately The user must log out and log back in for the new permissions to take effect

Important: Each user can have only one role assigned at a time

Changing a user’s role immediately affects their access permissions

Active user sessions continue with old permissions until token expiration (typically 1 hour)

For immediate effect, the user should log out and log back in

Procedure:

Navigate to Settings > Local User Management Locate the user to modify Click the Edit icon next to the user In the “Edit User” dialog, modify the allowed fields: Role assignment

Password Click Update User to apply changes

Self-Service Modifications:

Users can modify their own accounts through self-service options:

Change Password : Navigate to User Profile > Change Password Requires current password verification New password must meet password policy

: Navigate to > Change Username : Navigate to User Profile > Change Username Requires current password verification New username must be unique

: Navigate to >

Prerequisites:

Must have DLS_ADMIN role

Cannot delete the system application user (first application user created during setup)

Cannot delete your own user account (must be deleted by another administrator)

Note: This function deletes application-level users from the DLS database. OS-level users (dls_admin, rsu_admin) cannot be deleted through DLS Web UI or APIs as they exist on the underlying operating system and are required for appliance management.

Procedure:

Navigate to Settings > Local User Management Locate the user to delete Click the Delete icon next to the user In the confirmation dialog, review the warning: User account will be permanently deleted

All role assignments will be removed

Action cannot be undone Click Confirm to proceed with deletion A success message confirms the deletion The user is removed from the user list

Impact of User Deletion:

User can no longer log in to DLS

Active sessions for the deleted user are invalidated

Audit logs retain records of the user’s past actions

Role assignments are automatically removed (cascade delete)

Password Policy Requirements:

All passwords (local users and API-generated) must comply with DLS password policy:

Length Requirements:

Minimum: 15 characters

Maximum: 64 characters

Complexity Requirements (must contain at least one of each):

Uppercase letter (A-Z)

Lowercase letter (a-z)

Digit (0-9)

Special character: !@#$%^&*()_+-=[]{}|;:,.<>?

Security Requirements: (must contain at least one of each):

Must not contain whitespace characters

Must not contain the username

Must not contain repetitive patterns (e.g., “aaa”, “111”)

Must not match any of the last 5 passwords (password history)

Must differ by at least 8 characters from the previous password

Example Valid Passwords: (must contain at least one of each):

MySecureP@ssw0rd2024!

ComplexLicense#Admin99

Str0ng!DLS$Access2024

Example Invalid Passwords:

short (too short, less than 15 characters)

NoSpecialCharacter123 (missing special character)

all lowercase password! (missing uppercase letter)

john.doe@Example123! (contains username “john.doe”)

Self-Service Password Change

Log in to DLS Web UI Navigate to User Profile > Change Password . Enter the following information: Current Password : Your existing password

: Your existing password New Password : New password meeting policy requirements

: New password meeting policy requirements Confirm Password: Re-enter new password Click Change Password Success message confirms the password change You are logged out automatically (in some implementations) Log back in with the new password

Administrator Password Reset

Administrators with DLS_ADMIN role can reset any user’s password

Navigate to Administration > User Management Locate the user whose password needs reset Click the Reset Password icon next to the user A temporary password is generated and displayed Copy the temporary password securely Click Close Communicate the temporary password to the user securely Instruct the user to change their password on next login

The Password Rotation API enables automated password management for local users using Enterprise-scoped API Keys. This is useful for:

Compliance requirements mandating regular password rotation

Automated password management workflows

Integration with secret management systems (e.g., HashiCorp Vault, AWS Secrets Manager)

Service account password rotation

Prerequisites:

Enterprise-scoped API Key from NVIDIA Licensing Portal

API Key imported into DLS instance: New password meeting policy requirements

HTTPS connection to DLS instance

Request Headers:

x-api-key: <your-enterprise-api-key>

Content-Type: application/json

Request Body Parameters:

Parameter Type Required Description username string Yes Target username for password rotation current_password string Yes Current password for verification new_password string No Optional: Specify new password (if omitted, system generates one)

Option 1: Auto-Generated Password (Recommended)

The system automatically generates a strong password that meets all policy requirements:

Copy Copied! curl -X POST 'https://192.0.2.10/service_instance_manager/v1/pw-rotate' \ --header 'x-api-key: 0ae280b9-58e2-809c-3c24-4069c5bd40c2' \ --header 'Content-Type: application/json' \ --data-raw '{ "username": "license_operator1", "current_password": "CurrentP@ssw0rd2024" }'

Success Response (HTTP 200):

Copy Copied! { "new_password": "X7k#mP9$vL2@qR5&nW8", "local_reset_secret": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "message": "Password rotated successfully." }

Option 2: User-Provided Password

Specify a custom password that must meet all policy requirements:

Copy Copied! curl -X POST 'https://192.0.2.10/service_instance_manager/v1/pw-rotate' \ --header 'x-api-key: 0ae280b9-58e2-809c-3c24-4069c5bd40c2' \ --header 'Content-Type: application/json' \ --data-raw '{ "username": "license_operator1", "current_password": "CurrentP@ssw0rd2024", "new_password": "MyNewStr0ng!Password123" }'

Important: Store the returned new_password and local_reset_secret securely. The password cannot be retrieved later.

Error Responses:

400 Bad Request - Invalid password:

Copy Copied! { "error": "Bad Request", "message": "Invalid new password. Password must contain at least one uppercase letter, one lowercase letter, one digit, and one special character." }

401 Unauthorized - Invalid API Key:

Copy Copied! { "error": "Unauthorized", "message": "Invalid API Key" }

403 Forbidden - Insufficient permissions:

Copy Copied! { "error": "Forbidden", "message": "API Key does not have Enterprise scope" }

LDAP (Lightweight Directory Access Protocol) integration enables DLS to authenticate users against enterprise directory services such as:

Microsoft Active Directory

Benefits of LDAP Integration:

Centralized user authentication

Automatic role assignment based on group membership

Simplified user lifecycle management

Single sign-on capabilities

Compliance with enterprise security policies

Configuring LDAP Settings

LDAP authentication can be configured through either the DLS Web UI or programmatically via RESTful API. Both methods provide the same configuration capabilities.

LDAP authentication can be configured through either the DLS Web UI or programmatically via RESTful API. Both methods provide the same configuration capabilities.

