
Re: [HTCondor-users] CONDOR_IDS = 0.0 and "user" jobs



I believe the ARC-CE documentation is mistaken. CONDOR_IDS sets what effective uid the HTCondor daemons will have most of the time. By default, this will be the "condor" user account, which is almost always the correct setting. When necessary, the daemons will switch their euid to "root" for operations that require it (e.g. accessing system credentials) or to the job owner's account to access job-related files or execute the job.

Submitting jobs as "root" isn't allowed because jobs are owned by (and executed as) the account that submitted them and HTCondor has a hard restriction to not run jobs as root.

 - Jaime

> On Jun 18, 2025, at 5:29 AM, Dirk Sammel <dirk.sammel@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> 
> Dear experts,
> 
> we're operating an ARC-CE with HTCondor as LRMS.
> According to the ARC documentation "CONDOR_IDS has to be 0.0, so that Condor will be run as root and can then access the Grid job's session directories (needed to extract various information from the job log)." (https://urldefense.com/v3/__https://www.nordugrid.org/arc/arc6/admins/details/lrms.html*id5__;Iw!!Mak6IKo!Lmr05BSi2G6xEdxJTEGVdf3iMlk0yYbVRQA1dojO3_TUb0jTk5hztcIfJh0hqYtg4ACMAtCDRCq8D7_igmBDGSejDZnrK9WVIqMs$ )
> 
> Now we wanted to submit some test jobs directly to HTCondor, but we see this in the ShadowLog:
> 
> 06/18/25 06:49:15 (1565096.0) (1241574): ERROR: Attempt to initialize user_priv with root privileges rejected
> 06/18/25 06:49:15 (1565096.0) (1241574): init_user_ids() failed as user dsadmin
> 06/18/25 06:49:15 (1565096.0) (1241574): ERROR "Programmer Error: attempted switch to user privilege, but user ids are not initialized" at line 1605 in file /var/lib/condor/execute/slot1/dir_2606725/userdir/build-qRBc1D/BUILD/condor-24.0.7/src/condor_utils/uids.cpp
> 
> 
> We also tried to submit as root, but then we get
> 
> ERROR: Failed to commit job submission into the queue.
> ERROR: Setting job owner to "root" is not permitted
> 
> 
> I found an old mail thread (https://www-auth.cs.wisc.edu/lists/htcondor-users/2017-March/msg00113.shtml ) and if I understand it correctly, the source of our issue is CONDOR_IDS = 0.0.
> It is also mentioned in the mail thread (and in the HTCondor documentation), that HTCondor switches to root if necessary.
> 
> So my question is: is the claim in the ARC-CE documentation (still) valid, that CONDOR_IDS = 0.0 is necessary or is HTCondor able to read the session directories anyway?
> And if this is really necessary, is there any other solution to our problem?
> 
> Cheers
> Dirk
> 
> 
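An added example, not part of either message and not HTCondor code: a triage script that parses a CONDOR_IDS value (uid.gid) and scans ShadowLog text for the user_priv rejection quoted above, reporting which jobs hit it. The function names, the log-line layout inferred from the quoted lines, and the sample text are assumptions made for this example.

```python
import re

# Constructed sample: the ShadowLog lines quoted in the thread (source path
# dropped from the third one), plus one constructed unrelated line.
SAMPLE_SHADOWLOG = """\
06/18/25 06:49:15 (1565096.0) (1241574): ERROR: Attempt to initialize user_priv with root privileges rejected
06/18/25 06:49:15 (1565096.0) (1241574): init_user_ids() failed as user dsadmin
06/18/25 06:49:15 (1565096.0) (1241574): ERROR "Programmer Error: attempted switch to user privilege, but user ids are not initialized"
06/18/25 06:50:02 (1565097.0) (1241601): constructed unrelated message
"""

# Layout taken from the quoted lines: timestamp (cluster.proc) (pid): message
LINE_RE = re.compile(r"^\S+ \S+ \((\d+\.\d+)\) \(\d+\): (.*)$")
REJECTED = "Attempt to initialize user_priv with root privileges rejected"
FAILED_RE = re.compile(r"init_user_ids\(\) failed as user (\S+)")


def parse_condor_ids(value):
    """Split a CONDOR_IDS value of the form 'uid.gid' into two integers."""
    uid, sep, gid = value.strip().partition(".")
    if not sep or not uid.isdigit() or not gid.isdigit():
        raise ValueError(f"expected uid.gid, got {value!r}")
    return int(uid), int(gid)


def root_priv_rejections(log_text):
    """Return {job_id: user} for jobs whose shadow logged the rejection."""
    rejected, users = set(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-job shadow line in the assumed layout
        job, msg = m.groups()
        if REJECTED in msg:
            rejected.add(job)
        failed = FAILED_RE.search(msg)
        if failed:
            users[job] = failed.group(1)
    return {job: users.get(job) for job in sorted(rejected)}


def diagnose(condor_ids, log_text):
    """List findings: a root CONDOR_IDS uid and every affected job."""
    uid, _gid = parse_condor_ids(condor_ids)
    findings = ["CONDOR_IDS uid is 0 (root)"] if uid == 0 else []
    for job, user in root_priv_rejections(log_text).items():
        findings.append(f"job {job}: user_priv init rejected as user {user}")
    return findings
```

In practice the first argument would come from `condor_config_val CONDOR_IDS` and the second from the ShadowLog file on the submit host.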