
Re: [HTCondor-users] Help on running HTCondor as root



(sorry if it is a double posting, I have multiple email addresses and often I mistake them ...)
ciao, thanks a lot.
I need some more time to identify the problem: for the moment it is not even clear which command is problematic.
I would bet on 'su': condor runs as root, receives a payload and wants to run it. In order to do so it probably wants to change user, using either 'su' or 'sudo'.
fact is that client side I do not see error too clearly, so I need collector operators' help and that is slowing down the things quite a bit.

investigating ...
Thanks for the moment

tom

On Mon, Oct 19, 2015 at 3:21 PM, Douglas Thain <dthain@xxxxxx> wrote:
Tom, Greg, and all -

Regarding parrot+cvmfs+condor as root:

If I understand correctly, the problem is that parrot complains that
some particular program cannot be run, because it is setuid-root.
And so, you are trying to run everything as root. I wouldn't go this
way, since Condor (and many other tools) are not designed to deal with
this.

This issue has come up before, and in each case, the program
attempting to setuid was entirely unnecessary to the desired
application, and with slight changes, the problem could be avoided.

As an example, on some (old) systems, /usr/bin/xterm is setuid root,
so that it has permission to log the user's name to /var/log/lastlog.
But, xterm still works even if it cannot write to the file.

So, the workaround was to copy /usr/bin/xterm to /tmp/myxterm and then
run parrot like this:

parrot_run -M/usr/bin/xterm=/tmp/myxterm . . .

In any case, I think we can solve this problem with some help from parrot.
Please go ahead and file an issue on parrot, and I'm sure we can come
up with a good solution.

Best,
Doug


-------------------

Date: Fri, 16 Oct 2015 20:46:13 +0200
From: Tommaso Boccali <tommaso.boccali@xxxxxxxxxx>
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Help on running HTCondor as root
Message-ID:
    <CADGftETfi4vdKn4hfyK-
7EYZWHkC=pOspWCXtLvcb800iqmFnA@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

so, since also /bin is under cvmfs here, and hence under parrot, the system
needs to start as root in order to build a working system (see uCERNVM
documentation). once I am root, parrot forbids setuid execs to run, so I
can only stay root.
the cms sw has no problem with that, it runs happily. it seems instead
htcondor is not happy. please note you are root in a parrot + cvmfs ,
so not really a powerful root. you can hardly screw up the system in the
container, let alone the host one.

tom
On 16 Oct 2015 17:36, "Greg Thain" <gthain@xxxxxxxxxxx> wrote:

> On 10/16/2015 07:58 AM, Tommaso Boccali wrote:
>
>
> Ciao,
> I am experimenting with an opportunistic workflow for CMS, in which condor
> starts in a docker container using uCERNVM + Parrot.
> basically, the image contains just the kernel, and also /usr, /bin etc are
> provided via CVMFS via Parrot.
> One of the limitations of this environment is that setuid commands do not
> work (trapped by Parrot), so eventually you are root and cannot become any
> other user.
>
> Perhaps I'm missing something, but can you start Condor as a non-root user?
>
> -greg
>
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with
> a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/
>
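The workaround Doug describes in the thread (copy the setuid program, then remap it with `-M`), generalized to every setuid file in a set of directories. This is an added example, not part of the original messages and not code from parrot or HTCondor; the function name `build_parrot_mounts` and the scratch-directory layout are assumptions. The copies run without the elevated privilege, so this only helps for programs that, like the xterm case, still work without it.

```shell
#!/bin/sh
# Added example: find setuid programs and prepare non-setuid copies that
# parrot_run can map over the originals with -M<original>=<copy>.
# build_parrot_mounts and the scratch layout are hypothetical names.

# Usage: build_parrot_mounts SCRATCH_DIR DIR...
# Prints one -M argument per setuid regular file found directly in each DIR.
build_parrot_mounts() {
    scratch=$1
    shift
    mkdir -p "$scratch" || return 1
    for dir in "$@"; do
        for f in "$dir"/*; do
            # Only regular files that carry the setuid bit are of interest.
            [ -f "$f" ] && [ -u "$f" ] || continue
            # Flatten the path so same-named files from two dirs do not collide.
            copy="$scratch/$(printf '%s' "$f" | tr '/' '_')"
            # Plain cp (no -p) does not carry the setuid bit over; the chmod
            # makes that explicit and also drops setgid.
            cp "$f" "$copy" || return 1
            chmod u-s,g-s "$copy" || return 1
            printf '%s%s=%s\n' '-M' "$f" "$copy"
        done
    done
    return 0
}
```

Each output line is one `-M` argument in the form used in Doug's command; the list also shows which programs in those directories are setuid, which helps when it is unclear which command parrot is rejecting.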