Subject: [Condor-users] Dynamic firewall rules for WAN-based Condor implementations
Happy New Year -
I am considering a Condor implementation over a series of private networks spread over a WAN. Each private network is individually protected by a gateway server using dynamic firewalls (specifically, the fwknop utility developed by cipherdyne). The fwknop daemon closes off all ports on a server using iptables rules until the daemon sniffs an encrypted packet originating from a fwknop client that contains authentication information as well as new firewall definitions (i.e. opening ports for specific communication). I intend to use the condor_shared_port daemon to reduce port usage, and most job submissions will be handled in the 'vanilla' universe (in case this matters).

The following specific questions arose in planning the implementation:

1) Can I configure Condor to invoke a fwknop client (or other script) each time network communication is required (to open the gateway's firewall)?
2) If (1) is feasible, can I configure Condor to maintain persistent TCP connections among pooled machines to leverage existing connections and avoid establishing new connections (which are relatively expensive tasks)?
3) Has anyone implemented Condor over an already-open SSH tunnel and used the SSH daemon with, or in place of, Condor's shared port daemon and encryption methods? (Not huge, but I'm trying to avoid additional SSL certificate management.)
Please note:
- Virtually all machines within the Condor pool run Linux (Fedora Core [releases 10-14]).
- I am new to Condor and have only started to delve through all the available documentation (about half the user guide so far, including the security and networking sections of the administrator's guide).
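As an added illustration, separate from the message above and not code from fwknop, cipherdyne or the Condor project, the following constructed Python model shows the single-packet authorization (SPA) check the post describes: the gateway daemon accepts nothing until it sees a packet that authenticates (HMAC), decrypts, is fresh (timestamp window), has not been seen before (replay cache) and requests only a permitted port, and only then does it emit an iptables rule. The packet layout, the HMAC-counter-mode toy cipher, the keys, the addresses and the use of port 9618 (Condor's default collector/shared port) are all assumptions made for the example, not fwknop's real wire format.

```python
"""Toy single-packet authorization (SPA) model, in the spirit of fwknop.

Constructed illustration: the cipher, packet layout, keys and addresses are
simplified stand-ins chosen for the example, not fwknop's real protocol.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
import secrets
import time

IV_LEN = 16
TAG_LEN = 32


def _keystream(key, iv, length):
    """HMAC-SHA256 in counter mode as a toy stream cipher (stand-in for fwknop's Rijndael/GPG)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def build_spa_packet(enc_key, mac_key, access, now=None):
    """Client side: encrypt the access request, then authenticate it (encrypt-then-MAC)."""
    payload = {
        "ts": int(time.time() if now is None else now),  # freshness
        "nonce": secrets.token_hex(8),                    # makes every packet unique
        "access": access,                                 # e.g. {"src": "...", "proto": "tcp", "port": 9618}
    }
    plain = json.dumps(payload, sort_keys=True).encode()
    iv = secrets.token_bytes(IV_LEN)
    body = iv + _xor(plain, _keystream(enc_key, iv, len(plain)))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


class SpaDaemon:
    """Server side: validates a sniffed SPA packet and produces the firewall rule it requests."""

    def __init__(self, enc_key, mac_key, window=30, allowed_ports=(22, 9618)):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.window = window                  # seconds of clock skew tolerated
        self.allowed_ports = set(allowed_ports)
        self.seen = set()                     # digests of accepted packets: replay defence
        self.rules = []                       # rules that would be handed to iptables

    def handle(self, packet, now=None):
        try:
            raw = base64.b64decode(packet, validate=True)
        except (ValueError, TypeError):
            return {"ok": False, "reason": "malformed"}
        if len(raw) < IV_LEN + TAG_LEN:
            return {"ok": False, "reason": "malformed"}
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # authenticate before decrypting
            return {"ok": False, "reason": "bad hmac"}
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self.seen:                      # exact resend of an accepted packet
            return {"ok": False, "reason": "replay"}
        iv, ct = body[:IV_LEN], body[IV_LEN:]
        try:
            payload = json.loads(_xor(ct, _keystream(self.enc_key, iv, len(ct))))
            src = ipaddress.ip_address(payload["access"]["src"])
            proto = payload["access"]["proto"]
            port = int(payload["access"]["port"])
            ts = int(payload["ts"])
        except (ValueError, KeyError, TypeError):
            return {"ok": False, "reason": "malformed"}
        now = int(time.time() if now is None else now)
        if abs(now - ts) > self.window:              # old packets are rejected even if valid
            return {"ok": False, "reason": "stale"}
        if proto not in ("tcp", "udp") or port not in self.allowed_ports:
            return {"ok": False, "reason": "not permitted"}
        self.seen.add(digest)
        rule = f"iptables -I INPUT -s {src} -p {proto} --dport {port} -j ACCEPT"
        self.rules.append(rule)
        return {"ok": True, "reason": "accepted", "rule": rule}


if __name__ == "__main__":
    # Sample keys and address constructed for the demo.
    enc, mac = b"e" * 32, b"m" * 32
    daemon = SpaDaemon(enc, mac)
    pkt = build_spa_packet(enc, mac, {"src": "203.0.113.10", "proto": "tcp", "port": 9618})
    print(daemon.handle(pkt))   # accepted, with the rule
    print(daemon.handle(pkt))   # same packet again: replay
```

Two points the model makes concrete for the WAN setup in the question: because each accepted packet is remembered and time-bounded, a client must send a fresh SPA packet before every new connection, which is why a persistent connection (question 2) is the natural fit, and the daemon only ever opens the specific port the policy allows, so the shared port reduces the rule set to a single entry per submitter.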