
Re: [HTCondor-users] condor_ssh_to_job broken with 8.8 on CentOS 7



Good morning,

On 27.02.19 at 09:43, Steffen Grunewald wrote:
>> - The argument "-a" to nsenter not being present on CentOS 7
> 
> also not in Debian Stretch (and now that I check it with Jessie, 
> it hasn't been there either - why did nobody notice?)

It's present in Ubuntu 18.04 LTS, maybe all container users (apart from us) have that on their servers,
or have not upgraded yet. 

> 
>> - and somehow attaching to the user namespace failing on CentOS 7
> 
> I'm lacking a test case at the moment, but I'm fearing the worst.
> Still nobody has attempted to run containers, it seems (or they failed
> and failed to report it?)

I think Greg is correct and "-U" only fails with setuid root Singularity
(the code "only" affects Singularity users in any case). Probably "-a" would do the correct thing,
since Singularity with setuid root does not create a new user namespace so there's no need to attach. 

I'll have to investigate how things turn out when we disable setuid root (which should, now that we don't run sshd inside the container anymore, finally be possible)
at a later stage. 

I have now, finally (after the rollback) managed to get an upgraded test workernode attached to the same pool
which exclusively accepts jobs from us administrators. 

I'll try to find out the best working combination in the next days. Potentially, disabling the automatic killing of the "sleep" job
before nsenter attaches, wrapping nsenter correctly for CentOS 7 and setting some environment variables to have a well-defined PATH and working
bash initialization when attaching could work around all discovered issues. 
At least, now our users are out of the game and there's less stress from people flooding me with mails since their interactive jobs don't start,
and we have a good way to test out such things before rolling them out to the full cluster ;-). 

Cheers and thanks,
	Oliver

> 
> - S
> 
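
Added example (not part of the original message and not HTCondor's code): one way a wrapper could cope with an nsenter that lacks "-a" and with "-U" failing when the job has no user namespace of its own is to compare the /proc/<pid>/ns links and pass only the flags for namespaces that actually differ. The names ns_flags, attach_job and PROC_ROOT are hypothetical; PROC_ROOT is overridable only so the logic can be exercised on a constructed tree.

```shell
#!/bin/sh
# Added illustration; assumes a Linux /proc layout and the single-letter
# nsenter flags -m -u -i -n -p -U.
PROC_ROOT="${PROC_ROOT:-/proc}"

# ns_flags TARGET_PID [REFERENCE_PID]
# Prints the nsenter flags for every namespace in which TARGET_PID differs
# from REFERENCE_PID (default: this shell). Two processes share a namespace
# exactly when their /proc/<pid>/ns/<type> links resolve to the same name.
ns_flags() {
    target=$1
    ref=${2:-$$}
    flags=""
    for pair in mnt:-m uts:-u ipc:-i net:-n pid:-p user:-U; do
        ns=${pair%%:*}
        flag=${pair#*:}
        t=$(readlink "$PROC_ROOT/$target/ns/$ns") || {
            echo "cannot read $ns namespace of PID $target" >&2
            return 1
        }
        r=$(readlink "$PROC_ROOT/$ref/ns/$ns") || {
            echo "cannot read $ns namespace of PID $ref" >&2
            return 1
        }
        # Same link text means same namespace: nothing to attach to.
        [ "$t" = "$r" ] || flags="$flags $flag"
    done
    printf '%s\n' "${flags# }"
}

# attach_job PID COMMAND...
# Runs COMMAND inside the namespaces of PID, entering only those that differ.
attach_job() {
    pid=$1
    shift
    flags=$(ns_flags "$pid") || return 1
    # $flags is intentionally unquoted so each flag becomes its own argument.
    exec nsenter -t "$pid" $flags "$@"
}
```

For a job started by a setuid root runtime that creates no user namespace, ns_flags leaves "-U" out; for a job in its own user namespace it is included.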

