RE: [Condor-users] private networks, submit nodes and flocking

["Kewley, J \(John\)" <j.kewley@xxxxxxxx>]

> We have a pool on an internal network, and a workstation pool on an 
> external network, and would jobs on the internal pool to be able to 
> flock to the external pool.  (Linux/UNIX machines for now)

We have had this situation!
 
> The submit nodes on the internal pool all have both internal 
> & external 
> interfaces, and the head nodes of each have both internal & external 
> interfaces, so that negotiation cycles complete successfully, 
> but jobs 
> never start on the external compute nodes.

How about the execute nodes?
 
the bottom line is that all submit nodes must be "visible" to all
execute nodes and vice versa. By visible I mean, they must be able to address
each other and if there are firewalls on either machine and/or in between the
machines, they must have approriate holes for the high port range and also the 9614
and 9618 ports (all of this for UDP and TCP). Also every machine needs to be 
able to see the condor master node and vice versa in a similar manner.
This situation is pretty much the same regardless of whether it is a single
pool or multiple pools flocking.

You can add classads to stop your jobs going to machines which your machine
cannot "see", even if the central node can. You can also tell condor to use 
a different network address to advertise each machine rather than the default one.

I have previously setup the following:
1. 1 pool outside our site firewall, worker nodes on private network
2. 1 pool inside our firewall, some with personal firewalls.

Jobs could flock to outside network, but only to the headnode since that was the only
one with a) a hole enabled in out firewall for it and b) a a non-private network address.
It could be flocked to from anywhere inside, but only as long as the firewalls were all opened to allow this traffic!

I hope that gives you a few clues.

JK