[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Setting policy using Linux Groups?

I know what you're getting at, as I've dealt with this situation before.

Back when I was using my Perl qsub script during the Grid Engine migration, one of the steps it took was to check for membership in a Linux group which matched one of the names found in the GROUP_NAMES config value, so someone in the "flighttest" Linux group would have their jobs submitted with +AccountingGroup = "group_flighttest", or after I upgraded from 7.x, accounting_group = "group_flighttest".

Of course, that's only possible if your script is what's actually generating your submit description.

One might think of using a prepare_job hook, but that won't do the trick because it only runs after the job is matched, and that's too late - you need to set the accounting group before the job runs so that it will be handled appropriately by the negotiator when allocating resources.

To administratively put something into a job submission, you have the SUBMIT_ATTRS directive, which specifies attribute names which will be inserted into all job ClassAds. However the trouble there is that the value of a configuration macro is only created when the configuration is read, not each time a submission is made. You'd want something that would run a script at submission time to check Linux group membership to generate the appropriate accounting group, but from what I can tell the only place that script output is read is at the "queue in" syntax. And that's a good thing, for security reasons.

So you may be stuck simply insisting that the users specify the appropriate accounting group in their submissions, unless you want to go to the lengths of writing a wrapper for condor_submit or aliasing in the shell to add an "-append" argument that runs a suitable script.

I've found that it helps if you set the default priority factor to something fairly high, so that people who don't specify a group get a much smaller share of resources than those who do. Depending on how ornery your users are you may also want to write something to check to be sure they're using the appropriate groups by checking their Linux group membership against their jobs' accounting groups.


Michael V. Pelletier
IT Program Execution
Principal Engineer
978.858.9681 (5-9681)
339.293.9149 cell