Access LDAP Configuration: Log in to DLS Web UI with DLS_ADMIN role

Navigate to Settings page

page Locate the LDAP Configuration section Configure LDAP Connection LDAP Server : Enter hostname or IP address of your LDAP server

: Enter hostname or IP address of your LDAP server Port : Enter LDAP port (389 for LDAP, 636 for LDAPS)

: Enter LDAP port (389 for LDAP, 636 for LDAPS) Use Secure Connection (LDAPS) : Enable for encrypted communication

: Enable for encrypted communication Authentication Type : Select NTLM or SASL

: Select NTLM or SASL Domain: Enter domain name (required for NTLM/Active Directory) Configure Search Settings: Root DN : Enter root distinguished name (e.g., “dc=example,dc=com”)

: Enter root distinguished name (e.g., “dc=example,dc=com”) Search Base : Enter base DN for user searches (e.g., “CN=Users,DC=example,DC=com”)

: Enter base DN for user searches (e.g., “CN=Users,DC=example,DC=com”) Search Filter : Enter LDAP query (e.g., “(uid={0})” or “(&(objectCategory=Person)(userPrincipalName=*))“): Enable for encrypted communication

: Enter LDAP query (e.g., “(uid={0})” or “(&(objectCategory=Person)(userPrincipalName=*))“): Enable for encrypted communication Search Scope : Select SUBTREE (recursive) or BASE (single level): Select NTLM or SASL

: Select SUBTREE (recursive) or BASE (single level): Select NTLM or SASL Username Attribute : Enter attribute name (e.g., “uid”, “sAMAccountName”, “userPrincipalName”): Enter domain name (required for NTLM/Active Directory)

: Enter attribute name (e.g., “uid”, “sAMAccountName”, “userPrincipalName”): Enter domain name (required for NTLM/Active Directory) Follow Referrals: Enable if your LDAP server uses referrals Upload CA Certificate (for LDAPS): If using secure connection, upload your LDAP server’s root CA certificate in PEM format Configure Group-to-Role Mappings (Optional):: Toggle Enable Group based access

Enter LDAP group DN (e.g., “CN=LicenseAdmins,DC=example,DC=com”)

Select corresponding DLS role (DLS_ADMIN, DLS_OPERATOR, or DLS_USER)

Repeat for additional groups Test Configuration: Enter test credentials (username and password of an LDAP user)

Click Test Connection to validate settings

to validate settings Review test results to ensure successful authentication Save Configuration:: Click Save to apply LDAP settings

to apply LDAP settings LDAP authentication is now active for user logins

Web UI Configuration Notes::

All fields are validated before saving

Test connection feature helps identify configuration issues before deployment

Group mappings can be added, edited, or removed dynamically

Configuration changes take effect immediately

API Endpoint:

Copy Copied! POST https://<dls-appliance-ip>/auth/v1/ldap

Request Headers:

Copy Copied! x-api-key: <your-enterprise-api-key> Content-Type: application/json

Request Body Parameters

Parameter Type Required Description enable_ldap string Yes Enable LDAP authentication: “true” or “false” ldap_server string Yes LDAP server hostname or IP address ldap_port integer Yes LDAP server port (389 for LDAP, 636 for LDAPS) use_secure string No Use LDAPS/TLS: “true” or “false” (default: “false”) authentication_type string Yes Authentication mechanism: “NTLM” or “SASL” domain string Conditional Domain name for NTLM authentication (required for Windows AD) root_dn string No Root Distinguished Name (e.g., “dc=example,dc=com”) search_base string Yes Base DN for user searches (e.g., “CN=Users,DC=example,DC=com”) search_filter string Yes LDAP search filter (e.g., “(uid={0})” or “(&(objectCategory=Person)(userPrincipalName=*))“) search_scope string Yes Search depth: “SUBTREE” (recursive) or “BASE” (single level) username_attribute string Yes Attribute containing username (e.g., “uid”, “sAMAccountName”) referrals string No Follow LDAP referrals: “true” or “false” (default: “false”) ldap_tls_ca_certs string Conditional PEM-encoded root CA certificate (required when use_secure is “true”) ldap_group_role_mapping object No Map LDAP group DNs to DLS roles (see below) test_ldap boolean No Test connection before saving: true or false (recommended: true) test_ldap_creds object No Test credentials for validation (username/password)

Example: Basic LDAP Configuration (NTLM with Active Directory)

Copy Copied! curl -X POST 'https://192.0.2.10/auth/v1/ldap' \ --header 'x-api-key: 0ae280b9-58e2-809c-3c24-4069c5bd40c2' \ --header 'Content-Type: application/json' \ --data-raw '{ "enable_ldap": "true", "test_ldap": true, "ldap_server": "192.0.2.50", "ldap_port": 389, "use_secure": "false", "authentication_type": "NTLM", "domain": "example.com", "root_dn": "dc=example,dc=com", "search_base": "CN=Users,DC=example,DC=com", "search_filter": "(&(objectCategory=Person)(userPrincipalName=*))", "username_attribute": "sAMAccountName", "search_scope": "SUBTREE", "referrals": "false", "test_ldap_creds": { "username": "testuser", "password": "TestP@ssw0rd123" } }'

Success Response (HTTP 200):

Copy Copied! { "message": "LDAP configuration updated successfully", "enable_ldap": true }

Example: Secure LDAP Configuration (LDAPS with TLS)

Copy Copied! curl -X POST 'https://192.0.2.10/auth/v1/ldap' \ --header 'x-api-key: 0ae280b9-58e2-809c-3c24-4069c5bd40c2' \ --header 'Content-Type: application/json' \ --data-raw '{ "enable_ldap": "true", "ldap_server": "ldap.example.com", "ldap_port": 636, "use_secure": "true", "authentication_type": "SIMPLE", "root_dn": "dc=example,dc=com", "search_base": "ou=users,dc=example,dc=com", "search_filter": "(objectClass=inetOrgPerson)", "username_attribute": "uid", "search_scope": "SUBTREE", "ldap_tls_ca_certs": "-----BEGIN CERTIFICATE-----

MIIE...certificate content...==

-----END CERTIFICATE-----" }'

Overview:

Group-to-role mapping enables automatic role assignment based on LDAP group membership. When a user authenticates via LDAP, DLS:

Retrieves the user’s LDAP group memberships Checks if any groups are mapped to DLS roles Assigns the appropriate role based on mapping configuration

Configuration

Add the ldap_group_role_mapping object to your LDAP configuration request:

Copy Copied! { "ldap_group_role_mapping": { "CN=LicenseAdmins,OU=Groups,DC=example,DC=com": "DLS_ADMIN", "CN=LicenseOperators,OU=Groups,DC=example,DC=com": "DLS_OPERATOR", "CN=LicenseUsers,OU=Groups,DC=example,DC=com": "DLS_USER" } }

Key Points:

Group DN Format : Use the full Distinguished Name (DN) of the LDAP group

: Use the full Distinguished Name (DN) of the LDAP group Case Sensitivity : Group DNs are case-sensitive; ensure exact match with your LDAP directory

: Group DNs are case-sensitive; ensure exact match with your LDAP directory Role Values: Must be one of: “DLS_ADMIN”, “DLS_OPERATOR”, “DLS_USER”

Complete Example:

