Mailing List Archives

Authenticated access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Myproxy usage clarification

Hello Brian, Jamie and Steven,

Thank you for your replies, I found them quite instructive.
The suggestion about VOMS escalation by Brian can actually do the trick in this case, Iâm going to test it.
Following Jamie reply I think I should have pointed out that I am trying to do everything in the vanilla universe. At this point the integrated use of MyProxy might be out of reach.
I am more on the suggestion by Steven, avoiding putting on the heads of the users the hassle of renewing correctly the delegation. I think performing the renewal on the startd side would be better for our needs, tho. I suppose that this approach can work on any universe. Is it correct?

Thank you in advance and read you soon!

Gabriele Gaetano Fronzà - PhD
gabriele.fronze@xxxxxxxxxx / gfronze@xxxxxxx


INFN, CERN and Elemento Modular Cloud
LinkedIn Github Stack Overflow Spotify


Il giorno 3 dic 2019, alle ore 17:54, Steven C Timm <timm@xxxxxxxx> ha scritto:

We use myproxy at Fermilab but we do it on the schedd side.  We have a dedicated myproxy server from which only our condor_schedd's can 
do myproxy-get-delegation and there is a cron that runs on the schedd to get a new proxy every 12 hours or so, we then let htcondor transmit the
updated proxy to the worker node when the job is running.  This way the users don't have to make sure every job has the right myproxy delegation syntax
in their job.

Steve Timm


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Gabriele Fronzà <gabriele.fronze@xxxxxxxxxx>
Sent: Monday, December 2, 2019 9:18 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] Myproxy usage clarification
 
Hello everyone,

This is my first message to this users mailing list, so Iâd like to say hello to everybody!
I work in the Virgo-LIGO collaboration from the Virgo side and I handle the infrastructural part of offline computing and storage.

I am working on porting a computing task that used to (and still does) run on LSF towards running on an HTC cluster installed in Bologna (CNAF).
One issue I was dealing with was the certificate expiration before computing ended, caused by un-extendible and expiring VOMS extensions.
I just started testing it using the CNAF MyProxy server to delegate proxy renewal and Iâd like to know wether I setup everything correctly or not.

The steps I followed are:
  • myproxy-init on the submit node, picking my custom password (e.g. dummypasswd). The command returns "A proxy valid for 168 hours (7.0 days) for user gfronze now exists on myproxy.cnaf.infn.itâ so I suppose gfronze is my MyProxyCredentialName value.
  • The submit file contains all the following settings:
use_x509userproxy = true
MyProxyCredentialName = gfronze
MyProxyPassword = dummypasswd
MyProxyNewProxyLifetime = 2880
MyProxyRefreshThreshold = 600

  • The line "use_x509userproxy = trueâ was necessary to be able to submit the jobs. My understanding is that I should still launch the jobs using my own proxy, while HTC should contact MyProxy whenever needed to rearm the personal proxy. Am I correct?
  • voms-proxy-init on the submit node.
  • Launch the computing job via "condor_submit -pool ce02-htc.cr.cnaf.infn.it:9619 -remote ce02-htc.cr.cnaf.infn.it -spool test-cw-myproxy.subâ

Is the workflow I am following the right one to make use of MyProxy in HTC?
Do anyone has suggestions on how to handle this expiring proxies+long computation thing other than MyProxy (if MyProxy is not the ideal one)?

Thank you in advance for any reply!
Gabriele Gaetano Fronzà- PhD 
gabriele.fronze@xxxxxxxxxx / gfronze@xxxxxxx

INFN, CERN and Elemento Modular Cloud

Attachment: smime.p7s
Description: S/MIME cryptographic signature