On 23/07/13 17:13, Chandler Wilkerson wrote:
> We currently use a pam access setup like that:
>
> # cat /etc/security/access.conf
> -:ALL EXCEPT admins root:ALL
>
> Then if users need access to the node while running jobs, we can do a
> prolog/epilog that adds another line to allow in the user (then remove
> once the job is done)
>
> This can become a mess if the node crashes, so I have a boot script that
> replaces the file to the -:ALL EXCEPT line, but I'd like a better way.
>

So this is pretty much the approach we have been using. As specific changes are made we roll these out via cfengine. This way we can have specific system classes or where necessary a system can become *special* BUT in a way that remains recorded and tracked. Always good to be able to roll back but as you mention, good to remember which of your many hosts you need to roll back ;).

The touch /etc/nologin is generally only used when we take an interactive node out for repairs. It is a very simple blunt stick.

Pete

--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.

_______________________________________________
Beowulf mailing list, [email protected] sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
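The prolog/epilog/boot-script scheme described in the quoted message, sketched as shell helpers. This is an added example, not code from either poster; the function names and the `ACCESS_CONF` override are assumptions, and the baseline rule is the one quoted above.

```shell
#!/bin/sh
# Added example: per-job pam_access grants for prolog, epilog and boot.
# ACCESS_CONF and all function names are assumptions for this sketch.
ACCESS_CONF="${ACCESS_CONF:-/etc/security/access.conf}"
BASELINE='-:ALL EXCEPT admins root:ALL'

# Write stdin to $ACCESS_CONF via temp file + rename, so a crash
# mid-write never leaves a truncated rule file behind.
_install() {
    tmp="$ACCESS_CONF.tmp.$$"
    cat > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$ACCESS_CONF"
}

# Accept only plain account names: a ':' or newline in the name would
# let a job inject extra access.conf fields or whole rules.
_valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Boot script: back to the baseline deny rule only.
access_reset() { printf '%s\n' "$BASELINE" | _install; }

# Epilog: drop this user's grant, keep every other line.
access_revoke() {
    _valid_user "$1" || return 1
    grep -vxF "+:$1:ALL" "$ACCESS_CONF" | _install
}

# Prolog: pam_access applies the first matching rule, so the grant is
# written above the baseline deny line. Safe to call more than once.
access_allow() {
    _valid_user "$1" || return 1
    # A missing file would leave no deny rule at all; restore it first.
    [ -f "$ACCESS_CONF" ] || access_reset
    { printf '+:%s:ALL\n' "$1"
      grep -vxF "+:$1:ALL" "$ACCESS_CONF"; } | _install
}
```

On nodes that run several jobs at once, the prolog and epilog calls need to be serialized (for example with a lock file), since two concurrent rewrites can drop each other's grant.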
