Re: [HTCondor-users] Simplest way to change ulimit for all new jobs

[Christophe DIARRA <diarra@xxxxxxxxxxxxx>]

Hello Todd,

I will therefore use your suggestion which brings more protection. But 
it will require to drain the exec nodes first.

Thanks,

Christophe.

Le 04/10/2018 19:44, Todd Tannenbaum a écrit :
> On 10/4/2018 7:42 AM, Christophe DIARRA wrote:
> > Hello Sean,
> >
> > I have used an advice from one colleague (Andrea Sartirana
> > <sartiran@xxxxxxxxxxxx>). The idea is to use the USER_JOB_WRAPPER variable.
> Hi Christophe,
>
> I strongly suggest the init / systemd based mitigation I just posted to this group (copied again below for convenience) instead of a USER_JOB_WRAPPER approach.
>
> The reason is the USER_JOB_WRAPPER is literally only applied to the job itself, and will not be applied to job pre or post scripts (that can come from the user), ssh_to_job sessions, DAGMan pre/post scripts, or scheduler universe jobs.
>   
> regards,
> Todd
>
>
> ** For HTCondor v8.6.x+ installed from RPMs on RHEL6, SL6, Centos6 (i.e. distros running init):
>
> As root run the following commands:
>
>     sed -i 's/ULIMIT_FLAGS=.*/ULIMIT_FLAGS="-Hs 16000000"/' /etc/sysconfig/condor
>     service condor restart
>
> ** For HTCondor v8.6.x+ installed from RPMs or DEBs on RHEL7, Centos7, SL7, Debian, or Ubuntu (i.e. distros running systemd):
>
> As root run the following commands:
>
>    mkdir /etc/systemd/system/condor.service.d
>    echo -e '[Service]\nLimitSTACK=16G\n' > /etc/systemd/system/condor.service.d/CVE-2018-14634.conf
>    systemctl restart condor


--
Christophe DIARRA
Institut de Physique Nucleaire
15 Rue Georges Clemenceau
S2I/D2I - Bat 100A - Piece A108
F91406 ORSAY Cedex
Tel:    +33 (0)1 69 15 65 60 / +33 (0)6 31 26 23 69
Fax:    +33 (0)1 69 15 64 70 / E-mail: diarra@xxxxxxxxxxxxx