Tools box
From PRAGMAgridWIKI
Contents |
SGE job termination script and setup by Blair Bethwaite
When SGE kills a job, e.g. at user or admin request (this includes kill requests via Globus) the default behaviour is that it simply sends a SIGKILL to the process leader (the job script). This in many cases is inappropriate because it does not give jobs the chance to clean up - particularly if they have forked children. Fortunately though there are configuration options which let you change the default behaviour. Below I've included an example of a "terminate method" script. You can configure your SGE queues to use it as the terminate method.
SGE job termination script setup
- Copy the script (see below) to a file, for example <SGE-install-directory>/utilbin/custom-terminate.sh, make it executable.
- Run "qconf -mq <qname>" and edit the line for "terminate_method" to
terminate_method <SGE-install-directory>/utilbin/custom-terminate.sh $job_pid $job_owner
The change will take effect for jobs submitted thereafter.
SGE job termination script
####################################
#!/bin/bash
# Use this script as the termination method for SGE queues rather than the
# default which just does SIGKILL and therefore does not give jobs that have
# forked worker children the chance to kill them.
# The termination_method of the queue config can pass in other arguments to
# variations of this script such as $job_owner $queue $host
if [ $# -ne 2 ] ; then
echo "Usage:" $0 job_pid job_owner
exit 1
fi
job_pid=$1
job_owner=$2
# try and kill the session group - the group leader is the shell
# executing the job script
pkill -s $job_pid if [ $? -ne 0 ] ; then
kill $job_pid
fi
# cleanup grace period
sleep 10
pkill -9 -s $job_pid
if [ $? -ne 0 ] ; then
kill -9 $job_pid
fi
# check for detached children that weren't killed by session
# sanity check first...
#if [ $job_owner = "root" ] ; then
# exit
#else
# look for processes belonging to the user with PPID 1
# pgrep -u $job_owner -P 1
# det=$?
# while [ $det -eq 0 ] ; do
# pkill -9 -u $job_owner -P 1
# sleep 2
# pgrep -u $job_owner -P 1
# det=$?
# done
#fi
####################################
Debian OpenSSL vulnerability info and check
Sites using NAREGI CA software are NOT effected, since NAREGI CA software does not use random number generator in Debian system. Other sites should check all issued certificates. CAs should also check all future CSRs before signing to certificates.
Below is a script to check issued certificates. The blacklist can be downloaded from http://www.lysator.liu.se/~kent/ob/openssl-blacklist-0.1%2bkent-0.2.tar.gz.
Script to check issued certificates
#!/bin/sh
for f in `ls -1` ; do
tag=`openssl x509 -noout -modulus -in $f|sha1sum|cut -d ' ' -f 1|cut -c21-41`;
serial=`basename $f .pem` ;
if [ `fgrep -c $tag \
/tmp/openssl-blacklist-0.1+kent-0.2/blacklist.RSA-1024` \
-ne 0 -o \
`fgrep -c $tag \
/tmp/openssl-blacklist-0.1+kent-0.2/blacklist.RSA-2048` \
-ne 0 ] ; then
dn=`openssl x509 -noout -subject -in $f| sed -e 's/subject= //'` ;
caid=`awk '/Tag:/ { print $NF}' $f` ;
echo "$serial $caid $dn" ;
fi ;
done
