List,
Kudos to Bradley for figuring this out. We edited the sandbox file (as described in the link Bradley sent) for the xgrid agent, restarted the agent, and the job ran. Fantastic. Is there any documentation, other than the man pages, on this added functionality to Leopard?
Bradley, if you are ever in Calgary, give us a call. We'll buy you a beer for this one.
Dale Schack
Thrust Belt Imaging
On Friday, December 07, 2007, at 10:14AM, "Bradley Lowekamp" <email@hidden> wrote:
>I have tried a couple times to submit to the list server and my
>message seems to just disappear. Here is what I have been trying to
>post:
>
>Hey all,
>
>I have run into the same problem. I use the NFS to read and write a
>large number of image files, and I can't with the leopard clients
>anymore. This has nothing to do with the Kerberos NFS. It has to do
>with the new leopard sandbox/seatbelt security.
>
>Here is a page which explains it:
>http://codm.genhex.org/2007/10/macosx-leopard-sandbox-seatbel.html
>
>I tracked this down by looking into the system log and it was saying
>things about seatbelt. Some files that look like
>/usr/share/sandbox/xgridagentd* look like they could be hacked to fix it.
>This would be my first:
>
>$ cat /usr/share/sandbox/xgridagentd_task_nobody.sb
>;;
>;; _xgridtask_nobody - sandbox profile
>;; Copyright (c) 2006-2007 Apple Inc. All Rights reserved.
>;;
>;; WARNING: The sandbox rules in this file currently constitute
>;; Apple System Private Interface and are subject to change at any time and
>;; without notice. The contents of this file are also auto-generated and not
>;; user editable; it may be overwritten at any time.
>;;
>(version 1)
>
>(debug deny)
>
>(deny default)
>
>(allow process* sysctl* mach* network*)
>(allow signal (target pgrp))
>
>(allow file-read* (regex "^/(bin|dev|(private/)?(etc|tmp|var)|usr|System|Library)(/|$)"))
>(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)"))
>
>
>I haven't bothered hacking this yet. The WARNING made me wonder how
>often it would be overwritten and how big of a pain it will be to
>maintain. When I tried using the XML Xgrid communications for the image
>file I kept crashing the XGrid server.
>
>Hope this helps; if you hack it let us know how it works :)
>On Dec 7, 2007, at 12:05 PM, Dale Schack wrote:
>
>>
>> Mike,
>>
>> Thanks for the response. We have done some additional testing, and
>> it looks as though NFS is not our problem. It seems as though the
>> xgrid agent job is being started with increased restrictions as
>> compared with Tiger.
>>
>> We tested this by doing the following:
>>
>> 1) We created a /scratch directory on the agent machine, and placed a
>> data file in the directory.
>> 2) We then submitted a job that tried to copy the file to the local
>> xgrid working directory.
>>
>> This job runs successfully on Tiger, but on Leopard, we get
>> permission issues. In addition, this test would run correctly on
>> Tiger if the directory was hosted on NFS, whereas the same
>> permission issue occurs on Leopard.
>>
>> So, my questions have been morphed into the following: has Leopard
>> increased the restrictions on the shell that is used to run the job
>> on the agent? Is there any way to modify the way that the xgrid agent
>> job is started? How are the privileges set for the job?
>>
>> This may be a moot point once we move to a complete Leopard shop and
>> make use of Kerberos, but we'd like to test this prior to moving the
>> whole cluster over to Leopard.
>>
>> Dale Schack
>> Thrust Belt Imaging Inc.
>>
>>
>> On Thursday, December 06, 2007, at 10:54AM, "Mike Mackovitch" <email@hidden> wrote:
>>> On Wed, Dec 05, 2007 at 06:05:04PM -0800, Ernest Prabhakar wrote:
>>>> Hi Dale,
>>>>
>>>> On Dec 5, 2007, at 5:47 PM, Dale Schack wrote:
>>>>> It turns out that the user "nobody" no longer has the ability to
>>>>> read the
>>>>> NFS mounted directories. My question to the group is this: has
>>>>> anyone
>>>>> tried using Xgrid on Tiger Server, with Leopard clients, reading
>>>>> data via
>>>>> NFS? Have there been any changes with respect to NFS and
>>>>> security that
>>>>> may be the cause of this change?
>>>>
>>>> I can't be sure this is _your_ issue, but NFS in Leopard now uses
>>>> Kerberos
>>>> for authentication instead of userid. I'm not sure which is the
>>>> default,
>>>
>>> Kerberized NFS is not on by default on NFS exports.
>>> It needs to be explicitly configured on the export.
>>> So this wouldn't be causing any problem unless the
>>> Leopard NFS client was explicitly requiring Kerberos
>>> with the mount option: -o sec=krb5
>>>
>>> Dale,
>>>
>>> We'll need some more details to try to figure out what the
>>> problem is in your case.
>>>
>>> Is the NFS file system mounting successfully on the client
>>> or is the mount failing? How is it being mounted? Is it
>>> automounted? What mount options are used? Are there any
>>> NFS messages in /var/log/system.log on the client or server?
>>>
>>> Does the "nobody" user have the same UID/GID on the client and
>>> the server?
>>>
>>> Would it be possible to get a tcpdump capture file showing the
>>> full network packets when it isn't working? Start the following
>>> command on the server (where the last argument is the actual name
>>> or IP address of the client):
>>>
>>> sudo tcpdump -ns0 -w /tmp/packets.pcap host CLIENT_NAME_OR_IP
>>>
>>> Reproduce the problem, then Ctrl-C the tcpdump command and forward me
>>> the packets.pcap file (don't send it to everyone on the mailing
>>> list)....
>>> or attach it to a bug report: http://bugreporter.apple.com
>>>
>>> Thanks!
>>> --macko
>>>
>>>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xgrid-users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/xgrid-users/email@hidden
This email sent to email@hidden
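The thread's fix was to hand-edit the xgridagentd sandbox profile so the job run as "nobody" could read the /scratch directory. Before touching a profile with a `(deny default)` floor it helps to see exactly which paths a candidate rule set would open up. The script below is an added example written for this page, not code from the thread or from Apple: it parses the path-based `allow`/`deny` rules of the profile Bradley quoted, evaluates an operation against a path under a deliberately simplified model (an assumption: the last rule matching both the operation and the path wins, with `(deny default)` as the floor), and appends a read-only rule scoped to one directory instead of widening the shipped regex. The /scratch directory is the one from Dale's test; the extra rule line and the sample paths are constructed for the example.

```python
import re

# Constructed sample, not copied from a live system: the rules from the
# xgridagentd_task_nobody.sb profile quoted in the thread, with the comment
# header, (version 1) and (debug deny) lines left out.
BASE_PROFILE = r'''
(deny default)
(allow process* sysctl* mach* network*)
(allow signal (target pgrp))
(allow file-read* (regex "^/(bin|dev|(private/)?(etc|tmp|var)|usr|System|Library)(/|$)"))
(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)"))
'''

# Matches "(allow|deny OPS...)" optionally followed by one (regex "...") filter.
# Rules with other filter forms, e.g. (allow signal (target pgrp)), are skipped:
# this model only cares about path-based file rules.
RULE_RE = re.compile(r'\((allow|deny)\s+([^()"]+?)\s*(?:\(regex\s+"([^"]*)"\))?\)')


def parse_rules(profile):
    """Return [(verdict, [op patterns], compiled path regex or None)] in file order."""
    rules = []
    for verdict, ops, pattern in RULE_RE.findall(profile):
        rules.append((verdict, ops.split(), re.compile(pattern) if pattern else None))
    return rules


def op_matches(op_pattern, op):
    """'file-read*' covers file-read-data, file-read-metadata, ...; 'default' covers all."""
    if op_pattern == "default":
        return True
    if op_pattern.endswith("*"):
        return op.startswith(op_pattern[:-1])
    return op == op_pattern


def is_allowed(rules, op, path):
    """Simplified evaluation model (an assumption, not Apple's documented semantics):
    the last rule matching both the operation and the path wins, and
    (deny default) is the floor when nothing else matches."""
    verdict = "deny"
    for v, ops, path_re in rules:
        if any(op_matches(p, op) for p in ops) and (path_re is None or path_re.search(path)):
            verdict = v
    return verdict == "allow"


def allow_read_under(profile, directory):
    """Append a read-only rule scoped to exactly one directory tree.

    Escaping the directory and anchoring with (/|$) keeps /scratch from also
    matching /scratchpad, and leaving file-write* out keeps the grant read-only.
    """
    pattern = "^" + re.escape(directory.rstrip("/")) + "(/|$)"
    return profile + '(allow file-read* (regex "%s"))\n' % pattern


def demo():
    """Compare the profile as shipped with one extended for /scratch (constructed paths)."""
    shipped = parse_rules(BASE_PROFILE)
    extended = parse_rules(allow_read_under(BASE_PROFILE, "/scratch"))
    return {
        "shipped_read_scratch": is_allowed(shipped, "file-read-data", "/scratch/input.dat"),
        "shipped_read_etc": is_allowed(shipped, "file-read-data", "/etc/hosts"),
        "extended_read_scratch": is_allowed(extended, "file-read-data", "/scratch/input.dat"),
        "extended_write_scratch": is_allowed(extended, "file-write-data", "/scratch/input.dat"),
        "extended_read_sibling": is_allowed(extended, "file-read-data", "/scratchpad/x"),
        "extended_write_tmp": is_allowed(extended, "file-write-data", "/tmp/out"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "allow" if ok else "deny"))
```

Running it shows the shipped profile denying reads under /scratch while still allowing /etc, and the extended profile allowing reads under /scratch only: writes there stay denied, a sibling such as /scratchpad stays denied, and the existing /tmp write grant is untouched. The design point is to add the narrowest rule that makes the job work rather than loosening the regex Apple ships; and since the file's own header says it is auto-generated and may be overwritten, keep the added rule somewhere you can re-apply it after an update.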