Message boards : Questions and problems : Silent operation issue.
Message board moderation
Author | Message |
---|---|
Send message Joined: 2 Oct 05 Posts: 401 |
At home, BOINC runs on my machines, and I am here to watch them and perform any necessary actions. At another site with several machines, I want BOINC to run, but, I don't want it popping up strange messages etc. on those machines, it wants to be absolutely silent, running in the background without anyone seeing anything. Things I see from time to time here are "new version available" etc. which would not be acceptable there. New versions etc. I'd know about anyway because I'd be getting that at home anyway, it is unusual or unexpected notices that I am concerned about. An ideal situation would be e-mailing me if something needed to be done. The machines are in public libraries, and I would not want the staff being pestered by members of the public asking about a "strange message" they've got on their machine whilst working. Wave upon wave of demented avengers march cheerfully out of obscurity into the dream. |
Send message Joined: 29 Aug 05 Posts: 15554 |
Solution: run only the client (boinc.exe), not the manager (boincmgr.exe). Then you won't have any pop-ups or notices or balloons or bubbles. Under Windows, the client can be run from the command line using <code>"C:\Program Files\BOINC\boinc.exe" --detach_console</code>. The quotes are needed when BOINC is installed in any of the Program Files directories or another directory with a space in the name. The 'detach_console' attribute closes the command line window but keeps BOINC running. |
Send message Joined: 2 Oct 05 Posts: 401 |
That is certainly a way forward, but, how would I know if anything was going wrong? BTW, the machines in the library here are MAC's. Wave upon wave of demented avengers march cheerfully out of obscurity into the dream. |
Send message Joined: 29 Aug 05 Posts: 15554 |
You can check the progress of the machines from the project's website. If any throw errors, then you'll have to go there, or log in remotely to see why it does that. In the case of Mac's, I'm not sure if it can run with just the client. I'd say, test that out locally first, if you have the possibility. |
Send message Joined: 5 Oct 06 Posts: 5124 |
The machines are in public libraries, and I would not want the staff being pestered ...What's your relationship with those public libraries? If you have persuaded the staff to let you perform 'run as administrator' installations on the machines, I assume you have some sort of trust relationship with their employers. In that case, what I've done in the past (not for BOINC - more directly for the work needs of a commercial employer without onsite tech support) is to set up a secure VPN termination on the site's router which allows me to 'dial in' (in practice over broadband) from a machine on my home LAN and become a member of the remote site's LAN. When that's up and running, you could visit each remote machine using BOINC Manager and Remote GUI RPC. Except I still wouldn't do that. BOINC Manager's once-per-second fixed update interval is too fast for use over a WAN, so instead I'd use BoincTasks to consolidate all the remote machines onto one monitoring display, and set the update interval to something low enough not to saturate the VPN at either end. From what I know of public library computers, they won't be high enough specification to run GPU applications, and will be switched off when not in use. In which case, a service installation will be adequate and will silence the messages. |
Send message Joined: 20 Nov 12 Posts: 801 |
Tools for Mac OS X tells how to run the client as daemon and how to disable autostarting the Manager. |
Send message Joined: 2 Oct 05 Posts: 401 |
>>> What's your relationship Currently, I am in a, somewhat typical, backwards and forwards discussion with the local council who operate the libraries. There are a number of libraries, each with a varying number of public machines, some have 4 others 10+. I agree, these machines are not super number crunchers, but they are there, they are online and they are switched on for 8-10 hours a day, and, Monday to Friday at least, are sitting there without anybody looking at them. I figured they could be set up with a smallish group of projects which have reasonably short run times, and by sheer weight of numbers, be able to make a contribution. I thought the idea of getting an IN however small, might allow me to get BOINC into the councils realms of thought. I could then do the same with the neighbouring council and create a little bit of interest with "who is doing best" type things. That could proliferate and I could get these hosts of little machines, plus maybe a few not so little ones, crunching - but I need to be able to manage it. I need to know if there is a problem somewhere, ideally what the problem is, and even more ideally, some way of fixing it by remote means. Right now, I'd regard it as a step forward just to get the machines in the local library, the door of which I walk past 4-5 times a week, crunching. Wave upon wave of demented avengers march cheerfully out of obscurity into the dream. |
