HTCondor Project List Archives



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Condor-devel] first pass at starter-enforced jobs



It's snowing, and I like to program on snowy days.
It's also spring break, so I didn't want to do school stuff.

I took a first pass at having the starter restrict jobs to
known executables. If you set

ALLOWABLE_EXECUTABLE_DIRS = /some/path, /some/other/path

the starter will only run jobs if the basename of what's
specified in ATTR_JOB_CMD matches something found in 
one of the listed directories. 

I wasted a bunch of time trying to figure out why the executable
gets transfered, alas, it's not the starter taking the job ad and
saying "send me these files", but instead it's the shadow saying
"here are the files you're going to get", so we transfer the 
executable only to ignore it in some cases.

I also squash the pre and post scripts for now, since I don't know what
else to do. 

I don't know how this works with the parallel universe. 

I think it would work with Windows, so long as basename() does the
right thing.o

I did it all in jic_shadow. It wouldn't work with a Condor-C
to the local universe of a remote schedd. 

-Erik

Index: jic_shadow.C
===================================================================
RCS file: /p/condor/repository/CONDOR_SRC/src/condor_starter.V6.1/jic_shadow.C,v
retrieving revision 1.1.6.9.4.20
diff -r1.1.6.9.4.20 jic_shadow.C
210a211,215
> 	if( allowableExecutableDirs ) {
> 		free( allowableExecutableDirs );
> 	}
> 	allowableExecutableDirs = param( "ALLOWABLE_EXECUTABLE_DIRS" );  
> 	
978a984,990
> 
> 	if(allowableExecutableDirs) {
> 		// um, for now, if there's an allowable executable directory
> 		// squash any PRE or Post scripts
> 		job_ad->Delete("PreCmd");
> 		job_ad->Delete("PostCmd");
> 	}
1556a1569,1585
> 		if(allowableExecutableDirs) {
> 			xferExec = 0;
> 			sprintf(tmp, "%s=FALSE", ATTR_TRANSFER_EXECUTABLE);	
> 			job_ad->InsertOrUpdate(tmp);
> 			char *localPath = NULL;
> 			localPath = findLocalExecutable();
> 			if(localPath) {
> 				sprintf( tmp, "%s=\"%s\"", ATTR_JOB_CMD,localPath );
> 				job_ad->InsertOrUpdate( tmp );
> 				dprintf(D_FULLDEBUG, "Using %s as the local version of "
> 						"the job\n", localPath);
> 				free(localPath);
> 			} else {
> 				// This is probably not what we want to do 
> 				EXCEPT("Trying to run a job that is not allowed!");
> 			}
> 		}
1678a1708,1742
> 
> char*
> JICShadow::findLocalExecutable() {
> 	StringList directories;
> 	Directory *files;
> 	char *dirpath;
> 	char *actualPath;
> 
> 	actualPath = NULL;
> 	if(allowableExecutableDirs) { 
> 		directories.initializeFromString( allowableExecutableDirs );
> 	} else {
> 		return NULL;
> 	}
> 	directories.rewind();
> 
> 	while( (dirpath = directories.next()) ) {
> 
> 		files = new Directory(dirpath);
> 		if(files == NULL) { 
> 			dprintf(D_ALWAYS, "Cannot open %s while looking for allowed "
> 					"executables\n", dirpath);
> 		} else {
> 			if( files->Find_Named_Entry(basename(orig_job_name)) ) {
> 				// the user wants to execute something we've got
> 				actualPath = strdup(files->GetFullPath());
> 			}
> 			delete files;
> 		}
> 		
> 	}
> 
> 	// last one found wins?	
> 	return actualPath;
> }
Index: jic_shadow.h
===================================================================
RCS file: /p/condor/repository/CONDOR_SRC/src/condor_starter.V6.1/jic_shadow.h,v
retrieving revision 1.1.6.4.4.8
diff -r1.1.6.4.4.8 jic_shadow.h
350a351,357
> 		/**  given an executable name, return the local path
> 			 of the allowed executable
> 			 The caller is responsible for freeing the memory
> 		*/
> 
> 	char* findLocalExecutable(void);
> 
391a399,406
> 
> 		/** A list of directories that contain executables we will
> 			run. If it is specified, we do not transfer an executable
> 			from the submit side. We compare entries in this file to
> 			basename of the executables
> 		*/
> 
> 	char* allowableExecutableDirs;