
Re: [HTCondor-users] Problems with condor_ssh_to_job



Hi, 

looking at the ticket:
https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=6362
it's unclear to me what the current status is - is this in the pipeline for the next packaged version,
and will it also be backported to current stable versions (since this should affect all released packages)? 

Many thanks for your support, 
	Oliver

On 03.08.2017 at 23:54, Tim Theisen wrote:
> Here is the ticket:
> 
> https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=6362
> 
> ...Tim
> 
> 
> On 08/03/2017 11:21 AM, Oliver Freyermuth wrote:
>> Dear condor experts, 
>>
>> I have a set of two issues using condor_ssh_to_job in our htcondor 8.6.5 setup on CentOS 7. 
>> Our workers are in a private network, the central manager is "outside" of that in a public net, same for the submitter / schedd node. 
>>
>> 1) It seems condor_ssh_to_job chooses some random port on the startd machine
>>    when making the reverse connection (from startd to schedd as negotiated via the CCB). 
>>    This prevents firewalling - up to now, we have used shared_port successfully, but it seems condor_ssh_to_job ignores that completely. 
>>    Is there any way to limit the number of ports condor_ssh_to_job will listen on on the schedd side, or make it use the shared_port_daemon? 
>>    If not: How to configure a firewall on the schedd side? Is it possible at all when condor_ssh_to_job should be usable? 
>>
>> 2) SELinux policies prevent running ssh-keygen on the startd machine. SELinux denies permission to write the generated keys to /pool/condor/dir_<PID>/.condor_ssh_to_job_1/ . 
>>    Is this already fixed in a new version of HTCondor? 
>>    This breaks on CentOS 7 out of the box. 
>>
>> Many thanks for your help, 
>> 	Oliver
>>
>