[GE users] sanity check on idea to use project value to do fairshare among users with same uid

Charu Chaubal Charu.Chaubal at Sun.COM
Wed Nov 10 18:19:47 GMT 2004


Hi Chris,

I think using GE projects per user is the ideal way of doing this.  The 
main thing to be concerned about is security.  There are a few security 
concerns with GE that I can think of if the job script is not 
validated, then a job could do bad things to any other job, eg, qdel, 
switch pending jobs to another project with qalter, etc.  This won't 
happen if the job script is written by the admin or if the exec hosts 
are not submit hosts.

Other security concerns have to do with Unix-based permissions.  A job 
on one host could potentially kill other jobs on the same host because 
it's all the same user.  If RPC is turned on, then jobs on one host can 
affect jobs on other hosts too.

To avoid jobs affecting jobs on other hosts, you would simply turn off 
rsh, ssh, etc.  To avoid jobs affecting each other on the same host, 
you could just run one slot per host.

Or, with Solaris 10, you could split each exec host into any number of 
independent containers, eg, one per CPU, and each would be completely 
isolated from the other.

Regards,
	Charu

On Nov 10, 2004, at 10:05 AM, Chris Dagdigian wrote:

>
> Hi folks,
>
> I've got a web portal situation where many different scientific 
> applications are fronted by CGIs. Behind the scenes the CGIs are 
> talking to Grid Engine to load balance across apple and linux 
> clusters.
>
> Because the jobs are coming from the web; they all run under the same 
> UID and Grid Engine just sees a ton of jobs being run by user "apache" 
> or "www" or whatever.
>
> Grid Engine can not effectively do fairshare-by-user when all it sees 
> is many jobs being submitted by the webserver.
>
> So we have the potential for one user out of many web portal users to 
> grab a huge percentage of cluster resources. Grid Engine has no way to 
> sort this out.
>
> There is no desire to provide commandline access to the cluster so 
> there will never be a per-user unique userid set up.
>
> What I've come up with was this:
>
> 1. Each web user gets a Grid Engine project created with their 
> portal-username. This is done automatically each time a new web portal 
> user is created.
>
> 2. The portal CGIs are modified to pass on "-P <username>" whenever 
> they do a qsub or qrsh
>
> 3. Adjust Grid Engine 5.3 or 6.0u1 policies such that "Project" is 
> highly weighted within the fairshare or sharetree policies
>
>
> The end result is that by hijacking the Grid Engine project mechanism 
> I can effectively get fairshare-by-user even when all the jobs are 
> submitted with the same UID.
>
> This appears to work and I can even now do per-user resource 
> accounting tracking with grid engine by doing:
>
> # Get per user usage stats:
> $ qacct -P <portal-username>
>
>
> Just wanted to throw this out there to see if anyone sees any nasty 
> problems that could come back to bite me. Anyone see any problems with 
> Grid Engine if used in a setting where for each user there is an 
> associated project object?
>
>
> Regards,
> Chris
>
>
> -- 
> Chris Dagdigian, <dag at sonsorol.org>
> BioTeam  - Independent life science IT & informatics consulting
> Office: 617-665-6088, Mobile: 617-877-5498, Fax: 425-699-0193
> PGP KeyID: 83D4310E iChat/AIM: bioteamdag  Web: http://bioteam.net
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
> For additional commands, e-mail: users-help at gridengine.sunsource.net
>
>
###############################################################
# Charu V. Chaubal				# Phone: (650) 786-7672 (x87672)
# Grid Computing Technologist	# Fax:   (650) 786-4591
# Sun Microsystems, Inc.			# Email: charu.chaubal at sun.com
###############################################################


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net




More information about the gridengine-users mailing list