Factory does not submit glideins corresponding to your jobSymptoms:User job stays idle and there are no glideins submitted to the glidein queue that correspond to your job.
However, the VO frontend does detect the job and attempts to advertise to the factory
Useful Files: GLIDEINWMS_GFACTORY_HOME/<entry>/log
Once the frontend identifies potential entry points that can run your job, it will reflect this information in the glideclient classad in WMS collector for that corresponding entry point. You can find this information by running “condor_status -any -pool <wms collector>” Glidein factory looks up the glideclient classad, queries the wms collector to find out distribution of existing glideins in the glidein queues and submits additional glideins as required. Once the factory has submitted the required glideins, you can see them by queering glideins queue using command, “condor_q -g -pool <wms collector>”
If you do not see any glideins corresponding to your job,
- Check if the factory is running. If not start it.
- Check if the entry point is enabled in the factory, configuration file, GLIDEINWMS_GFACTORY_HOME/glideinWMS.xml
- Check for error messages in logs located in GLIDEINWMS_GFACTORY_HOME/<entry>/log
- Look for possible error messages in the glideins queue (condor_schedd). Based on the actual condor scheduler, you can find scheduler logfile, SchedLog, in one of the sub directories of directory listed by “condor_config_val local_dir”
- Check security settings. The WMS factory will drop requests from the VO frontends if settings do not match correctly. There will usually be lines in the vofrontend that useful factories exist, but the factory logs will have warnings/errors related to security settings.
- The first line in frontend.xml must match the name in security-frontends-frontend in the factory's glideinWMS:
<frontend advertise_delay="5" frontend_name="exampleVO-cms-xen25-v1_0" loop_delay="60">Must match the factory's settings:
<frontend name="exampleVO-cms-xen25" identity="firstname.lastname@example.org">Note that the identity line must have the username that the frontend is running as. The security_class tag in glideinWMS.xml shortly after the above line will map the user to a new local user. This must match the condor_mapfile.
- Make sure to do a reconfig after you modify anything (ie):
./frontend_startup reconfig ../instance_v1_0.cfg/frontend.xml
- Whitelist error: (WARNING: Client NAME.main (secid: IDENTITY) not in white list. Skipping request). Verify that the security_name (in the frontend config <frontend><collector><security security_name="foo">) must match the frontend name (<frontend name="foo">) in the factory config.
Also, if you have enabled allowed_vos for whitelist functionality, make sure this security class is listed.
- Frontend not coming from a trusted source: (WARNING: Client name.main (secid: identity) is not coming from a trusted source; AuthenticatedIdentity email@example.comfirstname.lastname@example.org. Skipping for security reasons.). There is a mismatch between <frontend><collector my_identity> in the frontend config and <frontend identity> in the factory config. If you are running on the same machine, this can be caused if Condor is using filesystem (FS) authentication instead of GSI authentication.
- No mapping for security class: (WARNING: No mapping for security class frontend of x509_proxy_0 for frontend_service-v2_4_3.main (secid: frontend_identity), skipping and trying the others). The frontend config's proxy element security_class attribute does not match the factory config's security_class element name attribute.
- Client provided invalid ReqEncIdentity: (Client X provided invalid ReqEncIdentity ( email@example.com!= firstname.lastname@example.org). Skipping for security reasons. When the VOFrontend contacts the WMS Collector using the frontend configuration file's security element proxy_DN/classad_proxy attribute, the WMS Collector Condor uses the certs/condor_mapfile to map the VOFrontend to a name. This name identifies how the factory knows the VOFrontend on the Factory node. This must match with the factory configuration file's frontend element identity attribute.
Verify that the proxy_dn in the security section of the frontend config matches the condor_mapfile on the WMS collector node. This identity (with machine name) should map the frontend identity in the factory config. Also, if you running all services on the same machine, make sure that condor is using GSI authentication and not file system (FS) authentication.
Security OverviewFor a visual representation of the configuration that must match, see the below:
<security security_name="frontend_identity" proxy_DN=" /DC=org/DC=doegrids/OU=Services/CN=glidein/cms-xen22.fnal.gov "
<frontend name="frontend_identity" identity="email@example.com"
<security_class name="frontend" username="vo_cms"
GSI " ^ \/DC\=org\/DC\=doegrids\/OU\=Services\/CN\=glidein\/cms\-xen22\.fnal\.gov$ " frontend_identity
Once the glideins are submitted, they should start running on the remote sites. Time taken for them to enter the running state could vary based on the site, how busy the site is, priority your glideins have on the site.
