From ebcc934ae6ed349abbd1693a534d4beba01b63aa Mon Sep 17 00:00:00 2001
From: Danny Auble <da@llnl.gov>
Date: Tue, 14 Nov 2006 17:34:24 +0000
Subject: [PATCH] added some security to the images used by the bluegene plugin
---
NEWS | 3 +-
.../select/bluegene/plugin/bg_job_place.c | 137 ++++++++++++++++++
src/plugins/select/bluegene/plugin/bluegene.c | 41 +++++-
src/plugins/select/bluegene/plugin/bluegene.h | 8 +-
4 files changed, 176 insertions(+), 13 deletions(-)
diff --git a/NEWS b/NEWS
index cb0794496a0..6aedea181b2 100644
--- a/NEWS
+++ b/NEWS
@@ -4,8 +4,7 @@ documents those changes that are of interest to users and admins.
* Changes in SLURM 1.2.0-pre7
=============================
-- BLUEGENE - added configurable images for bluegene block creation.
- (No documentation out side of srun and sbatch just yet,
- no sercurity either)
+ (No documentation out side of srun and sbatch just yet)
* Changes in SLURM 1.2.0-pre6
=============================
diff --git a/src/plugins/select/bluegene/plugin/bg_job_place.c b/src/plugins/select/bluegene/plugin/bg_job_place.c
index cd6990aaeda..5928ceb4a53 100644
--- a/src/plugins/select/bluegene/plugin/bg_job_place.c
+++ b/src/plugins/select/bluegene/plugin/bg_job_place.c
@@ -99,6 +99,8 @@ static int _find_best_block_match(struct job_record* job_ptr,
ListIterator itr2;
bg_record_t *record = NULL;
bg_record_t *found_record = NULL;
+ image_t *image = NULL;
+ image_group_t *image_group = NULL;
uint16_t req_geometry[BA_SYSTEM_DIMENSIONS];
uint16_t start[BA_SYSTEM_DIMENSIONS];
uint16_t conn_type, rotate, target_size = 0;
@@ -110,6 +112,7 @@ static int _find_best_block_match(struct job_record* job_ptr,
int rot_cnt = 0;
int created = 0;
int found = 0;
+ int allow = 0;
uint32_t max_procs = NO_VAL;
List lists_of_lists = NULL;
List temp_list = NULL;
@@ -122,6 +125,7 @@ static int _find_best_block_match(struct job_record* job_ptr,
char *mloaderimage; /* mloaderImage for this request */
char *ramdiskimage; /* RamDiskImage for this request */
int rc = SLURM_SUCCESS;
+
if(!total_cpus)
total_cpus = DIM_SIZE[X] * DIM_SIZE[Y] * DIM_SIZE[Z]
* procs_per_node;
@@ -204,12 +208,145 @@ static int _find_best_block_match(struct job_record* job_ptr,
SELECT_DATA_MAX_PROCS, &max_procs);
select_g_get_jobinfo(job_ptr->select_jobinfo,
SELECT_DATA_BLRTS_IMAGE, &blrtsimage);
+ if(!blrtsimage)
+ blrtsimage = xstrdup(default_blrtsimage);
+
+ allow = 0;
+ itr = list_iterator_create(bg_blrtsimage_list);
+ while((image = list_next(itr))) {
+ if(!strcasecmp(blrtsimage, image->name)
+ || !strcasecmp("*", image->name)) {
+ if(image->def) {
+ allow = 1;
+ break;
+ }
+ if(!image->groups || !list_count(image->groups)) {
+ allow = 1;
+ break;
+ }
+ itr2 = list_iterator_create(image->groups);
+ while((image_group = list_next(itr))) {
+ if(image_group->gid == job_ptr->group_id) {
+ allow = 1;
+ break;
+ }
+ }
+ list_iterator_destroy(itr2);
+ if(allow)
+ break;
+ }
+ }
+ list_iterator_destroy(itr);
+ if(!allow) {
+ error("User %u:%u is not allowed to use BlrtsImage %s",
+ blrtsimage);
+ return SLURM_ERROR;
+ }
select_g_get_jobinfo(job_ptr->select_jobinfo,
SELECT_DATA_LINUX_IMAGE, &linuximage);
+ if(!linuximage)
+ linuximage = xstrdup(default_linuximage);
+ allow = 0;
