Here we have created special user(s) for Condor to own and run the job.
the policy is one user per CPU, namely condor_user1, condor_user2 and so
on. So, whoever submits the job (and/or mapped to whatever pool user),
when jobs go to execute nodes (WNs), jobs run as one of the
condor_users. Below is the working directory of a ops job. Piotr Nyczyk
mapped to ops004 here:
Notice: 5: "/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217" mapped to ops004 (18004/2788)
LCMAPS 6: 2007-01-26.09:03:53.882750.0000002525.0000003699 : lcmaps_plugin_posix_enf-log_cred(): uid=18004(ops004):pgid=2788(ops)
Notice: 5: Authorized as local user: ops004
and this is what we get on the WN the job is running.
[root@farm002 ops004]# ll /home/ops004
total 16
drwx------ 5 condor_user1 cd677 4096 Jan 26 09:10 globus-tmp.farm002.31375.0
drwx------ 2 condor_user1 cd677 4096 Jan 26 09:10 globus-tmp.farm002.31375.1
drwx------ 2 condor_user1 cd677 4096 Jan 26 09:10 globus-tmp.farm002.31375.2
drwxr-xr-x 10 condor_user1 cd677 4096 Jan 26 09:10 WMS_farm002_031845_https_3a_2f_2frb113.cern.ch_3a9000_2fr8p-iRllZxekprg55_5fECUQ
condor_user1, condor_user2 etc. belong to the group cd677 (which is dedicated to condor_user) and the home directories are group writable.
cheers,
Santanu
On Fri, 2007-01-26 at 06:34 +0000, Gordon, JC (John) wrote:
> So who do the jobs run as? Who will own any files they create? How will
> you keep track for audit purposes?
>
> John
>
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Santanu Das
> Sent: 26 January 2007 00:44
> To: [log in to unmask]
> Subject: pool accounts on WNs
>
> Hi all,
>
> I was doing some experiments with pool accounts and Condor here and I
> ended up seeing that jobs can run pretty well on a WN only with the home
> directory space (e.g. /home/atlas001 etc.) without having the actual
> pool account on the node i.e. in the end, I deleted the pool account,
> keeping only the home directory, and jobs were still fine; at lest for
> atlas jobs, we didn't see any problem.
>
> Frederic (Brochu) I tried with couple of Atlas jobs and all of them
> completed successfully. In fact, last couple of jobs from Steve Lloyd
> finished that way too. (Steve, did you see any problem from your side?)
>
> Dose anybody know any possible side effect(s) of doing this? Or any
> other suggestions/warnings from anybody?
>
> Cheers,
> Santanu
>
>
--
Santanu Das <[log in to unmask]>
HEP, Cavendish Laboratory
|