[Beowulf] Restricting users from ssh into nodes

Mark Hahn hahn at mcmaster.ca
Wed Jul 24 21:40:38 PDT 2013

>> I would argue that this sort of restriction is BOFHish
> I think of it more as protecting user jobs from other users who are
> new to HPC and probably well meaning (or desperate to get jobs running).

do you really find users who decide to choose their own nodes?

to me, there are three quite separate issues:
a) users who deliberately bypass the scheduler.
b) users who accidentally bypass the scheduler, or equivalently jobs
that escape the scheduler.  "rogue jobs".
c) users who want to run eg ps on their job processes.

limiting ssh access, done right, can permit (c) and prevent (a).
we don't really see (a) enough to worry about it (we're pretty big
on at least basic user inculcation...)  and most of (b) I see is 
actually not helped, since the rogue jobs are usually escapees,
rather than mis-aimed.

> As the users project here get allocated service units and charged for
> compute time in those units we have a duty to make sure they are
> getting the time they've been allocated.

yes, that's an interesting angle.  I suppose you could charge by utime+stime
rather than real time.

thanks, mark hahn.

More information about the Beowulf mailing list