Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
wiki:some_examples_of_admission_rules [2017/05/10 10:49] – [Example 5:] neyronwiki:some_examples_of_admission_rules [2020/04/07 22:01] (current) – [Example 5: verify correct resources definitions] neyron
Line 138: Line 138:
 </code> </code>
  
-==== Example 4:  ==== +==== Example 4: limit access to a queue, based on usernames set in a file ====
- +
-Limit access to a queue, based on usernames set in a file+
  
 ==Answer== ==Answer==
Line 163: Line 161:
  
  
-==== Example 5:  ====+==== Example 5: give a more privilege to the owners of nodes ====
 Give a more privilege to the owners of nodes (e.g. people who payed for the nodes) to submit, by restricting others to besteffort jobs:  Give a more privilege to the owners of nodes (e.g. people who payed for the nodes) to submit, by restricting others to besteffort jobs: 
   * non-owners compete on the resources according to the scheduling policy of the besteffort queue ;   * non-owners compete on the resources according to the scheduling policy of the besteffort queue ;
Line 169: Line 167:
  
 ==Answer== ==Answer==
-  * First add a property to resources: //dedicated=none// or //dedicated=team_name// for nodes owned by each team.+  * First add a property to resources: //dedicated=NO// or //dedicated=team_name// for nodes owned by each team.
   * Then add an admission rule which describes the team list with regard to unix users and groups.   * Then add an admission rule which describes the team list with regard to unix users and groups.
-  * Non-besteffort jobs will automatically bound to resources set with //dedicated=none//, except for members of one of the defined teams, whose jobs are automatically directed to their dedicated resources (//dedicated=team_of_the_user//).+  * Non-besteffort jobs will automatically bound to resources set with //dedicated=NO//, except for members of one or more of the defined teams, whose jobs are automatically directed to the union of their dedicated resources (//dedicated=team_of_the_user//and the //dedicated=NO// resources.
   * Besteffort jobs do not have constraints: they are scheduled on any resources with the property //besteffort=YES// (usually all nodes).    * Besteffort jobs do not have constraints: they are scheduled on any resources with the property //besteffort=YES// (usually all nodes). 
  
 <code perl> <code perl>
-# Description : set dedicated property+# Description : set dedicated property for exceptional usages
  
 my @projects; my @projects;
Line 186: Line 184:
 push(@projects, \%fluminance_project); push(@projects, \%fluminance_project);
  
-my $dedicated_none 0; +my $jobaddedprop "\( dedicated='NO'" ;
-my $user_in_one_group 0;+
  
-foreach my $project (@projects) { +# original : IGRIDA admission rule 
-  my @members; +# modified : nef @ Inria Sophia 
-  foreach (@{$project->{'groups'}}) { +  
-    my $gr; +if (!(grep(/^besteffort/, @{$type_list}))) { 
-    (undef,undef,undef, $gr) = getgrnam($_); +  # Any user can run besteffort jobs on any resource :  
-    my @group_members = split(/\s+/,$gr); +  # no additional verification, no modification 
-    push(@members, @group_members); + 
-  } +  # Search for projects to which the user belongs 
-  push(@members, @{$project->{'users'}})+  foreach my $project (@projects) { 
-  my %h = map { $_ => 1 } @members; +    my @members; 
-  if ( $h{$user} eq 1 ) { +    foreach (@{$project->{'groups'}}) { 
-    if (!(grep(/dedicated(\s+|)=/, $jobproperties))){ +      my $gr; 
-      $jobproperties = "($jobproperties) AND dedicated = \'$project->{'dedicated'}\'"; +      (undef,undef,undef, $gr) = getgrnam($_); 
-      print("[ADMISSION RULE] Automatically add the constraint to go on the $project->{'dedicated'} dedicated nodes.\n"); +      my @group_members = split(/\s+/,$gr); 
-      $user_in_one_group = 1;+      #print(@group_members); 
 +      push(@members, @group_members);
     }     }
-  else +    push(@members, @{$project->{'users'}}); 
-    if (!(grep(/dedicated(\s+|)=/, $jobproperties))) { +    my %h = map $_ => 1 } @members; 
-      $dedicated_none 1+ 
-    } +    if ( $h{$user} eq 1 ) { 
-    if ((grep(/dedicated(\s+|)=(\s+|)'$project->{'dedicated'}\'/, $jobproperties)) and !(grep(/^besteffort/, @{$type_list}))) { +      #print($user); 
-      die("[ADMISSION RULE] $project->{'dedicated'} dedicated nodes are only available for best-effort jobs.\n");+      $jobaddedprop ." OR dedicated=\'$project->{'dedicated'}\'"
 +    } else { 
 +      if ((grep(/dedicated(\s+|)=(\s+|)'$project->{'dedicated'}\'/, $jobproperties))) { 
 +        die("[ADMISSION RULE] $project->{'dedicated'} dedicated nodes are only available for best-effort jobs.\n"); 
 +      }
     }     }
   }   }
-} 
  
