OSG 3.6 News¶

Upcoming OSG 3.6 end-of-support dates

OSG 3.6 reaches the "End of Regular Support" on March 31, 2024 and will only receive critical bug-fix and security updates until its end-of-life on June 30, 2024. See our Release Series documentation for more details.

Note that the OSG 3.6 end-of-life coincides with the wider Enterprise Linux 7 end-of-life. We recommend upgrading to OSG 23 and an Enteprise Linux 9 distribution at your earliest convenience.

Supported OS Versions: EL7, EL8, EL9

The OSG 3.6 release series is a major overhaul of the OSG software stack compared to previous release series with changes to core protocols used for authentication and data transfer: bearer tokens, such as SciTokens or WLCG tokens, are used for authentication instead of GSI proxies and HTTP is used for data transfer instead of GridFTP.

To support these new protocols, OSG 3.6 includes HTCondor 9.0, HTCondor-CE 5, GlideinWMS 3.9, and XRootD 5.4. We also dropped support for the GridFTP, GSI authentication, and Hadoop.

Known Issues¶

The following issues are known to currently affect packages distributed in OSG 3.6:

Preparing for HTCondor 10.0¶

We have released HTCondor version 10.0 into the OSG repositories.

Note

The condor-upgrade-checks RPM version 10.0.5 works with existing HTCondor 9.0.x installations. It can be installed with either HTCondor version 9 or 10.

HTCondor-CE and HTCondor pool administrators should install the condor-upgrade-checks RPM and run the condor_upgrade_check script to check for actions that need to be taken before upgrading to HTCondor version 10. This script checks for three possible issues:

HTCondor upgrade causing a change in TRUST_DOMAIN which would invalidate existing IDTOKENS
Recent and current GPU jobs that will no longer match, because the new require_gpus condor_submit command must be used for GPU matching
HTCondor map files that have regular expressions that the new PCRE2 library will not accept

To check your Access Point configuration run:

root@access-point # condor_upgrade_check

To check your Compute Entrypoint configuration run:

root@htcondor-ce # condor_upgrade_check -ce

Note

Don't forget to check to HTCondor batch system as well

For more information, consult the HTCondor documentation

CA Certificates on EL9¶

EL9 operating systems have a tighter default cryptographic policy that can cause services to reject certificates issued by SHA-1 signed CAs. Some CAs in the igtf-ca-certs and osg-ca-certs packages are affected and you may see service issues if your server certificate or certificates presented by clients are issued by these CAs. The Software Team is investigating solutions but in the meantime, we recommend running the following command on XRootD hosts to accept certificates issued by SHA-1 signed CAs:

root@host # update-crypto-policies --set DEFAULT:SHA1

Do I need to run this on my Compute Entrypoint (CE) hosts?

No. At this time, the Software Team believes that CE hosts are unaffected since their clients only present tokens and token issuers present modern CAs.

rrdtool¶

To improve support for Python 3 based GlideinWMS in EL7, the EL7 OSG Yum repositories contain a newer version of rrdtool than the operating system repositories. This may cause dependency solving issues with non-OSG packages. Therefore, on EL7 hosts that are not running GlideinWMS, we suggest adding the following line under the [osg] section of /etc/yum.repos.d/osg.repo:

excludepkgs=rrdtool

Latest News¶

March 21, 2024: osg-scitokens-mapfile 13-2, vo-client 135-1¶

osg-scitokens-mapfile 13-2
- Add the new CERN IAM instances for ATLAS and CMS to the default CE token to local user mapfiles
vo-client 135-1
- Adds LSC files for new LHC IAM hosts for ALICE, ATLAS, CMS, DTEAM, and LHCb

March 14, 2024: IGTF 1.128, osg-xrootd 3.6-23¶

CA certificates based on IGTF 1.128
- Update CRL download URL for ArmeSFo (AM)
osg-xrootd 3.6-23
- Automatically log DN of incoming user

February 29, 2024: XRootD 5.6.8¶

XRootD 5.6.8
- Fix automatic renewal of server certificate with OpenSSL>=1.1
- Other minor bug fixes

February 27, 2024: VO Package v134, osg-pki-tools 3.7.1, osg-xrootd 3.6-22, GlideinWMS 3.10.6¶

VO Package v134
- Update OSG VOMS certificate used by the LIGO VO
osg-pki-tools 3.7.1
- Fix osg-incommon-cert-request to work on Enterprise Linux 9
osg-xrootd 3.6-22
- Enable HTTP directory listings for authenticated caches and all origins
GlideinWMS 3.10.6: Enterprise Linux 7 and 9
- Knobs to overload memory and CPU
- HTCondor tarball downloader
- Advertising of Factory's HTCondor submit parameters
- Fixed match policy_file import failure
- Fixed syntax error in ClassAd used for gangliad configuration
- Fixed writing of missing dict files during upgrade

February 22, 2024: XRootD 5.6.7, xrdcl-pelican 0.9.3, IGTF 1.127, VOMS 2.10.0-0.31.rc3.1; Upcoming: osg-token-renewer 0.9.0, oidc-agent 5.1.0¶

XRootD 5.6.7
- Add pelican:// support
- Fix potential segmentation fault in third-party copy
xrdcl-pelican 0.9.3
- A Pelican platform-based plugin for the XrdCl interface
CA certificates based on IGTF 1.127
- added supplementary issuing CA Issuing CA IGTF - C5 - 1 for eMudhra (IN)
- removed discontinued QuoVadis CAs: QuoVadis-Grid-ICA-G2, QuoVadis-Root-CA2G3, QuoVadis-Root-CA2, and QuoVadis-Root-CA3G3 (BM)
VOMS 2.10.0-0.31.rc3.1
- Rebuild with latest source to get Enterprise Linux 9 support
Upcoming
- osg-token-renewer 0.9.0
  - Utilize oidc-agent 5.1.0 to use new '--skip-check' option
- oidc-agent 5.1.0
  - Fix issue where osg-token-renewer would get 'No scopes found' error
  - Note: This is in upcoming because it requires redoing OIDC token authentication for any existing refresh tokens

February 8, 2024: Frontier-squid 5.9-2.1, HTCondor 23.0.4, htvault-config 1.16, vault 1.15.4, osg-configure 4.1.1-3¶

Frontier-squid 5.9-2.1
- Fixed several security vulnerabilities
- Improved support for SELinux
HTCondor 23.0.4 LTS
- NVIDIA_VISIBLE_DEVICES environment variable lists full uuid of slot GPUs
- Fix problem where some container jobs would see GPUs not assigned to them
- Restore condor keyboard monitoring that was broken since HTCondor 23.0.0
- In condor_adstash, the search engine timeouts now apply to all operations
- Ensure the prerequisite perl modules are installed for condor_gather_info
htvault-config 1.16
- Support rate limits
- Support '@' in ssh authentication key names
vault 1.15.4
- Update to latest upstream version
osg-configure 4.1.1-3
- Create necessary directories for CE on Enterprise Linux 8 and 9

January 4, 2024: IGTF 1.126, ospool-ep 1.0¶

CA certificates based on IGTF 1.126
- Removed replaced InCommon IGTF Server CA and associated Comodo RSA CA (US)
- Removed discontinued UNLPGrid CA (CL)
ospool-ep 1.0
- Automatically manage the OSPool EP Docker container with systemd

December 14, 2023: XRootD 5.6.4, XCache 3.6.0, xrootd-multiuser 2.2.0¶

XRootD 5.6.4
- Fix segfault with macaroons
- Fix segfault if pss.origin uses https protocol with no port
- Switch from using a certificate file to a certificate chain file
XCache 3.6.0
- Allow overriding redirector in caches with the environment variable XC_REDIRECTOR
- Allow adding local additions to Authfile and scitokens.conf file in /etc/xrootd
xrootd-multiuser 2.2.0
- Add ability to enable/disable xrootd-multiuser with the XC_ENABLE_MULTIUSER environment variable

