I believe the ARC-CE documentation is mistaken. CONDOR_IDS sets what effective uid the HTCondor daemons will have most of the time. By default, this will be the “condor” user account, which is almost always the correct setting. When necessary, the daemons will switch their euid to “root” for operations that require it (e.g. accessing system credentials) or to the job owner’s account to access job-related files or execute the job.
Submitting jobs as “root” isn’t allowed because jobs are owned by (and executed as) the account that submitted them and HTCondor has a hard restriction to not run jobs as root.
- Jaime
On Jun 18, 2025, at 5:29 AM, Dirk Sammel <dirk.sammel@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Dear experts,
we're operating an ARC-CE with HTCondor as LRMS.
According to the ARC documentation "CONDOR_IDS has to be 0.0, so that Condor will be run as root and can then access the Grid job’s session directories (needed to extract various information from the job log)." (https://www.nordugrid.org/arc/arc6/admins/details/lrms.html#id5 )
Now we wanted to submit some test jobs directly to HTCondor, but we see this in the ShadowLog:
06/18/25 06:49:15 (1565096.0) (1241574): ERROR: Attempt to initialize user_priv with root privileges rejected
06/18/25 06:49:15 (1565096.0) (1241574): init_user_ids() failed as user dsadmin
06/18/25 06:49:15 (1565096.0) (1241574): ERROR "Programmer Error: attempted switch to user privilege, but user ids are not initialized" at line 1605 in file /var/lib/condor/execute/slot1/dir_2606725/userdir/build-qRBc1D/BUILD/condor-24.0.7/src/condor_utils/uids.cpp
We also tried to submit as root, but then we get
ERROR: Failed to commit job submission into the queue.
ERROR: Setting job owner to "root" is not permitted
I found an old mail thread (https://www-auth.cs.wisc.edu/lists/htcondor-users/2017-March/msg00113.shtml ) and if I understand it correctly, the source of our issue is CONDOR_IDS = 0.0.
It is also mentioned in the mail thread (and in the HTCondor documentation), that HTCondor switches to root if necessary.
So my question is: is the claim in the ARC-CE documentation (still) valid, that CONDOR_IDS = 0.0 is necessary or is HTCondor able to read the session directories anyway?
And if this is really necessary, is there any other solution to our problem?
Cheers
Dirk
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
Join us in June at Throughput Computing 25: https://osg-htc.org/htc25
The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/
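
Added example, not part of the original thread or of HTCondor or ARC: a small Python check that reports whether a configuration text sets CONDOR_IDS to uid 0 and which jobs in a ShadowLog show the root-privilege rejection quoted above. The config sample is constructed, and the parser assumes plain `NAME = value` lines with no includes or macro expansion.

```python
import re

# Constructed sample config (assumption: plain NAME = value lines only).
SAMPLE_CONFIG = """\
# constructed local config fragment
CONDOR_HOST = cm.example.org
CONDOR_IDS = 0.0
"""

# ShadowLog lines as quoted in the thread.
SAMPLE_SHADOWLOG = """\
06/18/25 06:49:15 (1565096.0) (1241574): ERROR: Attempt to initialize user_priv with root privileges rejected
06/18/25 06:49:15 (1565096.0) (1241574): init_user_ids() failed as user dsadmin
"""

# CONDOR_IDS is written as uid.gid; lines starting with '#' never match.
ASSIGN = re.compile(r"^\s*CONDOR_IDS\s*=\s*(\d+)\.(\d+)\s*$", re.IGNORECASE)
REJECT = re.compile(
    r"\((\d+\.\d+)\) \(\d+\): ERROR: Attempt to initialize user_priv "
    r"with root privileges rejected"
)
FAILED = re.compile(r"\((\d+\.\d+)\) \(\d+\): init_user_ids\(\) failed as user (\S+)")


def effective_condor_ids(config_text):
    """Return (uid, gid) from the last CONDOR_IDS assignment, or None if unset."""
    ids = None
    for line in config_text.splitlines():
        m = ASSIGN.match(line)
        if m:
            ids = (int(m.group(1)), int(m.group(2)))  # a later assignment wins
    return ids


def daemons_run_as_root(config_text):
    """True when CONDOR_IDS is set explicitly and its uid is 0."""
    ids = effective_condor_ids(config_text)
    return ids is not None and ids[0] == 0


def rejected_jobs(shadow_log):
    """Map job id -> user for jobs that logged the root-privilege rejection."""
    rejected = set(REJECT.findall(shadow_log))
    return {job: user for job, user in FAILED.findall(shadow_log) if job in rejected}


if __name__ == "__main__":
    print("CONDOR_IDS:", effective_condor_ids(SAMPLE_CONFIG))
    print("daemons run as root:", daemons_run_as_root(SAMPLE_CONFIG))
    print("rejected jobs:", rejected_jobs(SAMPLE_SHADOWLOG))
```

On a live host, the text to feed `effective_condor_ids` can be built from the output of `condor_config_val CONDOR_IDS`, which already reflects includes and overrides.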