[slurm-users] [External] Re: What is an easy way to prevent users run programs on the master/login node.

Prentice Bisbal pbisbal at pppl.gov
Tue Apr 27 15:40:18 UTC 2021

Using limits.conf is not a very good approach. Limits in 
/etc/security/limits.conf apply to each individual shell, so an 
individual user can still abuse a login node by running tasks in 
multiple shells. Cgroups, which is implemented in the kernel and takes a 
system-wide view or resource usage is a much better option.

Also, /etc/security/limits.conf is applied by PAM, so if someone gets 
onto a system in a way that bypasses PAM, this limits will not be 
applied to those shells. One way top bypass PAM to use SSH with 
public/private keys.


On 4/24/21 4:03 AM, Ole Holm Nielsen wrote:
> On 24-04-2021 04:37, Cristóbal Navarro wrote:
>> Hi Community,
>> I have a set of users still not so familiar with slurm, and yesterday 
>> they bypassed srun/sbatch and just ran their CPU program directly on 
>> the head/login node thinking it would still run on the compute node. 
>> I am aware that I will need to teach them some basic usage, but in 
>> the meanwhile, how have you solved this type of user-behavior 
>> problem? Is there a preffered way to restrict the master/login 
>> resources, or actions,  to the regular users ?
> We restrict user limits in /etc/security/limits.conf so users can't 
> run very long or very big tasks on the login nodes:
> # Normal user limits
> *               hard    cpu             20
> *               hard    rss             50000000
> *               hard    data            50000000
> *               soft    stack           40000000
> *               hard    stack           50000000
> *               hard    nproc           250
> /Ole

More information about the slurm-users mailing list