[Beowulf] Definition of HPC
Ellis H. Wilson III
ellis at cse.psu.edu
Thu Apr 18 07:37:28 PDT 2013
On 04/17/2013 12:56 PM, Joe Landman wrote:
> Without naming names ... we had a cluster we had set up several years
> ago, with a particular cluster distribution compromised by an errant
> graduate student running Windows on a compromised laptop. They couldn't
> break into the cluster, so they installed a key logger, and caught him
> typing the root password. The rest is, shall we say, history.
> We implored them to never ever do what they did. They chose to ignore
> us, as "research couldn't get done without root".
> Well, that attack knocked this *entire university* off the interwebs
> for a few hours.
> We caught heat because they ignored our advice. So we set up a system
> that was simply not compromisable. If you never type a password, you
> have zero probability of ever capturing a password to log in with. And
> if no ports are ever publicly exposed, it's extraordinarily hard to break
> a port service. You can DDoS it, but there are simple countermeasures
> that can be implemented to black-hole the low end of that range. At the
> higher end, you start overloading each node up the chain and you can't
> handle that without support from your network provider.
> So, I am sorry ... if you *require* root to perform your work on a
> regular basis, chances are, you are one misstep from misfortune, and it's
> quite likely to be self-inflicted.
> Running as root? Yeah, it's that bad. Just say no.
I do research on the Linux kernel, specifically in the caching/FS bits,
and more in the parallel file system and Hadoop arena.
With Hadoop development, I never need root. I mean, after all, it's a
user-level framework! Oh wait, I forgot I have to tune sysctls,
partition and format drives, nuke caches between runs, perform block
traces for inputs to simulators, and do dozens of other things that
require super user privileges.
Please note: I NEVER run as root, I just "tinker" as root. I don't
think there is ever a good reason to run as root. But having and using
root is not so evil as you claim. In particular, I have NO doubt you
require root to build JackRabbits, but I doubt you claim you are "one
misstep from misfortune." You're probably just careful.
As another example, I required root to expand some of the Panasas
equipment that I have available to me to serve Hadoop in a new and novel
manner. I simply wasn't getting in without root. I of course then
added a new user and ran from that perspective, but please, rest assured
that there is indeed "research [that] couldn't get done without root."
ellis (the not-so-evil grad student)