Running with glexec
When running with generic pilots, DIRAC offers the possibility to execute the user's payload switching to a different local user identity by means of glexec. This mode avoids possible security concerns arising from payloads from different users executing simultaneously on the same worker node under the same local id.
To activate this mode, the CEType option of the JobAgent has to be set to glexec instead of the default InProcess. The glexecComputingElement module then takes care of the execution. To run in this mode, several conditions must be met on the worker node (WN):
- DIRAC needs to be able to find the glexec executable. It looks sequentially at the following locations: $OSG_GLEXEC_LOCATION, $GLITE_LOCATION/sbin/glexec and any directory in the provided $PATH.
- DIRAC needs to create a secure directory for the execution of the payload under the after-glexec identity. This directory is created inside the working directory given to the pilot to ensure enough disk space is available and also proper clean-up after the execution even in the event of error. To do so, the after-glexec identity has to be able to reach the pilot directory. Pilots will try to grant access permissions if possible.
- Finally, before the actual user's payload is executed, a test glexec execution is attempted.
If all the above checks are OK, DIRAC will use glexec for the execution of the user's payload in the secure directory created above, using the standard DIRAC JobWrapper and Watchdog that are also executed inside glexec.
If local misconfiguration prevents any of the above conditions from being met, DIRAC will either reschedule the payload for a new execution attempt or execute it using the InProcess mechanism, without any identity switch, depending on the value of the DIRAC glexec option RescheduleOnError.
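
The following pre-flight check is an added example, not DIRAC's own code. It walks the lookup order listed above, checks whether another local account can reach the pilot directory, and returns the resulting mode. The function names, the `stop_at` parameter, reading $OSG_GLEXEC_LOCATION as a full executable path, mapping a true RescheduleOnError to "reschedule", and the "other" execute-bit test are assumptions; the test glexec execution is not covered.

```python
import os
import stat

def find_glexec(env):
    """Return the first executable glexec in the documented lookup order, or None."""
    candidates = []
    if env.get("OSG_GLEXEC_LOCATION"):
        # Assumption: this variable holds the full path of the executable.
        candidates.append(env["OSG_GLEXEC_LOCATION"])
    if env.get("GLITE_LOCATION"):
        candidates.append(os.path.join(env["GLITE_LOCATION"], "sbin", "glexec"))
    candidates += [os.path.join(d, "glexec")
                   for d in env.get("PATH", "").split(os.pathsep) if d]
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.X_OK):
            return path
    return None

def blocked_components(directory, stop_at=os.sep):
    """Return directory and its ancestors (up to stop_at) that lack o+x.

    Conservative assumption: the after-glexec account shares no group with the
    pilot account, so only the "other" execute bit lets it traverse a directory.
    """
    blocked, path = [], os.path.abspath(directory)
    while True:
        if not os.stat(path).st_mode & stat.S_IXOTH:
            blocked.append(path)
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            return blocked
        path = parent

def decide(env, pilot_dir, reschedule_on_error, stop_at=os.sep):
    """Return (mode, detail) where mode is 'glexec', 'reschedule' or 'InProcess'."""
    glexec = find_glexec(env)
    if glexec is None:
        problem = "glexec executable not found"
    else:
        blocked = blocked_components(pilot_dir, stop_at)
        problem = "not traversable: " + ", ".join(blocked) if blocked else None
    if problem is None:
        return ("glexec", glexec)
    # InProcess means the payload runs under the pilot's own identity.
    return ("reschedule" if reschedule_on_error else "InProcess", problem)
```

Running `decide(os.environ, os.getcwd(), True)` on a worker node shows which condition fails before any payload is matched.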