Mailing List ArchivesAuthenticated access |
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif){kind=logo}
|
Mailing List ArchivesAuthenticated access |
|
Hi Thomas:
This is an interesting idea. The minimal set of capabilities required depends on the condor daemon in question. For example, the starter, on the execute side, needs CAP_SYS_ADMIN, to manipulate the cgroups. Unfortunately, CAP_SYS_ADMIN grants a broad array of powers, and once you have it, I'm not sure it makes much sense to limit the other capabilities.
Other HTCondor roles requires fewer capabilities. I'm not sure how much we'd want to change the systemd configurations based on the HTCondor role of that machine.
-greg
Hi all, is it reasonable to try to limit the condor.service (and/or condor-ce.service) units in their exec capabilities, i.e, CapabilityBoundingSet [1]? ð I guess that condor needs a broad set of capabilities to switch users etc. but maybe dropping some of the network related capabilities? Cheers, Thomas [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
_______________________________________________ HTCondor-users mailing list To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a subject: Unsubscribe You can also unsubscribe by visiting https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users The archives can be found at: https://lists.cs.wisc.edu/archive/htcondor-users/