condor_ssh_to_job(1)

1condor_ssh_to_job(1)        General Commands Manual       condor_ssh_to_job(1)
2
3
4

Name

6       condor_ssh_to_jobcreate an ssh session to a running job
7

Synopsis

9       condor_ssh_to_job[-help]
10
11       condor_ssh_to_job[-debug]  [-name  schedd-name] [-pool pool-name] [-ssh
12       ssh-command]     [-keygen-options     ssh-keygen-options]      [-shells
13       shell1,shell2,...] [-auto-retry] [-remove-on-interrupt] cluster | clus‐
14       ter.process | cluster.process.node [remote-command]
15

Description

17       condor_ssh_to_jobcreates an sshsession to a running  job.  The  job  is
18       specified  with  the argument. If only the job clusterid is given, then
19       the job processid defaults to the value 0.
20
21       condor_ssh_to_jobis available in Unix HTCondor distributions, and works
22       with  two kinds of jobs: those in the vanilla, vm, java, local, or par‐
23       allel universes, and those jobs in the  grid  universe  which  use  EC2
24       resources. It will not work with other grid universe jobs.
25
26       For  jobs  in  the vanilla, vm, java, local, or parallel universes, the
27       user must be the owner of the job or must be a queue  super  user,  and
28       both   the   condor_scheddand  condor_starterdaemons  must  allow  con‐
29       dor_ssh_to_jobaccess. If no remote-commandis specified, an  interactive
30       shell is created. An alternate sshprogram such as sftpmay be specified,
31       using the -sshoption, for uploading and downloading files.
32
33       The remote command or shell runs with the same user id as  the  running
34       job,  and  it is initialized with the same working directory. The envi‐
35       ronment is initialized to be the same as that  of  the  job,  plus  any
36       changes  made  by the shell setup scripts and any environment variables
37       passed by the sshclient. In addition, the  environment  variable  _CON‐
38       DOR_JOB_PIDSis defined. It is a space-separated list of PIDs associated
39       with the job. At a minimum, the  list  will  contain  the  PID  of  the
40       process  started  when  the  job was launched, and it will be the first
41       item in the list. It may contain additional  PIDs  of  other  processes
42       that the job has created.
43
44       The  sshsession and all processes it creates are treated by HTCondor as
45       though they are processes belonging to the job. If  the  slot  is  pre‐
46       empted  or  suspended, the sshsession is killed or suspended along with
47       the job. If the job exits before  the  sshsession  finishes,  the  slot
48       remains  in the Claimed Busy state and is treated as though not all job
49       processes have exited until all sshsessions are closed.  Multiple  ssh‐
50       sessions may be created to the same job at the same time. Resource con‐
51       sumption of the sshdprocess and all processes spawned by it  are  moni‐
52       tored by the condor_starteras though these processes belong to the job,
53       so any policies such as PREEMPTthat enforce a limit  on  resource  con‐
54       sumption also take into account resources consumed by the sshsession.
55
56       condor_ssh_to_jobstores ssh keys in temporary files within a newly cre‐
57       ated and uniquely named directory. The newly created directory will  be
58       within  the  directory defined by the environment variable TMPDIR. When
59       the ssh session is finished, this directory and the ssh keys  contained
60       within it are removed.
61
62       See  the  HTCondor  administrator's manual section on configuration for
63       details of the configuration variables related to condor_ssh_to_job.
64
65       An sshsession works by first authenticating and  authorizing  a  secure
66       connection between condor_ssh_to_joband the condor_starterdaemon, using
67       HTCondor protocols. The condor_startergenerates an  ssh  key  pair  and
68       sends  it  securely to condor_ssh_to_job. Then the condor_starterspawns
69       sshdin inetd mode with its stdin and stdout attached to the TCP connec‐
70       tion  from  condor_ssh_to_job. condor_ssh_to_jobacts as a proxy for the
71       sshclient to communicate  with  sshd,  using  the  existing  connection
72       authorized by HTCondor. At no point is sshdlistening on the network for
73       connections or running with any privileges other than that of the  user
74       identity running the job.If CCB is being used to enable connectivity to
75       the execute node from outside of a firewall or  private  network,  con‐
76       dor_ssh_to_jobis  able  to make use of CCB in order to form the sshcon‐
77       nection.
78
79       The login shell of the user id running the  job  is  used  to  run  the
80       requested  command,  sshdsubsystem, or interactive shell. This is hard-
81       coded behavior in OpenSSHand cannot  be  overridden  by  configuration.
82       This  means that condor_ssh_to_jobaccess is effectively disabled if the
83       login shell disables access, as in the  example  programs  /bin/trueand
84       /sbin/nologin.
85
86       condor_ssh_to_jobis  intended to work with OpenSSHas installed in typi‐
87       cal environments. It does not work on Windows platforms. If the sshpro‐
88       grams  are installed in non-standard locations, then the paths to these
89       programs will need to be customized within the HTCondor  configuration.
90       Versions of sshother than OpenSSHmay work, but they will likely require
91       additional configuration of  command-line  arguments,  changes  to  the
92       sshdconfiguration  template  file,  and  possibly  modification  of the
93       $(LIBEXEC)/condor_ssh_to_job_sshd_setup  script  used   by   the   con‐
94       dor_starterto set up sshd.
95
96       For  jobs  in the grid universe which use EC2 resources, a request that
97       HTCondor have the EC2 service create a new key  pair  for  the  job  by
98       specifying  ec2_keypair_filecauses  condor_ssh_to_jobto attempt to con‐
99       nect to the corresponding  instance  via  ssh.  This  attempts  invokes
100       sshdirectly,  bypassing the HTCondor networking layer. It supplies ssh‐
101       with the public DNS name of the instance and the name of the file  with
102       the  new  key  pair's  private  key. For the connection to succeed, the
103       instance must have started an sshserver, and its security group(s) must
104       allow  connections on port 22. Conventionally, images will allow logins
105       using the key pair on a single specific account. Because sshdefaults to
106       logging  in as the current user, the -l <username>option or its equiva‐
107       lent for other versions of sshwill be needed as part of the remote-com‐
108       mandargument.  Although the -Xoption does not apply to EC2 jobs, adding
109       -Xor -Yto the remote-commandargument can duplicate the effect.
110

