On Wed, Aug 24, 2016 at 09:07:44PM +0200, Alexander Hasselhuhn wrote:
> Dear Reuti,
>
> thanks for the reply, indeed at the moment there is a login node, but we have
> plans to remove it (by setting up a route through our gateway, which makes
> some administrative tasks more smooth) and restricting access using
> firewalls. I like your idea of restricting the address range instead of the
> port range.
>
> Yours,
> Alex
>
> On 08/24/2016 08:51 PM, Reuti wrote:
> >Hi,
> >
> >On 24.08.2016 at 19:33, Alexander Hasselhuhn wrote:
> >
> >>does anyone know which ports I would have to insert into my firewall config
> >>for qrsh to work? It seems qrsh opens a port on the submit host and listens
> >>on it. The ports seem to change randomly for each execution of qrsh.
> >

An alternative would be something like using a qrsh_command that invokes ssh -w
to connect to the port in question.

Something like:

    #!/bin/sh
    # Positional arguments as used in this post: $2 is the port, $3 the host.
    HOST=$3
    PORT=$2
    # -W forwards this process's stdin/stdout to HOST:PORT through the ssh
    # connection (lowercase -w requests tun device forwarding instead).
    ssh -W "${HOST}:${PORT}" "${HOST}"

Which would access the remote host via the regular sshd then connect to the
destination host and port.

You then need an rshd_command that upon receiving a connection executes the
qrsh_starter:

Something like:

    #!/bin/sh
    # Run qrsh_starter as the job owner, taken from the job_owner= line under
    # the job spool directory (the post names only the directory here).
    su "$(sed -n -e 's/^job_owner=//p' "${SGE_JOB_SPOOL_DIR}")" -c "${SGE_ROOT}/utilbin/${SGE_ARCH}/qrsh_starter ${SGE_JOB_SPOOL_DIR}" -

The above is thoroughly untested and probably has syntax errors and security
holes.

Then all you need is some means of passwordless ssh authentication, a suitably
nailed down sshd on the receiving host, port 22 open to the world and the
dynamic port range accessible from the localhost.

William
_______________________________________________
users mailing list
users@gridengine.org
https://gridengine.org/mailman/listinfo/users
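
An added example, not part of the original post or of Grid Engine: a variant of the ssh wrapper from the message above that checks the host and port before handing them to ssh. It assumes the same argument positions as the posted script ($2 port, $3 host) and uses ssh -W for the stdio forward; ALLOWED_DOMAIN and the port bounds are constructed placeholders.

```shell
#!/bin/sh
# Added example: argument checks for an ssh -W wrapper used in place of rsh.
# ALLOWED_DOMAIN and the port bounds are constructed placeholders.
ALLOWED_DOMAIN="cluster.example"
PORT_MIN=1024
PORT_MAX=65535

# Accept only a plain decimal port inside the permitted range.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] || return 1
    [ "$1" -ge "$PORT_MIN" ] && [ "$1" -le "$PORT_MAX" ]
}

# Accept only host names under ALLOWED_DOMAIN; a leading "-" would be
# parsed by ssh as an option, so it is rejected outright.
valid_host() {
    case "$1" in
        ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    case "$1" in
        *."$ALLOWED_DOMAIN") return 0 ;;
    esac
    return 1
}

# Print the HOST:PORT forwarding target, or fail without output.
forward_target() {
    valid_port "$1" && valid_host "$2" || return 1
    printf '%s:%s\n' "$2" "$1"
}

# Entry point: same argument positions as the script in the post
# ($2 = port, $3 = host).
run_wrapper() {
    target=$(forward_target "$2" "$3") || {
        echo "rsh wrapper: rejected host or port" >&2
        return 64
    }
    # BatchMode stops ssh from prompting; "--" ends option parsing.
    exec ssh -o BatchMode=yes -W "$target" -- "$3"
}

if [ "$#" -ge 3 ]; then
    run_wrapper "$@"
fi
```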