Yes we are currently using wildcards already. Our organisation spans the country (Australia) and
consists of 7 different subnets. So at the moment it is something like:
NETWORK_INTERFACE = aaa.bbb.*, xxx.yyy.*, ddd.eee.*, etc.
The issue we have is that we want to exclude VPN connections. The address ranges for these are
within a specific range of the same subnets, something like:
aaa.bbb.192.1 – aaa.bbb.192.254
which corresponds to aaa.bbb.192.0/19
We currently use DENY_READ and DENY_WRITE on the Central Managers to achieve this, so that
VPN machines are never part of the pool of resources.
DENY_READ = aaa.bbb.192.0/19
DENY_WRITE = aaa.bbb.192.0/19
This works OK, but logs tons of PERMISSION DENIED messages. No biggie, but we would rather
it happen at the NETWORK_INTERFACE level, as this means that the HTCondor service would not
This has become an issue for one particular research group that work onboard the ship RV Investigator
which is part of the MNF - Marine National Facility. They have limited network bandwidth via satellite
(which connects into our network via VPN) and claim that scientists' laptops with HTCondor installed
are chewing into that bandwidth as the HTCondor service keeps trying to contact the Central Managers,
which then deny access.
Without the use of subnet notation, this makes it really kludgy to try and implement this via NETWORK_INTERFACE,
NETWORK_INTERFACE = /
So a total of 250+ entries for this one subnet. And we have 3 different VPN subnets in total. Not even sure
if HTCondor will handle a list this long anyway?
Is there any clever way to kludge this somehow?
It would have also been easy if there was an ALLOW/DENY for NETWORK_INTERFACE, similar to READ/WRITE.
Thanks for any help/info/advice/comments anyone can provide.
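An added example, not part of the thread and not HTCondor's own code: a small script that takes the current wildcard NETWORK_INTERFACE entries plus the VPN CIDR ranges that are currently in DENY_READ/DENY_WRITE, and produces the equivalent NETWORK_INTERFACE list using only the trailing-octet `*` wildcard (which, as the post says, is the only pattern form available there, with no subnet notation). It also reports how long the resulting list is, which is the number the post is worried about. It assumes NETWORK_INTERFACE accepts only patterns of the form `a.b.*` / `a.b.c.*` / full host addresses; the addresses used are constructed placeholders, not the site's real ones.

```python
"""Expand wildcard NETWORK_INTERFACE entries minus excluded CIDR ranges
into the smallest list of octet-aligned '*' wildcard patterns.

Added illustration for the thread above; not HTCondor code. Assumes the
only pattern HTCondor accepts here is a trailing '*' per octet.
"""
import ipaddress


def wildcard_to_network(pattern):
    """'10.20.*' -> 10.20.0.0/16; '10.20.5.7' -> 10.20.5.7/32.
    Only trailing wildcards are supported ('10.*.5.*' is rejected)."""
    octets = pattern.split(".")
    fixed = []
    for o in octets:
        if o == "*":
            break
        fixed.append(o)
    if len(fixed) == 4:
        return ipaddress.ip_network(pattern + "/32")
    if len(fixed) > 4 or any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"unsupported pattern {pattern!r}")
    addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{addr}/{8 * len(fixed)}")


def network_to_wildcards(net):
    """Express one CIDR block as octet-aligned wildcard patterns.
    A /16 is one 'a.b.*'; a /19 needs 32 'a.b.c.*' entries; a /30 is 4 hosts.
    This octet rounding is exactly what blows the list up."""
    aligned = (net.prefixlen + 7) // 8 * 8          # next octet boundary
    keep = aligned // 8                             # fixed octets in pattern
    subs = net.subnets(new_prefix=aligned) if aligned > net.prefixlen else [net]
    out = []
    for sub in subs:
        octets = str(sub.network_address).split(".")
        out.append(".".join(octets) if keep == 4 else ".".join(octets[:keep] + ["*"]))
    return out


def exclude_from_patterns(allowed_patterns, excluded_cidrs):
    """Return wildcard patterns covering allowed minus excluded."""
    excluded = [ipaddress.ip_network(c) for c in excluded_cidrs]
    remaining = []
    for pat in allowed_patterns:
        nets = [wildcard_to_network(pat)]
        for ex in excluded:
            nxt = []
            for n in nets:
                if ex.subnet_of(n):
                    nxt.extend(n.address_exclude(ex))   # carve the hole out
                elif n.subnet_of(ex):
                    continue                            # wholly excluded
                else:
                    nxt.append(n)                       # disjoint, keep
            nets = nxt
        remaining.extend(nets)
    patterns = []
    for n in ipaddress.collapse_addresses(remaining):   # merge adjacent blocks
        patterns.extend(network_to_wildcards(n))
    return patterns


def render_network_interface(patterns):
    """Format as the config line HTCondor would read."""
    return "NETWORK_INTERFACE = " + ", ".join(patterns)


if __name__ == "__main__":
    # Constructed placeholders standing in for the real site ranges.
    allowed = ["10.20.*", "10.30.*"]
    vpn = ["10.20.192.0/19", "10.30.240.0/24"]
    pats = exclude_from_patterns(allowed, vpn)
    print(f"{len(pats)} entries")
    print(render_network_interface(pats))
```

The key point the output makes visible: because the excluded range is narrower than a /16 but the wildcard can only stand for whole octets, every remaining /24 becomes its own entry, so a /16 minus a /19 costs 224 entries and a /16 minus a /24 costs 255. Whether HTCondor tolerates a NETWORK_INTERFACE list that long is the separate question the post raises and this script does not answer.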
From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
On 11/11/2021 6:48 PM, Hitchen, Greg (IM&T, Kensington WA) wrote: