Re: [slurm-dev] Re: Qos limits associations and AD auth Hey Benjamin,
I am sorry english is not my mother language, so I barely understand
what you wrote
can you explain when you have more time?
Thanks, Nadav
On 18/10/2017 17:59, Benjamin LIPERE wrote:
Sorry, bad Phone typo
Le 18 oct. 2017 08:07, "Benjamin LIPERE" <<!-- tmpl_var LEFT_BRACKET
-->1<!-- tmpl_var RIGHT_BRACKET -->benjamin.lipere...@gmail.com>
a écrit :
Wellington, for security, first wrong starting. HPC not secure.
Except if you have à 10pers team. I hope that at list you put thé
cluster behind a router firewall in à militarisation zone. If you
d'idées not second score in your ass, Man. Also thé third screw is
that you let ssh access to not trusted student. You can't secure
that. Oh, you can try, but éther your job won't running, except if
you code thèm compatible with your security, or your security
rules will be non-sense to impress your boss that you are awesome.
That mean that you cut ssh or put it in à conteneur systèm. That
were you start for security on a HPC. After that you May add somme
quota with thé scheduler, but be carefull not crashing your jobs.Do
you have Skype ?
Le 18 oct. 2017 07:47, "Nadav Toledo" <<!-- tmpl_var LEFT_BRACKET -->2<!--
tmpl_var RIGHT_BRACKET -->nadavtol...@cs.technion.ac.il>
a écrit :
can you ellaborate what exactly you mean by web portal?
at the moment users are logging to login server via ssh with
their AD credentials, these creds are being auth against AD
via pbis-open
What do you suggest I add to these mechanism and how it will
help me with slurm?
On 18/10/2017 08:43, Benjamin LIPERE wrote:
Yo. Put à freaking Web portail, if you add this to thé
cluster you and your student will have to manage it. The
will get bad habit of it. Or installé à singularity
cluster. You Can code all this in à afternoon easy.
Le 18 oct. 2017 07:35, "Nadav Toledo" <<!-- tmpl_var LEFT_BRACKET
-->3<!-- tmpl_var RIGHT_BRACKET -->nadavtol...@cs.technion.ac.il>
a écrit :
Sorry for all the wierd symbols, I was copying the
code from linux terminal
here is the clean code(I hope):
if ((accounting_enforce & ACCOUNTING_ENFORCE_QOS)
&& assoc_ptr
&& !admin
&& (!assoc_ptr->usage->valid_qos
|| !bit_test(assoc_ptr->usage->valid_qos,
qos_rec->id))) {
error("This association %d(account='%s', "
"user='%s', partition='%s') does not have "
"access to qos %s",
assoc_ptr->id, assoc_ptr->acct, assoc_ptr->user,
assoc_ptr->partition, qos_rec->name);
*error_code = ESLURM_INVALID_QOS;
return NULL;
}
if (assoc_mgr_fill_in_assoc(acct_db_conn, &assoc_rec,
accounting_enforce, &assoc_ptr, false)) {
info("_job_create: invalid account or partition for
user %u, "
"account '%s', and partition '%s'",
job_desc->user_id, assoc_rec.acct,
assoc_rec.partition);
error_code = ESLURM_INVALID_ACCOUNT;
goto cleanup_fail;
On 18/10/2017 08:26, Nadav Toledo wrote:
Hey everyone,
I am working at a university and we trying to
setup a slurm cluster for courses and research.
for the courses we would like to enforce qos on
users that can connect via pbis-open auth. meaning
they are authenticating against AD server.
There are alot of users and each semester they are
changing.
My question is, how can i achieve :
A. enforce qosן¿½ (AccountingStorageEnforce=limits,qos)
B. Don't enforce associations , meaning anyone who
can login to the server can submit jobs
C. having slurmdbd record each user activity
D. The users are not in /etc/passwd, loging being
made by pbis-open
about B:ן¿½ The reason is I dont want to manually
adding each user to the slurm database (sacctmgr
create user...)
Regarding A+B:
I have seen this answer :<!-- tmpl_var LEFT_BRACKET -->4<!--
tmpl_var RIGHT_BRACKET
-->https://groups.google.com/forum/#!msg/slurm-devel/9Iu4c_qTb8w/ec0O36eW7dsJ;context-place=searchin/slurm-devel/Association$20ldap|sort:relevance
But for me atleast it doesn't seem to work, I
comment out the following code(inside
src/slurmctld/job_mgr.c), then make clean, make,
make install, still got the error: srun: error:
Unable to allocate resources: Invalid account or
account/partition combination specified
the error on slurmctld :
slurmctld: error: User 243309139 not found
slurmctld: _job_create: invalid account or
partition for user 243309139, account '(null)',
and partition 'all'
slurmctld: _slurm_rpc_allocate_resources: Invalid
account or account/partition combination specified
(243309139ן¿½ is the uid of a user auth against AD
server, and doesn't show up in passwd nor in slurm
database)
/*ן¿½ן¿½ן¿½ן¿½ן¿½ if ((accounting_enforce &
ACCOUNTING_ENFORCE_QOS)
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ && assoc_ptr
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ && !admin
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ &&
(!assoc_ptr->usage->valid_qos
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ ||
!bit_test(assoc_ptr->usage->valid_qos,
qos_rec->id))) {
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
error("This association %d(account='%s', "
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
"user='%s', partition='%s') does not have "
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
"access to qos %s",
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
assoc_ptr->id, assoc_ptr->acct, assoc_ptr->user,
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
assoc_ptr->partition, qos_rec->name);
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
*error_code = ESLURM_INVALID_QOS;
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
return NULL;
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ }
*/
perhaps I should do something with these lines
(same file)?
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ if
(assoc_mgr_fill_in_assoc(acct_db_conn, &assoc_rec,
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
accounting_enforce, &assoc_ptr, false)) {
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
info("_job_create: invalid account or partition
for user %u, "
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
"account '%s', and partition '%s'",
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
job_desc->user_id, assoc_rec.acct,
assoc_rec.partition);
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½
error_code = ESLURM_INVALID_ACCOUNT;
ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ן¿½ goto
cleanup_fail;
Thank you all for helping, Nadav
<!-- tmpl_var LEFT_BRACKET -->1<!-- tmpl_var RIGHT_BRACKET -->
mailto:benjamin.lipere...@gmail.com
<!-- tmpl_var LEFT_BRACKET -->2<!-- tmpl_var RIGHT_BRACKET -->
mailto:nadavtol...@cs.technion.ac.il
<!-- tmpl_var LEFT_BRACKET -->3<!-- tmpl_var RIGHT_BRACKET -->
mailto:nadavtol...@cs.technion.ac.il
<!-- tmpl_var LEFT_BRACKET -->4<!-- tmpl_var RIGHT_BRACKET -->
https://groups.google.com/forum/#%21msg/slurm-devel/9Iu4c_qTb8w/ec0O36eW7dsJ;context-place=searchin/slurm-devel/Association$20ldap
