Firstly - this example has been very helpful to us in getting our Linux nodes nearly working - thank you.
Following from it: how do we handle multiple jobs that get scheduled on the same node, which will mount, and then later unmount these shares on exit? I guess we can do job-specific mounts including the job id in the mount name, but... that sounds like it will result in a lot of mounts being created.
To try and solve this problem, we've been attempting to get a global multiuser CIFS share (with NTLM_SSP) mounted on our Linux nodes, so that everyone can see a "/win-homes/" folder, but only the user running the job can see their "/win-homes/user/..." folder inside. Then we can leave that mounted on the nodes at the system level, rather than mounting in the job activation script.
We haven't succeeded yet - and sometimes have problems where one user ends up able to see another user's home directory (but not their own...!) - we think this is something to do with PAM's keyinit module, which should provide a separate keyring per user-session, but clearly one person's creds are being used on another person's session at some point.
So the HPC-Pack question is - how do we configure PAM to run cifscreds (with a session-private keyring), for the job that hpcpack eventually runs? The activation filter itself runs as root (hence it can run mount) - but we don't think this is the place to run cifscreds for the user - we think it needs to be in the task where the session belongs to the job owner. Is this done in PAM as a "login", or a "sshd", or a "runuser"? We've had no luck yet, so wondering how the child job process is spawned, and whether we're on the right lines.
Many thanks for any suggestions.