Hi all,
To echo everyone else, thank you for the help, lesson learnt, and Iâll
look at the feature release changelogs as well as the LTS release!
Many thanks,
Tom
*From: *HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of
Jose Caballero <jcaballero.hep@xxxxxxxxx>
*Date: *Tuesday, 9 May 2023 at 08:41
*To: *HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
*Cc: *Petr Vokac <Petr.Vokac@xxxxxxx>, condor-users@xxxxxxxxxxx
<condor-users@xxxxxxxxxxx>
*Subject: *Re: [HTCondor-users] Missing `x509UserProxyVOName` ClassAd in
Condor 10.0.3
Yeah, I can confirm it works.
Thanks a lot!!
Cheers,
Jose
El lun, 8 may 2023 a las 16:27, Jaime Frey via HTCondor-users
(<htcondor-users@xxxxxxxxxxx <mailto:htcondor-users@xxxxxxxxxxx>>) escribiÃ:
Thank you for that reminder. I was forgetting about that change in
the default configuration.
Â- Jaime
On May 6, 2023, at 4:35 AM, Petr Vokac <Petr.Vokac@xxxxxxx
<mailto:Petr.Vokac@xxxxxxx>> wrote:
Everybody should be already aware that HTCondor is very
progressive piece of software that tries to move us in future.
One should be careful with upgrades / definitely read release
notes (not just for LTS but also previous feature releases),
because HTCondor is changing default configuration values:
Version 9.10.0
...
* The default value of configuration parameter
|USE_VOMS_ATTRIBUTES|has been changed to |False|.
(HTCONDOR-1161)
<https://opensciencegrid.atlassian.net/browse/HTCONDOR-1161>
When it comes to the jobs with delegated X.509 proxy it is also
necessary to add in HTCondor-CE 6 configuration
"USE_VOMS_ATTRIBUTES = True".
OSG HTCondor-CE release depends on voms-clients-cpp, but non-OSG
release comes with java dependency, because according SPEC file
* Wed Jul 15 2020 MÃtyÃs Selmeci<matyas@xxxxxxxxxxx> <mailto:matyas@xxxxxxxxxxx> - 4.4.1-2
- Change voms-clients-cpp requirement to voms-clients for non-OSG builds,
 because voms-clients-java works equally well
To be honest this statement is not true anymore, because
HTCondor-CE compiled without GSI can't really dlopen JAVA VOMS
library. So in my view dependencies of non-OSG HTCondor-CE
packages are broken and needs to be fixed by HTCondor-CE package
maintainers.
Because LHC experiments are not as progressive as HTCondor
developers I'm personally not very concerned about accounting
which rely on x509UserProxyVOName, because only negligible
fraction of short test jobs are submitted without delegated
proxy and we don't plan to change that in a near future.
Unfortunately we have to ask all sites to configure HTCondor-CE
6 with non-default USE_VOMS_ATTRIBUTES.
Fermilab is in different position, because they are pushing
tokens hard, but their gracc accounting doesn't as far as I know
rely on site configuration and they should be fine even without
USE_VOMS_ATTRIBUTES. Still job routing will be affected if sites
don't update configuration to rely on AuthTokenIssuer classAds
instead of x509* ... actually can somebody from FNAL explain me
how to route NOvA jobs submitted with tokens, because from token
classAds I can't really determine individual experiments
aggregated in Fermilab VO
AuthTokenGroups = "/fermilab,/fermilab/pilot"
AuthTokenId ="https://cilogon.org/oauth2/4b43d9cf935ca4f531a4c41cfb326ee1?type=accessToken&ts=1683307232137&version=v2.0&lifetime=10800000"; <https://cilogon.org/oauth2/4b43d9cf935ca4f531a4c41cfb326ee1?type=accessToken&ts=1683307232137&version=v2.0&lifetime=10800000>
AuthTokenIssuer ="https://cilogon.org/fermilab"; <https://cilogon.org/fermilab>
AuthTokenScopes = "compute.create,compute.read,compute.cancel,compute.modify"
AuthTokenSubject ="fermilabpilot@xxxxxxxx" <mailto:fermilabpilot@xxxxxxxx>
It is a bit unfortunate that AuthTokenGroups use just
"/fermilab" while in case of x509UserProxyFirstFQAN jobs are
submitted with "/fermilab/nova", it is not clear to me why
Fermilab decided to use such inconsistent group configuration
for tokens vs. x509.
Petr
On 5/6/23 00:10, Steven C Timm via HTCondor-users wrote:
I can assure you that this is not the case. In htcondor 10
the voms attributes are not being populated.