November 30, 2023: VO Package v133, IGTF 1.125¶

VO Package v133
- Update certificates for FNAL and GlueX VOMS servers
CA certificates based on IGTF 1.125
- Updated root certificate ArmeSFo CA with extended validity (AM)

November 16, 2023: VO Package v132, XRootD 5.6.3, osg-system-profiler 1.7.0¶

VO Package v132
- Update certificates for FNAL and SLAC VOMS servers
- Update certificates for CLAS12, EIC, GLOW, and HCC
- Drop stale certificates for nanohub, STAR, and wisc.edu lz
XRootD 5.6.3
- Fix parsing of chunked PUT requests
- Add HTTP TPC packet marking
- Differentiate between push and pull TPC error messages
- Use configured CA path for the SciTokens plugin
osg-system-profiler 1.7.0
- Add system cryptographic policy
- Better XRootD configuration information for generated profile

November 2, 2023: IGTF 1.124, CVMFS 2.11.2, cvmfs-x509-helper 2.4¶

CA certificates based on IGTF 1.124
- Updated contact meta-data for ArmeSFo authority (AM)
- Removed discontinued AEGIS authority (RS)
- Removed suspended KENET Root and issuing CAs (KE)
- Removed suspended SDG-G2 authority (CN)
- Removed suspended CNIC authority (CN)
- Removed all four discontinued DigitalTrust CAs operated by their issuer (AE)
CVMFS 2.11.2
- Bug fix release
cvmfs-x509-helper 2.4
- Important bug fix for reading credentials from within an unprivileged user namespace such as unprivileged apptainer users. This is needed due to a change in recent el8 & el9 kernels.

October 26, 2023: CVMFS 2.11.1-1.3, XRootD 5.6.2-2.3, HTCondor-CE 6.0.1, osg-update-vos 1.4.2-2¶

CVMFS 2.11.1-1.3
- Important fix to bug impacting osgstorage.org repositories introduced in 2.11.0 -- all 2.11.0 installations should upgrade urgently
- Fix race conditions on concurrent fuse3 mounts
XRootD 5.6.2-2.3
- Update to -2.3 release to avoid confusion with upstream -2 release
- Fix a bug with parsing compound IDs in authfiles
HTCondor-CE 6.0.1
- Add grid CA and host certificate/key locations to default SSL search paths
- Verifies that HTCondor-CE can access the local HTCondor's SPOOL directory
- Can use condor_ce_trace without SciToken to test batch system integration
- condor_ce_upgrade_check checks compatibility with HTCondor 23.0
- Adds deprecation warnings for old job router configuration syntax
osg-update-vos 1.4.2-2
- tarballs now contain cpio, so osg-update-vos will work

October 5, 2023: HTCondor 10.0.9, HTCondor 10.9.0, XRootD 5.6.2, GlideinWMS 3.10.5, CVMFS 2.11.0, cvmfs-x509-helper 2.3, osg-pki-tools 3.6.1, oidc-agent 4.5.2¶

HTCondor 10.0.9: EL7, EL8
- The condor_upgrade_check script now provides guidance on updating to 23.0
- Avoid kernel panic on some Enterprise Linux 8 systems
- Fix bug where early termination of service nodes could crash DAGMan
- The htchirp Python binding now properly locates the chirp configuration
- Limit email about long file transfer queue to once daily
- Various fixes to condor_adstash
HTCondor 10.9.0: EL7 Upcoming, EL8 Upcoming, EL9
- Fold the classads, blahp, and procd RPMs into the main condor RPM
- On Linux, the default configuration enforces memory limits with cgroups
- condor_status -gpus shows nodes with GPUs and the GPU properties
- condor_status -compact shows a row for each slot type
- New ENV command controls which environment variables are present in DAGMan
- All the fixes from HTCondor 10.0.9 (listed above)
XRootD 5.6.2
- New feature release: XRootD 5.6.0 with many improvements
- Plus two bug fix releases: XRootD 5.6.1 and XRootD 5.6.2
GlideinWMS 3.10.5
- Enterprise Linux 9 and Python 3.9 support
- Added structured logging
CVMFS 2.11.0
- Support for symlink kernel caching
- A new reference-counted cache manager mode that reduces the number of open file descriptors
- A bug fix for an issue that could slow down client startup
- A new telemetry option to send client performance counters to influx
cvmfs-x509-helper 2.3
- Fixes to support Enterprise Linux 9
- Fix for tokens that are bigger than 1024 bytes
- Fix usage of $BEARER_TOKEN when accessing data
osg-pki-tools 3.6.1
- Add configuration file for osg-incommon-cert-request
- Update default CSR key length to 4096, add CLI option
oidc-agent 4.5.2
- Update to a recent release that has timeouts to prevent hangs

September 8, 2023: IGTF 1.123-2¶

Warning

If you updated to osg-ca-certs-1.114-1.1 or igtf-ca-certs-1.123-1.1, update to osg-ca-certs-1.114-2 or igtf-ca-certs-123-2 as soon a possible. Java-based services may need to be restarted to pick up the new certificates.

Reverted work around for supporting SHA1-signed CA certificates on systems with tight cryptographic policies (i.e., the EL9 default)

September 7, 2023: IGTF 1.123, htgettoken 1.20, Pegasus 5.0.6¶

CA certificates based on IGTF 1.123
- Add ECC private trust hierarchy for GEANT (Research and Education) TCS (EU)
- Added accredited private trust eMudhra IGTF root and issuers (IN)
- Resolved issue on EL9 with SHA1 signed Certificate Authorities
htgettoken 1.20
- Adds httokensh command to automatically renew access tokens as long a subshell runs
- Update httokensh to by default set the minimum vault token time to live to 6 days, and to make sure that the background refresh never gets a new vault token
- Changed the preferred name of httokendecode to htdecodetoken, keeping links in the opposite direction
- Add man pages for httokensh, htdestroytoken, and htdecodetoken
Pegasus 5.0.6: Bug fix release

August 10, 2023: frontier-squid 5.9-1.1, xrootd-multiuser 2.1.3-1.3¶

frontier-squid 5.9-1.1
- Improvement of debug logging related to the reply_body_max_size parameter
- Consistent with squid5, disallow the combination of multiple workers, ufs cache, and memory_cache_shared even if collapsed_forwarding is off.
- Limit the maximum number of file descriptors to 65536 even if the OS would allow a higher number
xrootd-multiuser 2.1.3-1.3
- Add support for supplementary groups
First release of worker node tarballs for EL9

August 8, 2023: IGTF 1.122¶

CA certificates based on IGTF 1.122
- Added private trust hierarchy for GEANT (Research and Education) TCS (EU) (RSA variants only)
- Added accredited eMudhra joint public trust root and issuing CAs (IN)
- Added private trust eMudhra IGTF root and issuers as experimental (IN, US)

August 2, 2023: HTCondor 10.0.7; Upcoming: HTCondor 10.7.0¶

Danger

The format of the HTCondor job queue log has changed. Once you have updated the Access Point and HTCondor-CE (i.e., hosts with a condor_schedd daemon) to HTCondor 10.7.0, you may only downgrade to a version that can parse this new format. (LTS: 10.0.4 and later, feature: 10.5.0 and later)

We recommend upgrading your Access Points and HTCondor-CE hosts to the latest 10.0.x release or 10.5.0 first, then proceeding with an upgrade to 10.7.0.

