Copy in osg-ce-condor image contents (SOFTWARE-4300)

brianhlin · brianhlin · commit 84569c01785c · 2021-02-17T08:24:57.000-06:00
diff --git a/osg-ce-condor/Dockerfile b/osg-ce-condor/Dockerfile
@@ -0,0 +1,21 @@
+# Specify the opensciencegrid/compute-entrypoint image tag
+ARG BASE_YUM_REPO=release
+
+FROM opensciencegrid/compute-entrypoint:$BASE_YUM_REPO
+
+ARG BASE_YUM_REPO=release
+
+LABEL maintainer "OSG Software <help@opensciencegrid.org>"
+
+RUN if [[ $BASE_YUM_REPO = release ]]; then \
+       yumrepo=osg-upcoming; else \
+       yumrepo=osg-upcoming-$BASE_YUM_REPO; fi && \
+     yum install -y --enablerepo=$yumrepo \
+                   osg-ce-condor && \
+    yum clean all && \
+    rm -rf /var/cache/yum/
+
+COPY etc/osg/image-config.d/* /etc/osg/image-config.d/
+COPY etc/condor/config.d/* /etc/condor/config.d/
+COPY usr/local/bin/* /usr/local/bin/
+COPY etc/supervisord.d/* /etc/supervisord.d/
diff --git a/osg-ce-condor/etc/condor/config.d/01-misc.conf b/osg-ce-condor/etc/condor/config.d/01-misc.conf
@@ -0,0 +1,4 @@
+# Copied from https://github.com/htcondor/htcondor
+
+# Can't tune the kernel in a container
+ENABLE_KERNEL_TUNING=False
diff --git a/osg-ce-condor/etc/condor/config.d/01-security.conf b/osg-ce-condor/etc/condor/config.d/01-security.conf
@@ -0,0 +1,44 @@
+# Copied from https://github.com/htcondor/htcondor
+
+# Require authentication and integrity checking by default.
+use SECURITY : With_Authentication
+
+# Host-based security is fine in a container environment, especially if
+# we're also using a pool password or a token.
+use SECURITY : Host_Based
+# We also want root to be able to do reconfigs, restarts, etc.
+ALLOW_ADMINISTRATOR = root@$(FULL_HOSTNAME) condor@$(FULL_HOSTNAME) $(ALLOW_ADMINISTRATOR)
+
+# TOKEN-based auth is the preferred method starting with the HTCondor
+# 8.9 series.
+if version >= 8.9.7
+    SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
+else
+    SEC_DEFAULT_AUTHENTICATION_METHODS = FS, TOKEN
+endif
+
+if $(USE_POOL_PASSWORD:no)
+    SEC_DEFAULT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS), PASSWORD
+
+    ALLOW_ADVERTISE_STARTD = condor_pool@*/* $(ALLOW_ADVERTISE_STARTD)
+    ALLOW_ADVERTISE_SCHEDD = condor_pool@*/* $(ALLOW_ADVERTISE_SCHEDD)
+endif
+
+# Allow public reads; in this case, no need for authentication.
+ALLOW_READ = *
+SEC_READ_AUTHENTICATION = OPTIONAL
+
+ALLOW_ADVERTISE_MASTER = \
+    $(ALLOW_ADVERTISE_MASTER) \
+    $(ALLOW_WRITE_COLLECTOR) \
+    dockerworker@example.net
+
+ALLOW_ADVERTISE_STARTD = \
+    $(ALLOW_ADVERTISE_STARTD) \
+    $(ALLOW_WRITE_COLLECTOR) \
+    dockerworker@example.net
+
+ALLOW_ADVERTISE_SCHEDD = \
+    $(ALLOW_ADVERTISE_STARTD) \
+    $(ALLOW_WRITE_COLLECTOR) \
+    dockersubmit@example.net
diff --git a/osg-ce-condor/etc/condor/config.d/50-container.conf b/osg-ce-condor/etc/condor/config.d/50-container.conf
@@ -0,0 +1,9 @@
+DAEMON_LIST = MASTER, SCHEDD
+
+# Tell clients to contact the local schedd on the hostname used to
+# advertise to other daemons
+TCP_FORWARDING_HOST = $(NETWORK_HOSTNAME)
+
+# Force container daemons to talk over the container IP
+PRIVATE_NETWORK_NAME = $(UTSNAME_NODENAME)
+PRIVATE_NETWORK_INTERFACE = $(IP_ADDRESS)
diff --git a/osg-ce-condor/etc/osg/image-config.d/25-setup-condor-submit.sh b/osg-ce-condor/etc/osg/image-config.d/25-setup-condor-submit.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Adapted from https://github.com/htcondor/htcondor
+
+set -xe
+
+prog=${0##*/}
+
+fail () {
+    echo "$prog:" "$@" >&2
+    exit 1
+}
+
+add_values_to () {
+    config=$1
+    shift
+    printf "%s=%s\n" >> "/etc/condor/config.d/$config" "$@"
+}
+
+# Create a config file from the environment.
