> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
>
> Testbed Support for GridPP member institutes
> > [mailto:[log in to unmask]] On Behalf Of Ewan MacMahon said:
> > there are other possibilities for preventing the potential
> > proxy pinching problem.
>
> Like what?
>
We had a Southgrid meeting yesterday and were discussing Cambridge's
Condor system. As it stands it runs jobs using a user account per
job slot, not per person, so even now any two jobs that run on a
single worker node run as different accounts and would be unable to
see each other's proxies (even if they were actually submitted by the
same person using an ordinary non-pilot route).
That works now, but we've also had somewhat more speculative discussions
about running jobs in some sort of per-job sandbox using VMs, containers
or polyinstantiated namespaces. I don't think anyone's seriously doing
that yet, but it's as well to avoid assumptions getting embedded
anywhere
uncomfortable.
Ewan
|