HTCondor 10.0.7: EL7, EL8
- Fixed bug where held condor cron jobs would never run when released
- Improved daemon IDTOKENS logging to make useful messages more prominent
- Remove limit on certificate chain length in SSL authentication
- condor_config_val -summary now works with a remote configuration query
- Prints detailed message when condor_remote_cluster fails to fetch a URL
- Improvements to condor_preen
HTCondor 10.7.0: EL7 Upcoming, EL8 Upcoming, EL9
- Can run defrag daemons with different policies on distinct sets of nodes
- Added want_io_proxy submit command
- Apptainer is now included in the HTCondor tarballs
- Fix 10.5.0 bug where reported CPU time is very low when using cgroups v1
- Fix 10.5.0 bug where .job.ad and .machine.ad were missing for local jobs

July 19, 2023: HTCondor 10.0.6, osg-xrootd 3.6-20, XCache 3.5.0-2, osg-ca-scripts 1.2.4-2; Upcoming: HTCondor 10.6.0¶

Danger

The format of the HTCondor job queue log has changed. Once you have updated the Access Point and HTCondor-CE (i.e., hosts with a condor_schedd daemon) to HTCondor 10.6.0, you may only downgrade to a version that can parse this new format. (LTS: 10.0.4 and later, feature: 10.5.0 and later)

We recommend upgrading your Access Points and HTCondor-CE hosts to the latest 10.0.x release or 10.5.0 first, then proceeding with an upgrade to 10.6.0.

HTCondor 10.0.6: EL7, EL8
- In SSL Authentication, use the identity instead of the X.509 proxy subject
- Can use environment variable to locate the client's SSL X.509 credential
- ClassAd aggregate functions now tolerate undefined values
- Fix Python binding bug where accounting ads were omitted from the result
- The Python bindings now properly report the HTCondor version
- remote_initial_dir works when submitting remote grid batch jobs via ssh
- Add a ClassAd stringlist subset match function
osg-xrootd 3.6-20
- Allow create_macaroon_secret to be run as a non-root user
XCache 3.5.0-2
- Add dependency on the xrdcl-http package
osg-ca-scripts 1.2.4-2
- Update package dependencies for Enterprise Linux 9
HTCondor 10.6.0: EL7 Upcoming, EL8 Upcoming, EL9
- Administrators can enable and disable job submission for a specific user
- Work around memory leak in libcurl on EL7 when using the ARC-CE GAHP
- Container images may now be transferred via a file transfer plugin
- Add submit file macro $(JobId) which expands to full ID of the job
- The job's executable is no longer renamed to condor_exec.exe

June 29, 2023: XRootD 5.5.5-1.2, osdf-client 6.12.1, hosted-ce-tools 1.0¶

XRootD 5.5.5-1.2
- Patched to allow Diffie-Hellman key exchange between Enterprise Linux 7 clients and Enterprise Linux 9 servers
osdf-client 6.12.1
- Bug fixes and improvements, notably with regard to authenticated access
hosted-ce-tools 1.0
- Dereference hardlinks when extracting the cvmfsexec tarball
- More aggressively kill timed out rsync processes
- Convert update worker node client scripts to Python 3

June 20, 2023: IGTF 1.121¶

CA certificates based on IGTF 1.121
- Added accredited (classic) InCommon RSA IGTF Server CA 3 under the Sectigo USERTrust RSA root, for which namespaces have been updated (US)

June 9, 2023: HTCondor 10.0.5¶

HTCondor 10.0.5: EL7, EL8
- Rename upgrade9to10checks.py script to condor_upgrade_check
- Fix spurious warning from condor_upgrade_check about regular expression that contain a space

Note

The condor-upgrade-checks RPM version 10.0.5 works with existing HTCondor 9.0.x installations. It can be installed with either HTCondor version 9 or 10.

June 8, 2023: HTCondor 10.0.4, XCache 3.5.0, frontier-squid 5.8, IGTF 1.120; Upcoming: HTCondor 10.5.1¶

HTCondor 10.0.4: EL7, EL8
- Users can prevent runaway jobs by specifying an allowed duration
- Able to extend submit commands and create job submit templates
- Initial implementation of htcondor command line interface
- Initial implementation of Job Sets in the htcondor CLI tool
- Users can supply a container image without concern for which container runtime is used
- Add the ability to select a particular model of GPU when the execution points have heterogeneous GPU cards installed or cards that support nVidia MIG
- File transfer error messages are now returned and clearly indicate where the error occurred
- HTCondor now utilizes ARC-CE's REST interface
- Support for ARM and PowerPC for Enterprise Linux 8
- Security Enhancements
  - For IDTOKENS, signing key not required on every execution point
  - Trust on first use ability for SSL connections
  - Improvements against replay attacks
XCache 3.5.0
- The authfile updater pulls a grid-mapfile from Topology
frontier-squid 5.8
- Add predefined ACL named to_linklocal
- Bug fix for the cache manager returning mgr_index rather than data
CA certificates based on IGTF 1.120
- Added transitional CDP mirror URLs for retiring DigitalTrust CAs (AE)
- Removed discontinued NIIF-Root-CA-2 (HU)
- Removed expiring GermanGrid (GridKA CrossGrid) CA (DE)
htgettoken 1.18
- Fixes bug with --nobearertoken when invoked by HTCondor
- EL9 support
osg-token-renewer 0.8.3-2: Remove X11 UI dependencies
osg-update-vos 1.4.1: Remove Python 2 dependencies
cigetcert 1.21: Remove warning on EL9
HTCondor 10.5.1: EL7 Upcoming, EL8 Upcoming, EL9
- Can now define DAGMan save points to be able to rerun DAGs from there
- Expand environment variables passed by default to the DAGMan manager
- Administrators can prevent users using "getenv = true" in submit files
- Improved throughput when submitting a large number of ARC-CE jobs
- Execute events contain the slot name, sandbox path, resource quantities
- Can add attributes of the execution point to be recorded in the user log
- Enhanced condor_transform_ads tool to ease offline job transform testing
- Fix bug where memory limits over 2 GiB might not be correctly enforced

May 30, 2023: HTCondor 9.0.17-3, osdf-client 6.11.0¶

HTCondor 9.0.17-3
- Provides script to assist updating from HTCondor version 9 to version 10
osdf-client 6.11.0
- Distinguish between slow and stopped transfers
- Fix token finding bug introduced in 6.10.0

May 18, 2023: XRootD 5.5.5, vault 1.13.2, htvault-config 1.15, VOMS 2.0.6-1.6 + 2.1.0-0.14.rc2.6¶

XRootD 5.5.5: Bug fix release
Vault 1.13.2, htvault-config 1.15
- Update to latest upstream plugin versions
- Add new API for token exchange
- Fix bug where kerberos policydomain was ignored
VOMS 2.0.16-1.6 (el7), 2.1.0-0.14.rc2.6 (el8)
- More detailed error messages to help diagnose CA or certificate issues

May 4, 2023: XRootD 5.5.4, VO Pacakge v131¶

XRootD 5.5.4
- Bug fix release
- Enabled xrdcl-http, an HTTP plugin to the XRootD clients
VO Package v131
- New CLAS2 and EIC certificates

April 20, 2023: HTCondor-CE 6.0.0, htgettoken 1.17; Upcoming: HTCondor 10.4.0¶

HTCondor-CE 6.0.0
- Align HTCondor-CE security configuration with HTCondor defaults
- Add example configuration on how to ban users
- Add condor_ce_transform_ads command
- Improve essential directory checking and creation at startup
htgettoken 1.17
- Make --showbearerurl work properly in combination with --nobearertoken
- httokendecode's error message for missing token file now goes to stderr
EL7/EL8 upcoming and EL9 release: HTCondor 10.4.0 - new feature release
- Please review the upgrade documentation for any manual steps

March 30, 2023: EL9 and Gratia Probe 2.8.4 (all operating systems)¶

No tarball client updates

This release does not contain any tarball client updates for EL7 or EL8. Initial EL9 tarballs will be released at a later date.

