On Fri, 2007-01-26 at 18:31 +0100, Alessandra Forti wrote:
> Hi Santanu,
>
> What is the advantage of this scheme?

Hi Alessandra,
A lot, at least for us. We are trying to run LCG/gLite jobs on any damn
available Linux boxes, which are *not so dependent* like our WNs. We
have an in-house project, we call it CamGrid, basically based on Condor
and at least 400 CPUs (another 800 dual-core Xeons will be added in a few
weeks' time) are available there. Those machines belong to the
various departments; we (i.e. any other departments) are allowed to use
any of those machines, but without the root access or installing almost
any software, which is not wanted by that particular department. We
started with "Relocatable tarball" installation but got a problem; you
need root access to set up the NFS mounts. But we already have achieved
that using Chirp/Parrot i.e. now we can mount anything
(e.g. /experiment-software area or INSTALL_ROOT area etc.) on any
CamGrid machine without having the root permission. The next thing was
to fix that hell lot of "pool accounts on WN" issue. Therefore, I was
thinking, if jobs can run without the pool accounts, then we can try
mounting the "/home/<pool-account>" area on CamGrid nodes and let's see
what happens. Of course, there are several other things too to think
about in this regard, but we are trying to fix things one by one.
Apart from that, I think, people - those who administrate the sites -
never agreed that putting 1000s of accounts on a WN is pretty charming -
did you ever?
Cheers,
Santanu
>
> cheers
> alessandra
>
> On Fri, 26 Jan 2007, Santanu Das wrote:
>
> > Here we have created special user(s) for Condor to own and run the job.
> > The policy is one user per CPU, namely condor_user1, condor_user2 and so
> > on. So, whoever submits the job (and/or mapped to whatever pool user),
> > when jobs go to execute nodes (WNs), jobs run as one of the
> > condor_users. Below is the working directory of an ops job. Piotr Nyczyk
> > mapped to ops004 here:
> >
> > Notice: 5: "/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217" mapped to ops004 (18004/2788)
> > LCMAPS 6: 2007-01-26.09:03:53.882750.0000002525.0000003699 : lcmaps_plugin_posix_enf-log_cred(): uid=18004(ops004):pgid=2788(ops)
> > Notice: 5: Authorized as local user: ops004
> >
> >
> > And this is what we get on the WN the job is running on.
> >
> > [root@farm002 ops004]# ll /home/ops004
> > total 16
> > drwx------ 5 condor_user1 cd677 4096 Jan 26 09:10 globus-tmp.farm002.31375.0
> > drwx------ 2 condor_user1 cd677 4096 Jan 26 09:10 globus-tmp.farm002.31375.1
> > drwx------ 2 condor_user1 cd677 4096 Jan 26 09:10 globus-tmp.farm002.31375.2
> > drwxr-xr-x 10 condor_user1 cd677 4096 Jan 26 09:10 WMS_farm002_031845_https_3a_2f_2frb113.cern.ch_3a9000_2fr8p-iRllZxekprg55_5fECUQ
> >
> > condor_user1, condor_user2 etc. belong to the group cd677 (which is dedicated to condor_user) and the home directories are group writable.
> >
> > cheers,
> > Santanu
> >
> >
> >
> > On Fri, 2007-01-26 at 06:34 +0000, Gordon, JC (John) wrote:
> > > So who do the jobs run as? Who will own any files they create? How will
> > > you keep track for audit purposes?
> > >
> > > John
> > >
> > > -----Original Message-----
> > > From: Testbed Support for GridPP member institutes
> > > [mailto:[log in to unmask]] On Behalf Of Santanu Das
> > > Sent: 26 January 2007 00:44
> > > To: [log in to unmask]
> > > Subject: pool accounts on WNs
> > >
> > > Hi all,
> > >
> > > I was doing some experiments with pool accounts and Condor here and I
> > > ended up seeing that jobs can run pretty well on a WN only with the home
> > > directory space (e.g. /home/atlas001 etc.) without having the actual
> > > pool account on the node i.e. in the end, I deleted the pool account,
> > > keeping only the home directory, and jobs were still fine; at least for
> > > atlas jobs, we didn't see any problem.
> > >
> > > Frederic (Brochu) I tried with a couple of Atlas jobs and all of them
> > > completed successfully. In fact, the last couple of jobs from Steve Lloyd
> > > finished that way too. (Steve, did you see any problem from your side?)
> > >
> > > Does anybody know of any possible side effect(s) of doing this? Or any
> > > other suggestions/warnings from anybody?
> > >
> > > Cheers,
> > > Santanu
> > >
> > >
> > --
> > Santanu Das <[log in to unmask]>
> > HEP, Cavendish Laboratory
> >
>
> Alessandra Forti
> NorthGrid Technical Coordinator
> University of Manchester
--
Santanu Das <[log in to unmask]>
HEP, Cavendish Laboratory
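
Added example (not part of the original thread and not written by any of its participants): because every file on the WN is owned by a shared condor_userN, ownership alone cannot answer the audit question raised above; the trail has to join the gatekeeper's "mapped to" line to the pool-account home directory on the node. The sketch below does that join, assuming the log and listing formats are exactly as quoted in the thread (listing shortened); the function names are hypothetical.

```python
import re

# Sample input taken from the lines quoted in the thread (listing shortened).
GATEKEEPER_LOG = '''\
Notice: 5: "/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217" mapped to ops004 (18004/2788)
LCMAPS 6: 2007-01-26.09:03:53.882750.0000002525.0000003699 : lcmaps_plugin_posix_enf-log_cred(): uid=18004(ops004):pgid=2788(ops)
Notice: 5: Authorized as local user: ops004
'''
WN_LISTING = '''\
[root@farm002 ops004]# ll /home/ops004
total 16
drwx------ 5 condor_user1 cd677 4096 Jan 26 09:10 globus-tmp.farm002.31375.0
drwxr-xr-x 10 condor_user1 cd677 4096 Jan 26 09:10 WMS_farm002_031845_https_3a_2f_2frb113.cern.ch_3a9000_2fr8p-iRllZxekprg55_5fECUQ
'''

MAPPED = re.compile(r'^Notice: \d+: "(?P<dn>[^"]+)" mapped to (?P<acct>\S+) \((?P<uid>\d+)/(?P<gid>\d+)\)$')
PROMPT = re.compile(r'^\[\S+@(?P<host>\S+) [^\]]*\]# ll /home/(?P<acct>\S+)$')
ENTRY = re.compile(r'^[d-][rwxsStT-]{9}\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)'
                   r'\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(?P<name>.+)$')

def parse_mappings(log):
    """Return {pool_account: {dn, uid, gid}} from the gatekeeper 'mapped to' lines."""
    out = {}
    for line in log.splitlines():
        m = MAPPED.match(line)
        if m:
            out[m['acct']] = {'dn': m['dn'], 'uid': int(m['uid']), 'gid': int(m['gid'])}
    return out

def audit_records(log, listing):
    """Join each job directory on the WN to the DN mapped to its pool account."""
    mappings, host, acct, records = parse_mappings(log), None, None, []
    for line in listing.splitlines():
        p = PROMPT.match(line)
        if p:  # the shell prompt tells us which node and which pool home follow
            host, acct = p['host'], p['acct']
            continue
        e = ENTRY.match(line)
        if e and acct:
            who = mappings.get(acct)  # None: no gatekeeper record, i.e. an audit gap
            records.append({'host': host, 'pool_account': acct, 'job_dir': e['name'],
                            'runs_as': e['owner'], 'group': e['group'],
                            'dn': who['dn'] if who else None})
    return records

if __name__ == '__main__':
    for record in audit_records(GATEKEEPER_LOG, WN_LISTING):
        print(record)
```

A record whose dn is None marks a job directory with no matching gatekeeper entry, which is the case an auditor would want flagged.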