[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Restrict pool to a single submit machine

On Aug 21, 2006, at 12:02 PM, Pascal Jermini wrote:

I would like to know if it is possible to have only one submit machine per Condor pool. In other words, what we want to do is to avoid having rogue submit machines in our pool, since we would like to have all our users to log
into our single submit machine for accounting purpose.

Six months ago someone suggested
(https://lists.cs.wisc.edu/archive/condor-users/2006-February/ msg00270.shtml) to put a restriction in the START expressions, in order to restrict the execution of jobs coming from a known schedd (by the way, I guess that with
the new support of regexps it becomes trivial to perform the proposed
We are not sure if this method is reliable enough to avoid rogue submit machines, as the job classad can easily be altered in order to make it likes
the job comes from a legitimate submit host...

You use the hostallow_write config parameter and/or X509 or kerberos to restrict which machines can join the pool. If you restrict hostallow_write on the execute machines to only include the central manager and submit machine, then the execute machines won't talk to any rogue submit machines.

|           Jaime Frey           | I used to be a heavy gambler.     |
|       jfrey@xxxxxxxxxxx        | But now I just make mental bets.  |
| http://www.cs.wisc.edu/~jfrey/ | That's how I lost my mind.        |