Copy Copied! curl -X POST 'https://192.0.2.10/auth/v1/ldap' \ --header 'x-api-key: 0ae280b9-58e2-809c-3c24-4069c5bd40c2' \ --header 'Content-Type: application/json' \ --data-raw '{ "enable_ldap": "true", "ldap_server": "192.0.2.50", "ldap_port": 389, "use_secure": "false", "authentication_type": "NTLM", "domain": "example.com", "root_dn": "dc=example,dc=com", "search_base": "CN=Users,DC=example,DC=com", "search_filter": "(&(objectCategory=Person)(userPrincipalName=*))", "username_attribute": "sAMAccountName", "search_scope": "SUBTREE", "ldap_group_role_mapping": { "CN=DLS-Admins,OU=Security Groups,DC=example,DC=com": "DLS_ADMIN", "CN=DLS-Operators,OU=Security Groups,DC=example,DC=com": "DLS_OPERATOR", "CN=DLS-Users,OU=Security Groups,DC=example,DC=com": "DLS_USER" } }'

Behavior Scenarios:

Scenario 1: No Group Mapping Configured

If ldap_group_role_mapping is empty or not provided:

All authenticated LDAP users receive DLS_ADMIN role by default

role by default Use case: Quick LDAP setup or environments where all LDAP users should have admin access

Scenario 2: Partial Group Mapping

If only some groups are mapped:

Only users in mapped groups can log in

Users in unmapped groups are denied access to the DLS Web UI portal.

Use case: Controlled access where only specific teams should access DLS

Scenario 3: Multiple Group Membership

If a user belongs to multiple groups with different role mappings:

User receives the role with highest privilege (lowest privilege_level number)

(lowest privilege_level number) Example: User in both “DLS-Admins” (DLS_ADMIN, level 1) and “DLS-Users” (DLS_USER, level 3) receives DLS_ADMIN role

Use case: Users with overlapping responsibilities

Role Determination Logic:

Copy Copied! Step 1: Check group-to-role mapping ↓ If user belongs to one or more mapped groups: → Assign role with highest privilege (lowest privilege_level number) ↓ If user belongs to no mapped groups: ↓ Check if any mappings are configured: → If NO mappings: Assign DLS_ADMIN (default) → If mappings exist: Access Denied

Example Scenarios:

Scenario 1: Multiple Group Membership with Highest Privilege User: jane.smith LDAP Groups: [CN=LicenseAdmins,DC=example,DC=com, CN=LicenseUsers,DC=example,DC=com]

Group Mapping:

CN=LicenseAdmins,... → DLS_ADMIN (privilege_level=1)

CN=LicenseUsers,... → DLS_USER (privilege_level=3)

Result: DLS_ADMIN (highest privilege = lowest level number)

Scenario 2: No Mappings Configured

User: new.user

ldap_group_role_mapping: {} (empty)

Result: DLS_ADMIN (default when no mappings exist)

Scenario 3: Access Denied

User: unknown.user

LDAP Groups: [CN=Some_Other_Group,DC=example,DC=com]

User Mapping: (no match)

Group Mapping: CN=LicenseAdmins,... → DLS_ADMIN (no match)

Result: Access Denied (403 Forbidden error)

Testing Before Saving Configuration::

Use the test_ldap parameter to validate LDAP connectivity before saving configuration:

Copy Copied! { "test_ldap": true, "test_ldap_creds": { "username": "testuser", "password": "TestP@ssw0rd123" } }

What Gets Tested:

LDAP server connectivity

Search base validity

Search filter correctness

Username attribute mapping

Authentication mechanism (NTLM/SASL)

Group retrieval (if configured)

Role mapping logic

Success Response (HTTP 200):

Copy Copied! { "message": "LDAP configuration updated successfully", "enable_ldap": true, "test_result": { "status": "Success", "username": "testuser", "ldap_role": "DLS_OPERATOR", "groups": [ "CN=LicenseOperators,DC=example,DC=com" ] } }

Error Response (HTTP 400):

Copy Copied! { "error": "Bad Request", "message": "LDAP connection test failed: Unable to connect to LDAP server at 192.0.2.50:389" }

Testing After Configuration Saved:

After saving LDAP configuration, test authentication:

Attempt Login: Navigate to DLS Web UI login page

Enter LDAP username and password

Click Login Verify Successful Login: User is redirected to DLS Dashboard

User’s role is displayed in user profile

User can access features appropriate to their assigned role Check Audit Logs: Navigate to Events in DLS Web UI

Filter by “Login” events

Verify LDAP authentication events are logged

To view the current LDAP configuration:

Log in to DLS Web UI with DLS_ADMIN role Navigate to Settings page Locate the LDAP Configuration section View all configured settings including: Server connection details

Search configuration

Group-to-role mappings Sensitive fields (passwords, certificates) are masked for security

Note: LDAP configuration can be modified directly from the Web UI by updating fields and clicking Save.

Via RESTful API

API Endpoint:

Copy Copied! GET https://<dls-appliance-ip>/auth/v1/ldap

Request Headers:

Copy Copied! x-api-key: <your-enterprise-api-key>

Example Request:

Copy Copied! curl -X GET 'https://192.0.2.10/auth/v1/ldap' \ --header 'x-api-key: 0ae280b9-58e2-809c-3c24-4069c5bd40c2'

Success Response (HTTP 200):

Copy Copied! { "enable_ldap": true, "ldap_server": "192.0.2.50", "ldap_port": 389, "use_secure": false, "authentication_type": "NTLM", "referrals": false, "domain": "example.com", "root_dn": "dc=example,dc=com", "search_base": "CN=Users,DC=example,DC=com", "search_filter": "(&(objectCategory=Person)(userPrincipalName=*))", "username_attribute": "sAMAccountName", "search_scope": "SUBTREE", "ldap_group_role_mapping": { "CN=LicenseAdmins,DC=example,DC=com": "DLS_ADMIN", "CN=LicenseOperators,DC=example,DC=com": "DLS_OPERATOR", "CN=LicenseUsers,DC=example,DC=com": "DLS_USER" } }

Note: Sensitive fields like bind passwords and ldap_tls_ca_certs are not returned in the response for security reasons.

Disabling LDAP Authentication

LDAP authentication can be disabled through either the Web UI or API.Via DLS Web UI

To Temporarily Disable LDAP (preserve configuration):

Navigate to Settings page Locate the LDAP Configuration section Toggle Enable LDAP to OFF Click Save Configuration is preserved and can be re-enabled by toggling back to ON

To Completely Remove LDAP Configuration:

Navigate to Settings page Locate the LDAP Configuration section Click Delete LDAP Configuration or Remove Confirm deletion All LDAP settings and group mappings are removed

You can use a lightweight directory access protocol (LDAP) directory instead of the configured accounts for managing user access to a DLS appliance. When integrated with an LDAP server, the DLS appliance uses Windows Challenge/Response, formerly NT (New Technology) LAN Manager, (NTLM) for authenticating users.