Steve
------------------------------------------------------------------------
*From:*ÂHTCondor-users <htcondor-users-bounces@xxxxxxxxxxx>
<mailto:htcondor-users-bounces@xxxxxxxxxxx>Âon behalf of
Maarten Litmaath <Maarten.Litmaath@xxxxxxx>
<mailto:Maarten.Litmaath@xxxxxxx>
*Sent:*ÂFriday, May 5, 2023 4:41 PM
*To:*ÂJames Frey <jfrey@xxxxxxxxxxx> <mailto:jfrey@xxxxxxxxxxx>
*Cc:* condor-users@xxxxxxxxxxx
<mailto:condor-users@xxxxxxxxxxx> <condor-users@xxxxxxxxxxx>
<mailto:condor-users@xxxxxxxxxxx>; HTCondor-Users Mail List
<htcondor-users@xxxxxxxxxxx> <mailto:htcondor-users@xxxxxxxxxxx>
*Subject:*ÂRe: [HTCondor-users] Missing
`x509UserProxyVOName` ClassAd in Condor 10.0.3
Hi Jaime,
with HTCondor CE v5 it appears one gets the VOMS
libraryÂautomatically
through dependencies: I never had to think about it...
I browsed the admin docs and could not find a mention of
VOMS either:
did I manage to overlook the right place?
------------------------------------------------------------------------
*From:*ÂJaime Frey <jfrey@xxxxxxxxxxx>
<mailto:jfrey@xxxxxxxxxxx>
*Sent:*ÂFriday, May 5, 2023 11:06 PM
*To:*ÂMaarten Litmaath <Maarten.Litmaath@xxxxxxx>
<mailto:Maarten.Litmaath@xxxxxxx>
*Cc:*ÂHTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
<mailto:htcondor-users@xxxxxxxxxxx>;
condor-users@xxxxxxxxxxx <mailto:condor-users@xxxxxxxxxxx>
<condor-users@xxxxxxxxxxx> <mailto:condor-users@xxxxxxxxxxx>
*Subject:*ÂRe: [HTCondor-users] Missing
`x509UserProxyVOName` ClassAd in Condor 10.0.3
Thereâs really nothing to suggest thatâs different than for
HTCondor 9.0. When the schedd attempts to extract
information from the jobâs proxy at submission time (if
provided in the input sandbox), it tries to dlopen() the
VOMS client library. If that succeeds, it uses the library
to extract VOMS attributes.
Â- Jaime
On May 5, 2023, at 3:37 PM, Maarten Litmaath
<Maarten.Litmaath@xxxxxxx>
<mailto:Maarten.Litmaath@xxxxxxx>Âwrote:
Hi Jaime,
that is good news, thanks!
The absence of that library is not fatal then, but is
there a suggestion for admins to consider installing it?
------------------------------------------------------------------------
*From:*ÂHTCondor-users
<htcondor-users-bounces@xxxxxxxxxxx>
<mailto:htcondor-users-bounces@xxxxxxxxxxx>Âon behalf of
Jaime Frey via HTCondor-users
<htcondor-users@xxxxxxxxxxx>
<mailto:htcondor-users@xxxxxxxxxxx>
*Sent:*ÂFriday, May 5, 2023 10:25 PM
*To:*ÂHTCondor-Users Mail List
<htcondor-users@xxxxxxxxxxx>
<mailto:htcondor-users@xxxxxxxxxxx>
*Cc:*ÂJames Frey <jfrey@xxxxxxxxxxx>
<mailto:jfrey@xxxxxxxxxxx>; condor-users@xxxxxxxxxxx
<mailto:condor-users@xxxxxxxxxxx>
<condor-users@xxxxxxxxxxx> <mailto:condor-users@xxxxxxxxxxx>
*Subject:*ÂRe: [HTCondor-users] Missing
`x509UserProxyVOName` ClassAd in Condor 10.0.3
HTCondor 10.X still supports the VOMS library, which
doesnât rely on GSI, and delegation of an X.509 proxy
during job submission. If a proxy file is provided for
the jobâs use (via the x509userproxy submit command),
the VOMS attributes should be populated in the job ad.
This assumes the VOMS client library is installed on the
machine.
Â- Jaime
On May 5, 2023, at 2:59 AM, Maarten Litmaath
<Maarten.Litmaath@xxxxxxx>
<mailto:Maarten.Litmaath@xxxxxxx>Âwrote:
Hi JosÃ,
in 10.x there is no code that looks into the VOMS
extensions that an X509 proxy may have
and hence there are no variables defined anymore for
the VO and the FQANs.
We will need to decide on sustainable ways for the
accounting to keep working...
