[Beowulf] Authentication within beowulf clusters.

Steven Timm timm at fnal.gov
Mon Feb 2 10:32:01 EST 2004


On Mon, 2 Feb 2004, Joe Landman wrote:

> I have tried to avoid NIS on linux, as it appears not to be as stable as
> needed under heavy load.  I have had customers bring it crashing down
> when it serves login information, just by running simple scripts across
> the cluster.

To clarify, the problem is when there is some cron job (or reboot)
in which a couple of hundred nodes all go after the NIS server
at once.  It's magnified by the fact that there's an NIS lookup
done even when it's a user in the local password file such as root.

The problems can be mitigated by having a lot of nodes be slaves.
At one point I had all of the nodes of my cluster be slaves.  But
the problem with that is that the transmission protocol is not
perfect and every once in a while you wind up with a slave
server that is down a map or two.

We've now shifted to pushing out our password files via rsync.

>
> I prefer pushing name service lookups through DNS, and I tend to use
> dnsmasq for these (http://www.thekelleys.org.uk/dnsmasq/doc.html).
> Setting up a full blown named/bind system for a cluster seems like
> significant overkill in most cases.
>
> On the authentication side, I had high hopes for LDAP, but haven't been
> able to easily/repeatably make a working LDAP server with databases.  I
> am starting to think more along the lines of a simple database with pam
> modules on the frontend.  See
> http://freshmeat.net/projects/pam_pgsql/?topic_id=136 or
> http://sourceforge.net/projects/pam-mysql/ for examples.

Our set of Kerberos 5 KDCs have thus far been able to handle the load
of some 1500 nodes with more still coming.  Plus then we have no
real passwords in the passwd file and thus the security issues
of distributing it are much less critical.

Steve Timm


>
>
>
> On Mon, 2004-02-02 at 07:45, Brent M. Clements wrote:
> > Nscd is a necessary evil sometimes though.
> >
> > -B
> >
> > Brent Clements
> > Linux Technology Specialist
> > Information Technology
> > Rice University
> >
> >
> > On Mon, 2 Feb 2004, Leif Nixon wrote:
> >
> > > Jag <agrajag at dragaera.net> writes:
> > >
> > > > On Sat, 2004-01-31 at 10:25, Robert G. Brown wrote:
> > > >
> > > >> NIS works fine for many purposes as well, but be warned -- in certain
> > > >> configurations and for certain tasks it becomes a very high overhead
> > > >> protocol.  In particular, it adds an NIS hit to every file stat, for
> > > >> example, so that it can check groups and permissions.
> > > >
> > > > A good way around this is to run nscd (Name Services Caching Daemon).
> > >
> > > I'm really, really suspicious of nscd. I've more than once seen
> > > it hang on to stale information forever for no good reason at all.
> > >
> > > --
> > > Leif Nixon                                    Systems expert
> > > ------------------------------------------------------------
> > > National Supercomputer Centre           Linkoping University
> > > ------------------------------------------------------------
> > > _______________________________________________
> > > Beowulf mailing list, Beowulf at beowulf.org
> > > To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
> > >
>
>
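
Added example, not part of the original message or thread: the reply above says that with Kerberos there are no real passwords in the passwd file, which is what makes distributing it via rsync less critical. The Python check below tests that property on a passwd-format file before it is pushed; the function names and the sample entries are constructed for illustration.

```python
import sys

# Constructed sample in passwd(5) format; none of these accounts or values are real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:*K*:1001:1001:Alice (Kerberos):/home/alice:/bin/bash
bob:$1$constructed$notARealHashValue000000:1002:1002:Bob:/home/bob:/bin/bash
carol::1003:1003:Carol:/home/carol:/bin/bash
daemon:*:2:2:daemon:/sbin:/sbin/nologin
broken-line-without-fields
"""

def classify_password_field(field):
    """Classify the second passwd field."""
    if field == "":
        return "empty"          # account usable with no password at all
    if field == "x" or field[0] in "*!":
        return "placeholder"    # shadowed, locked, or authenticated elsewhere
    return "hash"               # anything else is treated as a real password hash

def audit_passwd(text):
    """Return (line number, account, problem) for entries unsafe to distribute."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "?", "malformed"))
            continue
        kind = classify_password_field(fields[1])
        if kind != "placeholder":
            findings.append((lineno, fields[0], kind))
    return findings

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_PASSWD
    problems = audit_passwd(text)
    for lineno, account, kind in problems:
        print(f"line {lineno}: {account}: {kind}")
    # A non-zero exit lets a push script refuse to run rsync.
    sys.exit(1 if problems else 0)
```
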