[GE users] Access to machines
dag at sonsorol.org
Wed Mar 14 16:04:27 GMT 2007
[ The following text is in the "WINDOWS-1252" character set. ]
[ Your display is set for the "ISO-8859-10" character set. ]
[ Some special characters may be displayed incorrectly. ]
I'll regurgitate some stuff I said a while back in a different forum ...
In short, technical fixes or "sysadmin" approaches to mandating the
use of a scheduler will never work in the long run. All you do is end
up kicking off a technological arms race with your more savvy users.
An upset user looking to game the system is always going to have far
more time and motivation than an overworked cluster admin so
generally it becomes a losing battle.
I've repeatedly found that is is far better in the long run to make
the scheduler system (and proper use of it) a policy matter. Clear
acceptable use policies need to be drafted with user input and
clearly communicated to everyone. After that, users who attempt to
bypass or game the system are referred to their manager. A 2nd
attempt to bypass the system gets reported up higher and a third
attempt results in the loss of cluster login access and a possible
referral to the HR department.
That said though, I work in commercial environments where scheduler
policies are in place to enforce fairshare-by-user or are used to
prioritize cluster resources according to very specific business,
scientific or research goals. In those settings it is very easy to
point out costs of dealing with users who repeatedly bypass the system.
Going back to the technical side .. One trick that I've seen done
with grid engine takes advantage of the fact that all Grid Engine
launched cluster tasks are all going to be a child process of a
sge_shepherd daemon. I've seen clusters where there was a recurring
cron script that would search out and "kill -9" any user process that
was not a child of a sge_shepherd. The end result was that nobody
could run a job on a node unless it was under the control of the
On Mar 14, 2007, at 11:59 AM, Colin Thomas wrote:
> We have a number of machines being put onto our grid. By default
> for a user to run on these machines they need to have an account on
> that machine, which makes sense.
> We want though for them to be able to submit jobs through the grid,
> BUT stop them from casually rsh/ssh?ing into the same node, and
> running applications outside of the grid.
> Are there any know solutions to this issue? We have thought about
> the user having an account on this machine, but with an alternative
> password: the grid then allows them on, but the user doesn?t know
> of the password on this machine to facilitate a direct ssh, but
> this could become messy with a large number of users.
> Many thanks in advance..
> Colin Thomas
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net
More information about the gridengine-users