Jump to content
  • Announcements

    • admin

      PBS Forum Has Closed   06/12/17

      The PBS Works Support Forum is no longer active.  For PBS community-oriented questions and support, please join the discussion at http://community.pbspro.org.  Any new security advisories related to commercially-licensed products will be posted in the PBS User Area (https://secure.altair.com/UserArea/). 
Sign in to follow this  
enegado

How do I submit a job from a compute node?

Recommended Posts

Hello


 


We have a small cluster with a head node (PBS Server), interactive node, and 9 compute nodes


 


I can submit jobs to the cluster via the head node, but when I try to submit jobs from our interactive node, i get the following message:


 


[nuser@interactive ~]$ qsub -q workq dry_run_8.pbs 

qsub: Bad UID for job execution

 

Is there a setting that I need to set to submit jobs from outside the head node?

 

Thank you!

 

Our environment is a RHEL 6.6 64bit cluster

Share this post


Link to post
Share on other sites

Hi Enegado,


 


     From the interactive node, can you ssh passwordlessly to and from the execution hosts?  Also, is it possible that the user name of the job submitter and/or the UID and GID at the executing node are different from the submitting node. 


 

On the submission host, as the submitting user, run the "id" command.  Do the same on the execution host and compare them.  

Share this post


Link to post
Share on other sites

To add to what CJM said:


 


For a job to be accepted by the PBS server, the user at the submitting host must pass an ruserok() test.

 

From the RCMD(3) man page (check your local Linux distro documentation, it may differ from this):

 

    * The iruserok() and ruserok() functions take a remote host's IP address or name, respectively, two user names and a flag indicating whether the local user's name is that of the superuser. Then, if the user is NOT the superuser, it checks the /etc/hosts.equiv file. If that lookup is not done, or is unsuccessful, the .rhosts in the local user's home directory is checked to see if the request for service is allowed.

 

      If this file does not exist, is not a regular file, is owned by anyone other than the user or the superuser, or is writeable by anyone other than the owner, the check automatically fails. Zero is returned if the machine name is listed in the hosts.equiv file, or the host and remote user name are found in the .rhosts file; otherwise iruserok() and ruserok() return -1. If the local domain (as obtained from gethostname(2)) is the same as the remote domain, only the machine name need be specified. 

 

 

 

If the pbs_server attribute flatuid is set to true, this test is skipped and the job is accepted based on the submitting users name alone (with obvious security implications, which can be tempered by using acl_host_enable and acl_hosts).

 

 

Here is a test program to see if ruserok() passes for a given user and host:

 



/*
   Two use cases:
    1) User submitting job from remote host to server getting unexpected
        "Bad UID" message. That is, user doesn't have access when he thinks
        he should.
    2) User(s) can delete, etc other user(s) jobs. That is, one user is able
        to act as what he thinks is a different user, server sees them as
        being equivalent.


Build with "cc ruserok.c -o ruserok"


Usage (run on the PBS server system):


ruserok remote_host remote_user1 local_user2


where:


remote_host:  the host from which the job is being submitted, or where the PBS client command is issued


remote_user1: the username of the user submitting the job, or issuing the client command


local_user2: the username of the user remote_user1 is trying to submit the job as, or owner of the job that remote_user1 is trying to act on with the client command


In most cases both user names given will be the same, unless testing to see a job can be submitted as a different user with the qsub -u option.

*/




#include <errno.h>
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
        int rc;
        char hn[257];


        if (argc != 4) {
                fprintf(stderr, "Usage: %s remote_host remote_user1 local_user2\n", argv[0]);
                return 1;
        }
        if (gethostname(hn, 256) < 0) {
                perror("unable to get hostname");
                return 2;
        }
        hn[256] = '\0';


        printf("on local host %s, from remote host %s\n", hn, argv[1]);
        rc = ruserok(argv[1], 0, argv[2], argv[3]);
        if (rc == 0)
                printf("remote user %s is allowed access as local user %s\n", argv[2], argv[3]);
        else
                printf("remote user %s is denied access as local user %s\n", argv[2], argv[3]);


        return 0;
}

Share this post


Link to post
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×