[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Simplest way to change ulimit for all new jobs

Hi Todd,

Thanks for the hint about sysconfig. That's fantastic.

I've implemented the profile.d change (mine was trying to source it, but as Christophe mentioned, you also have to lower the soft limit first), and have also implemented the sysconfig measure so that when I drain the nodes, it will be a permanent fix.


Sean Crosby
Research Computing | CoEPPÂ| School of Physics
Senior System Administrator |ÂHPC | Research Platform Services
University of Melbourne

On Fri, 5 Oct 2018 at 03:38, Todd Tannenbaum <tannenba@xxxxxxxxxxx> wrote:
On 10/4/2018 6:54 AM, Sean Crosby wrote:
> Hi all,
> As I'm sure most of you are aware, there is a security bug with the RHEL
> kernels (CVE-2018-14634) which needs to be patched.
> As there is no new kernel for RHEL 6 yet, the mitigation is to reduce
> the stack size ulimit (ulimit -Hs 16000000)
> I have tried adding the stack size ulimit to profile.d on the worker
> node, but jobs run via HTCondor are not picking this value up.
> Does anyone have an easy way to ensure jobs (and their child processes)
> pick up the new stack size hard limit?
> Jobs are being submitted via ARC-CE, if that helps.
> Cheers,
> Sean

Hi Sean,

For the above, assuming you installed HTCondor from system packages, here is the CVE-2018-14634 mitigation for HTCondor that I recommend -

** For HTCondor v8.6.x+ installed from RPMs on RHEL6, SL6, Centos6 (i.e. distros running init):

As root run the following commands:

 Âsed -i 's/ULIMIT_FLAGS=.*/ULIMIT_FLAGS="-Hs 16000000"/' /etc/sysconfig/condor
 Âservice condor restart

** For HTCondor v8.6.x+ installed from RPMs or DEBs on RHEL7, Centos7, SL7, Debian, or Ubuntu (i.e. distros running systemd):

As root run the following commands:

 mkdir /etc/systemd/system/condor.service.d
 echo -e '[Service]\nLimitSTACK=16G\n' > /etc/systemd/system/condor.service.d/CVE-2018-14634.conf
 systemctl restart condor

Comments/concerns welcome. Hope the above helps.Â


Todd Tannenbaum <tannenba@xxxxxxxxxxx> University of Wisconsin-Madison
Center for High Throughput Computing ÂDepartment of Computer Sciences
HTCondor Technical Lead        1210 W. Dayton St. Rm #4257