[gridengine users] How to export an X11 back to the client?
Mun.Johl at wdc.com
Fri May 15 01:00:35 UTC 2020
I just thought I'd report that I was finally able to get X11 forwarding to work. The final step was for us to disable SELinux. Once I did that (and turned off the firewall) X11 forwarding worked great. So now I'll work with IT for a workable solution that they are happy with.
Thank you very much for all the great advice and support!
> Hi Reuti,
> Thank you kindly for your response.
> I have provided comments below.
> > -----Original Message-----
> > Hi,
> > Am 12.05.2020 um 23:27 schrieb Mun Johl:
> > > Hi,
> > >
> > > Just some additional testing results ...
> > >
> > > Our IT guy turned off the firewall on a Submit Host and Execution Host for experimental purposes. That got me further but not all
> > the way. Here is the verbose log from qrsh:
> > >
> > > waiting for interactive job to be scheduled ...
> > > Your interactive job 460937 has been successfully scheduled.
> > > Establishing /usr/bin/ssh -X session to host sim.domain.com ...
> > > ssh_exchange_identification: Connection closed by remote host
> > > /usr/bin/ssh -X exited with exit code 255
> > > reading exit code from shepherd ... 129
> > >
> > > We aren't yet able to get around the ssh -X error. Any ideas?
> > But a plain `ssh`to the nodes work?
> [Mun] Yes, I can ssh into the nodes. I can also 'ssh -X' into the nodes from a terminal and open X11 apps.
> > In case a different hostname must be used, there is an option "HostbasedUsesNameFromPacketOnly" in "sshd_config".
> [Mun] I don't _think_ that is/should be required.
> > > But even if we could, we still need to figure out which ports of the firewall need to be opened up. Every time we ran an
> > the port number that was used for SSH was different. I hope we don't have to open up too big a range of ports.
> > Unfortunately the port is randomly chosen with any new connection.
> [Mun] Yes, unfortunate; I thought I read that somewhere.
> > But wouldn't it be possible to adjust the firewall to allow all ports only when connecting from the nodes in the cluster (are the
> > in a VLAN behind a head node or all submit machines and nodes also connected to the Internet?)
> [Mun] The nodes are on their own subnet, so what you suggest might be possible. I'll check with our IT guy about that since I'm not
> very well versed with firewall configuration.
> > Also in SSH itself it is possible with the "match" option in "sshd_config" to allow only certain users from certain nodes.
> [Mun] Good to know; thank you.
> > Nevertheless: maybe adding "-v" to the `ssh` command will output additional info, also the messages of `sshd` might be in some log
> > file.
> [Mun] We had tried that but unfortunately it was not much help to me. In case it is useful to anyone on this reflector, here is the log:
> waiting for interactive job to be scheduled ...
> Your interactive job 460968 has been successfully scheduled.
> Establishing /usr/bin/ssh -X -vv session to host sim.domain.com ...
> OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to sim.domain.com [10.203.224.81] port 43929.
> debug1: Connection established.
> debug1: identity file /home/mun/.ssh/identity type -1
> debug1: identity file /home/mun/.ssh/identity-cert type -1
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug2: key_type_from_name: unknown key type '-----END'
> debug1: identity file /home/mun/.ssh/id_rsa type 1
> debug1: identity file /home/mun/.ssh/id_rsa-cert type -1
> debug1: identity file /home/mun/.ssh/id_dsa type -1
> debug1: identity file /home/mun/.ssh/id_dsa-cert type -1
> debug1: identity file /home/mun/.ssh/id_ecdsa type -1
> debug1: identity file /home/mun/.ssh/id_ecdsa-cert type -1
> ssh_exchange_identification: Connection closed by remote host
> /usr/bin/ssh -X -vv -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no exited with exit code 255
> reading exit code from shepherd ... 129
> Best regards,
More information about the users