Condor: Firewall Mirroring
UK Condor Week 2004
John Kewley

Outline
• Problem of Firewalls within a Condor Pool
• Options to alleviate these problems
• Our Solution
John Kewley, Grid Technology Group, e-Science Centre

Firewalls within a Condor Pool
• Some resource owners have firewalls on their personal workstations.
• Since Condor needs each submit node to be able to talk to every potential execute node, this does not scale well.

Job Startup
(Diagram: Central Manager running the Negotiator and Collector; Submit Machine running the Schedd, Shadow and the submitted job; Execute Machine running the Starter, the Job and the Condor Syscall Lib. Slide based on one from the University of Wisconsin-Madison.)

What if the firewall is out-of-step?
• A job from a newly added machine may still be matched to the firewalled resource.
• This job will not be able to run.
• Parts of the system jam as a result:
  – condor_q on the submitting node
  – the other parts of the submit script
  – (maybe also parts of the central node)

A Related Problem
• Similar “jams” occur if part of your pool (or flock of pools) is on a network that is unavailable to some of the other nodes.
• How can we permit jobs from submit nodes that can access the private network to run on these nodes, whilst preventing Condor from sending jobs from other submit nodes there?

How can we get round this?
1. Restrict the number of submit nodes
2. Automatically update the firewall files
3. Ensure everything is up-to-date
4. Permit the pool to evolve whilst persuading Condor to “avoid” going to nodes where the job can’t run

Firewall Mirroring (1)
1. Each machine with a firewall declares the fact in its ClassAds:
     HAS_FIREWALL = TRUE
2. Also, which machines and/or subnets it permits to access its Condor ports (mirroring the firewall table settings):
     FW_ALLOWS_113 = TRUE
     FW_ALLOWS_rjavig6 = TRUE
3. Finally, it needs to export these settings:
     STARTD_EXPRS = HAS_FIREWALL, FW_ALLOWS_113, FW_ALLOWS_rjavig6

Firewall Mirroring (2)
To ensure that jobs can only go to resources they can reach:
1. Ensure that submit machines declare their subnet and hostname:
     MY_SUBNET = 113
     MY_HOST = condor
2. Use these values in the following macro, which is added to all REQUIREMENTS for jobs from this machine:
     OK_FOR_THIS_MACHINE = ( (HAS_FIREWALL =!= TRUE) || (FW_ALLOWS_$(MY_HOST) == TRUE) || (FW_ALLOWS_$(MY_SUBNET) == TRUE) )
     APPEND_REQUIREMENTS = $(OK_FOR_THIS_MACHINE)
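The following is an added simulation of the scheme on these two slides and of the "out-of-step" jam described earlier; it is not code from the talk or from Condor. It evaluates OK_FOR_THIS_MACHINE against startd ads the way a ClassAd requirement is evaluated (a missing attribute is UNDEFINED, and =!= TRUE is true for it), using constructed machine names and firewall rules; the htcondor bindings are not used.

```python
# Added simulation of the Condor firewall-mirroring scheme (not from the deck).
# HAS_FIREWALL / FW_ALLOWS_* / STARTD_EXPRS follow the slides; the pool below
# is constructed sample data.

UNDEFINED = None  # value of a ClassAd attribute the startd never advertised

def ok_for_this_machine(machine_ad, my_host, my_subnet):
    """OK_FOR_THIS_MACHINE as a ClassAd requirement would evaluate it.
    'HAS_FIREWALL =!= TRUE' is 'not identical to', so it is TRUE when the
    attribute is missing.  'FW_ALLOWS_x == TRUE' is UNDEFINED when missing;
    a requirement only matches when it evaluates to TRUE, so an UNDEFINED
    term in the disjunction behaves like FALSE for the match decision."""
    no_firewall = machine_ad.get("HAS_FIREWALL", UNDEFINED) is not True
    host_ok = machine_ad.get(f"FW_ALLOWS_{my_host}", UNDEFINED) is True
    subnet_ok = machine_ad.get(f"FW_ALLOWS_{my_subnet}", UNDEFINED) is True
    return no_firewall or host_ok or subnet_ok

def startd_ad(config):
    """Exported part of a startd ClassAd: only the names listed in STARTD_EXPRS."""
    names = [n.strip() for n in config.get("STARTD_EXPRS", "").split(",") if n.strip()]
    return {n: config[n] for n in names if n in config}

def matches(pool, my_host, my_subnet, mirrored=True):
    """Execute machines a job from (my_host, my_subnet) would be matched to."""
    return [name for name, m in pool.items()
            if not mirrored or ok_for_this_machine(m["ad"], my_host, my_subnet)]

def out_of_step(pool, my_host, my_subnet, mirrored=True):
    """Matches that would jam: the ad says OK but the real firewall blocks."""
    def reachable(m):
        fw = m["fw_allows"]  # real firewall rules; None means no firewall
        return fw is None or my_host in fw or my_subnet in fw
    return [n for n in matches(pool, my_host, my_subnet, mirrored)
            if not reachable(pool[n])]

# Constructed pool: 'ad' is what each machine exports, 'fw_allows' is the truth.
FW_LAB_CONFIG = {"HAS_FIREWALL": True, "FW_ALLOWS_113": True, "FW_ALLOWS_rjavig6": True,
                 "STARTD_EXPRS": "HAS_FIREWALL, FW_ALLOWS_113, FW_ALLOWS_rjavig6"}
POOL = {
    "open1":  {"ad": startd_ad({}), "fw_allows": None},
    "fw-lab": {"ad": startd_ad(FW_LAB_CONFIG), "fw_allows": {"113", "rjavig6"}},
    # firewall added but ClassAds never updated: the out-of-step case
    "fw-new": {"ad": startd_ad({}), "fw_allows": {"42"}},
}

if __name__ == "__main__":
    print(matches(POOL, "condor", "113"))      # ['open1', 'fw-lab', 'fw-new']
    print(out_of_step(POOL, "condor", "113"))  # ['fw-new'] - the job would jam
```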

And Private Networks?
• The same solution can be used for private networks by pretending they have a firewall and declaring which other nodes have access to that network.

Conclusion
• While this solution does not solve the firewalled workstation problem, it does make it nicer to live in their presence!