The dls_diagnostics and dls_system users have been replaced with the default user, which is the dls_admin user. For the initial installation of DLS and prior to registration on the UI, the default password for the dls_admin user is welcome. Once registration on the portal is done, the same password and username can be used to login to the VM Appliance from the hypervisor console.

Since a new user role is used in DLS 3.X, the password for dls_admin must be reset in order to login to the CLI of the DLS Appliance following a migration from DLS 2.X and older.

The dls_admin user has the same capabilities as that of dls_system and dls_diagnostics . In other words, all are able to configure appliance network properties, enable the sudo user, configure disk expansion, view log files, configuration files, etc.

user has the same capabilities as that of and . In other words, all are able to configure appliance network properties, enable the sudo user, configure disk expansion, view log files, configuration files, etc. The rsu_admin user role would be used for an in-place upgrade, applying security patches, and the execution of NVIDIA-provided scripts. This is true unless it is used for OS-based package updates; in that case, there is no concern for DLS support.

If you want to enable secure LDAP (LDAPS), ensure that the following prerequisites are met:

You have obtained the required certificate file in the correct format. For a TLS certificate, the authentication certificate is the Root CA certificate in Base-64 encoded X.509 (.cer) format.

The certificate file has the correct name. Certificate File File Name TLS certificate (The Root CA Server Certificate in Base-64 encoded X.509 format) A certificate with an extension .cer For more information about LDAP, see .

Log in to the DLS virtual appliance that you are integrating with an LDAP directory. In the left navigation pane, click SETTINGS. The configuration for integration can be done from the Service Instance Settings page page that opens. When configuring LDAP integration, in the case of a DLS VM Appliance, users have to provide Additional Details to be able to integrate LDAP with the operating system, so that LDAP users can login to the VM Appliance using SSH or the hypervisor console. For more settings related to integrating LDAP with operating system, users can login to the DLS appliance VM from the hypervisor console using the dls_admin user, then edit the file: Copy Copied! /etc/ldap.conf The logged-in user will have the same permissions as the dls_admin user on the VM appliance. Optional: If you want to enable LDAPS, on the Service Instance Settings page page, click Use secure LDAP (LDAPS)? to test the LDAPS connection.

Each DLS virtual appliance is configured with a user account specifically for administering the DLS. This account provides access through a web-based management interface to the NVIDIA Licensing application on the appliance.

Ensure that the DLS administrator user has been registered for the appliance as explained in Registering the DLS Administrator User.

Open a web browser and connect to the URL https://dls-vm-ip-address . dls-vm-ip-address The IP address or, if defined, the fully qualified domain name or the CNAME of the VM on which the DLS virtual appliance is installed. You can get the IP address from the management console of your hypervisor. On the login page that opens, provide the user credentials for the DLS administrator user on the DLS virtual appliance and click LOGIN.

If LDAP is used as an alternative to the fixed set of user accounts for user management, you can use the rsu_admin account to administer the DLS virtual appliance instead. See Integrating a DLS Instance with an LDAP Server for more information.

To collect the log files of a DLS Virtual Appliance to troubleshoot a problem, use the dls_admin user and run the sudo /etc/adminscripts/collect_dls_logs.sh command.

The collect_dls_logs.sh script collects the following information for analysis:

Critical information: CPU information from /proc/cpuinfo RAM information from /proc/meminfo DLS startup log file /var/log/applicationStartup.log DLS VM appliance log file /var/log/applianceOps.log IP address information log file /var/log/ip_address.log Disk consumption (directories with more than 100 MB usage and database disk consumption) and free space Docker logs for both containers

Non-critical logs: Chrony, timesyncd, and timedatectl output Syslog information Audit log files

Service log files: Log files for the DLS services



The deletion of an additional user in a system with multiple users is facilitated through a shell script. This script must be executed on the primary node within a High Availability (HA) cluster. It ensures that user deletion is only performed if the specified user exists and if the system has more than one registered user. If the user does not exist or if the system contains only a single user, the script will not execute the deletion, thereby maintaining the integrity of the user management process.

Enable the sudo user rsu_admin on the DLS appliance. Log in to the appliance using rsu_admin . Run the /etc/adminscripts/delete_user.sh script . It accepts an argument of username to be deleted: $ /etc/adminscripts/delete_user.sh dls_user_to_be_deleted

To provide licensed clients with continued access to licenses if a DLS instance fails, you can configure a highly available (HA) cluster of two or more DLS instances in a failover configuration. A failover configuration consists of a primary instance, which is actively serving licenses to licensed clients, and one or more secondary instances, which act as a backup for the primary instance.

If you are configuring an HA cluster of containerized DLS instances, you must deploy the containers that host the instances on different Kubernetes clusters. To prevent the NVIDA Licensing application from behaving abnormally, do not deploy the containers on different worker nodes in the same Kubernetes cluster. The application would behave abnormally because the orchestrator forwards requests to ports that are mapped onto the corresponding Kubernetes service.

If an attempt to configure an HA cluster of containerized DLS instances fails, refer to HA Configuration or Online Upgrade Fails for troubleshooting information.

Note: After configuring high availability, you can optionally enable Virtual IP Management to provide transparent failover for licensed clients. Virtual IP Management automatically migrates a single IP address between cluster nodes during failover, allowing clients to maintain connectivity without reconfiguration. See Section 2.9.x Configuring Virtual IP Management for High Availability for details.





By default, a DLS instance can be added only to an HA cluster of two instances. If you want to add a DLS instance to a cluster of more than two DLS instances, you must set the maximum cluster size explicitly.

After setting the maximum cluster size for a DLS instance, you cannot change it.



How to set the maximum cluster size for a DLS instance depends on whether the instance is a VM-based instance or a containerized instance. For detailed instructions, refer to:

Perform this task on each DLS instance that you want to add to a cluster of more than two DLS instances.



Use the hypervisor management console of the appliance to log in as the user dls_admin to the VM that hosts the DLS instance's virtual appliance. If the dls_admin user has not been registered, you can still log in to the VM as the dls_admin user with the default password welcome . Run script /etc/adminscripts/enable_ha_max.sh. Copy Copied! $ /etc/adminscripts/enable_ha_max.sh When prompted, enter an integer in the range 2-9 that specifies the maximum number of instances in the cluster to which you want to add this instance.

After setting the maximum cluster size for the instance, add the instance to a cluster as explained in Creating or Expanding an HA Cluster of DLS Instances.

Perform this task on each DLS instance that you want to add to a cluster of more than two DLS instances.