------------------------------------------------------------------------
*From:*ÂHTCondor-users
<htcondor-users-bounces@xxxxxxxxxxx>
<mailto:htcondor-users-bounces@xxxxxxxxxxx>Âon
behalf of Jose Caballero <jcaballero.hep@xxxxxxxxx>
<mailto:jcaballero.hep@xxxxxxxxx>
*Sent:*ÂFriday, May 5, 2023 9:33 AM
*To:*ÂHTCondor-Users Mail List
<htcondor-users@xxxxxxxxxxx>
<mailto:htcondor-users@xxxxxxxxxxx>
*Cc:* condor-users@xxxxxxxxxxx
<mailto:condor-users@xxxxxxxxxxx>
<condor-users@xxxxxxxxxxx>
<mailto:condor-users@xxxxxxxxxxx>
*Subject:*ÂRe: [HTCondor-users] Missing
`x509UserProxyVOName` ClassAd in Condor 10.0.3
Hi,
if I understand correctly what I see, the classAd
mentioned by Tom, "x509UserProxyVOName", is added to
the jobs at the schedd level.
Picking one random job on a schedd 9.0.5, this is
the submit file from the CE middleware (ARC) [1] and
these are the classad of the submitted job [2].
So clearly the classAds x509* have been added by our
local Schedd.
However, on a schedd 10.0.3, some of those classAds
are missing [3].
I have downloaded the code from GITHUB, and a simple
grep gives me the same results for the main branch
and tag V9_0_5.
Also, the classAd x509UserProxyVOName is still
mentioned in the documentation.
So I am quite lost as well. Why suddenly the jobs
submitted from schedd 10.x are missing these classads?
Any comment/question is more than welcome.
Cheers,
Jose
[1]
[root@arc-ce04
PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm]# cat condorjob.jdl
# HTCondor job description built by arex
Executable = condorjob.sh
Input = /dev/null
Log =
/var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm/log
Output =
/var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm.comment
Error =
/var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm.comment
+NordugridQueue = "EL7"
Description = gridjob
Universe = vanilla
Notification = Never
Requirements = (NumJobStarts == 0) && ( (OpSys ==
"LINUX" && OpSysMajorVer >= 7) )
Priority = 0
x509userproxy =
/var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm/user.proxy
request_cpus = 1
request_memory=4000
+JobMemoryLimit = 4096000
should_transfer_files = YES
When_to_transfer_output = ON_EXIT_OR_EVICT
Transfer_input_files =
/var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm
Periodic_remove = (JobStatus == 1 && NumJobStarts >
0) || ((ResidentSetSize isnt undefined ?
ResidentSetSize : 0) > JobMemoryLimit)
Queue
[2]
[root@arc-ce04
PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm]# condor_q -l 2479042 | grep ^x509
x509userproxy =
"/var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm/user.proxy"
x509UserProxyEmail = "lb.pilot@xxxxxxx
<mailto:lb.pilot@xxxxxxx>"
x509UserProxyExpiration = 1683605339
x509UserProxyFirstFQAN =
"/lhcb/Role=pilot/Capability=NULL"
x509UserProxyFQAN = "/DC=ch/DC=cern/OU=Organic
Units/OU=Users/CN=lbpilot/CN=693025/CN=Robot: LHCb
pilot,/lhcb/Role=pilot/Capability=NULL,/lhcb/Role=NULL/Capability=NULL"
x509userproxysubject = "/DC=ch/DC=cern/OU=Organic
Units/OU=Users/CN=lbpilot/CN=693025/CN=Robot: LHCb
pilot"
x509UserProxyVOName = "lhcb"
[3]
[root@arc-ce-test01 ~]# condor_history -l 605625.0 |
grep ^x509
x509UserProxyEmail = "Andrea.Sciaba@xxxxxxx
<mailto:Andrea.Sciaba@xxxxxxx>"
x509UserProxyExpiration = 1682927827
x509userproxy =
"/var/spool/arc/grid05/ZPsKDmZFHD3n61QDjqWNiMpoABFKDmABFKDmAaFKDmAEFKDmDzgJen/user.proxy"
x509userproxysubject = "/DC=ch/DC=cern/OU=Organic
Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba"
El mar, 2 may 2023 a las 10:33, Thomas Hartmann
(<thomas.hartmann@xxxxxxx
<mailto:thomas.hartmann@xxxxxxx>>) escribiÃ:
Hi Thomas,
from Condor 10 on GSI is not supported anymore
but only token authz.
Also IIRC has ATLAS recently switched Harvester
submission to Condor 10
as well, so that their jobs do not get submitted
anymore with X509 ads.
Probably the only option on the midterm run
would be to add cases for
routes, that evaluate the Auth* ads similar as
for X509 ads.