If the glideins stay idle for quite some time,
- Check if the glidein has been submitted to the remote site. You can find this information either from the condor_activity log found in the GLIDEINWMS_GFACTORY_HOME/<entry>/log or by queering glideins queue using “condor_q -globus -g -pool <wms collector>”. If the glidein job was submitted to the remote site, its quite possible that it is waiting for a worker node to be available to run it.
- Check condor logs in GLIDEINWMS_WMSCOLLECTOR_HOME/condor_local/logs.
Each DN should map to a user on this system.
The glidein will use the proxy/cert of the frontend to submit a glidein and the two will need to trust each other. If this is the problem, there will usually be something like this in the SchedLog:
05/05 10:30:11 (pid:21711) OwnerCheck(userschedd) failed in SetAttribute for job 1243.0
- Check the Grid manager log. Note that some configurations put this file in /tmp. This will let you know if there is a problem submitting to grid entry points.
source GLIDEINWMS_WMSCOLLECTOR_HOME/condor.sh condor_q -g condor_q -globus -gIf idle and unsubmitted, the job has not made it to the grid, and there is probably an issue with the condor_mapfile or proxy.
If held, then check the grid manager logs for errors. Also, check condor_gridmanager status in GLIDEINWMS_WMSCOLLECTOR_HOME/condor_local/log/SchedLog
If you find an error such as:
Error 7: authentication failed with remote server.Make sure the proxy/cert is correct. Try the following to make sure the user is authorized to run jobs on the site.
X509_USER_CERT=/tmp/x509up_u<UID> globus-job-run -a -r <gatekeeper in factory config>
If you recieve the following error, then check the job logs to see whether this could be a problem with the setup scripts. If the proxy is valid less than 12 hours (eg a Fermilab KCA cert), then the x509_setup script will fail.
Error 17: the job failed when the job manager attempted to run it
- If you expect that the worker nodes are available, check if the glidein is getting periodically held. You can find this information either from the condor_activity log found in the GLIDEINWMS_GFACTORY_HOME/<entry>/log or by queering glideins queue using “condor_q -pool <wms collector> -name <scheddname> <jobid> -format NumGlobusSubmits” Check for error messages in condor_activity logs if your glidein job is being periodically held.
Once the glidein starts running, the glidein startup script downloads condor files and other relevant files from the factories web area. It then does the required checks, generates condor configuration files and starts condor_startd daemon. This condor_startd reports to the user collector as a resource on which the user job is supposed to run. If the glidein job exists and you never see a resource in the user collector, the problem is generally related to bootstrapping the processes on the worker nodes.
If the glidein job has completed, you should be able to look for output and error logs for the glidein job in directory GLIDEINWMS_GFACTORY_HOME/<entry>/log. The files are named are job.<glidein jobid>.out and job.<glidein jobid>.err. Most common cause for the failures is mismatch in the architecture of condor binaries used and that of the worker nodes. Starting in glideinWMS 2.2, you can configure entry points to use different condor binaries. In case condor daemons are crashing, you can browse the logs of condor daemons by using tools available in the /glideinWMS/factory/tools
Other issues that can cause this symptom:
- GLIBC incompatibilities:
One possible error that can appear at this point is a problem due to the version of GLIBC:
Starting monitoring condor at Fri Jun 18 10:11:27 CDT 2010 (1276873887)In this case, the version of glibc on the worker node is less than the glibc that condor is using. For instance, this can happen if the factory is on SL5, but the worker node is SL4. Condor has special binaries for glib2.3, so you can re-install/re-compile using these binaries. For advanced users, you can configure multiple tarballs for various architectures in the factory config.
/usr/local/osg-ce/OSG.DIRS/wn_tmp/glide_rP2945/main/condor/sbin/condor_master: /lib/tls/i686/nosegneg/libc.so.6: version `GLIBC_2.4' not found (required by /usr/local/osg-ce/OSG.DIRS/wn_tmp/glide_rP2945/main/condor/sbin/condor_master)
- Collector authentication issues:
Another error that can happen and cause these symptoms is if authentication is failing. First, verify that the certificates for all services exist and are owned by the proper users. In particular, make sure that the user collector certificate is owned by the user running the user colelctor instance (this can be a non-root user). Another tool to debug errors is to enable the option:
CONDOR_DEBUG = D_SECURITY.You should be able to find errors in the User pool collector logs USER_COLLECTOR/condor_local/log/CollectorLog For instance,
03/25/11 15:36:43 authenticate_self_gss: acquiring self credentials failed. Please check your Condor configuration file if this is a server process. Or the user environment variable if this is a user process.Or:
globus_sysconfig: File is not owned by current user: /etc/grid-security/glideincert.pem is not owned by current user
- Gridmap issues:
If the problem is not with the user pool resources (collector and/or schedd), a problem could exist with the gridmap on the glidein itself. Symptoms of this could include errors in the startd logs:
03/18 13:06:42 (pid:13094) ZKM: successful mapping to anonymousIf this happens, the gridmap file used by the startd (ie the glidein) does not contain the DN for either the user collector or the user submit node. Make sure the information in the <collectors> tag and the <schedds> tags in the frontend.xml are correct and reconfig.
