Page History
- 2013-Jan-14 14:01 smoler
- 2013-Jan-14 13:57 smoler
- 2013-Jan-14 13:38 smoler
- 2013-Jan-14 13:30 smoler
- 2013-Jan-14 12:50 smoler
- 2013-Jan-14 12:16 smoler
- 2013-Jan-14 12:09 smoler
- 2013-Jan-14 12:06 smoler
- 2013-Jan-14 12:03 smoler
- 2013-Jan-14 12:00 smoler
- 2013-Jan-14 11:56 nwp
- 2013-Jan-14 11:52 nwp
- 2013-Jan-14 11:52 smoler
- 2013-Jan-11 16:43 nwp
The setup here is that you have a HTCondor machine on which you want to do useful work either as a submit node or an execute node. You also would like to share your new computer resources with others outside your department or division, but you do not want crooks using your systems to wreak havoc. So, you install a firewall between your HTCondor resource and the Internet. In the setup below, we will assume that the firewall is a separate host from the HTCondor resource. Indeed, will assume explicitly that it is a bastion host running Linux, and the firewall is iptables, with Network Address Translation (NAT); this is to be explicit about which commands to run. Either you, or your firewall admin, should be able to translate these instructions to your firewall installation. We are also assuming that you are not going to be using CCB.
Let us first assume that you have HTCondor installed and running. For this, you should follow the instructions in section 3.2 of the HTCondor manual.
Let us assume you have the following setup. The HTCondor schedd is installed on a machine (named S) with IP address 192.168.0.1; this is your submit machine. An HTCondor startd is installed on a machine (named E) at 192.168.0.2; this is your execute node. The firewall has an external---that is, facing the Internet---IP address of 10.0.0.1, and an internal---that is, facing toward your local network---IP address of 192.168.0.250; we will call this machine F. We know 10.0.0.1 is actually not a routable address, but pretend that it is for the duration of this document. S and E are in the domain mydomain.net.
Then we will make the following changes to condor_config.local on S (the schedd). To find your HTCondor configuration files, the command condor_config_val -dump will be a big help, as the files are listed in the header of the output
USE_SHARED_PORT = True SHARED_PORT_ARGS = -p 9617 PRIVATE_NETWORK_NAME = mydomain.net PRIVATE_NETWORK_INTERFACE = eth0 TCP_FORWARDING_HOST = 10.0.0.1
TCP_FORWARDING_HOST must match the external address of the collector.
On the execute node E, we have similar configuration changes, except for the shared port:
USE_SHARED_PORT = True SHARED_PORT_ARGS = -p 9616 PRIVATE_NETWORK_NAME = mydomain.net PRIVATE_NETWORK_INTERFACE = eth0 TCP_FORWARDING_HOST = 10.0.0.1
PRIVATE_NETWORK_NAME on S and E allow them to communicate directly without going through the firewall F.
Now, on the firewall F, we run the following commands to redirect connections from the Internet to ports 9617 and 9616 on F to the corresponding ports on S and E:
iptables -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 9617 -j DNAT --to-destination 192.168.0.1 iptables -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 9616 -j DNAT --to-destination 192.168.0.2 iptables -A POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.1
Finally, run condor_reconfig on S and E to incorporate the configuration changes.
One may well ask how this works for HTCondor. Simply put, HTCondor wraps all the information in a "sinful string". condor_status -schedd -l will return a Schedd ClassAd, which will contain a line that looks something like:
MyAddress = "<10.0.0.1:9617?PrivAddr=%3c192.168.0.1:9617%3fsock%3d936_480b_8%3e&PrivNet=mydomain.net&noUDP&sock=936_480b_8>"