
Re: [HTCondor-users] sudo / package installation inside a docker container inside a user job



Thank you all, thank you Greg, these are good guidelines and explanations!

Gergely

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Greg Thain
Sent: Thursday, June 13, 2019 11:42 PM
To: htcondor-users@xxxxxxxxxxx
Subject: Re: [HTCondor-users] sudo / package installation inside a docker container inside a user job


On 6/13/19 4:14 PM, Gergely Debreczeni via HTCondor-users wrote:

Thanks, that is indeed good advice! I’ll check and see whether it has any limitations for our use case... But if I understood correctly, “becoming root” inside a docker container should not harm the host OS in any manner... so why is it disabled in Condor? Is there some security flaw there?


Gergely:

There are a couple of reasons it is disabled by default in HTCondor. First, Docker Universe bind-mounts the condor scratch sandbox directory into the container. This allows condor file transfer, condor_tail and other familiar condor tools and mechanisms to work. Without additional configuration, if we let the container run as root, a bad container could do things through the volume mount that show up in the host machine's filesystem. Second, at the time of Docker Universe creation, we weren't 100% convinced that a docker container running as root could escape to the host. There have been a couple of documented escapes, which the docker engineers have quickly patched.

If you trust your containers in your environment, on the worker node, you can set

DOCKER_DROP_ALL_CAPABILITIES = false

and then the containers will be able to run setuid binaries. Try setting this knob, and making your package installer inside your container (yum, apt-get) sudo'able or maybe setuid, and you should be able to install packages from within the container.


-greg
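Since the knob above decides whether a container keeps Linux capabilities, a job can verify from the inside what it actually got before relying on setuid binaries or sudo. The script below is an added example, not HTCondor project code or anything from this thread: it decodes the Cap* masks that the kernel reports in /proc/self/status, using the capability bit numbers from the kernel's capability.h, and reports whether the "drop all capabilities" policy took effect. The two status snippets embedded in it are constructed samples (the default Docker capability set, and a fully dropped one); nothing about the HTCondor configuration itself is read.

```python
"""Decode Linux capability masks as found in /proc/<pid>/status.

Added example (not HTCondor code). Run inside a Docker-universe job to see
which capabilities the container kept, e.g. after DOCKER_DROP_ALL_CAPABILITIES
is changed on the worker node. Capability numbering follows linux/capability.h.
"""
import re
import sys

# Capability bit numbers 0..40 as defined in linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def decode_caps(mask_hex):
    """Turn a hex mask such as '00000000a80425fb' into a list of capability names."""
    mask = int(mask_hex, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table get a numeric placeholder name.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def parse_status(status_text):
    """Extract CapInh/CapPrm/CapEff/CapBnd/CapAmb from /proc/<pid>/status text."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = decode_caps(m.group(2))
    return sets


def all_dropped(status_text):
    """True when both the effective and the bounding set are empty, i.e. the
    container really did drop every capability for this process."""
    sets = parse_status(status_text)
    return sets.get("CapEff") == [] and sets.get("CapBnd") == []


# Constructed sample: a root shell in a default Docker container (14 capabilities).
SAMPLE_DEFAULT = """Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: the same process after every capability was dropped.
SAMPLE_DROPPED = """Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
CapAmb:\t0000000000000000
"""


def report(status_text):
    """Human-readable summary of the capability sets in a status text."""
    lines = []
    for name, caps in sorted(parse_status(status_text).items()):
        lines.append("%s: %s" % (name, ", ".join(caps) if caps else "(none)"))
    lines.append("all capabilities dropped: %s" % all_dropped(status_text))
    return "\n".join(lines)


if __name__ == "__main__":
    # With no argument, inspect the running process (works inside the job container).
    if len(sys.argv) > 1 and sys.argv[1] == "--sample":
        print(report(SAMPLE_DEFAULT))
    else:
        with open("/proc/self/status") as f:
            print(report(f.read()))
```

Run it as the job's executable (or `python3 capcheck.py` from inside the container) to see the effective and bounding sets; `--sample` prints the constructed default-Docker case instead. The bounding set (CapBnd) is the one to watch: an empty CapEff alone can be regained by a setuid binary, but nothing can exceed CapBnd.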
