
Re: [HTCondor-users] local HTCondor set-up to submit to remote CEs



Hi John,
I will give that a try, thanks!


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of John M Knoeller via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Tuesday, August 1, 2023 6:07 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; condor-users@xxxxxxxxxxx <condor-users@xxxxxxxxxxx>
Cc: John Knoeller <johnkn@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] local HTCondor set-up to submit to remote CEs
 

Setting NETWORK_INTERFACE to 127.0.0.1 restricts *all* communication to that interface. This includes outgoing communication from tools and daemons.

What you want is to restrict incoming communication only, but there is no way to configure that in HTCondor. The closest you could come is to restrict NETWORK_INTERFACE for daemons, but not for tools, like this

NETWORK_INTERFACE = 127.0.0.1
TOOL.NETWORK_INTERFACE = *
SUBMIT.NETWORK_INTERFACE = *
GRIDMANAGER.NETWORK_INTERFACE = *

-tj

 

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Maarten Litmaath
Sent: Thursday, July 27, 2023 2:24 PM
To: condor-users@xxxxxxxxxxx
Subject: [HTCondor-users] local HTCondor set-up to submit to remote CEs

 

Dear HTCondor experts,

I have a use case in which grid universe jobs are submitted to a local
HTCondor set-up that then handles the submission to remote CEs.

As the local set-up should only serve the given use case,
I would like to have port 9618 listened on from localhost only,
instead of relying on blocking that port in the host firewall...

I tried to take inspiration from a mini HTCondor on a single host,
which comes with these configuration lines:

NETWORK_INTERFACE = 127.0.0.1
BIND_ALL_INTERFACES = False
CONDOR_HOST = 127.0.0.1

That protects the local HTCondor quite nicely, but it also causes
a condor_ping of a remote CE to hang for a while and then fail:

ERROR: couldn't locate remote-ce.remote-domain!

With "strace" it became clear what is happening:

bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
[...]
connect(3, {sa_family=AF_INET, sin_port=htons(9619), sin_addr=inet_addr("123.45.67.89")}, 16) = -1 EINVAL (Invalid argument)

A socket bound to localhost cannot be used to reach a remote host.

Such commands work fine with an unrestricted NETWORK_INTERFACE.

I have browsed the admin docs and tried various settings to no avail:
who has a suggestion?

 

Thanks!
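
Added example, not part of the original thread and not HTCondor code: one way to check the goal stated above, that port 9618 is listened on from localhost only, by parsing Linux `ss -H -ltn` output. The sample lines and the function names are constructed for illustration.

```python
import ipaddress
import subprocess

# Constructed samples of `ss -H -ltn` output (not captured from a real host).
SAMPLE_OPEN = """\
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9618   0.0.0.0:*
LISTEN 0 4096 [::]:9618      [::]:*
"""
SAMPLE_LOCAL = """\
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9618 0.0.0.0:*
"""

def is_loopback(addr):
    """True only for loopback addresses; wildcards and junk count as exposed."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" or anything unparseable
        return False

def exposed_listeners(ss_output, port=9618):
    """Return the local address:port fields listening on `port` off-loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        # Column 4 is "Local Address:Port"; the port follows the last colon.
        addr, _, lport = cols[3].rpartition(":")
        if lport == str(port) and not is_loopback(addr):
            exposed.append(cols[3])
    return exposed

if __name__ == "__main__":
    # On a live Linux host, check the real listener table.
    out = subprocess.run(["ss", "-H", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    bad = exposed_listeners(out)
    print("port 9618 exposed on:" if bad else "port 9618 is loopback-only", *bad)
```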