
Re: [Condor-users] Condor execute node behind NAT



Hi Hermann:
On Fri, 2012-03-02 at 12:42 +0100, Hermann Fuchs wrote:
> Hi
> 
> We have a condor grid operating at our university. I am now trying to
> add another execution only node which is located behind a NAT.
> Using shared ports we managed to restrict port usage to one port. 
> 
> SHARED_PORT_ARGS = -p 9618
> DAEMON_LIST = $(DAEMON_LIST), SHARED_PORT
> COLLECTOR_HOST = $(CONDOR_HOST)?sock=collector
> USE_SHARED_PORT = TRUE
> 
> Using port forwarding of port 9618, the execution node successfully
> connects to the condor master. 
> However as it sends its internal IP (the one behind the NAT) condor
> master can not talk back e.g. assign calculations.
> 
> I already tried setting 
> NETWORK_INTERFACE = <publicIPofTheNATrouter>
> but this only makes things worse.
> 
> Usage of VPN or other stuff is not an option. 
> Basically I only need the condor master to talk to the execution node.
> File transfer etc. is done via NFS which works fine using port
> forwarding.
> Do you have any suggestions?

We have many execute machines behind their own private NATs (Pools of
Virtual Boxes project). In order to get them talking to the central
manager, we use Condor Connection Brokering (CCB) - no need to do any
port forwarding.

Take a look in the manual at Networking Configuration settings
<http://research.cs.wisc.edu/condor/manual/v7.7/3_3Configuration.html#SECTION00436000000000000000>.

Since we have individual machines each behind their own NAT, we set
PRIVATE_NETWORK_NAME to be something unique and then pass the address of
the central manager in CCB_ADDRESS.

This configuration works quite well for execute nodes behind a NAT, but
if, at some time in the future, you need to have submit nodes behind the
NAT, I would likely continue down your shared-port path.

Have a great day,
DJH

> Cheers,
> Hermann