
Re: [Xgrid] Tiger Server Controller/Leopard Client Agent and NFS

Thank you all for posting this issue. We have struggled with similar issues. I'm glad that Dale was able to get it working, but...

That warning is enough to render Xgrid useless in my opinion if we need it to consistently give xgrid access to our NFS files without permission problems. Does Kerberos really make this warning moot, and is that Apple's assumption that everybody should be using Kerberos?

dan shumaker | bluarc animation studios | email@hidden

w 707.780.1967  m 415.377.6318

Dale Schack wrote:
List, 

Kudos to Bradley for figuring this out.  We edited the sandbox file (as described in the link Bradley sent) for the xgrid agent, restarted the agent, and the job ran.  Fantastic.  Is there any documentation, other than the man pages, on this added functionality to Leopard? 

Bradley, if you are ever in Calgary, give us a call.  We'll buy you a beer for this one. 

Dale Schack 
Thrust Belt Imaging 

On Friday, December 07, 2007, at 10:14AM, "Bradley Lowekamp" <email@hidden> wrote:
I have tried a couple times to submit to the list server and my message seems to just disappear. Here is what I have been trying to post:

Hey all,

I have run into the same problem. I use the NFS to read and write a large number of image files, and I can't with the Leopard clients anymore. This has nothing to do with the Kerberos NFS. It has to do with the new Leopard sandbox/seatbelt security.

Here is a page which explains it:
http://codm.genhex.org/2007/10/macosx-leopard-sandbox-seatbel.html

I tracked this down by looking into the system log and it was saying things about seatbelt. Some files that look like /usr/share/sandbox/xgridagentd* look like they could be hacked to fix it. This would be my first:

$ cat /usr/share/sandbox/xgridagentd_task_nobody.sb
;;
;; _xgridtask_nobody - sandbox profile
;; Copyright (c) 2006-2007 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
(version 1)

(debug deny)

(deny default)

(allow process* sysctl* mach* network*)
(allow signal (target pgrp))

(allow file-read* (regex "^/(bin|dev|(private/)?(etc|tmp|var)|usr|System|Library)(/|$)"))
(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)"))


I haven't bothered hacking this yet. The WARNING made me wonder how often it would be overwritten and how big of a pain it will be to maintain. When I tried using the XML Xgrid communications for the image file I kept crashing the XGrid server.

Hope this helps; if you hack it, let us know how it works :)
On Dec 7, 2007, at 12:05 PM, Dale Schack wrote:

Mike,

Thanks for the response. We have done some additional testing, and it looks as though NFS is not our problem. It seems as though the xgrid agent job is being started with increased restrictions as compared with Tiger.

We tested this by doing the following:

1) We created a /scratch directory on the agent machine, and placed a data file in the directory.
2) We then submitted a job that tried to copy the file to the local xgrid working directory.

This job runs successfully on Tiger, but on Leopard, we get permission issues. In addition, this test would run correctly on Tiger if the directory was hosted on NFS, whereas the same permission issue occurs on Leopard.

So, my questions have been morphed into the following: has Leopard increased the restrictions on the shell that is used to run the job on the agent? Is there any way to modify the way that the xgrid agent job is started? How are the privileges set for the job?

This may be a moot point once we move to a complete Leopard shop and make use of Kerberos, but we'd like to test this prior to moving the whole cluster over to Leopard.

Dale Schack
Thrust Belt Imaging Inc.


On Thursday, December 06, 2007, at 10:54AM, "Mike Mackovitch" <email@hidden> wrote:
On Wed, Dec 05, 2007 at 06:05:04PM -0800, Ernest Prabhakar wrote:
Hi Dale,

On Dec 5, 2007, at 5:47 PM, Dale Schack wrote:
It turns out that the user "nobody" no longer has the ability to read the NFS mounted directories. My question to the group is this: has anyone tried using Xgrid on Tiger Server, with Leopard clients, reading data via NFS? Have there been any changes with respect to NFS and security that may be the cause of this change?
I can't be sure this is _your_ issue, but NFS in Leopard now uses Kerberos for authentication instead of userid. I'm not sure which is the default,
Kerberized NFS is not on by default on NFS exports.
It needs to be explicitly configured on the export.
So this wouldn't be causing any problem unless the
Leopard NFS client was explicitly requiring Kerberos
with the mount option: -o sec=krb5

Dale,

We'll need some more details to try to figure out what the
problem is in your case.

Is the NFS file system mounting successfully on the client
or is the mount failing?  How is it being mounted?  Is it
automounted?  What mount options are used?  Are there any
NFS messages in /var/log/system.log on the client or server?

Does the "nobody" user have the same UID/GID on the client and
the server?

Would it be possible to get a tcpdump capture file showing the
full network packets when it isn't working?  Start the following
command on the server (where the last argument is the actual name
or IP address of the client):

sudo tcpdump -ns0 -w /tmp/packets.pcap host CLIENT_NAME_OR_IP

Reproduce the problem, then Ctrl-C the tcpdump command and forward me
the packets.pcap file (don't send it to everyone on the mailing list)....
or attach it to a bug report: http://bugreporter.apple.com

Thanks!
--macko


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xgrid-users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/xgrid-users/email@hidden

This email sent to email@hidden
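As an added illustration (not code from the thread or from Apple), the following Python applies the "(deny default)" and the two "(allow ... (regex ...))" rules from the xgridagentd_task_nobody.sb profile Bradley quoted to sample paths, showing why a file under /scratch or an NFS mount outside the listed prefixes is refused while /private/tmp stays writable. The /Volumes mount point, the sample paths and the read-only /scratch extension are assumptions for illustration, not the edit the thread made.

```python
import re

# Rules transcribed from the xgridagentd_task_nobody.sb profile quoted above:
# "(deny default)" plus two "(allow ... (regex ...))" rules. Each entry pairs
# the operations the rule grants with its path regex. The regex is applied as
# a search; both patterns are anchored with ^, so search and match agree.
SHIPPED_PROFILE = [
    ({"file-read*"},
     r"^/(bin|dev|(private/)?(etc|tmp|var)|usr|System|Library)(/|$)"),
    ({"file-read*", "file-write*"},
     r"^/(private/)?(tmp|var)(/|$)"),
]


def evaluate(rules, operation, path):
    """Return 'allow' if any rule grants operation on path, else 'deny'
    (the profile's default)."""
    for operations, pattern in rules:
        if operation in operations and re.search(pattern, path):
            return "allow"
    return "deny"


def audit(rules, paths):
    """Map each path to its (read, write) verdict under the given rules."""
    return {p: (evaluate(rules, "file-read*", p),
                evaluate(rules, "file-write*", p)) for p in paths}


# Constructed sample paths. /scratch is the directory from Dale's test; the
# /Volumes path stands in for an NFS mount and is an assumption.
SAMPLE_PATHS = [
    "/scratch/data.dat",
    "/Volumes/nfs_images/frame0001.exr",
    "/private/tmp/xgrid_job/out.dat",
    "/etc/hosts",
    "/tmpfoo",  # shares a prefix with /tmp but is not under it
]

# Hypothetical least-privilege extension (an assumption, not the thread's
# edit): read-only access to /scratch only, so writes there stay denied.
NARROW_EXTENSION = SHIPPED_PROFILE + [({"file-read*"}, r"^/scratch(/|$)")]

if __name__ == "__main__":
    for label, rules in (("shipped", SHIPPED_PROFILE),
                         ("narrowed", NARROW_EXTENSION)):
        print(label)
        for path, (r, w) in audit(rules, SAMPLE_PATHS).items():
            print(f"  {path:36} read={r:5} write={w}")
```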

References: 
 >[Xgrid] Tiger Server Controller/Leopard Client Agent and NFS (From: Dale Schack <email@hidden>)
 >Re: [Xgrid] Tiger Server Controller/Leopard Client Agent and NFS (From: Ernest Prabhakar <email@hidden>)
 >Re: [Xgrid] Tiger Server Controller/Leopard Client Agent and NFS (From: Mike Mackovitch <email@hidden>)
 >Re: [Xgrid] Tiger Server Controller/Leopard Client Agent and NFS (From: Dale Schack <email@hidden>)
 >Re: [Xgrid] Tiger Server Controller/Leopard Client Agent and NFS (From: Dale Schack <email@hidden>)
