
[HTCondor-users] feasibility of Condor job slice with systemd IP ruleset applied?



Hi all,

I would like to constrain jobs wrt IPs, i.e., deny jobs access to certain IPs but which are necessary for the EP system as such (e.g., infrastructure servers).

For systemd units, I can apply such rule sets with the `IPAddressDeny` directive. For example with "IPAddressDeny=8.8.8.8 8.8.4.4" by a drop-in to the condor.service, the condor master would not be able to reach these Google DNS IPs. However, these rule sets are not applied to the Condor job slice as Condor is creating a dedicated slice next to the systemd service slices (based on BASE_CGROUP).

As I do not dare to fiddle around myself with nftables or so, I would like to use systemd as toolkit for also constraining the Condor job slice wrt network rules.

In principle, one could move the job slice under the service slice with something like `BASE_CGROUP=condor.service/condorjob.slice` - however, this would mix service and jobs, which might be a tad shabby.

As an alternative idea, one might define a pseudo systemd service [1] just to use it as an "interface" and put the job slice beneath it with `BASE_CGROUP=pseudocondor.service/condorjob.slice`.

Maybe somebody has attempted something in such a direction and has experiences with it?

I would assume that cgroup resource constraints etc. follow the hierarchy in the file system and are properly(?) bequeathed downwards. But as the network constraints are not pseudo-fs based(??) like cgroups, I am unsure if systemd would actually apply such network rules to a new set of PIDs that appear under one of its service slices??

Alternatively, maybe someone knows a tool that could "easily" apply network rules to a tree of PIDs out of band of Condor or systemd?

Cheers and thanks for ideas,
  Thomas



[1]
[root@naf-htc-preprod-batch001 system]# systemctl cat pseudocondor.service
[Unit]
#After=sshd.service

[Service]
ExecStart=/usr/bin/tail -f /dev/null
Delegate=yes
Restart=no
RemainAfterExit=yes
StandardOutput=null
StandardError=null

CPUAccounting=true
MemoryAccounting=true
IPAccounting=yes
IPAddressDeny=8.8.8.8 8.8.4.4
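As an added helper (example code, not part of Thomas's mail or of HTCondor), the script below stages an `IPAddressDeny` drop-in for a unit and then checks whether a cgroup path such as the one BASE_CGROUP points at lies below that unit's cgroup, and which BPF filter programs are attached there. Unit names, IPs and cgroup paths are assumed values; only the live report needs `systemctl` and `bpftool`, the other functions are pure shell.

```sh
#!/bin/sh
# Added example: stage an IPAddressDeny drop-in and inspect cgroup placement.
# Assumes cgroup v2 mounted at /sys/fs/cgroup; unit names and IPs are made up.
set -eu

# Render drop-in text for UNIT that denies the given IPs (pure, no side effects).
render_ip_deny_dropin() {
    unit=$1; shift
    printf '# drop-in for %s\n[Service]\nIPAccounting=yes\nIPAddressDeny=%s\n' "$unit" "$*"
}

# Write the drop-in below ROOT (use / for the live system, a temp dir to stage).
install_ip_deny_dropin() {
    root=$1; unit=$2; shift 2
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    render_ip_deny_dropin "$unit" "$@" > "$dir/50-ipdeny.conf"
    printf '%s\n' "$dir/50-ipdeny.conf"
}

# True when cgroup path CHILD equals or lies below PARENT (trailing '/' ignored).
cgroup_is_below() {
    child=${1%/}; parent=${2%/}
    case "$child" in
        "$parent"|"$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# systemd implements IPAddressDeny as cgroup_skb ingress/egress BPF programs;
# list what is attached at a cgroup path (needs bpftool and root, assumed).
ip_filter_programs() {
    bpftool cgroup list "/sys/fs/cgroup/$1" 2>/dev/null | grep -E 'ingress|egress' || true
}

# Live report: is BASE_CGROUP below UNIT's cgroup, and what filters sit on it?
report() {
    unit=$1; base_cgroup=$2
    unit_cg=$(systemctl show -p ControlGroup --value "$unit")
    if cgroup_is_below "$base_cgroup" "$unit_cg"; then
        echo "$base_cgroup is below $unit ($unit_cg)"
    else
        echo "$base_cgroup is NOT below $unit ($unit_cg)"
    fi
    ip_filter_programs "$base_cgroup"
}
```

Run e.g. `report pseudocondor.service /system.slice/pseudocondor.service/condorjob.slice` on the EP; an empty program list on the job cgroup means no systemd IP filter applies there.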
