
Re: [HTCondor-users] limiting Condor & CondorCE systemd exec capabilities?

Hi Thomas:

This is an interesting idea. The minimal set of capabilities required depends on the condor daemon in question. For example, the starter, on the execute side, needs CAP_SYS_ADMIN, to manipulate the cgroups. Unfortunately, CAP_SYS_ADMIN grants a broad array of powers, and once you have it, I'm not sure it makes much sense to limit the other capabilities.

Other HTCondor roles require fewer capabilities. I'm not sure how much we'd want to change the systemd configurations based on the HTCondor role of that machine.


On 6/23/20 8:06 AM, Thomas Hartmann wrote:
Hi all,

is it reasonable to try to limit the condor.service (and/or
condor-ce.service) units in their exec capabilities, i.e.,
CapabilityBoundingSet [1]?

I guess that condor needs a broad set of capabilities to switch users
etc. but maybe dropping some of the network related capabilities?
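For readers who want to see what the restriction under discussion looks like, here is an added example of a systemd drop-in for condor.service on an execute node (not from the thread, and not an HTCondor-supplied file). It keeps CAP_SYS_ADMIN for the cgroup handling the reply mentions and the user-switching capabilities Thomas alludes to; the rest of the list is an assumed starting point to validate on a test node, not a vetted minimum.

```ini
# /etc/systemd/system/condor.service.d/capabilities.conf  (added example)
# Drop-in that narrows the bounding set of condor_master and every daemon
# it forks, including condor_starter. Apply with:
#   systemctl daemon-reload && systemctl restart condor.service
# Verify the unit setting and the running process:
#   systemctl show -p CapabilityBoundingSet condor.service
#   grep CapBnd /proc/$(pidof condor_master)/status
[Service]
# Leading "~" would mean "everything except"; without it this is the
# allow-list. Assumed set: CAP_SYS_ADMIN for cgroups (per the reply),
# CAP_SETUID/CAP_SETGID for switching to the job user, the remaining
# entries for owning, signalling and cleaning up job sandboxes.
# Any capability not listed here is unavailable to all condor daemons,
# so watch the daemon logs for EPERM failures after applying this.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_KILL CAP_SYS_RESOURCE
# Caveat from the reply: CAP_SYS_ADMIN alone is broad enough that the
# practical security gain from trimming the others is limited on an
# execute node; a role that does not need cgroups (no starter) is where
# a much smaller set, without CAP_SYS_ADMIN, is worth testing.
```

Network-related capabilities (for example CAP_NET_ADMIN and CAP_NET_RAW) are simply absent from the list above, which is the "dropping some of the network related capabilities" Thomas asked about.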


