On Wed, Aug 14, 2019 at 05:11:02PM +0200, Nicolas FOURNIALS wrote:
> Hi,
> Le 14/08/2019 à 16:35, Andreas Haupt a écrit :
> > Preventing access to the 'wrong' gpu devices by "malicious jobs" is not
> > that easy. An idea could be to e.g. play with device permissions.
> That's what we do by having /dev/nvidia[0-n] files owned by root and with
> permissions 660.
> Prolog (executed as root) changes the file owner to give it to the user
> running the job. Epilog gives the file back to root.
We do something similar but change the group of the device to match the one
assigned to the job.  This allows for multiple jobs from the same user 
without interference.  You have to set a magic kernel option
to prevent ther permissions on the device files from auto-changing.


Attachment: signature.asc
Description: PGP signature

users mailing list

Reply via email to