Multi-Category Security (MCS) Guide

MCS Overview

Slurm can be configured to associate a category label to jobs and optionally ensure that nodes can only be shared among jobs having the same category label. Job and node information can optionally be filtered based on their MCS labels in coordination with the PrivateData option: only users having access to the associated MCS label will have access to the information. The MCS plugin is responsible for these features.

Users may either request a particular category label for a job, or use the default value generated by the MCS plugin implementation. The MCS plugin is responsible for checking that the user provided label is valid for the user.

MCS labels can be either enforced or specified on demand on jobs. When set to ondemand, MCS label will only be set when users specify a valid one at submission time. It is the responsibility of the MCS plugin to validate the correctness of the requested labels. When enforced, the MCS plugin implementation will always associate the default MCS label of users to their jobs unless users specify another valid one.

The selection of nodes can be filtered on MCS labels : on demand (ondemand) or always (select) or never (noselect). User can force the filter with --exclusive=mcs option (except if noselect mode).

The MCS category label (also called MCS label) for a job is shown in squeue with the format option mcslabel. The node's inherited MCS label is shown with scontrol show nodes. The sview command can also be used to see those MCS labels.

The following configuration parameters are available:

  • MCSPlugin: Specifies which plugin should be used.
  • MCSParameters: Specifies options to pass to the MCS plugin implementation. The string is of the form:
    The defaults are "ondemand,ondemandselect" and no privatedata
    • [ondemand|enforced]: set MCS label on jobs either on demand (using --mcs-label option) or always
    • [,noselect|,select|,ondemandselect]: select nodes with filter on MCS label : never, always or on demand (using --exclusive=mcs option)
    • [,privatedata]: accordingly with privatedata option:
      if privatedata and privatedata=jobs: jobs informations are filtered based on their MCS labels
      if privatedata and privatedata=nodes: nodes informations are filtered based on their MCS labels
      Only mcs/group is currently supporting the mcs_plugin_parameters option. It can be used to specify the list of user groups (separated by |) that can be mapped to MCS labels by the mcs/group plugin.

Some examples





View MCS parameters

Configured MCS parameters can be viewed using the scontrol command.

scontrol show config |grep MCS
MCSPlugin          = mcs/group
MCSParameters      = ondemand,noselect:groupA|groupB|groupC

Put a mcs_label in job using salloc, sbatch or srun command

srun -n10 -t 1000 --mcs-label=groupB ./job &

Put a mcs_label in job with exclusivity

srun -n10 -t 1000 --mcs-label=groupB --exclusive=mcs ./job &

With mcs/account plugin : put a different account/mcs-label in job

srun -n10 -t 1000 -A another_account_than_default ./job &

View MCS parameters in usage

The squeue command can also display the MCS with mcslabel format option

squeue -O jobid,username,mcslabel
JOBID               USER                MCSLABEL
2                   foo                 groupA
3	            bar                 groupB

The scontrol command will now display the MCS_label

scontrol show nodes
NodeName=node0001 Arch=x86_64 CoresPerSocket=4
   CPUAlloc=0 CPUErr=0 CPUTot=8 CPULoad=0.01 Features=(null)
   NodeAddr=noder0001 NodeHostName=node0001 Version=15.08
   OS=Linux RealMemory=23780 AllocMem=0 Sockets=2 Boards=1
   State=IDLE ThreadsPerCore=1 TmpDisk=0 Weight=40 Owner=N/A
   MCS_label=groupA BootTime=2015-08-05T10:14:41
   SlurmdStartTime=2015-09-07T13:42:28 CapWatts=n/a
   CurrentWatts=0 LowestJoules=0 ConsumedJoules=0
   ExtSensorsJoules=n/s ExtSensorsWatts=0 ExtSensorsTemp=n/s

Last modified 20 November 2015