Edit the appropriate deployment file for your container orchestration platform to uncomment the line that sets the environment variable DLS_HA_MAX_NODES_ENV . To determine the deployment file for your container orchestration platform, refer to Setting Properties for a Containerized DLS Software Image Set the DLS_HA_MAX_NODES_ENV environment variable to an integer in the range 2-9 that specifies the maximum number of instances in the cluster to which you want to add this instance. How to set an integer value depends on your container orchestration platform. For more information, refer to the following topics: Specifying Integer Values as Environment Variables

Specifying Integer Values as Actual Values This example sets the maximum cluster size for a containerized DLS instance to 3. Copy Copied! DLS_HA_MAX_NODES_ENV=${DLS_HA_MAX_NODES_ENV:-3} Restart the container.

After setting the maximum cluster size for the instance, add the instance to a cluster as explained in Creating or Expanding an HA Cluster of DLS Instances.

Any time after creating or configuring a standalone DLS instance, you can create an HA Cluster of DLS instances by converting the instance into a node in a cluster and adding a second instance to the cluster. You can also expand an existing cluster by adding a DLS instance to it.

Ensure that the following prerequisites are met:

The DLS virtual appliance that will host the DLS instance to be added to the cluster has been installed and started. Note: The version of this virtual appliance must be identical to the version of the virtual appliances that are hosting the instances that are already members of the cluster. You cannot configure an HA cluster in which the versions of the virtual appliances are different.

The DLS administrator user has not been registered on the DLS virtual appliance that will host the DLS instance to be added to the cluster. The registration of the DLS administrator user is propagated to the other instance when you configure the cluster. Note: If you are creating a cluster from a pair of newly created standalone DLS instances, ensure that the DLS administrator user has been registered only on one virtual appliance.

been registered on the DLS virtual appliance that will host the DLS instance to be added to the cluster. The registration of the DLS administrator user is propagated to the other instance when you configure the cluster. If you are configuring a cluster of more than two nodes, ensure that the maximum cluster size has been set for each DLS instance that you want to be a member of the cluster. For detailed instructions, refer to Setting the Maximum Cluster Size for a DLS Instance .

Log in to the DLS virtual appliance that will host or is already hosting the primary DLS instance. If you are creating a cluster, log in to the DLS virtual appliance that hosts the DLS instance that you want to convert. After the instance is converted, it will initially be the primary DLS instance.

If you want to expand an existing cluster, log in to the DLS virtual appliance that hosts the primary node in the cluster. In the left navigation pane, click SERVICE INSTANCE. On the Service Instance page that opens, under Node Configuration, set the Enable High Availability option. The text-entry field and the PING button are activated, and the CREATE HA CLUSTER button is deactivated. In the text-entry field, type the IP address or, if configured, the fully qualified domain name of the other virtual appliance to be configured in a cluster and click PING. After the cluster is configured, this DLS virtual appliance will initially host a secondary DLS instance. If the virtual appliance that will initially host the secondary DLS instance can be reached, the message SUCCESS appears next to the PING button and the CREATE HA CLUSTER button is activated.

appears next to the button and the button is activated. Otherwise, the message FAILURE appears next to the PING button and the CREATE HA CLUSTER button remains deactivated. Click CREATE HA CLUSTER to start the configuration and wait for it to complete. The Service Instance page displays the progress of the HA cluster configuration. The configuration process takes approximately 10 minutes to complete.

When the configuration is complete, the Service Instance page is updated to show the node health of the cluster.

If you intend to use static IP addresses for the virtual appliances that are hosting the DLS instances in the cluster, set the address of each virtual appliance as explained in Setting the Static IP Address of a DLS Virtual Appliance. Otherwise, configure the DLS instance on the virtual appliance that is hosting the primary DLS instance as explained in Configuring a Service Instance.

If a client configuration token has already been generated for any instance in the cluster, regenerate the client configuration token for the instance as explained in Generating a Client Configuration Token.

To fail over or change the roles of the DLS instances, restart the DLS virtual appliance that is hosting the primary DLS instance.

Note: If the instances in an HA cluster of DLS instances fail or are shut down at the same time, avoid a race condition by restarting only one instance and waiting until the startup of that instance is complete before starting the next instance.

You can remove a secondary node from an HA cluster. If the secondary node is removed from a two-node cluster, the primary node is converted to a standalone DLS instance. You can perform this task to remove a secondary node even if it is down.



Log in to the DLS virtual appliance that hosts the primary node in the cluster. In the left navigation pane, click SERVICE INSTANCE. On the Service Instance page that opens, under Node Health, click REMOVE adjacent to the DLS virtual appliance that hosts the secondary node that you want to remove. When asked if you want to remove the node, click CONFIRM.

What happens to the node that has been removed depends on the type of platform that is hosting the nodes in the cluster:

For a cluster of instances on VM-based DLS virtual appliances, the virtual appliance that hosts the node is shut down and all data on the node is removed.

For a cluster of instances on different container orchestrators, the container that hosts the node is not shut down. You must shut down the container manually.

If the secondary node is removed from a two-node cluster, the primary node is converted to a standalone DLS instance.



If a client configuration token has already been generated for any instance in the cluster, regenerate the client configuration token for the instance as explained in Generating a Client Configuration Token.

If all nodes fail or are shut down, you must restart the last node to fail or be shut down first. If you restart the first node to fail or be shut down first, the node will not be functional until the other nodes are started.

Initially, the primary node in an HA cluster is the node that is hosted on the DLS appliance from which the cluster was created. It remains the primary node unless or until it fails, at which point failover occurs and the secondary node becomes the primary node. If you want to control which node is the primary node a cluster, you can mark a secondary node as the primary node in the cluster.

Log in to the DLS virtual appliance that hosts the secondary node that you want to mark as the primary node. In the left navigation pane of the NVIDIA Licensing dashboard, click SERVICE INSTANCE. On the Service Instance page that opens, locate the Current Node Role property and click Mark As Primary. When asked to confirm that you want to mark the node as the primary node, click Mark As Primary. The node assumes the primary role and starts to serve licenses to clients. All other nodes in the cluster, including the node that was the primary node, are marked as secondary nodes.

By default, the DoD-approved login banner warning is disabled. If a VM-based DLS appliance is running on a US Government (USG) Information System (IS) that is provided for USG-authorized use only, enable this warning for logins through the hypervisor management console and through secure shell (SSH). When enabled, the banner warning is displayed whenever a user tries to log in to the system.

Ensure that the sudo DLS user account rsu_admin has been created as explained in Creating the DLS sudo User Account.

Enable the DoD-approved login banner warning for logins through the hypervisor management console. Use the hypervisor management console of the appliance to log in as the user dls_admin to the VM that hosts the DLS virtual appliance. Run the /etc/adminscripts/enable_stig_custom_message.sh script. Copy Copied! $ /etc/adminscripts/enable_stig_custom_message.sh Enable the DoD-approved login banner warning for logins through SSH. Use the hypervisor management console of the appliance to log in as the user rsu_admin to the VM that hosts the DLS appliance. As root, grant read access for all users to the message of the day file (/etc/motd) and allow the owner of the file also to write to and execute the file. Copy Copied! $ sudo chmod 644 /etc/motd

If you need to disable the DoD-approved login banner warning for logins through the hypervisor management console, run the /etc/adminscripts/disable_stig_custom_message.sh script as the dls_admin user.

