
Re: [HTCondor-users] NETWORK_INTERFACE - IP address subnet notation not working



Thanks Todd.

Yes we are currently using wildcards already. Our organisation spans the country (Australia) and consists of 7 different subnets. So at the moment it is something like:

NETWORK_INTERFACE = aaa.bbb.*, xxx.yyy.*, ddd.eee.*, etc.

The issue we have is that we want to exclude VPN connections. The address ranges for these are within a specific range of the same subnets, something like:

aaa.bbb.192.1 – aaa.bbb.192.254

which corresponds to aaa.bbb.192.0/19

We currently use DENY_READ and DENY_WRITE on the Central Managers to achieve this, so that VPN machines are never part of the pool of resources.

DENY_READ = aaa.bbb.192.0/19
DENY_WRITE = aaa.bbb.192.0/19

This works OK, but logs tons of PERMISSION DENIED messages. No biggie, but we would rather it happen at the NETWORK_INTERFACE level, as this means that the HTCondor service would not even start.

This has become an issue for one particular research group that work onboard the ship RV Investigator which is part of the MNF - Marine National Facility. They have limited network bandwidth via satellite (which connects into our network via VPN) and claim that scientists' laptops with HTCondor installed are chewing into that bandwidth as the HTCondor service keeps trying to contact the Central Managers, which then deny access.

Without the use of subnet notation, this makes it really kludgy to try and implement this via NETWORK_INTERFACE,

NETWORK_INTERFACE = /
aaa.bbb.0.* /
aaa.bbb.1.* /
aaa.bbb.2.* /
etc.
aaa.bbb.191.* /
#(exclude aaa.bbb.192.*)
aaa.bbb.193.* /
aaa.bbb.194.* /
etc.
aaa.bbb.254.*

So a total of 250+ entries for this one subnet. And we have 3 different VPN subnets in total. Not even sure if HTCondor will handle a list this long anyway?

Is there any clever way to kludge this somehow?

It would have also been easy if there was an ALLOW/DENY for NETWORK_INTERFACE, similar to READ/WRITE.

Thanks for any help/info/advice/comments anyone can provide.

Cheers

Greg

From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
Sent: Saturday, 13 November 2021 6:38 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; Hitchen, Greg (IM&T, Kensington WA) <Greg.Hitchen@xxxxxxxx>; Tim Theisen <tim@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] NETWORK_INTERFACE - IP address subnet notation not working

 

On 11/11/2021 6:48 PM, Hitchen, Greg (IM&T, Kensington WA) wrote:

Hi everyone
 
Is someone able to confirm that an IP address of the form:
 
128.104.0.0/16
 
does NOT work for:
 
NETWORK_INTERFACE = 128.104.0.0/16


Hi Greg,

The documentation for NETWORK_INTERFACE is here:

https://htcondor.readthedocs.io/en/latest/admin-manual/configuration-macros.html#NETWORK_INTERFACE

Looks like using subnet notation is not allowed, but using a wildcard is, so maybe you could achieve what you want via:

NETWORK_INTERFACE = 128.104.*

regards,
Todd
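
The enumeration Greg describes can be generated rather than typed. The following is an added example, not part of the original thread and not HTCondor code: it subtracts the VPN ranges from the site subnets and prints the remainder as octet-aligned wildcards in the style used above. The 10.20/10.30 addresses are constructed stand-ins for aaa.bbb and friends, the function names are hypothetical, and it leaves open the thread's question of whether HTCondor accepts a list this long.

```python
import ipaddress

def subtract(allowed, excluded):
    """Return the IPv4 networks left after carving out every excluded range."""
    remaining = [ipaddress.ip_network(a) for a in allowed]
    for ex in map(ipaddress.ip_network, excluded):
        kept = []
        for net in remaining:
            if ex.supernet_of(net):          # net lies wholly inside the excluded range
                continue
            if net.supernet_of(ex):          # excluded range lies inside net: split around it
                kept.extend(net.address_exclude(ex))
            else:                            # no overlap
                kept.append(net)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def to_wildcards(net):
    """Express one network as octet-aligned patterns such as 10.20.7.*"""
    octets = -(-net.prefixlen // 8)          # round the prefix up to whole octets
    parts = net.subnets(new_prefix=octets * 8) if net.prefixlen % 8 else [net]
    out = []
    for p in parts:
        head = str(p.network_address).split(".")[:octets]
        out.append(".".join(head + ["*"]) if octets < 4 else ".".join(head))
    return out

def wildcard_patterns(allowed, excluded):
    return [w for net in subtract(allowed, excluded) for w in to_wildcards(net)]

def network_interface_line(allowed, excluded):
    return "NETWORK_INTERFACE = " + ", ".join(wildcard_patterns(allowed, excluded))

# Constructed sample data: 10.20.0.0/16 and 10.30.0.0/16 stand in for the
# site subnets, 10.20.192.0/19 for the VPN range (third octets 192-223).
SITE_SUBNETS = ["10.20.0.0/16", "10.30.0.0/16"]
VPN_RANGES = ["10.20.192.0/19"]

if __name__ == "__main__":
    pats = wildcard_patterns(SITE_SUBNETS, VPN_RANGES)
    print(f"# {len(pats)} patterns")
    print(network_interface_line(SITE_SUBNETS, VPN_RANGES))
```

Because the output is derived from the same CIDR ranges used in DENY_READ and DENY_WRITE, the two settings can be kept consistent from one source list.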