Trace:
[[wiki:some_examples_of_admission_rules]]

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Next revisionBoth sides next revision
wiki:some_examples_of_admission_rules [2017/05/10 10:49] – [Example 5:] neyronwiki:some_examples_of_admission_rules [2020/04/07 21:54] – [Example 5: verify correct resources definitions] neyron
Line 138: Line 138:
 </code> </code>
  
-==== Example 4:  ==== +==== Example 4: limit access to a queue, based on usernames set in a file ====
- +
-Limit access to a queue, based on usernames set in a file+
  
 ==Answer== ==Answer==
Line 163: Line 161:
  
  
-==== Example 5:  ====+==== Example 5: give a more privilege to the owners of nodes ====
 Give a more privilege to the owners of nodes (e.g. people who payed for the nodes) to submit, by restricting others to besteffort jobs:  Give a more privilege to the owners of nodes (e.g. people who payed for the nodes) to submit, by restricting others to besteffort jobs: 
   * non-owners compete on the resources according to the scheduling policy of the besteffort queue ;   * non-owners compete on the resources according to the scheduling policy of the besteffort queue ;
Line 169: Line 167:
  
 ==Answer== ==Answer==
-  * First add a property to resources: //dedicated=none// or //dedicated=team_name// for nodes owned by each team.+  * First add a property to resources: //dedicated=NO// or //dedicated=team_name// for nodes owned by each team.
   * Then add an admission rule which describes the team list with regard to unix users and groups.   * Then add an admission rule which describes the team list with regard to unix users and groups.
-  * Non-besteffort jobs will automatically bound to resources set with //dedicated=none//, except for members of one of the defined teams, whose jobs are automatically directed to their dedicated resources (//dedicated=team_of_the_user//).+  * Non-besteffort jobs will automatically bound to resources set with //dedicated=NO//, except for members of one or more of the defined teams, whose jobs are automatically directed to the union of their dedicated resources (//dedicated=team_of_the_user//and the //dedicated=NO// resources.
   * Besteffort jobs do not have constraints: they are scheduled on any resources with the property //besteffort=YES// (usually all nodes).    * Besteffort jobs do not have constraints: they are scheduled on any resources with the property //besteffort=YES// (usually all nodes). 
  
 <code perl> <code perl>
-# Description : set dedicated property+# Description : set dedicated property for exceptional usages
  
 my @projects; my @projects;
Line 186: Line 184:
 push(@projects, \%fluminance_project); push(@projects, \%fluminance_project);
  
-my $dedicated_none 0; +my $jobaddedprop "\( dedicated='NO'" ;
-my $user_in_one_group 0;+
  
-foreach my $project (@projects) { +# original : IGRIDA admission rule 
-  my @members; +# modified : nef @ Inria Sophia 
-  foreach (@{$project->{'groups'}}) { +  
-    my $gr; +if (!(grep(/^besteffort/, @{$type_list}))) { 
-    (undef,undef,undef, $gr) = getgrnam($_); +  # Any user can run besteffort jobs on any resource :  
-    my @group_members = split(/\s+/,$gr); +  # no additional verification, no modification 
-    push(@members, @group_members); + 
-  } +  # Search for projects to which the user belongs 
-  push(@members, @{$project->{'users'}})+  foreach my $project (@projects) { 
-  my %h = map { $_ => 1 } @members; +    my @members; 
-  if ( $h{$user} eq 1 ) { +    foreach (@{$project->{'groups'}}) { 
-    if (!(grep(/dedicated(\s+|)=/, $jobproperties))){ +      my $gr; 
-      $jobproperties = "($jobproperties) AND dedicated = \'$project->{'dedicated'}\'"; +      (undef,undef,undef, $gr) = getgrnam($_); 
-      print("[ADMISSION RULE] Automatically add the constraint to go on the $project->{'dedicated'} dedicated nodes.\n"); +      my @group_members = split(/\s+/,$gr); 
-      $user_in_one_group = 1;+      #print(@group_members); 
 +      push(@members, @group_members);
     }     }
-  else +    push(@members, @{$project->{'users'}}); 
-    if (!(grep(/dedicated(\s+|)=/, $jobproperties))) { +    my %h = map $_ => 1 } @members; 
-      $dedicated_none 1+ 
-    } +    if ( $h{$user} eq 1 ) { 
-    if ((grep(/dedicated(\s+|)=(\s+|)'$project->{'dedicated'}\'/, $jobproperties)) and !(grep(/^besteffort/, @{$type_list}))) { +      #print($user); 
-      die("[ADMISSION RULE] $project->{'dedicated'} dedicated nodes are only available for best-effort jobs.\n");+      $jobaddedprop ." OR dedicated=\'$project->{'dedicated'}\'"
 +    } else { 
 +      if ((grep(/dedicated(\s+|)=(\s+|)'$project->{'dedicated'}\'/, $jobproperties))) { 
 +        die("[ADMISSION RULE] $project->{'dedicated'} dedicated nodes are only available for best-effort jobs.\n"); 
 +      }
     }     }
   }   }
-} 
  
