
Re: [Condor-users] How to reach NAT'ed resources?

> Hello condor-users,
> there is an external resource (a single system) which we want 
> to integrate into our pool. It is behind a NAT router. 
> In the machine ClassAd, the private IP address is advertised 
> in StartdIpAddr, PublicNetworkIpAddr, and MyAddress. 
> Is it generally possible with condor to simply rewrite those 
> advertised addresses (and put a corresponding port-forwarding 
> in place), so that requests sent to that resource will be 
> directed at the public IP?
> Or am I forced to apply advanced techniques such as GCB? Are
> there alternatives?

I haven't tried port-forwarding myself, but what you need to do is to
ensure that all submit machines can "see" all execute machines and vice 
versa. Of course, all machines need to "see" the central node as well.

By "see", I mean - TCP and UDP for a range of advertised ephemeral
the central node might need a fixed port as well, but I don't think so.

NATs and firewalls are the 2 ways to preclude the above.

Alternatives could include:
* If NAT routed nodes are workers for a cluster, then you could put a
  submit node on that cluster's head node and only jobs submitted there
  go to the NAT routed nodes. There would be some setup though to
  avoid sending other jobs there. One way to do this is described in
  the paper below.
* Setting up a separate condor installation on the cluster and then
  using condor-c to get jobs there. Note that flocking would have the
  same problems as described above.
* Use GCB or some sort of port-forwarding, being aware of course that
  the latter could bottleneck if the cluster is large (and lots of data
  is transferred, or jobs are small with large data).
* Utilising additional network connections in the cluster so that they
  don't appear behind a NAT.

paper and accompanying presentation are on: