
Re: [HTCondor-users] Simplest way to change ulimit for all new jobs



Restarting HTCondor on a Worker Node kills all currently running jobs. That is my only concern with this method.

bob

On 10/4/2018 1:38 PM, Todd Tannenbaum wrote:
On 10/4/2018 6:54 AM, Sean Crosby wrote:
Hi all,

As I'm sure most of you are aware, there is a security bug with the RHEL
kernels (CVE-2018-14634) which needs to be patched.

As there is no new kernel for RHEL 6 yet, the mitigation is to reduce
the stack size ulimit (ulimit -Hs 16000000)

I have tried adding the stack size ulimit to profile.d on the worker
node, but jobs run via HTCondor are not picking this value up.

Does anyone have an easy way to ensure jobs (and their child processes)
pick up the new stack size hard limit?

Jobs are being submitted via ARC-CE, if that helps.

Cheers,
Sean

Hi Sean,

For the above, assuming you installed HTCondor from system packages, here is the CVE-2018-14634 mitigation for HTCondor that I recommend -


** For HTCondor v8.6.x+ installed from RPMs on RHEL6, SL6, Centos6 (i.e. distros running init):

As root run the following commands:

    sed -i 's/ULIMIT_FLAGS=.*/ULIMIT_FLAGS="-Hs 16000000"/' /etc/sysconfig/condor
    service condor restart

** For HTCondor v8.6.x+ installed from RPMs or DEBs on RHEL7, Centos7, SL7, Debian, or Ubuntu (i.e. distros running systemd):

As root run the following commands:

    mkdir -p /etc/systemd/system/condor.service.d
    echo -e '[Service]\nLimitSTACK=16G\n' > /etc/systemd/system/condor.service.d/CVE-2018-14634.conf
    systemctl daemon-reload   # make systemd read the new drop-in before the restart
    systemctl restart condor



Comments/concerns welcome. Hope the above helps.

regards,
Todd
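
Added example, not part of the thread or of HTCondor: a check that the hard stack limit from the mitigation above actually reached condor_master and the processes it spawned, since resource limits are inherited from the parent process. The function names, the `sample_limits` helper and its constructed values are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): confirm the hard stack limit reached
# condor_master and everything it spawned, by reading /proc/<pid>/limits.

# Ceiling in bytes: 16G as systemd reads LimitSTACK=16G (16 * 1024^3).
# "ulimit -Hs 16000000" is in KiB (16384000000 bytes), so it also passes.
MAX_STACK_BYTES=17179869184

# Print the hard "Max stack size" field of a limits file.
stack_hard_limit() {
    awk '/^Max stack size/ { print $5 }' "$1" 2>/dev/null
}

# Succeed only if the hard limit is numeric and at or below the ceiling.
stack_limit_ok() {
    hard=$(stack_hard_limit "$1") || return 1   # unreadable file
    case "$hard" in
        ''|*[!0-9]*) return 1 ;;                # missing or "unlimited"
    esac
    [ "$hard" -le "${2:-$MAX_STACK_BYTES}" ]
}

# Constructed sample of the relevant /proc/<pid>/limits lines (assumption:
# used only so the functions can be exercised without a running pool).
sample_limits() {
    printf '%-25s %-20s %-20s %s\n' \
        'Limit' 'Soft Limit' 'Hard Limit' 'Units' \
        'Max cpu time' 'unlimited' 'unlimited' 'seconds' \
        'Max stack size' '8388608' "$1" 'bytes'
}

# Walk a process and its descendants, reporting each one.
check_tree() {
    if stack_limit_ok "/proc/$1/limits"; then state=OK; else state=FAIL; fi
    echo "$state pid=$1 hard=$(stack_hard_limit "/proc/$1/limits")"
    for child in $(pgrep -P "$1"); do check_tree "$child"; done
}

# Live check: does nothing when no condor_master is running.
for pid in $(pgrep -x condor_master 2>/dev/null); do check_tree "$pid"; done
```

Run it as root on a worker node after the restart; any FAIL line is a process that still has an unlimited or larger hard stack limit.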