On 14/08/2019 at 16:35, Andreas Haupt wrote:
> Preventing access to the 'wrong' gpu devices by "malicious jobs" is not
> that easy. An idea could be to e.g. play with device permissions.

That's what we do by having /dev/nvidia[0-n] files owned by root and with permissions 660. Prolog (executed as root) changes the file owner to give it to the user running the job. Epilog gives the file back to root.
It works fine for us.
If we had no possibility to run prolog/epilog as root, we'd have had the possibility to write a small script taking care of the owner change, that we'd have run with sudo in the prolog; the protection would have been less effective (a malicious user could search for the script and call it himself) but it prevents any mistaken use of a GPU not attributed to the job.


Nicolas Fournials
System administrator
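
The prolog/epilog ownership change described in the message above, sketched as an added shell example; it is not the poster's script. It assumes the scheduler passes the job owner and a comma-separated list of GPU indices as arguments, and `DEV_DIR` and `IDLE_UID` are hypothetical overrides so the logic can be tried on scratch files.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: the scheduler passes
# the job owner and a comma-separated list of GPU indices to the prolog and
# epilog; DEV_DIR and IDLE_UID are hypothetical overrides for dry runs.
DEV_DIR=${DEV_DIR:-/dev}
IDLE_UID=${IDLE_UID:-0}        # uid that owns a GPU nobody is using (root)

# Print the device path for every index in the list, or fail before
# anything is changed. Only digits and commas are accepted, so a crafted
# value cannot point chown at another file.
gpu_paths() {
    case $1 in
        ''|*[!0-9,]*|,*|*,|*,,*) echo "invalid GPU list: $1" >&2; return 1 ;;
    esac
    for idx in $(printf '%s' "$1" | tr ',' ' '); do
        [ -e "$DEV_DIR/nvidia$idx" ] || { echo "no nvidia$idx" >&2; return 1; }
        printf '%s\n' "$DEV_DIR/nvidia$idx"
    done
}

# Prolog: hand the listed GPUs to the job owner, but only if every one is
# still owned by IDLE_UID. A device held by another uid means an earlier
# epilog did not run, so refuse rather than reassign it.
gpu_prolog() {
    paths=$(gpu_paths "$2") || return 1
    for dev in $paths; do
        owner=$(stat -c %u "$dev")          # GNU stat: numeric owner
        if [ "$owner" != "$IDLE_UID" ]; then
            echo "$dev is held by uid $owner, refusing" >&2
            return 1
        fi
    done
    for dev in $paths; do
        chown "$1" "$dev" && chmod 660 "$dev" || return 1
    done
}

# Epilog: return the GPUs to IDLE_UID and restore mode 660.
gpu_epilog() {
    paths=$(gpu_paths "$1") || return 1
    for dev in $paths; do
        chown "$IDLE_UID" "$dev" && chmod 660 "$dev" || return 1
    done
}
```

A prolog would call `gpu_prolog <job owner> <gpu list>` and the epilog `gpu_epilog <gpu list>`, both as root.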