Re: [slurm-dev] Re: Qos limits associations and AD auth

Hey Benjamin,

I am sorry, English is not my mother language, so I barely understand what you wrote. Can you explain when you have more time?
Thanks,
Nadav

On 18/10/2017 17:59, Benjamin LIPERE wrote:

Sorry, bad phone typo

On 18 Oct 2017 08:07, "Benjamin LIPERE" <benjamin.lipere...@gmail.com> wrote:

Wellington, for security, first wrong starting. HPC not secure. Except if you have a 10pers team. I hope that at least you put the cluster behind a router firewall in a militarisation zone. If you d'idées not second score in your ass, Man. Also the third screw is that you let ssh access to not trusted student. You can't secure that. Oh, you can try, but either your job won't running, except if you code them compatible with your security, or your security rules will be non-sense to impress your boss that you are awesome. That mean that you cut ssh or put it in a container system. That is where you start for security on a HPC. After that you may add some quota with the scheduler, but be careful not crashing your jobs. Do you have Skype?

On 18 Oct 2017 07:47, "Nadav Toledo" <nadavtol...@cs.technion.ac.il> wrote:

Can you elaborate what exactly you mean by web portal? At the moment users are logging in to the login server via ssh with their AD credentials; these creds are being auth against AD via pbis-open. What do you suggest I add to this mechanism and how will it help me with slurm?

On 18/10/2017 08:43, Benjamin LIPERE wrote:

Yo. Put a freaking web portal, if you add this to the cluster you and your student will have to manage it. They will get bad habit of it. Or install a singularity cluster. You can code all this in an afternoon easy.

On 18 Oct 2017 07:35, "Nadav Toledo" <nadavtol...@cs.technion.ac.il> wrote:

Sorry for all the weird symbols, I was copying the code from a Linux terminal. Here is the clean code (I hope):

    if ((accounting_enforce & ACCOUNTING_ENFORCE_QOS)
        && assoc_ptr
        && !admin
        && (!assoc_ptr->usage->valid_qos
            || !bit_test(assoc_ptr->usage->valid_qos, qos_rec->id))) {
        error("This association %d(account='%s', "
              "user='%s', partition='%s') does not have "
              "access to qos %s",
              assoc_ptr->id, assoc_ptr->acct, assoc_ptr->user,
              assoc_ptr->partition, qos_rec->name);
        *error_code = ESLURM_INVALID_QOS;
        return NULL;
    }

    if (assoc_mgr_fill_in_assoc(acct_db_conn, &assoc_rec,
                                accounting_enforce, &assoc_ptr, false)) {
        info("_job_create: invalid account or partition for user %u, "
             "account '%s', and partition '%s'",
             job_desc->user_id, assoc_rec.acct, assoc_rec.partition);
        error_code = ESLURM_INVALID_ACCOUNT;
        goto cleanup_fail;

On 18/10/2017 08:26, Nadav Toledo wrote:

Hey everyone,

I am working at a university and we are trying to set up a slurm cluster for courses and research. For the courses we would like to enforce qos on users that can connect via pbis-open auth, meaning they are authenticating against an AD server. There are a lot of users and each semester they are changing.

My question is, how can I achieve:

A. enforce qos (AccountingStorageEnforce=limits,qos)
B. Don't enforce associations, meaning anyone who can log in to the server can submit jobs
C. having slurmdbd record each user activity
D. The users are not in /etc/passwd, login being made by pbis-open

About B: The reason is I don't want to manually add each user to the slurm database (sacctmgr create user...)
Regarding A+B: I have seen this answer: https://groups.google.com/forum/#!msg/slurm-devel/9Iu4c_qTb8w/ec0O36eW7dsJ;context-place=searchin/slurm-devel/Association$20ldap|sort:relevance

But for me at least it doesn't seem to work. I comment out the following code (inside src/slurmctld/job_mgr.c), then make clean, make, make install, and still got the error:

    srun: error: Unable to allocate resources: Invalid account or account/partition combination specified

The error on slurmctld:

    slurmctld: error: User 243309139 not found
    slurmctld: _job_create: invalid account or partition for user 243309139, account '(null)', and partition 'all'
    slurmctld: _slurm_rpc_allocate_resources: Invalid account or account/partition combination specified

(243309139 is the uid of a user auth against the AD server, and doesn't show up in passwd nor in the slurm database)

    /*
    if ((accounting_enforce & ACCOUNTING_ENFORCE_QOS)
        && assoc_ptr
        && !admin
        && (!assoc_ptr->usage->valid_qos
            || !bit_test(assoc_ptr->usage->valid_qos, qos_rec->id))) {
        error("This association %d(account='%s', "
              "user='%s', partition='%s') does not have "
              "access to qos %s",
              assoc_ptr->id, assoc_ptr->acct, assoc_ptr->user,
              assoc_ptr->partition, qos_rec->name);
        *error_code = ESLURM_INVALID_QOS;
        return NULL;
    }
    */

Perhaps I should do something with these lines (same file)?

    if (assoc_mgr_fill_in_assoc(acct_db_conn, &assoc_rec,
                                accounting_enforce, &assoc_ptr, false)) {
        info("_job_create: invalid account or partition for user %u, "
             "account '%s', and partition '%s'",
             job_desc->user_id, assoc_rec.acct, assoc_rec.partition);
        error_code = ESLURM_INVALID_ACCOUNT;
        goto cleanup_fail;

Thank you all for helping,
Nadav
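
An added example, not part of the thread and not Slurm project code: requirement B can be approached by creating the Slurm users from a directory group automatically, which keeps the association check in job_mgr.c intact so that AccountingStorageEnforce=limits,qos still applies. It assumes a directory group and an existing Slurm account both named `course101` (hypothetical), and that `getent group` resolves AD groups through pbis-open; the sample data is constructed.

```shell
#!/bin/sh
# Added example: plan "sacctmgr add user" commands for directory group
# members that have no Slurm user yet, so the check in slurmctld stays on.
export LC_ALL=C

# Accept only conservative login names. The names come from the directory
# and end up on a root command line, so anything else is skipped.
valid_user() {
    case $1 in
        ''|*[!a-z0-9_.-]*) return 1 ;;
        [a-z_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# members_of <getent group line>  ->  one member per line
members_of() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# plan_adds <account> <members, one per line> <existing Slurm users>
# Prints one sacctmgr command per member that is not in Slurm yet.
plan_adds() {
    printf '%s\n' "$2" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        if ! valid_user "$u"; then
            printf 'skipped name failing validation: %s\n' "$u" >&2
            continue
        fi
        if printf '%s\n' "$3" | grep -qxF -- "$u"; then
            continue    # already has a Slurm user
        fi
        printf 'sacctmgr -i add user name=%s account=%s\n' "$u" "$1"
    done
}

# Constructed sample data (group line as printed by getent, user list as
# printed by "sacctmgr -n -P show user format=user").
SAMPLE_GROUP='course101:*:50001:alice,bob,EXAMPLE\dave'
SAMPLE_EXISTING='root
alice'

if [ "${1:-}" = "--live" ]; then
    grp=${2:?group name required}   # assumption: group name == account name
    plan_adds "$grp" "$(members_of "$(getent group "$grp")")" \
        "$(sacctmgr -n -P show user format=user)"
else
    plan_adds course101 "$(members_of "$SAMPLE_GROUP")" "$SAMPLE_EXISTING"
fi
```

The script only prints the commands; review the plan before piping it to `sh` as a Slurm administrator, for example from a cron job at the start of each semester.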