[slurm-users] CommunicationParameters=block_null_hash issue in 21.08.8
Ole Holm Nielsen
Ole.H.Nielsen at fysik.dtu.dk
Thu May 5 11:53:59 UTC 2022
Just a heads-up regarding setting CommunicationParameters=block_null_hash:
On 5/4/22 21:50, Tim Wickberg wrote:
> An architectural flaw with how credentials are handled can be exploited to
> allow an unprivileged user to impersonate the SlurmUser account. Access to
> the SlurmUser account can be used to execute arbitrary processes as root.
> This issue impacts all Slurm releases since at least Slurm 1.0.0.
> Systems remain vulnerable until all slurmdbd, slurmctld, and slurmd
> processes have been restarted in the cluster.
> Once all daemons have been upgraded sites are encouraged to add
> "block_null_hash" to CommunicationParameters. That new option provides
> additional protection against a potential exploit.
The block_null_hash still needs to be documented in the slurm.conf
man-page. But in https://bugs.schedmd.com/show_bug.cgi?id=14002 I was
assured that it's OK to use it now.
I upgraded 21.08.7 to 21.08.8 using RPM packages while the cluster was
running production jobs. This is perhaps not recommended (see
https://slurm.schedmd.com/quickstart_admin.html#upgrade), but it worked
without a glitch also in this case.
However, when I defined CommunicationParameters=block_null_hash in
slurm.conf later today, I started getting RPC errors on the compute nodes
and in slurmctld when jobs were completing, see bug 14002.
I would recommend that sites hold off a bit on
CommunicationParameters=block_null_hash until we have found a resolution
in bug 14002. Draining all jobs from the cluster before setting this
parameter may be the safe approach(?).
Ole Holm Nielsen
PhD, Senior HPC Officer
Department of Physics, Technical University of Denmark
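
A pre-flight check for the sequence described above (all daemons upgraded first, block_null_hash added afterwards), as an added example that is not part of the original post or of Slurm. The function names are hypothetical, the sample input is constructed, and the node list is assumed to be in the format printed by `sinfo -h -N -o '%N %v'`.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# MIN_VERSION: the fixed release for your release line; 21.08.8 is the one
# named in the post.
MIN_VERSION="${MIN_VERSION:-21.08.8}"

# version_ge A B: true when version A >= version B (uses sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Reads "node version" lines (format of: sinfo -h -N -o '%N %v') on stdin and
# prints every node whose slurmd is older than MIN_VERSION or reports no version.
nodes_below_min() {
    while read -r node ver; do
        [ -n "$node" ] || continue
        case "$ver" in
            [0-9]*.[0-9]*) version_ge "$ver" "$MIN_VERSION" || printf '%s\n' "$node" ;;
            *) printf '%s\n' "$node" ;;
        esac
    done
    return 0
}

# Reads slurm.conf text on stdin; succeeds when an uncommented
# CommunicationParameters line lists block_null_hash.
has_block_null_hash() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        tolower($0) ~ /^[ \t]*communicationparameters[ \t]*=/ {
            val = tolower($0); sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            n = split(val, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "block_null_hash") found = 1
        }
        END { exit !found }'
}

# Constructed sample inputs (not real cluster output); the last node line
# stands for a node that reports no slurmd version.
sample_nodes() {
    printf '%s\n' 'node001 21.08.8' 'node002 21.08.7' 'node003 21.08.8' 'node004 (null)'
}
sample_conf() {
    printf '%s\n' '#CommunicationParameters=block_null_hash' \
                  'CommunicationParameters=NoAddrCache,block_null_hash'
}

echo "slurmd below $MIN_VERSION or unknown: $(sample_nodes | nodes_below_min | tr '\n' ' ')"
if sample_conf | has_block_null_hash; then echo "block_null_hash: set"; else echo "block_null_hash: not set"; fi
```

On a live cluster, pipe the real `sinfo` output and slurm.conf into the two functions instead of the samples; an empty node list from nodes_below_min is the condition to wait for before enabling the option.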