MUNGE - Slurm Authentication Service

HPC

Published

November 3, 2015

Modified

January 25, 2024

MUNGE (MUNGE Uid ‘N’ Gid Emporium)…

…authentication service for creating and validating credentials
…highly scalable…designed for HPC clusters
…hosts form a security realm…defined by a shared cryptographic key
- …clients create/validate credentials without root privileges
- …process to authenticate the UID/GID of another local/remote process

References…

GitHub Repository
- https://dun.github.io/munge
- https://github.com/dun/munge/releases
Wiki - Installation Guide & Man-Pages
- https://github.com/dun/munge/wiki/Installation-Guide
Fedora EPEL Package
- https://src.fedoraproject.org/rpms/munge
RPM SPEC & Systemd Service Unit
- https://github.com/dun/munge/blob/master/munge.spec.in
- https://github.com/dun/munge/blob/master/src/etc/munge.systemd.service.in

`munged.service`

Create a munge.service Systemd unit…

cat > /etc/systemd/system/munge.service <<'EOF'
[Unit]
Description=munged authentication service
[Service]
Type=forking
User=munge
Group=munge
RuntimeDirectory=munge
RuntimeDirectoryMode=0755
EnvironmentFile=-/etc/default/munge
ExecStart=munged $MUNGE_OPTIONS
[Install]
WantedBy=default.target
EOF
# load new unit file...restart...check state
systemctl daemon-reload && systemctl restart munge
systemctl status --full --lines=50 munge

Shared Secret

….requires a shared secret on all nodes…

…stored in /etc/munge/munge.key
…typically distributed by configuration management

# create the configuration directory (if missing)
mkdir /etc/munge \
      && chown munge:munge /etc/munge \
      && chmod 0700 /etc/munge
# create a shared secret
sudo -u munge /usr/sbin/mungekey -v
# ...or...
dd if=/dev/urandom of=/etc/munge/munge.key bs=1 count=1024
# ...adjust permissions
chown munge:munge /etc/munge/munge.key
chmod 0600 /etc/munge/munge.key

Verify functionality…

# encode credential
munge -n
# enode & decode credential 
munge -n | unmunge
munge -n -t 10 | ssh $node unmunge
ssh $node munge -n -t 10 | unmunge

Configuration

Fore-ground daemon for debugging…

# overwrite nologin and run munged in foreground
su -s /bin/bash munge -c "$MUNGE_PATH/sbin/munged $OPTIONS -Fv"
# ...with logging to a file /var/log/... don't foreground
su -s /bin/bash munge -c "$MUNGE_PATH/sbin/munged $OPTIONS"
ps -p $(pgrep munged) -fH ; pkill munged

Use a dedicated user…

groupadd -r munge
useradd -c "MUNGE authentication service" \
        -d "/var/lib/munge" \
        -g munge \
        -s /sbin/nologin \
        -r munge

munged enforces files permissions…

# PRNG Seed...
mkdir -p /var/lib/munge \
       && chown munge:munge /var/lib/munge \
       && chmod 0700 /var/lib/munge
# socket configuration...
cat > /usr/lib/tmpfiles.d/munge.conf <<EOF
d /run/munge 0755 munge munge -
EOF
systemd-tmpfiles --create /usr/lib/tmpfiles.d/munge.conf
# log-files...
mkdir /var/log/munge \
      && chown munge:munge /var/log/munge \
      && chmod 0700 /var/log/munge

Non-Default Paths

Path to the socket is set by a compile time option…

…MUNGE Installation Guide
…specifically --runstatedir=/run

# options to configure the build
./configure --sysconfdir=/etc --localstatedir=/var --runstatedir=/run

Custom paths to all files…

munged \
      --seed-file=/var/lib/munge/munge.seed \
      --key-file=/etc/munge/munge.key \
      --pid-file=/run/munge/munged.pid \
      --socket /run/munge/munge.socket.2 \
      --log-file=/var/log/munge/munged.log

Slurm is configured with --with-munge=$path…

slurmctld & slurmdbd require socket= for non-default path…

>>> grep Auth /etc/slurm/slurm*
/etc/slurm/slurm.conf:AuthType=auth/munge
/etc/slurm/slurm.conf:AuthInfo=socket=/run/munge/munge.socket.2
/etc/slurm/slurmdbd.conf:AuthType=auth/munge
/etc/slurm/slurmdbd.conf:AuthInfo=socket=/run/munge/munge.socket.2

It is likely that Slurm uses the MUNGE API man 3 munge…

…with a context format described in man 3 munge_ctx
…which support MUNGE_OPT_SOCKET
…depends on propagation of the socket location by the caller
…seams that sacct* commands are not support a non-default socket

Thread Count

Munge daemon runs with two threads by default…

…higher thread count can improve its throughput.
…start with munged --num-threads 10
…thread count to 10 will not have negative effects

