Putting your users in a Box · Outline . 1)Protect the machine from the job. 2)Protect the job from...

Preview:

Click to see full reader

Citation preview

Putting your users in a Box

Greg Thain

Condor Week 2013

› Why put job in a box?

› Old boxes that work everywhere* » *Everywhere that isn’t Windows

› New shiny boxes

2

Outline

1) Protect the machine from the job.

2) Protect the job from the machine.

3) Protect one job from another.

3 Protections

3

› Allows nesting

› Need not require root

› Can’t be broken out of

› Portable to all OSes

› Allows full management:

Creation // Destruction

Monitoring

Limiting

The perfect box

4

› Resources a job can (ab)use

CPU

Memory

Disk

Signals

Network.

A Job ain’t nothing but work

5

› HTCondor Preempt expression

PREEMPT = TARGET.MemoryUsage > threshold

• ProportionalSetSizeKb > threshold

› setrlimit call

USER_JOB_WRAPPER

STARTER_RLIMIT_AS

Previous Solutions

6

› Newish stuff

From here on out…

7

› Some people see this problem, and say

› “I know, we’ll use a Virtual Machine”

The Big Hammer

8

› Might need hypervisor installed

The right hypervisor (the right Version…)

› Need to keep full OS image maintained

› Difficult to debug

› Hard to federate

› Just too heavyweight

Problems with VMs

9

› Want opaque box

› Much LXC work applicable here

› Work with Best feature of HTCondor ever?

Containers, not VMs

10

› ASSIGN_CPU_AFFINITY=true

› Now works with dynamic slots

› Need not be root

› Any Linux version

Only limits the job

CPU AFFINITY

11

› You can’t kill what you can’t see

› Requirements:

HTCondor 7.9.4+

RHEL 6

USE_PID_NAMESPACES = true

• (off by default)

Doesn’t work with privsep

Must be root

PID namespaces

12

PID Namespaces

13

Init (1)

Master (pid 15)

Startd (pid 26)

Starter (pid 39)

Job (pid 1)

Starter (pid 73)

Job (pid 1)

› “Lock the kids in their room”

› Startd advertises set

›NAMED_CHROOT = /foo/R1,/foo/R2

› Job picks one:

›+RequestedChroot = “/foo/R1”

› Make sure path is secure!

Named Chroots

14

› Two basic kernel abstractions:

› 1) nested groups of processes

› 2) “controllers” which limit resources

Control Groups

aka “cgroups”

15

› Implemented as filesystem

Mounted on /sys/fs/cgroup, or /cgroup or …

› User-space tools in flux

Systemd

Cgservice

› /proc/self/cgroup

Control Cgroup setup

16

› Cpu

› Memory

› freezer

Cgroup controllers

17

› Requires:

RHEL6

HTCondor 7.9.5+

Rootly condor

No privsep

BASE_CGROUP=htcondor

And… cgroup fs mounted…

Enabling cgroups

18

› Starter puts each job into own cgroup

Named exec_dir + job id

› Procd monitors

Procd freezes and kills atomically

› MEMORY attr into memory controller

› CGROUP_MEMORY_LIMIT_POLICY

Hard or soft

Job goes on hold with specific message

Cgroups

19

Cgroup artifacts

20

04/22/13 11:39:08 Requesting cgroup

htcondor/condor_exec_slot1@localhost for job

StarterLog:

ProcLog

cgroup to htcondor/condor_exec_slot1@localhost for ProcFamily

2727.

04/22/13 11:39:13 : PROC_FAMILY_GET_USAGE

04/22/13 11:39:13 : gathering usage data for family with root

pid 2724

04/22/13 11:39:17 : PROC_FAMILY_GET_USAGE

04/22/13 11:39:17 : gathering usage

$ condor_q

-- Submitter: localhost : <127.0.0.1:58873> : localhost

ID OWNER SUBMITTED RUN_TIME ST PRI SIZE

CMD

2.0 gthain 4/22 11:36 0+00:00:02 R 0 0.0 sleep 3600

›$ ps ax | grep 3600 gthain 2727 4268 4880 condor_exec.exe 3600

21

http://127.0.0.1:58873/

$ cat /proc/2727/cgroup

3:freezer:/htcondor/condor_exec_slot1@localhost

2:memory:/htcondor/condor_exec_slot1@localhost

1:cpuacct,cpu:/htcondor/condor_exec_slot1@localho

st

A process with Cgroups

22

$ cd

/sys/fs/cgroup/memory/htcondor/condor_exec_sl

ot1@localhost/

$ cat memory.usage_in_bytes

258048

$ cat tasks

2727

23

› Or, “Shared subtrees”