Send message Joined: 2 Oct 05 Posts: 401 |
>>> Tools for Mac OS X tells how to run the client Cheers, I'll need that, I don't operate MAC's. Wave upon wave of demented avengers march cheerfully out of obscurity into the dream. |
Send message Joined: 2 Oct 05 Posts: 401 |
Interestingly, they are basically saying that BOINC is a security issue for their systems. I suspect the person I have been "speaking" too is an official at the library and not an IT professional. Right now, however, they are not interested in putting BOINC on their machines. I have said I will take the matter up with the mayor's office who, hopefully will push the issue onto their IT department. They, at least, should understand the issues and not just trot out standard phrases. Wave upon wave of demented avengers march cheerfully out of obscurity into the dream. |
Send message Joined: 23 Feb 12 Posts: 198 |
|
Send message Joined: 2 Oct 05 Posts: 401 |
It is a question of definitions. The main library in the commune is built in an old factory building of an old ship building complex at sea level, ie. it is less than a metre above sea level, indeed, the library entrance is opposite one of the former slipway ramps. That could easily be described as a security issue. Do you have a specific security issue with BOINC in mind? Wave upon wave of demented avengers march cheerfully out of obscurity into the dream. |
Send message Joined: 23 Feb 12 Posts: 198 |
Do you work in IT? BOINC requires certain ports to be open in a firewall that allows potential intrusion attempts. BOINC by its nature downloads executables from a 3rd part site that you have bestowed faith in to not deliver you malicious content. Even with executables that are trusted, it can still cause a system to become unstable. How about privacy? Applications could be coded to essentially keylog or just collect traffic data. Someone would have to constantly monitor the applications being ran within BOINC to make sure someone at the project hasn't become malicious. Or perhaps they have become compromised themselves. I think when someone discusses security issues with BOINC, it is pretty much assumed IT related security issues. It only takes one rogue system to bring the entire network down. What do you think the library IT or "officials" would say if a BOINC project started encrypting their HDD's and then later held them ransom? You may trust BOINC projects. But it only takes one person to ruin it all. Anyone in IT should be aware of the potential problems something like this could bring up. |
Send message Joined: 2 Oct 05 Posts: 401 |
So you obviously don'y run those crazy risks... oh, but I see from your sig that you do. And, yes, I was a professional software engineer for almost 40 years, but worked on embedded systems in the public transport arena, from railway signalling, platform and bus ticket automats etc., to shipping arenas where I programmed VDR systems for container ships etc., BOINC was not available for the hardware platforms I programmed, they tended not to have operating systems for example. Wave upon wave of demented avengers march cheerfully out of obscurity into the dream. |
Send message Joined: 5 Oct 06 Posts: 5124 |
Yes, the possibility of attaching to a malicious project, or for malicious actors to insert code into a normal project, is probably the greatest risk you face. Your proposed plan of denying access to the Manager (and I'd suggest boinccmd too) would make it much harder for a library user to attach to a malicious project, and if you limit the range of pre-attached projects you set up to those with a proven academic sponsor and a track-record of reliable operation, you'll have exercised due diligence. If you also install BOINC 'as a service', the enhanced sandbox security (special limited-permission accounts) would make it almost impossible for anyone else to tamper with the installation without access to an administrative account on the machine. The point about opening firewall ports is a complete red herring. The only ports required are 80 and 443, the standard ports used by browsers to access the WWW. Any computer placed in the public access area of a library will have those open for the public to use anyway. You might find that the library browsers are configured to use a proxy server for access: BOINC can handle that, but you may have to supply proxy configuration details when you set them up. You may also need to get agreement for the authorised project servers to be whitelisted. The only non-standard port you might need to consider is the control port for remote monitoring. If you use the 'VPN termination on router' approach I suggested earlier, even that doesn't require a separate port: your monitoring machine will appear as a trusted insider on the network. You'll have to convince the authorities to allow you that, though. |
