Hi Zoltan,
> Is it possible to disable the fork jobmanager on an lcg-CE or to
> restrict its usage to prevent users running jobs on the CE? I think
> some sites have done this but is there documentation available on
> how to do this?
The following patch to /opt/globus/lib/perl/Globus/GRAM/JobManager/fork.pm
would restrict its use to the grid monitor functionality needed by Condor-G
as used e.g. by the WMS:
-----------------------------------------------------------------------------
--- fork.pm.orig 2010-03-02 16:07:40.000000000 +0100
+++ fork.pm 2010-03-02 16:12:38.000000000 +0100
@@ -201,6 +201,8 @@
close( EXEC );
}
+ return Globus::GRAM::Error::JOBTYPE_NOT_SUPPORTED() unless $is_grid_monitor;
+
if($is_grid_monitor && $ENV{GLOBUS_GMA}) {
push(@cmdline, "$ENV{GLOBUS_LOCATION}/libexec/grid_monitor_lite.sh");
} elsif($description->executable() =~ m:^(/|\.):) {
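Review bot: the added `return ... unless $is_grid_monitor;` makes the whole restriction depend on `$is_grid_monitor`, and the hunk does not show how that flag is set, so it is worth confirming it is derived from something a submitter cannot influence through the job description. The check also sits after the block that ends in `close( EXEC );`, so whatever that block wrote already exists when the request is refused; moving the check ahead of that block would avoid leaving it behind. A log entry on refusal would help admins tell a policy denial from a genuinely unsupported job type, since JOBTYPE_NOT_SUPPORTED alone does not say why.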
-----------------------------------------------------------------------------
WARNING: this is _untested_!
The globus-job-manager-marshal (and globus-gma) would need to be restarted.
If the patch works, /opt/globus/setup/globus/fork.in would need the same fix,
such that YAIM will not wipe it out. We then can consider getting it into
the "official" code, but it would have to be made configurable and more
flexible, e.g. with a configuration file listing the DNs that are allowed
to run other commands on the CE (e.g. for debugging).
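
The configurable variant suggested in the last paragraph could look like the following. This is an added sketch, not part of the original message or of the Globus code: the allowlist file format, the function names and the sample DNs are hypothetical, and how fork.pm would obtain the caller's DN is left outside the sketch.

```perl
#!/usr/bin/perl
# Added illustration: DN allowlist check for a configurable fork.pm restriction.
# File format, function names and sample DNs are hypothetical.
use strict;
use warnings;

# Parse an allowlist: one DN per line, '#' comments and blank lines ignored.
sub load_allowed_dns {
    my ($fh) = @_;
    my %allowed;
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '' || $line =~ /^#/;
        $line =~ s/^"(.*)"$/$1/;    # tolerate quoted DNs
        $allowed{$line} = 1;
    }
    return \%allowed;
}

# Decide whether a fork request may run. Grid monitor requests always pass;
# anything else needs an exact DN match. Substring or regex matching is
# avoided on purpose, so a longer DN never passes for a listed shorter one.
sub fork_allowed {
    my ($allowed, $is_grid_monitor, $dn) = @_;
    return 1 if $is_grid_monitor;
    return 0 unless defined $dn && $dn ne '';
    return exists $allowed->{$dn} ? 1 : 0;
}

# Constructed sample configuration and requests.
my $config = <<'EOF';
# DNs allowed to run other commands through the fork jobmanager
"/DC=org/DC=example/OU=People/CN=Alice Admin"
/DC=org/DC=example/OU=People/CN=Bob Debug
EOF

open(my $fh, '<', \$config) or die "cannot read sample config: $!";
my $allowed = load_allowed_dns($fh);
close($fh);

for my $case (
    [1, undef],                                                   # grid monitor
    [0, '/DC=org/DC=example/OU=People/CN=Alice Admin'],           # listed DN
    [0, '/DC=org/DC=example/OU=People/CN=Alice Admin/CN=extra'],  # not an exact match
    [0, undef],                                                   # no DN available
) {
    my ($gm, $dn) = @$case;
    printf "%-58s grid_monitor=%d -> %s\n", $dn // '(no DN)', $gm,
        fork_allowed($allowed, $gm, $dn) ? 'allow' : 'JOBTYPE_NOT_SUPPORTED';
}
```

The default is deny: a request with no DN, or with a DN that is not listed exactly, gets the same refusal as in the patch above.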