--- title: MUNGE - Slurm Authentication Service categories: - HPC date: 2015/11/03 date-modified: 2024/01/25 toc-expand: 2 --- MUNGE (MUNGE Uid 'N' Gid Emporium)... - ...authentication service for creating and validating credentials - ...highly scalable...designed for HPC clusters - ...hosts form a security realm...defined by a shared cryptographic key - ...clients create/validate credentials without root privileges - ...process to authenticate the UID/GID of another local/remote process References... - GitHub Repository - <https://dun.github.io/munge> - <https://github.com/dun/munge/releases> - Wiki - Installation Guide & Man-Pages - <https://github.com/dun/munge/wiki/Installation-Guide> - Fedora EPEL Package - <https://src.fedoraproject.org/rpms/munge> - RPM SPEC & Systemd Service Unit - <https://github.com/dun/munge/blob/master/munge.spec.in> - <https://github.com/dun/munge/blob/master/src/etc/munge.systemd.service.in> ## `munged.service` Create a `munge.service` Systemd unit... ```sh cat > /etc/systemd/system/munge.service <<'EOF' [Unit] Description=munged authentication service [Service] Type=forking User=munge Group=munge RuntimeDirectory=munge RuntimeDirectoryMode=0755 EnvironmentFile=-/etc/default/munge ExecStart=munged $MUNGE_OPTIONS [Install] WantedBy=default.target EOF # load new unit file...restart...check state systemctl daemon-reload && systemctl restart munge systemctl status --full --lines=50 munge ``` ## Shared Secret ....requires a shared secret on all nodes... - ...stored in `/etc/munge/munge.key` - ...typically distributed by configuration management ```bash # create the configuration directory (if missing) mkdir /etc/munge \ && chown munge:munge /etc/munge \ && chmod 0700 /etc/munge # create a shared secret sudo -u munge /usr/sbin/mungekey -v # ...or... dd if=/dev/urandom of=/etc/munge/munge.key bs=1 count=1024 # ...adjust permissions chown munge:munge /etc/munge/munge.key chmod 0600 /etc/munge/munge.key ``` Verify functionality... ```sh # encode credential munge -n # enode & decode credential munge -n | unmunge munge -n -t 10 | ssh $node unmunge ssh $node munge -n -t 10 | unmunge ``` ## Configuration Fore-ground daemon for debugging... ```sh # overwrite nologin and run munged in foreground su -s /bin/bash munge -c "$MUNGE_PATH/sbin/munged $OPTIONS -Fv" # ...with logging to a file /var/log/... don't foreground su -s /bin/bash munge -c "$MUNGE_PATH/sbin/munged $OPTIONS" ps -p $(pgrep munged) -fH ; pkill munged ``` Use a dedicated user... ```sh groupadd -r munge useradd -c "MUNGE authentication service" \ -d "/var/lib/munge" \ -g munge \ -s /sbin/nologin \ -r munge ``` `munged` enforces files permissions... ```bash # PRNG Seed... mkdir -p /var/lib/munge \ && chown munge:munge /var/lib/munge \ && chmod 0700 /var/lib/munge # socket configuration... cat > /usr/lib/tmpfiles.d/munge.conf <<EOF d /run/munge 0755 munge munge - EOF systemd-tmpfiles --create /usr/lib/tmpfiles.d/munge.conf # log-files... mkdir /var/log/munge \ && chown munge:munge /var/log/munge \ && chmod 0700 /var/log/munge ``` ## Non-Default Paths Path to the socket is set by a compile time option... - ...[MUNGE Installation Guide][nZBET] - ...specifically `--runstatedir=/run` [nZBET]: https://github.com/dun/munge/wiki/Installation-Guide#installing-from-the-release-tarball ```sh # options to configure the build ./configure --sysconfdir=/etc --localstatedir=/var --runstatedir=/run ``` Custom paths to all files... ```sh munged \ --seed-file=/var/lib/munge/munge.seed \ --key-file=/etc/munge/munge.key \ --pid-file=/run/munge/munged.pid \ --socket /run/munge/munge.socket.2 \ --log-file=/var/log/munge/munged.log ``` Slurm is configured with `--with-munge=$path`... `slurmctld` & `slurmdbd` require `socket=` for non-default path... ```sh >>> grep Auth /etc/slurm/slurm* /etc/slurm/slurm.conf:AuthType=auth/munge /etc/slurm/slurm.conf:AuthInfo=socket=/run/munge/munge.socket.2 /etc/slurm/slurmdbd.conf:AuthType=auth/munge /etc/slurm/slurmdbd.conf:AuthInfo=socket=/run/munge/munge.socket.2 ``` It is likely that Slurm uses the MUNGE API `man 3 munge`... - ...with a context format described in `man 3 munge_ctx` - ...which support `MUNGE_OPT_SOCKET` - ...depends on propagation of the socket location by the caller - ...seams that `sacct*` commands are not support a non-default socket ## Thread Count Munge daemon runs with two threads by default... - ...higher thread count can improve its throughput. - ...start with `munged --num-threads 10` - ...thread count to 10 will not have negative effects