Using limits.conf is not a very good approach. Limits in
/etc/security/limits.conf apply to each individual shell, so an
individual user can still abuse a login node by running tasks in
multiple shells. Cgroups, which is implemented in the kernel and takes a
system-wide view or resource usage is a much better option.
Also, /etc/security/limits.conf is applied by PAM, so if someone gets
onto a system in a way that bypasses PAM, this limits will not be
applied to those shells. One way top bypass PAM to use SSH with
public/private keys.
Prentice
On 4/24/21 4:03 AM, Ole Holm Nielsen wrote:
On 24-04-2021 04:37, Cristóbal Navarro wrote:
Hi Community,
I have a set of users still not so familiar with slurm, and yesterday
they bypassed srun/sbatch and just ran their CPU program directly on
the head/login node thinking it would still run on the compute node.
I am aware that I will need to teach them some basic usage, but in
the meanwhile, how have you solved this type of user-behavior
problem? Is there a preffered way to restrict the master/login
resources, or actions, to the regular users ?
We restrict user limits in /etc/security/limits.conf so users can't
run very long or very big tasks on the login nodes:
# Normal user limits
* hard cpu 20
* hard rss 50000000
* hard data 50000000
* soft stack 40000000
* hard stack 50000000
* hard nproc 250
/Ole
