Open MPI logo

Open MPI User's Mailing List Archives

  |   Home   |   Support   |   FAQ   |   all Open MPI User's mailing list

Subject: Re: [OMPI users] control openmpi or force to use pbs?
From: Duke Nguyen (duke.lists_at_[hidden])
Date: 2013-02-18 21:49:20


Sorry for the late update. Anyway, per suggestions, here is what I did:
 * prevent ssh-login to the nodes except admins
 * reconfigure torque with --with-pam (then reinstall torque, openmpi
etc...)

After testing for a few days with some intensive jobs, everything looks
fine :)

Thanks for all the helps/suggestsions/comments,

D.

On 2/6/13 10:58 PM, Reuti wrote:
> Am 06.02.2013 um 16:45 schrieb Duke Nguyen:
>
> > On 2/6/13 10:06 PM, Jeff Squyres (jsquyres) wrote:
> >> On Feb 6, 2013, at 5:11 AM, Reuti <reuti_at_[hidden]> wrote:
> >>
> >>>> Thanks Reuti and Jeff, you are right, users should not be allowed
> to ssh to all nodes, which is how our cluster was set up: users can
> even password-less ssh to any node. I know this is not appropriate
> question in OpenMPI forum, but how can we setup so that user can only
> ssh (with password) to nodes that are allocated to them at the time of
> qsub'ing? I am still new to all of this cluster thing :)
> >>> I even disallow this. Only admin staff is allowed to login to the
> nodes. This forces also the admin to look for a tight integration of
> the user's software into the queuing system.
> >>
> >> +1
> >>
> >> FWIW, that makes one-more-thing that you have to setup and maintain
> (because it doesn't happen by default -- you'd have to add some extra
> scripting in the ssh authentication stuff to enable that functionality).
> >>
>
> > Thanks, that what I want to do too, but I thought if it is impossible
> > because ssh is needed for seting up a cluster. From what I understand:
>
> > * for an user to run pbs jobs, master and clients should have that user
> > on their passwd/shadow/group files
>
> Or use NIS / LDAP to have a central location for this information.
>
>
> > * configure ssh server on clients to prohibit certain users
>
> Correct, like a line in /etc/ssh/sshd_config:
>
> AllowGroups admin
>
> and only admin staff has this group as one of their secondary groups
> attached.
>
> -- Reuti
>
>
> > Is that right?
>
> > _______________________________________________
> > users mailing list
> > users_at_[hidden]
> > http://www.open-mpi.org/mailman/listinfo.cgi/users
>
>
> _______________________________________________
> users mailing list
> users_at_[hidden]
> http://www.open-mpi.org/mailman/listinfo.cgi/users
>