Re: [HTCondor-users] ShadowLog not accessible for Shadows, jobs not starting/not ending up in the right slot for their Shadow
- Date: Tue, 04 Feb 2020 16:39:58 +0000
- From: Michael Pelletier <michael.v.pelletier@xxxxxxxxxxxx>
- Subject: Re: [HTCondor-users] ShadowLog not accessible for Shadows, jobs not starting/not ending up in the right slot for their Shadow
Check to see if someone changed the permissions of /var/log/condor to root:root instead of condor:condor. The ShadowLog is created and written as condor:condor, so if some overzealous security remediation script locked down /var/log/condor, that'd prevent it from being created, and if it changed the ownership of the ShadowLog file to root:root, it would prevent access to it.
On systems where I have this problem due to a strict and militant interpretation of security configuration standards for /var/log, or where the audit subsystem records a failure warning every time a user-owned shadow (run_as_owner=True) attempts to write to it and causes a raft of spurious audit fail events, I change the SHADOW_LOG configuration to point to /dev/shm/ShadowLog instead, or just discard it.
Michael V. Pelletier
Digital Transformation & Innovation
Integrated Defense Systems
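Added example, not part of the original message or of HTCondor: a shell check for the two ownership failures described above, a log directory that is no longer condor:condor (the log cannot be created) and a ShadowLog file whose owner was changed (the log cannot be opened). It assumes GNU stat on Linux; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: ownership check for the HTCondor log directory and ShadowLog.
# Assumes GNU stat (Linux). Function names are hypothetical.

# Print "user:group" for a path, or return 1 if it does not exist.
owner_of() {
    [ -e "$1" ] || return 1
    stat -c '%U:%G' "$1"
}

# diagnose_shadowlog DIR FILE EXPECTED
# Return codes:
#   0  directory and (if present) log file are owned by EXPECTED
#   1  directory missing
#   2  directory owned by someone else: the log cannot be created
#   3  log file owned by someone else: the log cannot be opened
diagnose_shadowlog() {
    dir=$1 file=$2 expected=$3

    dir_owner=$(owner_of "$dir") || { echo "MISSING  $dir"; return 1; }
    if [ "$dir_owner" != "$expected" ]; then
        echo "BAD DIR  $dir is $dir_owner, expected $expected"
        return 2
    fi

    # A missing file is fine: it is created on first write if the dir is right.
    if file_owner=$(owner_of "$file"); then
        if [ "$file_owner" != "$expected" ]; then
            echo "BAD FILE $file is $file_owner, expected $expected"
            return 3
        fi
    fi
    echo "OK       $dir ($expected)"
    return 0
}

# Run against the paths from the message when called with "check".
if [ "${1:-}" = "check" ]; then
    diagnose_shadowlog /var/log/condor /var/log/condor/ShadowLog condor:condor
fi
```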