Creating a Condor pool with no firewalls up is quite a simple task. Before the condor_shared_port daemon, doing the same with firewalls was a bit painful.
Condor uses dynamic ports for everything except the Collector; the Collector endpoint is the bootstrap. This means a Schedd might start up on a random ephemeral port, and each of its shadows might as well. That is a headache for firewalls, because large ranges of ports have to be opened for communication. There are ways to control the ephemeral range used, but doing so only narrows the range somewhat, does not guarantee that Condor actually gets those ports, and can limit scale.
The condor_shared_port daemon allows Condor to use a single inbound port on a machine.
Again, using Fedora 15. I had no luck with firewalld and firewall-cmd. Instead I fell back to using straight iptables.
The first thing to do is pick a port for Condor to use on your machines. The simplest thing to do is pick 9618, the port typically known as the Collector’s port.
On all machines where Condor is going to run, you want to –
# lokkit --enabled
# service iptables start
Starting iptables (via systemctl):                         [  OK  ]
# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
If you want to ssh to the machine again, be sure to insert rules above the “REJECT all -- …” rule (number 4 in the INPUT chain) –
# iptables -I INPUT 4 -p tcp -m tcp --dport 22 -j ACCEPT
And open a port, both TCP and UDP, for the shared port daemon (the service name condor resolves to 9618 via /etc/services, which is why lsof later shows *:condor) –

# iptables -I INPUT 5 -p tcp -m tcp --dport condor -j ACCEPT
# iptables -I INPUT 6 -p udp -m udp --dport condor -j ACCEPT
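As an added example (not from the original post), the same three inserts computed from the chain listing rather than hardcoded at 4, 5 and 6, so they still land above the REJECT rule on a host whose INPUT chain differs. The --apply path assumes root, that 9618 is the port chosen above, and that the Fedora iptables service reloads /etc/sysconfig/iptables on start; run without arguments it dry-runs against a constructed copy of the chain listing.

```shell
#!/bin/sh
# Added example, not from the original post: place the ACCEPT rules relative
# to the blanket REJECT rule instead of hardcoding indices 4, 5 and 6.
# Assumes the listing format of `iptables -L INPUT -n --line-numbers`.

# Print the line number of the first REJECT rule in an INPUT chain listing
# read from stdin; print nothing and exit 1 when there is no such rule.
reject_index() {
    awk '$2 == "REJECT" { print $1; found = 1; exit } END { exit !found }'
}

# Emit the iptables commands that open ssh and the shared port (9618, the
# "condor" entry in /etc/services) just above the REJECT rule at index $1.
# Each insert pushes REJECT one slot down, so the indices increase by one.
open_rules() {
    idx=$1
    echo "iptables -I INPUT $idx -p tcp -m tcp --dport 22 -j ACCEPT"
    echo "iptables -I INPUT $((idx + 1)) -p tcp -m tcp --dport 9618 -j ACCEPT"
    echo "iptables -I INPUT $((idx + 2)) -p udp -m udp --dport 9618 -j ACCEPT"
}

# Constructed sample listing, matching the default Fedora chain in the post.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# With --apply (as root) modify the live firewall and persist it in the file
# the Fedora iptables service loads; otherwise dry-run on the sample listing.
main() {
    if [ "$1" = "--apply" ]; then
        idx=$(iptables -L INPUT -n --line-numbers | reject_index) ||
            { echo "no REJECT rule in INPUT; nothing to insert above" >&2; exit 1; }
        open_rules "$idx" | sh -e
        iptables-save > /etc/sysconfig/iptables
    else
        idx=$(printf '%s\n' "$SAMPLE_LISTING" | reject_index)
        open_rules "$idx"
    fi
}

main "$@"
```

Without the iptables-save step the rules vanish on the next service iptables restart, which is the usual reason a pool that worked yesterday cannot reach its Collector today.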
Next you want to configure Condor to use the shared port daemon, with port 9618 –
# cat > /etc/condor/config.d/41shared_port.config
SHARED_PORT_ARGS = -p 9618
DAEMON_LIST = $(DAEMON_LIST), SHARED_PORT
COLLECTOR_HOST = $(CONDOR_HOST)?sock=collector
USE_SHARED_PORT = TRUE
^D
In order, SHARED_PORT_ARGS tells the shared port daemon to listen on port 9618, DAEMON_LIST tells the master to start the shared port daemon, COLLECTOR_HOST specifies that the collector will be on the sock named “collector”, and finally USE_SHARED_PORT tells all daemons to register and use the shared port daemon.
After you put that configuration on all your systems, run service condor restart, and go.
You will have the shared port daemon listening on 9618 (condor), and all communication between machines will go through it.

# lsof -i | grep $(pidof condor_shared_port)
condor_sh 31040 condor    8u  IPv4  74105      0t0  TCP *:condor (LISTEN)
condor_sh 31040 condor    9u  IPv4  74106      0t0  UDP *:condor
That’s right, you have a condor pool with firewalls and a single port opened for communication on each node.