Dear Developers,

many thanks for your work and the new releases. I found [HTCONDOR-2967] intriguing. I had played a bit with systemd IPAddress{Allow,Deny} directives with the ulterior motive of constraining all the Condor hierarchy's network chattering, i.e., blocking Condor daemons as well as job children from reaching infrastructure that is critical but not per se relevant for the LRMS (like infrastructure management instances, some authz infrastructure, ...). As there seemed to be some problems with the systemd release currently in use, I had put my efforts on hold for the moment. But seeing the announcement, I would be curious about your experiences, and whether shaping IPAddress{Allow,Deny} drop-ins for all the Condor units would be the way to go for an admin, or whether an extension of the network control within the job namespaces would be a reasonable idea? I.e., Condor knobs for admins to control which IP ranges daemons or starters are allowed/denied to talk to?

Changes in 24.7.3 include:
- EP administrators can enforce no outbound networking for jobs
Cheers, Thomas