Re: [HTCondor-users] Problems with condor_ssh_to_job

[Oliver Freyermuth <o.freyermuth@xxxxxxxxxxxxxx>]

Hi Todd, 

Am 03.08.2017 um 19:02 schrieb Todd Tannenbaum:
> Yes, you can use shared_port on your submit (schedd) machine, setup your firewall to only allow port 9618, and still have condor_ssh_to_job work with CCB.  To make it all work together this way requires that you change the permissions on the directory used by shared_port like so:
> 
>    chmod 1777 /var/lock/condor/daemon_sock
> 
> (/var/lock/condor is the default, you may need to do "condor_config_val LOCK" to get the actual path HTCondor lock directory).
> 
> To understand why this is needed and why it works, read the wisdom for knob DAEMON_SOCKET_DIR in the HTCondor Manual, available at URL http://bit.ly/2u4Jt1F

Wow - thanks for that link, and also for the quick reply!
I totally missed that in the documentation, I was looking around in the more general parts (CCB and network configuration, and condor_ssh_to_job options and manpage),
but never checked there. Really good news we can keep the firewall up with just this (known and needed) hole for usage by HTCondor. 

> 
>> 2) SELinux policies prevent running ssh-keygen on the startd machine. SELinux denies permission to write the generated keys to /pool/condor/dir_<PID>/.condor_ssh_to_job_1/ .
>>     Is this already fixed in a new version of HTCondor?
>>     This breaks on CentOS 7 out of the box.
>>
> 
> Ugh.  Thank you for investigating and reporting this. We will make a ticket on the wiki.htcondor.org to address this for the next release, and include a work-around in the ticket until the new version is released.   Tim T will post the ticket URL here shortly.
Thanks for taking care of that! 

Best regards, 
Oliver


-- 
Oliver Freyermuth
Physikalisches Institut der UniversitÃt Bonn
NuÃallee 12
53115 Bonn
--