You shouldn't need to muck with slurm cgroups code nor use a full
chroot solution to remove access to certain filesystems for unauthorized
jobs. You can write a simple plugin to put the job in a private
namespace via the unshare(2) system call, mark the new filesystem
tree private, then unmount
You may also be able to use pam_namespace(8) which should exist
in most distros already.
I also have a little lua library that binds the unshare(2)
and chroot(2) system calls, which might be useful with the
spank/lua plugin (We use it to create per-job /tmp and /dev/shm
directories, and to
The pam_namespace sounds really interesting and seems to do the equivalent
and much more, I will keep that in mind for next unshare related works and
forget about pam_unshare :).
Regards,
Matthieu
2012/12/17 Mark A. Grondona mgrond...@llnl.gov
You may also be able to use pam_namespace(8)
Hi Marcin,
Could you describe the use case for preventing access when the lustre license
isn't specified? That might help me offer a better solution.
Off the top of my head I could see using prolog/epilog scripts to mount and
unmount lustre as required however this only works if your nodes
2012/12/16 Aaron Knister aaron.knis...@gmail.com
Hi Marcin,
Hi Aaron,
Could you describe the use case for preventing access when the lustre
license isn't specified? That might help me offer a better solution.
For instance, I know that my lustre installation can support efficiently
only
If you define 20 lustre licenses in Slurm and every job using those
resources requests a license that should work. Linux cgroups could
prevent file system for jobs without a license, but that would require
some non-trivial changes to the Slurm code.
Quoting Marcin Stolarek
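
An added example, not code from anyone in this thread: the unshare(2), mark-private, unmount sequence described in the first message, applied only when the job's license request does not name `lustre`, as in the license discussion above. The `name[:count]` license format, the `/mnt/lustre` path and both function names are assumptions, and the caller must hold CAP_SYS_ADMIN (for example a job-launch hook that runs before privileges are dropped).

```c
#define _GNU_SOURCE            /* unshare(), CLONE_NEWNS */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#ifndef CLONE_NEWNS            /* fallback if _GNU_SOURCE came too late */
#define CLONE_NEWNS 0x00020000
extern int unshare(int flags);
#endif

/* 1 if `name` is in a comma-separated request like "lustre:2,matlab"
 * (assumed format: name[:count]); 0 otherwise. */
int job_requests_license(const char *licenses, const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (!licenses || n == 0) return 0;
    for (const char *p = licenses; *p; ) {
        size_t len = strcspn(p, ",");
        if (len >= n && !strncmp(p, name, n) && (len == n || p[n] == ':'))
            return 1;
        p += len + (p[len] == ',');
    }
    return 0;
}

/* Detach `mountpoint` for this process and its children only.
 * Needs CAP_SYS_ADMIN; returns 0, or -1 with errno set. */
int hide_filesystem(const char *mountpoint)
{
    if (!mountpoint || mountpoint[0] != '/') { errno = EINVAL; return -1; }
    if (unshare(CLONE_NEWNS) < 0)          /* private copy of mount table */
        return -1;
    /* Make the tree private first: on a shared tree the unmount below
     * would otherwise propagate back to the host namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -1;
    return umount2(mountpoint, MNT_DETACH); /* lazy: open files don't block */
}

int main(int argc, char **argv)
{
    /* argv[1]: the job's license string; /mnt/lustre is a placeholder */
    const char *lic = argc > 1 ? argv[1] : "";
    if (!job_requests_license(lic, "lustre") && hide_filesystem("/mnt/lustre") < 0)
        perror("hide_filesystem");
    return 0;
}
```

Because the mount namespace is inherited across fork and exec, everything the job starts afterwards sees the same reduced mount table, while other jobs on the node are unaffected.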