+# The config file needs to be on disk instead of referencing the env
+# at run time so condor_config_val can work.
+echo "# This file was created by $prog" > /etc/condor/config.d/01-env.conf
+add_values_to 01-env.conf \
+    CONDOR_HOST "${CONDOR_SERVICE_HOST:-${CONDOR_HOST:-\$(FULL_HOSTNAME)}}" \
+    NUM_CPUS "${NUM_CPUS:-1}" \
+    MEMORY "${MEMORY:-1024}" \
+    RESERVED_DISK "${RESERVED_DISK:-1024}" \
+    USE_POOL_PASSWORD "${USE_POOL_PASSWORD:-no}"
+
+
+bash -x "/usr/local/bin/update-secrets" || fail "Failed to update secrets"
+bash -x "/usr/local/bin/update-config" || fail "Failed to update config"
+
+
+# Bug workaround: daemons will die if they can't raise the number of FD's;
+# cap the request if we can't raise it.
+hard_max=$(ulimit -Hn)
+
+rm -f /etc/condor/config.d/01-fdfix.conf
+# Try to raise the hard limit ourselves.  If we can't raise it, lower
+# the limits in the condor config to the maximum allowable.
+for attr in COLLECTOR_MAX_FILE_DESCRIPTORS \
+            SHARED_PORT_MAX_FILE_DESCRIPTORS \
+            SCHEDD_MAX_FILE_DESCRIPTORS \
+            MAX_FILE_DESCRIPTORS; do
+    config_max=$(condor_config_val -evaluate $attr ||: )
+    if [[ $config_max =~ ^[0-9]+$ && $config_max -gt $hard_max ]]; then
+        if ! ulimit -Hn "$config_max" &>/dev/null; then
+            add_values_to 01-fdfix.conf "$attr" "$hard_max"
+        fi
+        ulimit -Hn "$hard_max"
+    fi
+done
+[[ -s /etc/condor/config.d/01-fdfix.conf ]] && \
+    echo "# This file was created by $prog" >> /etc/condor/config.d/01-fdfix.conf
+
+chown -R condor:condor /var/log/condor /var/lib/condor/spool
+
+set +xe
diff --git a/osg-ce-condor/etc/supervisord.d/10-htcondor.conf b/osg-ce-condor/etc/supervisord.d/10-htcondor.conf
@@ -0,0 +1,5 @@
+[program:condor_master]
+user = root
+command = /usr/sbin/condor_master -f
+autorestart=true
+startsecs=20
diff --git a/osg-ce-condor/usr/local/bin/update-config b/osg-ce-condor/usr/local/bin/update-config
@@ -0,0 +1,13 @@
+#!/bin/bash
+# Copied from https://github.com/htcondor/htcondor
+
+# Copy extra configs from `/root/config` if any.
+if [[ -d /root/config ]]; then
+    cp /root/config/*.conf /etc/condor/config.d/
+fi
+
+if pgrep condor_master &>/dev/null; then
+    condor_reconfig
+fi
+
+# vim:et:sw=4:sts=4:ts=8
diff --git a/osg-ce-condor/usr/local/bin/update-secrets b/osg-ce-condor/usr/local/bin/update-secrets
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Copied from https://github.com/htcondor/htcondor
+
+prog=${0##*/}
+
+fail () {
+    echo "$prog:" "$@" >&2
+    exit 1
+}
+
+
+# Pool password; used for PASSWORD auth or for the collector to generate tokens from.
+if [[ -f /root/secrets/pool_password ]]; then
+    umask 077
+    install -o root -g root -m 0600 -D /root/secrets/pool_password /etc/condor/passwords.d/POOL ||\
+        fail "/root/secrets/pool_password found but unable to copy"
+    umask 022
+	(
+		cd /etc/condor/tokens.d
+		condor_config_val DAEMON_LIST | grep -q SCHEDD && (
+			condor_token_create -auth ADVERTISE_MASTER -auth ADVERTISE_SCHEDD -auth READ -identity dockersubmit@example.net > dockersubmit
+		)
+		condor_config_val DAEMON_LIST | grep -q STARTD && ( 
+			condor_token_create -auth ADVERTISE_MASTER -auth ADVERTISE_STARTD -auth READ -identity dockerworker@example.net > dockerworker
+		)
+	)
+fi
+
+# A token.
+if [[ -f /root/secrets/token ]]; then
+    umask 077
+    install -o condor -g condor -m 0600 -D /root/secrets/token /etc/condor/tokens.d/token ||\
+        fail "/root/secrets/token found but unable to copy"
+    umask 022
+fi
+
+
+# vim:et:sw=4:sts=4:ts=8
