get_htcondor
Install and configure HTCondor on Linux machines.
Synopsis
get_htcondor <-h | --help>
get_htcondor [–[no-]dry-run] [--channel name] [--minicondor | [--central-manager | --submit | --execute] central-manager-name] [--shared-filesystem-domain filesystem-domain-name]
get_htcondor --dist
Description
This tool installs and configure HTCondor on Linux machines. See https://htcondor.readthedocs.io/en/latest/getting-htcondor for detailed instructions. This page is intended as a quick reference to its options; it also includes a section about the reasons for the configurations it installs.
Options
- -help
Print a usage reminder.
- --dry-run
Do not issue commands, only print them. [default]
- --no-dry-run
Issue all the commands needed to install HTCondor.
- --channel name
Specify channel name to install; name may be
current
, the most recent release with new features [default] orstable
, the most recent release with only bug-fixes- --dist
Display the detected operating system and exit.
- --minicondor
Configure as a single-machine (“mini”) HTCondor. [default]
--central-manager central-manager-name
--submit central-manager-name
--execute central-manager-name
Configure this installation with the central manager, submit, or execute role.
--shared-filesystem-domain filesystem-domain-name
Configure this installation to assume that machines specifying the same filesystem-domain-name share a filesystem.
Exit Status
On success, exits with code 0. Failures detected by get_htcondor will result in exit code 1. Other failures may have other exit codes.
Installed Configuration
This tool may install four different configurations. We discuss the single-machine configuration first, and then the three parts of the multi-machine configuration as a group. Our goal is to document the reasoning behind the details, because the details can obscure that reasoning, and because the details will change as we continue to improve HTCondor.
As a general note, the configurations this tool installs make extensive
use of metaknobs, lines in HTCondor configuration files that look like
use x : y
. To determine exactly what configuration a metaknob sets, run
condor_config_val use x:y
.
Single-Machine Installation
The single-machine installation performed by get_htcondor uses the
minicondor
package. (A “mini” HTCondor is a single-machine HTCondor
system installed with administrative privileges.) Because the different
roles in the HTCondor system are all on the same machine, we configure
all network communications to occur over the loopback device, where we don’t
have to worry about eavesdropping or requiring encryption. We
use the FS
method, which depends on the local filesytem, to identify
which user is attempting to connect, and restrict access correspondingly.
The get_htcondor tool installs the standard minicondor package from the
HTCondor repositories; see the file it creates,
/etc/condor/config.d/00-minicondor
, for details.
Multi-Machine Installation
Because the three roles must communicate over the network to form a complete
pool in this case,, security is a much bigger concern; we therefore require
authentication and encryption on every connection. Thankfully, almost all
of the network communication is daemon-to-daemon, so we don’t have to burden
individual users with that aspect of security. Instead, users submit jobs on
the submit-role machine, using FS
to authenticate. Users may also need to
contact the central manager (when running condor_status
, for example),
but they never need to write anything to it, so we’ve configured
authentication for read-only commands to be optional.
Daemon-to-daemon communication is authenticated with the IDTOKENS method.
(If a user needs to submit jobs remotely, they can also use the IDTOKENS
method, it’s just more work; see condor_token_fetch
.) Each role
installed by this tool has a copy of the password, which is used to
generate an IDTOKEN, which is used for all daemon-to-daemon authentication;
both the password and the IDTOKEN can only be read by privileged processes.
An IDTOKEN can only be validated by the holder of the corresponding
password, so each daemon in the pool has to have both.
This tool installs the role-specific configuration in the files
/etc/condor/config.d/01-central-manager.config
,
/etc/condor/config.d/01-submit.config
, and
/etc/condor/config.d/01-execute.config
; consult them for details.