HPC
/
pg-playbooks
6
0
Fork 0
Code Issues Pull Requests 1 Releases Wiki Activity
Browse Source

Merge pull request 'Changed login_checks.sh to the version used in production and modified the quota check.' (#24) from feature/login_script_default_quota into master 

Reviewed-on: #24
pull/25/head
B.E. Droge 5 months ago
parent
53f9a22938 4cfa01b162
commit
50539b1b2e
1 changed files with 182 additions and 84 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 266
      roles/ldap/files/login_checks.sh

266
roles/ldap/files/login_checks.sh
Unescape View File

@ -1,100 +1,198 @@ @@ -1,100 +1,198 @@
#!/bin/bash
set -u
#
##
### Variables.
##
#
SLURM_ACCOUNT='users'
# Set a tag for the log entries.
LOGGER='logger --tag login_checks'
#
##
### Functions.
##
#
#
VARDIR=/var/lib/pam_script
VARLOG=$VARDIR/$PAM_USER
MOUNTPOINT1=/data
USERDIR1=$MOUNTPOINT1/$PAM_USER
MOUNTPOINT2=/scratch
USERDIR2=$MOUNTPOINT2/$PAM_USER
SACCTMGR=/usr/bin/sacctmgr
LFS=/usr/bin/lfs
AWK=/bin/awk
GREP=/bin/grep
LOGFILE=/tmp/log.$PAM_USER
GROUP=$( /usr/bin/id -g $PAM_USER )
SLURMACCOUNT=users,vulture
SSHDIR=$( eval /bin/echo ~$PAM_USER )/.ssh
# Usage: run_with_timeout N cmd args...
# or: run_with_timeout cmd args...
# In the second case, cmd cannot be a number and the timeout will be 10 seconds.
#
run_with_timeout () {
run_with_timeout () {
local time=10
if [[ $1 =~ ^[0-9]+$ ]]; then time=$1; shift; fi
#
# Run in a subshell to avoid job control messages.
#
# Run in a subshell to avoid job control messages
( "$@" &
child=$!
#
# Avoid default notification in non-interactive shell for SIGTERM.
#
trap -- "" SIGTERM
( sleep $time
kill $child 2> /dev/null
) &
wait $child
child=$!
# Avoid default notification in non-interactive shell for SIGTERM
trap -- "" SIGTERM
( sleep $time
kill $child 2> /dev/null ) &
wait $child
)
}
login_actions () {
#
# Check if login user exists as SLURM user in the SLURM accounting DB.
#
if [ "$(sacctmgr -p list user "${PAM_USER}" format=User | grep -o "${PAM_USER}")" == "${PAM_USER}" ]; then
if [ "${PAM_USER}" != 'root' ]; then
# Only log for users other than root to prevend flooding the logs...
$LOGGER "User ${PAM_USER} already exists in SLURM DB."
create_dir () {
if [ $# -ne 2 ]; then
echo "ERROR: create_dir expects both mountpoint and directory as arguments"
exit -1
fi
echo "Checking for $2"
# Check if MOUNTPOINT is a mountpoint
if ! mountpoint -q $1; then
echo "ERROR: Exiting $1 is not mounted"
exit -1
fi
# check if directory exists in MOUNTPOINT
if [ -d "$2" ]; then
echo Directory exists, skipping create
else
echo "Creating directory"
mkdir $2
chown $PAM_USER:$GROUP $2
chmod 700 $2
fi
# check if directory exists now
if [ -d "$2" ]; then
echo Directory exists, OK
else
echo "ERROR: Directory $2 should exist but doesn't"
exit -1
fi
}
create_ssh_key() {
echo "Checking for .ssh in $SSHDIR"
if [ ! -e $SSHDIR ]; then
echo "Creating $SSHDIR"
mkdir $SSHDIR
chmod 700 $SSHDIR
chown $PAM_USER:$GROUP $SSHDIR
else
echo ".ssh directory exists already, continuing"
fi
if [ ! -e $SSHDIR/id_rsa ]; then
echo "Creating key pair"
ssh-keygen -t rsa -N "" -f $SSHDIR/id_rsa
chmod 600 $SSHDIR/id_rsa
chown $PAM_USER:$GROUP $SSHDIR/id_rsa
chown $PAM_USER:$GROUP $SSHDIR/id_rsa.pub
echo "Adding key pair to authorized_keys"
if [ ! -e $SSHDIR/authorized_keys ]; then
cp $SSHDIR/id_rsa.pub $SSHDIR/authorized_keys
chmod 600 $SSHDIR/authorized_keys
chown $PAM_USER:$GROUP $SSHDIR/authorized_keys
else
cat $SSHDIR/id_rsa.pub >> $SSHDIR/authorized_keys
fi
else
#
# Create account in SLURM accounting DB.
#
local _log_message="Creating user ${PAM_USER} in SLURM accounting DB..."
local _status="$(sacctmgr -iv create user name=${PAM_USER} account=${SLURM_ACCOUNT} fairshare=1 2>&1)"
#
# Checking for exit status does not work when executed by pam-script :(
# Therefore we explicitly re-check if the user now exists in the SLURM DB...
#
#if [ $? -eq 0 ]; then
