How to Use Pool Passwords and CCB
In the following scenario, you're running a submit node (collector, negotiator, schedd) on a local machine you control, and starting virtual machines on a cloud to provide cycles to your pool. We assume those VMs are behind a NAT -- that is, they have outbound but not inbound connectivity. We will configure these startds to use CCB (to allow full communications) and a pool password (for security).
In this scenario, a pool password is useful because it allows nodes to participate in secure communications without establishing any particular individual identity. Since you'll be creating many identical instances of your VM, this can very much simplify management. Conversely, you will be storing the (encrypted) pool password on the VM's disk, so anyone who can access your VM can simply run it in order to join your pool.
You may need to enable UDP in your firewall to make this configuration work, even if you have USE_TCP_UPDATES set.
You should not enable CCB (that is, set CCB_ADDRESS) on the submit node. This will cause file transfer to fail.
Further Assumptions
We will assume that your submit node is 'cloudtest.example', and it permits inbound connections on TCP and UDP ports 20,000 to 30,000.
Execute Node
CONDOR_HOST = cloudtest.example # Daemons using the pool password authenticate as the 'condor_pool' user. ALLOW_WRITE = condor_pool@* SEC_DEFAULT_AUTHENTICATION = REQUIRED SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD, FS # Generate this file w/ 'condor_store_cred -f /path/to/password/file'. # It should be owned by root and mode 0400. SEC_PASSWORD_FILE = /etc/condor/password_file SEC_DEFAULT_ENCRYPTION = REQUIRED SEC_DEFAULT_INTEGRITY = REQUIRED HIGHPORT = 30000 LOWPORT = 20000 COLLECTOR_HOST=$(CONDOR_HOST):29660 CCB_ADDRESS = $(COLLECTOR_HOST)
Submit Node
CONDOR_HOST = $(FULL_HOSTNAME) ALLOW_WRITE = condor_pool@*/* SEC_DEFAULT_AUTHENTICATION = REQUIRED SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD, FS SEC_PASSWORD_FILE = /etc/condor/password_file # Ensures that you can submit jobs. QUEUE_SUPER_USERS = condor, condor_pool SEC_DEFAULT_ENCRYPTION = REQUIRED SEC_DEFAULT_INTEGRITY = REQUIRED HIGHPORT = 30000 LOWPORT = 20000 COLLECTOR_HOST=$(CONDOR_HOST):29660