Critical Gratia Probe 2.8.4 update for HTCondor APs for all operating systems, fixing issues with gratia-probe-condor-ap 2.8.1 through 2.8.3. If you have any of these versions, please update and perform the following steps to process
```
# By default, this will bring you to /var/lib/condor-ce/gratia/data/
root@host # cd $(condor_config_val PER_JOB_HISTORY_DIR)
root@host # mv quarantine/history* .
```
Too many files for mv

If you have a busy AP, you may encounter too many files in the quarantine directory to move all at once. In this case, we suggest moving the history files to the data directory in batches. The Gratia Probe will handle history files in the data directory in bundles so you do not need to wait for processing to complete before moving the next batch over.
This is the initial release of OSG Software Stack for EL9! Notable differences between EL9 and EL7/EL8 include:
- Frontier Squid 5.8-2.1
  
  If you've already installed frontier-squid-5.8-1.1 on an EL9 host...
  
  You will need to uninstall frontier-squid and remove /etc/init.d. If you have any other packages that have files in /etc/init.d, they may also need to be reinstalled and cleaned up in a similar fashion.
- HTCondor 10.3.0: see upstream documentation for manual update steps.
- HTCondor-CE 6.0.0: see upstream documentation for manual update steps.
- Missing packages to be released at a later date:
  - hosted-ce-tools
  - htgettoken
  - osg-update-data

March 16, 2023: OSDF Client 6.10.0¶

OSDF Client 6.10.0
- The stashcp client, when run in a terminal, can acquire a new token via OAuth2 if supported by the upstream origin
- The use of the http_proxy can now be disabled via setting the OSDF_DISABLE_HTTP_PROXY environment variable
- The OSDF client can now handle HTTP 206 Partial Content responses
- stash_plugin -get-caches <prefix> will print out the caches to be used for a given prefix

March 14, 2023: IGTF 1.119, osg-scitokens-mapfile 12, XCache 3.4.0-3¶

CA certificates based on IGTF 1.119
- Updated UKeScience Root (2007) with consistent string encodings (UK)
- Removed obsolete SHA1 subordinates DigiCertGridTrustCA-Classic and DigiCertGridCA-1-Classic from DigiCert, reflected in RPDNC namespaces
- Experimental (non-accredited) new InCommon RSA IGTF Server CA 2 (ICA under Sectigo USERTrust RSA root, for which namespaces have been updated) (US)
- Updated GridCanada CA with re-issued SHA-2 based root (CA)
- Updated CILogon basic, silver, and openid with re-issued SHA-2 certs (US)
- Updated UKeScience Root (2007) re-issued with SHA-2, retired 2A ICA (UK)
osg-scitokens-mapfile 12
- New token for USCMS local pilots
XCache 3.4.0-3
- Add xrootd-tcp-stats to osdf-cache

March 9, 2023: XRootD 5.5.3-1.2, frontier-squid 5.7-2.1, CVMFS 2.10.1¶

XRootD 5.5.3-1.2
- Fix bug where GFAL davs writes fail on EL7 redirectors after eight hours
- XRootD 5.5.2 was not released because of critical bugs that are fixed in XRootD 5.5.3
frontier-squid-5.7-2.1
- Uses first destination IP address that responds (dns_v4_first removed)
- Add MAJOR_CVMFS sites cvmfs-stratum-one.cc.kek.jp, cvmfs*.sdcc.bnl.gov
- Remove obsolete sites frontier*.racf.bnl.gov from ATLAS_FRONTIER
- Fix bug where old caches may not be cleaned up

Note

Manual intervention is needed to downgrade frontier-squid.

# Downgrade instructions
root@host # rpm -e --nodeps frontier-squid
root@host # yum install 'frontier-squid < 11:5

CVMFS 2.10.1
- Minor bug fixes and improvements

March 2, 2023: gratia-probe 2.8.2, osg-flock 1.9¶

gratia-probe 2.8.2

CRITICAL bug fix for sites that have installed gratia-probe-htcondor-ce-2.8.2 or gratia-probe-condor-ap-2.8.2. After updating to 2.8.2, perform the following manual steps for a CE:

# By default, this will bring you to /var/lib/condor-ce/gratia/data/
root@host # cd $(condor_ce_config_val PER_JOB_HISTORY_DIR)
root@host # mv quarantine/history*.0 .

And for an AP:

# By default, this will bring you to /var/lib/condor-ce/gratia/data/
root@host # cd $(condor_config_val PER_JOB_HISTORY_DIR)
root@host # mv quarantine/history* .

osg-flock 1.9
- Adds the "OSPool" attribute to the job ad based on the EP configuration

February 21, 2023: VO Package v130¶

VO Package v130
- Update DN for voms2.fnal.gov

February 16, 2023: gratia-probe 2.8.1, python-scitokens 1.7.4¶

gratia-probe 2.8.1
- gratia-probe-condor-ap: important reporting update for APs with access to multiple pools (e.g., flocking)
python-scitokens 1.7.4
- Remove aud enforcement from deserialize function

February 7, 2023: VO Package v129¶

VO Package v129
- Update DN for voms1.fnal.gov

Note

The CA/Browser Forum has changed DN formats again this year. This will affect certificates issued by IGTF CAs.

February 2, 2023: GlideinWMS 3.10.1, osg-client 6.9.5, htvault-config 1.14¶

GlideinWMS 3.10.1
- Production release supporting tokens and Python 3
- Fix monitoring by including Glidein IDs with SciTokens
- Add Python module to help with custom scripts
- Custom setup scripts written in shell should always use the gconfig_* functions introduced in 3.9.6 to read and write glidein configuration. See the release notes for details.
osdf-client 6.9.5
- Better handling of failures and broken proxies
- Various token handling bug fixes
- Add support for specifying token name in URL
htvault-config 1.14
- Add auditlog option to move the audit log to a different location

January 17, 2023: VO Package v128¶

VO Package v128
- Update HCC, GLOW, and OSG VOMS certificates

January 3, 2023: htgettoken 1.16¶

htgettoken 1.16
- Fix httokendecode -H functionality to only attempt to convert a parsed word if it is entirely numeric, not if it just contains one digit
- At the same time, rewrite this functionality in native bash instead of using grep and sed
- Add htdestroytoken command
- Add htdecodetoken symbolic link that points to httokendecode

December 22, 2022: VO Package v127¶

VO Package v127
- Update VOMS certificates for DESY VOs (IceCube, Belle, ILC, and others)
Rebuild packages and sign with new repository key (no software changes)
- cigetcert
- cilogon-openid-ca-cert
- cvmfs-config-osg
- cvmfs-gateway
- javascriptrrd
- osg-ca-certs-updater
- osg-ca-scripts
- osg-system-profiler
- osg-update-vos
- python-jwt
- scitokens-credmon

December 8, 2022: osg-scitokens-mapfile 11, XRootD 5.5.1, CVMFS 2.10.0, GlideinWMS 3.9.6, XCache 3.3.0, Vault 1.12.1¶

osg-scitokens-mapfile 11
- Support HEPCloud factory
XRootD 5.5.1
- Fixes critical issue with XRootD FUSE mounts via xrdfs
CVMFS 2.10.0
- Support for proxy sharding with the new client option CVMFS_PROXY_SHARD={yes|no}
- Improved use of the kernel page cache resulting in significant client performance improvements in some scenarios
- Fix for a long-standing open issue regarding the concurrent reading of changing files
- Support for unpacking container images through Harbor registry proxies in the container conversion tools
GlideinWMS 3.9.6
- Adds token (and hybrid) support for Clouds (AWS/GCE)
XCache 3.3.0
- Removed X.509 proxy requirement for an unauthenticated stash-cache instance
Vault 1.12.1
- Includes a fix to prevent a potential denial of service attack for HA installations

November 21, 2022: VO Package v126¶

VO Package v126
- Update VOMS certificates for DESY VOs (IceCube, Belle, ILC, and others)

Note

Any sites supporting "IceCube", "Belle", or "ILC" must update. If not, pilots will not arrive or jobs will have storage access issues.

