**How to get HTCondor and a NAT Firewall to Cooperate**
 
-The setup here is that you have a HTCondor machine on which you want to do useful work either as a submit node or an execute node.  You also would like to share your new computer resources with others outside your department or division, but you do not want crooks using your systems to wreak havoc.  So, you install a firewall between your HTCondor resource and the Internet.  In the setup below, we will assume that the firewall is a separate host from the HTCondor resource. Indeed, will assume explicitly that it is a bastion host running Linux, and the firewall is iptables, with Network Address Translation (NAT); this is to be explicit about which commands to run.  Either you, or your firewall admin, should be able to translate these instructions to your firewall installation.  We are also assuming that you are not going to be using CCB.
+For an HTCondor machine on which you want to do useful work either as a submit node or as an execute node, you also would like to share your new computer resources with others outside your department or division. But, you do not want crooks using your systems to wreak havoc.  So, you install a firewall between your HTCondor resource and the Internet.  In this description, we assume that the firewall is a separate host from the HTCondor resource. We further assume explicitly that the firewall is a bastion host running Linux, and the firewall is iptables, with Network Address Translation (NAT); this assumption allows the description to contain explicit commands to run.  You or your firewall administrator should be able to translate these instructions as needed to your particular firewall installation.  We are also assuming that you are not going to be using CCB.
 
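Review bot: The opening sentence of the added paragraph does not parse. "For an HTCondor machine on which you want to do useful work ..., you also would like to share ..." never says what happens to that machine. Suggest restoring a subject, for example "You have an HTCondor machine ... and you would also like to share it ...", and dropping the comma after "But". The same paragraph uses "the firewall" for both the bastion host and iptables ("the firewall is a bastion host running Linux, and the firewall is iptables"); calling the second one "the firewall software" would keep host and software apart for the commands that follow.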
-Let us first assume that you have HTCondor installed and running.  For this, you should follow the instructions in {link: http://research.cs.wisc.edu/htcondor/manual/v7.9/3_2Installation.html section 3.2 of the HTCondor manual}.
+Assume that HTCondor is installed and running with the following set up:
 
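Review bot: The replacement line drops the pointer to section 3.2 of the HTCondor manual that the removed line carried, so a reader without a working installation no longer has a reference for it. Consider keeping that link next to "Assume that HTCondor is installed and running". Also, "set up" is used as a noun here and should be "setup", as the removed text had it.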
-Let us assume you have the following setup.  The HTCondor schedd is installed on a machine (named S) with IP address 192.168.0.1; this is your submit machine.  An HTCondor startd is installed on a machine (named E) at 192.168.0.2; this is your execute node.  The firewall has an external---that is, facing the Internet---IP address of 10.0.0.1, and an internal---that is, facing toward your local network---IP address of 192.168.0.250; we will call this machine F. We know 10.0.0.1 is actually not a routable address, but pretend that it is for the duration of this document. S and E are in the domain =mydomain.net=.
+The submit machine, which runs the condor_schedd is installed on a machine named S with IP address 192.168.0.1.
+
+The execute machine, which runs the condor_startd is installed on a machine named E with IP address 192.168.0.2.
+
+The firewall has an Internet-facing, external IP address of 10.0.0.1.
+Its internal, ---that is, facing toward your local network---IP address of 192.168.0.250; we will call this machine F. We know 10.0.0.1 is actually not a routable address, but pretend that it is for the duration of this document. S and E are in the domain =mydomain.net=.
 
 Then we will make the following changes to =condor_config.local= on S (the schedd).  To find your HTCondor configuration files, the command =condor_config_val -dump= will be a big help, as the files are listed in the header of the output
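Review bot: The added line beginning "Its internal, ---that is, facing toward your local network---IP address of 192.168.0.250" is a fragment with no verb, left half-converted from the old sentence while the external-address line above it was rewritten. Suggest matching that line: "Its internal, local-network-facing IP address is 192.168.0.250; we will call this machine F." In the two added lines before it, "The submit machine, which runs the condor_schedd is installed on a machine named S" is missing the comma that closes the relative clause and reads as a machine installed on a machine; "The submit machine, which runs the condor_schedd, is named S and has IP address 192.168.0.1" avoids both, and the same applies to the execute machine line.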