
Re: [Condor-users] Restrict pool to a single submit machine



On Aug 21, 2006, at 12:02 PM, Pascal Jermini wrote:

I would like to know if it is possible to have only one submit machine per Condor pool. In other words, what we want to do is to avoid having rogue submit machines in our pool, since we would like to have all our users log into our single submit machine for accounting purposes.

Six months ago someone suggested (https://lists.cs.wisc.edu/archive/condor-users/2006-February/msg00270.shtml) to put a restriction in the START expressions, in order to restrict the execution of jobs coming from a known schedd (by the way, I guess that with the new support of regexps it becomes trivial to perform the proposed check...).
We are not sure if this method is reliable enough to avoid rogue submit machines, as the job classad can easily be altered in order to make it look like the job comes from a legitimate submit host...

You use the hostallow_write config parameter and/or X509 or Kerberos to restrict which machines can join the pool. If you restrict hostallow_write on the execute machines to only include the central manager and submit machine, then the execute machines won't talk to any rogue submit machines.

+--------------------------------+-----------------------------------+
|           Jaime Frey           | I used to be a heavy gambler.     |
|       jfrey@xxxxxxxxxxx        | But now I just make mental bets.  |
| http://www.cs.wisc.edu/~jfrey/ | That's how I lost my mind.        |
+--------------------------------+-----------------------------------+
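
An added example, not part of the original thread: a small audit that checks whether an execute machine's HOSTALLOW_WRITE list contains anything besides the central manager and the single submit machine, as the reply recommends. The hostnames, the `SUBMIT_HOST` macro and the sample config are constructed, and the parser assumes only the basic config syntax (`NAME = value`, `#` comments, backslash continuation, `$(NAME)` references, last definition wins).

```python
import re

# Constructed sample of an execute machine's config; hostnames are placeholders
# and SUBMIT_HOST is a user-defined macro made up for this example.
SAMPLE_CONFIG = r"""
CONDOR_HOST = cm.example.org
SUBMIT_HOST = submit.example.org
# leftover broad setting, overridden by the later definition
HOSTALLOW_WRITE = *.example.org
hostallow_write = $(CONDOR_HOST), \
                  $(SUBMIT_HOST), lab-pc*.example.org
"""

def parse_config(text):
    """Parse `NAME = value` lines; names are case-insensitive, last definition wins."""
    macros = {}
    joined = re.sub(r"\\\s*\n", " ", text)  # fold backslash continuations
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        macros[name.strip().upper()] = value.strip()
    return macros

def expand(value, macros, depth=0):
    """Substitute $(NAME) references, with a depth limit against cycles."""
    if depth > 10:
        raise ValueError("macro expansion too deep")
    def lookup(match):
        name = match.group(1).strip().upper()
        return expand(macros.get(name, ""), macros, depth + 1)
    return re.sub(r"\$\(([^)]+)\)", lookup, value)

def audit_hostallow_write(text, allowed_hosts):
    """Return HOSTALLOW_WRITE entries that are not exactly one of allowed_hosts."""
    macros = parse_config(text)
    raw = macros.get("HOSTALLOW_WRITE")
    if raw is None:
        return ["<HOSTALLOW_WRITE not set>"]
    entries = [e.strip().lower() for e in expand(raw, macros).split(",") if e.strip()]
    allowed = {h.lower() for h in allowed_hosts}
    # Wildcard entries never match an exact allowed name, so they are always reported.
    return [e for e in entries if e not in allowed]

if __name__ == "__main__":
    print(audit_hostallow_write(SAMPLE_CONFIG, ["cm.example.org", "submit.example.org"]))
```

Any entry the audit returns is a host or pattern that the execute machine would accept write-level connections from in addition to the two intended machines.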