Local condor cluster technical setup

HTCondor configuration

Pre-requisites

Global Pool resources need to authenticate with the local condor collector. This requires GSI authentication, so please make sure the following are available on your condor system:

  • An up-to-date grid-mapfile and CA certificates.
  • Optional: A condor_mapfile, if only specific user DNs should be allowed (rather than any user with VO CMS proxy certificates).

grid-mapfile and CA certificates

  • If you don't have a grid-mapfile (usually in: /etc/grid-security/grid-mapfile), please follow these instructions in order to enable a grid-mapfile of VOs on your system.
  • If you don't have CA certificates (usually in: /etc/grid-security/certificates), please follow this guide.
    • Note: If your host has CVMFS available, you can also use the CA certificates from there. More details are in the condor configuration.

condor_mapfile

This is used by condor to allow the authentication of specific DNs. Create this if you would like to restrict the authentication to a certain group of users only.

These Distinguished Names (DN) can be obtained as follows:

Please backslash-escape special characters such as spaces, =, /, etc.

Note: If no condor_mapfile is created, the whole grid-mapfile will be used for the authentication table. In that case, for example, any CMS user mapped to uscms01 can be allowed. This is the default authentication procedure when no condor_mapfile is created.
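
One way to generate a condor_mapfile line with the escaping described above, as an added example that is not part of the original page or of HTCondor. It assumes the map file's three-field line format (method, quoted DN regular expression, local user), anchors the expression with ^ and $ so only the exact DN matches, and uses a constructed DN; the function names are hypothetical.

```python
import re

# Assumed naming rule for the local account the DN is mapped to.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")

def escape_dn(dn):
    """Backslash-escape every non-alphanumeric character (space, =, /, ., ...)."""
    # Reject input that could break out of the quoted field or the line.
    if not dn.startswith("/") or not dn.isascii() or any(c in dn for c in '"\\\n\r'):
        raise ValueError("unexpected DN format: %r" % dn)
    return re.sub(r"[^A-Za-z0-9]", lambda m: "\\" + m.group(0), dn)

def mapfile_entry(dn, user):
    """Build one anchored GSI line: method, quoted DN regex, local user."""
    if not USER_RE.match(user):
        raise ValueError("unexpected user name: %r" % user)
    return 'GSI "^%s$" %s' % (escape_dn(dn), user)

def entry_allows(entry, dn):
    """Check whether a generated entry's regex accepts the given DN."""
    method, pattern, _user = re.match(r'^(\S+) "(.*)" (\S+)$', entry).groups()
    return method == "GSI" and re.search(pattern, dn) is not None

# Constructed sample DN, not a real certificate subject.
SAMPLE_DN = "/DC=org/DC=example/OU=People/CN=Jane Q. Doe/CN=12345"

if __name__ == "__main__":
    entry = mapfile_entry(SAMPLE_DN, "uscms01")
    print(entry)
    # The exact DN is accepted; look-alike DNs are not.
    print(entry_allows(entry, SAMPLE_DN))
    print(entry_allows(entry, SAMPLE_DN + "/CN=extra"))
    print(entry_allows(entry, SAMPLE_DN.replace("Q.", "Qx")))
```

Because the dot in the CN is escaped and the expression is anchored, a DN that differs by one character or carries an extra leading or trailing component is not mapped to the account.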

Configuration

We will need to specify that condor daemons will require GSI authentication.