
Re: [HTCondor-users] Help on running HTCondor as root

Tom, Greg, and all -

Regarding parrot+cvmfs+condor as root:

If I understand correctly, the problem is that parrot complains that
some particular program cannot be run, because it is setuid-root.
And so, you are trying to run everything as root.  I wouldn't go this
way, since Condor (and many other tools) are not designed to deal with

This issue has come up before, and in each case, the program
attempting to setuid was entirely unnecessary to the desired
application, and with slight changes, the problem could be avoided.

As an example, on some (old) systems, /usr/bin/xterm is setuid root,
so that it has permission to log the user's name to /var/log/lastlog.
But, xterm still works even if it cannot write to the file.

So, the workaround was to copy /usr/bin/xterm to /tmp/myxterm and then
run parrot like this:

parrot_run -M/usr/bin/xterm=/tmp/myxterm . . .

In any case, I think we can solve this problem with some help from parrot.
Please go ahead and file an issue on parrot, and I'm sure we can come
up with a good solution.
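The xterm workaround above, generalized into a small helper: for each program that carries a set-id bit, make an unprivileged copy and emit the matching parrot_run -M mapping. This is an added example, not code from the thread, parrot, or HTCondor; it assumes the programs in question tolerate running without their elevated privilege, as xterm does when it cannot write /var/log/lastlog.

```shell
#!/bin/sh
# Added example (not from the thread): build parrot_run -M mappings that
# replace setuid/setgid binaries with unprivileged copies, following the
# /usr/bin/xterm -> /tmp/myxterm workaround.
# Assumption: each mapped program still works without its set-id privilege.

# Print "1" if $1 has the setuid or setgid bit set, else "0".
is_setid() {
    if [ -u "$1" ] || [ -g "$1" ]; then echo 1; else echo 0; fi
}

# Copy $1 into directory $2 with the set-id bits dropped and print the
# "-M/original=/copy" argument for parrot_run. Prints nothing and returns 1
# when $1 carries no set-id bit (parrot can run it as-is, no mapping needed).
make_unprivileged_copy() {
    src="$1"; dir="$2"
    [ "$(is_setid "$src")" = 1 ] || return 1
    dst="$dir/$(basename "$src")"
    cp "$src" "$dst" || return 1
    chmod u-s,g-s "$dst"   # explicit: do not rely on cp dropping the bits
    chmod u+rx "$dst"
    printf '%s%s=%s\n' "-M" "$src" "$dst"
}

# Print one -M mapping per line for the binaries given as arguments,
# silently skipping those that do not need one.
build_mappings() {
    dir="$1"; shift
    for bin in "$@"; do
        make_unprivileged_copy "$bin" "$dir" || true
    done
}

# Usage, in the shell where parrot_run is started (paths are placeholders):
#   mkdir -p /tmp/noset
#   set -- $(build_mappings /tmp/noset /usr/bin/xterm)
#   parrot_run "$@" /bin/sh
```

The copy runs with the caller's own privileges only, which is the point: parrot refuses the set-id original, and the program has to get by without the privilege anyway.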



Date: Fri, 16 Oct 2015 20:46:13 +0200
From: Tommaso Boccali <tommaso.boccali@xxxxxxxxxx>
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Help on running HTCondor as root
Content-Type: text/plain; charset="us-ascii"

So, since /bin is also under cvmfs here, and hence under parrot, the system
needs to start as root in order to build a working system (see uCERNVM
documentation). Once I am root, parrot forbids setuid execs to run, so I
can only stay root.
The cms sw has no problem with that, it runs happily. It seems instead
htcondor is not happy. Please note you are root in a parrot + cvmfs,
so not really a powerful root. You can hardly screw up the system in the
container, let alone the host one.

On 16/Oct/2015 17:36, "Greg Thain" <gthain@xxxxxxxxxxx> wrote:

> On 10/16/2015 07:58 AM, Tommaso Boccali wrote:
> > Ciao,
> > I am experimenting an opportunistic workflow for CMS, in which condor
> > starts in a docker container using uCERNVM + Parrot.
> > basically, the image contains just the kernel, and also /usr, /bin etc are
> > provided via CVMFS via Parrot.
> > One of the limitations of this environment is that setuid commands do not
> > work (trapped by Parrot), so eventually you are root and cannot become any
> > other user.
> Perhaps I'm missing something, but can you start Condor as a non-root user?
> -greg
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/