same here we use the systemd user slice in out pam stack:
```
# Setup for local and ldap logins
session required pam_systemd.so
session required pam_exec.so seteuid type=open_session
/etc/security/limits.sh
```
limit.sh:
```
#!/bin/sh -e
PAM_UID=$(getent passwd "${PAM_USER}" | cut -d: -f3)
if [ "${PAM_UID}" -ge 1000 ]; then
/bin/systemctl set-property "user-${PAM_UID}.slice" CPUQuota=400%
CPUAccounting=true MemoryLimit=16G MemoryAccounting=true
fi
```
and also kill process that use to much time and exlude some processes:
*
https://github.com/basvandervlies/cf_surfsara_lib/blob/master/doc/services/sara_user_consume_resources.md
On 20/05/2021 16:03, mercan wrote:
Hi;
We use a bash script to watch and kill users' processes, if they exceed
the our cpu and memory limits. Also this solution ensures total usage of
cpu or memory can not exceed because of a lot of well behaved users as
well as a bad user:
https://github.com/mercanca/kill_for_loginnode.sh
Ahmet M.
20.05.2021 15:40 tarihinde Timo Rothenpieler yazdı:
On 24.04.2021 04:37, Cristóbal Navarro wrote:
Hi Community,
I have a set of users still not so familiar with slurm, and yesterday
they bypassed srun/sbatch and just ran their CPU program directly on
the head/login node thinking it would still run on the compute node.
I am aware that I will need to teach them some basic usage, but in
the meanwhile, how have you solved this type of user-behavior
problem? Is there a preffered way to restrict the master/login
resources, or actions, to the regular users ?
many thanks in advance
--
Cristóbal A. Navarro
I just put a drop-in config file for systemd into
/etc/systemd/system/user-.slice.d/user-limits.conf
[Slice]
CPUQuota=800%
MemoryHigh=48G
MemoryMax=56G
MemorySwapMax=0
Accompanied by another drop-in that resets all those limits for root.
This enforces that no single user can use up all CPUs (limited to 8
Hyperthreads) and RAM, and can't cause the system to swap.
Other than that, we leave it to the users due diligence to not trash
up the login nodes, which so far worked fine.
They occasionally compile stuff on the login nodes in preparation of
runs, so I don't want to limit them too much.
--
Bas van der Vlies
| HPCV Supercomputing | Internal Services | SURF |
https://userinfo.surfsara.nl |
| Science Park 140 | 1098 XG Amsterdam | Phone: +31208001300 |
| bas.vandervl...@surf.nl