sysadmin:projects:w23:portkeynoexec
Portkey Home Folder Noexec
As a jumpbox, Portkey is not intended to be used as either a VSCode Remote, or for users to run any non-system utilities, other than to SCP/SFTP files to or from their SoCS Home Folder, or to shell on to another on-campus server. Many students were still connecting directly to Portkey with VSCode which was causing server outages on Portkey as VSCode used up all available system memory.
To fix this issue, the following changes were made.
- Home Folders on Portkey were set to mount with the nfs “noexec” option which would disallow any binaries from being executed from a users home folder
- To do this, a new AutoFS mapping of auto_master_secnet_noexec was created
- New autoMountKey entries were set up for this AutoFS Mapping, which were configured with the “noexec” nfs option
- AutoFS on Portkey was configured to use this mapping instead of the usual auto_master_secnet mapping for hosts on the SoCS backend network
Students who now attempt to connect VSCode to Portkey will be met with an error message. Portkey has not had any resourcing issues since this change was made.
sysadmin/projects/w23/portkeynoexec.txt · Last modified: 2023/03/15 14:28 by kjohns23