Re: [HTCondor-users] Problems with ENCRYPT_EXECUTE_DIRECTORY on Windows
- Date: Fri, 24 Apr 2020 11:23:41 -0500
- From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] Problems with ENCRYPT_EXECUTE_DIRECTORY on Windows
On 4/23/2020 11:56 PM, Hitchen, Greg (IM&T, Kensington WA) wrote:
> I've been having a play with encryption on a small test pool that consists of one Linux Central Manager,
> one Windows 2016 server Submit Node, and one Windows 10 Execute Node. All are running HTCondor 8.8.7 64-bit versions.
> Enabling encryption for communications works OK using:
> SEC_DEFAULT_ENCRYPTION = REQUIRED
> SEC_DEFAULT_CRYPTO_METHODS = 3DES, BLOWFISH
> Enabling encryption of the execute directory using:
> ENCRYPT_EXECUTE_DIRECTORY = True
> produces errors about permission denied to the execute folder.
> To make sure I'm not doing anything dumb I have a couple of questions:
> Should the encrypt execute directory statement be on the submit node, execute node, or both?

You put "encrypt_execute_directory = True" into the configuration on an *execute* node if you want every job that lands
on that node to have its execute directory (i.e. the "job scratch directory") encrypted. The documentation for this knob
from the Manual is copied below (*) - I will update it to make clear it is a knob examined by the execute node to help
the next person reading it... thank you for pointing out the ambiguity. Regardless of whether you do this or not, any
individual job can request an encrypted execute directory by putting "encrypt_execute_directory = True" into the
job submission file.

> Regardless of that I still get permission denied errors. Condor runs as a system service and SYSTEM
> has full access permissions on the execute folder.

Is the execute folder located on a local volume on the execute machine, or is it mounted via a shared fileserver?
Is the execute folder an NTFS filesystem?
What specific version of Windows 10 are we talking about, i.e. Windows 10 Professional, Home, Enterprise? You can run
"winver" at the command prompt to get details.
Any clues (error messages) in the StarterLog for the slot on your Windows 10 execute machine via the following command:
findstr /I encrypt StarterLog*
Meanwhile I will try running a job with an encrypted execute directory on my laptop with Windows 10 Pro Ver 1909....
(*) From the HTCondor Manual
A boolean value that, when True, causes the execute directory for jobs on Linux or Windows platforms to be
encrypted. Defaults to False. Note that even if False, the user can require encryption of the execute directory on a
per-job basis by setting encrypt_execute_directory to True in the job submit description file. Enabling this
functionality requires that the HTCondor service is run as user root on Linux platforms, or as a system service on
Windows platforms. On Linux platforms, the encryption method is ecryptfs, and therefore requires an installation of the
ecryptfs-utils package. On Windows platforms, the encryption method is the EFS (Encrypted File System) feature of NTFS.
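
The checks asked for in the reply above (local volume, NTFS, Windows edition, StarterLog messages) can be gathered in one pass on the execute node. The following PowerShell is an added example, not part of the original message or of HTCondor; it assumes `condor_config_val` is on the PATH, that the `EXECUTE` and `LOG` configuration macros point at the execute and log directories, and that the probe file name is arbitrary.

```powershell
# Added example: pre-flight checks for ENCRYPT_EXECUTE_DIRECTORY on a Windows execute node.
# Assumption: condor_config_val is on PATH; run from an elevated prompt on the execute machine.
$execDir = (& condor_config_val EXECUTE).Trim()
$logDir  = (& condor_config_val LOG).Trim()

# 1. Is EXECUTE on a local NTFS volume? EFS is a feature of NTFS.
if ($execDir.StartsWith('\\')) {
    Write-Warning "EXECUTE is a UNC path ($execDir), not a local volume"
} else {
    $drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($execDir))
    Write-Output ("Volume {0}: type={1}, filesystem={2}" -f $drive.Name, $drive.DriveType, $drive.DriveFormat)
    if ($drive.DriveType -ne 'Fixed' -or $drive.DriveFormat -ne 'NTFS') {
        Write-Warning 'EXECUTE is not on a local NTFS volume'
    }
}

# 2. Windows edition and build (the same information "winver" shows).
#    EFS is not available on Home editions of Windows 10.
$os = Get-CimInstance Win32_OperatingSystem
Write-Output ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)

# 3. Functional EFS probe: create a scratch file in EXECUTE and ask NTFS to encrypt it.
#    This runs as the invoking user, not as SYSTEM, so success here does not prove
#    the HTCondor service account gets the same result.
$probe = Join-Path $execDir ("efs_probe_{0}.tmp" -f [guid]::NewGuid().ToString('N'))
try {
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    [System.IO.File]::Encrypt($probe)
    $isEncrypted = [bool]((Get-Item $probe).Attributes -band [System.IO.FileAttributes]::Encrypted)
    Write-Output ("EFS probe: encrypted attribute set = {0}" -f $isEncrypted)
} catch {
    Write-Warning ("EFS probe failed: {0}" -f $_.Exception.Message)
} finally {
    Remove-Item $probe -ErrorAction SilentlyContinue
}

# 4. Equivalent of "findstr /I encrypt StarterLog*" (Select-String is case-insensitive by default).
Select-String -Path (Join-Path $logDir 'StarterLog*') -Pattern 'encrypt' -ErrorAction SilentlyContinue |
    ForEach-Object { "{0}:{1}: {2}" -f $_.Filename, $_.LineNumber, $_.Line }
```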