Local condor cluster technical setup

HTCondor configuration

Pre-requisites

Global Pool resources need to authenticate with the local condor collector. This requires GSI authentication, so please make sure the following are available on your condor system:

  • An up-to-date grid-mapfile and CA certificates.
  • Optional: A condor_mapfile, if only specific user DNs should be allowed (rather than any user with a VO CMS proxy certificate).

grid-mapfile and CA certificates

  • If you don't have a grid-mapfile (usually in: /etc/grid-security/grid-mapfile), please follow these instructions in order to enable a grid-mapfile of VOs in your system.
  • If you don't have CA certificates (usually in: /etc/grid-security/certificates), please follow this guide.
    • Note: If your host has CVMFS available, you can also use the CA certificates from there. See the condor configuration for more details.

condor_mapfile

This is used by condor to allow the authentication of specific DNs. Create this if you would like to restrict the authentication to a certain group of users only.

These Distinguished Names (DNs) can be obtained as follows:

$ voms-proxy-info -identity
/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=khurtado/CN=764581/CN=Kenyi Paolo Hurtado Anampa

Please backslash-escape special characters such as spaces, =, /, etc.

/etc/grid-security/condor_mapfile
GSI "^\/DC\=ch\/DC\=cern\/OU\=Organic\ Units\/OU\=Users\/CN\=khurtado\/CN\=764581\/CN\=Kenyi\ Paolo\ Hurtado\ Anampa" uscms01
GSI (.*) anonymous
FS (.*) \1
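
The escaping step and the effect of the resulting mapfile, as an added example (not part of the original page or of HTCondor itself). It builds the GSI line from a DN and emulates first-match lookup using Python's re module as a stand-in for HTCondor's regex engine; the function names and the second DN are constructed for illustration.

```python
import re

def escape_dn(dn: str) -> str:
    """Backslash-escape every non-alphanumeric character of a DN."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: "\\" + m.group(0), dn)

def mapfile_entry(dn: str, user: str) -> str:
    """Build a GSI line in the form used on this page (anchored with ^)."""
    return f'GSI "^{escape_dn(dn)}" {user}'

# method, then a quoted or unquoted regex, then the canonical name
LINE = re.compile(r'^(\S+)\s+(?:"([^"]*)"|(\S+))\s+(\S+)\s*$')

def lookup(mapfile: str, method: str, principal: str):
    """Return the canonical name from the first matching line, else None."""
    for raw in mapfile.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parsed = LINE.match(raw)
        if not parsed or parsed.group(1) != method:
            continue
        pattern = parsed.group(2) if parsed.group(2) is not None else parsed.group(3)
        hit = re.search(pattern, principal)
        if hit:
            return hit.expand(parsed.group(4))  # substitutes \1, \2, ...
    return None

ALLOWED_DN = ("/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=khurtado"
              "/CN=764581/CN=Kenyi Paolo Hurtado Anampa")
OTHER_DN = "/DC=org/DC=example/OU=People/CN=Constructed User 12345"  # constructed

MAPFILE = "\n".join([
    mapfile_entry(ALLOWED_DN, "uscms01"),
    "GSI (.*) anonymous",   # every other GSI identity falls through to here
    r"FS (.*) \1",
])

if __name__ == "__main__":
    print(MAPFILE)
    for dn in (ALLOWED_DN, OTHER_DN):
        print(dn, "->", lookup(MAPFILE, "GSI", dn))
```

Only the listed DN resolves to uscms01; any other GSI identity resolves to anonymous, which the ALLOW_DAEMON line in the configuration does not admit.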

Note: If no condor_mapfile is created, the whole grid-mapfile is used as the authentication table, so that e.g. any CMS user mapped to uscms01 is allowed. This is the default authentication procedure when no condor_mapfile is created.

/etc/grid-security/condor_mapfile
# GSS_ASSIST_GRIDMAP will
# map users from grid-mapfile
GSI (.*) GSS_ASSIST_GRIDMAP 
FS (.*) \1 
FS_REMOTE (.*) \1 
SSL (.*) ssl@unmapped 
KERBEROS ([^/]*)/?[^@]*@(.*) \1@\2 
NTSSPI (.*) \1 
CLAIMTOBE (.*) \1 
PASSWORD (.*) \1 

Configuration

We need to specify that condor daemons require GSI authentication.

Condor configuration
## Add this to your condor configuration.
# This is to authenticate CMS proxies or specific DNs with the collector

# Specify CA directory
GSI_DAEMON_TRUSTED_CA_DIR = /etc/grid-security/certificates
# Use this if you have CVMFS available and would like to use the certificates from OASIS instead.
# GSI_DAEMON_TRUSTED_CA_DIR  = /cvmfs/oasis.opensciencegrid.org/mis/osg-wn-client/3.3/current/el6-x86_64/etc/grid-security/certificates

# Specify your grid-mapfile location
GRIDMAP = /etc/grid-security/grid-mapfile

# If you plan to use condor_mapfile, specify the location here
CERTIFICATE_MAPFILE = /etc/grid-security/condor_mapfile

# Allow GSI authentication for condor daemons
SEC_DAEMON_AUTHENTICATION = REQUIRED
# CLAIMTOBE accepts whatever identity the client claims, without verification
SEC_DAEMON_AUTHENTICATION_METHODS = GSI, FS, CLAIMTOBE

# Allow users with CMS proxies
ALLOW_DAEMON = $(ALLOW_DAEMON), uscms01@$(UID_DOMAIN)/*