Hi, we are experiencing something strange with the permissions in the repository when a job is created.
When a job is submitted by a user, the folder that is created that has the name of the Job ID in the DeadlineRepository/jobs folder, is owned only by that user, and no one else can access it. Therefore, no other slave can render the job except for the slave on the users machine.
When we manually change the permissions on the specific folder, all of the files in /Queued/ get deleted, and recreated in the /Rendering/ folder. So that Monitor shows all of the incomplete frames as “Rendering”, but nothing is happening.
Either there is an option somewhere that I am missing that is setting explicit permissions on folders created by users in the DeadlineRepository/jobs/ folder, or it is a bug, and folders created there should have access permissions for everyone by default.
The repository root folder and all subfolders need to have no owner and no group, and the permissions need to be completely open. An easy way to do this is run the following commands on the root:
Our Repository is properly chowned and chmodded for access by everyone already, but we use a general permission for general access, for example “frender:fgroup”.
The problem is that when a new job is submitted, the folder created by deadline in the /jobs/ folder becomes owned by “f:f:” (where “” = the submitters username). How how can we make deadline not set the permission explicitly to the user, but to our general access user and group?
That seems to work well for us, but we are using nobody:nogroup (not sure if that plays a part or not).
Deadline shouldn’t be explicitly setting the owner of any file it creates to a particular user. I imagine that is handled by the file system itself. What happens when you open up Word, for example, and save a text document to the Repository folder? Is it saved under a particular user?
There is no way we can use NFS with nobody:nogroup, as it leaves file security completely open which is a big no-no.
Files created manually into the repository directory get created with “f:fgroup”, but job files created by deadline become “f:f”. It seems like Deadline is not respecting group ownership properly, in fact, we have been doing tests all day today, and we are sure Deadline is not respecting the same file creation ownerships that should occur normally. Interestingly we did do a short test of setting the repository to “nobody:nogroup:”, but still any new files created by Deadline over NFS from Linux to Linux where each user has their own username, have the same file ownership problems.
Would it be possible to have an option in Deadline to manually set the user and group in a configuration file so that we can override Deadline’s choice?
We couldn’t reproduce this. We set up a new share with a specific “owner:group” setup and while we ran into some permission problems (the /repository/reports/history.txt couldn’t be appended to because of it’s current owner:group), new files/folders created through Deadline were created with nobody:nogroup (as opposed to user:user). This may be related to our NFS settings - are yours similar to the ones I posted previously?
We couldn’t reproduce this either (see above). In fact, switching to nobody:nogroup removed all permission problems, such as appending to the history.txt file.
It is a requirement of the Deadline Repository share to be completely open. Just the repository needs to be open though, nothing else on the system (if the machine is hosting anything else). Are you concerned that someone might corrupt the repository be editing or deleting files directly? That is a legitimate concern, but when Deadline was originally designed, it was more or less assumed that some trust would be involved.
It may be possible, but this would require significant code changes. I’m just surprised that Deadline would be mucking up permissions, because we’re not explicitly telling the file system to use a particular user or group, so you would think it would just default to the correct permissions.
Out of curiosity, have you tried setting up a samba share to see if you get similar results? This is more to see if the setup you want is possible over a samba share.
Actually, we managed to get it working by switching to CIFS and giving the repository it’s own mount. So basically it is removed from our NFS system, which is not the best solution, but it is close to it. Actually, I rather like Deadline having it’s own mount now as we can apply special attention to it when it needs it.
Deadline was still setting file ownerships incorrectly in CIFS, so we just overrode them with some settings (similar to samba but with a few more features). Now we can get Deadline using the groups that we want.