Hi,
Le 14/08/2019 à 16:35, Andreas Haupt a écrit :
Preventing access to the 'wrong' gpu devices by "malicious jobs" is not
that easy. An idea could be to e.g. play with device permissions.
That's what we do by having /dev/nvidia[0-n] files owned by root and
with permissions 660.
Prolog (executed as root) changes the file owner to give it to the user
running the job. Epilog gives the file back to root.
It works fine for us.
If we had no possibility to run prolog/epilog as root, we'd have had the
possibility to write a small script caring about the owner change, that
we'd have run with sudo in the prolog; the protection would have been
less effective (a malicious user could search for the script and call it
himself) but that prevents any mistaken use of a GPU not attributed to
the job.
Regards,
--
Nicolas Fournials
System administrator
CC-IN2P3/CNRS
_______________________________________________
users mailing list
users@gridengine.org
https://gridengine.org/mailman/listinfo/users