+ itr = list_iterator_create(bg_linuximage_list);
+ while((image = list_next(itr))) {
+ if(!strcasecmp(linuximage, image->name)
+ || !strcasecmp("*", image->name)) {
+ if(image->def) {
+ allow = 1;
+ break;
+ }
+ if(!image->groups || !list_count(image->groups)) {
+ allow = 1;
+ break;
+ }
+ itr2 = list_iterator_create(image->groups);
+ while((image_group = list_next(itr))) {
+ if(image_group->gid == job_ptr->group_id) {
+ allow = 1;
+ break;
+ }
+ }
+ list_iterator_destroy(itr2);
+ if(allow)
+ break;
+ }
+ }
+ list_iterator_destroy(itr);
+ if(!allow) {
+ error("User %u:%u is not allowed to use LinuxImage %s",
+ linuximage);
+ return SLURM_ERROR;
+ }
select_g_get_jobinfo(job_ptr->select_jobinfo,
SELECT_DATA_MLOADER_IMAGE, &mloaderimage);
+ if(!mloaderimage)
+ mloaderimage = xstrdup(default_mloaderimage);
+ allow = 0;
+ itr = list_iterator_create(bg_mloaderimage_list);
+ while((image = list_next(itr))) {
+ if(!strcasecmp(mloaderimage, image->name)
+ || !strcasecmp("*", image->name)) {
+ if(image->def) {
+ allow = 1;
+ break;
+ }
+ if(!image->groups || !list_count(image->groups)) {
+ allow = 1;
+ break;
+ }
+ itr2 = list_iterator_create(image->groups);
+ while((image_group = list_next(itr))) {
+ if(image_group->gid == job_ptr->group_id) {
+ allow = 1;
+ break;
+ }
+ }
+ list_iterator_destroy(itr2);
+ if(allow)
+ break;
+ }
+ }
+ list_iterator_destroy(itr);
+ if(!allow) {
+ error("User %u:%u is not allowed to use MloaderImage %s",
+ mloaderimage);
+ return SLURM_ERROR;
+ }
select_g_get_jobinfo(job_ptr->select_jobinfo,
SELECT_DATA_RAMDISK_IMAGE, &ramdiskimage);
+ if(!ramdiskimage)
+ ramdiskimage = xstrdup(default_ramdiskimage);
+ allow = 0;
+ itr = list_iterator_create(bg_ramdiskimage_list);
+ while((image = list_next(itr))) {
+ if(!strcasecmp(ramdiskimage, image->name)
+ || !strcasecmp("*", image->name)) {
+ if(image->def) {
+ allow = 1;
+ break;
+ }
+ if(!image->groups || !list_count(image->groups)) {
+ allow = 1;
+ break;
+ }
+ itr2 = list_iterator_create(image->groups);
+ while((image_group = list_next(itr))) {
+ if(image_group->gid == job_ptr->group_id) {
+ allow = 1;
+ break;
+ }
+ }
+ list_iterator_destroy(itr2);
+ if(allow)
+ break;
+ }
+ }
+ list_iterator_destroy(itr);
+ if(!allow) {
+ error("User %u:%u is not allowed to use RamDiskImage %s",
+ ramdiskimage);
+ return SLURM_ERROR;
+ }
if(req_geometry[X] != 0 && req_geometry[X] != (uint16_t)NO_VAL) {
target_size = 1;
diff --git a/src/plugins/select/bluegene/plugin/bluegene.c b/src/plugins/select/bluegene/plugin/bluegene.c
index 35e549192a4..86d077b1e60 100644
--- a/src/plugins/select/bluegene/plugin/bluegene.c
+++ b/src/plugins/select/bluegene/plugin/bluegene.c
@@ -1869,6 +1869,7 @@ extern int read_bg_conf(void)
&count, "BlrtsImage", tbl)) {
for (i = 0; i < count; i++) {
list_append(bg_blrtsimage_list, image_array[i]);
+ image_array[i] = NULL;
}
}
if (!s_p_get_string(&default_blrtsimage, "DefaultBlrtsImage", tbl)) {
@@ -1884,13 +1885,20 @@ extern int read_bg_conf(void)
"If this isn't correct please set DefaultBlrtsImage",
default_blrtsimage);
} else {
- /* we might want to add the default to the list */
+ debug3("default BlrtsImage %s", default_blrtsimage);
+ image = xmalloc(sizeof(image_t));
+ image->name = xstrdup(default_blrtsimage);