-if (($dedicated_none == 1and ($user_in_one_group == 0) and ($queue_name ne "admin")) { +  $jobaddedprop ." \)"; 
-  if (!(grep(/^besteffort/, @{$type_list}))) { + 
-    $jobproperties = "($jobproperties) AND dedicated = \'none\'";+  # Always need to limit request to permitted nodes 
 +  if ($queue_name ne "admin") { 
 +    if (grep(/\S/, $jobproperties)) { 
 +      $jobproperties = "($jobproperties) AND $jobaddedprop"; 
 +    } else { 
 +      $jobproperties "$jobproperties $jobaddedprop"; 
 +    } 
 +    print("[ADMISSION RULE] Automatically add constraint to go on nodes permitted for the user.\n");
   }   }
 +
 } }
 </code> </code>
Line 224: Line 233:
 That set up: That set up:
   * For a user of team 'serpico' : ''$ oarsub -I''   * For a user of team 'serpico' : ''$ oarsub -I''
-    * => property set: ''dedicated = 'serpico''' +    * => property set: ''dedicated='NO' OR dedicated='serpico''' 
-  * That user can also use non dedicated nodes: ''$ oarsub -I -p "dedicated='none'"'' +  * That user can also force use of dedicated nodes only: ''$ oarsub -I -p "dedicated='serpico'"'' 
-    * => property set: ''dedicated='none''' +    * => property set: ''dedicated='serpico''' 
-  * For a user that does not belong to a team which owns nodes1: ''$ oarsub -I'' +  * For a user of teams 'serpico' and 'neurinfo': ''$ oarsub -I'' 
-    * => property set: ''dedicated = 'none'''+    * => property set: ''dedicated='NO' OR dedicated='serpico' OR dedicated='neurinfo''' 
 +  * For a user that does not belong to a team which owns nodes: ''$ oarsub -I'' 
 +    * => property set: ''dedicated='NO'''
   * And for that user: ''$ oarsub -I -p "dedicated='serpico'"''   * And for that user: ''$ oarsub -I -p "dedicated='serpico'"''
     * => ''ERROR : [ADMISSION RULE] serpico dedicated nodes are only available for best-effort jobs.''     * => ''ERROR : [ADMISSION RULE] serpico dedicated nodes are only available for best-effort jobs.''
   * But with: ''$ oarsub -I -t besteffort'' he can get jobs running on the dedicated nodes, which however will be stopped as soon as a job of a member of the owners' team need the nodes.   * But with: ''$ oarsub -I -t besteffort'' he can get jobs running on the dedicated nodes, which however will be stopped as soon as a job of a member of the owners' team need the nodes.
  
-(Note that there are some known limitations in that property filtering, which could allow malicious users to overcome the usage policy)+(There may be some limitations in that property filtering, which could allow malicious users to overcome the usage policy)
  
