
Re: [HTCondor-users] Problems with ENCRYPT_EXECUTE_DIRECTORY on Windows



On 4/23/2020 11:56 PM, Hitchen, Greg (IM&T, Kensington WA) wrote:
Hi All

I've been having a play with encryption on a small test pool that consists of one Linux Central Manager,
one Windows 2016 server Submit Node, and one Windows 10 Execute Node. All are running HTCondor 8.8.7 64 bit versions.

Enabling encryption for communications works OK using:
SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_DEFAULT_CRYPTO_METHODS = 3DES, BLOWFISH

Enabling encryption of the execute directory using:
ENCRYPT_EXECUTE_DIRECTORY = True
produces errors about permission denied to the execute folder.

To make sure I'm not doing anything dumb I have a couple of questions:

Should the encrypt execute directory statement be on the submit node, execute node, or both?


You put "encrypt_execute_directory = True" into the configuration on an *execute* node if you want every job that lands on that node to have its execute directory (i.e. the "job scratch directory") encrypted. The documentation for this knob from the Manual is copied below (*) - I will update it to make clear it is a knob examined by the execute node to help the next person reading it... thank you for pointing out the ambiguity. Regardless of whether you do this or not, any individual job can request an encrypted execute directory by putting "encrypt_execute_directory = True" into the job submission file.


Regardless of that I still get permission denied errors. Condor runs as a system service and SYSTEM
has full access permissions on the execute folder.


Is the execute folder located on a local volume on the execute machine, or is it mounted via a shared fileserver?

Is the execute folder an NTFS filesystem?

What specific version of Windows 10 are we talking about, i.e. Windows 10 Professional, Home, Enterprise? You can run "winver" at the command prompt to get details.

Any clues (error messages) in the StarterLog for the slot on your Windows 10 execute machine via the following command:

  findstr /I encrypt StarterLog*

?

Meanwhile I will try running a job with an encrypted execute directory on my laptop with Windows 10 Pro Ver 1909....

best regards,
Todd

(*) From the HTCondor Manual

ENCRYPT_EXECUTE_DIRECTORY
A boolean value that, when True, causes the execute directory for jobs on Linux or Windows platforms to be encrypted. Defaults to False. Note that even if False, the user can require encryption of the execute directory on a per-job basis by setting encrypt_execute_directory to True in the job submit description file. Enabling this functionality requires that the HTCondor service is run as user root on Linux platforms, or as a system service on Windows platforms. On Linux platforms, the encryption method is ecryptfs, and therefore requires an installation of the ecryptfs-utils package. On Windows platforms, the encryption method is the EFS (Encrypted File System) feature of NTFS.
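
The questions in the reply above (local volume or share, NTFS or not, Windows edition, service account, starter log messages) can be collected in one pass on the execute node. The following PowerShell is an added example, not part of the original message or of HTCondor itself; it assumes `condor_config_val` is on the PATH, that the HTCondor service is registered under the name `condor`, and it uses a hypothetical throwaway file name for the EFS probe.

```powershell
# Added example (not from the thread): gathers the facts the reply asks for.
# Assumptions: run in an elevated prompt on the execute node, condor_config_val
# is on PATH, and the HTCondor service is registered under the name "condor".
$execute = (condor_config_val EXECUTE | Select-Object -First 1).Trim()
$logDir  = (condor_config_val LOG | Select-Object -First 1).Trim()
"EXECUTE = $execute"

# Local volume or shared fileserver? Is the filesystem NTFS?
if ($execute.StartsWith('\\')) {
    "EXECUTE is a UNC path, so it is not on a local volume"
} else {
    $drive = Split-Path -Qualifier $execute          # e.g. "C:"
    Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'" |
        Select-Object DeviceID, FileSystem,
            @{ n = 'Kind'; e = { if ($_.DriveType -eq 4) { 'network' }
                                 elseif ($_.DriveType -eq 3) { 'local disk' }
                                 else { "DriveType $($_.DriveType)" } } }
}

# Windows edition and build (the same facts "winver" shows).
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber

# Account the service runs as, and what SYSTEM is granted on EXECUTE.
Get-CimInstance Win32_Service -Filter "Name='condor'" |
    Select-Object Name, State, StartName
(Get-Acl -LiteralPath $execute).Access |
    Where-Object { $_.IdentityReference -like '*SYSTEM' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# Probe EFS on that volume with a throwaway file (hypothetical name). This runs
# as the current user, not as SYSTEM, so it only shows whether EFS is usable there.
$probe = Join-Path $execute 'efs-probe.tmp'
try {
    Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
    [System.IO.File]::Encrypt($probe)
    "EFS probe: file encrypted successfully"
} catch {
    "EFS probe failed: $($_.Exception.Message)"
} finally {
    Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
}

# Case-insensitive search of the starter logs, equivalent to findstr /I.
Select-String -Path (Join-Path $logDir 'StarterLog*') -Pattern 'encrypt' |
    Select-Object -Last 20 Filename, LineNumber, Line
```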