Mailing List Archives
Public Access
|
|
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [condor-users] Flocking problems
- Date: Wed, 07 Apr 2004 07:11:51 +0100
- From: Mark Calleja <mcal00@xxxxxxxxxxxxx>
- Subject: Re: [condor-users] Flocking problems
Dan Bradley wrote:
James Wilgenbusch wrote:
I have a two condor pools and would like to allow each pool equal
access to the other's resources. One pool consists of a 16 machines
in the 192.168.0 name space (let's call this pool A). The 16 machines
are attached to a central manager that is open to the world. All the
nodes in the other pool (say pool B) are visible to the world. I've
configured both pools to using the FLOCK_TO/FLOCK_FROM config flags
but still I'm having some problems.
A solution for this scenario (flocking into private networks) is
currently in development. Until it is released, there is essentially
no way to flock into a pool with nodes that are inaccessible to the
submitter.
One solution is to set up a Globus gatekeeper on a public node that
has access to the private pool and submit jobs directly to the
gatekeeper via Condor-G.
An alternative which we are also using is a dedicated Virtual Private
Network (VPN) based on secnet [1], with all participating machines
having an (additional) IP address in this VPN. Only a single machine
(the VPN gateway) from a particular pool (your 198.168. pool) needs to
have external access, and then only via a single UDP port for a
relatively small number of machines (the other VPN gateways, one each
for any other flocked pool). All other machines belonging to your
198.168 pool now tunnel their ‘Condor traffic’ through that gateway,
regardless of whether they have a private IP addresses. An added bonus
is that traffic between different gateways is automatically encrypted,
adding a layer of security to the model. However, running such a VPN
raises its own security issues, since institutional firewalls are
effectively bypassed by this mechanism, so extreme care needs to be
taken both in administering the gateway and in formulating an
appropriate security model.
We also run a Globus interface as Dan's mentioned, but the model
mentioned above keeps it 'purely' Condor.
[1] http://www.chiark.greenend.org.uk/~secnet/
Cheers,
Mark
--
Dr Mark Calleja
Department of Earth Sciences, University of Cambridge
Downing Street, Cambridge CB2 3EQ, UK
Tel. (+44/0) 1223 333408, Fax (+44/0) 1223 333450
http://www.esc.cam.ac.uk/~mcal00
Condor Support Information:
http://www.cs.wisc.edu/condor/condor-support/
To Unsubscribe, send mail to majordomo@xxxxxxxxxxx with
unsubscribe condor-users <your_email_address>