<div dir="ltr">Just 3 more things to think about re where ssh should be enabled or disabled.<div><br></div><div>1. Many people's job scripts use ssh either directly (to say clean up /tmp) or indirectly from mpirun. (good mpirun's use the batch engine's per-node daemon to launch the binaries not ssh). Hence simple disabling of ssh will break many batch scripts.</div>
<div><br></div><div>2. Some 'batch jobs' are actually interactive sessions - eg salloc in SLURM for interactive debugging sessions.</div><div><br></div><div>3. If a user has a a set of say 32 nodes allocated to them and in use for one of their batch jobs, it is reasonable to allow them interactive access to those compute nodes - eg for profiling, debugging or computational steering.</div>
<div><br></div><div>Daniel</div><div><br></div><div>Daniel Kidger</div><div>Bull Information Systems, UK</div><div> </div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 25 July 2013 06:08, Christopher Samuel <span dir="ltr"><<a href="mailto:samuel@unimelb.edu.au" target="_blank">samuel@unimelb.edu.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</div><div class="im">On 25/07/13 14:40, Mark Hahn wrote:<br>
<br>
> do you really find users who decide to choose their own nodes?<br>
<br>
</div>In the past yes, they've come from places who either haven't had a<br>
queuing system or who haven't use HPC before and haven't read the docs<br>
or been to the courses.<br>
<div class="im"><br>
> limiting ssh access, done right, can permit (c) and prevent (a).<br>
<br>
</div>That's what we do. Users can login to nodes their jobs are on. I'm<br>
hoping that the aims of the Slurm PAM module to be able to move users<br>
SSHing into the node into the cgroup for their jobs will get<br>
implemented. That way if they do login and run stuff that impacts<br>
they'll only hurt their own jobs.<br>
<div class="im"><br>
> we don't really see (a) enough to worry about it (we're pretty big<br>
> on at least basic user inculcation...) and most of (b) I see is<br>
> actually not helped, since the rogue jobs are usually escapees,<br>
> rather than mis-aimed.<br>
<br>
</div>Yeah, we see rogue jobs and have health check scripts that can fix<br>
them up for the simple cases (and alert us and take the node offline<br>
for others). That helps with having to deal with the emails from<br>
users asking why their jobs are running slower than usual.<br>
<div class="im"><br>
> I suppose you could charge by utime+stime rather than real time.<br>
<br>
</div>That would mean a lot of extra hacking around as we're using Gold<br>
(with Torque and Moab) at the moment and will be moving to Slurm in<br>
the very near future (as it's what we run on our BG/Q), so we bend to<br>
their whim on charging.<br>
<div class="im"><br>
cheers!<br>
Chris<br>
- --<br>
Christopher Samuel Senior Systems Administrator<br>
VLSCI - Victorian Life Sciences Computation Initiative<br>
Email: <a href="mailto:samuel@unimelb.edu.au">samuel@unimelb.edu.au</a> Phone: <a href="tel:%2B61%20%280%293%20903%2055545" value="+61390355545">+61 (0)3 903 55545</a><br>
<a href="http://www.vlsci.org.au/" target="_blank">http://www.vlsci.org.au/</a> <a href="http://twitter.com/vlsci" target="_blank">http://twitter.com/vlsci</a><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.11 (GNU/Linux)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
</div>iEYEARECAAYFAlHwss4ACgkQO2KABBYQAh8UywCgiFnVHUxTCAF8DPQkdMQCutD8<br>
PuEAnRz91qSEQM1mfwZfBV7CsoVjZLk/<br>
=+JDY<br>
-----END PGP SIGNATURE-----<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Beowulf mailing list, <a href="mailto:Beowulf@beowulf.org">Beowulf@beowulf.org</a> sponsored by Penguin Computing<br>
To change your subscription (digest mode or unsubscribe) visit <a href="http://www.beowulf.org/mailman/listinfo/beowulf" target="_blank">http://www.beowulf.org/mailman/listinfo/beowulf</a><br>
</div></div></blockquote></div><br></div>