November 3, 2022: HTCondor-CE 5.1.6, osdf-client 6.9.2, xrootd-multiuser 2.1.2, XCache 3.2.3; Upcoming: HTCondor 9.12.0¶

HTCondor-CE 5.1.6
- HTCondor-CE now uses the C++ Collector plugin for payload job traceability
- Fix HTCondor-CE mapfiles to be compliant with PCRE2 and HTCondor 9.10.0+
- Add support for multiple APEL accounting scaling factors
- Suppress spurious log message about a missing negotiator
- Fix crash in HTCondor-CE View
osdf-client 6.9.2 (includes stashcp and condor_stash_plugin)
- Add support for osdf:// URLs
- Fix zero-byte file upload error
xrootd-multiuser 2.1.2
- Fix advertising of files not readable by the "xrootd" user
XCache 3.2.3
- Update XCache systemd overrides for xrootd-multiuser 2.1.2
Upcoming: HTCondor 9.12.0
- Provide a mechanism to bootstrap secure authentication within a pool
- Add the ability to define submit templates
- Administrators can now extend the help offered by condor_submit
- Add DAGMan ClassAd attributes to record more information about jobs
- On Linux, advertise the x86_64 micro-architecture in a slot attribute
- Added -drain option to condor_off and condor_restart
- Administrators can now set the shared memory size for Docker jobs
- Multiple improvements to condor_adstash
- HAD daemons now use SHA-256 checksums by default

October 13, 2022: HTCondor 9.0.17¶

HTCondor 9.0.17
- Fix file descriptor leak when schedd fails to launch scheduler universe jobs
- Fix failure to forward batch grid universe job's refreshed X.509 proxy
- Fix DAGMan failure when the DONE keyword appeared in the JOB line
- Fix HTCondor's handling of extremely large UIDs on Linux
- Fix bug where OAUTH tokens lose their scope and audience upon refresh
- Support for Apptainer in addition to Singularity

September 29, 2022: XCache 3.2.2¶

XCache 3.2.2
- Allow specifying separate export paths for unauthenticated and authenticated origin instances
- Allow local scitokens.conf additions
- Fix authfile generation on origins that serve no public data

Note

XRootD services should be restarted after this update

September 16, 2022: VO Package v125¶

VO Package v125
- DN changes for Gluex VO

September 15, 2022: XRootD 5.5.0, stashcp 6.8.1, osg-token-renewer 0.8.3¶

XRootD 5.5.0: Multiple new features and bug fixes
stashcp 6.8.1
- Fix WLCG token discovery
- Dynamically obtain list of caches based on the source file's namespace
osg-token-renewer 0.8.3
- Doesn't check for password file when --pw-fd is being used

September 9, 2022: VO Package v124¶

VO Package v124
- Add voms1.slac.stanford.edu VOMS server for LSST and SuperCDMS

August 30, 2022: VO Package v123, IGTF 1.117¶

VO Package v123
- Update Virgo DNs
CA certificates based on IGTF 1.117
- Add new intermediate ICA DigiCert Grid-TLS (US)
- Add new intermediate ICA DigiCert Grid-Client-RSA2048-SHA256-2022-CA1 (US)
- Removed discontinued NCSA-slcs-2013 following end of XSEDE (US)
- Removed discontinued PSC-Myproxy-CA following end of XSEDE (US)

August 25, 2022: gratia-probe 2.7.1, HTCondor 9.11.0¶

gratia-probe 2.7.1
- Fix condor-ap probe bugs in resource name detection
Upcoming: HTCondor 9.11.0
- Modified GPU attributes to support the new require_gpus submit command
- Add PREEMPT_IF_DISK_EXCEEDED and HOLD_IF_DISK_EXCEEDED configuration templates
- ADVERTISE authorization levels now also provide READ authorization
- Periodic release expressions no longer apply to manually held jobs
- If a #! interpreter doesn't exist, a proper hold and log message appears
- Can now set the Singularity target directory with container_target_dir
- If SciToken and X.509 available, uses SciToken for arc job authentication
- Singularity now mounts /tmp and /var/tmp under the scratch directory
- Fix bug where Singularity jobs go on hold at the first checkpoint
- Report resources provisioned by the Slurm batch scheduler when available
- Fix bug where gridmanager deletes the X.509 proxy file instead of the copy
  - Fixes jobs going on hold in the HTCondor-CE with the following message:
```
HoldReason:Failed to get expiration time of proxy: unable to read proxy file
```

August 18, 2022: HTCondor 9.0.16, xrootd-monitoring-shoveler 1.1.2¶

HTCondor 9.0.16
- Singularity now mounts /tmp and /var/tmp under the scratch directory
- Fix bug where Singularity jobs go on hold at the first checkpoint
- Fix bug where gridmanager deletes the X.509 proxy file instead of the copy
  - Fixes jobs going on hold in the HTCondor-CE with the following message:
```
HoldReason:Failed to get expiration time of proxy: unable to read proxy file
```
xrootd-monitoring-shoveler 1.1.2
- Fix bug that affects those using the auto-renewal of tokens

July 28, 2022: gratia-probe 2.7.0, blahp 2.2.1, HTCondor 9.0.15, CVMFS 2.9.3¶

gratia-probe 2.7.0
- Fix issue with accounting for whole node Slurm pilots by reporting allocated CPUs if available
- Fix broken dcache-transfer probe
- Improve mechanism to extract Resource Name
- Add back missing gratia-probe-services package
blahp 2.2.1
- Report allocated CPUs of Slurm jobs in status result
- Disable email notifications for blahp->condor jobs
HTCondor 9.0.15
- Report resources provisioned by the Slurm batch scheduler when available
- SciToken mapping failures are now recorded in the HTCondor daemon logs
- Fix bug that stopped file transfers when output and error are the same
- Ensure that the Python bindings version matches the installed HTCondor
- $(OPSYSANDVER) now expand properly in job transforms
- Fix bug where context managed Python htcondor.SecMan sessions crash
- Fix bug where remote CPU times would rarely be set to zero
CVMFS 2.9.3
- Bug fix for a type of client crash
- Bug fix for server garbage collection unreleased locks
osg-xrootd 3.6-18
- Enable VOMS support in authenticated stash caches and origins
- Add ability to turn off VOMS support via environment variable
XRootD 5.4.3-1.2
- Improve logging for xrootd-scitokens
htgettoken 1.15
- Improve support for vault service using round-robin DNS
Upcoming: HTCondor 9.10.1
- ActivationSetupDuration is now correct for jobs that checkpoint
- With collector administrator access, can manage HTCondor pool daemons
- SciTokens can now be used for authentication with ARC CE servers
- Prevent negative values when using huge files with file transfer plugins

June 16, 2022: HTCondor-CE 5.1.5, gratia-probe 2.6.1, GlideinWMS 3.9.5, HTCondor 9.0.13¶

