Re: [HTCondor-users] condor_ssh_to_job and ephemeral LVM filesystems with SELinux

[Greg Thain <gthain@xxxxxxxxxxx>]

On 10/7/25 07:20, Alexandr Mikula wrote:
> On Thu, 2025-10-02 at 09:40 +0200, Alexandr Mikula wrote:
> > Hi fellow birdkeepers,
> > I am having the problem using condor_ssh_to_jobs (including the
> > interactive jobs), due to the combination of the per job LVM and
> > enforcing SELinux on EP.

Hi Alexandr:

As a temporary workaround, can you turn off selinux for ssh-keygen, with 
somethinglike


# semanage permissive -a ssh_keygen_exec_t

In the long run, we may need to make a code change to the mount options 
for our ephemeral LVM filesystems.

-greg


> > On EP without LVM and with SELinux it works OK.
> >
> > The condor is unable to create the ssh keypair with this in the audit
> > log:
> >
> > type=AVC msg=audit(1759390053.112:250528): avc: denied { write }
> > for
> > pid=1383020 comm="ssh-keygen"
> > path="/scratch/condor/dir_1364028/.condor_ssh_to_job_2/keygen.log"
> > dev="dm-13" ino=27 scontext=system_u:system_r:ssh_keygen_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
> >
> > condor_ssh_to_job output:
> > #condor_ssh_to_job 31194944
> > slot1_2@minis01: condor_ssh_to_job_sshd_setup failed: Failed to
> > create
> > ssh key /scratch/condor/dir_1364028/.condor_ssh_to_job_2/sshkey with
> > command "/usr/bin/ssh-keygen" "-N" "" "-C" "" "-q" "-f"
> > "/scratch/condor/dir_1364028/.condor_ssh_to_job_2/sshkey" "-t" "rsa"
> >
> >
> > Any ideas how to fix it?
> > Cheers
> > AM
> Any ideas from HTC developers?
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
>
> The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/