[GE users] Setup with CSP differs from docs(?)

Joshua Baker-LePain jlb at salilab.org
Thu Nov 1 00:00:52 GMT 2007


In its current configuration, our cluster uses standard SGE (no CSP) with 
a single submit host.  I'm looking into implementing CSP in order to allow 
hosts outside the immediate cluster to submit jobs in a vaguely secure 
manner.

It seems like I've got things working (I'm testing with 6.1u2), but it 
*also* seems like the Installation Guide is overly broad in some places 
and flat wrong in others.  I'm wondering if something in my setup will 
come back to bite me.  Places where my setup differs from the docs seem to 
be:

1) In Chapter 4, step 6 of "How to Install a CSP-Secured System" says
    that if you do not want to put the CSP security information on the
    shared filesystem (i.e., under $SGE_ROOT), then you must tar up all of
    /var/sgeCA/sge_qmaster/$CELL/private,
    /var/sgeCA/sge_qmaster/$CELL/userkeys/root, and
    /var/sgeCA/sge_qmaster/$CELL/userkeys/$SGEUSER
    and transfer that to all exec hosts.  In my mind, I'd like to limit
    the dissemination of /var/sgeCA/sge_qmaster/$CELL/private as much as
    possible.  Through experimentation, it seems that the only file from
    that directory that's necessary for sgeexecd to successfully start and
    accept jobs is key.pem.  Is this a true statement?

2) Also in Chapter 4, step 4 of "How to Generate Certificates and Private
    Keys for Users" says that each user must run
    $SGE_ROOT/util/sgeCA/sge_ca -copy
    to copy their keys into their ~/.sge directory.  There are several
    issues with this:
    a) On the master host, the command errors out with
       Error: Can not find local userkey directory.
    b) But this is OK, because qstat and qsub work anyway.
    c) On a submit host, the command errors out with
       Error: You can install your private key and certificate only on the
       master host.
    d) But copying /var/sgeCA/sge_qmaster/$CELL/userkeys/$USER from the
       master host to the submit host lets $USER happily qsub.
    Is there anything wrong with my "solution" here?

Thanks for any insights on these or any other issues with CSP.  As an 
aside, there doesn't seem to be much traffic on the list about this.  Do 
people not use this much?

-- 
Joshua Baker-LePain
QB3 Shared Cluster Sysadmin
UCSF
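
The reduced transfer set from item 1, as an added example that is not part of the original post or of Grid Engine. The function names are hypothetical, the paths are the ones quoted in the post, and shipping only key.pem from private/ follows the poster's observation, which the page does not confirm.

```shell
#!/bin/sh
# Added example: build the exec-host bundle from item 1 with private/ reduced
# to key.pem only. That reduction is the poster's observation (an assumption
# here), not a documented Grid Engine requirement.

# Print every file in the bundle set that group or other can read, write or
# execute. $1 = CA cell dir (/var/sgeCA/sge_qmaster/$CELL), $2 = $SGEUSER.
loose_key_files() {
    for p in "$1/private/key.pem" "$1/userkeys/root" "$1/userkeys/$2"; do
        find "$p" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \)
    done
}

# Create the tarball. Returns 1 if a required path is missing and 2 if any
# file to be shipped is accessible beyond its owner.
# $1 = CA cell dir, $2 = $SGEUSER, $3 = output tar file.
make_exec_bundle() {
    cell_dir=$1 sge_user=$2 out=$3
    for p in private/key.pem userkeys/root "userkeys/$sge_user"; do
        [ -e "$cell_dir/$p" ] || { echo "missing: $cell_dir/$p" >&2; return 1; }
    done
    loose=$(loose_key_files "$cell_dir" "$sge_user")
    if [ -n "$loose" ]; then
        echo "refusing, group/other access on:" >&2
        echo "$loose" >&2
        return 2
    fi
    # umask 077 so the tarball itself is created owner-only.
    ( umask 077
      tar -cf "$out" -C "$cell_dir" \
          private/key.pem userkeys/root "userkeys/$sge_user" )
}

# List the files in a bundle (directories omitted) for review before transfer.
bundle_files() { tar -tf "$1" | grep -v '/$' | sort; }
```

Other users' directories under userkeys/ and the remaining files in private/ never enter the archive, so `bundle_files` output can be compared against the three expected paths before anything leaves the master host.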
