Mailing List Archives
Public Access
|
|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Condor-users] Flocking / ports / firewalls
- Date: Fri, 16 Jul 2004 15:54:27 GB
- From: mcal00@xxxxxxxxxxxxx
- Subject: Re: [Condor-users] Flocking / ports / firewalls
John,
One way round the firewall saga is to use a VPN, as we have experimented
with here at Cambridge. This also solves the problem of "private" IP
addresses. However, this model raises its own security concerns so you may
well find it unsuitable. Our results are being published in this year's AHM
proceedings in September; if you want I'll send you a copy of the article.
Note that Condor should have implemented solutions for this problem by next
year, and they have been testing two different models: Dynamic Port
Forwarding (DPF) and Generic Connection Brokering (GCB). The main man at
Wisconsin working on this is Sonny (Sechang) Son.
Any comments on DPF/GCB progress Sonny?
Cheers,
Mark
> I have two condor pools separated by a firewall (in actual fact, both
> central nodes have
> their own firewalls IN ADDITION to the site firewall between the 2
subnets).
>
> 1 pool is a heterogenous pool. The plan is for it to flock out through
the
> firewall
> to the 2nd pool.
>
> This 2nd pool consists of a head node and some workers. The workers are
on a
> local
> network to the head node and cannot be seen directly from the other pool.
>
> Some questions:
>
> [sorry I previously sent this in another thread, having forgotten to
change
> the
> subject]
>
> 1. How big a port range should be opened for communications? (this has to
be
> done in
> the firewalls and also in the condog_config.local of the firewalled
> nodes).
> 9614 and 9618 have to be opened as well.
>
> 2. As the worker nodes don't have reachable names except from their
central
> node, can they
> participate in the flock?
>
> and finally (slightly different topic I'm afraid)
> 3. In general if you have a bunch of machines at 2 different sites, what
> advantages are there
> in having one pool flocking to another as opposed to having one big
pool?
>
> Reasons may include:
> a) Political - this is my pool, but you may share it!
> b) Firewall implications (do you only need ports opened between the 2
> central nodes in a flock?)
> c) Hierarchy - 1 way flocking
> d) efficiency (I guess big pool is faster), although for distant sites
> and jobs with
> large data, maybe it is better for jobs to be done locally if
> possible.
>
> Cheers
>
> JK
> _______________________________________________
> Condor-users mailing list
> Condor-users@xxxxxxxxxxx
> http://lists.cs.wisc.edu/mailman/listinfo/condor-users
---------------------------------------------
Department of Earth Sciences
University of Cambridge
Downing Street
Cambridge CB2 3EQ
Phone: ( +44 ) 1223 333400
Fax: ( +44 ) 1223 333450