Re: [Condor-users] Condor doesn't appear to respect X509_USER

Mailing List Archives Public Access	UW Madison Computer Sciences Department Computer Systems Lab

On Aug 24, 2010, at 12:50 PM, Ian Stokes-Rees wrote:

On 8/24/10 12:56 PM, Jaime Frey wrote:

On Aug 24, 2010, at 10:56 AM, Ian Stokes-Rees wrote:

I have my X509_USER_PROXY pointing to a valid proxy cert in my
NFS-mounted home directory (/nfs/home/ijstokes/.globus/x509up_u1004),
but condor seems to insist on looking for it in /tmp, despite what the
docs say here:

http://www.cs.wisc.edu/condor/manual/v7.4/3_6Security.html

I can copy the proxy cert to /tmp, but I need it in the NFS location for
other services on other hosts, and copying it around is just asking for
problems later, when one expires, and the other is renewed/updated.

Is this a bug, or am I doing something wrong? Trace below.

The problem is that by default, the environment variables that exist when you run condor_submit aren't propagated to the environment that the condor_dagman job runs under. So when condor_dagman runs condor_submit to run jobs in the dag, condor_submit doesn't see X509_USER_PROXY.

You have two options:

1) Do as Zach suggests and set x509userproxy in the dag node submit files.

I should have mentioned that I already do this in the classad files referenced by the DAG:

X509userproxy = /nfs/home/ijstokes/.globus/x509up_u1004

So that doesn't solve the problem, although perhaps if I took the intermediate DAG classad, modified it to include this, and submitted that, then it would work.

If your submit files contain the x509userproxy attribute, then that's the file Condor will use, regardless of the default proxy or X509_USER_PROXY environment variable.

2) Use the -import_env argument to condor_submit_dag.

I'll give it a try. Why wouldn't this be the default? The sub-processes squash the environment they automatically inherit from their parent?

Mailing List Archives

Public Access

Re: [Condor-users] Condor doesn't appear to respect X509_USER_PROXY