
Re: [HTCondor-users] HTCondor-CE problem with condor_ce_router_q



Hi Stewart,

Try running `condor_ce_config_val -v SEC_CLIENT_AUTHENTICATION_METHODS`; that'll tell you which file is setting that configuration.

- Brian

On 10/18/19 4:08 AM, Stewart Martin-Haugh wrote:
Hi Brian,

I tried this but I still don't see the changed value - I've reconfigured and restarted, and I see:

    condor_ce_config_val -dump | grep SEC_CLIENT_AUTHENTICATION_METHODS
    SEC_CLIENT_AUTHENTICATION_METHODS = GSI,FS

    grep SEC_CLIENT_AUTHENTICATION_METHODS /etc/condor-ce/config.d/ -r
    /etc/condor-ce/config.d/01-common-auth.conf:SEC_CLIENT_AUTHENTICATION_METHODS = FS,GSI
    /etc/condor-ce/config.d/01-common-auth.conf:SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD

I also tried putting it in a different file just in case, same result.

Cheers,
Stewart






On Thu, 17 Oct 2019 at 19:34, Brian Lin <blin@xxxxxxxxxxx> wrote:
Hi Stewart,

I suspect that you may need to configure HTCondor-CE to use the same pool password as the condor pool (as well as enabling PASSWORD auth).

1) So set the following in `/etc/condor-ce/config.d/`:

    SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD
    SEC_PASSWORD_FILE = /etc/condor/private/poolpassword

2) Then run condor_ce_reconfig.

If that doesn't work, we'll need to debug further:

On your central manager, set `COLLECTOR_DEBUG = $(COLLECTOR_DEBUG) D_CAT D_ALWAYS:2 D_SECURITY` and start tailing the log. On your CE host, run `condor_ce_router_q` and you should be able to see corresponding authorization messages in your CM's CollectorLog.

- Brian

On 10/10/19 3:00 PM, Stewart Martin-Haugh wrote:
Hi Brian,

Thanks for the quick response.

    rpm -q htcondor-ce condor
    htcondor-ce-3.2.2-1.el7.noarch
    condor-8.8.4-1.el7.x86_64

No errors on the CE. On the CM I don't see any recent PERMISSION DENIED errors - there are some from earlier today but we've been working on the configuration. Those errors are, for completeness:

    /var/log/condor/CollectorLog:10/10/19 10:59:13 PERMISSION DENIED to condor_pool@xxxxxxxxxxxxxxx from host 111.222.333.444 for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: reason: ADVERTISE_SCHEDD authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 111.222.333.444,host-111-222-333-444.nubes.stfc.ac.uk, hostname size = 1, original ip address = 111.222.333.444
    /var/log/condor/CollectorLog:10/10/19 12:54:24 PERMISSION DENIED to condor_pool@xxxxxxxxxxxxxxx from host 111.222.333.444 for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: reason: ADVERTISE_SCHEDD authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 111.222.333.444,host-111-222-333-444.nubes.stfc.ac.uk, hostname size = 1, original ip address = 111.222.333.444
    /var/log/condor/NegotiatorLog:10/10/19 14:59:57 PERMISSION DENIED to condor_pool@xxxxxxxxxxxxxxx from host 111.222.333.444 for command 421 (Reschedule), access level DAEMON: reason: DAEMON authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 111.222.333.444,host-111-222-333-444.nubes.stfc.ac.uk, hostname size = 1, original ip address = 111.222.333.444

condor_config is as follows:

    ALLOW_DAEMON = condor_pool@xxxxxxxxxxxxxxx/*.gridpp.rl.ac.uk, $(FULL_HOSTNAME), submit-side@matchsession, condor_pool@xxxxxxxxxxxxxxx/host-111-222-333-444.nubes.stfc.ac.uk, 111.222.333.444
    CES = condor_pool@xxxxxxxxxxxxxxx/arc.gridpp.rl.ac.uk,condor_pool@xxxxxxxxxxxxxxx/host-111-222-333-444.nubes.stfc.ac.uk
    COLLECTOR.ALLOW_ADVERTISE_MASTER = $(CES), $(CMS), $(WNS)
    COLLECTOR.ALLOW_ADVERTISE_SCHEDD = $(CES)
    COLLECTOR.ALLOW_ADVERTISE_STARTD = $(WNS)

Cheers,
Stewart


On Thu, 10 Oct 2019 at 16:40, Brian Lin <blin@xxxxxxxxxxx> wrote:
Hi Stewart,

Which HTCondor and HTCondor-CE versions/packages are you running, e.g. `rpm -q htcondor-ce condor`?

Do you see any corresponding PERMISSION_DENIED errors in `/var/log/condor/SchedLog` on your CE host or `/var/log/condor/CollectorLog` on your central manager?

Thanks,
Brian

On 10/10/19 10:24 AM, Stewart Martin-Haugh wrote:
Hi,

We're setting up a HTCondor-CE instance at RAL Tier-1, and we're trying to submit to a central manager.

Checking the job routing gives an error:
    condor_ce_router_q
       JOBS ST Route                GridResource
    Error: Couldn't contact the condor_collector on

condor_ce_status -any returns the expected daemons. We can't see anything else obviously wrong with the configuration.

Cheers,
Stewart

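
Added example, not part of any message in this thread: a Python triage of PERMISSION DENIED lines in the format quoted above, grouping them by identity, host and access level and naming the `ALLOW_*` list to review for each group. The sample lines, the `example.org` identity and the `192.0.2.10` address are constructed placeholders.

```python
import re
from collections import Counter

# Line format as quoted in the thread; the optional "path:" prefix is what
# `grep -r` prepends to each hit.
DENIED = re.compile(
    r"^(?:(?P<log>/\S+?):)?(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) "
    r"PERMISSION DENIED to (?P<identity>\S+) from host (?P<host>\S+) "
    r"for command (?P<num>\d+) \((?P<command>[^)]+)\), "
    r"access level (?P<level>\w+): reason: (?P<reason>.*)$"
)

def parse_denials(lines):
    """Yield a dict of fields for each PERMISSION DENIED line; skip the rest."""
    for line in lines:
        m = DENIED.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(lines):
    """Group denials by (identity, host, access level), most frequent first."""
    counts, commands = Counter(), {}
    for d in parse_denials(lines):
        key = (d["identity"], d["host"], d["level"])
        counts[key] += 1
        commands.setdefault(key, set()).add(d["command"])
    # "check" names the ALLOW_<level> list to review; it may carry a daemon
    # prefix, as COLLECTOR.ALLOW_ADVERTISE_SCHEDD does in the quoted config.
    return [{"identity": i, "host": h, "level": lvl, "count": n,
             "commands": sorted(commands[i, h, lvl]), "check": f"ALLOW_{lvl}"}
            for (i, h, lvl), n in counts.most_common()]

# Constructed sample lines (placeholder identity and documentation address).
_FMT = ("{pre}10/10/19 {t} PERMISSION DENIED to condor_pool@example.org from "
        "host 192.0.2.10 for command {n} ({c}), access level {lvl}: reason: "
        "{lvl} authorization policy contains no matching ALLOW entry for this request")
SAMPLE = [
    _FMT.format(pre="/var/log/condor/CollectorLog:", t="10:59:13", n=1,
                c="UPDATE_SCHEDD_AD", lvl="ADVERTISE_SCHEDD"),
    _FMT.format(pre="/var/log/condor/CollectorLog:", t="12:54:24", n=1,
                c="UPDATE_SCHEDD_AD", lvl="ADVERTISE_SCHEDD"),
    _FMT.format(pre="", t="14:59:57", n=421, c="Reschedule", lvl="DAEMON"),
    "10/10/19 15:00:01 constructed line that is not a denial",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```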