[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] ShadowLog not accessible for Shadows, jobs not starting/not ending up in the right slot for their Shadow

Hey Thomas,

Check to see if someone changed the permissions of /var/log/condor to root:root instead of condor:condor. The ShadowLog is created and written as condor:condor, so if some overzealous security remediation script locked down /var/log/condor, that'd prevent it from being created, and if it changed the ownership of the ShadowLog file to root:root, it would prevent access to it.

On systems where I have this problem due to a strict and militant interpretation of security configuration standards for /var/log, or where the audit subsystem records a failure warning every time a user-owned shadow (run_as_owner=True) attempts to write to it and causes a raft of spurious audit fail events, I change the SHADOW_LOG configuration to point to /dev/shm/ShadowLog instead, or just discard it.

Michael V. Pelletier
Information Technology
Digital Transformation & Innovation
Integrated Defense Systems
Raytheon Company