Question for the comment in Ubuntu's boinc-client.service unit file about Atlas
Joined: 14 Sep 08 | Posts: 52 | Credit: 64,094,999 | RAC: 11,566

I just realized the boinc-client.service unit file shipped with Ubuntu 22.04 contained the following comments specific to Atlas. I am not aware of other Atlas applications among BOINC projects, so I assume this is referring to LHC's ATLAS.

```ini
[Service]
Type=simple
ProtectHome=true
ProtectSystem=full
ProtectControlGroups=true
ReadWritePaths=-/var/lib/boinc -/etc/boinc-client
Nice=10
User=boinc
WorkingDirectory=/var/lib/boinc
ExecStart=/usr/bin/boinc
ExecStop=/usr/bin/boinccmd --quit
ExecReload=/usr/bin/boinccmd --read_cc_config
ExecStopPost=/bin/rm -f lockfile
IOSchedulingClass=idle
# The following options prevent setuid root as they imply NoNewPrivileges=true
# Since Atlas requires setuid root, they break Atlas
# In order to improve security, if you're not using Atlas,
# Add these options to the [Service] section of an override file using
# sudo systemctl edit boinc-client.service
#NoNewPrivileges=true
#ProtectKernelModules=true
#ProtectKernelTunables=true
#RestrictRealtime=true
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
#RestrictNamespaces=true
#PrivateUsers=true
#CapabilityBoundingSet=
#MemoryDenyWriteExecute=true
#PrivateTmp=true
#Block X11 idle detection
```

Based on my rudimentary understanding of these options, I have a feeling they only apply for native ATLAS. If I only run the vbox version, can I enable these options safely?
Joined: 14 Sep 08 | Posts: 52 | Credit: 64,094,999 | RAC: 11,566

Well, I have some answer now. Vbox doesn't work with these options on, even for Theory. The WUs error out right away, unable to manage the VM, just like when ProtectSystem is set to strict (default on Ubuntu 22.04). So regardless of whether these options are specific to native ATLAS or not, I am not going to enable them. 🤣
©2025 CERN