Instead of messing with the qrsh mechanism, why don't you just change
the local port range, if you want a smaller range for your firewall?
In /etc/sysctl.conf, add a line like the following (or modify it if there is one already):
net.ipv4.ip_local_port_range = 32768 61000
(replacing the limits with ones you like).
Tina
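Added example (not code posted by anyone in this thread): a POSIX shell snippet that reads the range out of a sysctl line like the one above, checks it is sane, and emits an nftables rule that opens that range on the submit host only to the execution hosts' subnet, combining the smaller port range with the address-range restriction Reuti suggested further down. The table/chain names "inet filter input", the subnet 10.0.0.0/24 and the sample sysctl line are assumptions.

```shell
#!/bin/sh
# Added example, not code posted in this thread.
# Turn the kernel's ephemeral port range (the range qrsh picks its listening
# port from on the submit host) into one firewall rule, so the range that is
# opened is exactly the one configured in /etc/sysctl.conf.
# Assumptions: nftables rule syntax, table/chain "inet filter input", and a
# constructed sysctl line instead of reading the live value.

# Constructed sample of what `sysctl net.ipv4.ip_local_port_range` prints.
SAMPLE_SYSCTL='net.ipv4.ip_local_port_range = 32768 61000'

# Print "low high" from either the sysctl form above or the raw contents of
# /proc/sys/net/ipv4/ip_local_port_range (two tab-separated numbers): in both
# cases the two numbers are the last two whitespace-separated fields.
parse_port_range() {
    printf '%s\n' "$1" | awk 'NF >= 2 { print $(NF-1), $NF }'
}

# Succeed only for a range the kernel accepts that also stays clear of the
# privileged ports (< 1024), which the rule below must never open.
validate_range() {
    [ "$1" -ge 1024 ] && [ "$1" -lt "$2" ] && [ "$2" -le 65535 ]
}

# Emit the rule for the submit host's input chain: TCP to the dynamic range is
# accepted only from the execution hosts' subnet ($3); everything else is left
# to the chain's default policy. Fails (no output) on an invalid range.
firewall_rule() {
    validate_range "$1" "$2" || return 1
    printf 'nft add rule inet filter input ip saddr %s tcp dport %s-%s accept\n' \
        "$3" "$1" "$2"
}

# Usage: parse the sample line and emit the rule for a constructed cluster subnet.
set -- $(parse_port_range "$SAMPLE_SYSCTL")
firewall_rule "$1" "$2" 10.0.0.0/24
```

The rule belongs on the submit host, since the execution hosts connect back to qrsh's listener there. Narrowing ip_local_port_range also shrinks the pool of source ports for every outbound connection from that host, so check the range is still large enough for its normal connection volume.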
On 25/08/16 09:32, William Hay wrote:
On Thu, Aug 25, 2016 at 09:15:26AM +0100, William Hay wrote:
On Wed, Aug 24, 2016 at 09:07:44PM +0200, Alexander Hasselhuhn wrote:
Dear Reuti,
Thanks for the reply. Indeed, at the moment there is a login node, but we have
plans to remove it (by setting up a route through our gateway, which makes some
administrative tasks smoother) and to restrict access using firewalls. I
like your idea of restricting the address range instead of the port range.
Yours,
Alex
On 08/24/2016 08:51 PM, Reuti wrote:
Hi,
On 24.08.2016 at 19:33, Alexander Hasselhuhn wrote:
does anyone know which ports I would have to insert into my firewall config for
qrsh to work? It seems qrsh opens a port on the submit host and listens on it.
The ports seem to change randomly for each execution of qrsh.
An alternative would be something like using a qrsh_command that invokes ssh -w
to connect to the port in question.
Something like:
#!/bin/sh
# qrsh_command wrapper: assumes the port arrives as $2 and the host as $3,
# i.e. an "ssh -p PORT HOST ..." style invocation.
HOST=$3
PORT=$2
# -W (capital) forwards this command's stdin/stdout over the ssh session to
# HOST:PORT; lowercase -w is tun-device forwarding and takes no host:port.
exec ssh -W "${HOST}:${PORT}" "${HOST}"
Which would access the remote host via the regular sshd then connect to the
destination host and port.
You then need an rshd_command that upon receiving a connection executes the
qrsh_starter:
Something like:
#!/bin/sh
# rshd_command wrapper: read the job owner from the job's config file in its
# spool directory (path assumed from the spool layout), then run qrsh_starter
# as that user under a login shell.
OWNER="$(sed -n -e 's/^job_owner=//p' "${SGE_JOB_SPOOL_DIR}/config")"
exec su - "${OWNER}" -c "${SGE_ROOT}/utilbin/${SGE_ARCH}/qrsh_starter ${SGE_JOB_SPOOL_DIR}"
The above is thoroughly untested and probably has syntax errors and security
holes.
Then all you need is some means of passwordless ssh authentication, a suitably
nailed down sshd on the receiving host,
port 22 open to the world and the dynamic port range accessible from the
localhost.
William
ooops, thought you were talking about the destination host for some reason.
My trick won't work for the random port on the submit host.
William
_______________________________________________
users mailing list
users@gridengine.org
https://gridengine.org/mailman/listinfo/users
--
Tina Friedrich, Computer Systems Administrator, Diamond Light Source Ltd
Diamond House, Harwell Science and Innovation Campus - 01235 77 8442