
Re: [HTCondor-users] HTCondor 23.0.24, 23.10.24, 24.0.7, and 24.7.3 Released



Hi Greg,

Yes, my intention was less from the performance and more from the security perspective. E.g., I had played around with the IPAccessDeny knob in systemd to feed in a number of IPs and subnet ranges that the jobs definitely would not need to reach (like the infrastructure management or internal authz endpoints). A somewhat generic drop-in (that could be reused for other services beyond Condor) might be more flexible for us, but on the other hand maybe a Condor knob for the same might be useful on the broader scale for the community?

As for IPAccounting, it might be useful to us as we have some upcoming cases where some external jobs will access our storage, and detailed information about their I/O could be interesting (however, the problem here is that these are matryoshka Condor jobs within another LRMS, so they might not have their own explicit systemd slices to play around with...)

Cheers,
  Thomas

Hi Thomas:

Interesting ideas -- the use case we had in mind here was glidein, where an administrator is willing to let a glided-in condor use the network to fetch the job, report status, etc., but they don't want the job to use any of the bandwidth. Perhaps the bandwidth at the site is very limited. I suspect setting a deny list might be better security, but harder to maintain over time?

-greg
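
An added example, not part of either message and not HTCondor code: a small generator for the generic deny-list drop-in discussed above, so the list is kept in one place and the drop-in is re-rendered when it changes. It uses systemd's `IPAddressDeny=` and `IPAccounting=` directives; the unit name `condor.service`, the drop-in file name, and all addresses are assumptions constructed for illustration.

```python
"""Render a reusable systemd drop-in that blocks a unit's processes from given subnets."""
import ipaddress

# Constructed sample deny list (documentation/private ranges, not real endpoints).
CONSTRUCTED_DENY = ["10.20.0.0/25", "10.20.0.128/25", "192.0.2.10", "2001:db8:aa::/48"]


def render_dropin(deny, accounting=True):
    """Return drop-in text for a list of IPv4/IPv6 addresses or CIDR ranges.

    strict=True rejects entries with host bits set (e.g. 10.0.0.5/24), which
    are usually typos and would otherwise silently widen the blocked range.
    """
    nets = [ipaddress.ip_network(item.strip(), strict=True) for item in deny]
    for net in nets:
        # A catch-all entry would also cut off the daemons running in the unit,
        # because the filter applies to every process in the unit's cgroup.
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all deny entry: {net}")

    merged = []
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        # Merge adjacent and overlapping ranges so the drop-in stays short.
        merged.extend(ipaddress.collapse_addresses(same_family))

    lines = ["[Service]"]
    if accounting:
        # Per-unit byte/packet counters for the I/O accounting use case.
        lines.append("IPAccounting=yes")
    # Repeated IPAddressDeny= lines are combined by systemd into one list.
    lines += [f"IPAddressDeny={net}" for net in merged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed target: /etc/systemd/system/condor.service.d/10-ip-deny.conf
    # Apply with `systemctl daemon-reload` and a restart of the unit.
    print(render_dropin(CONSTRUCTED_DENY), end="")
```

In systemd an `IPAddressAllow=` match takes precedence over `IPAddressDeny=`, so an allow entry elsewhere in the unit or its parent slice can reopen a denied range. The deny list must not include addresses the daemons in the same unit need to reach.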