HTCondor-CE 5.1.5
- Fix whole node job glidein CPUs and GPUs expressions that caused held jobs
- Fix bug where default CERequirements were being ignored
- Pass whole node request from GlideinWMS to the batch system
- Rename AuthToken attributes in the routed job to better support accounting
- Prevent GSI environment from pointing the job to the wrong certificates
- Fix issue where HTCondor-CE would need port 9618 open to start up
gratia-probe 2.6.1
- Log schedd cron errors with newer versions of HTCondor
- Replace AuthToken* references with routed job attributes
- Remove certinfo flie log messages
- Fix crash on send failure
GlideinWMS 3.9.5
- Support for Apptainer
- Support for CVMFS on-demand
- Configurable idtokens lifetime
- Improved frontend logging
- Improved default SHARED_PORT configuration
- Special handling of multiline condor config values
- Several bug fixes
HTCondor 9.0.13: Bug fix release
- Schedd and startd cron jobs can now log output upon non-zero exit
- condor_config_val now produces correct syntax for multi-line values
- The condor_run tool now reports submit errors and warnings to the terminal
- Fix issue where Kerberos authentication would fail within DAGMan
- Fix HTCondor startup failure with certain complex network configurations
VO Package v122
- Add new sPHENIX and EIC VO certificates
XCache 3.1.0
- Fixed library dependency issues for xcache-reporter
- Add systemd overrides for xrootd-privileged
XRootD 5.4.3: Bug fix release
stashcp 6.7.5
- Adds multi-file transfer and improved error messages
- Relax download timeouts for file transfer plugin
- Multiple bug fixes
htvault-config 1.13
- Removes support for old style secret storage; requires htgettoken >= 1.7
htgettoken 1.12
- Avoids crash when verbose output includes UTF-8
osg-pki-tools 3.5.2
- Bug fix for osg-incommon-cert-request when using host file
osg-token-renewer 0.8.2
- Use oidc-agent's built-in password file option
- Ensure tokens are renewed more frequently than their lifespan
rrdtool 1.8.0-1.2.el7
- Make Python RRDtools available to GlideinWMS
xrootd-multiuser 2.0.4
- Fix crash on Enterprise Linux 8
osg-release 3.6-5: Add osg-next yum repository
Upcoming
- HTCondor 9.9.1
  - A new authentication method for remote HTCondor administration
  - Several changes to improve the security of connections
  - Fix issue where DAGMan direct submission failed when using Kerberos
  - The submission method is now recorded in the job ClassAd
  - Singularity jobs can now pull from Docker style repositories
  - The OWNER authorization level has been folded into the ADMINISTRATOR level

May 24, 2022: VO Package v121¶

VO Package v121
- Add new VO certificates for CLAS12 and EIC

May 11, 2022: OSG Worker Node Client and Tarballs¶

OSG worker node client 3.6-5
- Add in missing stashcp and voms-client-cpp packages

Warning

The current OASIS tarball link now points to the OSG 3.6 tarball.

Packages no longer available in the OSG worker node tarball include:

fts-client (was present in EL7 only)
MyProxy
GridFTP clients (e.g. globus-url-copy)
UberFTP
SRM and GridFTP plugins for GFAL2
GSISSH client

May 5, 2022: HTCondor 9.0.12, XCache 3.0.1, gratia-probe 2.5.2¶

HTCondor 9.0.12: Bug fix release
XCache 3.0.1
- Fixed library dependency issues for xcache-reporter
gratia-probe 2.5.2
- Remove pre-routed jobs instead of quarantining them
- Always set MapUnknownToGroup
osg-flock 1.8
- Remove MapUnknownToGroup and MapGroupToRole from osg-flock
- Advertise osg-flock version in the osg-flock RPM

April 26, 2022: CVMFS 2.9.2, Upcoming: HTCondor 9.8.1¶

CA certificates based on IGTF 1.116
- Updated intermediate CERN Grid CA ICA with extended validity (CERN)
CVMFS 2.9.2: Bug fix release
cigetcert 1.20: works better with CILogon's AWS infrastructure
osg-ce 3.6-5
- Add OSG_SERIES = 3.6 as a schedd attribute
- Remove default BATCH_GAHP configuration now provided by upstream
osg-pki-tools 3.5.1: Python 3 fixes for osg-incommon-cert-request
osg-xrootd 3.6-16
- Fix stash-cache: enabling VOMS causes unauth cache to crash
vault 1.10, htvault-config 1.12 htgettoken 1.11
- Update from upstream software and change httokendecode to also verify tokens if scitokens-verify is present
VOMS 2: Update default proxy certificate key length to 2048 bits
Upcoming: HTCondor 9.8.1
- Support for Heterogeneous GPUs, some configuration required
- Allow HTCondor to use grid sites requiring multi-factor authentication
- Technology preview: bring your own resources from HPC clusters
- Fix HTCondor startup failure with complex network configurations

April 14, 2022: osg-configure 4.1.1, osg-scitokens-mapfile 8¶

OSG-Configure 4.1.1
- Fix gratia DataFolder/PER_JOB_HISTORY_DIR check for HTCondor-CE with an HTCondor batch system
osg-scitokens-mapfile 8
- New token mappings for CMS local and USCMS local pilots.
- New token mappings for HCC pilots

March 31, 2022: IGTF 1.115¶

This release contains updated CA Certificates based on IGTF 1.115

Removed obsolete CNRS2 CAs, superseded by AC-GRID-FR hierarchy (FR)
Add supplementary BCDR download location for UGRID-G2 CRL (UA)
Extended validity period of HPCI CA (JP)

March 24, 2022: XRootD 5.4.2-1.1, HTCondor 9.0.11, stashcp 6.6.0¶

XRootD 5.4.2 plus OSG patches
HTCondor 9.0.11
- The Job Router can now create an IDTOKEN for use by the job
  - Fix bug where a self-checkpointing job may erroneously be held
  - Fix bug where the Job Router erroneously substitutes a default value
  - Fix bug where a file transfer error may identify the wrong file
  - Fix bug where condor_ssh_to_job may fail to connect
stashcp 6.6.0
- Rewritten in Go
- New features
  - HTCondor File Transfer plugin interface
  - Progress bar on interactive terminals
  - Recursive downloads
  - WLCG token discovery
python-scitokens 1.7.0
osg-token-renewer 0.8.1: Add support for manual client registration
xrootd-monitoring-shoveler 1.0.0: Initial release
vault 1.9.3
htgettoken 1.10
- Upcoming
  - HTCondor 9.7.0
    - Support environment variables, application elements in ARC REST jobs
    - Container universe supports Singularity jobs with hard-coded command
    - DAGMan submits jobs directly (does not shell out to condor_submit)
    - Meaningful error message and sub-code for file transfer failures
    - Add file transfer statistics for file transfer plugins
    - Add named list policy knobs for SYSTEM_PERIODIC_ policies

March 15, 2022: High Priority Release¶

HTCondor 9.0.10 and 9.6.0 Security Release. This release contains fixes for important security issues. More details on the security issues are in the vulnerability reports:

March 3, 2022: XRootD 5.4.1 and GlideinWMS 3.9.4¶

XRootD 5.4.1: Bug fix release
osg-xrootd 3.6-15
GlideinWMS 3.9.4
- Add flexible mount points for CVMFS in the Glideins (not always /cvmfs)
- Per-Entry IDTOKENS
- Support per-group SciTokens
- Frontend and Factory check the expiration of SciTokens, other JWT tokens
- Bug Fixes:
  - IDTOKEN issuer changed from collector host to trust domain
  - X.509 proxy is now renewed also when using also tokens
- shared port is now the default in the User (VO) Collector HTCondor

February 17, 2022: VO Package v120¶

VO Package v120
- Update FNAL voms1 DN

February 10, 2022: HTCondor 9.0.9 LTS¶

HTCondor 9.0.9 LTS
- The OAUTH credmon is now available on Enterprise Linux 8
- Deprecated C-style comments no longer cause the job router to crash
VO Package v119
- Update OSG VO and GLOW VO DNs
hosted-ce-tools 0.9: new for Enterprise Linux 8
scitokens-credmon 0.8.1: new for Enterprise Linux 8

February 3, 2022: Gratia Probe 2.5.1¶

gratia-probe 2.5.1
- Fix a bug that prevented record generation for HTCondor batch systems. Manual intervention required; see this documentation for details.
- Fix ownership of the record quarantine directory
osg-flock 1.7
- Fixed capitalization of the OSG VO in the default accounting configuration (access point admins that have already updated to osg-flock-1.6 should change VOOverride="OSG" to VOOverride="osg" in /etc/gratia/condor-ap/ProbeConfig)
- Dropped configuration required for old versions of HTCondor
VO Package v118
- Update FNAL voms2 DN

