Cluster Data Privacy (Admin Guide)
Practical Measures to Increase Data Privacy on HPC Systems
SLURM
Visibility of Jobs
Slurm can be configured with the PrivateData option, which takes different arguments depending on which information should be restricted. A detailed list can be found at [1]. This option has to be added to both slurm.conf and slurmdbd.conf. For an HPC system the following choice is a good starting point:
PrivateData=accounts,users,usage,jobs,events
Visibility of Data during a Job
The Slurm job container ([2]) can be used to isolate the usage of /dev/shm and /tmp when nodes are shared between jobs.
Accounting Data
Slurmdbd supports automatic purging of data (events, jobs, reservations, job steps, usage) in the accounting database on a time schedule with the options PurgeEventAfter, PurgeJobAfter, PurgeResvAfter, PurgeStepAfter, PurgeSuspendAfter, PurgeTXNAfter, and PurgeUsageAfter. Together with the archiving functionality, and especially the ArchiveScript option, fine-grained purging can be realized.
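The check below is an added example, not part of the original guide or of Slurm itself: it parses the text of slurm.conf and slurmdbd.conf and reports which PrivateData flags from the starting point above are missing in each file and which of the Purge*After options listed here are unset. The sample file contents and all function names are constructed for illustration.

```python
# Added example: audit Slurm config text for the settings named in this guide.
RECOMMENDED_PRIVATE = {"accounts", "users", "usage", "jobs", "events"}
PURGE_OPTIONS = ["PurgeEventAfter", "PurgeJobAfter", "PurgeResvAfter",
                 "PurgeStepAfter", "PurgeSuspendAfter", "PurgeTXNAfter",
                 "PurgeUsageAfter"]

def parse_conf(text):
    """Return {lowercased key: value} for Key=Value lines.
    Keys are matched case-insensitively; text after '#' is dropped as a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def missing_private_data(text):
    """Recommended PrivateData flags that this config file does not set."""
    value = parse_conf(text).get("privatedata", "")
    present = {flag.strip().lower() for flag in value.split(",") if flag.strip()}
    return sorted(RECOMMENDED_PRIVATE - present)

def missing_purge_options(text):
    """Purge*After options that are absent or empty in slurmdbd.conf."""
    settings = parse_conf(text)
    return [opt for opt in PURGE_OPTIONS if not settings.get(opt.lower())]

# Constructed sample files (not taken from a real cluster).
SLURM_CONF = """\
ClusterName=demo
privatedata=accounts,users,jobs   # usage and events were forgotten here
"""
SLURMDBD_CONF = """\
DbdHost=localhost
PrivateData=accounts,users,usage,jobs,events
#PurgeJobAfter=12month
PurgeEventAfter=1month
PurgeStepAfter=1month
"""

if __name__ == "__main__":
    print("slurm.conf missing PrivateData flags:", missing_private_data(SLURM_CONF))
    print("slurmdbd.conf missing PrivateData flags:", missing_private_data(SLURMDBD_CONF))
    print("slurmdbd.conf unset purge options:", missing_purge_options(SLURMDBD_CONF))
```

A commented-out option such as the PurgeJobAfter line in the sample is reported as unset, which is the case most easily overlooked when reviewing the file by eye.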
Visibility of Processes
The visibility of other users' processes on the frontend nodes or compute nodes can be restricted with options like hidepid ([3]), ProtectProc and ProcSubset ([4]). However, careful testing of services, especially monitoring services, is required to avoid side effects.
Visibility of Login Information
Access to files like /var/log/lastlog, /var/run/utmp, and /var/log/wtmp can be restricted to disable tools like who, last and lastlog.