Cluster Isolation

Isolated Mode is available to on-premises tenants that are running RHEL/CentOS 7.x or later. Running a cluster in Isolated Mode restricts user access to that cluster. This mode is intended for situations where adjustments must be made to the cluster using either an automated script or manual commands. When a cluster is in Isolated Mode:

• Only "cluster superuser" users can access the cluster via SSH. A cluster superuser is a user who has the tenant keypair (and LDAP/AD sudo privileges, if applicable). This privilege can be assigned using the Cluster Superuser Privilege pull-down menu in the Create New Tenant or Edit Tenant screen (see Creating a New Tenant or Project and Editing an Existing Tenant or Project) as follows:
  • Site Admin and Tenant Member/Admin: The Platform Administrators and the Tenant Member and Tenant Administrator users may access the keypair and change cluster Isolated Mode settings.
  • Site Admin and Tenant Admin: The Platform Administrators and the Tenant Administrator users may access the keypair and change cluster Isolated Mode and Two Phase Delete settings. Tenant Member users may enable Isolated Mode and/or Two Phase Delete, but cannot disable these options.
  • Site Admin Only: The Platform Administrators may access the keypair and change cluster Isolated Mode and Two Phase Delete settings. Tenant Administrator and Tenant Member users may enable Isolated Mode and/or Two Phase Delete, but cannot disable these options.
• Only the cluster SSH port can be accessed from outside the cluster. No other services/ports can be accessed. (Full functionality is available once you have logged in to the cluster.)
• Any existing SSH connections are cut when the cluster is placed into Isolated Mode.
• Isolated Mode events will appear in the Cluster History tab of the Cluster Details screen for a cluster.
• The cluster will continue running any current jobs when placed into Isolated Mode; however, the cluster will not accept any new jobs.
• The cluster can only be edited by a cluster superuser.
• The cluster can only be started, stopped, or rebooted by a cluster superuser.
• ActionScripts can only be run by a cluster superuser.
• The cluster can only be deleted by a cluster superuser.
• Users cannot access cluster services via any links in the Services column of the Node(s) Info tab in the Cluster Details screen.

A cluster may be placed into Isolated Mode at any time during its life cycle. For example:

• You may need to add Kerberos protection to a new cluster before placing it into service. In this case, be sure to check the Isolated Mode check box when creating the cluster, as described in Creating a New Cluster. The notation Isolation Event: created appears in the Details column of the Cluster Management screen, and the status isolated also appears in the Status column of the Cluster Management screen.
• Updates or other configuration changes may need to occur at other times. You can place the cluster into Isolated Mode by clicking the Edit icon (pencil) for that cluster to open the Edit Cluster screen for that cluster, and then checking the Isolated Mode check box. The notation Isolation Event: manual edit appears in the Details column of the Cluster Management screen, and the status isolated also appears in the Status column of the Cluster Management screen.
• If you need to run any scripts, transfer data, or perform any other tasks immediately prior to deleting a cluster, then you can enable the Two Phase Delete option when creating or editing the cluster. The notation Two Phase Delete: true appears in the Details column of the Cluster Management screen. When this option is enabled, then deleting a cluster as described in Deleting a Cluster proceeds as follows:
  • If you are not a cluster superuser, then the cluster will be placed into Isolated Mode. The notation Isolation Event: delete requested appears in the Details column of the Cluster Management screen, and the status isolated appears in the Status column of the Cluster Management screen. A cluster superuser will need to complete the deletion.
  • If you are a cluster superuser, then the cluster will be placed into Isolated Mode, as described above. Perform any required tasks, and then delete the cluster as described in Deleting a Cluster.