Hi Ken, Trey, the following itch is a recurring one, thanks for touching it!
On Aug 22, 2014, at 10:59 PM, Kenneth Hoste wrote: >> So far everything installed is 2755/0644 except for the "easybuild" >> directories. I'm wondering if other sites use a dedicated "easybuild" user >> for building software? AFAIK, easybuild sites DO use a dedicated user, for a number of reasons, not least of which is to avoid shooting yourself in the foot... :) > We've been using a dedicated user for building/installing software, which we > share with multiple people. Which is a bad idea, for practical purposes. :-) > The proper way to do it is what you're suggesting: give users the required > permissions, and maybe also make them act under a common 'easybuild' (POSIX) > group. While at a Juelich meeting in Feb'14, we picked up the following concept: - once an installation software set is finalized, it gets "frozen" & ownership goes from sw group to sys group. This is an interesting idea and, one step further in avoiding shooting yourself in the foot! It's very likely an explicit separation of roles, coming out of who knows what war story. I find these practices really wise, given that nearly any HPC build step implies downloading & running 3rd-party software, whereby many things could go awry. As users keep coming with software setup requests, it's easy to be "lured away"! (LOL: "please install for me the package HackTree/v3" :) At some point you need to call your setup fixed and hit the "production" button, which is in effect what the Juelich fellows do. An applause for the practice! I suspect that mount namespaces could be a nice way to go about it under linux: http://www.ibm.com/developerworks/linux/library/l-mount-namespaces/index.html (never tried it, still in the todo list) If you have improvements upon the above ideas, please swap the subject and throw them in the list. enjoy, Fotis -- echo "sysadmin know better bash than english" | sed s/min/mins/ \ | sed 's/better bash/bash better/' # Yelling in a CERN forum
