Bug 783267 - [RFE] ssh_to_job for VM/Java/Sched/Local universe
Summary: [RFE] ssh_to_job for VM/Java/Sched/Local universe
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: condor
Version: 2.1
Hardware: All
OS: Linux
medium
low
Target Milestone: 2.3
: ---
Assignee: Timothy St. Clair
QA Contact: Daniel Horák
URL:
Whiteboard:
Depends On: 807682 807686
Blocks: 877197 882405
Reported: 2012-01-19 20:08 UTC by Timothy St. Clair
Modified: 2013-03-06 18:41 UTC (History)

Fixed In Version: condor-7.8.2-0.1
Doc Type: Enhancement
Doc Text:
C: The ability to debug a job while it is running on a target machine. C: Could not directly attach a debugger to a running executable. C: Add support to allow users to ssh to the job sandbox directory of the running job. R: Users can now ssh to their jobs to debug them on the target machine.
Clone Of:
: 807682 807686 877197 882405 (view as bug list)
Environment:
Last Closed: 2013-03-06 18:41:07 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0564 0 normal SHIPPED_LIVE Low: Red Hat Enterprise MRG Grid 2.3 security update 2013-03-06 23:37:09 UTC

Description Timothy St. Clair 2012-01-19 20:08:18 UTC
Description of problem:
Validate the behavior of ssh_to_job when running VM/Java/Sched/Local universe jobs.

Comment 8 Timothy St. Clair 2012-03-21 20:15:26 UTC
Correct, please validate vanilla, VM, java, local, and parallel.

Comment 9 Daniel Horák 2012-03-23 15:41:35 UTC
On both versions of RHEL (5.8 and 6.2) with condor-7.6.5-0.12 there is a problem with SELinux. Should it be part of this BZ, or is it a candidate for a new one?
(The problem occurs on all universes.)

# getenforce 
  Enforcing
# condor_ssh_to_job 14
  ssh_exchange_identification: Connection closed by remote host

# setenforce Permissive
# condor_ssh_to_job 14
  Welcome to HOST!
  Your condor job is running with pid(s) 8523.


RHEL 5.8: 
  selinux-policy-2.4.6-327.el5
RHEL 6.2:
  selinux-policy-3.7.19-126.el6_2.10

Comment 10 Timothy St. Clair 2012-03-23 18:42:42 UTC
Is it at all related to the other ssh key gen bug?  We should kick back on *this one if there is an issue.

Comment 11 Daniel Horák 2012-03-26 06:59:22 UTC
On RHEL 6.2 i386 - vanilla universe job:

# getenforce 
  Permissive

# START_DATE_TIME=$(date "+%m/%d/%Y %T")

 ... condor_ssh_to_job ...

# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.754:4515): arch=40000003 syscall=102 success=yes exit=0 a0=7 a1=bf880380 a2=4007f7a0 a3=bf88042c items=0 ppid=14089 pid=14336 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.754:4515): avc:  denied  { getattr } for  pid=14336 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.754:4516): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf8804d0 a2=4007f7a0 a3=40080a08 items=0 ppid=14089 pid=14336 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.754:4516): avc:  denied  { setopt } for  pid=14336 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.755:4517): arch=40000003 syscall=102 success=yes exit=0 a0=f a1=bf87f470 a2=4007f7a0 a3=bf87f4e8 items=0 ppid=14089 pid=14336 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.755:4517): avc:  denied  { getopt } for  pid=14336 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.883:4518): arch=40000003 syscall=102 success=yes exit=0 a0=7 a1=bf880250 a2=4007f7a0 a3=bf8802fc items=0 ppid=14089 pid=14336 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.883:4518): avc:  denied  { getattr } for  pid=14336 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.901:4519): arch=40000003 syscall=102 success=yes exit=0 a0=f a1=bf880140 a2=4007f7a0 a3=3 items=0 ppid=14336 pid=14345 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.901:4519): avc:  denied  { getopt } for  pid=14345 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.901:4520): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf880190 a2=4007f7a0 a3=1 items=0 ppid=14336 pid=14345 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.901:4520): avc:  denied  { setopt } for  pid=14345 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
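The denials above can be condensed mechanically. The following Python script is an added example (not from the bug report or from condor): it parses the AVC records quoted in Comment 11, groups them by source type, target type and object class, and renders each group as the allow rule audit2allow would propose, so the policy gap is visible in one line.

```python
"""Summarise SELinux AVC denials from ausearch output (added example, not from
the bug report or condor). Sample records below are copied from Comment 11;
addresses were already redacted to "IP" there."""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.754:4515): arch=40000003 syscall=102 success=yes exit=0 pid=14336 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.754:4515): avc:  denied  { getattr } for  pid=14336 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1332744619.754:4516): avc:  denied  { setopt } for  pid=14336 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1332744619.901:4519): avc:  denied  { getopt } for  pid=14345 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
"""

# Matches 'avc:  denied  { perms } for  key=value key="quoted" ...'; SYSCALL,
# separator and time-> records do not match and are skipped.
AVC_RE = re.compile(r"^type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type component of a user:role:type[:level] context, e.g. sshd_t."""
    return ctx.split(":")[2]


def summarize_avc(text):
    """Map (source type, target type, class) -> sorted denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        key = (context_type(fields["scontext"]), context_type(fields["tcontext"]), fields["tclass"])
        denials[key].update(m.group("perms").split())
    return {k: sorted(v) for k, v in denials.items()}


def te_rule(key, perms):
    """Allow rule audit2allow would propose for one group. It sizes the gap;
    per Comment 13 what is actually missing is a policy for the process
    running as initrc_t (condor), so treat this as a diagnosis, not the fix."""
    src, tgt, cls = key
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))


if __name__ == "__main__":
    for key, perms in summarize_avc(SAMPLE_AUDIT).items():
        print(te_rule(key, perms))
```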

Comment 13 Miroslav Grepl 2012-03-28 07:35:08 UTC
$ ps -eZ |grep initrc

We need to add a policy for a process running as initrc_t. I guess this is condor.

Comment 16 Timothy St. Clair 2012-04-25 13:10:19 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
C: The ability to debug a job while it is running on a target machine.
C: Could not directly attach a debugger to a running executable.
C: Add support to allow users to ssh to the job sandbox directory of the running job.
R: Users can now ssh to their jobs to debug them on the target machine.

Comment 19 Daniel Horák 2013-01-14 08:15:03 UTC
Tested and verified via automatic test on RHEL 5.9/6.4 - i386/x86_64 with condor-7.8.8-0.3.el6.
Tested the following universes:
  + vanilla
  + local
  + java
  + parallel

TODO: test VM universe.

Comment 21 Daniel Horák 2013-01-22 15:22:10 UTC
Retested on VM universe on RHEL 5/6 x86_64 with KVM and RHEL 5x with XEN with condor-7.8.8-0.3.

>>> VERIFIED

Comment 23 errata-xmlrpc 2013-03-06 18:41:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0564.html

