Dear colleagues,
we have identified a problem in the way the latest YAIM
configures the ownership of the VO software area.
First, for the time being, sites are advised to keep using
their _existing_ users.conf and groups.conf on the _VOBOX_.
This means that on the VOBOX "sgm" users will remain mapped
to their original static accounts, so that all sgm users in
a VO can manage the VO services running on the VOBOX.
Unfortunately YAIM's config_sw_dir function changes the
ownership of the software area to the first sgm pool account
found for the VO. This means that the original sgm account
can no longer write in that area, since it does not belong
to the new group for sgm accounts.
We advise sites to override the config_sw_dir function by
creating $GLITE_LOCATION/yaim/functions/local/config_sw_dir
with these contents:
------------------------------------------------------------
# Local override: a no-op, so YAIM no longer changes the
# ownership of the VO software area.
function config_sw_dir () {
    return 0
}
------------------------------------------------------------
We also advise ensuring the software area for a VO remains
owned by the original static sgm account for that VO, while
at the same time making it group-writable for the new group
of sgm accounts (so that software may be installed by jobs
running on WNs).
For example, suppose the ALICE software area is under
/opt/exp_soft/alice, its original owner was the static
"alicesgm" account, and the new UNIX group for the sgm pool
accounts for ALICE is called "alicesgm" as well.
Then the site admin should run the following commands once:
------------------------------------------------------------
chown -R alicesgm:alicesgm /opt/exp_soft/alice
chmod -R 775 /opt/exp_soft/alice
------------------------------------------------------------
At the moment YAIM calls config_sw_dir for every VOBOX
(which a site may not have) and, what is worse, for every WN.
We are thinking about how to ensure that the function will
be called exactly once. For the moment the site admin has
to run the necessary commands explicitly.
Thanks,
Maarten
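
An added example, not part of the original message or of YAIM: a shell audit that checks whether a software area still matches the layout advised above (owned by the static sgm account, in the sgm pool group, group-writable, mode 775 so no world-write bit). The function names audit_sw_area and sw_area_ok are hypothetical.

```shell
#!/bin/sh
# Added example (not YAIM code). Function names are hypothetical.
# Typical call with the values from the ALICE example in the message:
#   audit_sw_area /opt/exp_soft/alice alicesgm alicesgm

# audit_sw_area DIR OWNER GROUP
# Prints every entry under DIR that deviates from the advised layout:
#   - not owned by OWNER (the original static sgm account)
#   - not in GROUP (the group of the sgm pool accounts)
#   - not group-writable (pool accounts could not install software)
#   - world-writable (mode 775 carries no world-write bit)
# OWNER and GROUP may be names or numeric ids.
# Returns 2 if DIR is not a directory, 0 otherwise.
audit_sw_area() {
    if [ ! -d "$1" ]; then
        echo "audit_sw_area: $1 is not a directory" >&2
        return 2
    fi
    # Symbolic links are skipped: their own mode bits carry no meaning.
    find "$1" ! -type l \( \
        ! -user "$2" -o \
        ! -group "$3" -o \
        ! -perm -020 -o \
        -perm -002 \
    \) -print
}

# sw_area_ok DIR OWNER GROUP
# Returns 0 when no entry deviates, 1 when at least one does,
# 2 when DIR is not a directory.
sw_area_ok() {
    deviations=$(audit_sw_area "$1" "$2" "$3") || return 2
    [ -z "$deviations" ]
}
```

Running sw_area_ok after each YAIM reconfiguration shows whether config_sw_dir (or anything else) has altered the ownership or mode of the area.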