Todd Tannenbaum wrote:
> Rob wrote:
>
>> I want to introduce Condor to our university library.
>
> Fantastic!
>
>> In that system, I will use one Linux central master for all the
>> administration and job submissions; the pool consists of all
>> the public Windows PCs.
>>
>> * On central master I need to open the Linux firewall for
>> incoming UDP port 9618, if I only want to collect availability
>> information, without job submissions.
>
> and TCP 9618 - although updates are sent via UDP by default, queries
> to the collector (e.g. condor_status) will use TCP to port 9618.
Hmmm, the TCP 9618 port id necessary only if I need a working
condor_status on the Windows pool PCs. Right? But I don't need that.
Only getting condor_status output on the central master is good enough.
For the central master ONLY to collect the pool PCs availability, I do
not need to open TCP port 9618 (assuming the collector also run on
the central master). Is that right too?
At least, this appears to work fine with such firewall settings on
my little test system (a Linux central master + 3 Windows pool PCs).
>> Submitting jobs from the central master, I also have to open
>> incoming TCP ports in the 9600-9700 range.
>> (The linux firewall allows all outgoing communication!).
>
>
> Sounds good. BTW, how large is your pool? Note that currently in
> Condor each running job uses X number of ports on your submitting
> machine. Back of the napkin, I'd say with the above configuration
> of giving your central manager+submit machine 100 ports, figure on
> safely running ~15 jobs at once. So I would suggest adding the
> following to your central manager condor_config:
> MAX_JOBS_RUNNING = 15
The library has a little over 500 public Windows PCs.
At first (for one semester or so) I will install Condor ONLY for
doing statistics on the idle times of the pool PCs, to show the IT
management how much CPU time is wasted.
I suppose the 9600-9700 port range is sufficient for that, isn't it?
>> 2) If I'm right with the Windows firewall, then I'm confused
>> about the firewall exceptions modifications by installing
>> the Condor msi package:
>> condor_dagman.exe allowed with any computer
>> condor_master.exe allowed with any computer
>> condor_startd.exe allowed with any computer
>>
>> I'm inclined to completely remove the condor_master.exe
>> and the condor_dagman.exe firewall exceptions.
>> But why are they there in the first place???
>
> Also, I do not think it is the MSI installer package that is adding
> these exceptions. I think it is the condor_master.exe itself adding
> these firewall rules by default when the Condor service is started.
> To disable this behavior, in condor_config add:
>
> ADD_WINDOWS_FIREWALL_EXCEPTION = False
Indeed, this prevents firewall modifications at condor startup,
but I have not seen any documentation on this particular parameter!?!
Rob.
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif){kind=logo}