-if (($dedicated_none == 1and ($user_in_one_group == 0) and ($queue_name ne "admin")) { +  $jobaddedprop ." \)"; 
-  if (!(grep(/^besteffort/, @{$type_list}))) { + 
-    $jobproperties = "($jobproperties) AND dedicated = \'none\'";+  # Always need to limit request to permitted nodes 
 +  if ($queue_name ne "admin") { 
 +    if (grep(/\S/, $jobproperties)) { 
 +      $jobproperties = "($jobproperties) AND $jobaddedprop"; 
 +    } else { 
 +      $jobproperties "$jobproperties $jobaddedprop"; 
 +    } 
 +    print("[ADMISSION RULE] Automatically add constraint to go on nodes permitted for the user.\n");
   }   }
 +
 } }
 </code> </code>
Line 224: Line 233:
 That set up: That set up:
   * For a user of team 'serpico' : ''$ oarsub -I''   * For a user of team 'serpico' : ''$ oarsub -I''
-    * => property set: ''dedicated = 'serpico''' +    * => property set: ''dedicated='NO' OR dedicated='serpico''' 
-  * That user can also use non dedicated nodes: ''$ oarsub -I -p "dedicated='none'"'' +  * That user can also force use of dedicated nodes only: ''$ oarsub -I -p "dedicated='serpico'"'' 
-    * => property set: ''dedicated='none''' +    * => property set: ''dedicated='serpico''' 
-  * For a user that does not belong to a team which owns nodes1: ''$ oarsub -I'' +  * For a user of teams 'serpico' and 'neurinfo': ''$ oarsub -I'' 
-    * => property set: ''dedicated = 'none'''+    * => property set: ''dedicated='NO' OR dedicated='serpico' OR dedicated='neurinfo''' 
 +  * For a user that does not belong to a team which owns nodes: ''$ oarsub -I'' 
 +    * => property set: ''dedicated='NO'''
   * And for that user: ''$ oarsub -I -p "dedicated='serpico'"''   * And for that user: ''$ oarsub -I -p "dedicated='serpico'"''
     * => ''ERROR : [ADMISSION RULE] serpico dedicated nodes are only available for best-effort jobs.''     * => ''ERROR : [ADMISSION RULE] serpico dedicated nodes are only available for best-effort jobs.''
   * But with: ''$ oarsub -I -t besteffort'' he can get jobs running on the dedicated nodes, which however will be stopped as soon as a job of a member of the owners' team need the nodes.   * But with: ''$ oarsub -I -t besteffort'' he can get jobs running on the dedicated nodes, which however will be stopped as soon as a job of a member of the owners' team need the nodes.
  
-(Note that there are some known limitations in that property filtering, which could allow malicious users to overcome the usage policy)+(There may be some limitations in that property filtering, which could allow malicious users to overcome the usage policy)
  
