Instead of messing with the qrsh mechanism, why don't you just change the local port range, if you want a smaller range for your firewall?

In /etc/sysctl.conf, add a line like this (or modify it if there already is one):

net.ipv4.ip_local_port_range = 32768 61000

(replacing the limits with ones you like).

Tina

On 25/08/16 09:32, William Hay wrote:
On Thu, Aug 25, 2016 at 09:15:26AM +0100, William Hay wrote:
On Wed, Aug 24, 2016 at 09:07:44PM +0200, Alexander Hasselhuhn wrote:
Dear Reuti,

thanks for the reply, indeed at the moment there is a login node, but we have 
plans to remove it (by setting up a route through our gateway, which makes some 
administrative tasks smoother) and restricting access using firewalls. I 
like your idea of restricting the address range instead of the port range.

Yours,
Alex

On 08/24/2016 08:51 PM, Reuti wrote:
Hi,

On 24.08.2016 at 19:33, Alexander Hasselhuhn wrote:

does anyone know which ports I would have to insert into my firewall config for 
qrsh to work? It seems qrsh opens a port on the submit host and listens on it. 
The ports seem to change randomly for each execution of qrsh.

An alternative would be something like using a qrsh_command that invokes ssh -W 
to connect to the port in question.

Something like:
#!/bin/sh
# qrsh_command wrapper: SGE passes the target host and port as arguments.
HOST=$3
PORT=$2
# -W (capital) forwards stdin/stdout to HOST:PORT over the regular sshd session;
# lowercase -w would request a tun device instead.
ssh -W "${HOST}:${PORT}" "${HOST}"

Which would access the remote host via the regular sshd then connect to the 
destination host and port.

You then need an rshd_command that upon receiving a connection executes the 
qrsh_starter:
Something like:
#!/bin/sh
# rshd_command: look up the job owner from the job spool directory and start
# qrsh_starter as that user (a stray quote in the original sed argument removed,
# and the command joined with a line continuation).
su "$(sed -n -e 's/^job_owner=//p' "${SGE_JOB_SPOOL_DIR}")" -c \
    "${SGE_ROOT}/utilbin/${SGE_ARCH}/qrsh_starter ${SGE_JOB_SPOOL_DIR}" -

The above is thoroughly untested and probably has syntax errors and security 
holes.

Then all you need is some means of passwordless ssh authentication, a suitably 
nailed down sshd on the receiving host, port 22 open to the world and the 
dynamic port range accessible from the localhost.

William

Ooops, I thought you were talking about the destination host for some reason. 
My trick won't work for the random port on the submit host.

William

_______________________________________________
users mailing list
users@gridengine.org
https://gridengine.org/mailman/listinfo/users

--
Tina Friedrich, Computer Systems Administrator, Diamond Light Source Ltd
Diamond House, Harwell Science and Innovation Campus - 01235 77 8442
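The two ideas in this thread, shrinking ip_local_port_range and restricting by address range, can be combined in one firewall rule on the submit host. The script below is an added example and not code from the thread: it reads the range out of a sysctl.conf-style text, checks that it is sane, and prints an nftables rule body that admits only the cluster subnet (10.0.0.0/8 is an assumed, constructed value) to that range; the table and chain it belongs in are left to the administrator.

```shell
#!/bin/sh
# Added example: derive the qrsh inbound firewall rule from the
# net.ipv4.ip_local_port_range setting plus the exec-host subnet.

# Print "low high" from sysctl.conf-style text on stdin (last match wins).
port_range_from_conf() {
    sed -n -e 's/^[[:space:]]*net\.ipv4\.ip_local_port_range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]][[:space:]]*\([0-9][0-9]*\).*$/\1 \2/p' \
        | tail -n 1
}

# A usable range is numeric, above the privileged ports, and low < high <= 65535.
valid_port_range() {
    low=$1; high=$2
    case "${low:-x}${high:-x}" in *[!0-9]*) return 1;; esac
    [ "$low" -gt 1024 ] && [ "$low" -lt "$high" ] && [ "$high" -le 65535 ]
}

# Emit an nftables rule body allowing new connections from SUBNET to the range.
# Assumption: the admin places it in whatever input chain the submit host uses.
qrsh_inbound_rule() {
    subnet=$1; low=$2; high=$3
    valid_port_range "$low" "$high" || return 1
    printf 'ip saddr %s tcp dport %s-%s ct state new accept\n' \
        "$subnet" "$low" "$high"
}

# Constructed sample of a sysctl.conf (not any real host's file).
SAMPLE_CONF='# example sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.ip_local_port_range = 32768 61000
'

main() {
    range=$(printf '%s' "$SAMPLE_CONF" | port_range_from_conf)
    # shellcheck disable=SC2086  # split "low high" into two positional args
    set -- $range
    qrsh_inbound_rule 10.0.0.0/8 "$1" "$2"
}
main
```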
