I believe the ARC-CE documentation is mistaken. CONDOR_IDS sets what
effective uid the HTCondor daemons will have most of the time. By
default, this will be the “condor” user account, which is almost
always the correct setting. When necessary, the daemons will switch
their euid to “root” for operations that require it (e.g. accessing
system credentials) or to the job owner’s account to access
job-related files or execute the job.
Submitting jobs as “root” isn’t allowed because jobs are owned by
(and executed as) the account that submitted them and HTCondor has a
hard restriction to not run jobs as root.
 - Jaime
On Jun 18, 2025, at 5:29 AM, Dirk Sammel
<dirk.sammel@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Dear experts,
we're operating an ARC-CE with HTCondor as LRMS.
According to the ARC documentation "CONDOR_IDS has to be 0.0, so
that Condor will be run as root and can then access the Grid job’s
session directories (needed to extract various information from the
job log)."
(https://urldefense.com/v3/__https://www.nordugrid.org/arc/arc6/admins/details/lrms.html*id5__;Iw!!Mak6IKo!Lmr05BSi2G6xEdxJTEGVdf3iMlk0yYbVRQA1dojO3_TUb0jTk5hztcIfJh0hqYtg4ACMAtCDRCq8D7_igmBDGSejDZnrK9WVIqMs$
)
Now we wanted to submit some test jobs directly to HTCondor, but we
see this in the ShadowLog:
06/18/25 06:49:15 (1565096.0) (1241574): ERROR: Attempt to
initialize user_priv with root privileges rejected
06/18/25 06:49:15 (1565096.0) (1241574): init_user_ids() failed as
user dsadmin
06/18/25 06:49:15 (1565096.0) (1241574): ERROR "Programmer Error:
attempted switch to user privilege, but user ids are not
initialized" at line 1605 in file
/var/lib/condor/execute/slot1/dir_2606725/userdir/build-qRBc1D/BUILD/condor-24.0.7/src/condor_utils/uids.cpp
We also tried to submit as root, but then we get
ERROR: Failed to commit job submission into the queue.
ERROR: Setting job owner to "root" is not permitted
I found an old mail thread
(https://www-auth.cs.wisc.edu/lists/htcondor-users/2017-March/msg00113.shtml
) and if I understand it correctly, the source of our issue is
CONDOR_IDS = 0.0.
It is also mentioned in the mail thread (and in the HTCondor
documentation), that HTCondor switches to root if necessary.
So my question is: is the claim in the ARC-CE documentation (still)
valid, that CONDOR_IDS = 0.0 is necessary or is HTCondor able to
read the session directories anyway?
And if this is really necessary, is there any other solution to our
problem?
Cheers
Dirk
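
Added example, not part of either message in the thread and not HTCondor or ARC code: a small Python check that reads configuration text for a CONDOR_IDS assignment with uid 0 and lists the jobs whose ShadowLog entries show the root user_priv rejection quoted above. The function names are hypothetical, the config fragment is constructed, and the log field layout (job id, then pid, in parentheses) is an assumption read off the two lines in the thread.

```python
import re

# Constructed sample config fragment with the setting discussed in the thread.
SAMPLE_CONFIG = """\
CONDOR_IDS = 0.0
"""

# ShadowLog lines taken from the thread, with the mail line wrapping undone.
SAMPLE_SHADOWLOG = """\
06/18/25 06:49:15 (1565096.0) (1241574): ERROR: Attempt to initialize user_priv with root privileges rejected
06/18/25 06:49:15 (1565096.0) (1241574): init_user_ids() failed as user dsadmin
"""

LOG_RE = re.compile(r"^\S+ \S+ \((\d+\.\d+)\) \((\d+)\): (.*)$")

def condor_ids(config_text):
    """Return (uid, gid) from the last CONDOR_IDS assignment, or None if unset."""
    found = None
    for line in config_text.splitlines():
        m = re.match(r"\s*CONDOR_IDS\s*=\s*(\d+)\.(\d+)\s*$", line, re.IGNORECASE)
        if m:
            found = (int(m.group(1)), int(m.group(2)))  # later assignments win
    return found

def rejected_jobs(log_text):
    """Map job id -> submitting user for jobs whose shadow refused root user_priv."""
    rejected, users = set(), {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip continuation lines and anything in another format
        job, _pid, msg = m.groups()
        if "initialize user_priv with root privileges rejected" in msg:
            rejected.add(job)
        u = re.search(r"init_user_ids\(\) failed as user (\S+)", msg)
        if u:
            users[job] = u.group(1)
    return {job: users.get(job) for job in sorted(rejected)}

def diagnose(config_text, log_text):
    """Collect findings; reports both observations, does not prove causality."""
    ids = condor_ids(config_text)
    findings = []
    if ids and ids[0] == 0:
        findings.append("CONDOR_IDS sets daemon uid 0 instead of the 'condor' account")
    for job, user in rejected_jobs(log_text).items():
        findings.append(f"job {job} (user {user}): shadow rejected root user_priv")
    return findings

if __name__ == "__main__":
    print(*diagnose(SAMPLE_CONFIG, SAMPLE_SHADOWLOG), sep="\n")
```

On a live host, the effective value can be fed in from `condor_config_val CONDOR_IDS` rather than from a config file fragment.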
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx
with a
subject: Unsubscribe
Join us in June at Throughput Computing 25:
https://urldefense.com/v3/__https://osg-htc.org/htc25__;!!Mak6IKo!Lmr05BSi2G6xEdxJTEGVdf3iMlk0yYbVRQA1dojO3_TUb0jTk5hztcIfJh0hqYtg4ACMAtCDRCq8D7_igmBDGSejDZnrKzI-Nw--$
The archives can be found at:
https://www-auth.cs.wisc.edu/lists/htcondor-users/