if [ "$(sacctmgr -p list user "${PAM_USER}" format=User | grep -o "${PAM_USER}")" == "${PAM_USER}" ]; then
_log_message="${_log_message}"' done!'
else
_log_message="${_log_message}"' FAILED. You cannot submit jobs. Contact an admin!'
$LOGGER "${_status}"
fi
$LOGGER -s "${_log_message}"
fi
else
echo "Key exists, checking for authorized_keys"
if [ ! -e $SSHDIR/authorized_keys ]; then
cp $SSHDIR/id_rsa.pub $SSHDIR/authorized_keys
chmod 600 $SSHDIR/authorized_keys
chown $PAM_USER:$GROUP $SSHDIR/authorized_keys
else
echo "authorized_keys exists, doing nothing"
fi
fi
echo "Final check for authorized_keys, to see if we are OK"
if [ ! -e $SSHDIR/authorized_keys ]; then
echo "ERROR: authorized_keys has not been generated"
exit -1
fi
}
#
##
### Main.
##
#
#
# Make sure we execute this file only for interactive sessions with a real shell.
# Hence not for SFTP connections,
# which will terminate instantly when anything that is not a valid FTP command is printed on STDOUT or STDERR.
# For SFTP connections as well as SLURM jobs the TERM type is dumb,
# but in the first case there are no SLURM related environment variables defined.
#
# SOURCE_HPC_ENV variable checking disabled (it is not set ) Egon 30-10-2018
#if [ ${TERM} == 'dumb' ] && [ -z ${SOURCE_HPC_ENV} ]; then
if [ ${TERM} == 'dumb' ]; then
$LOGGER "debug: exiting because of dumb terminal"
exit 0
fi
#
# Run the desired login actions with a timeout of 10 seconds.
#
run_with_timeout 10 login_actions
set_quota () {
if [ $# -ne 5 ]; then
echo "ERROR: set_quota expects 4 values for quota and a file system name"
exit -1
fi
if [ "$PAM_USER" == "root" ]; then
return 0
fi
echo "Checking for existing quota in $5"
quota_user=$( $LFS quota -u $PAM_USER $5 | $GREP $5 | $AWK '{print $3}' )
quota_group=$( $LFS quota -g $GROUP $5 | $GREP $5 | $AWK '{print $3}' )
# Check if quota obtained are real numbers
if ! [[ $quota_user =~ ^-?[0-9]+$ && $quota_group =~ ^-?[0-9]+$ ]]; then
echo "ERROR: Strange quota"
exit -1
fi
# Add the quota for user and group, to check if either is set
# Quota user must be 0 for all users in the current situation.
quota=$(($quota_user + $quota_group))
# regexp for checking if quota are a number
echo Quota: $quota
# If quota are not set or a small value (default quota) they must be set
if [ $quota -le "4096" ]; then
echo "Setting quota for $5"
$LFS setquota -g $GROUP --block-softlimit $1 --block-hardlimit $2 --inode-softlimit $3 --inode-hardlimit $4 $5
if [ $? -ne 0 ]; then
echo "ERROR: Problem setting quota"
exit -1
fi
else
echo "FD: Quota already set, doing nothing"
fi
}
add_user_to_slurm() {
echo "Adding account to SLURM db"
user_exists=$( $SACCTMGR show user $PAM_USER | grep $PAM_USER )
if [ -z "$user_exists" ]; then
$SACCTMGR -i create user name=$PAM_USER account=$SLURMACCOUNT fairshare=1
if [ $? -ne 0 ]; then
echo "ERROR: Problem creating user in accounting database"
exit -1
fi
else
echo User already exists in slurm. OK.
fi
}
login_actions () {
echo "Checking if $PAM_USER has been handled already"
if [ -f "$VARLOG" ]; then
echo "User already known, exiting"
exit 0
fi
create_dir $MOUNTPOINT1 $USERDIR1
create_dir $MOUNTPOINT2 $USERDIR2
create_ssh_key
# Create account in SLURM accounting db
add_user_to_slurm
# set lustre-quota:
set_quota 20G 22G 100k 110k /home
set_quota 250G 275G 1000k 1100k /data
set_quota 10T 20T 5000k 5500k /scratch
# Final action: create file with username in /var directory
echo $( /usr/bin/getent passwd $PAM_USER | /bin/awk -F ':' '{print $5}' ) > $VARLOG
echo "Finished actions successfully"
}
# Log start of script
echo "Script starting" > $LOGFILE
# Run the desired actions with a timeout of 10 seconds
run_with_timeout 10 login_actions >> $LOGFILE
echo "Script finished" >> $LOGFILE
exit 0

Write Preview
Loading…
Cancel
Save