Re: [HTCondor-users] Jobs that require root permissions

On Tue, Mar 19, 2013 at 9:03 PM, Michael Hanke <michael.hanke@xxxxxxxxx> wrote:
On Tue, Mar 19, 2013 at 1:50 PM, Brian Bockelman <bbockelm@xxxxxxxxxxx> wrote:
Condor is complaining about sandbox cleaning (I think) because it is finding files owned by root in the job sandbox (there are assumptions littered throughout the code, especially sandbox cleanup, that there is only one UID for files in a sandbox; we hit similar issues when using glexec).

It sounds like the root-owned files are all from filesystems which are remounted / bind-mounted into the sandbox by pbuilder (/proc, /dev/pts).  By enabling MOUNT_UNDER_SCRATCH, HTCondor will put the job in a separate "mount namespace" that makes mounts in the job invisible to the rest of the system; this is required to give the job a private /tmp, but the private /tmp is a side-effect in this case.

Hence, /proc and /dev/pts would be invisible to the condor_starter and wouldn't be cleaned up.

This makes sense -- I'll test that out. 

Just to wrap this up: It worked beautifully!
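
An added example (not part of the original thread, and not HTCondor code): a small check an administrator could run on an execute node to list the mounts that sit under a job sandbox in the mount table of the calling process, i.e. the filesystems a cleanup pass running in that namespace would walk into. The sandbox path and the sample `mountinfo` lines are constructed for illustration.

```python
import os

# Constructed sample in /proc/<pid>/mountinfo format; all paths are hypothetical.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:4 / /proc rw,nosuid,nodev,noexec shared:5 - proc proc rw
88 22 0:4 / /var/lib/condor/execute/dir_4242/build/proc rw,relatime shared:5 - proc proc rw
89 22 0:11 / /var/lib/condor/execute/dir_4242/build/dev/pts rw,relatime shared:6 - devpts devpts rw,gid=5,mode=620
90 22 8:1 /tmp /var/lib/condor/execute/dir_42420/tmp rw - ext4 /dev/sda1 rw
"""


def _unescape(path):
    # mountinfo octal-escapes space, tab, newline and backslash in paths.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        path = path.replace(esc, ch)
    return path


def mounts_under(sandbox, mountinfo_text):
    """Return [(mount_point, fstype)] for mounts strictly below `sandbox`."""
    prefix = os.path.normpath(sandbox) + os.sep
    found = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        # Six fixed fields, zero or more optional fields, "-", then three more.
        if len(fields) < 10 or "-" not in fields[6:]:
            continue
        sep = fields.index("-", 6)
        mount_point = _unescape(fields[4])
        # Compare with a trailing separator so dir_42420 does not match dir_4242.
        if mount_point.startswith(prefix):
            found.append((mount_point, fields[sep + 1]))
    return found


if __name__ == "__main__":
    # On a live node, pass open("/proc/self/mountinfo").read() instead of the sample.
    for mount_point, fstype in mounts_under(
        "/var/lib/condor/execute/dir_4242", SAMPLE_MOUNTINFO
    ):
        print(f"{fstype:8} {mount_point}")
```

When the job's mounts are made inside a private mount namespace, the same check run from outside that namespace should return an empty list for the sandbox.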