Using generic per-node pool accounts or a shared map database
One way to deploy gLExec on the worker node is to use (VO-agnostic) generic pool accounts that are local to each worker node. This way, you can be sure that a gLExec'ed job does not "escape" from the node, and it limits the number of pool accounts needed.
For this configuration, you:
- create at least as many pool accounts as you have job slots on a WN
- assign a worker node local gridmapdir (suggestion: /var/local/gridmapdir)
- create local pool accounts with a local home directory (suggestion: account names wnpool00, etc., and home directories in a local file system that has enough space, e.g., /var/local/home/poolwn00, etc.)
- configure the lcmaps.db configuration used by glexec to refer to this gridmapdir
Note that the /var/run/glexec directory is used to maintain the mapping between the target and the originator account for easy back-mapping for running jobs. This information is of course also logged to syslog(3).
If you prefer shared pool accounts, you can use a shared atomic state database (implemented as an NFS directory) to host the gridmapdir. All operations on the gridmapdir are atomic, even over NFS, and it scales really well (remember that NFS is still the file-sharing mechanism of choice for many large installations).
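An added example, not part of the gLExec documentation or code: a Python audit of a gridmapdir that checks the pool account count against the job slots and lists which identity holds which account. It assumes the usual gridmapdir layout (one empty file per pool account, a lease being a hard link to that file named after the URL-encoded identity); `audit_gridmapdir`, `build_sample` and the sample DNs are constructed for illustration.

```python
import os
import stat
import tempfile
from urllib.parse import quote, unquote


def audit_gridmapdir(path, job_slots):
    """Return (free, leases, problems) for one gridmapdir (assumed layout)."""
    by_inode = {}  # inode -> every name hard-linked to it
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if stat.S_ISREG(st.st_mode):
            by_inode.setdefault(st.st_ino, []).append(name)

    free, leases, problems = [], {}, []
    for names in by_inode.values():
        # Assumption: lease names are URL-encoded identities, so start with '%'.
        pools = [n for n in names if not n.startswith("%")]
        ids = [unquote(n) for n in names if n.startswith("%")]
        if not pools:
            problems.append(f"orphaned lease (no pool account file): {ids}")
        elif len(pools) > 1:
            problems.append(f"pool account files share an inode: {pools}")
        elif len(ids) > 1:
            problems.append(f"{pools[0]} is leased to several identities: {ids}")
        elif ids:
            leases[pools[0]] = ids[0]  # back-mapping: account -> identity
        else:
            free.append(pools[0])
    total = len(free) + len(leases)
    if total < job_slots:
        problems.append(f"{total} usable pool accounts for {job_slots} job slots")
    return sorted(free), leases, problems


def build_sample(path):
    """Constructed sample: three pool accounts, one lease, one orphaned lease."""
    for account in ("wnpool00", "wnpool01", "wnpool02"):
        open(os.path.join(path, account), "w").close()
    alice = quote("/dc=org/dc=example/cn=alice", safe="").lower()
    os.link(os.path.join(path, "wnpool00"), os.path.join(path, alice))
    bob = quote("/dc=org/dc=example/cn=bob", safe="").lower()
    open(os.path.join(path, bob), "w").close()  # lease whose account file is gone


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(audit_gridmapdir(d, job_slots=4))
```

On a real node, point `audit_gridmapdir` at the gridmapdir named in lcmaps.db and pass the number of job slots configured for that WN.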
Detailed documentation is given at http://www.nikhef.nl/grid/lcaslcmaps/glexec/glexec-install-procedure.html.
To test your setup, see the Debugging hints page for more information.