[GE users] reserved ports in SGE 6.0

Andy Schwierskott andy.schwierskott at sun.com
Mon Nov 22 10:22:44 GMT 2004


> I noticed that the install scripts for SGE 6.0u1 claim to support the
> '-resport' option, for having SGE require reserved ports.  The
> 'source/security/security.html' file also refers to this option.
> Unfortunately, I couldn't find any reference to it in the install docs,
> and taking a closer look at the install scripts leads me to believe they
> mostly ignore the option.

That's a bug.

> So, did SGE 6.0 drop support for reserved ports?  If so, why?  Is there
> any chance at it coming back?

The reason to drop support for it was the problem that it requires switching
the user to root (from admin user) to get a socket below 1024 with the
rresvport() call.

Since qmaster (and indirectly all clients using commlib) now use multiple
threads and the euid/euid is process global it's not possible to to switch
the user once the threads are initialized after startup without interfering
the functionality of other threads.

> I've looked at the CSP option, however its a bit of extra admin overhead
> and in my environment won't provide any additional security over what
> reserved ports would give.  As such, I'd much rather go with reserved
> ports if possible.

I agree - there an overhead but I think in terms of additional security you
can achieve it should be worth the effort for any site which needs to
address security related challenges.

On our mid-term (hopefully not long term) roadmap we want to have a better
integration with existing security infrastructures (based on LDAP). This
will allow a site to reuse the certificates without the need for setting up
a "shadow" certificate infrastructure which onyl can be uses by Grid Engine.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Andy Schwierskott           Tel: +49 (0)941 3075-200 (x60200)
N1 Grid Engine Engineering  Fax: +49 (0)941 3075-222 (x60222)
Sun Microsystems GmbH
Dr.-Leo-Ritter-Str. 7       mailto:andy.schwierskott at sun.com
D-93049 Regensburg          http://www.sun.com/gridware

To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net

More information about the gridengine-users mailing list