Mailing List Archives

Public Access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Windows - Encrypt_Execute_Directory

For SUBMIT_ATTRS there's no log to look at, but for the Schedd transform,  The SchedL should show the transform being loaded shortly after the Schedd is started up

08/16/21 10:20:45.217 (pid:4972) (D_ALWAYS) JOB_TRANSFORM_Encrypt setup as transform rule #1 :
        NAME Encrypt
        SET EncryptExecuteDirectory = true

And it should show the transform being applied when the job is submitted.

08/16/21 10:21:53.560 (pid:4972) (D_ALWAYS) job_transforms for 15893.0: 1 considered, 1 applied (Encrypt)

-tj


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Hitchen, Greg (IM&T, Kensington WA) <Greg.Hitchen@xxxxxxxx>
Sent: Thursday, August 12, 2021 8:57 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Windows - Encrypt_Execute_Directory
 

Thanks John and Todd

 

 

What I had already tried was:

EncryptExecuteDirectory = true

SUBMIT_ATTRS = EncryptExecuteDirectory

on the submit node, which didn’t work.

 

This, suggested by John, also doesn’t seem to work:

EncryptExecuteDirectory = true

SUBMIT_ATTRS = $(SUBMIT_ATTRS) EncryptExecuteDirectory

after a condor_reconfig, or even stopping and starting condor.

 

condor_q -l for the submitted job always shows:

EncryptExecuteDirectory = false

 

This is what condor_config_val -dump -verbose shows:

EncryptExecuteDirectory = True

# at: C:\PROGRA~1\condor/condor_config.local, line 4

# expanded: True

SUBMIT_ATTRS =  EncryptExecuteDirectory

# at: C:\PROGRA~1\condor/condor_config.local, line 5

# expanded:  EncryptExecuteDirectory

 

 

The job transform doesn’t seem to work either:

JOB_TRANFORM_NAMES = $(JOB_TRANFORM_NAMES) Encrypt

JOB_TRANSFORM_Encrypt @=end

     SET EncryptExecuteDirectory = true

     # optionally also force match to nodes that can encrypt.  (not all Linux nodes can encrypt)

     #SET Requirements = ( $(MY.Requirements) ) && TARGET.HasEncryptExecuteDirectory

@end

 

with condor_q -l for the submitted job again showing:

EncryptExecuteDirectory = false

 

condor_config_val -dump -verbose shows:

JOB_TRANFORM_NAMES =  Encrypt

# at: C:\PROGRA~1\condor/condor_config.local, line 5

# expanded:  Encrypt

JOB_TRANSFORM_Encrypt = SET EncryptExecuteDirectory = true

# at: C:\PROGRA~1\condor/condor_config.local, line 10

# expanded: SET EncryptExecuteDirectory = true

 

 

Any suggestions? Is there anything, e.g. logs I can look at? Have I done something dumb?

 

Thanks

 

Cheers

 

Greg

 

 

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Todd Tannenbaum
Sent: Friday, 13 August 2021 2:55 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; John M Knoeller <johnkn@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Windows - Encrypt_Execute_Directory

 

On 8/12/2021 10:32 AM, John M Knoeller wrote:

If you want to force encryption on the submit,  then you would instead add that as a submit transform in the schedd.

 

Add something like this to the configuration of the schedd

 

   JOB_TRANFORM_NAMES = $(JOB_TRANFORM_NAMES) Encrypt

   JOB_TRANSFORM_Encrypt @=end

        SET EncryptExecuteDirectory = true

        # optionally also force match to nodes that can encrypt.  (not all Linux nodes can encrypt)

        SET Requirements = ( $(MY.Requirements) ) && TARGET.HasEncryptExecuteDirectory 

   @end

 

This will override the value of the Job's attribute at submit time.


Hi Greg,

In addition to the above, you may want to consider adding the following line to your config if you want to deny users the ability to edit this attribute after submission:

   # Do not allow users to edit the value of EncryptExecuteDirectory after submission
   # via tools like condor_qedit or chirp.
   IMMUTABLE_JOB_ATTRS = $(IMMUTABLE_JOB_ATTRS) EncryptExecuteDirectory

regards,
Todd