Send message Joined: 2 Oct 05 Posts: 401 |
Mmmm, I figured a small portfolio of things like Rosetta, Einstein, World Community Grid etc. would be my preferred situation. I have those on the computers here and they are trouble free. The way the machines are set up, the library users would not be able to see it anyway. Wave upon wave of demented avengers march cheerfully out of obscurity into the dream. |
Send message Joined: 23 Feb 12 Posts: 198 |
So you obviously don'y run those crazy risks... oh, but I see from your sig that you do. On my own systems and systems that I was given permission to run on yes. But that does not mean there isn't a risk nor does that mean it is not a security concern. I also do not recommend the advice many BOINC users give out to exclude the data directory in anti-virus programs neither. False positive or not, you have to put your faith on the side of caution. I work in the banking industry in IT. I can assure you if we installed BOINC on any of our devices, we would get hammered by our auditors and 3rd party auditors for security concerns. Richard, my point that ports needed to be open was to show that there is IT related security concerns in the first place. Those 2 ports may be the most commonly open for internet usage, but does not mean they are safe by any means. Security needs to be considered for the traffic passing through. However, adrianxw, have you tried just disabling the BOINC notifications balloon within the client? Then you wouldn't get those popups but you could still leave the BOINC Manager running as normal. (Though I do not recommend doing that.) I agree with Richard that the better route would be to run the client but not the manager. EDIT: Windows - in BOINC 7.6.29 from advanced view click options then click other options. You should have the option to change the notice reminder interval to never. This is also where you would go to tell the BOINC Manager to start or not at login. |
Send message Joined: 2 Oct 05 Posts: 401 |
I have finally reached the airy upper echelons of the council. The guy that has written back saying why they will not have BOINC on the library computers are given as such: >>> · As mentioned above – basic security (and this is really the only reason we need) · Specifically, the projects that BOINC offer, are not guaranteed – according to the webstites disclaimer - to be without backdoors, malware or other malicious code. · Secondary issue: The power usage of a computer that runs this program is a lot higher, since the system resources are maxed out. · Secondary issue: When the system resources are maxed out by BOINC, the user of the computer will have a poor userexperience, since it will appear slow. <<< I was to reply to these points but would welcome any facts here. 1. Security - an overused and under justified word used to say no without having to justify it. 2. A standard disclaimer commonly added to much software. With a portfolio of long running respectable projects from respectable institutions, I'm thinking Rosetta, Einstein, WCG type things, are there instances where any of these things could be said to apply? 3. Probably true. 4. Certainly on Windows, because of the low priority BOINC runs at, this is not the case, but I do not run MAC's. I would assume that the same case would apply. True or not? I'm thinking of suggesting he try it on his own machine and see. Comments welcome. Wave upon wave of demented avengers march cheerfully out of obscurity into the dream. |
Send message Joined: 25 May 09 Posts: 1300 |
If the man at the council says "NO" and you keep digging he will find more and more excuses and reasons for not allowing you to load BOINC onto the council's computers. You've tried a couple of times, but have effectively hit his brick wall, and he can build it very much faster than you can knock it down. One card he hasn't played is the "If I let you do this I then have to let everyone else load their stuff onto the council computers" - that is probably the aspect of security he is really thinking about. |
Send message Joined: 2 Oct 05 Posts: 401 |
That is very probably true, but I didn't want to leave it that way. What I was going to do was say "fair enough - your machines" but then address each of his points, except 3 which I acknowledge, and continue by suggesting he try it on a machine in his office. He might just do that, and get to learn a bit more about what it is all about. A card I keep in my back pocket is that the council is there to serve the members of the council area who are the ones that are paying for the computers! Wave upon wave of demented avengers march cheerfully out of obscurity into the dream. |
Send message Joined: 25 May 09 Posts: 1300 |
That would almost certainly get is back up and make his next response more assertive. The door has been locked and bolted, and no reasoning in the near future will open it. |
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.