openhpc / ohpc

OpenHPC Integration, Packaging, and Test Repo
http://openhpc.community
Apache License 2.0

slurm (17.02.9) #591

Closed koomie closed 7 years ago

koomie commented 7 years ago

Available at: http://slurm.schedmd.com/download.html

truatpasteurdotfr commented 7 years ago

Quoted from the https://www.schedmd.com/news.php page about this release version:

Ryan Day (LLNL) reported an issue in SPANK environment variable handling that could allow any normal
user to execute code as root during the Prolog or Epilog. All systems using a Prolog or Epilog script are
vulnerable, regardless of whether SPANK plugins are in use.

This issue affects all Slurm versions from 15.08.0 (August 2015) to present. This issue was reported to
SchedMD on October 16th. SchedMD customers were informed on October 17th and provided a patch on
request. This is in keeping with our responsible disclosure process.

The only mitigation, aside from installing a patched version, is to disable both Prolog and Epilog settings on
your system and restart all slurmd processes.

Since it has a security impact, could it be pushed ASAP? Thanks.
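
Added example for this thread, not OpenHPC or SchedMD code: a read-only script an admin can run to tell whether a node sits in the window the quoted advisory describes, that is, a Slurm version from 15.08.0 up to but not including 17.02.9 with Prolog= or Epilog= enabled in slurm.conf. It assumes (my assumption, not stated in the thread) that slurm.conf uses case-insensitive Key=Value lines and that the second field of `scontrol --version` is the version string; the two slurm.conf files it checks are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example for the OpenHPC slurm 17.02.9 thread; not project or SchedMD code.
# Flags nodes in the advisory's window: 15.08.0 <= version < 17.02.9 with Prolog=
# or Epilog= set. Assumptions: slurm.conf keys are case-insensitive "Key=Value"
# lines, and `scontrol --version` prints the version as its second field.

# Turn "MAJ.MIN.PATCH[suffix]" into an integer: 17.02.9 -> 170209, 17.02.9-69.2 -> 170209.
# awk reads "02" as decimal 2, so the zero-padded minor field needs no special handling.
to_num() {
    printf '%s\n' "$1" |
        awk -F. '{ sub(/[^0-9].*/, "", $3); printf "%d", $1 * 10000 + $2 * 100 + $3 }'
}

# Exit 0 when the version lies in the affected range quoted from the advisory.
slurm_version_affected() {
    n=$(to_num "$1")
    [ "$n" -ge "$(to_num 15.08.0)" ] && [ "$n" -lt "$(to_num 17.02.9)" ]
}

# Exit 0 when slurm.conf ($1) has an uncommented Prolog= or Epilog= line.
# The advisory's only non-upgrade mitigation is to disable both and restart every slurmd.
prolog_epilog_configured() {
    grep -iE '^[[:space:]]*(Prolog|Epilog)[[:space:]]*=' "$1" >/dev/null 2>&1
}

# Combine both checks. Returns 2 (exposed), 1 (affected version, hooks off), 0 (ok).
assess() {
    conf="$1"
    ver="$2"
    if slurm_version_affected "$ver"; then
        if prolog_epilog_configured "$conf"; then
            echo "EXPOSED: slurm $ver with Prolog/Epilog enabled in $conf; upgrade to 17.02.9 or disable both and restart slurmd"
            return 2
        fi
        echo "AFFECTED VERSION: slurm $ver, no Prolog/Epilog in $conf; upgrade is still due"
        return 1
    fi
    echo "OK: slurm $ver is outside the affected range"
    return 0
}

# On a real node, feed this into assess (assumed output format "slurm X.Y.Z").
installed_version() {
    scontrol --version 2>/dev/null | awk '{ print $2 }'
}

# Constructed sample configs so the script runs offline; these are not real site configs.
VULN_CONF=$(mktemp)
SAFE_CONF=$(mktemp)
trap 'rm -f "$VULN_CONF" "$SAFE_CONF"' EXIT
cat >"$VULN_CONF" <<'EOF'
# constructed slurm.conf with the job hooks enabled
ClusterName=demo
Prolog=/etc/slurm/prolog.sh
Epilog=/etc/slurm/epilog.sh
EOF
cat >"$SAFE_CONF" <<'EOF'
# constructed slurm.conf with the hooks commented out (the advisory's mitigation)
ClusterName=demo
#Prolog=/etc/slurm/prolog.sh
#Epilog=/etc/slurm/epilog.sh
EOF

# Walk the two versions discussed in the thread: the old build and the 17.02.9 update.
for v in 17.02.8 17.02.9-69.2; do
    assess "$VULN_CONF" "$v" || :
    assess "$SAFE_CONF" "$v" || :
done
```

On a live node, replace the constructed files with the real slurm.conf and call `assess /etc/slurm/slurm.conf "$(installed_version)"`; a return code of 2 means the host matches the advisory's description and should get the 17.02.9 RPMs or have both hooks disabled and slurmd restarted.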

koomie commented 7 years ago

Yes, we have the newer version in our OBS build farm now and it is working through dependencies. It will take a bit of time to get properly tested in our CI environment, but I'll follow up here when the newer RPMs are visible if you want to grab them early.

truatpasteurdotfr commented 7 years ago

thx :P

koomie commented 7 years ago

The CI runs using the v17.02.9 build are looking ok. Folks interested in getting access to the builds before the upcoming ohpc release can grab them from the Update3:/Factory repo. Example for CentOS is:

http://build.openhpc.community/OpenHPC:/1.3:/Update3:/Factory/CentOS_7/

koomie commented 7 years ago

Tests passing in CI.

truatpasteurdotfr commented 7 years ago

Thx, quick question: I was trying to only update slurm* but failed since it also wants pmix:

--> Running transaction check
...
---> Package slurm-ohpc.x86_64 0:17.02.9-69.2 will be an update
--> Processing Dependency: pmix-ohpc for package: slurm-ohpc-17.02.9-69.2.x86_64
--> Finished Dependency Resolution

koomie commented 6 years ago

Yes, with the introduction of pmix in this release, pmix-ohpc becomes a Requires for slurm. However, it is currently optional to use it and requires an MPI build that is also pmix aware. In this release, that is openmpi3-pmix-slurm-gnu7-ohpc. I'm not sure there is anything special called out for upgrade ordering, so to be sure (if you are using a back-end DB in your configuration), it is probably best to upgrade that package first.