Is there any way to remove sensitive info from the output files, or disable writing certain output files altogether?
For example, suppose we want to run an encrypted singularity container as a wrapper for bc_desktop. We can pull the password using an environment variable, but then the value is saved in job_script_content.sh.
I’m not sure there are secrets in OnDemand. That is, the unprivileged user has to be able to read that from somewhere. You may be able to set environment variables when you submit the job, or perhaps read from some /etc/ location - but that’s only obfuscating the variable. An unprivileged user has to be able to get this information - meaning it’s not really a secret.
That said - maybe a Slurm prologue (or your scheduler sversion of the same feature) is where you want to set this.
Thanks for the suggestion.