Architecture
Components
This diagram represents all Slurm-web components with their respective roles and integration with Slurm workload manager:
Slurm-web is based on 3 components:
-
agent: Sends requests to Slurm
slurmrestdservice which exposes a REST API forslurmctldandslurmdbddaemons. The agent is also in charge of the authorizations enforcement and acts as a caching layer over Slurm. -
gateway: Performs user authentication and acts as a reserve proxy for the agents.
-
frontend: The representation layer for the user interface. It is actually served by the gateway application and executed on client side in web browsers.
Integration
In addition to Slurm workload manager, Slurm-web interacts with some other external services and data sources:
The gateway component authenticates users with an entreprise LDAP directory. Slurm-web supports all major LDAP services implementation such as OpenLDAP, FreeIPA and Active Directory with legacy NIS and RFC 2307 bis schemas.
The agent component reads the RBAC autorization policy from a plain INI file with permissions associated to roles and LDAP groups.
Optionally, the agent can also:
-
Extract cluster racking topology from RacksDB database to generate interactive graphical representation of nodes status in the racks.
-
Connect to Redis in-memory key/value database to save cached data from Slurm.
-
Integrate with Prometheus (or compatible) by exporting various Slurm metrics for storage in timeseries database. The agent can then query this database to get historical values of these metrics.
Protocols
Protocols and authentication realms involved in communications between Slurm-web and Slurm components are represented in this diagram:
All communications from the clients web browsers to Slurm-web agent component are performed with HTTP over TCP/IP network protocols. These network communications can be secured with SSL/TLS (aka. HTTPS) over standard port TCP/443 with a production HTTP server. After initial authentication with LDAP directory, users are authenticated between these components with JSON Web Token (JWT). Slurm-web has its own JWT realm, with its dedicated JWT signing key, to secure communication between its components.
Slurm slurmrestd supports incoming HTTP requests on:
-
Unix socket, with two authentication methods:
rest_auth/local, in whichslurmrestdauthenticates users with client process UID/GID, andrest_auth/jwtwith tokens signed by Slurm JWT signing key. -
TCP/IP socket, with
rest_auth/jwtauthentication supported only.
Slurm-web agent supports all these combinations of sockets and authentication methods. Please refer to slurmrestd access configuration page for more details.
Slurm components communicates with specific binary RPC protocol over TCP/IP
sockets, secured by either Munge or
Slurm internal mechanism.
When JWT authentication is used between Slurm-web agent and Slurm slurmrestd
service, the auth/jwt alternative authentication type must also be enabled in
main Slurm and slurmdbd configuration.
Multi-clusters Distribution
Slurm-web is designed to support natively multiple HPC clusters with a central dashboard. In this configuration, the components are distributed as represented in this diagram:
In this configuration, the agent component must be deployed on all clusters
collocated with Slurm slurmrestd daemon. An agent interacts with only one
Slurm cluster.
The gateway can be installed on a central server. It distributes the requests to the agents deployed on the clusters.
Slurm REST API versions
Slurm-web 4.2.0 is officially tested and supported with Slurm REST API v0.0.40. This version of Slurm REST API is available in Slurm 23.11, 24.05 and 24.11.
This table represents all Slurm REST API versions supported by the latest Slurm releases:
Slurm releases |
Supported API versions |
||
Latest |
Compatible |
Deprecated |
|
23.02 |
0.0.39 |
0.0.38 |
0.0.37 |
23.11 |
0.0.40 |
0.0.39 |
0.0.38 |
24.05 |
0.0.41 |
0.0.40 |
0.0.39 |
24.11 |
0.0.42 |
0.0.41 |
0.0.40 |