[slurm-users] What is an easy way to prevent users run programs on the master/login node.

Bas van der Vlies bas.vandervlies at surf.nl
Thu May 20 14:28:01 UTC 2021

same here we use the systemd user slice in out pam stack:
# Setup for local and ldap  logins
session required   pam_systemd.so
session required   pam_exec.so seteuid type=open_session 

#!/bin/sh -e

PAM_UID=$(getent passwd "${PAM_USER}" | cut -d: -f3)

if [ "${PAM_UID}" -ge 1000 ]; then
     /bin/systemctl set-property "user-${PAM_UID}.slice" CPUQuota=400% 
CPUAccounting=true MemoryLimit=16G MemoryAccounting=true

and also kill process that use to much time and exlude some processes:

On 20/05/2021 16:03, mercan wrote:
> Hi;
> We use a bash script to watch and kill users' processes, if they exceed 
> the our cpu and memory limits. Also this solution ensures total usage of 
> cpu or memory can not exceed because of a lot of well behaved users as 
> well as a bad user:
> https://github.com/mercanca/kill_for_loginnode.sh
> Ahmet M.
> 20.05.2021 15:40 tarihinde Timo Rothenpieler yazdı:
>> On 24.04.2021 04:37, Cristóbal Navarro wrote:
>>> Hi Community,
>>> I have a set of users still not so familiar with slurm, and yesterday 
>>> they bypassed srun/sbatch and just ran their CPU program directly on 
>>> the head/login node thinking it would still run on the compute node. 
>>> I am aware that I will need to teach them some basic usage, but in 
>>> the meanwhile, how have you solved this type of user-behavior 
>>> problem? Is there a preffered way to restrict the master/login 
>>> resources, or actions,  to the regular users ?
>>> many thanks in advance
>>> -- 
>>> Cristóbal A. Navarro
>> I just put a drop-in config file for systemd into
>> /etc/systemd/system/user-.slice.d/user-limits.conf
>>> [Slice]
>>> CPUQuota=800%
>>> MemoryHigh=48G
>>> MemoryMax=56G
>>> MemorySwapMax=0
>> Accompanied by another drop-in that resets all those limits for root.
>> This enforces that no single user can use up all CPUs (limited to 8 
>> Hyperthreads) and RAM, and can't cause the system to swap.
>> Other than that, we leave it to the users due diligence to not trash 
>> up the login nodes, which so far worked fine.
>> They occasionally compile stuff on the login nodes in preparation of 
>> runs, so I don't want to limit them too much.

Bas van der Vlies
| HPCV Supercomputing | Internal Services  | SURF | 
https://userinfo.surfsara.nl |
| Science Park 140 | 1098 XG Amsterdam | Phone: +31208001300 |
|  bas.vandervlies at surf.nl

More information about the slurm-users mailing list