Options

112       -help
113
114          Display brief usage information and exit.
115
116
117
118       -debug
119
120          Causes debugging information to be sent  to  stderr,  based  on  the
121          value of the configuration variable TOOL_DEBUG.
122
123
124
125       -name schedd-name
126
127          Specify  an  alternate  condor_schedd, if the default (local) one is
128          not desired.
129
130
131
132       -pool pool-name
133
134          Specify an alternate HTCondor  pool,  if  the  default  one  is  not
135          desired. Does not apply to EC2 jobs.
136
137
138
139       -ssh ssh-command
140
141          Specify  an alternate sshprogram to run in place of ssh, for example
142          sftpor scp. Additional arguments are specified as ssh-command. Since
143          the  arguments  are  delimited  by  spaces, place double quote marks
144          around the whole command, to prevent the  shell  from  splitting  it
145          into  multiple arguments to condor_ssh_to_job. If any arguments must
146          contain spaces, enclose them within single quotes. Does not apply to
147          EC2 jobs.
148
149
150
151       -keygen-options ssh-keygen-options
152
153          Specify  additional arguments to the ssh_keygenprogram, for creating
154          the ssh key that is used for the duration of the session. For  exam‐
155          ple,  a  different  number of bits could be used, or a different key
156          type than the default. Does not apply to EC2 jobs.
157
158
159
160       -shells shell1,shell2,...
161
162          Specify a comma-separated list of shells to attempt  to  launch.  If
163          the  first shell does not exist on the remote machine, then the fol‐
164          lowing ones in the list will be tried.  If  none  of  the  specified
165          shells  can  be  found, /bin/shis used by default. If this option is
166          not specified, it defaults to  the  environment  variable  SHELLfrom
167          within the condor_ssh_to_jobenvironment. Does not apply to EC2 jobs.
168
169
170
171       -auto-retry
172
173          Specifies  that  if  the  job is not yet running, condor_ssh_to_job‐
174          should keep trying periodically until it succeeds or encounters some
175          other error.
176
177
178
179       -remove-on-interrupt
180
181          If  specified,  attempt  to  remove  the  job from the queue if con‐
182          dor_ssh_to_jobis interrupted via a CTRL-c  or  otherwise  terminated
183          abnormally.
184
185
186
187       -X
188
189          Enable X11 forwarding. Does not apply to EC2 jobs.
190
191
192
193       -x
194
195          Disable X11 forwarding.
196
197
198

Examples

200       % condor_ssh_to_job 32.0
201       Welcome to slot2@tonic.cs.wisc.edu!
202       Your condor job is running with pid(s) 65881.
203       % gdb -p 65881
204       (gdb) where
205       % logout
206       Connection to condor-job.tonic.cs.wisc.edu closed.
207
208       To upload or download files interactively with sftp:
209
210       % condor_ssh_to_job -ssh sftp 32.0
211       Connecting to condor-job.tonic.cs.wisc.edu...
212       sftp> ls
213       sftp> get outputfile.dat
214
215       This example shows downloading a file from the job with scp. The string
216       "remote" is used in place of a host name in this  example.  It  is  not
217       necessary  to insert the correct remote host name, or even a valid one,
218       because the connection to the job is created automatically.  Therefore,
219       the placeholder string "remote" is perfectly fine.
220
221       % condor_ssh_to_job -ssh scp 32 remote:outputfile.dat .
222
223       This  example  uses  condor_ssh_to_jobto accomplish the task of running
224       rsyncto synchronize a local file with a remote file in the job's  work‐
225       ing  directory.  Job  id  32.0  is used in place of a host name in this
226       example. This causes rsyncto insert the expected job id  in  the  argu‐
227       ments to condor_ssh_to_job.
228
229       % rsync -v -e "condor_ssh_to_job" 32.0:outputfile.dat .
230
231       Note that condor_ssh_to_jobwas added to HTCondor in version 7.3. If one
232       uses condor_ssh_to_jobto connect to a job on an execute machine running
233       a  version of HTCondor older than the 7.3 series, the command will fail
234       with the error message
235
236       Failed to send CREATE_JOB_OWNER_SEC_SESSION to starter
237

Exit Status

239       condor_ssh_to_jobwill exit with a non-zero status value if it fails  to
240       set  up  an  ssh  session. If it succeeds, it will exit with the status
241       value of the remote command or shell.
242

Author

244       Center  for  High   Throughput   Computing,   University   of   Wiscon‐
245       sin&ndash;Madison
246

Copyright

248       Copyright  ©  1990-2019  Center for High Throughput Computing, Computer
249       Sciences Department, University of Wisconsin-Madison, Madison, WI.  All
250       Rights Reserved. Licensed under the Apache License, Version 2.0.
251
252
253
254                                     date                 condor_ssh_to_job(1)