The Virtual IP (VIP) Management feature enables seamless failover for NVIDIA Delegated License Service (DLS) instances configured in a high availability (HA) cluster. By assigning a single virtual IP address that automatically migrates between cluster nodes during failover events, client applications maintain uninterrupted access to licensing services without manual reconfiguration.

Key Benefits

Transparent Failover : Licensed clients connect to a single virtual IP address that automatically moves to the active primary node during failover events

: Licensed clients connect to a single virtual IP address that automatically moves to the active primary node during failover events Zero Client Reconfiguration : Client configuration tokens remain valid across failover events, eliminating the need to update client systems

: Client configuration tokens remain valid across failover events, eliminating the need to update client systems Automatic Network Convergence : Gratuitous ARP (GARP) ensures immediate network routing updates when the virtual IP migrates

: Gratuitous ARP (GARP) ensures immediate network routing updates when the virtual IP migrates Split-Brain Prevention : Built-in safeguards prevent multiple nodes from simultaneously claiming the virtual IP address

: Built-in safeguards prevent multiple nodes from simultaneously claiming the virtual IP address Centralized Management: RESTful API and web UI for configuring and monitoring virtual IP assignments

Supported Platforms

Virtual IP Management is available on:

DLS Virtual Appliances (VM-based) version 3.6.0 and later

All supported hypervisors (VMware vSphere, Microsoft Hyper-V, Nutanix AHV, Red Hat Virtualization)

Note: Virtual IP Management is not available on containerized DLS deployments in pure container environments (Docker Compose without VM).

Before configuring Virtual IP Management, ensure the following requirements are met.

Network Requirements

Available IP Address : One unused IPv4 or IPv6 address on the same subnet as your DLS cluster nodes

: One unused IPv4 or IPv6 address on the same subnet as your DLS cluster nodes Network Permissions : The IP address must not be in use by any other device or reserved by DHCP: Client configuration tokens remain valid across failover events, eliminating the need to update client systems

: The IP address must not be in use by any other device or reserved by DHCP: Client configuration tokens remain valid across failover events, eliminating the need to update client systems Layer 2 Connectivity : All nodes in the HA cluster must be on the same Layer 2 network segment

: All nodes in the HA cluster must be on the same Layer 2 network segment ARP Support: Network infrastructure must support Address Resolution Protocol (ARP) and Gratuitous ARP

HA Cluster Requirements

A functional high availability cluster with:

Two Or more DLS instances configured as primary and secondary nodes

For information on configuring an HA cluster, see Configuring High Availability for a DLS Instance in the License System User Guide.



System Requirements

LS Version: 3.6.0 or later

User Permissions

DLS Administrator : Access to the DLS web UI with DLS_ADMIN role

: Access to the DLS web UI with DLS_ADMIN role Portal Access:Not required (virtual IP configuration is managed entirely on the DLS instance)

How Virtual IP Management Works

When configured, the Virtual IP Management system operates as follows:

Initial Configuration: An administrator assigns a virtual IP address to the HA cluster from the settings page of DLS Web UI of current primary node, which is automatically replicated to all secondary nodes. Primary Assignment: The current primary node automatically assigns the virtual IP to its network interface. Network Announcement: The primary node sends Gratuitous ARP packets to inform the network of the IP-to-MAC address mapping. Client Connectivity: Licensed clients connect to the virtual IP address for license requests. Failover Detection: When the secondary node detects primary node failure through heartbeat loss, it initiates failover. VIP Migration: The secondary node (now primary) assigns the virtual IP to its network interface. Network Update: Gratuitous ARP packets announce the new MAC address for the virtual IP. Client Continuity: Licensed clients continue using the same virtual IP address without reconfiguration.

Split-Brain Prevention Mechanisms

The VIP Management system includes multiple safeguards to prevent split-brain scenarios where both nodes attempt to claim the virtual IP:

Startup Safety Check : Nodes verify their role (primary/secondary) on system startup and remove VIP assignments if configured as secondary.

: Nodes verify their role (primary/secondary) on system startup and remove VIP assignments if configured as secondary. Duplicate Detection : Before assigning the VIP, nodes use arping to detect if another system is already using the IP address.

: Before assigning the VIP, nodes use to detect if another system is already using the IP address. Network Isolation : During VIP removal, iptables rules temporarily block traffic to/from the VIP to prevent packet loss.

: During VIP removal, rules temporarily block traffic to/from the VIP to prevent packet loss. Role-Based Assignment : Only the node with the primary role can assign the virtual IP.

: Only the node with the primary role can assign the virtual IP. ARP Cache Flush: Stale ARP entries are cleared during VIP removal to prevent routing issues.

Network Traffic Flow

Normal Operation (Primary Node Active):

Licensed Client > Virtual IP (192.0.2.100) > Primary Node (eth0) > DLS Services

During Failover:

Primary Node Failure Detected

Secondary Promotes to Primary

Virtual IP Migrates to New Primary

GARP Sent (3 packets)

Network Updates ARP Cache

Licensed Client > Virtual IP (192.0.2.100) > New Primary Node (eth0) > DLS Services

Old Primary Returns Online:

Old Primary Boots

Detects self having SECONDARY role

Removes Any Stale VIP Assignment

Remains as Secondary Node

Does NOT Reclaim Virtual IP

Before configuring Virtual IP Management, ensure the following requirements are met.

Task Overview

Configuring Virtual IP Management for an HA cluster involves the following tasks:

1. Assigning the virtual IP address via API or web UI

2. Verifying VIP assignment and network connectivity

3. Testing failover behavior



Assigning Virtual IP address using DLS - Web UI

Navigate to the Settings page on the Primary node’s DLS Web UI Expand the UI card “Virtual IP Address Configuration” Set the Virtual IP and click on “Configure”

Removing a Virtual IP Address

To remove the virtual IP assignment from the HA cluster:

Use the web UI to delete the configured virtual IP from Settings page . Expand the UI card Virtual IP Address Configuration .

Click Delete Virtual IP

Important: Deleting the virtual IP triggers immediate removal from both primary and secondary nodes. Licensed clients will lose connectivity to the virtual IP address.

To verify that the virtual IP is correctly assigned to the primary node:

On the Primary DLS Node:

Check if VIP is assigned to network interface

Copy Copied! ip addr show | grep <virtual-ip>

Expected output:

Copy Copied! inet 192.0.2.100/24 scope global secondary eth0

Verify VIP configuration file:

Copy Copied! cat /var/lib/docker/volumes/configurations/_data/vip/ip.txt

Expected output: 192.0.2.100

From Another System on the Network:

Verify ARP entry points to primary node

Copy Copied! arping -c 3 <virtual-ip>

Expected output shows primary node's MAC address.

