
Re: [HTCondor-users] Simplest way to change ulimit for all new jobs



Hi Todd,

Thanks for the hint about sysconfig. That's fantastic.

I've implemented the profile.d change (mine was trying to source it, but as Christophe mentioned, you also have to lower the soft limit first), and have also implemented the sysconfig measure so that when I drain the nodes, it will be a permanent fix.

Cheers,
Sean

--
Sean Crosby
Research Computing | CoEPP | School of Physics
Senior System Administrator | HPC | Research Platform Services
University of Melbourne


On Fri, 5 Oct 2018 at 03:38, Todd Tannenbaum <tannenba@xxxxxxxxxxx> wrote:
On 10/4/2018 6:54 AM, Sean Crosby wrote:
> Hi all,
>
> As I'm sure most of you are aware, there is a security bug with the RHEL
> kernels (CVE-2018-14634) which needs to be patched.
>
> As there is no new kernel for RHEL 6 yet, the mitigation is to reduce
> the stack size ulimit (ulimit -Hs 16000000)
>
> I have tried adding the stack size ulimit to profile.d on the worker
> node, but jobs run via HTCondor are not picking this value up.
>
> Does anyone have an easy way to ensure jobs (and their child processes)
> pick up the new stack size hard limit?
>
> Jobs are being submitted via ARC-CE, if that helps.
>
> Cheers,
> Sean
>

Hi Sean,

For the above, assuming you installed HTCondor from system packages, here is the CVE-2018-14634 mitigation for HTCondor that I recommend -


** For HTCondor v8.6.x+ installed from RPMs on RHEL6, SL6, Centos6 (i.e. distros running init):

As root run the following commands:

 sed -i 's/ULIMIT_FLAGS=.*/ULIMIT_FLAGS="-Hs 16000000"/' /etc/sysconfig/condor
 service condor restart

** For HTCondor v8.6.x+ installed from RPMs or DEBs on RHEL7, Centos7, SL7, Debian, or Ubuntu (i.e. distros running systemd):

As root run the following commands:

 mkdir -p /etc/systemd/system/condor.service.d
 echo -e '[Service]\nLimitSTACK=16G\n' > /etc/systemd/system/condor.service.d/CVE-2018-14634.conf
 systemctl daemon-reload
 systemctl restart condor



Comments/concerns welcome. Hope the above helps.

regards,
Todd


--
Todd Tannenbaum <tannenba@xxxxxxxxxxx> University of Wisconsin-Madison
Center for High Throughput Computing  Department of Computer Sciences
HTCondor Technical Lead        1210 W. Dayton St. Rm #4257
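
One way to confirm that the stack hard limit discussed in this thread actually reached the running daemons and jobs, added here as an example and not part of the original messages: it reads the hard "Max stack size" value from /proc/<pid>/limits. The function names, the constructed sample text and the 16 GiB threshold (the larger of the two values in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the stack hard limit of processes via /proc/<pid>/limits.
# MAX_STACK_BYTES is an assumption: 16 GiB, matching LimitSTACK=16G from the thread.
# "ulimit -Hs 16000000" is in KiB (16384000000 bytes), which is below this value.
MAX_STACK_BYTES=${MAX_STACK_BYTES:-17179869184}

# Print the hard "Max stack size" (bytes or "unlimited") from limits text on stdin.
stack_hard_limit() {
    awk '/^Max stack size/ { print $5; exit }'
}

# Return 0 only if the hard limit on stdin is numeric and <= MAX_STACK_BYTES.
stack_limit_ok() {
    hard=$(stack_hard_limit)
    case "$hard" in
        ''|*[!0-9]*) return 1 ;;   # missing, "unlimited", or unparsable
    esac
    [ "$hard" -le "$MAX_STACK_BYTES" ]
}

# Report every given PID whose stack hard limit is still too high.
audit_pids() {
    rc=0
    for pid in "$@"; do
        f="/proc/$pid/limits"
        [ -r "$f" ] || continue    # process exited or is not readable
        if ! stack_limit_ok < "$f"; then
            echo "pid $pid: stack hard limit is $(stack_hard_limit < "$f")"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the /proc/<pid>/limits layout, for offline checks.
sample_limits() {
    printf '%-25s %-20s %-20s %s\n' 'Limit' 'Soft Limit' 'Hard Limit' 'Units'
    printf '%-25s %-20s %-20s %s\n' 'Max cpu time' unlimited unlimited seconds
    printf '%-25s %-20s %-20s %s\n' 'Max stack size' 8388608 "$1" bytes
}

# Audit only when PIDs are passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_pids "$@"
fi
```

Pass it the PIDs to check, for example the output of `pgrep condor_` together with the PIDs of running job processes; a non-zero exit status means at least one process still has an unlimited or too-large hard limit.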