Mailing List Archives
Public Access
|
|
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Condor-users] Condor doesn't appear to respect X509_USER_PROXY
- Date: Tue, 24 Aug 2010 15:18:17 -0400
- From: Peter Doherty <doherty@xxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Condor-users] Condor doesn't appear to respect X509_USER_PROXY
On Aug 24, 2010, at 14:03 , Jaime Frey wrote:
> On Aug 24, 2010, at 12:50 PM, Ian Stokes-Rees wrote:
>
>> On 8/24/10 12:56 PM, Jaime Frey wrote:
>>> On Aug 24, 2010, at 10:56 AM, Ian Stokes-Rees wrote:
>>>
>>>> I have my X509_USER_PROXY pointing to a valid proxy cert in my
>>>> NFS-mounted home directory (/nfs/home/ijstokes/.globus/x509up_u1004),
>>>> but condor seems to insist on looking for it in /tmp, despite what the
>>>> docs say here:
>>>>
>>>> http://www.cs.wisc.edu/condor/manual/v7.4/3_6Security.html
>>>>
>>>> I can copy the proxy cert to /tmp, but I need it in the NFS location for
>>>> other services on other hosts, and copying it around is just asking for
>>>> problems later, when one expires, and the other is renewed/updated.
>>>>
>>>> Is this a bug, or am I doing something wrong? Trace below.
>>>
>>> The problem is that by default, the environment variables that exist when you run condor_submit aren't propagated to the environment that the condor_dagman job runs under. So when condor_dagman runs condor_submit to run jobs in the dag, condor_submit doesn't see X509_USER_PROXY.
>>>
>>> You have two options:
>>> 1) Do as Zach suggests and set x509userproxy in the dag node submit files.
>>
>> I should have mentioned that I already do this in the classad files referenced by the DAG:
>>
>> X509userproxy = /nfs/home/ijstokes/.globus/x509up_u1004
>>
>> So that doesn't solve the problem, although perhaps if I took the intermediate DAG classad, modified it to include this, and submitted that, then it would work.
>
> If your submit files contain the x509userproxy attribute, then that's the file Condor will use, regardless of the default proxy or X509_USER_PROXY environment variable.
>
>>> 2) Use the -import_env argument to condor_submit_dag.
>>
>> I'll give it a try. Why wouldn't this be the default? The sub-processes squash the environment they automatically inherit from their parent?
>
> Maybe it should be the default. But it won't happen automatically, because condor_dagman is spawned by condor_schedd. There's no direct connection back to your user environment. condor_submit_dag needs to explicitly copy your environment into the job description of the dagman job.
>
> Thanks and regards,
> Jaime Frey
> UW-Madison Condor Team
What does "_CONDOR_X509USERPROXY=" in the environment control?
Peter