[slurm-users] [External] Re: What is an easy way to prevent users run programs on the master/login node.
Prentice Bisbal
pbisbal at pppl.gov
Tue Apr 27 15:40:18 UTC 2021
Using limits.conf is not a very good approach. Limits in
/etc/security/limits.conf apply to each individual shell, so an
individual user can still abuse a login node by running tasks in
multiple shells. Cgroups, which is implemented in the kernel and takes a
system-wide view or resource usage is a much better option.
Also, /etc/security/limits.conf is applied by PAM, so if someone gets
onto a system in a way that bypasses PAM, this limits will not be
applied to those shells. One way top bypass PAM to use SSH with
public/private keys.
Prentice
On 4/24/21 4:03 AM, Ole Holm Nielsen wrote:
> On 24-04-2021 04:37, Cristóbal Navarro wrote:
>> Hi Community,
>> I have a set of users still not so familiar with slurm, and yesterday
>> they bypassed srun/sbatch and just ran their CPU program directly on
>> the head/login node thinking it would still run on the compute node.
>> I am aware that I will need to teach them some basic usage, but in
>> the meanwhile, how have you solved this type of user-behavior
>> problem? Is there a preffered way to restrict the master/login
>> resources, or actions, to the regular users ?
>
> We restrict user limits in /etc/security/limits.conf so users can't
> run very long or very big tasks on the login nodes:
>
> # Normal user limits
> * hard cpu 20
> * hard rss 50000000
> * hard data 50000000
> * soft stack 40000000
> * hard stack 50000000
> * hard nproc 250
>
> /Ole
>
More information about the slurm-users
mailing list