03/18 13:06:42 (pid:13094) PERMISSION DENIED to anonymous@fnpc3061 from host 220.127.116.11 for command 442 (REQUEST_CLAIM), access level DAEMON: reason: DAEMON authorization policy denies IP address 18.104.22.168
03/18 13:07:43 (pid:13094) PERMISSION DENIED to anonymous@fnpc3061 from host 22.214.171.124 for command 442 (REQUEST_CLAIM), access level DAEMON: reason: cached result for DAEMON; see first case for the full reason
On some versions of Condor, there is a problem with the swap. Make sure that GLIDEINWMS_USERSCHEDD_HOME/etc/condor_config.local contains RESERVED_SWAP=0
source GLIDEINWMS_USERSCHEDD_HOME/condor.shThe above should return 0.
Once the glidein starts running on the worker node and successfully starts required condor daemons, condor_startd registers as a resource in the user pool collector. If your job does not start running on the resource, check that the requirements expressed by the user job can be satisfied by the resource. If not, understand the constraints that are not satisfied and tweak the requirements.
You can get further information on this by running:
source GLIDEINWMS_POOLCOLLECTOR_HOME/condor.shThere will be one "machine" that will act as the monitor and will reject the job due to its own requirements (it is the OWNER). If 1 is rejected by your jobs requirements, check GLIDEINWMS_USERSCHEDD_HOME/condor_local/log/ShadowLog for errors.
condor_q -g -analyze
2.000: Run analysis summary. Of 2 machines,
1 are rejected by your job's requirements
1 reject your job because of their own requirements
0 match but are serving users with a better priority in the pool
0 match but reject the job for unknown reasons
0 match but will not currently preempt their existing job
0 are available to run your job
You can also run the following to get more information about the classads:
If the job is held, make sure the user schedd is running as root (if getting permission denied). Run "condor_q -analyze" to see what is holding the process.
ERROR: Failed to create base clientlog dir (user xxx_cms):Debugging steps: This indicates a problem with privilege separation. Verify that the username in the security_class in the factory config is listed in /etc/condor/privsep_config as a valid-target-uid. Also, condor requires specific permissions on directories for privsep, so similar errors can be triggered if directory permissions are not set correctly.
Error running '/usr/local/glideins/v2_4_3_alpha_1/condor-wms/bin/../sbin/condor_root_switchboard mkdir 0 2'
code 256:["option 'user-uid' has an invalid uid in file:
Reconfiguring the factory [FAILED]
Useful Files: Condor logs, glidein logs
When the Frontend sees user jobs in the queue, it requests glideins on behalf of those users. The Frontend provides a proxy (possibly one
shared by multiple members of the VO) that is authorized to submit those glideins to a site. The glideins then report back to the local
Condor collector as slots that are available to run jobs.
If a site uses gLExec, the user must provide a proxy as part of their job submission. Once the user job gets matched to a glidein by the local Condor collector, this proxy is then used for authorization and to map the user to a local account. This mapping prevents the security problem introduced in pilot-based systems where there is no authentication of the actual user credentials so that the job is run on a local account. Because the jobs aren't being run explicitly as the user, it is also not obvious whose job is running at a site.
For more a more detailed explanation of the issues and for more information on integrating gLExec with glideinWMS, see here. It is recommended that you always set x509userproxy in user job submission since the glidein may or may not run on a site with gLExec enabled. A proxy may also be required for other reasons, such as having the job stage data.
If the glideins have completed
If the glideins have completed, a factory admin can find the glidein logs in the client logs directory on the factory. The Condor logs are automatically included in the glidein logs sent back to the factory. glideinWMS provides tools for viewing these Condor logs in glideinWMS/factory/tools/:
- cat_logs.py glidien_log
- cat_MasterLog.py glidien_log
- cat_StartdLog.py glidien_log
- cat_StarterLog.py glidien_log
If the glideins are still running
The user proxy DN is located in the Startd Condor logs as the x509UserProxyFQAN. The site admin can access this log
on the node under glide_*/log. The location of the glide_* directory will change if gLExec is used.
If gLExec is enabled on the site, you can also look in the gLExec logs.