[Beowulf] Definition of HPC
Joe Landman
landman at scalableinformatics.com
Wed Apr 17 09:56:53 PDT 2013
On 04/17/2013 12:34 PM, Max R. Dechantsreiter wrote:
> Ellis,
>
>>> As to your "Issue #2:"
>>>
>>> "Owned compute" has some advantages over "rented compute." In general, the
>>> control one has over one's owned resources enables applications to run with
>>> greater performance. Some optimizations just demand root access!
>> Although I hear those who have responded to this, this is particularly true
>> in my case as a systems researcher. Not only is my research impossible to
>> optimize without root access, it's impossible to perform whatsoever. Because
>> of that I am constantly at odds with my IT dept at PSU. Hence the NAS server
>> and small beo-cluster in my home...
> I have had similar experiences - academic IT departments are the worst!
Without naming names ... we had a cluster we had set up several years
ago, with a particular cluster distribution compromised by an errant
graduate student running windows on a compromised laptop. They couldn't
break into the cluster, so they installed a key logger, and caught him
typing the root password. The rest is, shall we say, history.
http://scalability.org/?p=905
http://scalability.org/?p=909
We implored them to never ever do what they did. They chose to ignore
us, as "research couldn't get done without root".
Well, that attacked knocked this *entire university* off the interwebs
for a few hours.
We caught heat because they ignored our advice. So we set up a system
that was simply not compromisable. If you never type a password, you
have zero probability of ever capturing a password to log in with. And
if no ports are ever publicly exposed, its extraordinarily hard to break
a port service. You can DDoS it, but there are simple countermeasures
that can be implemented to black-hole the low end of that range. At the
higher end, you start overloading each node up the chain and you can't
handle that without support from your network provider.
So, I am sorry ... if you *require* root to perform your work on a
regular basis, chances are, you are one misstep from misfortune, and its
quite likely to be self-inflicted.
This said, the most amazing thing about this whole episode was, after
reporting this, and following the forensic clues, and reporting them to
the cluster mailing list ... those in charge of the mailing list took
great personal offence at the writeup and reporting ... and banned me
from the list. I was more saddened than annoyed, as what I found and
reported on would likely have helped others prevent attacks. No skin
off my nose, we took this as a signal to work much harder on Tiburon,
which is now quite good.
But back to the running with scissors down broken staircases, in the
dark, with low coefficients of friction on the stable steps, and many
missing or unstable steps ... that is running as root. Make sure you
have good, recent backups, and you test that your backups are recent,
and correct, before you go break something important. And if you rely
upon external support, make darned sure they have a clue.
http://scalability.org/?p=5832
Explaining to investors, customers, management, granting agencies how
your own management failures resulted in massive data/information
lossage is not ... well ... a pleasant thing. Usually results in a few
firings.
Running as root? Yeah, its that bad. Just say no.
--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: landman at scalableinformatics.com
web : http://scalableinformatics.com
http://scalableinformatics.com/siflash
phone: +1 734 786 8423 x121
fax : +1 866 888 3112
cell : +1 734 612 4615
More information about the Beowulf
mailing list