
Merge pull request 'Changed login_checks.sh to the version used in production and modified the quota check.' (#24) from feature/login_script_default_quota into master

Reviewed-on: #24
pull/25/head
B.E. Droge 5 months ago
parent
commit
50539b1b2e
  1. 266
      roles/ldap/files/login_checks.sh

266
roles/ldap/files/login_checks.sh

@ -1,100 +1,198 @@ @@ -1,100 +1,198 @@
#!/bin/bash
set -u
#
##
### Variables.
##
#
SLURM_ACCOUNT='users'
# Set a tag for the log entries.
LOGGER='logger --tag login_checks'
#
##
### Functions.
##
#
#
VARDIR=/var/lib/pam_script
VARLOG=$VARDIR/$PAM_USER
MOUNTPOINT1=/data
USERDIR1=$MOUNTPOINT1/$PAM_USER
MOUNTPOINT2=/scratch
USERDIR2=$MOUNTPOINT2/$PAM_USER
SACCTMGR=/usr/bin/sacctmgr
LFS=/usr/bin/lfs
AWK=/bin/awk
GREP=/bin/grep
LOGFILE=/tmp/log.$PAM_USER
GROUP=$( /usr/bin/id -g $PAM_USER )
SLURMACCOUNT=users,vulture
SSHDIR=$( eval /bin/echo ~$PAM_USER )/.ssh
# Usage: run_with_timeout N cmd args...
# or: run_with_timeout cmd args...
# In the second case, cmd cannot be a number and the timeout will be 10 seconds.
#
run_with_timeout () {
run_with_timeout () {
local time=10
if [[ $1 =~ ^[0-9]+$ ]]; then time=$1; shift; fi
#
# Run in a subshell to avoid job control messages.
#
# Run in a subshell to avoid job control messages
( "$@" &
child=$!
#
# Avoid default notification in non-interactive shell for SIGTERM.
#
trap -- "" SIGTERM
( sleep $time
kill $child 2> /dev/null
) &
wait $child
child=$!
# Avoid default notification in non-interactive shell for SIGTERM
trap -- "" SIGTERM
( sleep $time
kill $child 2> /dev/null ) &
wait $child
)
}
login_actions () {
#
# Check if login user exists as SLURM user in the SLURM accounting DB.
#
if [ "$(sacctmgr -p list user "${PAM_USER}" format=User | grep -o "${PAM_USER}")" == "${PAM_USER}" ]; then
if [ "${PAM_USER}" != 'root' ]; then
# Only log for users other than root to prevend flooding the logs...
$LOGGER "User ${PAM_USER} already exists in SLURM DB."
create_dir () {
if [ $# -ne 2 ]; then
echo "ERROR: create_dir expects both mountpoint and directory as arguments"
exit -1
fi
echo "Checking for $2"
# Check if MOUNTPOINT is a mountpoint
if ! mountpoint -q $1; then
echo "ERROR: Exiting $1 is not mounted"
exit -1
fi
# check if directory exists in MOUNTPOINT
if [ -d "$2" ]; then
echo Directory exists, skipping create
else
echo "Creating directory"
mkdir $2
chown $PAM_USER:$GROUP $2
chmod 700 $2
fi
# check if directory exists now
if [ -d "$2" ]; then
echo Directory exists, OK
else
echo "ERROR: Directory $2 should exist but doesn't"
exit -1
fi
}
create_ssh_key() {
echo "Checking for .ssh in $SSHDIR"
if [ ! -e $SSHDIR ]; then
echo "Creating $SSHDIR"
mkdir $SSHDIR
chmod 700 $SSHDIR
chown $PAM_USER:$GROUP $SSHDIR
else
echo ".ssh directory exists already, continuing"
fi
if [ ! -e $SSHDIR/id_rsa ]; then
echo "Creating key pair"
ssh-keygen -t rsa -N "" -f $SSHDIR/id_rsa
chmod 600 $SSHDIR/id_rsa
chown $PAM_USER:$GROUP $SSHDIR/id_rsa
chown $PAM_USER:$GROUP $SSHDIR/id_rsa.pub
echo "Adding key pair to authorized_keys"
if [ ! -e $SSHDIR/authorized_keys ]; then
cp $SSHDIR/id_rsa.pub $SSHDIR/authorized_keys
chmod 600 $SSHDIR/authorized_keys
chown $PAM_USER:$GROUP $SSHDIR/authorized_keys
else
cat $SSHDIR/id_rsa.pub >> $SSHDIR/authorized_keys
fi
else
#
# Create account in SLURM accounting DB.
#
local _log_message="Creating user ${PAM_USER} in SLURM accounting DB..."
local _status="$(sacctmgr -iv create user name=${PAM_USER} account=${SLURM_ACCOUNT} fairshare=1 2>&1)"
#
# Checking for exit status does not work when executed by pam-script :(
# Therefore we explicitly re-check if the user now exists in the SLURM DB...
#
#if [ $? -eq 0 ]; then
if [ "$(sacctmgr -p list user "${PAM_USER}" format=User | grep -o "${PAM_USER}")" == "${PAM_USER}" ]; then
_log_message="${_log_message}"' done!'
else
_log_message="${_log_message}"' FAILED. You cannot submit jobs. Contact an admin!'
$LOGGER "${_status}"
fi
$LOGGER -s "${_log_message}"
fi
else
echo "Key exists, checking for authorized_keys"
if [ ! -e $SSHDIR/authorized_keys ]; then
cp $SSHDIR/id_rsa.pub $SSHDIR/authorized_keys
chmod 600 $SSHDIR/authorized_keys
chown $PAM_USER:$GROUP $SSHDIR/authorized_keys
else
echo "authorized_keys exists, doing nothing"
fi
fi
echo "Final check for authorized_keys, to see if we are OK"
if [ ! -e $SSHDIR/authorized_keys ]; then
echo "ERROR: authorized_keys has not been generated"
exit -1
fi
}
#
##
### Main.
##
#
#
# Make sure we execute this file only for interactive sessions with a real shell.
# Hence not for SFTP connections,
# which will terminate instantly when anything that is not a valid FTP command is printed on STDOUT or STDERR.
# For SFTP connections as well as SLURM jobs the TERM type is dumb,
# but in the first case there are no SLURM related environment variables defined.
#
# SOURCE_HPC_ENV variable checking disabled (it is not set ) Egon 30-10-2018
#if [ ${TERM} == 'dumb' ] && [ -z ${SOURCE_HPC_ENV} ]; then
if [ ${TERM} == 'dumb' ]; then
$LOGGER "debug: exiting because of dumb terminal"
exit 0
fi
#
# Run the desired login actions with a timeout of 10 seconds.
#
run_with_timeout 10 login_actions
set_quota () {
if [ $# -ne 5 ]; then
echo "ERROR: set_quota expects 4 values for quota and a file system name"
exit -1
fi
if [ "$PAM_USER" == "root" ]; then
return 0
fi
echo "Checking for existing quota in $5"
quota_user=$( $LFS quota -u $PAM_USER $5 | $GREP $5 | $AWK '{print $3}' )
quota_group=$( $LFS quota -g $GROUP $5 | $GREP $5 | $AWK '{print $3}' )
# Check if quota obtained are real numbers
if ! [[ $quota_user =~ ^-?[0-9]+$ && $quota_group =~ ^-?[0-9]+$ ]]; then
echo "ERROR: Strange quota"
exit -1
fi
# Add the quota for user and group, to check if either is set
# Quota user must be 0 for all users in the current situation.
quota=$(($quota_user + $quota_group))
# regexp for checking if quota are a number
echo Quota: $quota
# If quota are not set or a small value (default quota) they must be set
if [ $quota -le "4096" ]; then
echo "Setting quota for $5"
$LFS setquota -g $GROUP --block-softlimit $1 --block-hardlimit $2 --inode-softlimit $3 --inode-hardlimit $4 $5
if [ $? -ne 0 ]; then
echo "ERROR: Problem setting quota"
exit -1
fi
else
echo "FD: Quota already set, doing nothing"
fi
}
add_user_to_slurm() {
echo "Adding account to SLURM db"
user_exists=$( $SACCTMGR show user $PAM_USER | grep $PAM_USER )
if [ -z "$user_exists" ]; then
$SACCTMGR -i create user name=$PAM_USER account=$SLURMACCOUNT fairshare=1
if [ $? -ne 0 ]; then
echo "ERROR: Problem creating user in accounting database"
exit -1
fi
else
echo User already exists in slurm. OK.
fi
}
login_actions () {
echo "Checking if $PAM_USER has been handled already"
if [ -f "$VARLOG" ]; then
echo "User already known, exiting"
exit 0
fi
create_dir $MOUNTPOINT1 $USERDIR1
create_dir $MOUNTPOINT2 $USERDIR2
create_ssh_key
# Create account in SLURM accounting db
add_user_to_slurm
# set lustre-quota:
set_quota 20G 22G 100k 110k /home
set_quota 250G 275G 1000k 1100k /data
set_quota 10T 20T 5000k 5500k /scratch
# Final action: create file with username in /var directory
echo $( /usr/bin/getent passwd $PAM_USER | /bin/awk -F ':' '{print $5}' ) > $VARLOG
echo "Finished actions successfully"
}
# Log start of script
echo "Script starting" > $LOGFILE
# Run the desired actions with a timeout of 10 seconds
run_with_timeout 10 login_actions >> $LOGFILE
echo "Script finished" >> $LOGFILE
exit 0
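Review bot: `LOGFILE=/tmp/log.$PAM_USER` is opened by root with `>` and `>>` at a predictable name in a world-writable directory, so a pre-existing file or symlink of that name placed by another local user would be truncated or appended to by root unless the kernel's protected_symlinks/protected_regular settings happen to block it; writing under the root-owned `$VARDIR` that the script already relies on, e.g. `LOGFILE=$VARDIR/log.$PAM_USER`, or creating the log with `mktemp`, avoids that. The same care applies to `SSHDIR=$( eval /bin/echo ~$PAM_USER )/.ssh`, where the `eval` hands a PAM-supplied value to the shell parser for no gain — `SSHDIR=$( /usr/bin/getent passwd "$PAM_USER" | /bin/awk -F ':' '{print $6}' )/.ssh` resolves the home directory without it and matches the getent call already used for `$VARLOG`. Every `exit -1` inside create_dir, create_ssh_key, set_quota and add_user_to_slurm only terminates the subshell that run_with_timeout spawns, and the script ends with an unconditional `exit 0`, so a failed mountpoint check, a "Strange quota" or a sacctmgr failure never reaches PAM; if never blocking a login is the intent, a comment saying so above the final `run_with_timeout 10 login_actions >> $LOGFILE` line would make that explicit, and if it is not, the subshell's status should be propagated. Finally, create_ssh_key generates a passphrase-less RSA key as root inside the user's home and appends it to authorized_keys; a one-line comment stating what that key is for (presumably intra-cluster logins) would help a reader judge whether the mkdir/chown/chmod calls, which follow symlinks in a user-owned directory, need `-h`/`[ -L ]` guards.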
