[HTCondor-users] systemd: drop-ins for Condor job slice?

[Thomas Hartmann <thomas.hartmann@xxxxxxx>]

Hi all,

I had just been playing around a bit with a drop-in unit for the condor 
service and noticed, that the drop-in seems not to be inherited by the 
jobs' slice.

I had added a drop-in to the condor.service unit block some IPs [1]. 
nsenter'ing the condor master looks good.
Laso as a test, I had set up a test unit with a drop-in to block traffic 
like [2], which works and the ping process in the unit could not access 
the blocked IPs.

However, this drop-in does not seem to get propagated to the actual job 
slice. I.e., we set the base cgroup for jobs like [3] and the job 
hierarchy is spawned underneath it (separately from condor.service).
But when I run a test job or condor_ssh into a slot, the IPs are not 
blocked and I am able to reach the IPs denied for the actual condor service.

So, I guess that the drop-in is only evaluated by systemd for starting 
the condor service unit, but as the job slice is realized by condor 
itself, the drop-in additions are not actually inherited, or?

I am not sure, if I would actually be able to use systemd unit semantics 
in some way to influence the job slice?

Cheers,
  Thomas

[1]
> cat condor.service.d/02-condor-network-filters.conf
[Service]
IPAccounting=yes
#IPAddressDeny=DESYIPs
IPAddressDeny=8.8.8.8 8.8.4.4


[2]
> cat ip-deny-ping.service
[Service]
ExecStart=/usr/bin/ping 8.8.4.4
IPAccounting=yes

> cat ip-deny-ping.service.d/01-network-filter.conf
[Service]
# IPAddressDeny=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
IPAddressDeny=8.8.8.8 2001:4860:4860::8888 2001:4860:4860::8844

[3]
condor_config_val BASE_CGROUP
system.slice/condor.slice

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature