Presentation is loading. Please wait.

Presentation is loading. Please wait.

Putting your users in a Box Greg Thain Center for High Throughput Computing.

Published byRaymond Edgar Modified over 9 years ago

Similar presentations

Presentation on theme: "Putting your users in a Box Greg Thain Center for High Throughput Computing."— Presentation transcript:

1 Putting your users in a Box Greg Thain Center for High Throughput Computing

2 › Why put job in a box? › Old boxes that work everywhere* »*Everywhere that isn’t Windows › New shiny boxes 2 Outline

3 1) Protect the machine from the job. 2) Protect the job from the machine. 3) Protect one job from another. 3 Protections 3

4 › Allows nesting › Need not require root › Can’t be broken out of › Portable to all OSes › Allows full management:  Creation // Destruction  Monitoring  Limiting The perfect box 4

5 › Resources a job can (ab)use  CPU  Memory  Disk  Signals  Network. A Job ain’t nothing but work 5

6 › HTCondor Preempt expression  PREEMPT = TARGET.MemoryUsage > threshold ProportionalSetSizeKb > threshold › setrlimit call  USER_JOB_WRAPPER  STARTER_RLIMIT_AS Previous Solutions 6

7 › Newish stuff From here on out… 7

8 › Some people see this problem, and say › “I know, we’ll use a Virtual Machine” The Big Hammer 8

9 › Might need hypervisor installed  The right hypervisor (the right Version…) › Need to keep full OS image maintained › Difficult to debug › Hard to federate › Just too heavyweight Problems with VMs 9

10 › Want opaque box › Much LXC work applicable here › Work with Best feature of HTCondor ever? Containers, not VMs 10

11 › ASSIGN_CPU_AFFINITY=true › Now works with dynamic slots › Need not be root › Any Linux version  Only limits the job CPU AFFINITY 11

12 › You can’t kill what you can’t see › Requirements:  HTCondor 7.9.4+  RHEL 6  USE_PID_NAMESPACES = true (off by default)  Doesn’t work with privsep  Must be root PID namespaces 12

13 PID Namespaces 13 Init (1) Master (pid 15) Startd (pid 26) Starter (pid 39) Job (pid 1) Starter (pid 73) Job (pid 1)

14 › “Lock the kids in their room” › Startd advertises set › NAMED_CHROOT = /foo/R1,/foo/R2 › Job picks one: › +RequestedChroot = “/foo/R1” › Make sure path is secure! Named Chroots 14

15 › Two basic kernel abstractions: › 1) nested groups of processes › 2) “controllers” which limit resources Control Groups aka “cgroups” 15

16 › Implemented as filesystem  Mounted on /sys/fs/cgroup, or /cgroup or … › User-space tools in flux  Systemd  Cgservice › /proc/self/cgroup Control Cgroup setup 16

17 › Cpu › Memory › freezer Cgroup controllers 17

18 › Requires:  RHEL6, RHEL7 even better  HTCondor 7.9.5+  Rootly condor  BASE_CGROUP=htcondor  And… cgroup fs mounted… Enabling cgroups 18

19 › Starter puts each job into own cgroup  Named exec_dir + job id › Procd monitors  Procd freezes and kills atomically › MEMORY attr into memory controller › CGROUP_MEMORY_LIMIT_POLICY  Hard or soft  Job goes on hold with specific message Cgroups with HTCondor 19

20 Cgroup artifacts 20 04/22/13 11:39:08 Requesting cgroup htcondor/condor_exec_slot1@localhost for job … StarterLog: ProcLog … cgroup to htcondor/condor_exec_slot1@localhost for ProcFamily 2727. 04/22/13 11:39:13 : PROC_FAMILY_GET_USAGE 04/22/13 11:39:13 : gathering usage data for family with root pid 2724 04/22/13 11:39:17 : PROC_FAMILY_GET_USAGE 04/22/13 11:39:17 : gathering usage

21 $ condor_q -- Submitter: localhost : : localhost127.0.0.1:58873 ID OWNER SUBMITTED RUN_TIME ST PRI SIZE CMD 2.0 gthain 4/22 11:36 0+00:00:02 R 0 0.0 sleep 3600 › $ ps ax | grep 3600 gthain 2727 4268 4880 condor_exec.exe 3600 21

22 $ cat /proc/2727/cgroup 3:freezer:/htcondor/condor_exec_slot1@localhost 2:memory:/htcondor/condor_exec_slot1@localhost 1:cpuacct,cpu:/htcondor/condor_exec_slot1@localho st A process with Cgroups 22

23 $ cd /sys/fs/cgroup/memory/htcondor/condor_exec_sl ot1@localhost/ $ cat memory.usage_in_bytes 258048 $ cat tasks 2727 23

24 › Or, “Shared subtrees” › Goal: protect /tmp from shared jobs › Requires  Condor 7.9.4+  RHEL 5  Doesn’t work with privsep  HTCondor must be running as root  MOUNT_UNDER_SCRATCH = /tmp,/var/tmp MOUNT_UNDER_SCRATCH 24

25 MOUNT_UNDER_SCRATCH=/tmp,/var/tmp Each job sees private /tmp, /var/tmp Downsides: No sharing of files in /tmp MOUNT_UNDER_SCRATCH 25

26 Future work 26

27 Future Work Docker Universe Containers give Linux processes a private: Cgroups + Repo for images Bind mounts

28 › Questions? › See cgroup reference material in kernel doc https://www.kernel.org/doc/Documentation/cgroups/ cgroups.txthttps://www.kernel.org/doc/Documentation/cgroups/ cgroups.txt › LKN article about shared subtree mounts: http://lwn.net/Articles/159077/ Conclusion 28

Download ppt "Putting your users in a Box Greg Thain Center for High Throughput Computing."

Similar presentations

You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…

You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
Using Matrices in Real Life

Using Matrices in Real Life
Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
Our library has two forms of encyclopedias: Hard copy and electronic versions. The first is simply the old-fashioned book on the shelf type of encyclopedia.

Our library has two forms of encyclopedias: Hard copy and electronic versions. The first is simply the old-fashioned "book on the shelf" type of encyclopedia.
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Chapter 1 Image Slides Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 1 Image Slides Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.

Title Subtitle.
My Alphabet Book abcdefghijklm nopqrstuvwxyz.

My Alphabet Book abcdefghijklm nopqrstuvwxyz.
0 - 0.

0 - 0.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
FACTORING Think Distributive property backwards Work down, Show all steps ax + ay = a(x + y)

FACTORING Think Distributive property backwards Work down, Show all steps ax + ay = a(x + y)

Similar presentations

Ads by Google