Mailing List Archives
Authenticated access
|
|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] "include command : " in configuration files
- Date: Mon, 6 Nov 2017 22:58:57 +0000
- From: John M Knoeller <johnkn@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] "include command : " in configuration files
The problem here is that you should not let just anyone make the cached config files.
You should instead make sure that ONLY a HTCondor daemon creates that cache file, all other config readers should just use the cache file.
The reason for this your config files provide a way to get HTCondor daemons (probably running as root!) to run arbitrary code. This means
that if any of your config files (including the cache files) is writable by non-root then you have created a root exploit.
You should ONLY use cached config files with the following pattern
if $(IsMaster)
include ifexist command into $(LOCAL_DIR)/stuff.config : perl $(LOCAL_DIR)/stuff.pl
else
include ifexist : $(LOCAL_DIR)/stuff.config
endif
You could use $(IsStartd) or $(CondorIsAdmin) instead. These all guarantee that only a daemon running as root
(or Admin on Windows) will create the cache file.
Of course, once you do this it becomes clear why having a timeout on the cache file doesn't do much good. The master
doesn't re-parse the config unless you reconfig or restart it - so a timeout isn't going to do much good unless you have
a cron job reconfig-ing the master regularly - and if you do you might as well have the cron job delete the stuff.config file
just before it reconfigs the master.
-tj
-----Original Message-----
From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf Of Oliver Freyermuth
Sent: Friday, November 3, 2017 2:15 PM
To: htcondor-users <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] "include command : " in configuration files
Dear Michael,
many thanks for your reply!
Am 03.11.2017 um 20:05 schrieb Michael Pelletier:
> Oliver,
>
> It does indeed run every time the config is read, including when condor_submit or condor_config_val are run by any user.
>
> This caused some issues with condor_gpu_discovery in an earlier version which emitted a CUDA error which tripped up the configuration. I don't recall my support ticket number on that, but it should show up in the recent release notes.
>
> The workaround I did is to set up any config-included script to cache the persistent results and display the cached value if it's fresh enough.
This is a very good idea to allow to define the caching period ourselves!
I'll go with a similar solution, then, once the script gets more complicated (as of now, it just does a "stat()" and a "cat" of a file).
Since it appears this is not only affecting me, but also others,
it might be a good idea though (for the long run) to have something like (with maxage 1200 specifying a 20 minute caching):
include ifexist command into $(LOCAL_DIR)/stuff.config maxage 1200 : perl $(LOCAL_DIR)/stuff.pl
in HTCondor (which will do just the same we are right now doing with external workarounds).
Since HTCondor has to check for the existence of the cache-file in any case, this should be very straightforward to implement in the code.
Is this mailing list also the suitable place to collect such ideas / feature requests?
Cheers and many thanks,
Oliver
>
> -Michael Pelletier.
>
>
>
>> -----Original Message-----
>> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
>> Of Oliver Freyermuth
>> Sent: Friday, November 03, 2017 1:05 PM
>> To: htcondor-users <htcondor-users@xxxxxxxxxxx>
>> Subject: [External] [HTCondor-users] "include command : " in configuration
>> files
>>
>> Dear HTCondor experts,
>>
>> I am now using a statement like:
>> include command : /some/shell/script
>> (i.e. without cache) in a configuration file to set a variable which is
>> later used to define SINGULARITY_IMAGE_EXPR, i.e. the images used for
>> jobs.
>> We want these to be updated according to an external file stored on CVMFS,
>> which is edited on a different host, so the "polling" is actually
>> necessary.
>>
>> I am wondering, though, how often "/some/shell/script" is actually called.
>> The documentation only states:
>> "If the into option is not used, the command line will be executed every
>> time the configuration file is referenced. "
>> From this, I would have guessed this happens as often as a daemon is
>> restarted (in this case, the condor_startd).
>>
>> However, it seems that this happens more often - does it happen each time
>> *any* configuration parameter is queried?
>> Is there a regular, minimal refresh interval?
>>
>> Many thanks and all the best,
>> Oliver
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/
>