[GE users] Access to machines

Chris Dagdigian dag at sonsorol.org
Wed Mar 14 16:04:27 GMT 2007

I'll regurgitate some stuff I said a while back in a different forum ...

In short, technical fixes or "sysadmin" approaches to mandating the  
use of a scheduler will never work in the long run. All you do is end  
up kicking off a technological arms race with your more savvy users.  
An upset user looking to game the system is always going to have far  
more time and motivation than an overworked cluster admin so  
generally it becomes a losing battle.

I've repeatedly found that it is far better in the long run to make  
the scheduler system (and proper use of it) a policy matter. Clear  
acceptable use policies need to be drafted with user input and  
clearly communicated to everyone.  After that, users who attempt to  
bypass or game the system are referred to their manager. A 2nd  
attempt to bypass the system gets reported up higher and a third  
attempt results in the loss of cluster login access and a possible  
referral to the HR department.

That said though, I work in commercial environments where scheduler  
policies are in place to enforce fairshare-by-user or are used to  
prioritize cluster resources according to very specific business,  
scientific or research goals. In those settings it is very easy to  
point out costs of dealing with users who repeatedly bypass the system.

Going back to the technical side .. One trick that I've seen done  
with grid engine takes advantage of the fact that all Grid Engine  
launched cluster tasks are all going to be a child process of a  
sge_shepherd daemon.  I've seen clusters where there was a recurring  
cron script that would search out and "kill -9" any user process that  
was not a child of a sge_shepherd. The end result was that nobody  
could run a job on a node unless it was under the control of the  

My $.02


On Mar 14, 2007, at 11:59 AM, Colin Thomas wrote:

> Hi,
> We have a number of machines being put onto our grid. By default  
> for a user to run on these machines they need to have an account on  
> that machine, which makes sense.
> We want though for them to be able to submit jobs through the grid,  
> BUT stop them from casually rsh/ssh'ing into the same node, and  
> running applications outside of the grid.
> Are there any known solutions to this issue? We have thought about  
> the user having an account on this machine, but with an alternative  
> password: the grid then allows them on, but the user doesn't know  
> of the password on this machine to facilitate a direct ssh, but  
> this could become messy with a large number of users.
> Many thanks in advance..
> Colin Thomas
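
The ancestry check behind the cron approach described in the reply above, as an added example that is not part of the original thread or of Grid Engine itself: it reports, rather than kills, user processes that have no sge_shepherd ancestor. The UID threshold, the function names and the sample process table are assumptions constructed for illustration.

```python
import subprocess

SHEPHERD = "sge_shepherd"  # process name as given in the post
MIN_USER_UID = 1000        # assumption: ordinary user accounts start at this UID

# Constructed sample of `ps -eo pid,ppid,uid,comm` output (not real data).
SAMPLE_PS = """\
  PID  PPID   UID COMMAND
    1     0     0 init
  400     1     0 sge_execd
  410   400     0 sge_shepherd
  411   410  1001 bash
  412   411  1001 blastall
  500     1     0 sshd
  510   500  1002 sshd
  511   510  1002 bash
  512   511  1002 myjob
  600     1  1003 nohup_job
"""

def parse_ps(text):
    """Parse `ps -eo pid,ppid,uid,comm` output into {pid: (ppid, uid, comm)}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, uid, comm = line.split(None, 3)
        procs[int(pid)] = (int(ppid), int(uid), comm.strip())
    return procs

def under_shepherd(pid, procs):
    """True if pid or any of its ancestors is an sge_shepherd process."""
    seen = set()  # guards against a malformed table that loops
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, _, comm = procs[pid]
        if comm.startswith(SHEPHERD):  # prefix match, in case the name carries a suffix
            return True
        pid = ppid
    return False

def stray_user_processes(procs, min_uid=MIN_USER_UID, allowed_uids=()):
    """PIDs owned by ordinary users that are not running under a shepherd."""
    return sorted(pid for pid, (_, uid, _) in procs.items()
                  if uid >= min_uid and uid not in allowed_uids
                  and not under_shepherd(pid, procs))

if __name__ == "__main__":
    live = subprocess.run(["ps", "-eo", "pid,ppid,uid,comm"],
                          capture_output=True, text=True, check=True).stdout
    for pid in stray_user_processes(parse_ps(live)):
        print(pid)
```

A job that daemonizes is reparented to init and will be listed even though Grid Engine launched it, so review the report (and exempt admin accounts via `allowed_uids`) before wiring any action to it.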