Cheers,
 ÂThomas
On 02/05/2023 10.07, Thomas Birkett - STFC UKRI
via HTCondor-users wrote:
> Hi Condor community,
>
> I hope you are all keeping well, hopefully a simple fix but Iâve
> recently upgraded our test Condor pool from 9.0.15 to 10.0.3 (LTS) and I
> notice that jobs no longer show the ClassAd âx509UserProxyVONameâ. The
> following x509 classads are present when running a `condor_q -l *jobid*`
>
> x509UserProxyEmail
>
> x509UserProxyExpiration
>
> x509userproxy
>
> x509userproxysubject
>
> however, ` x509UserProxyVOName` is missing.
>
> This is a problem for us as a large proportion of our Job Transforms use
> this missing ClassAd `x509UserProxyVOName`. Downgrading to Condor
> 9.0.15, the ClassAd is then applied to new incoming jobs. Any help in
> debugging this issue would be gratefully received.
>
> Many thanks,
>
> *Thomas Birkett*
>
> Senior Systems Administrator
>
> Scientific Computing Department
>
> Science and Technology Facilities Council (STFC)
>
> Rutherford Appleton Laboratory, Chilton, Didcot
> OX11 0QX
>
> signature_609518872
>
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx
<mailto:htcondor-users-request@xxxxxxxxxxx>with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_mailman_listinfo_htcondor-2Dusers&d=DwMF-g&c=gRgGjJ3BkIsb5y6s49QqsA&r=10BCTK25QMgkMYibLRbpYg&m=Ii-vGINPPvYO_OB8j9kwzo37FRrU5emX9TVwSScU0b5nC8T25o6WIN8rUD13T7Lz&s=v41IBNAzKvgHwuhqoiOcaB8X9TFFkqfdfh9Nf9D5_kI&e=>
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/ <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_archive_htcondor-2Dusers_&d=DwMF-g&c=gRgGjJ3BkIsb5y6s49QqsA&r=10BCTK25QMgkMYibLRbpYg&m=Ii-vGINPPvYO_OB8j9kwzo37FRrU5emX9TVwSScU0b5nC8T25o6WIN8rUD13T7Lz&s=y8Q3ULTcx-kPtwmnEoLdxTVM8AdXeT6v9vjFUpIvvw4&e=>
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to
htcondor-users-request@xxxxxxxxxxx
<mailto:htcondor-users-request@xxxxxxxxxxx>Âwith a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_mailman_listinfo_htcondor-2Dusers&d=DwMF-g&c=gRgGjJ3BkIsb5y6s49QqsA&r=10BCTK25QMgkMYibLRbpYg&m=Ii-vGINPPvYO_OB8j9kwzo37FRrU5emX9TVwSScU0b5nC8T25o6WIN8rUD13T7Lz&s=v41IBNAzKvgHwuhqoiOcaB8X9TFFkqfdfh9Nf9D5_kI&e=>
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/ <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_archive_htcondor-2Dusers_&d=DwMF-g&c=gRgGjJ3BkIsb5y6s49QqsA&r=10BCTK25QMgkMYibLRbpYg&m=Ii-vGINPPvYO_OB8j9kwzo37FRrU5emX9TVwSScU0b5nC8T25o6WIN8rUD13T7Lz&s=y8Q3ULTcx-kPtwmnEoLdxTVM8AdXeT6v9vjFUpIvvw4&e=>
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to
htcondor-users-request@xxxxxxxxxxx
<mailto:htcondor-users-request@xxxxxxxxxxx>Âwith a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_mailman_listinfo_htcondor-2Dusers&d=DwQF-g&c=gRgGjJ3BkIsb5y6s49QqsA&r=10BCTK25QMgkMYibLRbpYg&m=Ii-vGINPPvYO_OB8j9kwzo37FRrU5emX9TVwSScU0b5nC8T25o6WIN8rUD13T7Lz&s=v41IBNAzKvgHwuhqoiOcaB8X9TFFkqfdfh9Nf9D5_kI&e=>
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_archive_htcondor-2Dusers_&d=DwQF-g&c=gRgGjJ3BkIsb5y6s49QqsA&r=10BCTK25QMgkMYibLRbpYg&m=Ii-vGINPPvYO_OB8j9kwzo37FRrU5emX9TVwSScU0b5nC8T25o6WIN8rUD13T7Lz&s=y8Q3ULTcx-kPtwmnEoLdxTVM8AdXeT6v9vjFUpIvvw4&e=>
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message tohtcondor-users-request@xxxxxxxxxxx <mailto:htcondor-users-request@xxxxxxxxxxx> with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users <https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users>
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/ <https://lists.cs.wisc.edu/archive/htcondor-users/>
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx
<mailto:htcondor-users-request@xxxxxxxxxxx> with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
<https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users>
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
<https://lists.cs.wisc.edu/archive/htcondor-users/>
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif){kind=logo}