
Re: [HTCondor-users] Migrating to version 8



Dear Todd (and all),

thank you very much for your answer; it has helped me to dig into what was happening. With a fresh install of 8.8.9 from the rpm, when the condor user does not exist, its uid and gid are no longer the same as before.
In all other installs: the uid of condor is 64 and same for gid.
In fresh install: the uid of condor is 985 and gid is 879.
So using FS_REMOTE does not work anymore with the file that was adequate for the condor user of the other machines unless you create a new file for this user; and that may help me to solve part of my problems.
Is there a particular reason for this change in uid / gid of condor?
Best regards,
Xavier

On 19/06/2020 19:39, Todd Tannenbaum wrote:
On 6/19/2020 11:44 AM, Xavier OUVRARD wrote:
Dear all,

I am in the process of migrating to version 8. Some of the nodes are already in version 8.6.11, and everything works perfectly even with the central manager in the latest 7 version.

condor_status and condor_q commands work on that machine

If I push to version 8.8.9 then I am unable to submit jobs; I get errors when submitting of type:

ERROR: Failed to connect to local queue manager
SECMAN:2007:Failed to end classad message.


Is the condor_schedd running on the same machine where you are running condor_submit, or is it remote?

While logged onto the submit machine (presumably the same place where condor_submit gave you the above errors), try the following troubleshooting commands:

First, is the condor_schedd running? Check with "ps auxw | grep condor_schedd" assuming you are on Linux...

Next, condor_ping is a useful tool for debugging this. What do the following commands have to say?

    condor_ping -table READ WRITE
and
    condor_ping -verbose READ WRITE

With condor_ping, it can show what authentication methods the client (condor_submit) is trying, and what method the server is accepting, which could provide some clues...

Also it may be handy if you sent along what sort of security/authentication you are expecting, and/or a dump of your security configuration via the output from the command:

    condor_config_val -v -dump SEC

I have already disabled all security settings in the config.d condor file of the node with:

SEC_CLIENT_AUTHENTICATION=OPTIONAL
SEC_DEFAULT_AUTHENTICATION=OPTIONAL


Note that write operations with the job queue (e.g. submitting jobs with condor_submit) will always be authenticated unless you explicitly set QUEUE_ALL_USERS_TRUSTED=True in the condor_config file(s) on the submit host. ** I DO NOT RECOMMEND THIS, ESP IF HTCONDOR WAS STARTED AS ROOT, UNLESS YOU REALLY UNDERSTAND THE IMPLICATIONS **, as this could enable anybody with access to the schedd to impersonate other users without any credentials. See the Manual for more info here.

What has changed between 8.6.11 and 8.8.9 on the security side (what has been enforced)?


The Version History and Release Notes section of the manual will always have a section on highlights when upgrading from one stable release to the next; see

https://htcondor.readthedocs.io/en/latest/version-history/upgrading-from-86-to-88-series.html

Hope the above helps,
Todd


--
Xavier Ouvrard-Brunet
(Fellow – HSE-RP-CS) @ CERN
Office 892/2A-12, Prevessins-Moëns site
CERN, Esplanade des Particules, 1
CH-1211 Geneva 23
Tél: +41 22 766 38 92
Personal research page:
www.infos-informatique.net
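
The uid/gid difference reported in this message (64/64 on the existing installs, 985/879 on the fresh one) can be checked across a pool before relying on FS_REMOTE. The script below is an added example, not part of the original message or of HTCondor; it assumes the output of `getent passwd condor` has been collected from each node with the host name prefixed, and the host names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag nodes whose 'condor' account deviates from the expected
# uid:gid. Input on stdin: "<host> <passwd entry>", one line per node
# (assumed to be gathered by running `getent passwd condor` on each node).
condor_id_drift() {
    expected="$1"    # uid:gid used by the existing installs, e.g. 64:64
    awk -v want="$expected" '
        NF == 0 { next }                       # skip blank lines
        {
            host = $1
            # uid and gid are fields 3 and 4, before the free-text GECOS
            # field, so spaces later in the entry do not matter.
            n = split($2, f, ":")
            if (n < 4 || f[1] != "condor") {
                print host " missing"          # no condor entry returned
                next
            }
            got = f[3] ":" f[4]
            if (got != want) print host " " got
        }'
}

# Constructed sample: two nodes like the older installs, one fresh install
# with the ids reported in the message, one node with no condor account.
sample_nodes() {
    cat <<'EOF'
node01 condor:x:64:64:Owner of HTCondor Daemons:/var/lib/condor:/sbin/nologin
node02 condor:x:64:64:Owner of HTCondor Daemons:/var/lib/condor:/sbin/nologin
node03 condor:x:985:879:Owner of HTCondor Daemons:/var/lib/condor:/sbin/nologin
node04
EOF
}

sample_nodes | condor_id_drift 64:64
```

Each output line names a node and the uid:gid it actually has, or `missing` when no condor entry was returned for it.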