Technical Bulletin #467: Restricted Zone Code Execution Requirements and Guidelines
The creation of the High Performance Computing (HPC) Enclave will necessitate restricting Restricted Zone (RZ) users from executing code or scripts from a Lustre file system when on an RZ compute platform. All executables, including but not limited to those listed below, must be from either the RZ users’ /g/g* home directory or other RZ file systems such as /nfs/tmp2, /usr/gapps, /usr/local, or /usr/global:
- Binary executables
- Application input decks (many are effectively scripts)
- Moab/SLURM submit scripts
- Executable shell scripts (bash, csh, perl, python, etc.)
- Interpreted command files (e.g., run with "perl myfile")
Lustre file systems (/p/lscratch[a,b,c,d]) will reside in the Infrastructure Zone (IZ) of the LC HPC Enclave and will be shared between the RZ and Collaboration Zone (CZ) systems. A fundamental requirement of the HPC Enclave is to protect RZ resources and their unique data even in the event of the worst-case (root level) compromise of the CZ. With such a compromise comes the possible introduction of malicious code both on CZ systems and IZ resources such as Lustre file systems. Because of this, RZ users will be prohibited from running executables located in Lustre when on RZ systems. The RZ has a set of dedicated NFS file systems (/g/g*, /nfs/tmp2, /usr/gapps, /usr/local, /usr/global) from which executable code can be run safely. This restriction and additional administrative controls will ensure the safety of the RZ systems and their data.
RZ Usage Model
LC will implement controls whenever possible to prevent the running of executables from Lustre on RZ systems. A common usage model for LC users is to use /p/lscratch* file systems for storing executables that are run on production clusters. For example, user name rzuser may have a Moab submit script that contains the following lines:
cd /p/lscratcha/rzuser/mpi_array [Incorrect]
srun -n8 a.out
In this example, the executable run on the production cluster is located in /p/lscratcha. This usage model will no longer be allowed for RZ users. All executables must be run either from the RZ users’ home directory, /g/g20/rzuser, or any non-Lustre RZ file system. RZ users will only use the /p/lscratch* file systems for storing output:
#MSUB -o /p/lscratcha/rzuser/mpi_array/stdout.txt [Correct]
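A submit script can confirm where its executable really lives before launching it, including the case where a symlink in a home directory points into Lustre. The function below is an added example, not LC tooling or part of the bulletin; it uses the file systems named above, and the names rz_exec_allowed and RZ_CHECK_ROOT (a test hook) are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for an RZ submit script.
# Allowed roots and the Lustre prefix are the paths named in the bulletin.
# RZ_CHECK_ROOT is this example's own test hook: a directory prepended to
# every policy path so the check can be exercised off-cluster. Leave unset.

# rz_exec_allowed PATH [WORKDIR]
# Exit status 0 if PATH resolves into an RZ NFS file system, 1 otherwise.
# Relative names are taken against WORKDIR (default: current directory),
# which is how "cd /p/lscratcha/...; srun -n8 a.out" picks up a.out.
rz_exec_allowed() {
    rz_path=$1
    rz_root=${RZ_CHECK_ROOT:-}
    case $rz_path in
        /*) ;;
        *)  rz_path=${2:-$PWD}/$rz_path ;;
    esac
    # Resolve symlinks and "..": a link in a home directory that points
    # into Lustre is judged by where the file really lives. Paths that
    # cannot be resolved to an existing regular file are refused.
    rz_real=$(readlink -f "$rz_path" 2>/dev/null) || return 1
    [ -f "$rz_real" ] || return 1
    case $rz_real in
        "$rz_root"/p/lscratch*) return 1 ;;   # Lustre (IZ): never execute
        "$rz_root"/g/g*/*|"$rz_root"/nfs/tmp2/*|"$rz_root"/usr/gapps/*|\
        "$rz_root"/usr/local/*|"$rz_root"/usr/global/*) return 0 ;;
        *) return 1 ;;                        # anywhere else: deny by default
    esac
}

# Typical use near the top of a submit script (paths from the bulletin):
#   rz_exec_allowed /g/g20/rzuser/mpi_array/a.out || exit 1
```

The check is deny-by-default: only the RZ NFS file systems listed in the bulletin pass, so an executable in any other location is refused along with Lustre.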
PDF of TB467 for download and distribution.