Question
Based on the following thread, I am trying to send a job under another user.
I am logged in as the main_user, and Slurm jobs are submitted via main_user, which can do rm -rf /home/main_user; that is pretty dangerous.
In order to prevent this I want to run a job under another user's permission under the main_user's directory. I think that if I manage to submit the job through a newly created user, that user has no permission to alter any of my files, except the folder that the user is running his job in.
Creating a new user:
$ sudo useradd -m newuser -d /home/newuser
$ sacctmgr add account newuser --immediate
$ sacctmgr create user newuser defaultaccount=newuser adminlevel=[None] --immediate
Approach_1: Running as newUser under main_user's directory :
$ cd pathToRunMyJob
$ sudo chown -R newuser:newuser .
$ id -u newuser
1004
$ sbatch --uid=1004 run.sh
Approach_2: running job inside newly created user's folder under home directory:
$ cd /home/newuser
$ id -u newuser
1004
$ sbatch --uid=1004 run.sh
But now I am having following pending message:
JOBID PARTITION NAME   USER   ST TIME NODES NODELIST(REASON)
602   debug     run.sh deneme PD 0:00 1     (launch failed requeued held)
Update:
I have tried to submit a job under another user using @Dmitri Chubarov's comment: sudo su - newuser ; sbatch run.sh
That seems like a solution. After I did sudo su - newuser and then sbatch run.sh, it prevents newuser's source code from changing other users' folders.
Also, I just want to prevent a user from accessing any important data stored by any other user. chmod go-rwx /home/* or chmod 700 ~/* makes other users' folders inaccessible; could it be a helpful solution?
Answer 1:
But after I do sbatch run.sh , I get following message: Submitted batch job *** ; but submitted job does not show up on squeue and the job does not launch on Slurm.
Often, that indicates that newuser is not known on the compute node. You have to run the useradd command on all compute nodes as well. But that should be clear from the Slurm log files.
Also, I just want to prevent a user from accessing any important data stored by any other user. chmod go-rwx /home/* or chmod 700 ~/* makes other users' folders inaccessible; could it be a helpful solution?
Yes, chmod go-rwx /home/* would be the way to go.
Answer 2:
I have combined @damienfrancois and @Dmitri Chubarov's answers:
The way I created new user:
user.sh
#!/bin/bash
# SLURMUSER and USERADDRESS are not defined in this script; they must be set in the environment.
NEWUSER="user"
BASEDIR="/var/users/"
sudo useradd -d "$BASEDIR/$NEWUSER" -m "$NEWUSER"
sudo mkdir -p "$BASEDIR/$NEWUSER/cache"
echo "$USERADDRESS / $NEWUSER is added as user."
sudo chmod 700 "$BASEDIR/$NEWUSER" # Block others and people in the same group from reading/writing/executing.
sudo setfacl -R -m "user:$NEWUSER:rwx" "$BASEDIR/$NEWUSER" # Give read/write/execute access to USER on the given folder.
sudo setfacl -R -m "user:$SLURMUSER:rwx" "$BASEDIR/$NEWUSER" # Give read/write/execute access to root_slurmuser on the given folder.
# Add user to Slurm
sacctmgr add account "$NEWUSER" --immediate
sacctmgr create user "$NEWUSER" defaultaccount="$NEWUSER" adminlevel=[None] --immediate
Later I applied @Dmitri Chubarov's recommendation:
Can you submit a job as a newuser directly, e.g. sudo su - newuser ; sbatch run.sh?
I have submitted the job as the $NEWUSER:
$ sudo su - $NEWUSER -c "cd $BASEDIR/USERADDRESS_home/path_to_run && sbatch -c2 slurmScript.sh"
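One way to check the effect of the chmod go-rwx /home/* and chmod 700 advice above, added here as an example and not taken from the question or either answer. The function names exposed_homes and lock_homes and the temporary directory tree are constructed for illustration; point the functions at the real base directory (/home or /var/users) to audit it.

```shell
#!/bin/sh
# Added example; function names and the temp tree are constructed for illustration.

# Print "<group+other bits> <path>" for every directory directly under $1
# whose group or other permission bits are not all cleared.
exposed_homes() {
    base=$1
    for d in "$base"/*/; do
        [ -d "$d" ] || continue          # unmatched glob or not a directory
        d=${d%/}
        [ -L "$d" ] && continue          # ignore symlinks to directories
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld -- "$d" | cut -c5-10)
        [ "$bits" = "------" ] || printf '%s %s\n' "$bits" "$d"
    done
}

# Apply chmod go-rwx only to the directories reported above.
lock_homes() {
    exposed_homes "$1" | while read -r _bits dir; do
        chmod go-rwx -- "$dir"
    done
}

# Demonstration on a constructed tree (not real home directories).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/main_user" "$tmp/newuser"
    chmod 755 "$tmp/main_user"
    chmod 700 "$tmp/newuser"
    echo "before:"; exposed_homes "$tmp"
    lock_homes "$tmp"
    echo "after:";  exposed_homes "$tmp"
    rm -rf "$tmp"
}
demo
```

A directory carrying named-user ACL entries, such as those the setfacl calls in the second answer create, shows the ACL mask in its group bits and is therefore reported here. Running lock_homes on it clears that mask and disables those ACL entries, so review such directories with getfacl first.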
Source: https://stackoverflow.com/questions/50267566/slurm-how-to-submit-a-job-under-another-user-and-prevent-to-read-other-users-f