Re: [Condor-devel] CONDOR_IDS or bust!

[Erik Paulson <epaulson@xxxxxxxxxxx>]

On Wed, May 09, 2012 at 01:10:50PM -0400, Tim St Clair wrote:
> > 
> > Timothy St. Clair <tstclair@xxxxxxxxxx> wrote:
> > > Please don't!! this would be a PITA for development purposes.
> > > Right now I have several versions of condor which I control
> > > under my user account with only root controlling the main
> > > install.  This segregation it nice for development.
> > 
> > If this is a subtle enough misconfiguration that it bit us, it
> > seems worth guarding our users against it, even if the cost is
> > making development harder.
> 
> -1 
> 
> Q: How could users run a personal sandboxed condor then? (which many users do)
> A: They couldn't 
> 
> so again, please don't remove it. 
> 

I'm confused how you use it - If you start a personal condor
with something other than root, then CONDOR_IDS is largely
(entirely?) irrelevant.

If you're starting multiple "personal" condors as root, and hoping to
use CONDOR_IDS as your sandboxing technique, then I don't think it's
as much of a sandbox as you think it is. There are cases where Condor
will flip back to use root if it tries to take an action and it fails,
and I could imagine two "sandboxed" Condors escaping.

I'm not sure what I'm missing here? Certainly no one is proposing that 
Condor must always be started with root - only that if it is started 
without root, but you set CONDOR_IDS, assume that you made a mistake
and abort instead of proceeding silently. Personal Condors would not 
be affected. 

-Erik