
Re: [Condor-users] Flocking / ports / firewalls



John,

One way round the firewall saga is to use a VPN, as we have experimented 
with here at Cambridge. This also solves the problem of "private" IP 
addresses. However, this model raises its own security concerns so you may 
well find it unsuitable. Our results are being published in this year's AHM 
proceedings in September; if you want I'll send you a copy of the article.

Note that Condor should have implemented solutions for this problem by next 
year, and they have been testing two different models: Dynamic Port 
Forwarding (DPF) and Generic Connection Brokering (GCB). The main man at 
Wisconsin working on this is Sonny (Sechang) Son.

Any comments on DPF/GCB progress, Sonny?

Cheers,
Mark

> I have two condor pools separated by a firewall (in actual fact, both
> central nodes have their own firewalls IN ADDITION to the site firewall
> between the 2 subnets).
>
> 1 pool is a heterogeneous pool. The plan is for it to flock out through
> the firewall to the 2nd pool.
>
> This 2nd pool consists of a head node and some workers. The workers are
> on a local network to the head node and cannot be seen directly from the
> other pool.
>
> Some questions:
>
> [sorry I previously sent this in another thread, having forgotten to
> change the subject]
>
> 1. How big a port range should be opened for communications? (this has
>    to be done in the firewalls and also in the condor_config.local of
>    the firewalled nodes).
>    9614 and 9618 have to be opened as well.
>
> 2. As the worker nodes don't have reachable names except from their
>    central node, can they participate in the flock?
>
> and finally (slightly different topic I'm afraid)
> 3. In general if you have a bunch of machines at 2 different sites, what
>    advantages are there in having one pool flocking to another as
>    opposed to having one big pool?
>
>    Reasons may include:
>    a) Political - this is my pool, but you may share it!
>    b) Firewall implications (do you only need ports opened between the 2
>       central nodes in a flock?)
>    c) Hierarchy - 1 way flocking
>    d) efficiency (I guess big pool is faster), although for distant
>       sites and jobs with large data, maybe it is better for jobs to be
>       done locally if possible.
>
> Cheers
>
> JK


---------------------------------------------
Department of Earth Sciences
University of Cambridge
Downing Street
Cambridge CB2 3EQ
Phone: ( +44 ) 1223 333400
Fax: ( +44 ) 1223 333450