[GE users] Any reason not to have all user's workstations as submit hosts?

prentice prentice at ias.edu
Wed Apr 14 16:14:21 BST 2010


reuti wrote:
> On 12.04.2010 at 12:35, rumpelkeks wrote:
> 
>> Well, we've got a lot of things - certainly /home - on a central file 
> 
> I would be concerned that someone uses local root access to gain access to other users' files and credentials.
> 
> -- Reuti

You can reduce that risk by NOT setting 'no_root_squash' on the NFS
server. This will prevent root accounts on the client from accessing
files on the NFS server with root privileges. Regular user files could
still be accessed from an account with a UID/GID that matches the file
ownerships on the server, but that requires a little more work/guessing.
Root's files will still be safe.

NFSv4 drastically reduces this risk since it uses Kerberos and finer
grained ACLs than NFS versions <= 3. I have no experience with NFSv4,
though, so I don't know how much harder it is to use, and what
performance penalties there are. Of course NFSv4(.1?) should provide a
boost to performance through pNFS.

--
Prentice


> 
>> system. Likewise, SGE is installed on a central application server. All 
>> our systems have a 'standard' environment setup, the cluster nodes are 
>> in no way treated special - so the user environment on the nodes is the 
>> same as on the workstations, with the same software/data in the same 
>> paths and all.
>>
>> Tina
>>
>> reuti wrote:
>>> Hi,
>>>
>>> On 12.04.2010 at 11:51, rumpelkeks wrote:
>>>
>>>> We do that - nearly all our hosts (definitely all workstations and 
>>>> cluster nodes, and many of the servers) are submit hosts. Roughly 400 in 
>>>> total. So far, not had any problems with it; definitely not seen any 
>>>> performance (or other technical) problems.
>>> How are the job (scripts) submitted? Do all workstations also mount /home locally?
>>>
>>> -- Reuti
>>>
>>>
>>>> Tina
>>>>
>>>> rayson wrote:
>>>>> Mainly related to security.
>>>>>
>>>>> Rayson
>>>>>
>>>>>
>>>>>
>>>>> On 4/8/10, bdbaddog <bill at baddogconsulting.com> wrote:
>>>>>> Greetings,
>>>>>>
>>>>>> Is there any technical/performance reason to not have every user's
>>>>>> desktop as a submit host?
>>>>>>
>>>>>> Thanks,
>>>>>> -Bill
>>>>>>
>>>>>> ------------------------------------------------------
>>>>>> http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=252755
>>>>>>
>>>>>> To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].
>>>>>>
>>>>>
>>>> -- 
>>>> Tina Friedrich, Computer Systems Administrator, Diamond Light Source Ltd
>>>> Diamond House, Harwell Science and Innovation Campus - 01235 77 8442
>>>>
>>>
>>
>> -- 
>> Tina Friedrich, Computer Systems Administrator, Diamond Light Source Ltd
>> Diamond House, Harwell Science and Innovation Campus - 01235 77 8442
>>
> 
> 

-- 
Prentice Bisbal
Linux Software Support Specialist/System Administrator
School of Natural Sciences
Institute for Advanced Study
Princeton, NJ

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=253390
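
An added example, not part of Prentice's message or of Grid Engine: a small audit of an exports(5) file for the two conditions raised in the reply above, exports that set no_root_squash and exports that rely on AUTH_SYS (client-supplied UID/GID) rather than Kerberos. The export paths and host names in the sample are constructed, and the parser assumes unquoted paths.

```python
import re

# Constructed sample in exports(5) syntax; paths and host names are made up.
SAMPLE_EXPORTS = r"""# central file server (constructed example)
/home      *.example.org(rw,sync,no_root_squash)
/apps/sge  10.0.0.0/24(ro,sync) admin1.example.org(rw,no_root_squash)
/scratch   *.example.org(rw,sync,root_squash,sec=krb5p)
/data      ws*.example.org(rw,sync) \
           node*.example.org(rw,sync,sec=sys)
"""

def parse_exports(text):
    """Yield (path, client, options) per client entry.
    Assumes unquoted paths and no '-options' default lists."""
    text = text.replace("\\\n", " ")           # join continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", spec)
            if m is None:
                continue                        # malformed entry, skip
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, m.group(1) or "*", opts

def audit(text):
    """Return (path, client, issue) findings for the risks in the thread."""
    findings = []
    for path, client, opts in parse_exports(text):
        # root_squash is the default; only an explicit opt-out disables it.
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))
        # sec= takes a colon-separated flavour list; the default is sys,
        # where the server trusts the UID/GID the client sends.
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
        if not all(f.startswith("krb5") for f in sec.split(":")):
            findings.append((path, client, "auth_sys"))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit(SAMPLE_EXPORTS):
        print(f"{path:10} {client:20} {issue}")
```

An "auth_sys" finding on an export that already squashes root corresponds to the residual risk described above: a local root user on a client can still take on any non-root UID/GID.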
