[Beowulf] block runing jobs individually on each node

Josip Loncaric josip at lanl.gov
Thu Apr 7 13:26:16 PDT 2005


jerry xu wrote:
> 
>    I just want to forbid people running any of their own program at each
> node. They are only allowed to submit job through the batch system
> (OpenPBS).

You can use PAM to prevent logins into your nodes for most users.  Just 
modify /etc/pam.d/rlogin to include the line

auth requisite /lib/security/pam_localuser.so file=/etc/loginusers

immediately after the pam_nologin.so entry, and copy the /etc/passwd 
entries for authorized rlogin users (usually only root) to 
/etc/loginusers on your nodes.  Any user not in /etc/loginusers will be 
denied rlogin, although they will still be able to rexec.

This won't work for /etc/pam.d/rexec because PBS normally needs rexec to 
start permissible jobs.   A crude tool to at least encourage PBS use is 
a cron job to kill regular users' non-PBS jobs, e.g. hourly or even more 
often.  A PBS job will have PBS environment variables defined.

On my old cluster, we were satisfied with the above two measures, since 
inadvertent rlogin was our only real problem.

Finally, perhaps someone has written a PAM module that restricts normal 
users' node access to PBS jobs only.

Sincerely,
Josip



More information about the Beowulf mailing list