Bug #4345

Support for non-privilege separation in v3+

Added by John Weigand over 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Factory
Start date: 07/16/2013
% Done: 0%

Description

In v3+, if non-privilege separation is in effect, the factory fails to submit glideins to the wms collector.

In factory/glideFactoryLib.py method submitGlideins, this is where the failure is occurring:

try:
    #submit_out = condorExe.iexe_cmd('./%s "%s" "%s" "%s" "%s" %i "%s" %s -- %s' % (factoryConfig.submit_fname, entry_name, client_name,
    #x509_proxy_security_class, x509_proxy_identifier,
    #nr_to_submit, glidein_rsl, client_web_str, params_str),
    #                                 child_env=child_env)
    submit_out = condorExe.iexe_cmd("condor_submit -name %s entry_%s/job.condor" % (schedd, entry_name),
                                                   child_env=exe_env)
except condorExe.ExeError,e:
    submit_out=[]
    msg = "condor_submit failed: %s" % str(e)
    log.error(msg)
    raise RuntimeError, msg
except:
    submit_out=[]
    msg = "condor_submit failed: Unknown error: %s" % str(e)
    log.error(msg)
    raise RuntimeError, msg

Note: the 2nd except should be an "except Exception, e", but that is not the problem.

I think it may be the use of "child_env=exe_env" instead of "child_env=child_env"
but don't know why all this changed.

Stacktrace:

[2013-07-10 15:23:49,727] WARNING: condor_submit failed:
Unexpected Error running 'condor_submit -name schedd_glideins2@cms-xen21.fnal.gov entry_ress_ITB_INSTALL_TEST_1/job.condor'. Details: list indices must be integers
['Traceback (most recent call last):\n', '
File "/home/weigand/glidein/glideinwms.master/install/../
../glideinwms/lib/condorExe.py", line 92, in iexe_cmd\n    child_env=child_env)\n', '
File "/home/weigand/glidein/glideinwms.master/install/../
../glideinwms/lib/subprocessSupport.py", line 48, in iexe_cmd\n
child_env[k] = os.environ[k]\n', 'TypeError: list indices must be integers\n']

The code in glideFactoryLib.py has been changed with each update to it and, at the
present, I am unsure as to the intent.

If we are not going to support non-privilege separation in v3+, then we should probably
do some form of validation before the factory is created or re-configured to stop it.
It seems a little late to be failing when glideins are being submitted.

The following is just to document what validation is in the ini installer when privilege
separation is requested. It's a basis ... maybe... or more of a core dump for now.

verified user is root

Condor config has this (not sure it has to):
  QUEUE_SUPER_USERS = root, condor, weigand
Checks I have in the ini installer:
    #--- check for Condor switchboard ---
    if not os.path.isfile(self.switchboard_bin):
      common.logerr("Privilege separation binary (%s) does not exist. Do you have the right version of Condor?" % self.switchboard_bin)
    if os.stat(self.switchboard_bin)[stat.ST_UID] != 0:
      common.logerr("Privilege separation binary (%s) must be owned by root!" % self.switchboard_bin)
    #-- create the config file ---
    common.logit("... creating condor config file: %s" % (self.config_file))
    if not os.path.isdir(os.path.dirname(self.config_file)):
      os.mkdir(os.path.dirname(self.config_file))
    common.write_file("w",0644,self.config_file,self.config_data())
    #-- setuid on switchboard ---
    common.logit("... changing permissions on %s to %s" % (self.switchboard_bin,"04755"))
    os.chmod(self.switchboard_bin,04755)
    #-- create factory directories ---
    #-- factory dirs done in Factory install --
    # self.factory.create_factory_dirs(self.factory.username(),0755)
    self.create_factory_client_dirs('root',0755)

John Weigand
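
The configuration-time validation the description asks for, sketched as an added example (not part of the original report and not GlideinWMS code). The function names, the `non_privsep_supported` flag and the sample stat values are assumptions made for illustration; unlike the installer checks above, it collects every problem instead of logging one at a time and also rejects a group- or world-writable binary.

```python
import os
import stat
from types import SimpleNamespace

ROOT_UID = 0

def stat_problems(st, owner_uid=ROOT_UID):
    """Return the problems found in a switchboard stat result (empty list = OK)."""
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != owner_uid:
        problems.append("owner uid is %d, expected %d" % (st.st_uid, owner_uid))
    if not st.st_mode & stat.S_ISUID:
        problems.append("setuid bit is not set")
    # A setuid-root binary that others can rewrite is a privilege escalation path.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    return problems

def check_switchboard(path, owner_uid=ROOT_UID):
    """Stat the binary and prefix each problem with its path."""
    try:
        st = os.stat(path)
    except OSError as err:
        return ["cannot stat %s: %s" % (path, err.strerror)]
    return ["%s: %s" % (path, p) for p in stat_problems(st, owner_uid)]

def preflight(privsep_requested, switchboard_bin, non_privsep_supported=False):
    """Run when the factory is created or reconfigured, before any submission."""
    if not privsep_requested:
        if non_privsep_supported:
            return []
        return ["non-privilege separation is not supported by this configuration"]
    return check_switchboard(switchboard_bin)

# Constructed stat results: a root-owned 04755 binary and a user-owned 0775 file.
CONSTRUCTED_GOOD = SimpleNamespace(st_mode=stat.S_IFREG | 0o4755, st_uid=0)
CONSTRUCTED_BAD = SimpleNamespace(st_mode=stat.S_IFREG | 0o0775, st_uid=1000)

if __name__ == "__main__":
    for label, st in (("good", CONSTRUCTED_GOOD), ("bad", CONSTRUCTED_BAD)):
        print(label, stat_problems(st) or "OK")
    print(preflight(False, "/constructed/path/to/switchboard"))
```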


Related issues

Is duplicate of GlideinWMS - Bug #4706: Non privilege separation is broken in v3 series (Closed, 09/26/2013)

History

#1 Updated by Parag Mhashilkar over 7 years ago

  • Target version changed from v3_1 to v3_x

#2 Updated by Parag Mhashilkar about 7 years ago

  • Target version changed from v3_x to v3_2

closing duplicates

#3 Updated by Parag Mhashilkar about 7 years ago

  • Status changed from New to Closed