January 27, 2022: VO Package v117 and OSG SciTokens mapfile 5¶

VO Package v117
- Update GlueX DN
- Update hcc-voms2 DN
- Add ATLAS IAM vomses entry
osg-scitokens-mapfile 5
- Add default SciTokens mappings for the FNAL VOs

January 20, 2022: CVMFS 2.9.0 and HTCondor 5.1.3 updates¶

CA Certificates based on IGTF 1.114
- Extend validity for SlovakGrid issuing CA (SK)
- Remove expired Let's Encrypt ROOT CA X3 and X4
CVMFS 2.9.0
- Incremental conversion of container images, resulting in a large speed-up for publishing new container image versions to unpacked.cern.ch
- Support for maintaining repositories in S3 over HTTPS (not just HTTP)
- Significant speed-ups for S3 and gateway publisher deployments
- Various bugfixes and smaller improvements (error reporting, repository statistics, network failure handling, etc.)
HTCondor-CE 5.1.3
- The HTCondor-CE central collector requires SSL credentials from client CEs
- Fix BDII crash if an HTCondor Access Point is not available
- Fix formatting of APEL records that contain huge values
- HTCondor-CE client mapfiles are not installed on the central collector
osg-xrootd 3.6-12
- Fix default location for grid-mapfile when using HTTP/WebDAV transfer
- Fix monitoring of writes
osg-ce 3.6-4
- Release the osg-ce-bosco package

January 13, 2022: XRootD 5.4.0 and Vault updates¶

XRootD 5.4.0: New feature release
- Fix problem interacting with version 5.1 or 5.2 origin servers
xrootd-tcp-stats 1.0.0: Initial release of TCP statistics plugin
vault 1.9.0, htvault-config 1.11, htgettoken 1.9
- upgrade to latest vault
- add support for ssh-agent authentication
VO Package v116
- Add second Belle2 VOMS server
oidc-agent 4.2.4
- Upgrade to new major version from version 3.3.3
- NOTE: oidc-agent must be restarted after upgrade
osg-scitokens-mapfile 4
- Add default ATLAS token mappings
osg-pki-tools 3.5.0-2: Upgrade to Python 3

December 9, 2021: XRootD and HTCondor updates¶

Problem interoperating with older origin servers

If an XRootD 5.3.4 cache interacts with a 5.1 or 5.2 origin and there is an asyncio error, it may crash the origin. Please upgrade your origin at your earliest convenience. You may turn off asyncio (async off) on either end to avoid the problem.

XRootD 5.3.4
- Fix uncorrectable checksum errors in XCache Origins
HTCondor 9.0.8 LTS
- X.509 proxy delegation now works in OSG 3.6
- Fix bug where huge values of ImageSize and others would end up negative
- Fix bug in how MAX_JOBS_PER_OWNER applied to late materialization jobs
- Fix bug where the schedd could choose a slot with insufficient disk space
- Fix crash in ClassAd substr() function when the offset is out of range
- Fix bug in Kerberos code that can crash on macOS and could leak memory
- Fix bug where a job is ignored for 20 minutes if the startd claim fails

December 1, 2021: Initial XRootD release¶

XRootD 5.3.2
- Initial release of XRootD in OSG 3.6
XCache 3.0.0
- Initial release of XCache in OSG 3.6
HTCondor 9.0.7: Bug fix release
- Fix bug where condor_gpu_discovery could crash with older CUDA libraries
- Fix bug where condor_watch_q would fail on machines with older kernels
- condor_watch_q no longer has a limit on the number of job event log files
- Fix bug where a startd could crash claiming a slot with p-slot preemption
- Fix bug where a job start would not be recorded when a shadow reconnects
VO Package v115
- Add CMS IAM vomses entry
- Update WLCG VO certificate
GlideinWMS 3.9.3
- Type validation support to the check_python3_expr.py script
- Drops the encondingSupport.py module and its unit tests
- Fixes an encoding problem affecting cloud submissions
Pegasus 5.0.1
- First OSG release of the Pegasus 5 series
Upcoming
- HTCondor 9.3.0
  - File transfer plugin sample code to aid in developing new plugins
  - Add generic knob to set the slot user for all slots

November 11, 2021: osg-flock and gratia-probes¶

osg-flock 1.6-3
- Update probe configuration to support Open Science Pool
- Overhaul configuration for HTCondor 9.0
gratia-probe 2.3.3
- Add gratia-probe-condor-ap for user job accounting of HTCondor Access Points
- Drop unused XRootD transfer probes
- Fix default HTCondor-CE probe directory configurations and ownership

October 13, 2021: Initial osg-token-renewer release¶

Initial release of the osg-token-renewer: a service to manage automatic renewal of bearer tokens from OIDC providers (e.g., CILogon, IAM), intended for use by VO managers
blahp 2.1.3: Bug fix release
- Include the more efficient LSF status script
- Fix status caching on EL7 for PBS, Slurm, and LSF

October 5, 2021: IGTF 1.113¶

This release contains updated CA Certificates based on IGTF 1.113

Suspended MD-GRID CA due to network resolution issues (MD)

September 30, 2021: Urgent Let's Encrypt CA certificate update¶

Please update osg-ca-certs as soon as possible.

Applications and tools using OpenSSL such as wget, HTCondor, and XRootD, will to fail to establish TLS/HTTPS connections to servers using Let's Encrypt certificates with a "certificate has expired" message.

This release of OSG 3.6 contains the following packages:

osg-ca-certs 1.99: Remove expired Let's Encrypt CA certificate
osg-wn-client: Fix installation issue causes by EPEL's gfal2 update
CVMFS 2.8.2: Bug fix release
cvmfs-x509-helper 2.2-2: Fix a number of issues with SciTokens support
HTCondor 9.0.6
- CUDA_VISIBLE_DEVICES can now contain GPU- formatted values
- Fix a bug that caused jobs to fail when using Singularity versions > 3.7
- Fix bugs relating to the transfer of standard output and error logs
vault 1.8.2, htvault-config 1.6, htgettoken 1.6: Minor improvements
Upcoming
- HTCondor 9.2.0
  - Add DAGMan SERVICE node, used to monitor or report on DAG workflow
  - Fix problem where proxy delegation to HTCondor versions < 9.1.3 failed
  - Jobs are now re-run if the execute directory unexpectedly disappears
  - HTCondor counts the number of files transferred at the submit node
  - Fix a bug that caused jobs to fail when using Singularity versions > 3.7

September 23, 2021: HTCondor-CE 5.1.2¶

This release of OSG 3.6 contains the following packages:

HTCondor-CE 5.1.2
- Fixed the default memory and CPU requests when using job router transforms
- Apply default MaxJobs and MaxJobsIdle when using job router transforms
- Improved SciTokens support in submission tools
- Fixed --debug flag in condor_ce_run
- Update configuration verification script to handle job router transforms
- Corrected ownership of the HTCondor PER_JOBS_HISTORY_DIR
- Fix bug passing maximum wall time requests to the local batch system

September 9, 2021: HTCondor 9.0.5 and blahp 2.1.1¶

This release of OSG 3.6 contains the following packages:

HTCondor 9.0.5: Bug fix release
- Other authentication methods are tried if mapping fails using SciTokens
- Fix rare crashes from successful condor_submit, which caused DAGMan issues
- Fix bug where ExitCode attribute would be suppressed when OnExitHold fired
- condor_who now suppresses spurious warnings coming from netstat
- The online manual now has detailed instructions for installing on MacOS
- Fix bug where misconfigured MIG devices would cause no GPUs to be detected
- The transfer_checkpoint_file list may now include input files
blahp 2.1.1: Bug fix release
- Add Python 2 support back for Enterprise Linux 7
- Allow the user to override system configuration files
- Enable flexible configuration via a configuration directory
- Fix Slurm resource usage reporting