 +==== Example 5: verify correct resources definitions ====
 +
 +Verify that the ''oarsub -l [resource request]'' gives a correct resources definition.
 +
 +OAR resource request hierarchies are implicit in the OAR database, but they can be enforced by an admission rule.
 +
 +Lets assume that valid resources hierarchies are:
 +
 +  * ''switch > cluster > host > cpu > gpu > core''
 +  * ''cluster > switch > host > cpu > gpu > core''
 +  * ''cluster > switch > host > disk''
 +  * ''switch > cluster > host > disk''
 +  * ''license''
 +
 +Here both switch > cluster, or cluster > switch can be valid (some clusters spread their nodes on many switches, some clusters share a same switch). A GPU never spans several CPUs. The disk property defines special resources to reserve disks on hosts, independently from cpu, gpu and core properties. The license property is yet a completely independent type of resource. 
 +
 +Any of those resources properties can define a valid hierarchy or resources, for instance:
 +  * ''oarsub -l switch=2/core=1'' → get 2 cores on different switches
 +  * ''oarsub -l cluster=1/host=2/disk=1'' → get 2 disks of 2 different hosts but on a same cluster
 +  * ''oarsub -l license=1'' → get 1 license
 +
 +But incorrect hierachry should raise an error:
 +  * ''oarsub -l gpu=1/host=2'' → cannot get 2 hosts for a same gpu
 +  * ''oarsub -l host=1/disk=1/core=1'' → cannot mix disk and core
 +  * ''oarsub -l switch=1/cluster=1/switch=1'' → obviously wrong
 +
 +==Answer==
 +
 +<code perl>
 +
 +# definition of the valid implicit hierarchies of resources.
 +my %valid_children = (
 +                # both cluster > switch and switch > cluster are relevant
 +                "cluster"  => ["switch", "cpu", "host", "core", "gpu", "disk"],
 +                "switch"   => ["cluster", "cpu", "host", "core", "gpu", "disk"],
 +                "host"     => ["cpu", "core", "gpu", "disk"],
 +                "cpu"      => ["core", "gpu"],
 +                "gpu"      => ["core"],
 +                "disk"     => [],
 +                "license"  => [],
 +                );
 +
 +# nodes is synonym of host
 +my %aliases = (
 +        "nodes" => "host",
 +);
 +
 +# valid values are in one of the possible hierarchies
 +my %valid_resources;
 +foreach my $key (keys %valid_children) {
 +        $valid_resources{$key} = undef;
 +        foreach my $child (@{%valid_children{$key}}) {
 +                $valid_resources{$child} = undef;
 +        }
 +}
 +my @valid_resources = keys %valid_resources;
 +
 +# test the user's request for possible errors
 +foreach my $mold (@{$ref_resource_list}) { # loop on all moldable resources requests (oarsub -l ... -l ...)
 +        foreach my $r (@{$mold->[0]}) { # loop on all joint resources requests (oarsub -l ...+...)
 +                my @resources_hierarchy;
 +                my $parent_resource;
 +                foreach my $h (@{$r->{resources}}) { # loop on every resource, look at the resource name only ($h->{resource}) not the value ($h->{value})
 +                        if(!grep { $_ eq $h->{resource} } @valid_resources) {
 +                                die("[ADMISSION RULE] Error: the requested resources '$h->{resource}' is not valid, please check your syntax.\n");
 +                        }
 +                        if (!grep { $_ eq $h->{resource} } @resources_hierarchy) {
 +                                push @resources_hierarchy, $h->{resource};
 +                        } else {
 +                                # catching the case `oarsub -l /cluster=a/switch=b/cluster=c` or `oarsub -l /switch=a/cluster=b/switch=c`
 +                                push @resources_hierarchy, $h->{resource};
 +                                die("[ADMISSION RULE] Error: duplicated resource '$h->{resource}' in the requested resources hiearchy '".join(" > ", @resources_hierarchy)."'.\n");
 +                        }
 +                        if (defined($parent_resource)) {
 +                                if (!grep { $_ eq $h->{resource} } @{$valid_children{$parent_resource}}) {
 +                                        die("[ADMISSION RULE] Error: the requested resources hierarchy '".join(" > ", @resources_hierarchy)."' is not relevant.\n");
 +                                }
 +                        }
 +                        if (exists $aliases{$h->{resource}}) {
 +                                $parent_resource = $aliases{$h->{resource}};
 +                        } else {
 +                                $parent_resource = $h->{resource};
 +                        }
 +                }
 +        }
 +}
 +</code>
wiki/some_examples_of_admission_rules.txt · Last modified: 2020/04/07 22:01 by neyron
Recent changes RSS feed GNU Free Documentation License 1.3 Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki