Well, you don't want VMs connecting back to the batch system. At CERN this is the common way to get work inside your VM. So, a VM banned at Nikhef would be perfectly fine for CERN. You want to allow VMs connecting to pilot job frameworks, but other sites have severe restrictions on outbound IP. So, a VM banned from these sites, would be perfectly fine for Nikhef. There is no common denominator so there is no way we can specify it in the policy. I don't understand what you mean with: "do not ban it in the policy". It is not banned, it is kept as a site contextualization issue. As far as I can see, it is the only reasonable option for cross-site images.
On Apr 22, 2010, at 10:16 AM, Jeff Templon wrote:
Hi
On 22 Apr 2010, at 09:58, Sander Klous wrote:
The point is that "you don't see anything wrong with that", but other sites might. So, we don't want to specify it in the policy. That's why it is left a site contextualization issue, so each
I argue VERY strongly against this. If there is a good reason to ban it, then state the reason and ban it. "Other sites might see something wrong with it". If they see something wrong with it, let them speak up and make a case for it. Otherwise, do not ban it in the policy.
This is a principle we've tried to follow since HEPCAL days ... "it might be" isn't good enough.
JT