
Re: [HTCondor-users] automatic selection of advertised IP



In 8.6, metaknobs allow arguments, and they can be optional. So how about something like this:

 

use SECURITY : HOST_BASED_PRIVATE_NETWORK(192.168.0.0/21)

  or

use SECURITY : HOST_BASED_PRIVATE_NETWORK(192.168.0.0/21, NEMONET)

 

which would expand to

 

    use SECURITY : HOST_BASED
    ALLOW_WRITE = $(1) $(ALLOW_WRITE)
    ALLOW_READ = $(1) $(ALLOW_READ)
    BIND_ALL_INTERFACES = false
    If $(2?)
       PRIVATE_NETWORK_INTERFACE = $(1)
       PRIVATE_NETWORK_NAME = $(2)
       # set this just so that we can easily reference the private network ip range in other config knobs.
       $(2)_SUBNET = $(1)
    Endif

 

I'm told that setting NETWORK_INTERFACE can be left at the default of * when PRIVATE_NETWORK_INTERFACE is set.

 

-tj

 

From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf Of Tom Downes
Sent: Friday, February 17, 2017 5:12 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] automatic selection of advertised IP

 

Aha.

 

 

I realize IP-based security is more a security blanket than a security posture, but I'd wager it's the dominant model in use. Worth making the simple cases simple to configure.


--

Tom Downes
Senior Scientist and Data Center Manager
Center for Gravitation, Cosmology and Astrophysics
University of Wisconsin-Milwaukee
414.229.2678

 

On Fri, Feb 17, 2017 at 4:50 PM, Tom Downes <downes@xxxxxxx> wrote:

I swear I put together a ticket which suggested whittling down these knobs so that you could effectively do

 

use SECURITY:HOST_BASED

PRIVATE_SUBNET = 172.20.0.0/23

 

and be "done" in the sense of having implemented something that is marginally better than nothing but also reliable.


--

Tom Downes
Senior Scientist and Data Center Manager
Center for Gravitation, Cosmology and Astrophysics
University of Wisconsin-Milwaukee
414.229.2678

 

On Fri, Feb 17, 2017 at 4:43 PM, Todd L Miller <tlmiller@xxxxxxxxxxx> wrote:

# ensure all communication occurs over private network
# may need to tweak when setting up flocking
BIND_ALL_INTERFACES = False
NETWORK_INTERFACE   = 172.20.*
PRIVATE_NETWORK_NAME      = NEMONET
PRIVATE_NETWORK_INTERFACE = 172.20.*


        You probably don't actually need the PRIVATE_NETWORK_* bits with BIND_ALL_INTERFACES and NETWORK_INTERFACE set that way.  I think the reverse is true as well (that HTCondor prefers matching named private networks over everything else), but I guess getting a 172.20.* address everywhere is less confusing/worrisome.



- ToddM