On 10/4/2018 6:54 AM, Sean Crosby wrote:
Hi all,
As I'm sure most of you are aware, there is a security bug with the RHEL
kernels (CVE-2018-14634) which needs to be patched.
As there is no new kernel for RHEL 6 yet, the mitigation is to reduce
the stack size ulimit (ulimit -Hs 16000000).
I have tried adding the stack size ulimit to profile.d on the worker
node, but jobs run via HTCondor are not picking this value up.
Does anyone have an easy way to ensure jobs (and their child processes)
pick up the new stack size hard limit?
Jobs are being submitted via ARC-CE, if that helps.
Cheers,
Sean
Hi Sean,
For the above, assuming you installed HTCondor from system packages, here is the CVE-2018-14634 mitigation for HTCondor that I recommend -
** For HTCondor v8.6.x+ installed from RPMs on RHEL6, SL6, CentOS 6 (i.e. distros running init):
As root run the following commands:
sed -i 's/ULIMIT_FLAGS=.*/ULIMIT_FLAGS="-Hs 16000000"/' /etc/sysconfig/condor
service condor restart
** For HTCondor v8.6.x+ installed from RPMs or DEBs on RHEL7, CentOS 7, SL7, Debian, or Ubuntu (i.e. distros running systemd):
As root run the following commands:
mkdir /etc/systemd/system/condor.service.d
echo -e '[Service]\nLimitSTACK=16G\n' > /etc/systemd/system/condor.service.d/CVE-2018-14634.conf
systemctl restart condor
Comments/concerns welcome. Hope the above helps.
regards,
Todd
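The reason the profile.d approach in the original question does not work is that rlimits are inherited down the process tree: a job gets its limits from condor_starter, which gets them from condor_master, and none of those are login shells that read profile.d. Todd's two recipes set the limit on condor_master instead. The following is an added example, not code from the thread or from the HTCondor project: it wraps the two edits as functions that take the file path as a parameter (so they can be exercised against a scratch directory before touching /etc), and adds the check Sean asked for, a small script you can submit as a job's executable to confirm the hard stack limit actually reached the job. The function names and the CVE-2018-14634.conf file name are this example's own choices.

```shell
#!/bin/sh
# Added example: apply the HTCondor stack-limit mitigation to files you name,
# and verify from inside a job that the limit was inherited.
# Nothing here touches /etc unless you pass a path under /etc.

# Init-script case: set ULIMIT_FLAGS in a sysconfig-style file.
# $1 = path to the sysconfig file (e.g. /etc/sysconfig/condor)
# $2 = hard stack limit in KiB (ulimit -Hs units)
apply_sysconfig_limit() {
    file=$1; kb=$2
    if grep -q '^ULIMIT_FLAGS=' "$file" 2>/dev/null; then
        # Same substitution as the sed in the thread, written portably
        # (no reliance on GNU sed -i).
        sed "s/^ULIMIT_FLAGS=.*/ULIMIT_FLAGS=\"-Hs ${kb}\"/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        # The one-line sed is a silent no-op when the variable is absent,
        # so append it rather than leave the file unchanged.
        printf 'ULIMIT_FLAGS="-Hs %s"\n' "$kb" >> "$file"
    fi
}

# systemd case: write a drop-in for condor.service.
# $1 = drop-in directory (e.g. /etc/systemd/system/condor.service.d)
# $2 = LimitSTACK value as systemd parses it (e.g. 16G)
write_systemd_dropin() {
    dir=$1; limit=$2
    mkdir -p "$dir"
    printf '[Service]\nLimitSTACK=%s\n' "$limit" > "$dir/CVE-2018-14634.conf"
}

# Hard stack limit of the current process in KiB, or "unlimited".
stack_hard_limit_kb() {
    ulimit -Hs
}

# Returns 0 only when $1 is a finite limit in KiB no larger than $2.
# "unlimited" (the default on most distros) fails, as does any non-number.
limit_is_ok() {
    value=$1; max_kb=$2
    case $value in
        unlimited|'') return 1 ;;
        *[!0-9]*)     return 1 ;;
    esac
    [ "$value" -le "$max_kb" ]
}

# Job-side check: submit this script as the job executable. It prints the
# limit the job really received and exits non-zero if the mitigation did
# not propagate. /proc/self/limits shows both soft and hard values on Linux.
check_job_stack_limit() {
    max_kb=${1:-16000000}
    cur=$(stack_hard_limit_kb)
    echo "hard stack limit in this process: $cur KiB (max allowed: $max_kb KiB)"
    if [ -r /proc/self/limits ]; then
        grep -i 'max stack' /proc/self/limits || true
    fi
    limit_is_ok "$cur" "$max_kb"
}

# When run directly (e.g. as a submitted job), perform the check.
# Set CHECK_STACK_LIMIT=1 so that sourcing the file for its functions is harmless.
if [ "${CHECK_STACK_LIMIT:-0}" = 1 ]; then
    check_job_stack_limit "${MAX_STACK_KB:-16000000}"
fi
```

Two practical points when using this. First, the job must be submitted after `service condor restart` / `systemctl restart condor`, since already-running starters keep their old limits. Second, the two recipes in the thread are not byte-identical: `ulimit -Hs 16000000` is 16000000 KiB, while systemd parses `LimitSTACK=16G` with a 1024 base, i.e. 16 GiB = 16777216 KiB, so pass the threshold you actually configured as the argument to check_job_stack_limit rather than assuming the default.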