11.2 Development Release Series 8.9
This is the development release series of HTCondor. The details of each version are described below.
- HTCondor version 8.9.0 released on February 28, 2019.
This release may require configuration changes to work as before. During this release series, we are making
changes to make it easier to deploy secure pools. This release contains two security-related configuration
- Absent any configuration, the default behavior is to deny authorization to all users.
- In the configuration files, if ALLOW_DAEMON or DENY_DAEMON are omitted, ALLOW_WRITE or DENY_WRITE
are no longer used in their place.
On most pools, the easiest way to get the previous behavior is to add the following to your configuration:
ALLOW_READ = *
ALLOW_DAEMON = $(ALLOW_WRITE)
The main configuration file (/etc/condor/condor_config) already implements the above change by calling
use SECURITY : HOST_BASED.
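An added example, not part of the HTCondor manual or code base: a simplified Python check that reads configuration text and reports which settings are affected by the two 8.9.0 changes above. It assumes a single flat file without includes, conditionals or macro expansion, and treats use SECURITY : HOST_BASED as equivalent to the two lines shown above; the function names and sample host names are made up for illustration.

```python
import re

# Simplified reader for HTCondor-style configuration text. Assumptions: one flat
# file, no includes, no conditionals, no $(MACRO) expansion.
ASSIGN = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")
METAKNOB = re.compile(r"^use\s+(\w+)\s*:\s*(\w+)$", re.IGNORECASE)

def parse_config(text):
    """Return (settings, metaknobs); names upper-cased, later lines win."""
    settings, metaknobs = {}, set()
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        knob, assign = METAKNOB.match(line), ASSIGN.match(line)
        if knob:
            metaknobs.add((knob.group(1).upper(), knob.group(2).upper()))
        elif assign:
            settings[assign.group(1).upper()] = assign.group(2).strip()
    return settings, metaknobs

def audit_8_9(text):
    """Return [(setting, message)] for settings affected by the 8.9.0 defaults."""
    settings, metaknobs = parse_config(text)
    # Assumption taken from the text above: this metaknob stands for exactly
    # ALLOW_READ = * and ALLOW_DAEMON = $(ALLOW_WRITE), nothing more.
    host_based = ("SECURITY", "HOST_BASED") in metaknobs
    findings = []
    if "ALLOW_READ" not in settings and not host_based:
        findings.append(("ALLOW_READ", "unset: READ is denied by default"))
    if "ALLOW_DAEMON" not in settings and not host_based:
        findings.append(("ALLOW_DAEMON",
                         "unset: ALLOW_WRITE is no longer used in its place"))
    if "DENY_WRITE" in settings and "DENY_DAEMON" not in settings:
        findings.append(("DENY_DAEMON",
                         "unset: DENY_WRITE is no longer used in its place"))
    return findings

# Constructed sample: a pre-8.9 style configuration (host names are made up).
LEGACY = "ALLOW_WRITE = *.pool.example\nDENY_WRITE = lab7.pool.example\n"
# The same file with the two lines recommended above appended.
MIGRATED = LEGACY + "ALLOW_READ = *\nALLOW_DAEMON = $(ALLOW_WRITE)\n"

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY), ("migrated", MIGRATED)):
        print(label, audit_8_9(cfg))
```

On the migrated sample the only remaining finding is DENY_DAEMON: the two recommended lines restore the allow side, but a DENY_WRITE list is still not used in place of DENY_DAEMON.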
With the addition of the automatic security session for a family of HTCondor daemons and
the existing match password authentication between the execute and submit daemons, most
hosts in a pool may not require changes to the configuration files. On the central manager, you
do need to ensure DAEMON level access for your submit nodes. Also, CCB requires DAEMON level
- Changed the default security behavior to deny authorization by default. Also, neither ALLOW_DAEMON
nor DENY_DAEMON falls back to using the corresponding ALLOW_WRITE or DENY_WRITE when reading
configuration files. (Ticket #6824).
- A family of HTCondor daemons can now share a security session that allows them to trust each other
without doing a security negotiation when a network connection is made amongst them. This “family”
security session can be disabled by setting the new configuration parameter SEC_USE_FAMILY_SESSION
to False. (Ticket #6788).
- Scheduler Universe jobs now start in order of priority, instead of random order. This is most typically
used for DAGMan. When running condor_submit_dag against a .dag file, you can use the -priority
<N> flag to set the priority for the overall condor_dagman job. When the condor_schedd is starting
new Scheduler Universe jobs, the highest priority queued job will start first. If all queued Scheduler
Universe jobs have equal priority, they get started in order of submission. (Ticket #6703).
- Normally, HTCondor requires the user to specify their credentials when using EC2 (via the grid universe
or via condor_annex). This allows users to use different accounts from the same machine. However, if a
user started an EC2 instance with the privileges necessary to start other instances, and ran HTCondor
in that instance, HTCondor was unable to use that instance’s privileges; the user still had to specify
their credentials. Instead, the user may now specify FROM INSTANCE instead of the name of a credential
file to indicate that HTCondor should use the instance’s credentials.
By default, any user with access to a privileged EC2 instance has access to that instance’s privileges.
If you would like to make use of this feature, please read 6.4.1 before adding privileges (an instance
role) to an instance which allows access by other users, specifically including the submitting of jobs to
or running jobs on that instance. (Ticket #6789).
- The condor_now tool now supports vacating more than one job; the additional jobs’ resources will be
coalesced into a single slot, on which the now-job will be run. (Ticket #6694).
- In the Python bindings, the JobEventLog class now has a close method. It is also now its own iterable
context manager (implements __enter__ and __exit__). The JobEvent class now implements __str__
and __repr__. (Ticket #6814).
- The condor_hdfs daemon which allowed the hdfs daemons to run under the condor_master has been
removed from the contributed source. (Ticket #6809).
- Fixed potential authentication failures between the condor_schedd and condor_startd when multiple
condor_startds are using the same shared port server. (Ticket #5604).