› Goal: protect /tmp from shared jobs

› Requires

Condor 7.9.4+

RHEL 5

Doesn’t work with privsep

HTCondor must be running as root

MOUNT_UNDER_SCRATCH = /tmp,/var/tmp

MOUNT_UNDER_SCRATCH

24

MOUNT_UNDER_SCRATCH=/tmp,/var/tmp

Each job sees private /tmp, /var/tmp

Downsides:

No sharing of files in /tmp

MOUNT_UNDER_SCRATCH

25

› Per job FUSE and other mounts?

› non-root namespaces

Future work

26

› Prevent jobs from messing with everyone

on the network:

› See Lark and SDN talks Thursday at 11

Not covered in this talk

27

› Questions?

› See cgroup reference material in kernel doc • https://www.kernel.org/doc/Documentation/cgroups/

cgroups.txt

› LKN article about shared subtree mounts: • http://lwn.net/Articles/159077/

Conclusion

28

https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
http://lwn.net/Articles/159077/

Recommended

CRUSH EVERY JOB TM - Screen Machine
Documents
Grinding Machine Magazine - Job Shops
Documents
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Engineering
CrisisGo on the iPad “Empowering those whose job it is to protect others”
Documents
ASK FOR SENTRICON IT’S YOUR HOME SYSTEM PROTECT IT … · Eliminate the Queen. Protect Your Largest Investment. IT’S YOUR HOME. PROTECT IT FROM AN AROUND-THE-CLOCKEATING MACHINE
Documents
Respect yourself. Protect yourself.Respect yourself. Protect yourself.Respect yourself. Protect yourself. Are You Working Now or Looking for a Job? Approximately 80% of teenagers have
Documents
Using Big Data and Machine Learning to Protect Your Online Service
Documents
Job and Machine Policy Configuration CERN Oct 2014 Todd Tannenbaum
Documents
Best Cnc Machine Job Work in Rajkot
Documents
Harnessing Virtual Machine Resource Control for Job Management · Harnessing Virtual Machine Resource Control for Job Management Laura Grit, David Irwin, Varun Marupadi, Piyush
Documents
Landing on the right job: a Machine Learning approach to
Documents
Machine Operator I Reference Job #15-003files.ctctcdn.com/1763179d201/e86fe5d6-bfdb-450d-b4dc-0f566e41… · Machine Operator I Reference Job #15-003 Tri-Star Electronics International,
Documents
JOB list - Trinity School, Carlisletrinity.cumbria.sch.uk/.../07/Carlisle-Job-List-12th-Janua…  · Web viewCarlisle & Eden job list ... Training to be Provided - NVQ in Machine
Documents
Protect yourself from job-hunting scams and fraudsters
Documents
PROTECT THE ENVIRONMENTd2z4qs2e3spnc1.cloudfront.net/product_file/file/2785/tennant-t1-walk-behind-floor...PROTECT THE ENVIRONMENT Please dispose of packaging materials and old machine
Documents
Quantum Computing in the Cloud: Analyzing job and machine
Documents
Technology and people: The great job-creating machine · PDF fileTechnology and people: The great job-creating machine . A positive narrative about technology and progress has . dominated
Documents
Single Machine Scheduling with Interfering Job Setspeople.umass.edu/hbalasub/Interfering_Job_Sets_COR_v13.pdf1 Single Machine Scheduling with Interfering Job Sets Ketan Khowala1,3,
Documents
An n job single machine sequencing algorithm for
Documents
TAILGATE TRAINING T S – N Protect Your Hearing On the Job #11 Hearing.pdf · TAILGATE TRAINING TIP SHEET® – NO. 11 (CONTINUED) Protect Your Hearing On the Job HEARING PROTECTION
Documents