 +==== Example 5: verify correct resources definitions ====
 +
 +Verify that the <code>oarsub -l ''resource request''</code> gives a correct resources definition.
 +
 +OAR resource request hierarchies are implicit in the OAR database, but they can be enforced by an admission rule.
 +
 +Lets assume that valid resources hierarchies are:
 +
 +  * ''switch > cluster > host > cpu > gpu > core''
 +  * ''cluster > switch > host > cpu > gpu > core''
 +  * ''cluster > switch > host > disk''
 +  * ''switch > cluster > host > disk''
 +  * ''license''
 +
 +Here both switch > cluster, or cluster > switch can be valid (some clusters spread their nodes on many switches, some clusters share a same switch). Disks are special resources to reserve disks on hosts, independently from cpu, gpu and cores. Licenses are yet a completly independente type of resources. 
 +
 +Any of those resources properties can define a valid hierarchy or resources, for instance:
 +  * ''oarsub -l switch=2/core=1'' → get 2 cores on different switches
 +  * ''oarsub -l cluster=1/host=2/disk=1'' → get 2 disks of 2 different hosts but on a same cluster
 +  * ''oarsub -l license=1'' → get 1 license
 +
 +But incorrect hierachry should raise an error:
 +  * ''oarsub -l gpu=1/host=2'' → cannot get 2 hosts for a same gpu
 +  * ''oarsub -l host=1/disk=1/core=1'' → cannot mix disk and core
 +  * ''oarsub -l switch=1/cluster=1/switch=1'' → obviously wrong
 +
 +==Answer==
 +
 +<code perl>
 +
 +# definition of the valid implicit hierarchies of resources.
 +my %valid_children = (
 +                # both cluster > switch and switch > cluster are relevant
 +                "cluster"  => ["switch", "cpu", "host", "core", "gpu", "disk"],
 +                "switch"   => ["cluster", "cpu", "host", "core", "gpu", "disk"],
 +                "host"     => ["cpu", "core", "gpu", "disk"],
 +                "cpu"      => ["core", "gpu"],
 +                "gpu"      => ["core"],
 +                "disk"     => [],
 +                "license"  => [],
 +                );
 +
 +# nodes is synonym of host
 +my %aliases = (
 +        "nodes" => "host",
 +);
 +
 +# valid values are in one of the possible hierarchies
 +my %valid_resources;
 +foreach my $key (keys %valid_children) {
 +        $valid_resources{$key} = undef;
 +        foreach my $child (@{%valid_children{$key}}) {
 +                $valid_resources{$child} = undef;
 +        }
 +}
 +my @valid_resources = keys %valid_resources;
 +
 +# test the user's request for possible errors
 +foreach my $mold (@{$ref_resource_list}) { # loop on all moldable resources requests (oarsub -l ... -l ...)
 +        foreach my $r (@{$mold->[0]}) { # loop on all joint resources requests (oarsub -l ...+...)
 +                my @resources_hierarchy;
 +                my $parent_resource;
 +                foreach my $h (@{$r->{resources}}) { # loop on every resource, look at the resource name only ($h->{resource}) not the value ($h->{value})
 +                        if(!grep { $_ eq $h->{resource} } @valid_resources) {
 +                                die("[ADMISSION RULE] Error: the requested resources '$h->{resource}' is not valid, please check your syntax.\n");
 +                        }
 +                        if (!grep { $_ eq $h->{resource} } @resources_hierarchy) {
 +                                push @resources_hierarchy, $h->{resource};
 +                        } else {
 +                                # catching the case `oarsub -l /cluster=a/switch=b/cluster=c` or `oarsub -l /switch=a/cluster=b/switch=c`
 +                                push @resources_hierarchy, $h->{resource};
 +                                die("[ADMISSION RULE] Error: duplicated resource '$h->{resource}' in the requested resources hiearchy '".join(" > ", @resources_hierarchy)."'.\n");
 +                        }
 +                        if (defined($parent_resource)) {
 +                                if (!grep { $_ eq $h->{resource} } @{$valid_children{$parent_resource}}) {
 +                                        die("[ADMISSION RULE] Error: the requested resources hierarchy '".join(" > ", @resources_hierarchy)."' is not relevant.\n");
 +                                }
 +                        }
 +                        if (exists $aliases{$h->{resource}}) {
 +                                $parent_resource = $aliases{$h->{resource}};
 +                        } else {
 +                                $parent_resource = $h->{resource};
 +                        }
 +                }
 +        }
 +}
 +</code>
wiki/some_examples_of_admission_rules.txt · Last modified: 2020/04/07 22:01 by neyron
Recent changes RSS feed GNU Free Documentation License 1.3 Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki