
RE: [Condor-users] condor on windows server 2003



Agree remote admin of Windows credentials today is a major pain and should be improved. Awesome suggestion of enabling a host feature on condor_store_cred to store the credential on the named host, rather than locally. A *nix version of condor_store_cred would then be useful as I believe many sites have *nix based CMs from which they have security set to run remote administrative commands.

A new observation on a previous post regarding a 'verify' option to condor_store_cred to check to see if the credential stored is actually valid: a new option is not required, but the existing 'query' option just needs to include this functionality. I don't care to know if my credential is stored, but wish to know if I have a VALID credential stored.

Thanks all, ~Brooklin

PS: A version of condor_store_cred that accepts passwd (-p) IS available. You may need to ask for it though...

-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Bryan S. Maher
Sent: Thursday, December 02, 2004 10:36 AM
To: Condor-Users Mail List
Subject: RE: [Condor-users] condor on windows server 2003


Bob,

Yes, unfortunately, you need to run the condor_store_cred on all the execute nodes as user CONDOR (or whatever you are using as your dedicated username.)

Along these lines, I was going to chime in on the condor_store_cred wish list thread a few days back.  It would be nice if store_cred could:

1) take a username AND password on the command line.  This would allow store_cred to be used in administrative scripts to install credentials for dedicated accounts.

2) configure credentials on a remote host via hostname command line argument. This would be even nicer as an administrator (or user) could add credentials as needed from one desktop.

-Bryan

-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Robert.Nordlund@xxxxxxxxxxxxxxxx
Sent: Thursday, December 02, 2004 11:56 AM
To: Condor-Users Mail List
Subject: RE: [Condor-users] condor on windows server 2003





Bryan,

Does condor need to know the passwords for the VM1_USER accounts?  Do you have to run condor_store_cred on every machine?

Thanks,
Bob Nordlund



"Bryan S. Maher" <Bryan.Maher@xxxxxxxxdu>
Sent by: condor-users-bounces@cs.wisc.edu
12/02/2004 11:43 AM
Please respond to Condor-Users Mail List

To: "Condor-Users Mail List" <condor-users@xxxxxxxxxxx>
cc:
Subject: RE: [Condor-users] condor on windows server 2003




Ian,

I have the following in my condor_config file:

             VM1_USER = MYDOMAIN\CONDOR
             EXECUTE_LOGIN_IS_DEDICATED = TRUE

According to Collin, making the login dedicated allows condor to assume all processes in that user context belong to the job and can be managed accordingly.  Any processes running in the CONDOR user context will be killed if a job is killed.  By consequence, jobs vacated by VM1 would kill jobs run by VM2.  You do not have to dedicate the user login.  Alternately, you could create multiple domain user accounts like CONDOR-VM1 and CONDOR-VM2 and dedicate one to each of the VM's on your machines.

-Bryan
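
An added example, not part of the original thread and not Condor's own code: a small check that reads a condor_config excerpt and reports any account assigned to more than one VM while EXECUTE_LOGIN_IS_DEDICATED is TRUE, the situation described above where vacating one VM kills the other VM's job. VM2_USER follows the message's VM1_USER naming, and both sample configs are constructed for illustration.

```python
import re

# Constructed sample: two VMs mapped to one dedicated account, as in the thread.
SAMPLE_SHARED = r"""
# condor_config excerpt (constructed)
VM1_USER = MYDOMAIN\CONDOR
VM2_USER = MYDOMAIN\CONDOR
EXECUTE_LOGIN_IS_DEDICATED = TRUE
"""

# Constructed sample: one dedicated account per VM, the alternative suggested.
SAMPLE_SPLIT = r"""
VM1_USER = MYDOMAIN\CONDOR-VM1
VM2_USER = MYDOMAIN\CONDOR-VM2
EXECUTE_LOGIN_IS_DEDICATED = TRUE
"""

ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
VM_USER = re.compile(r"^VM(\d+)_USER$")


def parse_config(text):
    """Return {UPPERCASE_NAME: value}; later assignments override earlier ones."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = ASSIGN.match(line)
        if m:
            settings[m.group(1).upper()] = m.group(2)
    return settings


def shared_dedicated_accounts(text):
    """Map each account used by more than one VM to its sorted VM numbers,
    but only when the execute login is marked dedicated."""
    settings = parse_config(text)
    if settings.get("EXECUTE_LOGIN_IS_DEDICATED", "FALSE").upper() != "TRUE":
        return {}
    by_account = {}
    for name, value in settings.items():
        m = VM_USER.match(name)
        if m:
            # Windows account names are case-insensitive, so normalise them.
            by_account.setdefault(value.upper(), []).append(int(m.group(1)))
    return {a: sorted(v) for a, v in by_account.items() if len(v) > 1}


if __name__ == "__main__":
    for label, cfg in (("shared", SAMPLE_SHARED), ("split", SAMPLE_SPLIT)):
        print(label, shared_dedicated_accounts(cfg))
```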


-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Ian Chesal
Sent: Thursday, December 02, 2004 10:50 AM
To: Condor-Users Mail List; oliver@xxxxxxxxxxxx
Subject: RE: [Condor-users] condor on windows server 2003

I have a question about running condor jobs as users other than condor-reuse-vm? -- does this affect how well condor can clean up errant processes? Does condor use the unique condor-reuse-vm? user names to identify processes and sub-processes to kill when a job gets vacated from a machine? If this is the case, will vm1 and vm2 jobs now kill each other off if they are vacating the machine?

Ian

> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx 
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Bryan S. Maher
> Sent: December 2, 2004 10:35 AM
> To: oliver@xxxxxxxxxxxx; Condor-Users Mail List
> Subject: RE: [Condor-users] condor on windows server 2003
>
> Oliver,
>
> I have a dedicated pool of 14 compute nodes all of which are running 
> Windows 2003 Server. I had the same problem until I added the 
> condor-reuse-vm? user to the administrator's group.  After that, 
> things worked fine.  If you look in the starter log, you will see " 
> Create_Process: CreateProcess failed, errno=5" which is the WIN32 
> error "Access is denied."
>
> I also experienced this problem on 1 out of 3 (approximately) of my 
> Windows XP machines.  I'm at a loss to explain why the default 
> installation worked on some machines and not others since every one of 
> my workstations is built from the same standard RIS deployment image.
>
> I started with v.6.6.6 on my execution nodes.  Since then, the entire 
> pool was upgraded to v6.6.7.  These versions will work on Windows 2003 
> Server.
>
> In my configuration, I created a domain user called CONDOR and 
> specified jobs to run using MYDOMAIN\CONDOR as a dedicated user.  I 
> configured my execution nodes to use MYDOMAIN\CONDOR in lieu of 
> condor-reuse-vm?.  This allows my jobs to access domain network shares 
> at runtime.  Note that this is also a potential security hole 
> depending on the permissions you give to CONDOR.  In my case, I had to 
> make CONDOR an administrator on all the compute nodes just to get
> things to run.  I was assured by folks at the cs.wisc that
> this shouldn't be necessary but I just can't get it to run otherwise.
>
> -Bryan
>
> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx 
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Oliver Hotz
> Sent: Thursday, December 02, 2004 10:23 AM
> To: 'Björn Baumeier'; 'Condor-Users Mail List'
> Subject: RE: [Condor-users] condor on windows server 2003
>
> I put up some more information
>
> www.heimlich.net/~oliver/condor
>
> here you can find the log files.. maybe somebody can make something of 
> it.
>
> It is matching the Winnt52 correctly
>
>
>
> -----Original Message-----
> From: Björn Baumeier [mailto:baumeier@xxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, December 01, 2004 11:43 PM
> To: oliver@xxxxxxxxxxxx; 'Condor-Users Mail List'
> Subject: AW: [Condor-users] condor on windows server 2003
>
> Hello Oliver!
>
> We are running a Windows 2003 Server in terminal server mode to 
> function as central submit node in our pool. The condor version we 
> installed is 6.6.6 and things are working fine without any additional 
> settings. However, since we don't use the server as a compute node, I 
> can't tell if there is any trouble with that.
>
> Can you submit jobs from the server to other nodes in the pool? If you 
> try to submit to the server, what does "condor_q -analyse" produce?
> If I am not completely wrong, Windows Server 2003 has "OpSys=WINNT52"
> whereas a Windows XP system has "OpSys=WINNT51". So maybe no
> match has been found.
>
> Bjoern
>
>
>
>
> ------------------------------------------------------
> Björn Baumeier                     baumeier@xxxxxxxxxxxxxxxxxxx
> Universität Münster
> Institut für Festkörpertheorie
> Wilhelm-Klemm-Strasse 10
> D-48149 Münster
> Tel. +49 251 83 - 33583
> ------------------------------------------------------
>
> -----Ursprüngliche Nachricht-----
> Von: condor-users-bounces@xxxxxxxxxxx 
> [mailto:condor-users-bounces@xxxxxxxxxxx] Im Auftrag von Oliver Hotz
> Gesendet: Donnerstag, 2. Dezember 2004 03:24
> An: 'Condor-Users Mail List'
> Betreff: [Condor-users] condor on windows server 2003
>
> Hey guys..
>
> I am having some extreme problems with getting condor to run on 
> windows server 2003.
>
> I know it's probably some sort of permissions or security policy thing, 
> but I just don't know what.
>
> I installed everything on windows xp pro, and a simple .bat file 
> (creating an empty text document on c:\) works just fine.
>
> However, when I try to do the same thing on windows server 2003, same 
> condor config, same installation, the file never gets written to c:\.. 
> neither do I get an error log or output log for that .sub/bat file.
>
> Any ideas ?.. anyone that has gotten condor to work on windows 2003 
> server and knows its working ?.. what kind of security policies did 
> you change, etc ?.. I really thought I have tried everything 
> possible.. I just can't think of anything... this is with condor 6.7.2
>
> oliver
>
>
> _______________________________________________
> Condor-users mailing list
> Condor-users@xxxxxxxxxxx 
> http://lists.cs.wisc.edu/mailman/listinfo/condor-users