#!/usr/bin/python3 """ Scan through the various HTCondor config knobs looking for potential issues caused by 9.0 having different default behavior than 8.8. A big focus of this script is the secure-by-default changes for 9.0 """ import argparse import os import pathlib import re import sys import tempfile import htcondor g_color_output = os.isatty(sys.stdout.fileno()) def format_red_terminal_text(text): if g_color_output: return "\033[1m\033[91m%s\033[0m" % text return text def check_allow_daemon(): """ Look for missing ALLOW_DAEMON and ALLOW_ADVERTISE_* At least one of which is needed for the collector """ allow_write = 'ALLOW_WRITE' in htcondor.param if not allow_write : allow_write = 'ALLOW_WRITE_COLLECTOR' in htcondor.param #print(allow_write) allow_daemon = 'ALLOW_DAEMON' in htcondor.param #print(allow_daemon) allow_advertise = 'ALLOW_ADVERTISE_STARTD' in htcondor.param if not allow_advertise : allow_advertise = 'ALLOW_ADVERTISE_SCHEDD' in htcondor.param if not allow_advertise : allow_advertise = 'ALLOW_ADVERTISE_MASTER' in htcondor.param #print(allow_advertise) allow_daemon_or_advertise = allow_daemon or allow_advertise if allow_write and not allow_daemon_or_advertise : return """ALLOW_WRITE is configured, but ALLOW_DAEMON is not : You must configure ALLOW_DAEMON or ALLOW_ADVERTISE_STARTD, ALLOW_ADVERTISE_MASTER, and ALLOW_ADVERTISE_COLLECTOR Or none of the HTCondor daemons will be able to send ads to the collector. In 8.8 ALLOW_DAEMON and ALLOW_ADVERTISE_* would inherit from ALLOW_WRITE, but in 9.0 ALLOW_WRITE is used only by the Schedd to control who can submit jobs. """ def check_dead_allow_write(): """ Look for extraneous ALLOW_WRITE_ """ allow_write = '' if 'ALLOW_WRITE_COLLECTOR' in htcondor.param : allow_write += 'ALLOW_WRITE_COLLECTOR ' if 'ALLOW_WRITE_STARTD' in htcondor.param : allow_write += 'ALLOW_WRITE_STARTD ' if len(allow_write) : return """obsolete %s : In 8.8 ALLOW_DAEMON_ would inherit from ALLOW_WRITE_, but in 9.0 this no longer happens. You should use condor_config_val -verbose -dump ALLOW_WRITE_ To find obsolete uses of ALLOW_WRITE and either delete them, or change them to ALLOW_DAEMON """ % allow_write.rstrip() def main(): # parser = argparse.ArgumentParser(description="Examine HTCondor configuration, looking for parameters that may not work for 9.0") # parser.add_argument("key", nargs="*", help="Specific key files to examine; if not given, then the defaults are used from the HTCondor configuration") # parser.add_argument("--truncate", default=False, help="When a potentially insecure key is encountered, truncate it to match the behavior prior to 8.9.12", action="store_true") # args = parser.parse_args() Issues = 0 message = check_allow_daemon() if message: print(message) Issues = 1 message = check_dead_allow_write() if message: print(message) Issues = 1 sys.exit(Issues) if __name__ == '__main__': main()