
Re: [Condor-users] help with MyProxy and Condor



Thank you so much for all your help. I was finally able to see the renew functionality :)

I have another MyProxy+Condor question that I'm hoping you can answer. When you submit a long running job, how do you determine the lifetime of credentials deposited to MyProxy?

Let's consider an example of when a user wants to submit a job but he doesn't know how long the job will run. Say, the user has a long-term credential (say valid for a year). For simplicity, let's assume that the job completes within a year (most likely shorter but again with an unknown lifetime). By default, "myproxy-init -s <host>" will generate proxy creds valid for 7 days, but the "-c" option can specify a lifetime and "-c 0" will create creds that are as long as the user's original creds. OK, now I come to a question: to my understanding, in order for the user to be guaranteed that his credentials don't expire when his job is running, he needs to run "myproxy-init -c 0 <host>" and deposit year-long creds into MyProxy?

Thank you.

Emir Imamagic wrote:

Hi,

in the script you can set x509 proxy with option:
x509userproxy = /tmp/x509_proxy

Full list of job submit options can be found at the following address in Condor manual:
http://www.cs.wisc.edu/condor/manual/v6.7/condor_submit.html

Cheers,
emir

Olga Kornievskaia wrote:
Thanks for your affirmation that the code actually works. However, I'm still unsuccessful in getting it to work.

Do you know if there is an option in the job script to tell it where to find X509 credentials?

I set X509_USER_PROXY to some location (e.g., /tmp/x509_proxy_cred) that contains a certificate that is valid for 5 mins. Then I submit a job (sleep 600) where I specify MyProxyHost, MyProxyCredentialName, and MyProxyPassword (prior to that I've done the myproxy-init, that now has a 7-day valid proxy). When I submit the job, I look in /tmp/Gridmanager.<username> and see that it takes X509_USER_PROXY to be /tmp/x509up_u<uid>. Unfortunately, there actually is a file /tmp/x509up_u<uid> that has a certificate that is used for something else and its lifetime is longer than 5 mins, but I'm trying to test the renewal functionality, therefore I'm trying to point Condor at a different set of credentials.

Once again, any help would be appreciated.

Also, here are some other snippets from the log
.....
4/13 11:41:50 [4745] MyProxy Refresh Threshold 240 (default)
4/13 11:41:50 [4745] MyProxy New Proxy Lifetime 12 (default)
4/13 11:41:50 [4745] Adding new MyProxy entry for proxy /tmp/x509up_u200008 : host=yoga.citi.umich.edu, cred name=condor
.....

4/13 11:44:46 [4745] Checking proxies
4/13 11:44:46 [4745] About to RefreshProxyThruMyProxy() for /tmp/x509up_u200008
4/13 11:44:46 [4745]  GetMyProxyPasswordFromSchedD 68, 0
4/13 11:44:46 [4745] GRIDMANAGER_TIMEOUT_MULTIPLIER is undefined, using default value of 0
4/13 11:44:46 [4745] This process has a valid certificate & key
4/13 11:44:46 [4745] X509_USER_PROXY=/tmp/x509up_u200008
4/13 11:44:46 [4745] Calling /usr/local/globus-4.0.1/bin/myproxy-get-delegation /tmp/x509up_u200008 -v -o /tmp/x509up_u200008 -s yoga.citi.umich.edu -d -t 12 -S -l root -p -1 -k condor



Emir Imamagic wrote:


Hi,

I've been using it for quite a while.

- First you should create a MyProxy wrapper script (e.g. /usr/local/globus-4.0.1/libexec/myproxy-get-delegation.condor):
#!/bin/sh
export LD_LIBRARY_PATH=/usr/local/globus-4.0.1/lib
# Quote "$@" so each argument is passed through unchanged
/usr/local/globus-4.0.1/bin/myproxy-get-delegation "$@"

and set the MYPROXY_GET_DELEGATION option to that instead of directly to the binary /usr/local/globus-4.0.1/bin/myproxy-get-delegation.


- Create MyProxy certificate:
myproxy-init -x -r "<CertSubjectLine>" -l root -k condor -s myproxy.host


- Submit script should be similar to this one:
executable=MyTest
MyProxyHost     = myproxy.host:7512
MyProxyCredentialName = condor
MyProxyPassword = MyPa88word
universe=grid
grid_type=gt2
log=condorG.log
output=MyTest.out
error=MyTest.err
globusscheduler=mygrid.host
queue

- You can also set the MyProxyRefreshThreshold option in the submit script to a large value in order to force Condor to refresh the certificate straight away, and trace the Gridmanager log (/tmp/Gridmanager.<username>) to see what will happen.

Hope this helps,
emir


Olga Kornievskaia wrote:



I was wondering if there is anybody out there who currently has a working setup of Condor that uses MyProxy to renew credentials. If so, I was wondering if you can share some words of wisdom as to how you've come to a working setup. I work for the University of Michigan and we are very interested in using Condor with MyProxy, but I have not been able to submit a "grid_type=gt2" type job which, according to the 6.7 manual, is the type that supports MyProxy.

I'm including the local condor config file. If anybody has some suggestions please let me know. Thanks.

# /usr/local/condor/condor_config.local
CONDOR_HOST = llnl1.citi.umich.edu
RELEASE_DIR = /nfsv4/llnl1/condor
LOCAL_DIR = /usr/local/condor
CONDOR_ADMIN = aglo@xxxxxxxxxxxxxx
MAIL = /bin/mail
UID_DOMAIN = citi.umich.edu
FILESYSTEM_DOMAIN = citi.umich.edu
CONDOR_IDS = 200007.2
LOCK = /tmp/condor-lock.$(HOSTNAME)0.486184851340116
DAEMON_LIST = COLLECTOR, CREDD, MASTER, NEGOTIATOR, SCHEDD, STARTD
MYPROXY_GET_DELEGATION = /usr/local/globus-4.0.1/bin/myproxy-get-delegation
CRED_STORE_DIR = $(LOCAL_DIR)/cred_dir

## GSI Security
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = GSI
GSI_DAEMON_DIRECTORY = $(LOCAL_DIR)/security
GSI_DAEMON_CERT           = $(GSI_DAEMON_DIRECTORY)/hostcert.pem
GSI_DAEMON_KEY            = $(GSI_DAEMON_DIRECTORY)/hostkey.pem
GSI_DAEMON_TRUSTED_CA_DIR = $(GSI_DAEMON_DIRECTORY)/certificates
GSI_DAEMON_NAME = /C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=CITI Production KCA/CN=condor/llnl1.citi.umich.edu@xxxxxxxxxxxxxx/emailAddress=aglo@xxxxxxxxxxxxxx,/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=CITI Production KCA/CN=condor/llnl2.citi.umich.edu@xxxxxxxxxxxxxx/emailAddress=aglo@xxxxxxxxxxxxxx
GRIDMAP = $(GSI_DAEMON_DIRECTORY)/grid-mapfile

## Debug level
ALL_DEBUG = D_SECURITY
GRIDMANAGER_DEBUG = D_FULLDEBUG
CONDOR_GAHP_DEBUG = D_FULLDEBUG
GAHP_DEBUG = D_FULLDEBUG
GT3_GAHP_DEBUG = D_FULLDEBUG
GT4_GAHP_DEBUG = D_FULLDEBUG

## GRID
GRID_MONITOR = $(SBIN)/grid_monitor.sh
GRIDMANAGER = $(SBIN)/condor_gridmanager
ENABLE_GRID_MONITOR = TRUE
GRIDMANAGER_MAX_SUBMITTED_JOBS_PER_RESOURCE=5000
GRIDMANAGER_MAX_PENDING_SUBMITS_PER_RESOURCE=5
GRIDMANAGER_MAX_PENDING_REQUESTS=1000
GRIDMANAGER_GAHP_CALL_TIMEOUT = 900
GRIDMANAGER_GLOBUS_COMMIT_TIMEOUT=3600

#GRIDMANAGER_CHECKPROXY_INTERVAL = 600
GRIDMANAGER_CHECKPROXY_INTERVAL = 180
GRIDMANAGER_MINIMUM_PROXY_TIME = 180

GRID_MONITOR_HEARTBEAT_TIMEOUT = 300
GRID_MONITOR_RETRY_DURATION = 31536000
MAX_GRIDMANAGER_LOG     = 64000

DEFAULT_CRED_EXPIRE_THRESHOLD = 60

GRIDMANAGER_GAHPCLIENT_DEBUG = TRUE
GRIDMANAGER_GAHPCLIENT_DEBUG_SIZE = 32000

CONDOR_GAHP=$(SBIN)/condor_c-gahp
CONDOR_GAHP_LOG=/tmp/CGAHPLog.$(USERNAME)
CONDOR_GAHP_WORKER_THREAD_LOG=/tmp/CGAHPWorkerLog.$(USERNAME)
GAHP = $(SBIN)/gahp_server
GAHP_LOG = /tmp/GAHPLog.$(USERNAME)
GT3_GAHP = $(SBIN)/g3_server
GT3_GAHP_LOG = /tmp/GT3_GAHPLog.$(USERNAME)
GT4_GAHP = $(SBIN)/gt4_gahp
GT4_GAHP_LOG = /tmp/GT4_GAHPLog.$(USERNAME)

_______________________________________________
Condor-users mailing list
Condor-users@xxxxxxxxxxx
https://lists.cs.wisc.edu/mailman/listinfo/condor-users
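
An added example, not part of the original thread or of Condor itself: a small shell check that reads a Gridmanager log and reports which proxy file was actually registered for MyProxy renewal, the mismatch described in the thread above. The function names are hypothetical and the sample log lines are constructed in the format of the excerpt quoted in the thread.

```shell
#!/bin/sh
# Added example. sample_log emits constructed lines in the format of the
# Gridmanager log excerpt quoted in the thread.
sample_log() {
cat <<'EOF'
4/13 11:41:50 [4745] MyProxy Refresh Threshold 240 (default)
4/13 11:41:50 [4745] Adding new MyProxy entry for proxy /tmp/x509up_u200008 : host=yoga.citi.umich.edu, cred name=condor
4/13 11:44:46 [4745] Checking proxies
4/13 11:44:46 [4745] About to RefreshProxyThruMyProxy() for /tmp/x509up_u200008
EOF
}

# Proxy files the gridmanager registered for MyProxy renewal (stdin: log).
registered_proxies() {
    sed -n 's/^.*Adding new MyProxy entry for proxy \([^ ]*\) : host=.*$/\1/p' | sort -u
}

# Proxy files for which a renewal was actually attempted (stdin: log).
refreshed_proxies() {
    sed -n 's/^.*About to RefreshProxyThruMyProxy() for \([^ ]*\).*$/\1/p' | sort -u
}

# check_proxy LOGFILE EXPECTED_PROXY
# Returns 0 if EXPECTED_PROXY is registered for renewal, 1 otherwise.
check_proxy() {
    found=$(registered_proxies < "$1")
    if printf '%s\n' "$found" | grep -Fxq -- "$2"; then
        echo "OK: $2 is registered for MyProxy renewal"
        return 0
    fi
    echo "MISMATCH: $2 is not registered; the log shows:"
    printf '%s\n' "$found" | sed 's/^/  /'
    return 1
}

# Demo on the constructed sample: the intended test proxy is not the one in use.
demo=$(mktemp) && sample_log > "$demo"
check_proxy "$demo" /tmp/x509_proxy_cred || true
rm -f "$demo"
```

Against a real log, call `check_proxy /tmp/Gridmanager.<username>` with the path given in `x509userproxy` as the second argument.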