Notice
The examples and use cases described here are intended to show the different ways SURF Research Access Management can be used and connected to applications. These examples and use cases are not always validated by SURF.
Intro
The UMCG uses several Linux HPC clusters for (inter)national research projects. These clusters use the Slurm Workload Manager for job management. Deployment and functional administration is a joint effort of the Genomics Coordination Center (GCC) of the University Medical Center Groningen (UMCG) and the Center for Information Technology (CIT) of the University of Groningen (RUG). Due to the (inter)national nature of the research projects, cluster users come from various institutes.
Old / current situation on production clusters
In the old/current situation accounts and groups have to be created manually, which is tedious and error prone: not much fun. For various technical reasons the clusters run in the RUG network domain, but unfortunately the account management systems of RUG and UMCG do not "talk" to each other, so we have to create accounts for all users, even for the ones from the UMCG.
- Accounts are created manually in a system named IDVault
- Users, their public keys and groups are synced IDVault → LDAP for the Linux based infra (or IDVault → AD for the Windows based infra)
- Slurm HPC cluster machines are linked to an LDAP:
  - We use nslcd for fetching users and groups
  - We use the OpenSSH ssh-ldap-wrapper to fetch public keys from the LDAP
In /etc/nsswitch.conf:
####################
passwd: files ldap
shadow: files ldap
group: files ldap
#####################
#
# Various other settings....
#
In /etc/ssh/sshd_config:
#
# Various other settings for example to disable password-based logins, disable root logins, etc.
#
#####################
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper.bash
AuthorizedKeysCommandUser nobody
#
# Disable local authorized_keys files to enforce public keys only from LDAP.
# sshd consults the AuthorizedKeysCommand output in addition to AuthorizedKeysFile,
# so pointing the latter at /dev/null (OpenSSH also accepts the keyword "none")
# leaves LDAP as the only source of keys.
#
AuthorizedKeysFile /dev/null
#
# Get public keys for admins from local authorized_keys file.
#
Match Group admin
    AuthorizedKeysFile .ssh/authorized_keys
####################
#
# Various other settings ....
# Note: everything after a Match line belongs to that Match block until the next
# Match line, so settings that must apply globally have to be placed above it.
#
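The page refers to the UMCG's own ssh-ldap-wrapper.bash but does not reproduce it. The script below is an added example, not the UMCG/SURF script and not the ssh-ldap-wrapper shipped by Linux distributions, of what such an AuthorizedKeysCommand has to get right: it validates the user name sshd passes in before that name is put into an LDAP filter, unfolds the line-wrapped LDIF that ldapsearch prints, decodes base64 ("::") attribute values, and passes on only lines that look like OpenSSH public keys. The LDAP URI, base DN and the sshPublicKey attribute name are assumptions; sample_ldif is constructed ldapsearch output with placeholder key blobs, not real keys.

```shell
#!/bin/sh
# Added example of an AuthorizedKeysCommand that serves sshPublicKey values
# from LDAP. Not the UMCG ssh-ldap-wrapper.bash script; the URI, base DN and
# attribute name are assumptions for illustration.
set -eu

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.org}"        # assumed
LDAP_BASE="${LDAP_BASE:-ou=users,dc=example,dc=org}"    # assumed
KEY_ATTR="sshPublicKey"   # attribute name of the common openssh-lpk schema

# sshd passes the target user name as the only argument. Refuse anything that
# is not a plain user name before it is interpolated into an LDAP filter, so a
# crafted name such as "a*)(uid=*" cannot widen the search.
valid_username() {
    case "$1" in
        *[!A-Za-z0-9._-]*|''|-*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# ldapsearch folds long attribute values at 76 columns; a continuation line
# starts with a single space. Join them back into one logical line, otherwise
# long RSA keys are silently truncated.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# Print the values of KEY_ATTR from unfolded LDIF on stdin. "attr:: value"
# means the value is base64-encoded (e.g. non-ASCII or a leading space).
extract_keys() {
    while IFS= read -r line; do
        case "$line" in
            "$KEY_ATTR:: "*) printf '%s\n' "${line#"$KEY_ATTR:: "}" | base64 -d; echo ;;
            "$KEY_ATTR: "*)  printf '%s\n' "${line#"$KEY_ATTR: "}" ;;
        esac
    done
}

# Let through only lines that look like an OpenSSH public key (type, base64
# blob, optional comment). Anything else stored in the directory is dropped
# instead of being handed to sshd. Keys stored with a leading options field
# (from=, command=, ...) would be rejected by this pattern.
filter_keys() {
    grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+={0,3}( [^[:cntrl:]]*)?$' || true
}

# Pure transformation LDIF text -> vetted key lines; used by keys_for_user
# and testable without a directory server.
keys_from_ldif() {
    unfold_ldif | extract_keys | filter_keys
}

# Query the directory (anonymous simple bind) for one user and emit its keys.
keys_for_user() {
    valid_username "$1" || { echo "invalid user name" >&2; return 1; }
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" "(uid=$1)" "$KEY_ATTR" \
        | keys_from_ldif
}

# Constructed sample of what ldapsearch prints (placeholder blobs, not real
# keys): one plain key, one key folded over two lines, one junk value and one
# base64-encoded value ("ssh-ed25519 AAAA bob").
sample_ldif() {
    printf '%s\n' \
        'dn: uid=alice,ou=users,dc=example,dc=org' \
        'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbsS1vY4p1aR0cJkCz2Y7xqN0f1lDkR3h8Q2tVwXyZa alice@laptop' \
        'sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7vbqajDhA' \
        ' 5nc3mzpT9pGfzQ6sZ8oQbsUQsQfE8rVnQ== alice@desktop' \
        'sshPublicKey: not a key at all' \
        'sshPublicKey:: c3NoLWVkMjU1MTkgQUFBQSBib2I='
}

# When sshd invokes the script it passes the user name; run the lookup then.
if [ "$#" -ge 1 ]; then
    keys_for_user "$1"
fi
```

Install the script root-owned and not writable by group or others (sshd refuses an AuthorizedKeysCommand that does not meet this), point AuthorizedKeysCommand at it and keep AuthorizedKeysCommandUser nobody; the search binds anonymously, so the directory must allow anonymous reads of the key attribute. Newer OpenLDAP clients can skip the unfolding step with `ldapsearch -o ldif-wrap=no`, but the unfold is harmless either way. To confirm which AuthorizedKeysFile and AuthorizedKeysCommand a given account ends up with, including the effect of the Match Group admin block, run `sshd -T -C user=<name>,host=<host>,addr=<addr>`.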