I can no longer resist not participating in this lengthy thread, sorry.
On 22-04-10 13:37, Jeff Templon wrote:
Hi Sander
Given that we already allow many different forms of outbound connectivity, I do not see a strong objection. I am sure there is somebody out there that objects; on the other hand, we have the same thing with glexec ... somebody did not want to deploy any suid program that had ever had a security issue. We are deploying it anyway.
In my opinion, one of the main advantages of VMs is that it allows you to make assumptions about many things being exactly the same, on all sites. Why else would you go to the trouble?? So this:
On 22 Apr 2010, at 13:30, Sander Klous wrote:
So, I see what you mean by banned now: the policy indeed bans the possibility to impose a specific way of obtaining your workload on every site. I think that is a good thing.
is to me turning off one of the main advantages of VMs, and for a weak reason.
I don't agree. The benefit of using VMs for users lies in a consistent software environment for the job (payload, pilot content, whatever). Of course, it would be *convenient* for those users if the mechanism to get the job started would be the same everywhere, but that is a system thingy.
Reality is that sites (and their admins) have implemented their own policies about network traffic etc. Those policies operate on a different level than the software environment for the job (payload). You should not ignore that if you want a workable common policy for VMs. And we all know that trying to chase site admins into a harness created by end users is not going to work!
So there is still a clear benefit for users, even if they cannot define all the rules.
Ronald