Hi Jeff,

No sorry, it is not clear to me yet. I don't see how we "ban" the waking up of the "alicepilot" script with the current policy. The way I see it, a user should be able to specify a startup script in the JDL. If a site supports it, it can call this startup script by contextualizing the VM.

Let's make this very concrete:
- The VO software contains a script called /opt/bin/alicepilot.
- The user specifies in the JDL that this script should be called on boot.
- The site contextualizes the images, in this case it means that a boot script is inserted that calls /opt/bin/alicepilot with user privileges.

So, it is perfectly possible to get work from a pilot job framework with site contextualization. What am I missing?

Thanks,
Sander
On Apr 22, 2010, at 11:29 AM, Jeff Templon wrote:
Hi,
so what you have told me, is that the VM should make no assumptions on what site services it can connect to. this is not the same as not being able to pick up a workload. having the VM instantiated so that at boot time, one of the things it does is to wake up the "alicepilot" account, which then contacts the alien task queue and picks up a workload ... this is *banned* by your current version of the policy, but there is no good reason to ban it, as it does not rely at all on the VM connecting back to the batch system.
there are some sites that have severe restrictions on outbound ip, but I don't think we should design the policy around this. we already have issues like this, the VO box ... where they are supposed to specify to us which ports will be used, and we make sure they are open. we can do the same thing here.
Does this make it more clear? I think the confusion is that you were equating "getting a workload" with "connecting to the batch system".
JT
On 22 Apr 2010, at 10:25, Sander Klous wrote:
Well, you don't want VMs connecting back to the batch system. At CERN this is the common way to get work inside your VM. So, a VM banned at Nikhef would be perfectly fine for CERN. You want to allow VMs connecting to pilot job frameworks, but other sites have severe restrictions on outbound IP. So, a VM banned from these sites, would be perfectly fine for Nikhef. There is no common denominator so there is no way we can specify it in the policy. I don't understand what you mean with: "do not ban it in the policy". It is not banned, it is kept as a site contextualization issue. As far as I can see, it is the only reasonable option for cross-site images.
On Apr 22, 2010, at 10:16 AM, Jeff Templon wrote:
Hi
On 22 Apr 2010, at 09:58, Sander Klous wrote:
The point is that "you don't see anything wrong with that", but other sites might. So, we don't want to specify it in the policy. That's why it is left a site contextualization issue, so each
I argue VERY strongly against this. If there is a good reason to ban it, then state the reason and ban it. "Other sites might see something wrong with it". If they see something wrong with it, let them speak up and make a case for it. Otherwise, do not ban it in the policy.
This is a principle we've tried to follow since HEPCAL days ... "it might be" isn't good enough.
JT