Re: [HTCondor-users] Simplest way to change ulimit for all new jobs

[Todd Tannenbaum <tannenba@xxxxxxxxxxx>]

On 10/4/2018 7:42 AM, Christophe DIARRA wrote:
> Hello Sean,
> 
> I have used an advice from one colleague (Andrea Sartirana 
> <sartiran@xxxxxxxxxxxx>). The idea is to use the USER_JOB_WRAPPER variable.
>

Hi Christophe,

I strongly suggest the init / systemd based mitigation I just posted to this group (copied again below for convenience) instead of a USER_JOB_WRAPPER approach.  

The reason is the USER_JOB_WRAPPER is literally only applied to the job itself, and will not be applied to job pre or post scripts (that can come from the user), ssh_to_job sessions, DAGMan pre/post scripts, or scheduler universe jobs.  
 
regards,
Todd


** For HTCondor v8.6.x+ installed from RPMs on RHEL6, SL6, Centos6 (i.e. distros running init):

As root run the following commands:

   sed -i 's/ULIMIT_FLAGS=.*/ULIMIT_FLAGS="-Hs 16000000"/' /etc/sysconfig/condor
   service condor restart

** For HTCondor v8.6.x+ installed from RPMs or DEBs on RHEL7, Centos7, SL7, Debian, or Ubuntu (i.e. distros running systemd):

As root run the following commands:

  mkdir /etc/systemd/system/condor.service.d
  echo -e '[Service]\nLimitSTACK=16G\n' > /etc/systemd/system/condor.service.d/CVE-2018-14634.conf
  systemctl restart condor