
RE: [Condor-users] How to change condors log file permission settings?



Hi,
  At the Uni of Essex, we have a SuSE8.2 controller machine with some
linux machines which are now successfully talking after getting the
firewall set up correctly. I have made condor the owner of all
executables, and start the condor_master as root. 
  The complete pool of XP machines have now disappeared completely,
although they did this the other day, and at some stage overnight
reappeared, I guess when the machine rebooted? In fact I have just
proved this, re-added the firewall connections for condor_master,
condor_starter, condor_startd, condor_shadow and condor_schedd. For good
measure, I also added condor_submit - this is a full execute machine. I
need to do this around a few other winxp machines, as we are in a state
of transition at the moment. A simple test job started, runs ok on the
controller until renegotiating with the submission machine. 
  Question is -- what user does the winxp machines condor need to be
owned by? And am I opening enough exceptions in the xp sp2 firewall to
allow the negotiator to respond to the return call?
  
Thanks
Kevan

-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx
[mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Bruce Beckles
Sent: 09 September 2004 16:14
To: John Wheez
Cc: condor-users@xxxxxxxxxxx
Subject: Re: [Condor-users] How to change condors log file permission
settings?


On Thu, 9 Sep 2004, John Wheez wrote:

> Thanks for the tips.

Welcome :)

> Since the condor submit creates the log files this is the program which
> sets the permissions...so I think I will try your idea of changing the
> permissions of the binary to see if that makes the log files writeable
> by user "condor". My only workaround has been running condor daemons as
> "root" which is not recommended.

From what you are saying you will have the same problem (and what I've
suggested would also fix/work around this) for any job's output file
(i.e. that it is owned by the user running condor_submit, but user
"condor" can't write to it), unless your jobs don't write anything to
standard output (or you choose not to have that output returned).

Be aware that if you do what I've said then that means that if (a)
someone can impersonate the user "condor" or (b) ask the user "condor"
to do something on their behalf (perhaps a Condor job using the
standard universe?), then they can write to/delete these files. 

Also, if you are not running the Condor schedd daemon as root then any
files that your job produces that Condor would normally return using its
file transfer mechanism will be owned by user "condor" and ONLY user
"condor" will have read permissions (and also only user "condor" will
have write permissions).  This means the user who submitted the job
can't read any files the job has created when it was run on the remote
machine! 
This is normally a big problem... :(

	-- Bruce

--
Bruce Beckles,
e-Science Specialist,
University of Cambridge Computing Service.
