Mailing List Archives Authenticated access	UW Madison Computer Sciences Department Computer Systems Lab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HTCondor-users] feasibility of Condor job slice with systemd IP ruleset applied?

Date: Wed, 28 May 2025 12:23:40 +0200
From: Thomas Hartmann <thomas.hartmann@xxxxxxx>
Subject: [HTCondor-users] feasibility of Condor job slice with systemd IP ruleset applied?

Hi all,

I would like to constrain jobs wrt IPs, i.e., deny jobs access tocertain IPs but which are necessary for the EP system as such (e.g.,infrastructure servers).

For systemd units, I can apply such rule sets with the `IPAddressDeny`directive. For example with "IPAddressDeny=8.8.8.8 8.8.4.4" by a drop-into the condor.service, the condor master would not be able to reachthese Google DNS IPs.However, these rule sets are not applied to the Condor job slice asCondor is creating a dedicated slice next to the systemd service slices(based on BASE_CGROUP).

As I do not dare to fiddle around myself with nftables or so, I wouldlike to use systemd as toolkit for also constraining the Condor jobslice wrt network rules.

In principle, one could move the job slice under the service slice withsomething like `BASE_CGROUP=condor.service/condorjob.slice` - however,this would mix service and jobs, which might be a tad shabby.

As an alternative idea, one might define a pseudo systemd service [1]just to use it as an "interface" and put the job slice beneath it with`BASE_CGROUP=pseudocondor.service/condorjob.slice`.

Maybe somebody has attempted something in such a direction and hasexperiences with it?

I would assume, that cgroup resource constraints etc. follow thehierarchy in the file system and are properly(?) bequeathed downwards.But as the network constraints are not pseudo-fs based(??) like cgroups,I am unsure if systemd would actually apply such network rules to a newset of PIDs, that appear under one of its service slices??

Alternatively, maybe someone knows a tool, that could "easily" applynetwork rules to a tree of PIDs out of band of Condor or systemd?


Cheers and thanks for ideas,
  Thomas



[1]
[root@naf-htc-preprod-batch001 system]# systemctl cat pseudocondor.service
[Unit]
#After=sshd.service

[Service]
ExecStart=/usr/bin/tail -f /dev/null
Delegate=yes
Restart=no
RemainAfterExit=yes
StandardOutput=null
StandardErr=null

CPUAccounting=true
MemoryAccounting=true
IPAccounting=yes
IPAddressDeny=8.8.8.8 8.8.4.4

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Prev by Date: Re: [HTCondor-users] condor_chirp throwing error from interactive jobs
Next by Date: Re: [HTCondor-users] condor_chirp throwing error from interactive jobs
Previous by thread: [HTCondor-users] failing to start job does not get held
Next by thread: [HTCondor-users] HTC25 Starting Next Week - Registration for Remote Attendance Open
Index(es):
- Date
- Thread

Mailing List Archives

Authenticated access

[HTCondor-users] feasibility of Condor job slice with systemd IP ruleset applied?