[GE users] Any reason not to have all user's workstations as submit hosts?

bdbaddog bill at baddogconsulting.com
Mon Apr 12 18:38:44 BST 2010


Reuti,

On Mon, Apr 12, 2010 at 10:23 AM, reuti <reuti at staff.uni-marburg.de> wrote:
> On 12.04.2010 at 19:18, bdbaddog wrote:
>
>> Reuti,
>>
>> On Mon, Apr 12, 2010 at 9:05 AM, reuti <reuti at staff.uni-marburg.de> wrote:
>>> On 12.04.2010 at 12:35, rumpelkeks wrote:
>>>
>>>> Well, we've got a lot of things - certainly /home - on a central file
>>>
>>> I would be concerned that someone uses local root access to gain access to other users files and credentials.
>>
>> That's how most large deployments are done.
>> (I've been at companies with up to 5k employees done this way, and
>> even allowed mounting home dirs over the WAN, which was slow of
>> course, but functional)
>> All workstations use automount to mount /home's from various fileservers.
>> There's also a noroot option on mount which won't let root access or
>> is it just write/modify non local filesystems.
>
> But when a user has local root access, he could create a local user for the one he wants to access on the cluster - just use the right ID. Are there more protections to avoid this?

If this is a real concern with your user population, I'm sure there
are more ways to lock down the machines and user accounts and such,
perhaps SELinux?

In most companies I've been at it's not been a concern that such
intentional compromising of security is a reasonable concern.

In that case, certainly having only a few machines as submit hosts
which are not physically accessible and have limited root access would
be the way to go.

-Bill
>
> -- Reuti
>
>
>> -Bill
>>
>>>
>>> -- Reuti
>>>
>>>
>>>> system. Likewise, SGE is installed on a central application server. All
>>>> our systems have a 'standard' environment setup, the cluster nodes are
>>>> in no way treated special - so the user environment on the nodes is the
>>>> same as on the workstations, with the same software/data in the same
>>>> paths and all.
>>>>
>>>> Tina
>>>>
>>>> reuti wrote:
>>>>> Hi,
>>>>>
>>>>> On 12.04.2010 at 11:51, rumpelkeks wrote:
>>>>>
>>>>>> We do that - nearly all our hosts (definitely all workstations and
>>>>>> cluster nodes, and many of the servers) are submit hosts. Roughly 400 in
>>>>>> total. So far, not had any problems with it; definitely not seen any
>>>>>> performance (or other technical) problems.
>>>>>
>>>>> how are the job(scripts) submitted? All workstations mount /home also local?
>>>>>
>>>>> -- Reuti
>>>>>
>>>>>
>>>>>> Tina
>>>>>>
>>>>>> rayson wrote:
>>>>>>> Mainly related to security.
>>>>>>>
>>>>>>> Rayson
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 4/8/10, bdbaddog <bill at baddogconsulting.com> wrote:
>>>>>>>> Greetings,
>>>>>>>>
>>>>>>>> Is there any technical/performance reason to not have every user's
>>>>>>>> desktop as a submit host?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> -Bill
>>>>>>>>
>>>>>>>> ------------------------------------------------------
>>>>>>>> http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=252755
>>>>>>>>
>>>>>>>> To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Tina Friedrich, Computer Systems Administrator, Diamond Light Source Ltd
>>>>>> Diamond House, Harwell Science and Innovation Campus - 01235 77 8442
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Tina Friedrich, Computer Systems Administrator, Diamond Light Source Ltd
>>>> Diamond House, Harwell Science and Innovation Campus - 01235 77 8442
>>>>
>>>
>>>
>>
>
>

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=253158
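
An added example, not part of the original message or of Grid Engine: a small audit of an NFS server's exports file that flags the case raised in the thread, where root squashing is enabled but the server still trusts whatever UID a workstation presents. The sample exports content, host names and function names are constructed, and it assumes Linux exports(5) syntax without line continuations.

```python
import re

# Constructed sample of a file server's /etc/exports (not from the thread).
SAMPLE_EXPORTS = """\
# home directories automounted by every workstation
/home      10.20.0.0/16(rw,sync,root_squash)
/scratch   *(rw,no_root_squash)
/projects  *.example.org(rw,sec=krb5p)
/sge       sge-master(rw,no_root_squash) 10.20.0.0/16(ro)
"""

NO_SQUASH = "root on the client is root on the export (no_root_squash)"
ASSERTED = "UIDs are asserted by the client (sec=sys); root_squash does not change that"

# One client entry: host, wildcard, network or @netgroup, then optional (options).
CLIENT_RE = re.compile(r"([^\s()]+)(?:\(([^)]*)\))?")

def is_broad(client):
    """Wildcards, networks and netgroups match many machines, e.g. all workstations."""
    return "*" in client or "/" in client or client.startswith("@")

def audit_exports(text):
    """Return (path, client, finding) tuples for exports worth reviewing."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        if len(parts) < 2:                        # blank line or no client list
            continue
        path, rest = parts
        for client, opts in CLIENT_RE.findall(rest):
            options = set(filter(None, opts.split(",")))
            # exports(5): the security flavor defaults to sys when sec= is absent.
            sec = next((o[4:] for o in options if o.startswith("sec=")), "sys")
            if "no_root_squash" in options:
                findings.append((path, client, NO_SQUASH))
            # With sec=sys the server believes the UID in each request, so a
            # machine whose root is not under admin control can act as any user.
            if ("sys" in sec.split(":") and is_broad(client)
                    and "all_squash" not in options):
                findings.append((path, client, ASSERTED))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:10} {client:16} {finding}")
```

The `/home` line is flagged even though it sets `root_squash`, which is the gap Reuti points out; the Kerberos-protected `/projects` export is not.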
