Issue4087

Title: redo /etc/passwd mgmt
Priority: low
Status: chatting
Superseder:
Nosy List: dan, rader, wcmaier
Assigned To:
Topic:
Group: IT

Created 2006.12.22 11:03 by rader.
Last changed 2008.01.14 10:35 by wcmaier.

Messages
msg13450  From: wcmaier  To: dan, help, rader, wcmaier  Date: 2008.01.14 10:35
User gao recently informed us that he was running jobs on the g12
systems. This has come up before (notably, several s5s crashed due
to interactive user jobs), and we don't have a very good response.
After recommending that the user run their analysis in Condor (not
always possible, as in gao's case) or purchase dedicated hardware,
we have no good way of preventing unknowing or errant users from
logging into the compute nodes.

It is not desirable to simply remove the user accounts from the
machines, as this would break several debugging methods in Condor
and dCache. It is also not desirable to wall off those hosts using
libwrap, since it makes administration and debugging more annoying.

One solution would require the passwd management system to support
different passwd entries for the same user depending on the host. In
this way, we could set the shell to /sbin/nologin for most user
accounts on the compute nodes. We could do the same on the PNFS
server, which would allow us to map files to users more easily. As
far as I can tell, this is not possible with the current passwd
system.

When we get around to redoing passwd management, it'd be nice if
this sort of flexibility was included (or at least considered).

Thanks!

-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:...wcmaier@xmpp.lfod.us | email:..will.maier@hep.wisc.edu |
| office:...........608.263.9692 | cell:..............608.438.6162 |
*--------------------[ UW High Energy Physics ]--------------------*
msg265  From: wcmaier  To: rader, wcmaier  Date: 2006.12.22 11:39
On Fri, Dec 22, 2006 at 05:03:16PM -0000, Steve Rader via UW-HEP Help System wrote:
> ginseng:/var/cfengine/masterfiles/inputs/cfrun.hosts has no other
> purpose than to be used by anise to populate /usr/local/passwd.d
> 
> so...
> 1) ditch cfrun.hosts
> 2) have mkpasswdfiles create default.passwd
> 3) have cfengine copy $(host).passwd if it exists else
> default.passwd or something like that

Alternatively, we could do something like the following:

  ginseng:/var/cfengine/masterfiles/
    ./etc/passwd/BASE
    ./etc/passwd/CMS
    ./etc/passwd/NOC
    ./etc/passwd/TOOLS
    [...]

where each file under ./etc/passwd/ represents a class of systems.
cfengine could either simply copy that file over or append it to a
base passwd file.

This is how we're doing dCache node_configs at the moment.

-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:...wcmaier@xmpp.lfod.us | email:..will.maier@hep.wisc.edu |
| AIM:.................willmaier | cell:..............608.438.6162 |
*--------------------[ UW High Energy Physics ]--------------------*
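The class-file scheme proposed above (a BASE passwd file plus one overlay per class of systems), combined with the per-host /sbin/nologin policy from msg13450, as an added example that is not part of the ticket or of the site's mkpasswdfiles/cfengine setup; the merge rules (overlay entry wins per user, UID collisions rejected), the allow-list parameter and the sample accounts are all assumptions:

```python
"""Build a host-class passwd file from a BASE file plus a class overlay.

Added example, not from the ticket. Assumes the layout proposed in msg265
(BASE plus one file per class) and the policy from msg13450: on the compute
class, every account not explicitly allowed gets /sbin/nologin.
"""
NOLOGIN = "/sbin/nologin"

def parse_passwd(text):
    """Parse passwd(5) lines into {user: [7 fields]}; skip blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        if fields[0] in entries:
            raise ValueError(f"duplicate user {fields[0]}")
        entries[fields[0]] = fields
    return entries

def build_passwd(base, overlay, restrict_logins=False, allowed=()):
    """Merge overlay over base (overlay wins per user), optionally forcing
    /sbin/nologin on every user not in `allowed`. Refuses UID collisions so a
    bad overlay cannot silently give two users the same UID."""
    merged = parse_passwd(base)
    merged.update(parse_passwd(overlay))
    owner = {}
    for name, fields in merged.items():
        uid = fields[2]
        if uid in owner:
            raise ValueError(f"uid {uid} shared by {owner[uid]} and {name}")
        owner[uid] = name
    if restrict_logins:
        for name, fields in merged.items():
            if name not in allowed:
                fields[6] = NOLOGIN
    return "".join(":".join(fields) + "\n" for fields in merged.values())

# Constructed sample data (not from the ticket): a BASE file and a class overlay.
BASE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "condor:x:500:500:Condor:/var/lib/condor:/bin/sh\n"
    "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
)
COMPUTE = "alice:x:1001:1001:Alice:/home/alice:/bin/tcsh\n"
```

Running build_passwd(BASE, COMPUTE, restrict_logins=True, allowed=("root", "condor")) yields a compute-node passwd in which root and condor keep their shells while alice gets /sbin/nologin, so Condor and dCache debugging accounts stay usable without interactive logins from everyone else.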
msg254  From: rader  To: rader  Date: 2006.12.22 11:03
ginseng:/var/cfengine/masterfiles/inputs/cfrun.hosts
has no other purpose than to be used by anise to
populate /usr/local/passwd.d

so...
1) ditch cfrun.hosts
2) have mkpasswdfiles create default.passwd
3) have cfengine copy $(host).passwd if it
exists else default.passwd
or something like that
History

Date                 User     Action  Args
2008-01-14 10:35:51  wcmaier  set     nosy: + dan
                                      messages: + msg13450
2006-12-28 16:55:03  rader    set     priority: normal -> low
2006-12-22 11:39:05  wcmaier  set     status: unread -> chatting
                                      assignedto: rader
                                      messages: + msg265
2006-12-22 11:20:26  wcmaier  set     nosy: + wcmaier
                                      assignedto: rader -> (no value)
2006-12-22 11:03:16  rader    create