[HTCondor-users] Problems with condor_ssh_to_job

[Oliver Freyermuth <o.freyermuth@xxxxxxxxxxxxxx>]

Dear condor experts, 

I have a set of two issues using condor_ssh_to_job in our htcondor 8.6.5 setup on CentOS 7. 
Our workers are in a private network, the central manager is "outside" of that in a public net, same for the submittor / schedd node. 

1) It seems condor_ssh_to_job chooses some random port on the startd machine
   when making the reverse connection (from startd to schedd as negotiated via the CCB). 
   This prevents firewalling - up to now, we have used shared_port successfully, but it seems condor_ssh_to_job ignores that completely. 
   Is there any way to limit the number of ports condor_ssh_to_job will listen on on the schedd side, or make it use the shared_port_daemon? 
   If not: How to configure a firewall on the schedd side? Is it possible at all when condor_ssh_to_job should be usable? 

2) SELinux policies prevent running ssh-keygen on the startd machine. SELinux denies permission to write the generated keys to /pool/condor/dir_<PID>/.condor_ssh_to_job_1/ . 
   Is this already fixed in a new version of HTCondor? 
   This breaks on CentOS 7 out of the box. 

Many thanks for your help, 
	Oliver

-- 
Oliver Freyermuth
Physikalisches Institut der UniversitÃt Bonn
NuÃallee 12
53115 Bonn
--