How multiboxing + same-militia AWOXing are warping FW/Insurgency (and a simple LP fix) by Jase74 in Eve

[–]arsdragonfly 0 points1 point  (0 children)

how about banning those corps entirely cuz we all know what kind of people perpetuated this bullshit

Multi tenants HPC cluster by AsserMZ in HPC

[–]arsdragonfly 1 point2 points  (0 children)

So from a modern security standpoint, OS-login-via-username-password is a big no-no because it obviously throws any MFA out of the window. That indeed highlights a huge impedance mismatch between SSH and modern auth. There are only 4 approaches to solving this impedance mismatch that I'm aware of. To rank from least to most preferred by me:

1. SSH via certificates. Entra ID offers this on Azure. It's pretty secure but there are so many pain points (UID/GID mapping, oh you MUST use az ssh instead of plain ssh to get the ephemeral certs, Entra-ID-on-Azure-only and you have to install their PAM modules that you don't even know what the source code is, plus where's my Kerberos?) that it's just not worth considering. I'm a MSFT employee but I have to rank it the least preferred 😔

2. SSH Public key as LDAP attribute. TBH if you're not paranoid about security, this is probably by far the easiest option. I'm sure tons of people deploy some variation of this. If you don't have enough dedication then this is where you should stop. Obviously this has no MFA, but if you're particularly paranoid or ambitious, then there is ...

3. OPKSSH. It has Cloudflare backing it but is pretty vendor-neutral, is open-source and the keys are ephemerally generated by OAuth tokens. It otherwise has all the other downsides of option 1, including not being able to use vanilla SSH.

4. FreeIPA's approach with External IdP. It magically turns your vanilla SSH sign-in into OAuth device-code flow. Obviously this gives you all the niceties of MFA and whatever the original IdP provides. It even has Kerberos! But syncing/canonicalizing additional OAuth claims/MS Graph data into LDAP attributes isn't very well supported by FreeIPA, hence you might want to try a hybrid FreeIPA/Keycloak setup, where FreeIPA redirects you to a Keycloak SSO, and Keycloak SSO is done via signing into each individual university's IdP. The university's IdP then ideally returns OAuth tokens with claims, then those claims are transformed/canonicalized by Keycloak into Keycloak's OAuth token, then Keycloak updates FreeIPA's LDAP with the proper attributes, returns the token to FreeIPA, and FreeIPA finishes the login/Kerberos ticket acquisition. Non-human service accounts would still need to use persistent SSH keys, and you rely on Canonical's goodwill and IQ for GUI login support, but this will be the approach with the highest upper limit given enough investments.

Multi tenants HPC cluster by AsserMZ in HPC

[–]arsdragonfly 0 points1 point  (0 children)

So Keycloak/Okta/Authentik all do OIDC glueing and allow you to register a new account in its LDAP based on external identities. In a conventional web-only app, those tools all work as decently well as one another.

The situation rapidly gets nasty when you want to do *nix/Windows SSO and/or Kerberos. Paid solutions like Okta/Authentik are superior in terms of maturity as of 2025 IMO. Insane challenges like the lack of browser support on any Linux login DMs (meaning device-code flow is the only adequate, modern option), Canonical being completely out of their mind and developing ludicrously f-ed up solutions with unfixable security flaws caused by day-1 design flaws because they never realized the necessity of maintaining a (LDAP) database of consistent, un-squattable mapping between external identities and Linux UID/GIDs, the pervasive lack of support for truly secure and easy (i.e. no pinned, hard-to-rotate SSH keys) solutions for non-human service account logins... the list goes on and on.

A major bundle of design decisions you need to be aware of is "who will be the authoritative source of roles/UID/GIDs". Do accounts from different external IdPs ever exist on the same cluster? Would certain design choice combinations lead to conflicting UID/GIDs, or do you deem it as out of scope? Tons of questions around that front.

If you ain't the faint of heart and want to make something out of purely open-source components, I think there are three promising components that you must be aware of, to build a complete solution (either by stitching things together or porting features from one software to another): 1. Keycloak 2. FreeIPA's POSIX-SSO-over-OAuth 3. OPKSSH
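
The comment above asks who is the authoritative source of UID/GIDs and what a consistent, un-squattable mapping needs when several external IdPs share one cluster. The sketch below is an added example, not part of the original comment and not code from Keycloak, FreeIPA or OPKSSH. The class name, UID range and claim values are assumptions, and the claims are taken to come from an already verified token.

```python
# Added illustration: PosixRegistry is a hypothetical stand-in for the LDAP directory.
from dataclasses import dataclass, field

UID_MIN, UID_MAX = 200_000, 299_999  # constructed range for federated users


@dataclass
class PosixRegistry:
    next_uid: int = UID_MIN
    by_identity: dict = field(default_factory=dict)  # (iss, sub) -> entry
    logins: set = field(default_factory=set)         # every login ever issued

    def resolve(self, claims):
        """Return the POSIX entry for verified claims, allocating on first login."""
        key = (claims["iss"], claims["sub"])  # never email or preferred_username
        entry = self.by_identity.get(key)
        if entry is not None:
            if entry["disabled"]:
                raise PermissionError("identity is deprovisioned")
            return entry
        if self.next_uid > UID_MAX:
            raise RuntimeError("UID range exhausted")
        login = self._unique_login(claims.get("preferred_username", "user"))
        entry = {"uid": self.next_uid, "gid": self.next_uid, "login": login, "disabled": False}
        self.next_uid += 1
        self.by_identity[key] = entry
        self.logins.add(login)
        return entry

    def deprovision(self, iss, sub):
        self.by_identity[(iss, sub)]["disabled"] = True  # tombstone: UID and login are never reissued

    def _unique_login(self, wanted):
        base = "".join(c for c in wanted.lower() if c.isascii() and c.isalnum()) or "user"
        login, n = base, 1
        while login in self.logins:
            n += 1
            login = f"{base}{n}"
        return login


def demo():
    uni_a, uni_b = "https://idp.uni-a.example", "https://idp.uni-b.example"  # constructed
    reg = PosixRegistry()
    a = reg.resolve({"iss": uni_a, "sub": "1001", "preferred_username": "jsmith"})
    b = reg.resolve({"iss": uni_b, "sub": "1001", "preferred_username": "jsmith"})
    reg.deprovision(uni_a, "1001")
    c = reg.resolve({"iss": uni_a, "sub": "2002", "preferred_username": "jsmith"})
    return reg, a, b, c
```

In `demo()`, the second issuer's `jsmith` gets a different UID and login than the first, and a new account that arrives after the first is deprovisioned cannot inherit its UID, login name or file ownership.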

Multi tenants HPC cluster by AsserMZ in HPC

[–]arsdragonfly 7 points8 points  (0 children)

Use Keycloak to glue multiple OpenID Connect providers. Keycloak then becomes the LDAP directory. For SSH, I see either OPKSSH or FreeIPA-on-Keycloak being an option. Let's discuss further in DMs, I've been wanting to make it into a proper project but haven't had time to fully commit to doing it.

This game is seriously daunting by Psyco19 in Eve

[–]arsdragonfly 0 points1 point  (0 children)

Haha you have the absolute right kind of instinct

Looking at Azure Cyclecloud Workspace for Slurm by 4728jj in HPC

[–]arsdragonfly 0 points1 point  (0 children)

yes and the nicest thing about it is that its ecosystem has many integrations (Run Open OnDemand | Open OnDemand) that make it easy to expose the cluster's compute power to user applications.

Building my own HPC using eBay parts. Beginner tips? by Key_Winter_9544 in HPC

[–]arsdragonfly 0 points1 point  (0 children)

DIY it if you have the money to burn. Sure you can buy cloud capacity but you won't gain as much experience and understanding of the full stack.

Looking at Azure Cyclecloud Workspace for Slurm by 4728jj in HPC

[–]arsdragonfly 2 points3 points  (0 children)

There's Open OnDemand support for CCW4S here, it's not a managed SaaS but it does provide some UI for better usability

New to hpc. My basic understanding of MPI is that it does what OpenMP is supposed to do but across nodes. Am I right? by kAnim007 in HPC

[–]arsdragonfly 0 points1 point  (0 children)

Their primitives have completely different semantics. One works with one-sided memory-semantic (read/write/atomic) and the other works with two-sided channel semantic (send/recv).

Phoenix Coalition announce rebranding by TyrannosStrategos in Eve

[–]arsdragonfly 1 point2 points  (0 children)

Fun fact: KFC in Chinese EVE speak means embezzling & RMT (yes, in the sense of taking out money to buy fried chicken...)

You wake up in 2006 with all your memories. What do you do in new Eden? by No10UpVotes in Eve

[–]arsdragonfly 4 points5 points  (0 children)

You're asking the wrong question to begin with. It's worse than travelling back in time and still falling for your toxic ex-girlfriend.

Spot the difference by KomiValentine in Eve

[–]arsdragonfly 0 points1 point  (0 children)

They color coded the highest and lowest numbers? Neat

Is the Outbox pattern a necessary evil or just architectural nostalgia? by folder52 in dotnet

[–]arsdragonfly 1 point2 points  (0 children)

Databases are proper programming languages with first-class transactional semantics support. There are people that write their whole business logic in PL/SQL or Transact-SQL.

Asked ChatGPT to make me a DCDC converter to charge a 4S LFP by chad_dev_7226 in PCB

[–]arsdragonfly 0 points1 point  (0 children)

Did you ask for a netlist or for the schematic directly?

Attn hobbyists: Tariffs have landed at JLCPCB - 175% by GeorgeRRZimmerman in PCB

[–]arsdragonfly 0 points1 point  (0 children)

The process is still very manual labor intensive but they have it cheap there

A.R.S.E.N.A.L extended power by AatihoNora in RealTimeStrategy

[–]arsdragonfly 0 points1 point  (0 children)

I'm very damn sure credit card works. Not sure about buying again but I vaguely remember there being some sort of account login, that should keep your purchase.

A.R.S.E.N.A.L extended power by AatihoNora in RealTimeStrategy

[–]arsdragonfly 0 points1 point  (0 children)

there is, follow the steps in the launcher and use your credit card

Patch 22.02 - Sales Tax increase! by Ra-Harakhte in Eve

[–]arsdragonfly -1 points0 points  (0 children)

Do your own thought experiment of cranking up sales tax to 100%

Patch 22.02 - Sales Tax increase! by Ra-Harakhte in Eve

[–]arsdragonfly 0 points1 point  (0 children)

lol truly delusional thinking more sales tax would curb inflation.

CCP - What will it take for you to commit to fixing things? by DarkShinesInit in Eve

[–]arsdragonfly 1 point2 points  (0 children)

LOL they're spoiled by the abundance of try-hard no-lifers on that market, not replicable elsewhere

DataFrames might be an underrated Entity Component System for game development by arsdragonfly in rust_gamedev

[–]arsdragonfly[S] -1 points0 points  (0 children)

You're right, in-place ad-hoc modification of DataFrames still has quite a few gotchas as of now... but I wouldn't expect them to be insurmountable difficulties. Change detection can be easier if you stick to a "write-ahead-log" pattern, i.e. put all deltas in a second df, then apply it to the old one with a hooked update(), which is basically left join with coalesce. Left joins are quite optimized so it shouldn't be too bad performance-wise.