Skip to content

Running with glexec

graciani edited this page Apr 12, 2013 · 2 revisions

When running with generic pilots, DIRAC offers the possibility to execute the user's payload switching to a different local user identity by means of glexec. This mode avoids possible security concerns arising from payloads from different users executing simultaneously on the same worker node under the same local id.

To activate this mode the CEType option of the JobAgent has to be set to glexec, instead of the default InProcess. In this way the glexecComputingElement module takes care of the execution. To run in this mode several conditions must be met on the worker node (WN):

  • DIRAC needs to be able to find the glexec executable. It looks sequentially at the following locations: $OSG_GLEXEC_LOCATION, $GLITE_LOCATION/sbin/glexec and in any directory in the provided $PATH.
  • DIRAC needs to create a secure directory for the execution of the payload. This is done inside the working directory given to the pilot. This requires a proper user/group mapping by glexec of the payload credentials with respect to the permissions of this directory on the WN.
  • Finally, before the actual user's payload is executed, a test execution is attempted.

If all the above checks are OK, DIRAC will use glexec for the execution of the user's payload in the secure directory created above, using the standard DIRAC JobWrapper and Watchdog that are also executed inside glexec.

In case that due to some local misconfiguration any of the above conditions are not met, DIRAC will either reschedule the payload for a new execution attempt or proceed to its execution using the InProcess mechanism, without any identity switch, depending on the value of the DIRAC glexec option RescheduleOnError.

Clone this wiki locally