unibonn / puppet-cobald

Puppet module for COBalD/TARDIS based opportunistic resource management
Apache License 2.0

X.509 OBS auth: Only prolong proxy if needed, fix SELinux issue. #8

Closed olifre closed 3 years ago

olifre commented 3 years ago

This changes proxy renewal to only recreate the proxy (72 hours lifetime) if the remaining lifetime drops below 24 hours. In addition, it is copied to /var/run/condor/proxy which is now used in the pilot JDLs for HTCondor local batch systems.

This significantly reduces the number of file transfers into HTCondor drones, and fixes an SELinux issue (shadow needs to access the proxy).

Note: This is still marked WIP until properly tested ;-).

olifre commented 3 years ago

It worked fine in testing, i.e. the proxy was successfully renewed and successfully transferred into the job(s). Also, the SELinux denials are gone. It does not seem to be easily possible to check if transfers still happen too often, since the file modification times would be kept — but from the HTCondor code, transfers should not happen anymore (unless a new proxy is created) and we also see fewer problems with the starters which had freezing issues from the many transfers.
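The renewal policy discussed in this thread, as an added shell example that is not code from this pull request or from puppet-cobald: renew only when less than 24 hours remain, and replace the published copy only when its content changed. The function names and the caller-supplied renew command are assumptions; `openssl x509 -checkend` reads the first certificate in the file, which in a proxy file is the proxy certificate itself.

```shell
# Added illustration, not the module's own code. Function names and the
# renew command passed by the caller are hypothetical.
THRESHOLD=$((24 * 3600))   # renew when less than 24 hours remain

# needs_renewal FILE SECONDS
# Exit 0 if FILE is missing, empty, unparsable, or expires within SECONDS;
# exit 1 if it stays valid beyond that window.
needs_renewal() {
    [ -s "$1" ] || return 0
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# publish_proxy SRC DST
# Replace DST only when its content differs from SRC. The temp file is
# created inside the target directory, so it gets that directory's default
# SELinux label, and readers never see a partially written proxy.
# Exit 0 if DST was replaced, 1 if left untouched, 2 on error.
publish_proxy() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    tmp=$(mktemp "$(dirname "$2")/.proxy.XXXXXX") || return 2
    if cp "$1" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$2"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# maintain_proxy SRC DST RENEW_CMD [ARGS...]
# Run RENEW_CMD only when SRC needs renewal, then publish to DST.
# Exit status is that of publish_proxy, or 2 if RENEW_CMD failed.
maintain_proxy() {
    src=$1
    dst=$2
    shift 2
    if needs_renewal "$src" "$THRESHOLD"; then
        "$@" || return 2
    fi
    publish_proxy "$src" "$dst"
}
```

Exit status 1 from `maintain_proxy` means the published file was not rewritten, which is the case that should dominate between renewals.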