
Commit 3c5ca9d

feat(slurmd): add SSH support with pam_slurm_adopt
Enable SSH access to slurmd containers with job-based access control via pam_slurm_adopt. SSH host keys are generated at runtime, and PAM is dynamically configured to restrict SSH access to users with active jobs. Ref: https://slurm.schedmd.com/pam_slurm_adopt.html
1 parent 0511977 commit 3c5ca9d


6 files changed

+57
-3
lines changed


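--- a/schedmd/slurm/25.11/rockylinux9/Dockerfile
+++ b/schedmd/slurm/25.11/rockylinux9/Dockerfile
@@ -183,6 +183,7 @@ RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked <<EOR
 set -xeuo pipefail
 dnf -q -y install --setopt='install_weak_deps=False' \
 gawk socat \
+openssh-server \
 ./slurm-devel-[0-9]*.rpm \
 ./slurm-libpmi-[0-9]*.rpm \
 ./slurm-pam_slurm-[0-9]*.rpm \
@@ -194,17 +195,21 @@ mkdir -p /var/spool/slurmd/
 cp -v /etc/nsswitch.conf{,.bak}
 sed -i -E "s/^passwd:[[:space:]]+/&slurm /g" /etc/nsswitch.conf
 sed -i -E "s/^group:[[:space:]]+/&slurm /g" /etc/nsswitch.conf
+# Configure SSH
+rm -f /etc/ssh/ssh_host_*
 EOR
 
 COPY files/etc/supervisord.conf /etc/
 COPY \
 files/etc/supervisord.d/slurmd.ini \
 files/etc/supervisord.d/fakesystemd.ini \
+files/etc/supervisord.d/sshd.ini \
 /etc/supervisord.d/
 COPY files/usr/local/bin/fakesystemd.sh /usr/local/bin/
 COPY files/usr/local/bin/slurmd-entrypoint.sh /usr/local/bin/entrypoint.sh
 
 EXPOSE 6818/tcp
+EXPOSE 22/tcp
 ENTRYPOINT ["entrypoint.sh"]
 
 ################################################################################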
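Review bot: The `COPY` in the second hunk now pulls in `files/etc/supervisord.d/sshd.ini`, but that file is not among the six files this commit changes, so unless it already exists in the build context the image build will fail at that step; the same applies to `files/etc/supervisor/conf.d/sshd.conf` in the ubuntu24.04 Dockerfile. That unit file is presumably what consumes `SSHD_OPTIONS` and decides how sshd is started, so it belongs in the same review. Separately, the `# Configure SSH` comment above `rm -f /etc/ssh/ssh_host_*` does not say why the keys are removed; `# Remove any host keys present at build time so no private key ships in the image; the entrypoint regenerates them with ssh-keygen -A` states the intent.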

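--- a/schedmd/slurm/25.11/rockylinux9/files/usr/local/bin/slurmd-entrypoint.sh
+++ b/schedmd/slurm/25.11/rockylinux9/files/usr/local/bin/slurmd-entrypoint.sh
@@ -7,6 +7,9 @@ set -euo pipefail
 # Additional arguments to pass to slurmd.
 export SLURMD_OPTIONS="${SLURMD_OPTIONS:-} $*"
 
+# Additional arguments to pass to sshd.
+export SSHD_OPTIONS="${SSHD_OPTIONS:-""}"
+
 # The asserted CPU resource limit of the pod.
 export POD_CPUS="${POD_CPUS:-0}"
 
@@ -94,6 +97,17 @@ function addConfItem() {
 export SLURMD_OPTIONS="${slurmdOptions[*]}"
 }
 
+# configure_pam configures PAM to use pam_slurm_adopt for SSH sessions.
+#
+# This allows SSH access to be restricted to users with active jobs on the node.
+function configure_pam() {
+# Add pam_slurm_adopt to SSH PAM configuration if not already present
+if ! grep -q "pam_slurm_adopt.so" /etc/pam.d/sshd 2>/dev/null; then
+# Insert after account include password-auth (Rocky Linux specific pattern)
+sed -i '/^account[[:space:]]*include[[:space:]]*password-auth/a -account required pam_slurm_adopt.so action_no_jobs=deny action_unknown=newest action_adopt_failure=deny action_generic_failure=deny disable_x11=0' /etc/pam.d/sshd
+fi
+}
+
 function main() {
 mkdir -p /run/slurm/
 mkdir -p /var/spool/slurmd/
@@ -114,6 +128,12 @@ function main() {
 addConfItem "MemSpecLimit=${memSpecLimit}"
 fi
 
+# Initialize SSH
+mkdir -p /run/sshd/
+chmod 0755 /run/sshd/
+ssh-keygen -A
+configure_pam
+
 exec supervisord -c /etc/supervisord.conf
 }
 main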
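Review bot: In `configure_pam` (second hunk) the `sed` appends the pam_slurm_adopt line only when the `account include password-auth` anchor matches; if the base image's /etc/pam.d/sshd lacks that line, `sed` still exits 0, nothing is inserted, and `main` goes on to start sshd with no job-based restriction. The function should fail closed by re-checking after the edit, e.g. `grep -q 'pam_slurm_adopt.so' /etc/pam.d/sshd || { echo 'pam_slurm_adopt not configured in /etc/pam.d/sshd' >&2; exit 1; }`. The ubuntu24.04 entrypoint has the same gap with its `@include common-account` anchor. The `2>/dev/null` on the first `grep` also hides a missing or unreadable PAM file, which is better reported than suppressed.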

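--- a/schedmd/slurm/25.11/ubuntu24.04/Dockerfile
+++ b/schedmd/slurm/25.11/ubuntu24.04/Dockerfile
@@ -179,6 +179,7 @@ set -xeuo pipefail
 apt-get -qq update
 apt-get -qq -y install --no-install-recommends --fix-broken \
 gawk socat \
+openssh-server \
 ./slurm-smd-client_[0-9]*.deb \
 ./slurm-smd-client-dbgsym_[0-9]*.ddeb \
 ./slurm-smd-dev_[0-9]*.deb \
@@ -197,17 +198,21 @@ mkdir -p /var/spool/slurmd/
 cp -v /etc/nsswitch.conf{,.bak}
 sed -i -E "s/^passwd:[[:space:]]+/&slurm /g" /etc/nsswitch.conf
 sed -i -E "s/^group:[[:space:]]+/&slurm /g" /etc/nsswitch.conf
+# Configure SSH
+rm -f /etc/ssh/ssh_host_*
 EOR
 
 COPY files/etc/supervisor/supervisord.conf /etc/supervisor/
 COPY \
 files/etc/supervisor/conf.d/slurmd.conf \
 files/etc/supervisor/conf.d/fakesystemd.conf \
+files/etc/supervisor/conf.d/sshd.conf \
 /etc/supervisor/conf.d/
 COPY files/usr/local/bin/fakesystemd.sh /usr/local/bin/
 COPY files/usr/local/bin/slurmd-entrypoint.sh /usr/local/bin/entrypoint.sh
 
 EXPOSE 6818/tcp
+EXPOSE 22/tcp
 ENTRYPOINT ["entrypoint.sh"]
 
 ################################################################################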

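--- a/schedmd/slurm/25.11/ubuntu24.04/files/usr/local/bin/slurmd-entrypoint.sh
+++ b/schedmd/slurm/25.11/ubuntu24.04/files/usr/local/bin/slurmd-entrypoint.sh
@@ -7,6 +7,9 @@ set -euo pipefail
 # Additional arguments to pass to slurmd.
 export SLURMD_OPTIONS="${SLURMD_OPTIONS:-} $*"
 
+# Additional arguments to pass to sshd.
+export SSHD_OPTIONS="${SSHD_OPTIONS:-""}"
+
 # The asserted CPU resource limit of the pod.
 export POD_CPUS="${POD_CPUS:-0}"
 
@@ -94,6 +97,17 @@ function addConfItem() {
 export SLURMD_OPTIONS="${slurmdOptions[*]}"
 }
 
+# configure_pam configures PAM to use pam_slurm_adopt for SSH sessions.
+#
+# This allows SSH access to be restricted to users with active jobs on the node.
+function configure_pam() {
+# Add pam_slurm_adopt to SSH PAM configuration if not already present
+if ! grep -q "pam_slurm_adopt.so" /etc/pam.d/sshd 2>/dev/null; then
+# Insert after common-account include
+sed -i '/^@include common-account/a -account required pam_slurm_adopt.so action_no_jobs=deny action_unknown=newest action_adopt_failure=deny action_generic_failure=deny disable_x11=0' /etc/pam.d/sshd
+fi
+}
+
 function main() {
 mkdir -p /run/slurm/
 mkdir -p /var/spool/slurmd/
@@ -114,6 +128,12 @@ function main() {
 addConfItem "MemSpecLimit=${memSpecLimit}"
 fi
 
+# Initialize SSH
+mkdir -p /run/sshd/
+chmod 0755 /run/sshd/
+ssh-keygen -A
+configure_pam
+
 exec supervisord -c /etc/supervisor/supervisord.conf
 }
 main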
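Review bot: The PAM line inserted by `configure_pam` (second hunk) starts with `-` (`-account required pam_slurm_adopt.so ...`), which makes PAM skip the entry without logging when the module cannot be loaded, so a missing or broken pam_slurm_adopt.so would leave the account stack without the job check instead of denying logins. That prefix suits nodes where the module may be temporarily unavailable, for example on a shared filesystem; in an image that is expected to ship the module, `account required pam_slurm_adopt.so ...` fails closed. The rockylinux9 entrypoint inserts the same `-account` line. Whether the ubuntu image installs the module is not visible in this diff, so confirm that before changing it.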

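--- a/schedmd/slurm/master/rockylinux9/files/usr/local/bin/slurmd-entrypoint.sh
+++ b/schedmd/slurm/master/rockylinux9/files/usr/local/bin/slurmd-entrypoint.sh
@@ -95,11 +95,13 @@ function addConfItem() {
 export SLURMD_OPTIONS="${slurmdOptions[*]}"
 }
 
-# Configure PAM for pam_slurm_adopt (following login's dynamic pattern)
+# configure_pam configures PAM to use pam_slurm_adopt for SSH sessions.
+#
+# This allows SSH access to be restricted to users with active jobs on the node.
 function configure_pam() {
 # Add pam_slurm_adopt to SSH PAM configuration if not already present
 if ! grep -q "pam_slurm_adopt.so" /etc/pam.d/sshd 2>/dev/null; then
-# Insert after common-account include
+# Insert after account include password-auth (Rocky Linux specific pattern)
 sed -i '/^account[[:space:]]*include[[:space:]]*password-auth/a -account required pam_slurm_adopt.so action_no_jobs=deny action_unknown=newest action_adopt_failure=deny action_generic_failure=deny disable_x11=0' /etc/pam.d/sshd
 fi
 }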

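--- a/schedmd/slurm/master/ubuntu24.04/files/usr/local/bin/slurmd-entrypoint.sh
+++ b/schedmd/slurm/master/ubuntu24.04/files/usr/local/bin/slurmd-entrypoint.sh
@@ -95,7 +95,9 @@ function addConfItem() {
 export SLURMD_OPTIONS="${slurmdOptions[*]}"
 }
 
-# Configure PAM for pam_slurm_adopt (following login's dynamic pattern)
+# configure_pam configures PAM to use pam_slurm_adopt for SSH sessions.
+#
+# This allows SSH access to be restricted to users with active jobs on the node.
 function configure_pam() {
 # Add pam_slurm_adopt to SSH PAM configuration if not already present
 if ! grep -q "pam_slurm_adopt.so" /etc/pam.d/sshd 2>/dev/null; then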
