[torqueusers] disabling direct access to compute nodes

Ole Holm Nielsen Ole.H.Nielsen at fysik.dtu.dk
Fri Oct 5 13:08:44 MDT 2007


Markus Seto wrote:
> Hi, I've recently started fiddling with a torque installation, and was
> wondering if it's possible to disable direct access to the compute nodes
> from the master node.  I've noticed some users cheating the system and
> directly logging into compute nodes to run jobs, and I want to force them to
> use the queue system, but I was told that direct access with ssh keys is
> needed for torque to run.  Any ideas?

The low-tech bullet-proof method we use is to have separate login nodes for
users.  We restrict logins to the master server by using the AllowUsers
option in /etc/ssh/sshd_config (see "man sshd_config") so that normal users
can't log in there.

Now, the login nodes are on our public network, whereas all compute
nodes are on a private network (the master server of course connects
to both of these networks).  Users on the login nodes can submit jobs
etc., but they have NO way of ever communicating with the compute nodes!
They can communicate with the master server, and that's it!

Some people may think that the submit nodes must be able to communicate
with the compute nodes in order for the batch system to work, but that
is just not true.  Of course, your NFS fileserver (if it's different from
the master server) must connect to both the private and the public network
as well.

The disadvantages: With our setup, interactive Torque jobs (qsub -I)
are not possible.  The workaround: If a few select users genuinely
need interactive login access to the compute nodes, then we enable
their login to the master server by adding them in the /etc/ssh/sshd_config
file.  If you don't like to allow user logins to the master server,
a dedicated login server with restricted logins could be made instead
with a second network card that connects to the private network.

Best regards,
Ole
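
An added example, not part of the original message: a small Python audit of the AllowUsers setting described above, reporting which accounts the master server's sshd_config would let in. The sample config, the account names and the 10.1.0.* subnet are constructed for illustration; DenyUsers, AllowGroups and Include files are not modelled.

```python
import re

# Constructed sample of a master server's /etc/ssh/sshd_config (not from the post).
# Account names and the 10.1.0.* login-node subnet are hypothetical.
SAMPLE_SSHD_CONFIG = """\
# admins only, plus one user approved for interactive jobs
Port 22
AllowUsers root admin*
allowusers alice@10.1.0.*
Match Address 10.2.0.0/16
    AllowUsers backup
"""

def _pattern_to_regex(pattern):
    # sshd_config patterns have only two wildcards: '*' and '?'.
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern))

def parse_allow_users(config_text):
    """Return (global_patterns, match_block_patterns) for AllowUsers."""
    global_pats, match_pats, in_match = [], [], False
    for line in config_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            in_match = True                  # conditional until the next Match or EOF
        elif keyword == "allowusers":        # repeated directives accumulate
            (match_pats if in_match else global_pats).extend(fields[1:])
    return global_pats, match_pats

def login_status(user, global_pats):
    """Classify one account against the global AllowUsers patterns."""
    if not global_pats:
        return "unrestricted"                # no AllowUsers: this option blocks nobody
    status = "denied"
    for pat in global_pats:
        user_pat, _, host_pat = pat.partition("@")
        if _pattern_to_regex(user_pat).fullmatch(user):
            if not host_pat:
                return "allowed"
            status = "host-restricted"       # USER@HOST: allowed from matching hosts only
    return status

if __name__ == "__main__":
    pats, conditional = parse_allow_users(SAMPLE_SSHD_CONFIG)
    for account in ("root", "admin2", "alice", "bob", "backup"):
        print(f"{account:8} {login_status(account, pats)}")
    print("AllowUsers inside Match blocks, review by hand:", conditional)
```

On a live host, "sshd -T" prints the effective configuration and is the authoritative check; this parser is a simplified offline review of the file.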
