Non-privilege separation broke in v3+. Continue to support it?
While testing the v3+ (master branch 5/15/12), I discovered that
the a non-privilege separation scenario was broken.
There appears to be some question as to the continued support
of a non-privilege separation use case in V3+. Before attempting
to resolve this problem, it would be helpful to know we are
continuing support for it.
If we are not, then we should modify those sections of the code to
prohibit its use.
If we are to continue support, the remainder of this issue
identifies where the error is occurring as best I can tell.
The changes that appear to be causing the problem appear to have been
introduced on 7/14/2011 with commit 670ee234a. It is these arguments
that are causing the problem with a non-privsep use case in the
submitGlideins method of glideFactoryLib.py
exe_env.append('GLIDEIN_RSL=%s' % glidein_rsl)
glidein_arguments += " -cluster $(Cluster) -subcluster $(Process)"
.. the above are added in the get_submit_environment method of the same
For privilege separation, the glidein submit is done via the condor
switchboard and all is well.
For non-privilege separation, the glidein submit is done via..
- the setting of a set of environmental variables for which the
GLIDEIN_RSL has quoting problems when set to
- then the execution of condor_submit using a set of arguments
These 2 arguments are causing shell errors:
-cluster $(Cluster) -subcluster $(Process)
#1 Updated by John Weigand over 8 years ago
- Assignee set to Anthony Tiradani
Based on the glideinWMS meeting on 6/4 and feedback from Dennis,
this is still needed.
Assigned it to Tony because he basically made all the changes.
I just tested it in both privsep and non-privsep modes to validate.
It is working fine.
#2 Updated by Anthony Tiradani over 8 years ago
- Status changed from New to Feedback
Commits that address this issue:
The changes are:
1) a couple of pylint error fixes
2) some added logging used for debugging that made sense to keep
3) escaping characters that cause problems on the command line (non-privsep)
4) getting useful error messages back from condor_root_switchboard
Change #4 doesn't fix the issue but was necessary for testing the privsep case to ensure that we didn't break it with our changes.