
Re: [Condor-users] how to ask an execute machine "stop after this job" ?



Todd,

First, too bad for my IPs...anyway it's too late, but I don't care that much... I trust my firewall :)
Then, I can explain your misunderstanding about the IP addresses:
"io" is the central manager (0.74), and the 1.7 was the execute machine, a.k.a. localhost, from which I also tried to condor_off.

Then, thank you, now it's working: I needed to modify the SETTABLE_ATTRS_CONFIG value, which was set to false... Now I'm OK with the HOSTALLOW_*, etc...

Bye
Nicolas

----------------
On Tue, 15 May 2007 14:02:25 -0500
Todd Tannenbaum wrote:

> Nicolas GUIOT wrote:
> > I tried that,
> > 5/15 17:52:51 DaemonCore: PERMISSION DENIED to unknown user from host <172.27.1.7:35148> for command 484 (DAEMONS_OFF_PEACEFUL)
> > 5/15 17:57:30 DaemonCore: Command received via TCP from host <172.27.1.7:35172>
> 
> You mean condor_off -peaceful <name>  ?
> 
> That most definitely should work and is what you want.  Realize you must 
> do it from a machine and/or user authorized for ADMINISTRATOR access.
> 
> From your logs it says denied to 172.27.1.7.
> 
> But your condor_config says administrator commands from
>     io.lbt.ibpc.fr, localhost
> 
> And DNS says
> > C:\home\tannenba\ws_v68-branch\src\condor_daemon_core.V6>nslookup io.lbt.ibpc.fr
> > 
> > Server:  dns4.cs.wisc.edu
> > Address:  128.105.1.78
> > 
> > Non-authoritative answer:
> > Name:    io.lbt.ibpc.fr
> > Address:  172.27.0.74
> 
> Since 172.27.0.74 != 172.27.1.7, the command was denied.
> Does your central manager have multiple interfaces?  If so, then you may 
> want to add the other interface names or addresses into 
> HOSTALLOW_ADMINISTRATOR.
> 
> BTW - note this email group has archives publicly available on the 
> web, so depending on your level of paranoia, I don't know if you wanna 
> be listing actual IP addrs and hostnames in your messages....
> 
> > and also "condor_config_val -rset START=False", and it gives me the following in the MasterLog:
> > 5/15 17:57:30 DaemonCore: received command 60002 (DC_CONFIG_PERSIST), calling handler (handle_config())
> > 5/15 17:57:30 WARNING: Someone at 172.27.1.7 is trying to modify "START"
> > 5/15 17:57:30 WARNING: Potential security problem, request refused
> 
> As it should.  Doing remote condor_config_val commands requires CONFIG 
> level access, which is above and beyond ADMINISTRATOR.  So you'd need to 
> edit ALLOW_CONFIG (or HOSTALLOW_CONFIG) and also edit either 
> ENABLE_RUNTIME_CONFIG and/or ENABLE_PERSISTENT_CONFIG to True to enable 
> configuration over the wire at all.
> 
> Also see the SETTABLE_ATTRS_[ADMINISTRATOR|OWNER|CONFIG] settings that 
> control what config attributes can be changed remotely.
> 
> So you may ask why is remote config access so protected, and why 
> is it disabled by default (requiring the admin to explicitly enable it)? 
>   Because it is so powerful - much more powerful than just typical 
> ADMINISTRATOR access for bringing Condor up and down on nodes, etc. 
> Think about it - if you are starting the condor_master as root, and the 
> config setting DAEMON_LIST tells the master what to launch as root... 
> you can connect the dots.  ;).
> 
> Hope the above is helpful
> regards,
> Todd
> 

----------

----------------------------------------------------
CNRS - UPR 9080 : Laboratoire de Biochimie Theorique

Institut de Biologie Physico-Chimique
13 rue Pierre et Marie Curie
75005 PARIS - FRANCE

Tel : +33 158 41 51 70
Fax : +33 158 41 50 26
----------------------------------------------------
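
Added example, not part of the original messages: a small Python script that repeats, over the MasterLog lines quoted in this thread, the manual check Todd describes (compare the source address of each refused request with the addresses the allow list resolves to). The `RESOLVED` table, the function names and the empty CONFIG list are assumptions made for illustration; only literal host names and addresses are handled, not wildcards or netmasks.

```python
import ipaddress
import re

# Log lines copied from the thread above (wrapped lines rejoined).
SAMPLE_LOG = """\
5/15 17:52:51 DaemonCore: PERMISSION DENIED to unknown user from host <172.27.1.7:35148> for command 484 (DAEMONS_OFF_PEACEFUL)
5/15 17:57:30 DaemonCore: Command received via TCP from host <172.27.1.7:35172>
5/15 17:57:30 DaemonCore: received command 60002 (DC_CONFIG_PERSIST), calling handler (handle_config())
5/15 17:57:30 WARNING: Someone at 172.27.1.7 is trying to modify "START"
5/15 17:57:30 WARNING: Potential security problem, request refused
"""

# Assumption: names are pre-resolved so the check runs offline. The first entry
# is from the nslookup output in the thread; localhost -> 127.0.0.1 is standard.
RESOLVED = {"io.lbt.ibpc.fr": ["172.27.0.74"], "localhost": ["127.0.0.1"]}

DENIED = re.compile(r"PERMISSION DENIED to .+? from host <(?P<ip>[\d.]+):\d+> "
                    r"for command \d+ \((?P<cmd>\w+)\)")
CONFIG = re.compile(r'WARNING: Someone at (?P<ip>[\d.]+) is trying to modify "(?P<attr>\w+)"')

def allowed_addresses(allow_list, resolved):
    """Expand a comma-separated list of names/addresses into IP address objects."""
    addrs = set()
    for entry in filter(None, (e.strip() for e in allow_list.split(","))):
        for ip in resolved.get(entry, [entry]):
            addrs.add(ipaddress.ip_address(ip))
    return addrs

def explain_refusals(log_text, allow, resolved):
    """One finding per refused request: access level involved and whether the source is listed."""
    findings = []
    for line in log_text.splitlines():
        if m := DENIED.search(line):
            level, what = "ADMINISTRATOR", m["cmd"]
        elif m := CONFIG.search(line):
            level, what = "CONFIG", m["attr"]
        else:
            continue
        src = ipaddress.ip_address(m["ip"])
        listed = src in allowed_addresses(allow.get(level, ""), resolved)
        findings.append({"level": level, "source": str(src),
                         "what": what, "source_listed": listed})
    return findings

if __name__ == "__main__":
    allow = {"ADMINISTRATOR": "io.lbt.ibpc.fr, localhost", "CONFIG": ""}  # CONFIG list assumed empty
    for finding in explain_refusals(SAMPLE_LOG, allow, RESOLVED):
        print(finding)
```

Both findings report `source_listed: False` for 172.27.1.7, because "localhost" in the allow list covers 127.0.0.1 and not the execute machine's network address. For the CONFIG finding, being listed is only one condition; the ENABLE_*_CONFIG and SETTABLE_ATTRS_* settings mentioned in the thread also apply.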