condor_ssh_to_job(1)      General Commands Manual      condor_ssh_to_job(1)

NAME
condor_ssh_to_job - create an ssh session to a running job

SYNOPSIS
condor_ssh_to_job [-help]

condor_ssh_to_job [-debug] [-name schedd-name] [-pool pool-name] [-ssh
ssh-command] [-keygen-options ssh-keygen-options] [-shells
shell1,shell2,...] [-auto-retry] [-remove-on-interrupt] cluster |
cluster.process | cluster.process.node [remote-command]

DESCRIPTION
condor_ssh_to_job creates an ssh session to a running job. The job is
specified with the argument. If only the job cluster id is given, then
the job process id defaults to the value 0.

condor_ssh_to_job is available in Unix HTCondor distributions, and works
with two kinds of jobs: those in the vanilla, vm, java, local, or
parallel universes, and those jobs in the grid universe which use EC2
resources. It will not work with other grid universe jobs.

For jobs in the vanilla, vm, java, local, or parallel universes, the
user must be the owner of the job or must be a queue super user, and
both the condor_schedd and condor_starter daemons must allow
condor_ssh_to_job access. If no remote-command is specified, an
interactive shell is created. An alternate ssh program such as sftp may
be specified, using the -ssh option, for uploading and downloading
files.

The remote command or shell runs with the same user id as the running
job, and it is initialized with the same working directory. The
environment is initialized to be the same as that of the job, plus any
changes made by the shell setup scripts and any environment variables
passed by the ssh client. In addition, the environment variable
_CONDOR_JOB_PIDS is defined. It is a space-separated list of PIDs
associated with the job. At a minimum, the list will contain the PID of
the process started when the job was launched, and it will be the first
item in the list. It may contain additional PIDs of other processes
that the job has created.
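
Added example (not part of HTCondor or of the original manual page):
inside a session, a script that acts on _CONDOR_JOB_PIDS can validate
the list before handing PIDs to tools such as gdb, since the session
environment also carries shell setup changes and variables passed by
the ssh client. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not HTCondor code. Function names are hypothetical.

# job_pids: print every PID in _CONDOR_JOB_PIDS, one per line.
# Fails if the variable is unset, empty, or holds anything but digits.
job_pids() {
    set -f                          # no glob expansion while splitting
    set -- ${_CONDOR_JOB_PIDS:-}    # split the space-separated list
    set +f
    [ $# -gt 0 ] || return 1
    for _jp in "$@"; do
        case $_jp in
            *[!0-9]*) return 1 ;;   # reject non-numeric entries
        esac
    done
    printf '%s\n' "$@"
}

# job_main_pid: the first list item, the process started at job launch.
job_main_pid() {
    _jm=$(job_pids) || return 1
    printf '%s\n' "$_jm" | head -n 1
}

# job_pids_alive: the listed PIDs that still exist. kill -0 sends no
# signal; it works here because the session runs with the job's user id.
job_pids_alive() {
    _ja=$(job_pids) || return 1
    for _jp in $_ja; do
        if kill -0 "$_jp" 2>/dev/null; then
            printf '%s\n' "$_jp"
        fi
    done
}

# Typical use inside the session:  gdb -p "$(job_main_pid)"
```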

The ssh session and all processes it creates are treated by HTCondor as
though they are processes belonging to the job. If the slot is
preempted or suspended, the ssh session is killed or suspended along
with the job. If the job exits before the ssh session finishes, the
slot remains in the Claimed Busy state and is treated as though not all
job processes have exited until all ssh sessions are closed. Multiple
ssh sessions may be created to the same job at the same time. Resource
consumption of the sshd process and all processes spawned by it is
monitored by the condor_starter as though these processes belong to the
job, so any policies such as PREEMPT that enforce a limit on resource
consumption also take into account resources consumed by the ssh
session.

condor_ssh_to_job stores ssh keys in temporary files within a newly
created and uniquely named directory. The newly created directory will
be within the directory defined by the environment variable TMPDIR.
When the ssh session is finished, this directory and the ssh keys
contained within it are removed.
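
Added example (not part of HTCondor or of the original manual page):
because the key directory is created under TMPDIR, a caller on a shared
machine can point TMPDIR at a fresh directory that only they can access
for the duration of the command. The function names and the ssh_to_job.
prefix are hypothetical, and exit status 125 for a setup failure is this
wrapper's own choice.

```shell
#!/bin/sh
# Added example, not HTCondor code. Function names are hypothetical.

# is_private_dir DIR: succeed only if DIR is a real directory (not a
# symlink) owned by the caller with mode rwx------.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    # ls -ldn prints the mode string first and the numeric owner third.
    _pd_info=$(ls -ldn -- "$1") || return 1
    _pd_owner=$(printf '%s\n' "$_pd_info" | awk '{ print $3 }')
    case $_pd_info in
        drwx------*) ;;             # no group or other permission bits
        *) return 1 ;;
    esac
    [ "$_pd_owner" = "$(id -u)" ]
}

# run_with_private_tmpdir CMD [ARGS...]: run CMD with TMPDIR set to a
# fresh private directory, remove it afterwards, return CMD's status.
# 125 means the private directory could not be set up.
run_with_private_tmpdir() {
    _pt_dir=$(mktemp -d "${TMPDIR:-/tmp}/ssh_to_job.XXXXXX") || return 125
    if ! is_private_dir "$_pt_dir"; then
        rm -rf -- "$_pt_dir"
        return 125
    fi
    env TMPDIR="$_pt_dir" "$@" && _pt_status=0 || _pt_status=$?
    rm -rf -- "$_pt_dir"
    return "$_pt_status"
}

# Typical use:  run_with_private_tmpdir condor_ssh_to_job 32.0
```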

See the HTCondor administrator's manual section on configuration for
details of the configuration variables related to condor_ssh_to_job.

An ssh session works by first authenticating and authorizing a secure
connection between condor_ssh_to_job and the condor_starter daemon,
using HTCondor protocols. The condor_starter generates an ssh key pair
and sends it securely to condor_ssh_to_job. Then the condor_starter
spawns sshd in inetd mode with its stdin and stdout attached to the TCP
connection from condor_ssh_to_job. condor_ssh_to_job acts as a proxy
for the ssh client to communicate with sshd, using the existing
connection authorized by HTCondor. At no point is sshd listening on the
network for connections or running with any privileges other than those
of the user identity running the job. If CCB is being used to enable
connectivity to the execute node from outside of a firewall or private
network, condor_ssh_to_job is able to make use of CCB in order to form
the ssh connection.

The login shell of the user id running the job is used to run the
requested command, sshd subsystem, or interactive shell. This is
hard-coded behavior in OpenSSH and cannot be overridden by
configuration. This means that condor_ssh_to_job access is effectively
disabled if the login shell disables access, as in the example programs
/bin/true and /sbin/nologin.

condor_ssh_to_job is intended to work with OpenSSH as installed in
typical environments. It does not work on Windows platforms. If the ssh
programs are installed in non-standard locations, then the paths to
these programs will need to be customized within the HTCondor
configuration. Versions of ssh other than OpenSSH may work, but they
will likely require additional configuration of command-line arguments,
changes to the sshd configuration template file, and possibly
modification of the $(LIBEXEC)/condor_ssh_to_job_sshd_setup script used
by the condor_starter to set up sshd.

For jobs in the grid universe which use EC2 resources, a request that
HTCondor have the EC2 service create a new key pair for the job by
specifying ec2_keypair_file causes condor_ssh_to_job to attempt to
connect to the corresponding instance via ssh. This attempt invokes ssh
directly, bypassing the HTCondor networking layer. It supplies ssh with
the public DNS name of the instance and the name of the file with the
new key pair's private key. For the connection to succeed, the instance
must have started an ssh server, and its security group(s) must allow
connections on port 22. Conventionally, images will allow logins using
the key pair on a single specific account. Because ssh defaults to
logging in as the current user, the -l <username> option or its
equivalent for other versions of ssh will be needed as part of the
remote-command argument. Although the -X option does not apply to EC2
jobs, adding -X or -Y to the remote-command argument can duplicate the
effect.

OPTIONS
-help
    Display brief usage information and exit.

-debug
    Causes debugging information to be sent to stderr, based on the
    value of the configuration variable TOOL_DEBUG.

-name schedd-name
    Specify an alternate condor_schedd, if the default (local) one is
    not desired.

-pool pool-name
    Specify an alternate HTCondor pool, if the default one is not
    desired. Does not apply to EC2 jobs.

-ssh ssh-command
    Specify an alternate ssh program to run in place of ssh, for
    example sftp or scp. Additional arguments are specified as
    ssh-command. Since the arguments are delimited by spaces, place
    double quote marks around the whole command, to prevent the shell
    from splitting it into multiple arguments to condor_ssh_to_job. If
    any arguments must contain spaces, enclose them within single
    quotes. Does not apply to EC2 jobs.

-keygen-options ssh-keygen-options
    Specify additional arguments to the ssh-keygen program, for
    creating the ssh key that is used for the duration of the session.
    For example, a different number of bits could be used, or a
    different key type than the default. Does not apply to EC2 jobs.

-shells shell1,shell2,...
    Specify a comma-separated list of shells to attempt to launch. If
    the first shell does not exist on the remote machine, then the
    following ones in the list will be tried. If none of the specified
    shells can be found, /bin/sh is used by default. If this option is
    not specified, it defaults to the environment variable SHELL from
    within the condor_ssh_to_job environment. Does not apply to EC2
    jobs.

-auto-retry
    Specifies that if the job is not yet running, condor_ssh_to_job
    should keep trying periodically until it succeeds or encounters
    some other error.

-remove-on-interrupt
    If specified, attempt to remove the job from the queue if
    condor_ssh_to_job is interrupted via a CTRL-c or otherwise
    terminated abnormally.

-X
    Enable X11 forwarding. Does not apply to EC2 jobs.

-x
    Disable X11 forwarding.

EXAMPLES
    % condor_ssh_to_job 32.0
    Welcome to slot2@tonic.cs.wisc.edu!
    Your condor job is running with pid(s) 65881.
    % gdb -p 65881
    (gdb) where
    % logout
    Connection to condor-job.tonic.cs.wisc.edu closed.

To upload or download files interactively with sftp:

    % condor_ssh_to_job -ssh sftp 32.0
    Connecting to condor-job.tonic.cs.wisc.edu...
    sftp> ls
    sftp> get outputfile.dat

This example shows downloading a file from the job with scp. The string
"remote" is used in place of a host name in this example. It is not
necessary to insert the correct remote host name, or even a valid one,
because the connection to the job is created automatically. Therefore,
the placeholder string "remote" is perfectly fine.

    % condor_ssh_to_job -ssh scp 32 remote:outputfile.dat .

This example uses condor_ssh_to_job to accomplish the task of running
rsync to synchronize a local file with a remote file in the job's
working directory. Job id 32.0 is used in place of a host name in this
example. This causes rsync to insert the expected job id in the
arguments to condor_ssh_to_job.

    % rsync -v -e "condor_ssh_to_job" 32.0:outputfile.dat .

Note that condor_ssh_to_job was added to HTCondor in version 7.3. If
one uses condor_ssh_to_job to connect to a job on an execute machine
running a version of HTCondor older than the 7.3 series, the command
will fail with the error message

    Failed to send CREATE_JOB_OWNER_SEC_SESSION to starter

EXIT STATUS
condor_ssh_to_job will exit with a non-zero status value if it fails to
set up an ssh session. If it succeeds, it will exit with the status
value of the remote command or shell.

AUTHOR
Center for High Throughput Computing, University of Wisconsin-Madison

COPYRIGHT
Copyright (C) 1990-2019 Center for High Throughput Computing, Computer
Sciences Department, University of Wisconsin-Madison, Madison, WI. All
Rights Reserved. Licensed under the Apache License, Version 2.0.