Well, for security, first wrong start. HPC is not secure. Except if
you have a 10-person team. I hope that at least you put the cluster behind a
router firewall in a militarisation zone. If you did not, second screw
in your ass, man. Also the third screw is that you let ssh access to
untrusted students. You can't secure that. Oh, you can try, but either your jobs
won't run, except if you code them compatible with your security, or
your security rules will be nonsense to impress your boss that you are
awesome.
That means that you cut ssh or put it in a container system. That is where you
start for security on an HPC. After that you may add some quota with the
scheduler, but be careful not to crash your jobs.
Do you have Skype?

On 18 Oct 2017 07:47, "Nadav Toledo" <nadavtol...@cs.technion.ac.il>
wrote:

> Can you elaborate on what exactly you mean by web portal?
> At the moment users are logging in to the login server via ssh with their AD
> credentials; these creds are being authenticated against AD via pbis-open.
> What do you suggest I add to this mechanism and how will it help me with
> slurm?
>
> On 18/10/2017 08:43, Benjamin LIPERE wrote:
>
> Yo. Put a freaking web portal; if you add this to the cluster, you and
> your students will have to manage it. They will get bad habits from it. Or
> install a Singularity cluster. You can code all this in an afternoon, easy.
>
> On 18 Oct 2017 07:35, "Nadav Toledo" <nadavtol...@cs.technion.ac.il>
> wrote:
>
>> Sorry for all the weird symbols, I was copying the code from a linux
>> terminal.
>> Here is the clean code (I hope):
>>
>> if ((accounting_enforce & ACCOUNTING_ENFORCE_QOS)
>>     && assoc_ptr
>>     && !admin
>>     && (!assoc_ptr->usage->valid_qos
>>     || !bit_test(assoc_ptr->usage->valid_qos, qos_rec->id))) {
>>         error("This association %d(account='%s', "
>>             "user='%s', partition='%s') does not have "
>>             "access to qos %s",
>>             assoc_ptr->id, assoc_ptr->acct, assoc_ptr->user,
>>             assoc_ptr->partition, qos_rec->name);
>>         *error_code = ESLURM_INVALID_QOS;
>>         return NULL;
>>     }
>>
>>
>>
>> if (assoc_mgr_fill_in_assoc(acct_db_conn, &assoc_rec,
>>                          accounting_enforce, &assoc_ptr, false)) {
>>         info("_job_create: invalid account or partition for user %u, "
>>             "account '%s', and partition '%s'",
>>             job_desc->user_id, assoc_rec.acct, assoc_rec.partition);
>>         error_code = ESLURM_INVALID_ACCOUNT;
>>         goto cleanup_fail;
>>
>>
>>
>> On 18/10/2017 08:26, Nadav Toledo wrote:
>>
>> Hey everyone,
>> I am working at a university and we are trying to set up a slurm cluster for
>> courses and research.
>> For the courses we would like to enforce qos on users that can connect
>> via pbis-open auth, meaning they are authenticating against an AD server.
>> There are a lot of users and each semester they are changing.
>>
>> My question is, how can I achieve:
>>
>> A. enforce qos (AccountingStorageEnforce=limits,qos)
>> B. Don't enforce associations, meaning anyone who can log in to the
>> server can submit jobs
>> C. having slurmdbd record each user's activity
>> D. The users are not in /etc/passwd, login being made by pbis-open
>>
>> About B: the reason is I don't want to manually add each user to the
>> slurm database (sacctmgr create user...)
>>
>>
>> *Regarding A+B:* I have seen this answer:
>> https://groups.google.com/forum/#!msg/slurm-devel/9Iu4c_qTb8w/ec0O36eW7dsJ;context-place=searchin/slurm-devel/Association$20ldap|sort:relevance
>>
>> But for me at least it doesn't seem to work. I commented out the following
>> code (inside src/slurmctld/job_mgr.c), then make clean, make, make install,
>> and still got the error: srun: error: Unable to allocate resources: Invalid
>> account or account/partition combination specified
>>
>> the error on slurmctld :
>> slurmctld: error: User 243309139 not found
>> slurmctld: _job_create: invalid account or partition for user 243309139,
>> account '(null)', and partition 'all'
>> slurmctld: _slurm_rpc_allocate_resources: Invalid account or
>> account/partition combination specified
>>
>> (243309139 is the uid of a user authenticated against the AD server, and doesn't
>> show up in passwd nor in the slurm database)
>>
>> /*      if ((accounting_enforce & ACCOUNTING_ENFORCE_QOS)
>>             && assoc_ptr
>>             && !admin
>>             && (!assoc_ptr->usage->valid_qos
>>                 || !bit_test(assoc_ptr->usage->valid_qos, qos_rec->id))) {
>>                 error("This association %d(account='%s', "
>>                       "user='%s', partition='%s') does not have "
>>                       "access to qos %s",
>>                       assoc_ptr->id, assoc_ptr->acct, assoc_ptr->user,
>>                       assoc_ptr->partition, qos_rec->name);
>>                 *error_code = ESLURM_INVALID_QOS;
>>                 return NULL;
>>         }
>> */
>>
>> Perhaps I should do something with these lines (same file)?
>>       if (assoc_mgr_fill_in_assoc(acct_db_conn, &assoc_rec,
>>                                   accounting_enforce,
>>                                   &assoc_ptr, false)) {
>>                 info("_job_create: invalid account or partition for user %u, "
>>                      "account '%s', and partition '%s'",
>>                      job_desc->user_id, assoc_rec.acct, assoc_rec.partition);
>>                 error_code = ESLURM_INVALID_ACCOUNT;
>>                 goto cleanup_fail;
>>
>>
>> Thank you all for helping, Nadav
>>
>>
>>
>
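
Requirement B above (no manual `sacctmgr create user...` per student) can be met without patching the association check out of slurmctld, by generating the registrations from a roster. The following is an added example, not code from the thread or from Slurm; the roster file, the list of already-registered users and the account name `course101` are assumptions.

```shell
#!/bin/sh
# Added example: plan the sacctmgr calls that register roster users who have
# no Slurm user record yet, so AccountingStorageEnforce can stay enabled.
#
# Assumed inputs (not from the thread):
#   ROSTER   - one login name per line (e.g. exported from the AD course group)
#   EXISTING - one login name per line, e.g. produced with:
#                sacctmgr -nP show user format=user > existing.txt
#   ACCOUNT  - Slurm account the course users are attached to
#
# Output: one "sacctmgr -i add user ..." line per missing user. The plan is
# printed instead of executed so it can be reviewed before it is applied.
plan_slurm_users() (
    roster=$1
    existing=$2
    account=$3
    while IFS= read -r user || [ -n "$user" ]; do
        # Reject blanks and anything that is not a plain login name, so a
        # roster line can never smuggle extra arguments into the command.
        case $user in
            '' | *[!A-Za-z0-9._-]*) continue ;;
        esac
        # Already registered: nothing to plan for this user.
        grep -Fxq -- "$user" "$existing" && continue
        printf 'sacctmgr -i add user name=%s account=%s\n' "$user" "$account"
    done < "$roster"
)
```
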
