[mvapich-discuss] Disable interactive login to compute node

Wed Jul 15 00:50:56 EDT 2009

Hello Guangyu,

I appreciate your advice. 
I have misunderstood. WMS is not product name.
WMS is short for Workload Management Solution.

Regards,
Satoshi Isono

-----Original Message-----
From: Guangyu Wu [mailto:wgy at altair.com.cn] 
Sent: Tuesday, July 14, 2009 4:48 PM
To: Satoshi Isono
Cc: 'Bill Barth'; mvapich-discuss at cse.ohio-state.edu
Subject: ´ð¸´: [mvapich-discuss] Disable interactive login to compute node

Hello, satoshi:
WMS means workload management system like pbspro, lsf, sge, openpbs ,etc. it
is not module though.
In the latest pbspro package, it provides a functionality to control access
to computing nodes. It's not perfect but works very well and provides great
flexibility. If you would learn more information on this, you can find pbs
pro admin guide by google.
What bill suggested should work. However it would take considerable
scripting effort to gain robustness and necessary flexibility.

Thanks

Wu

-----ÓÊ¼þÔ¼þ-----
·¢¼þÈË: Satoshi Isono [mailto:isono at cray.com] 
·¢ËÍÊ±¼ä: 2009Äê7ÔÂ14ÈÕ 12:28
ÊÕ¼þÈË: Guangyu Wu
³ËÍ: Bill Barth; mvapich-discuss at cse.ohio-state.edu
Ö÷Ìâ: RE: [mvapich-discuss] Disable interactive login to compute node

Dear Guangyu,

Thanks for your advice. From your view, I am interested in WMS. Is WMS
contained in latest PBS pro package? Can we use WMS on other job
scheduler like Sun Grid Engine?

Regards,
Satoshi Isono

-----Original Message-----
From: henry.wuguangyu at gmail.com [mailto:henry.wuguangyu at gmail.com] On
Behalf Of Guangyu Wu
Sent: Monday, July 13, 2009 3:15 PM
To: Satoshi Isono; Bill Barth; mvapich-discuss at cse.ohio-state.edu
Subject: Re: [mvapich-discuss] Disable interactive login to compute node

Hello:
This has been a common security/management issue raised by admins.
Not sure if anyone has addressed it without using a WMS.
The latest version of PBS Pro provides a way around where the
methodology is simple, I.e, having the WMS daemon on nodes scanning
processes owner, if the owner doesn't has a job (submitted thru WMS)
running then kill the processes. This way even reomote login is not
possible.
Of course some exception are there, e.g. User can login a node during
the time his job is running there. Admins can except some users who is
not limited by this behavior.
HTH
Henry, Wu

On 7/13/09, Satoshi Isono <isono at cray.com> wrote:
> Hello Bill, everyone,
>
> Sorry, this issue may not be a MVAPICH article. Please let me have
your
> opinion on this.
>
> The background is I use MVAPICH based on SSH authorization. And the
> number of users is more one thousand. In order to run MPI, I have done
> SSH setting. As a result of my configuration, SSH login between
compute
> nodes does not need password. As we know, this is general setting for
> MPI run environment.
>
> On the other hand, anyone who has an account on compute node has done
> login for arbitrary nodes. This action is not cared from system
security
> side. I think we should consider that all users aren't able to login
> during other users job running.
>
> My concern is how everyone control such as operations. I know this may
> depend on the system policy. On big system site like a TACC, how is
this
> restricted?
>
> For example, before/after running MPI, to set available user, we are
> able to edit password file, automatically?
>
> Best regards,
> Satoshi Isono
>
>
> _______________________________________________
> mvapich-discuss mailing list
> mvapich-discuss at cse.ohio-state.edu
> http://mail.cse.ohio-state.edu/mailman/listinfo/mvapich-discuss
>