Hi Greg and Brian,

many thanks for the info - at least it seems to be not completely aloof ;)

Maybe I will find some time later and play around with capabilities - the not "~" might be the easiest way to test one capability after the other for their relevance.

(maybe if I find more time, I should also do the exercise for other services...)

Cheers and thanks,
Thomas

On 23/06/2020 16.07, Brian Lin wrote:
> On the other hand, the role of the CE is well-known so this is something
> we may be able to do for HTCondor-CE.
>
> - Brian
>
> On 6/23/20 8:55 AM, Gregory Thain wrote:
>>
>> Hi Thomas:
>>
>> This is an interesting idea. The minimal set of capabilities required
>> depends on the condor daemon in question. For example, the starter,
>> on the execute side, needs CAP_SYS_ADMIN, to manipulate the cgroups.
>> Unfortunately, CAP_SYS_ADMIN grants a broad array of powers, and once
>> you have it, I'm not sure it makes much sense to limit the other
>> capabilities.
>>
>> Other HTCondor roles require fewer capabilities. I'm not sure how
>> much we'd want to change the systemd configurations based on the
>> HTCondor role of that machine.
>>
>> -greg
>>
>> On 6/23/20 8:06 AM, Thomas Hartmann wrote:
>>> Hi all,
>>>
>>> is it reasonable to try to limit the condor.service (and/or
>>> condor-ce.service) units in their exec capabilities, i.e.,
>>> CapabilityBoundingSet [1]?
>>>
>>> I guess that condor needs a broad set of capabilities to switch users
>>> etc. but maybe dropping some of the network related capabilities?
>>>
>>> Cheers,
>>> Thomas
>>>
>>> [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
>>>
>>> _______________________________________________
>>> HTCondor-users mailing list
>>> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
>>> subject: Unsubscribe
>>> You can also unsubscribe by visiting
>>> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>>>
>>> The archives can be found at:
>>> https://lists.cs.wisc.edu/archive/htcondor-users/
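The "test one capability after the other" approach from the thread, as an added example that is not part of the mailing-list messages or of HTCondor itself: a small bash helper that writes a systemd drop-in using the "~" (remove-from-set) form of CapabilityBoundingSet for a unit, and decodes the CapBnd mask that the restarted daemon reports in /proc/PID/status, so each dropped capability can be confirmed instead of assumed. The DROPIN_ROOT variable, the drop-in file name and the sample masks are my assumptions.

```shell
#!/bin/bash
# Constructed helper (not HTCondor project code): drop capabilities one at a time
# via a systemd drop-in and verify the resulting bounding set of the running daemon.
DROPIN_ROOT="${DROPIN_ROOT:-/etc/systemd/system}"   # point elsewhere for a dry run

# Capability names by bit index, as defined in linux/capability.h (bits 0..40).
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK \
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT \
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL \
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON \
BPF CHECKPOINT_RESTORE"

# write_caps_dropin UNIT CAP...   -> prints the path of the drop-in written.
# "CapabilityBoundingSet=~CAP_A CAP_B" keeps everything except the listed caps,
# which is the form that lets you remove a single capability per test run.
write_caps_dropin() {
  unit="$1"; shift
  dir="$DROPIN_ROOT/$unit.d"
  mkdir -p "$dir"
  printf '[Service]\nCapabilityBoundingSet=~%s\n' "$*" > "$dir/50-capabilities.conf"
  printf '%s\n' "$dir/50-capabilities.conf"
}

# decode_capbnd HEXMASK -> space-separated names of the capabilities still present.
# HEXMASK is the value after "CapBnd:" in /proc/PID/status.
decode_capbnd() {
  mask=$((0x$1)); i=0; out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then out="$out CAP_$name"; fi
    i=$((i + 1))
  done
  printf '%s' "${out# }"
}

# has_cap HEXMASK CAP_NAME -> exit status 0 if the capability is in the mask.
has_cap() {
  case " $(decode_capbnd "$1") " in *" $2 "*) return 0;; esac
  return 1
}

# On a real host (not run here), after `systemctl daemon-reload && systemctl restart condor`:
#   pid=$(systemctl show -p MainPID --value condor)
#   decode_capbnd "$(awk '/^CapBnd:/{print $2}' /proc/$pid/status)"
```

Repeat the drop-in with a different capability, restart, and check that the daemon still works and that decode_capbnd no longer lists it; a capability whose removal breaks the service is one that role genuinely needs.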