
Re: [HTCondor-users] Issues with firewall when USE_SHARED_PORT = True



If iptables is set on this execute-only node to allow it to talk to itself netstat shows two condor_shared_p instances on different ports. One of them is on 9618 and the other on some random port. If I don't use iptables there is only a single instance shown on port 9618. This is using the same condor config.

I assume from that that if you use iptables then one has to allow at least 2 ports, one of which will be 9618 and I can limit the range for the other one. Is there a macro I can use to specify the other port number rather than using a range? That way I can have iptables allow 2 ports rather than a range. I realise one can limit the port range to two ports which means the other port is +1 or -1 from the shared port (default of 9618).

MarkJ


________________________________
From: Todd L Miller <tlmiller@xxxxxxxxxxx>
To: TarotApprentice <tarotapprentice@xxxxxxxxx> 
Cc: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Sent: Thursday, 12 April 2018, 1:09
Subject: Re: [HTCondor-users] Issues with firewall when USE_SHARED_PORT = True



> sudo netstat -tlp
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:9618            0.0.0.0:*               LISTEN      2190/condor_shared_
> tcp        0      0 0.0.0.0:54011           0.0.0.0:*               LISTEN      2190/condor_shared_

> SharedPortLog attached

    The only time the shared port daemon needs to contact another 
daemon on the same machine on its own behalf is to tell the condor_master 
daemon that it's alive.  Normally, the shared port daemon would accept a 
connection on the shared port and then pass it along to the target daemon, 
but when it's acting on its own behalf, there isn't an existing 
connection... so it makes one.  For various reasons, it does so by 
connecting to itself at, in your case, 192.168.1.8, /not/ 127.0.0.1. 
Your firewall needs to allow connections from itself to itself on any port, 
and if I'm reading the rules right, it doesn't.  You may be able to use 
the IN_LOWPORT and IN_HIGHPORT macros to define a range; you may need to 
make sure the range includes port 9618.

    Sorry for all the trouble.


- ToddM
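An added check, written for this thread and not part of HTCondor or of either message: it parses `netstat -tlp` output (a constructed sample shaped like the one quoted above), picks out the ports condor_shared_port is listening on, and reports any that fall neither on the shared port nor inside the IN_LOWPORT..IN_HIGHPORT range, so a firewall range can be verified against what the daemon actually binds before the rules are tightened. The port range values and the `range_covers_listeners` helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or HTCondor): check that every port
# condor_shared_port listens on is covered by the firewall allowance, i.e. the
# shared port (9618 by default) plus the IN_LOWPORT..IN_HIGHPORT range from the
# condor config. The netstat sample below is constructed to match the quoted one.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9618            0.0.0.0:*               LISTEN      2190/condor_shared_
tcp        0      0 0.0.0.0:54011           0.0.0.0:*               LISTEN      2190/condor_shared_'

# Print the local listening port of every LISTEN line whose program name
# starts with condor_shared (netstat truncates the name, hence a prefix match).
shared_port_listeners() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" && $7 ~ /\/condor_shared/ {
        n = split($4, a, ":"); print a[n] }'
}

# Usage: ports_outside_range "<netstat output>" SHARED_PORT IN_LOWPORT IN_HIGHPORT
# Prints each listener that is neither the shared port nor inside
# [IN_LOWPORT, IN_HIGHPORT]; prints nothing when the range covers everything.
ports_outside_range() {
    netstat_out=$1; shared=$2; low=$3; high=$4
    for p in $(shared_port_listeners "$netstat_out"); do
        if [ "$p" -ne "$shared" ] && { [ "$p" -lt "$low" ] || [ "$p" -gt "$high" ]; }; then
            echo "$p"
        fi
    done
}

# Exit status 0 when the firewall range is sufficient, 1 otherwise.
range_covers_listeners() {
    [ -z "$(ports_outside_range "$@")" ]
}

# Demo with assumed ranges: 9618 plus 10000..10010 misses the 54011 listener,
# while 9618 plus 54000..54020 covers both ports in the sample.
if range_covers_listeners "$SAMPLE_NETSTAT" 9618 10000 10010; then
    echo "range 10000-10010 covers all condor_shared_port listeners"
else
    echo "outside range 10000-10010: $(ports_outside_range "$SAMPLE_NETSTAT" 9618 10000 10010)"
fi
```

On a live node, replace the sample with `sudo netstat -tlp` output and the range arguments with the IN_LOWPORT and IN_HIGHPORT values from the condor config; a non-empty result names the ports the firewall would still reject.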