Versions Compared

    Key

    • This line was added.
    • This line was removed.
    • Formatting was changed.
    Comment: Published by Scroll Versions from this space and version 1.0

    ...

    • The worker process is usually started at system boot time and runs as long as the system is up
    • The worker process runs as either a Windows service or a daemon owned by the root user on OS X and linux.
    • The worker process will run jobs under a user other than root or the system service. This user is determined by the proxy_execution_mode value:
      • proxy_execution_mode = proxy 
        means it will always authenticate as the user defined in proxy_account.
      • proxy_execution_mode = user 
        means  means it will always authenticate as the user who submitted the job.
      Note

      The worker process will be unable to access screenspace on Windows and OS X; no processes will be able to render to a hardware buffer, applications that can only run by displaying their full GUI will usually not be able to start, etc.

    ...

    When the Worker launches a remote job as dispatched by the Supervisor, it can potentially create several processes, all controlled by the Worker. Since Qube is designed to emulate a user executing jobs on a remote host, the Worker will have to run these processes as some user.

    Unix  & OS X

    Under Unix-based operating systems, the Worker does a setuid in order to switch user identities before starting the process.  One implication of this is that the user's shell environment is not set up (tcshrc or equivalent is not run), so the job's environment may not be identical to an actual login by that user.

    ...

    Note
    titleConsiderations when running "User" mode on Windows

    The Worker creates an authentication token when it creates a new process, and the Windows Operating System then permits the process access to the user's environment and files.  For this reason, if running with proxy_execution_mode = user  on Windows, every Windows user will need to register (and keep current) their password with Qube!  Most facilities choose  proxy_execution_mode = proxy  when running in service mode on Windows.

    Authenticating on Windows using an Active Directory Domain account

    It's possible to use an AD account as the proxy account; this allows the proxy account to be added to the ACL's on networked filesystem, be centrally managed, etc.

    You set the proxy_account to the user name, but without the Active Directory portion, and then specify the Active Directory domain name with worker_host_domain.

    For example, if you have a domain account that I would login as MyCorp\someuser, where the AD domain name is "MyCorp", and the user's name is "someuser", you would configure it as follows:

     

    • proxy_account = someuser
    • worker_host_domain = MyCorp

     These values can be set either in the worker's local qb.conf, but a best practice is to set in the supervisor's central worker configuration file.

    See Also

    How to switch a worker from Service mode to Desktop User mode

    proxy_account

    proxy_password

    proxy_execution_mode

    worker_host_domain