Mailing List Archives

Authenticated access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Simplest way to change ulimit for all new jobs


The HTCondor team will be releasing a mitigation for HTCondor jobs very soon.  From what we understand, this USER_JOB_WRAPPER approach will work. One could also set the stack ulimit on the condor_master in the init script for el6 or in the systemd unit file for el7, and all condor daemons and jobs will inherit that limit.



On 10/04/2018 07:42 AM, Christophe DIARRA wrote:
Hello Sean,

I have used an advice from one colleague (Andrea Sartirana <sartiran@xxxxxxxxxxxx>). The idea is to use the USER_JOB_WRAPPER variable.

In your condor config file on the execute nodes (example /etc/condor/config.d/<your config file>.conf), please add:

USER_JOB_WRAPPER=/usr/local/user_job_wrapper.sh

In /usr/local/user_job_wrapper.sh, in my case I have:

#!/bin/bash
ulimit -Ss 16000000
ulimit -Hs 16000000
exec "$@"

N.B.: When I used only 'ulimit -Hs 16000000', I had the error message "limit: stack size: cannot modify limit: Invalid argument" because by default on the exec nodes the soft and hard limit were both set to 'unlimited'. Because the hard limit can't be lowered while the soft limit remains unlimited, I had to change the soft limit before the hard one.

There may be are better solutions, but the above seems to work.

Hope this will help,

Cheers,

Christophe.


Le 04/10/2018 13:54, Sean Crosby a écrit :
Hi all,

As I'm sure most of you are aware, there is a security bug with the RHEL kernels (CVE-2018-14634) which needs to be patched.

As there is no new kernel for RHEL 6 yet, the mitigation is to reduce the stack size ulimit (ulimit -Hs 16000000)

I have tried adding the stack size ulimit to profile.d on the worker node, but jobs run via HTCondor are not picking this value up.

Does anyone have an easy way to ensure jobs (and their child processes) pick up the new stack size hard limit?

Jobs are being submitted via ARC-CE, if that helps.

Cheers,
Sean

--
Sean Crosby
Research Computing | CoEPP | School of Physics
Senior System Administrator | HPC | Research Platform Services
University of Melbourne


_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/


-- 
Christophe DIARRA
Institut de Physique Nucleaire
15 Rue Georges Clemenceau
S2I/D2I - Bat 100A - Piece A108
F91406 ORSAY Cedex
Tel:    +33 (0)1 69 15 65 60 / +33 (0)6 31 26 23 69
Fax:    +33 (0)1 69 15 64 70 / E-mail: diarra@xxxxxxxxxxxxx



_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/