Monitoring VIP Events

Virtual IP events are logged to multiple locations:

System Logs:

VIP reassignment script logs tail -f /var/log/vip_reassignment.log

Systemd service logs journalctl -u vipReassignment.path -f

journalctl -u vipReassignment.service -f

DLS Application Logs:

Logs can be accessed at /var/lib/docker/volumes/logs/_data using OS user dls_admin or sudo user rsu_admin.

Heartbeat service logs tail -f /var/lib/docker/volumes/logs/_data/heartbeat.log

HA configuration logs tail -f /var/lib/docker/volumes/logs/_data/ha_config.log

DLS Web UI:

Navigate to Dashboard > Events- Filter by Operation: “Configure Virtual IP” or “Delete Virtual IP”

Review event details including timestamp and user

To observe VIP behavior during a failover event:

Monitor Primary Node Logs: Copy Copied! tail -f /var/log/vip_reassignment.log Trigger Failover (for testing): Restart the primary node virtual machine to simulate a failure and trigger failover. Expected Log Sequence On Primary Node (before failure): Virtual IP 192.0.2.100 assigned successfully

Sent 3 gratuitous ARP packets for 192.0.2.100 On Secondary Node (after failover detection): Failover detected, promoting to primary

Virtual IP 192.0.2.100 assigned successfully

Sent 3 gratuitous ARP packets for 192.0.2.100 Verify Client Connectivity: Licensed clients should maintain connectivity throughout the failover event (typically 30-60 seconds for complete failover).

After assigning a virtual IP to your HA cluster, configure licensed clients to use the virtual IP address.

Prerequisites:

Virtual IP address configured on the HA cluster

Client configuration token available

Procedure:

Generate Client Configuration Token In the DLS web UI: Navigate to License Servers > Client Configuration Tokens

> Click Generate Token

Save the generated token file Apply Token on Licensed Client (Windows) Copy Copied! C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken\client_configuration_token.tok" nvidia-smi -q | Select-String "License Status Apply Token on Licensed Client (Linux) Copy Copied! sudo cp client_configuration_token.tok /etc/nvidia/ClientConfigToken/ nvidia-smi -q | grep "License Status" Verify License Acquisition The output should show: vGPU Software Licensed Product License Status : Licensed

Note: Clients configured with the virtual IP address will maintain connectivity during failover events without requiring token regeneration or reconfiguration.

Planning Virtual IP Deployment

· IP Address Selection: Choose an IP address that:

Is on the same subnet as your DLS cluster nodes

Is not allocated by DHCP

Is outside your organization’s dynamic IP ranges

Has been verified as unused via network scanning

Follows your organization’s IP address naming conventions

· Documentation: Maintain documentation of:

Virtual IP address assignment

Physical IP addresses of primary and secondary nodes

Network subnet configuration

Network Configuration

ARP Cache Timeout : Configure network switches with appropriate ARP cache timeouts (recommended: 60-300 seconds) to balance between network efficiency and failover speed.

: Configure network switches with appropriate ARP cache timeouts (recommended: 60-300 seconds) to balance between network efficiency and failover speed. Port Security : If using port security on network switches, configure: Allow multiple MAC addresses per port (for VIP migration) Use “sticky” MAC learning with a sufficient MAC address limit Exclude ports connecting to DLS nodes from strict port security

: If using port security on network switches, configure:

Network Monitoring: Configure network monitoring to:

Alert on duplicate IP address detection

Monitor ARP table changes for the virtual IP

Track failover events and VIP migration timing

High Availability Configuration

· Testing Schedule: Regularly test failover behavior:

Monthly: Graceful failover testing (stop services on primary)

Quarterly: Forced failover testing (power off primary VM)

After any network changes: Full failover validation

· Maintenance Windows: During maintenance:

Test VIP assignment after any DLS version upgrades

Verify VIP configuration after HA cluster changes

Validate client connectivity after network infrastructure updates

· Monitoring and Alerts: Configure monitoring for:

VIP-related events in DLS event logs

Abnormal failover frequency (may indicate network issues)

Security Considerations

· Network Segmentation: Deploy DLS instances in a secure network segment:

Use firewalls to control access to DLS management interfaces

Allow VIP traffic only from authorized client subnets

Implement network ACLs for inter-node communication

· Audit Trail: Regularly review:

Virtual IP configuration change events

Failover event logs

Unauthorized access attempts to VIP management APIs

Backup and Recovery

Configuration Backup: Include VIP configuration in DLS backups:

VIP configuration is stored in the DLS configuration database

Use DLS backup/migration features to preserve VIP settings

Document VIP assignment separately for disaster recovery

Disaster Recovery: In DR scenarios:

VIP assignment can be retained when restoring to a new cluster

Ensure the new network segment can accommodate the VIP address

Update network infrastructure (switches, routers) if changing subnets

Security Considerations

Backup and Recovery

A VM-based DLS virtual appliance strictly controls access to the underlying OS. Therefore, the management interface of the NVIDIA Licensing application enables you to perform configuration tasks that change the configuration of the underlying OS. During initial setup, you create both an OS-level user (dls_admin) and a system administrator application account (DLS_ADMIN role). After setup is complete, you can create additional application users with different roles and configure LDAP authentication if needed. See User Accounts on a DLS Virtual Appliance for details.

Note: You can perform these tasks only on a VM-based DLS virtual appliance. You cannot perform them on a containerized DLS software image. Instead, you can use standard interfaces of the OS on which the container orchestration platform is running to make equivalent changes for a containerized DLS software image.

Note: For VM-based DLS virtual appliances configured in an HA cluster, you can also configure Virtual IP Management to enable transparent failover for licensed clients. Virtual IP Management automatically migrates a floating IP address between cluster nodes during failover events. See Section 2.9.x Configuring Virtual IP Management for High Availability for details.





You can use the management interface to the NVIDIA Licensing application to replace the existing IP address of the appliance with a new static IP address. The existing IP address can be an address assigned by DHCP or another static IP address.

Note: You can perform this task only on a VM-based DLS virtual appliance. You cannot perform this task on a containerized DLS software image. Instead, you can use standard interfaces of the OS on which the container orchestration platform is running to make this change.

Note: The IP address of a VMware VM that hosts a DLS appliance can be set when the appliance is installed from an OVF template. If the IP address was set this way, you must follow the instructions in Changing the IP Address of a VMware VM Set During DLS Appliance Installation. If you use any other method to change this address, it reverts to its original setting when the VM is restarted. In this situation, the CONFIGURE IP ADDRESS button is deactivated and dimmed.





The instance that the DLS virtual appliance is hosting must already be configured as a standalone DLS instance or as an instance in a HA cluster.

Note: You can set the static IP of the secondary node in an HA cluster from the primary node in the cluster.





