**How to get HTCondor and a NAT Firewall to Cooperate**
 
-There is an HTCondor machine on which you want to do useful work either as a submit node or an execute node.  You also would like to share your new computer resources with others outside your department or division, but you do not want crooks using your systems to wreak havoc.  So, you install a firewall between your HTCondor resource and the Internet.  In the setup below, we will assume that the firewall is a separate host from the HTCondor resource. Indeed, will assume explicitly that it is a bastion host running Linux, and the firewall is iptables, with Network Address Translation (NAT); this is to be explicit about which commands to run.  Either you, or your firewall admin, should be able to translate these instructions to your firewall installation.  We are also assuming that you are not going to be using CCB.
+There is an HTCondor machine which is a submit node or an execute node, and you would like to share your new computer resources with others outside your department or division. But, you do not want crooks using your systems to wreak havoc.  So, there is a firewall between your HTCondor resource and the Internet.  Assume that the firewall is a separate host from the HTCondor resource. Indeed, will assume explicitly that it is a bastion host running Linux, and the firewall is iptables, with Network Address Translation (NAT); this is to be explicit about which commands to run.  Either you, or your firewall admin, should be able to translate these instructions to your firewall installation.  We are also assuming that you are not going to be using CCB.
 CCB allows communication between HTCondor daemons in a private network (outgoing connections only) with daemons in a public network (bidirectional connections allowed).  It therefore is not a complete solution for a case where you need daemons in two separate private networks to communicate---one or the other network must allow bidirectional connections for CCB to help.  In the case described below, we want a submit node, which is in a private network, to communicate with execute nodes in other private networks, such as Open Science Grid.  This is the private-to-private case that cannot be solved with CCB alone.  The solution below uses port-forwarding to make the submit node effectively public.  This allows the execute nodes in the remote private network to use CCB to have bidirectional connectivity with your submit node.  Bidirectional connectivity could also be achieved without CCB by also applying the port-forwarding solution below to the execute nodes of the remote private network, which may not be possible, either because of your own security concerns or because you do not administer machines on the remote network.
 
 Let us first assume that you have HTCondor installed and running.  For this, you should follow the instructions in {link: http://research.cs.wisc.edu/htcondor/manual/v7.9/3_2Installation.html section 3.2 of the HTCondor manual}.
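Review bot: the added paragraph still carries over "Indeed, will assume explicitly that it is a bastion host", which has no subject; make it "Indeed, we will assume explicitly". The rewrite also mixes voices within the one paragraph (imperative "Assume that the firewall is a separate host", then "We are also assuming"), so pick one, and "But, you do not want crooks" reads better without the comma or joined to the preceding sentence. Separately, "you are not going to be using CCB" sits directly above an unchanged paragraph saying the remote execute nodes use CCB to reach your submit node; consider wording it so it is clear the assumption applies to the local side behind this firewall, not to CCB use anywhere in the setup.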