+ image->def = true;
+ image->groups = NULL;
+ /* we want it to be first */
+ list_push(bg_blrtsimage_list, image);
}
-
+
if (s_p_get_array((void ***)&image_array,
&count, "LinuxImage", tbl)) {
for (i = 0; i < count; i++) {
list_append(bg_linuximage_list, image_array[i]);
+ image_array[i] = NULL;
}
}
if (!s_p_get_string(&default_linuximage, "DefaultLinuxImage", tbl)) {
@@ -1906,13 +1914,20 @@ extern int read_bg_conf(void)
"If this isn't correct please set DefaultLinuxImage",
default_linuximage);
} else {
-
+ debug3("default LinuxImage %s", default_linuximage);
+ image = xmalloc(sizeof(image_t));
+ image->name = xstrdup(default_linuximage);
+ image->def = true;
+ image->groups = NULL;
+ /* we want it to be first */
+ list_push(bg_linuximage_list, image);
}
if (s_p_get_array((void ***)&image_array,
&count, "MloaderImage", tbl)) {
for (i = 0; i < count; i++) {
list_append(bg_mloaderimage_list, image_array[i]);
+ image_array[i] = NULL;
}
}
if (!s_p_get_string(&default_mloaderimage,
@@ -1929,13 +1944,20 @@ extern int read_bg_conf(void)
"If this isn't correct please set DefaultMloaderImage",
default_mloaderimage);
} else {
-
+ debug3("default MloaderImage %s", default_mloaderimage);
+ image = xmalloc(sizeof(image_t));
+ image->name = xstrdup(default_mloaderimage);
+ image->def = true;
+ image->groups = NULL;
+ /* we want it to be first */
+ list_push(bg_mloaderimage_list, image);
}
if (s_p_get_array((void ***)&image_array,
&count, "RamDiskImage", tbl)) {
for (i = 0; i < count; i++) {
list_append(bg_ramdiskimage_list, image_array[i]);
+ image_array[i] = NULL;
}
}
if (!s_p_get_string(&default_ramdiskimage,
@@ -1952,7 +1974,13 @@ extern int read_bg_conf(void)
"If this isn't correct please set DefaultRamDiskImage",
default_ramdiskimage);
} else {
-
+ debug3("default RamDiskImage %s", default_ramdiskimage);
+ image = xmalloc(sizeof(image_t));
+ image->name = xstrdup(default_ramdiskimage);
+ image->def = true;
+ image->groups = NULL;
+ /* we want it to be first */
+ list_push(bg_ramdiskimage_list, image);
}
if (!s_p_get_uint16(&bluegene_numpsets, "Numpsets", tbl))
@@ -2900,8 +2928,7 @@ static int _add_bg_record(List records, List used_nodes, blockreq_t *blockreq)
bg_record->ramdiskimage = xstrdup(blockreq->ramdiskimage);
else
bg_record->ramdiskimage = xstrdup(default_ramdiskimage);
- info("default is %s", bg_record->blrtsimage);
-
+
if(bg_record->conn_type != SELECT_SMALL) {
/* this needs to be an append so we keep things in the
order we got them, they will be sorted later */
diff --git a/src/plugins/select/bluegene/plugin/bluegene.h b/src/plugins/select/bluegene/plugin/bluegene.h
index 674ca2ece49..4286ff59d95 100644
--- a/src/plugins/select/bluegene/plugin/bluegene.h
+++ b/src/plugins/select/bluegene/plugin/bluegene.h
@@ -128,10 +128,10 @@ typedef struct {
/* Global variables */
extern rm_BGL_t *bg;
-extern char *bluegene_blrts;
-extern char *bluegene_linux;
-extern char *bluegene_mloader;
-extern char *bluegene_ramdisk;
+extern char *default_blrtsimage;
+extern char *default_linuximage;
+extern char *default_mloaderimage;
+extern char *default_ramdiskimage;
extern char *bridge_api_file;
extern bg_layout_t bluegene_layout_mode;
extern uint16_t bluegene_numpsets;
--
GitLab