If you aren't logged in already, log in to the DLS virtual appliance. In the left navigation pane, click SERVICE INSTANCE. On the Service Instance page that opens, under Node Health, click CONFIGURE IP ADDRESS adjacent to the DLS virtual appliance for which you are setting a static IP address. CAUTION: If the DLS virtual appliance for which you are setting a static IP address is a node in an HA cluster and the type of any node is unknown, do not attempt to set the static IP address. Any change to the static IP address is not propagated to the node whose type is unknown because the node is unreachable. In the Configure Node IP Address window that opens, provide the details of the IP address of the node and click UPDATE. In the Static IP address text-entry field, type the IP address that you want to assign to the DLS virtual appliance. In the Gateway text-entry field, type the IP address of the DLS virtual appliance's default gateway. Note: If you leave the Gateway field empty, the DLS virtual appliance uses DHCP settings. In the Netmask Prefix text-entry field, type the subnet mask of the DLS virtual appliance's network in classless inter-domain routing (CIDR) format without the leading slash character (/). The netmask prefix must be an integer in the range 2-32. To get a subnet mask in CIDR format from its decimal equivalent, refer to the table on page 2 of IETF RFC 1878: Variable Length Subnet Table For IPv4. For example, the subnet mask in CIDR format of the decimal equivalent 255.255.255.0 is 24. In the first DNS Server text-entry field, type the IP address of the first DNS server to be used for name resolution. In the second DNS Server text-entry field, type the IP address of the second DNS server to be used for name resolution. If you are setting the IP address of the instance that you are logged in to, your browser will be disconnected from the instance after the update is complete. In this situation, you will need to log in to the DLS appliance again at the IP address that you set. Note: Setting the IP address of an instance in an HA cluster causes a failover of the cluster. As a result of the failover, the roles of the primary and secondary instances in the cluster are reversed. If necessary, log in to the DLS virtual appliance again by connecting to the URL https://dls-vm-static-ip-address . dls-vm-static-ip-address The static IP address that you set for the DLS virtual appliance.

If the DLS instance hasn't already been configured and is a standalone instance or the primary instance in an HA cluster, configure the instance as explained in Configuring a Service Instance.

If necessary, you can revert the network configuration of a DLS appliance to DHCP after a static IP address has been assigned to the DLS appliance. After the network configuration is reverted to DHCP, the IP address of the appliance's network interface is assigned automatically. To revert the network configuration to DHCP, use the operating system command nmcli. Each DLS virtual appliance is configured with a user account with the elevated privileges required for running the nmcli command.

Perform this task from the hypervisor console, not from a secure shell (SSH) session. This task requires the requires DLS appliance's network service to be restarted, which would disconnect an SSH session.

Note: You can perform this task only on a VM-based DLS virtual appliance. You cannot perform this task on a containerized DLS software image. Instead, you can use standard interfaces of the OS on which the container orchestration platform is running to make this change.

In the nmcli commands in the following steps for changing the configuration of the DLS appliance's network interface, you can use the modify subcommand as an alternative to the edit subcommand.



Ensure that the sudo DLS user account rsu_admin has been created.

Use the hypervisor management console of the appliance to log in as the user rsu_admin to the VM that hosts the DLS appliance. Get the connection name of the DLS appliance's network interface. Copy Copied! $ sudo nmcli connection show The connection name of the DLS appliance's network interface in this example is Wired connection 1. Copy Copied! $ sudo nmcli connection show NAME UUID TYPE DEVICE Wired connection 1 458e8070-3a5b-41a2-9946-25b519bfc8f4 ethernet -- Change the assignment of an IP address to the DLS appliance's network interface from manual to automatic. Copy Copied! $ sudo nmcli conn edit "connection-name" ipv4.method auto connection-name The connection name that you obtained in the previous step. This example changes the assignment of an IP address to the DLS appliance's network interface Wired connection 1 from manual to automatic. Copy Copied! $ sudo nmcli conn edit "Wired connection 1" ipv4.method auto Remove the static IP address that was set for the DLS appliance from the DNS settings of the appliance's network interface. Copy Copied! $ sudo nmcli conn edit "connection-name" -ipv4.addresses ip-address-to-remove connection-name The connection name that you specified in the previous step. ip-address-to-remove The IP address that you want to remove, which is the static IP address that was set for the DLS appliance's network interface. This example removes the IP address 192.0.2.89 from the DNS settings of the DLS appliance's network interface Wired connection 1. Copy Copied! $ sudo nmcli conn edit "Wired connection 1" -ipv4.addresses 192.0.2.89 Restart the DLS appliance's networking service. Stop the DLS appliance's networking service. Copy Copied! $ sudo nmcli networking off Start the networking service. Copy Copied! $ sudo nmcli networking on Restart the VM that hosts the DLS appliance.

The host name of a VM-based DLS virtual appliance is preset in the virtual appliance image. If you require a specific host name, you can change the name from the hypervisor. Each DLS virtual appliance provides a shell script specifically for this purpose.

Note: You can perform this task only on a VM-based DLS virtual appliance. You cannot perform this task on a containerized DLS software image. Instead, you can use standard interfaces of the OS on which the container orchestration platform is running to make this change.





Use the hypervisor management console of the appliance to log in as the user dls_admin to the VM that hosts the DLS appliance. If the dls_admin user has not been registered, you can still log in to the VM as the dls_admin user with the default password welcome . Run the /etc/adminscripts/set-hostname.sh script. Copy Copied! $ /etc/adminscripts/set-hostname.sh When prompted, enter your choice of new host name for the VM-based DLS virtual appliance.

You can use the management interface to the NVIDIA Licensing application to expand the disk space of the DLS virtual appliance.



Note: You can perform this task only on a VM-based DLS virtual appliance. You cannot perform this task on a containerized DLS software image. Instead, you can use standard interfaces of the OS on which the container orchestration platform is running to make this change.



Perform this task on the Hypervisor where your DLS appliance is installed.



Turn off the virtual machine. Expand the virtual hard disk associated to the VM through the hypervisor console. Right-click on the VM and navigate to the Edit Settings. Expand the disk space from the console. Click OK to confirm. Start the virtual machine. Use the hypervisor management console of the appliance to log in as the user dls_admin to the VM that hosts the DLS virtual appliance. If the dls_admin user has not been registered, you can still log in to the VM as the dls_admin user with the default password welcome . Run the following script: /etc/adminscripts/expand_disk.sh Ignore the log message that says: Copy Copied! Information: you may need to update /etc/fstab Validate the disk size for the /dev/mapper/vgnls--si--0-root using the df -h command.

Note: In the case of ESXi, Hyper V, and KVM, each DLS virtual machine should be imported from the respective image of the hypervisor. If the virtual machines are cloned or created by snapshot, you will not be able to edit or expand the disk from the hypervisor console.