August 16, 2021: IGTF 1.112¶

This release contains updated CA Certificates based on IGTF 1.112

Updated ANSPGrid CA with extended validity date (BR)

August 12, 2021: Gratia probes 2.1.0¶

Gratia probes 2.1.0
- Fix a problem that caused a traceback message in the condor_meter
- Fix a traceback caused by missing LogLevel in ProbeConfig
- Ensure that Gratia accounts for SciTokens-based pilots

August 5, 2021: VOMS Update, htvault-config 1.4, htgettoken 1.3¶

VOMS 2.0.16-1.2 (EL7) and VOMS 2.1.0-0.14.rc2.2 (EL8)
- Add IAM and TLS SNI support
htvault-config 1.4 and htgettoken 1.3
- Improved security through more fine-grained vault tokens and detailed logging
- Miscellaneous improvements

July 30, 2021: High Priority Release¶

HTCondor 9.0.4 and 9.1.2 Security Release. This release contains fixes for important security issues. More details on the security issues are in the vulnerability reports:
- HTCONDOR-2021-0003
- HTCONDOR-2021-0004

July 27, 2021: High Priority Release¶

HTCondor 9.0.3 and 9.1.1 Security Release. This release contains fixes for important security issues. More details on the security issues are in the vulnerability reports:
- Unfortunately, these releases did not fully mitigate the vulnerability described in HTCONDOR-2021-0003
- HTCONDOR-2021-0003
- HTCONDOR-2021-0004

July 22, 2021: HTCondor 9.0.2 and blahp 2.1.0¶

This release of OSG 3.6 contains the following packages:

HTCondor 9.0.2-1.1: Bug fix release
- HTCondor can be setup to use only FIPS 140-2 approved security functions
- If the Singularity test fails, the job returns to the idle state
- Can divide GPU memory, when making multiple GPU entries for a single GPU
- Startd and Schedd cron job maximum line length increased to 64k bytes
- Added first class submit keywords for SciTokens
- Fixed MUNGE authentication
blahp 2.1.0: Bug fix release
- Fix bug where GPU request was not passed onto the batch script
- Fix issue where proxy symlinks were not cleaned up by not creating them
- Fix bug where output files are overwritten if no transfer output remap
- Added support for passing in extra submit arguments from the job ad

July 15, 2021: VO Package v114¶

This release contains an updated VO Package with the following changes:

Fix typo in CLAS12 and EIC VOMS certificate issuers
Add LSC files for CERN VO IAM endpoints

July 1, 2021: Frontier Squid 4.15-2.1, Vault 1.7.3, Upcoming: HTCondor 9.1.0¶

This release of OSG 3.6 contains the following packages:

Frontier Squid 4.15-2.1: Fix log rotation when not compressing
Vault 1.7.3: Bug fix release
htvault-config 1.2: Updated to match vault 1.7.3
Upcoming
- HTCondor 9.1.0: Start of next feature series

June 24, 2021: HTCondor 9.0.1, HTCondor-CE 5.1.1¶

This release of OSG 3.6 contains the following packages:

HTCondor 9.0.1-1.2: Bug fix release
- Fix problem where X.509 proxy refresh kills job when using AES encryption
- Fix problem when jobs require a different machine after a failure
- Fix problem where a job matched a machine it can't use, delaying job start
- Fix exit code and retry checking when a job exits because of a signal
- Fix a memory leak in the job router when a job is removed via job policy
- Fixed the back-end support for the bosco_cluster --add command
HTCondor-CE 5.1.1
- Improve restart time of HTCondor-CE View
- Fix bug that caused HTCondor-CE to ignore incoming BatchRuntime requests
- Fixed error that occurred during RPM installation of non-HTCondor batch systems regarding missing file batch_gahp

June 16, 2021: VO Package v113¶

This release contains an updated VO Package with the following changes:

Added new CLAS12 and EIC VO certificates
Retired old CLAS12 and EIC VO certificates

June 3, 2021: Vault security update and gratia probes¶

This release of OSG 3.6 contains the following packages:

gratia-probe 1.23.3: Fix problem that could cause pilot hours to be zero for non-HTCondor batch systems
vault 1.7.2: Security update; fixes CVE-2021-32923. (OSG configuration not vulnerable)

May 25, 2021: IGTF 1.111¶

This release contains updated CA Certificates based on IGTF 1.111

Removed discontinued NERSC-SLCS CA (US)
Removed discontinued MYIFAM CA (MY)

May 17, 2021: HTCondor-CE 5.1.0 and HTCondor 9.0.0¶

This release of OSG 3.6 contains the following packages:

HTCondor 9.0.0-1.5: Major new release with enhanced security
Blahp 2.0.2: GPU Support, Converted to Python 3
HTCondor-CE 5.1.0
- Support for Job Router Transform configuration syntax
- Credential mapping changes
- Converted to Python 3
osg-scitokens-mapfile 3: Updated to support HTCondor-CE 5.1.0
osg-ce: now requires osg-scitokens-mapfile
vault 1.7.1: Update to latest upstream release
htvault-config 1.1: Uses yaml configuration files
htgettoken 1.2: improved error message handling and bug fixes

May 13, 2021: High Priority Release¶

This release of OSG 3.6 contains the following packages:

Frontier Squid 4.15-1.2: Closes multiple security vulnerabilities
Updated CA certificates based on IGTF 1.110
osg-ca-certs 1.96: Fixed Let's Encrypt signing policy to accept cross-signing chain

April 22, 2021: CVMFS 2.8.1¶

This release of OSG 3.6 contains the following packages:

CVMFS 2.8.1: Bug fix release
gratia-probe 1.23.2: Converted to use Python 3

March 25, 2021: HTCondor 8.9.11 patches¶

This release of OSG 3.6 contains the following packages:

HTCondor 8.9.11-1.4 (EL7 only)
- Fixes a potential SchedD crash when using malformed tokens
- condor_watch_q now works on DAGs
vo-client-110-1 with updated WeNMR VOMS information

Additionally, the following packages that were already available in OSG 3.6 for EL7 were released for EL8:

osg-scitokens-mapfile-1-1 containing a new HTCondor-CE mapfile for VO token issuers
vault-1.6.2-1 and htvault-config-0.5-1 for managing tokens
cvmfs-gateway-1.2.0-1: note the upstream documentation for updating from version 0.2.5

February 26, 2021: 3.6 Released¶

Where are GlideinWMS and XRootD?

XRootD and GlideinWMS are both absent in the initial OSG 3.6 release: we expect major version updates that may require manual intervention for both of these packages so we are holding their initial releases in this series until they are ready.

This initial release of the OSG 3.6 release series is based on the packages available in OSG 3.5.31. One of the major changes in this release series is the shift to token-based authentication from GSI proxy-based authentication. Here is a list of the differences in this initial release:

GridFTP, GSI, and Hadoop are no longer available
Added packages to support token-based authentication
HTCondor 8.9.11: initial token support (8.9.12, which will contain default configuration using tokens, was delayed)
HTCondor-CE 5.0.0: support for Python 3
Gratia Probe 2.0.0: replace all batch system probes with the non-root HTCondor-CE probe
OSG-Configure 4.0.0:
- Deprecated RSV
- Dropped unused configuration modules and attributes
- Reorganized some configuration (see update instructions for more details)

In addition, we have updated our Software Release Policy to follow a rolling release model.

Finally, our Docker image releases will more closely track our OSG 3.6 repositories.

Announcements¶

Updates to critical packages also announced by email and are sent to the following recipients and lists: