[slurm-users] CommunicationParameters=block_null_hash issue in 21.08.8

Marcus Boden mboden at gwdg.de
Thu May 5 12:45:55 UTC 2022


Hi Ole,

We had similar issues on our systems. As I understand from the bug you 
linked, we just need to wait until all the old jobs are finished (and 
the old slurmstepd are gone). So a full drain should not be necessary?

Best,
Marcus

On 05.05.22 13:53, Ole Holm Nielsen wrote:
> Just a heads-up regarding setting 
> CommunicationParameters=block_null_hash in slurm.conf:
> 
> On 5/4/22 21:50, Tim Wickberg wrote:
>> CVE-2022-29500:
>>
>> An architectural flaw with how credentials are handled can be 
>> exploited to allow an unprivileged user to impersonate the SlurmUser 
>> account. Access to the SlurmUser account can be used to execute 
>> arbitrary processes as root.
>>
>> This issue impacts all Slurm releases since at least Slurm 1.0.0.
>>
>> Systems remain vulnerable until all slurmdbd, slurmctld, and slurmd 
>> processes have been restarted in the cluster.
>>
>> Once all daemons have been upgraded sites are encouraged to add 
>> "block_null_hash" to CommunicationParameters. That new option provides 
>> additional protection against a potential exploit.
> 
> The block_null_hash still needs to be documented in the slurm.conf 
> man-page.  But in https://bugs.schedmd.com/show_bug.cgi?id=14002 I was 
> assured that it's OK to use it now.
> 
> I upgraded 21.08.7 to 21.08.8 using RPM packages while the cluster was 
> running production jobs.  This is perhaps not recommended (see 
> https://slurm.schedmd.com/quickstart_admin.html#upgrade), but it worked 
> without a glitch also in this case.
> 
> However, when I defined CommunicationParameters=block_null_hash in 
> slurm.conf later today, I started getting RPC errors on the compute 
> nodes and in slurmctld when jobs were completing, see bug 14002.
> 
> I would recommend sites to hold up a bit with 
> CommunicationParameters=block_null_hash until we have found a resolution 
> in bug 14002.  Draining all jobs from the cluster before setting this 
> parameter may be the safe approach(?).
> 
> /Ole
> 

-- 
Marcus Vincent Boden, M.Sc. (he/him)
AG Computing
Tel.:   +49 (0)551 201-2191, E-Mail: mboden at gwdg.de
-------------------------------------------------------------------------
Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen 
(GWDG) Burckhardtweg 4, 37077 Göttingen, URL: https://gwdg.de

Support: Tel.: +49 551 39-30000, URL: https://gwdg.de/support
Secretariat: Tel.: +49 551 39-30001, E-Mail: gwdg at gwdg.de

Managing Director: Prof. Dr. Ramin Yahyapour
Chairman of the Supervisory Board: Prof. Dr. Norbert Lossau
Registered office: Göttingen
Court of registration: Göttingen, commercial register no. B 598

Certified according to ISO 9001
-------------------------------------------------------------------------
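
A per-node check for slurmstepd processes left over from before the upgrade, which is the condition discussed in the message above. This is an added example, not part of the original thread and not SchedMD code. It assumes slurmd was restarted at upgrade time, that `ps` supports the `etimes` field, and that the process names are `slurmd` and `slurmstepd`; the function name and sample data are constructed.

```shell
#!/usr/bin/env bash
# Assumption: slurmd was restarted when the node was upgraded, so any
# slurmstepd that has been running longer than slurmd predates the upgrade
# and is still the old binary.

# stale_stepds: reads "PID ELAPSED_SECONDS COMMAND" lines on stdin (the
# format of `ps -eo pid=,etimes=,comm=`) and prints the PIDs of slurmstepd
# processes older than the most recently started slurmd.
# Exit status: 0 = none left, 1 = stale steps remain,
#              2 = no slurmd found (cannot decide).
stale_stepds() {
    awk '
        $3 == "slurmd" {
            if (!seen || $2 < slurmd_age) slurmd_age = $2
            seen = 1
        }
        $3 == "slurmstepd" { pid[++n] = $1; age[n] = $2 }
        END {
            if (!seen) exit 2
            for (i = 1; i <= n; i++)
                if (age[i] > slurmd_age) { print pid[i]; stale = 1 }
            exit stale
        }'
}

# Constructed sample: slurmd restarted 3600 s ago, one step started a day
# earlier (stale) and one started after the restart (new binary).
sample='1201 3600 slurmd
2310 86400 slurmstepd
4555 120 slurmstepd'

check_sample() { printf '%s\n' "$sample" | stale_stepds; }

# On a real compute node:
#   ps -eo pid=,etimes=,comm= | stale_stepds
```

Exit status 0 on every node means no steps from before the slurmd restart are still running there.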