
Re: [HTCondor-users] permission denied



Hi Justin,

Yes, it does matter if the domain isn't real unless you set TRUST_UID_DOMAIN:
https://htcondor.readthedocs.io/en/latest/admin-manual/configuration-macros.html#TRUST_UID_DOMAIN

"As an added security precaution when HTCondor is about to spawn a job, it ensures that the UID_DOMAIN of a given access point is a substring of that machine's fully-qualified host name."

Note that if you set FILESYSTEM_DOMAIN to be the same on your APs and EPs, then condor assumes the same files exist at the same locations on both machines, and file transfer will not occur unless the job specifically asks for file transfer.

Jason

On Wed, Sep 24, 2025 at 11:57 AM Justin Killebrew via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
Thanks Benedikt.

I added/changed the configs on each machine so that condor_config_val UID_DOMAIN and FILESYSTEM_DOMAIN return the same thing: timehole.org. Now the jobs can't even write the output and error files and are held immediately with HOLD_REASON Failed to open [output file] as standard output: Permission denied (errno 13).

In the central manager (CM) and execution point (EP) /etc/condor/condor_config file I added:
  ALLOW_WRITE = *.timehole.org
  UID_DOMAIN = timehole.og
  FILESYSTEM_DOMAIN = timehole.org
The CM is also the access point/submit machine.

Both EPs have CONDOR_HOST = bench9.timehole.org in the /etc/condor/config.d/01-execute.config file. Both can resolve bench9.timehole.org via the /etc/host file. The CM also has CONDOR_HOST = bench9.timehole.org in the /etc/condor/config.d/01-central-manager.config file.

The nfs/autofs configuration seems correct to me - I can login to each machine and read/write the shared home directory.

Does it matter that the domain name, timehole.org, isn't real? I manually edited the /etc/hosts file so the CM can resolve the fake FQDN of each EP.

JK



On Sep 24, 2025, at 10:25 AM, Benedikt Riedel <briedel@xxxxxxxxxxxxxxxx> wrote:

On Wed, Sep 24, 2025 at 9:19 AM Justin Killebrew via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
Hello. My blender rendering job cannot write the output to my home directory. Using whoami in the script shows the user is nobody and so the write fails with permission denied. The output and error files are written properly so I guess that is done under my account. I have autofs configured to share the home directory. I'm able to run a simple shell script job without issues so I think it is set up properly.

How can I specify/control the user that executes the script? How can the output and error files be written but not the render output?

Thanks,
JK




_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe

The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/


--
Benedikt Riedel
IceCube Neutrino Observatory
Accelerated AI Algorithms for Data-Driven Discovery
University of Wisconsin-Madison
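
The UID_DOMAIN check quoted from the manual in the top reply, sketched as an added shell example (not written by anyone in this thread and not HTCondor's own code). It assumes a default pool where a job that fails the check runs as nobody, treats names case-insensitively, and uses hypothetical function names; the sample values are constructed from the names mentioned in the thread.

```shell
#!/bin/sh
# Model of the rule: the EP accepts the AP's UID_DOMAIN only if both sides
# configure the same value and, unless TRUST_UID_DOMAIN is true, that value
# is a substring of the AP's fully-qualified host name.
# On a live pool the inputs come from "condor_config_val UID_DOMAIN" and
# "condor_config_val TRUST_UID_DOMAIN" on each machine, plus the host name
# the EP resolves for the AP's address.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# uid_domain_trusted UID_DOMAIN AP_HOSTNAME TRUST_UID_DOMAIN
# Returns 0 when the substring check passes or is switched off.
uid_domain_trusted() {
    dom=$(lower "$1"); host=$(lower "$2"); trust=$(lower "$3")
    [ -n "$dom" ] || return 1            # an empty domain never matches
    [ "$trust" = "true" ] && return 0    # check disabled by the admin
    case "$host" in
        *"$dom"*) return 0 ;;            # quoted: literal substring match
        *)        return 1 ;;
    esac
}

# job_user AP_UID_DOMAIN EP_UID_DOMAIN AP_HOSTNAME_SEEN_BY_EP TRUST_UID_DOMAIN
# Prints "owner" or "nobody: <reason>".
job_user() {
    if [ "$(lower "$1")" != "$(lower "$2")" ]; then
        echo "nobody: UID_DOMAIN differs between AP ($1) and EP ($2)"
    elif ! uid_domain_trusted "$1" "$3" "$4"; then
        echo "nobody: UID_DOMAIN $1 is not a substring of AP host name $3"
    else
        echo "owner"
    fi
}

# Constructed cases: matching FQDN, short host name, misspelled domain,
# and the short host name again with TRUST_UID_DOMAIN enabled.
job_user timehole.org timehole.org bench9.timehole.org false
job_user timehole.org timehole.org bench9              false
job_user timehole.og  timehole.og  bench9.timehole.org false
job_user timehole.org timehole.org bench9              true
```

A "nobody" result combined with a shared FILESYSTEM_DOMAIN means the job writes straight to the shared file system as nobody, which is where a Permission denied on the output file would come from.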
