This design is to let the scheduler run as a non-root user.
The scheduler does not need to run as root; it can do everything it needs to without root permissions. Running it as a non-root user will increase the security of the machine.
There will be a new pbs.conf variable called PBS_DAEMON_SERVICE_USER.
It will be set by:
- editing /etc/pbs.conf
- setting PBS_DAEMON_SERVICE_USER in the environment when doing an rpm install
By default, it will not be set.
If not set, it will be "root".
This will be read by:
When the scheduler finds incorrect permissions, the scheduler will log "<dir/file name> has incorrect permissions, make sure it is owned by <current user>"
The pbs_sched binary will now be packaged with 755 permissions, so the PBS_DAEMON_SERVICE_USER can execute it.
pbs_benchpress will now accept a new parameter, daemon-user, a colon-separated list of daemon service users.
DAEMON_USER has been added to pbs_testusers, so that pbs_config --make-ug will make a new user.
However, since the default is still root, DAEMON_SERVICE_USER is defined as a copy of ROOT_USER.
Testers will be able to use the created daemon user by passing the daemon-user parameter to benchpress, as described above.
The following deprecated features will no longer work:
Schedulers that aren't run by root might not be able to query MoM for MoM dynamic resources (mom_dyn_res scripts) via rmget.
Admins should make sure server_dyn_res scripts are owned and executable by PBS_DAEMON_SERVICE_USER.
If PBS_DAEMON_SERVICE_USER is changed after installation, the admin must change the ownership of these files/directories manually.
If peer scheduling is enabled, PBS_DAEMON_SERVICE_USER must be a manager on the peer server.
When the scheduler starts, it will check if sched_priv/sched_logs is owned by the current user; if not, the scheduler will terminate.
If PBS_DAEMON_SERVICE_USER is changed, the server and scheduler must be restarted.
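An admin can run the same ownership check before restarting the daemons. The script below is an added example, not PBS Pro code: it reads PBS_DAEMON_SERVICE_USER from a pbs.conf-style file (defaulting to "root" as described above) and reports each scheduler directory whose owner differs, using the log message quoted earlier. It assumes sched_priv and sched_logs live directly under the PBS_HOME value in the same file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not PBS Pro code): pre-flight ownership check to run after
# changing PBS_DAEMON_SERVICE_USER and before restarting server and scheduler.
# Assumption: sched_priv and sched_logs sit directly under PBS_HOME.

# conf_get FILE KEY: print KEY's value from KEY=value lines.
# Commented-out lines are ignored; the last assignment wins.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1
}

# daemon_user FILE: service user per the design; unset means "root".
daemon_user() {
    u=$(conf_get "$1" PBS_DAEMON_SERVICE_USER)
    printf '%s\n' "${u:-root}"
}

# owner_of PATH: owner name (numeric uid if unnamed); empty if PATH is missing.
owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{print $3}'
}

# check_sched_dirs PBS_HOME USER: print the scheduler's message for every
# directory not owned by USER (a missing directory also counts as a mismatch).
# Returns 1 if any directory fails, 0 otherwise.
check_sched_dirs() {
    rc=0
    for d in "$1/sched_priv" "$1/sched_logs"; do
        if [ "$(owner_of "$d")" != "$2" ]; then
            echo "$d has incorrect permissions, make sure it is owned by $2"
            rc=1
        fi
    done
    return $rc
}

# Run only when a conf file is given, e.g.: sh check_sched_owner.sh /etc/pbs.conf
if [ $# -ge 1 ]; then
    check_sched_dirs "$(conf_get "$1" PBS_HOME)" "$(daemon_user "$1")"
fi
```

A non-zero exit status means at least one directory still needs its ownership changed to the configured user before the scheduler will start.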
These are possible future improvements that can be iterations on this feature.