
Re: [Condor-users] Condor in a secure academic environment



On Wed, 2008-04-30 at 23:14 +0200, Pascal Jermini wrote:

> To effectively limit access to the data stored on the compute node, I think
> that using a virtual machine could be a solution, but then you may get a
> performance hit...and in my opinion a rather complicated architecture to deal
> with...

For what it's worth, my pool has Condor tucked away inside virtual
machines (as provided by util-vserver: Linux virtual machines on a Linux
host), mainly to ensure that Condor jobs can't possibly get at data on
the host machine but also because we generally like being able to
separate Condor from non-Condor usage. It's appealing that if I ever had
a rogue job run (though I never have) then I can trivially nuke the
virtual machine without the user sitting in front of the computer noticing
anything. For other reasons particular to our setup our Condor traffic
goes over a private network, so networking is straightforward (host
machine gets public IP address, virtual machine gets private one). 

I've not performed a careful study but have run identical programs
inside and outside of the virtual machine, and have never been able to
notice a performance hit. As for administration: building the virtual
machines in the first place took a ~20 line bash script, and there's a
short init.d script to make the network interfaces come up properly.
Other than the small amount of work to set them up, I wouldn't say
there's been any overhead in day-to-day admin. Based on my experience,
I'd certainly recommend considering virtual machines if they fulfil your
needs.

Adam