Condor: Firewall Mirroring - PowerPoint PPT Presentation

Slides: 12
Provided by: me18

1
Condor Firewall Mirroring
UK Condor Week 2004
2
Outline
  • Problem of Firewalls within a Condor Pool
  • Options to alleviate these problems
  • Our Solution

3
Firewalls within a Condor Pool
  • Some resource owners have firewalls on their
    personal workstations
  • Since Condor needs each submit node to be able to
    talk to every potential execute node, this does
    not scale well.

4
Job Startup
[Diagram of job startup. Labels: Central Manager, Collector, Negotiator, Execute Machine, Submit Machine, Schedd, Startd, Starter, Shadow, Submit, Condor Syscall Lib]
Slide based on one from the University of
Wisconsin-Madison
5
What if the firewall is out-of-step?
  • A job from a newly added machine may still match
    the firewalled resource.
  • This job will not be able to run.
  • Parts of the system jam as a result:
      • condor_q on the submitting node
      • The other parts of the submit script
      • (maybe also parts of the central node)

6
A Related problem
  • Similar jams occur if part of your pool (or
    flock of pools) is on a network that is
    unavailable to some of the other nodes
  • How can we permit jobs from submit nodes that can
    access the private network to run on these nodes
    whilst preventing Condor sending jobs from other
    submit nodes there?

7
How can we get round this?
  1. Restrict the number of submit nodes
  2. Automatically update the firewall files
  3. Ensure everything is up-to-date
  4. Permit the pool to evolve whilst persuading Condor to
    avoid going to nodes where the job can't run

8
Firewall Mirroring (1)
  • Each machine with a firewall declares the fact in
    its ClassAds:
      HAS_FIREWALL = TRUE
  • Also, which machines and/or subnets it permits to
    access its Condor ports (mirroring FW table
    settings):
      FW_ALLOWS_113 = TRUE
      FW_ALLOWS_rjavig6 = TRUE
  • Finally, it needs to export these settings:
      STARTD_EXPRS = HAS_FIREWALL, FW_ALLOWS_113, \
                     FW_ALLOWS_rjavig6

9
Firewall Mirroring (2)
  • To ensure that jobs can only go to resources they
    can reach, ensure that submit machines declare
    their subnet and hostname:
      MY_SUBNET = 113
      MY_HOST = condor
  • Use these values in the following macro, which is
    added to all REQUIREMENTS for jobs from this
    machine:
      OK_FOR_THIS_MACHINE = ( \
        (HAS_FIREWALL =!= TRUE) || \
        (FW_ALLOWS_$(MY_HOST) == TRUE) || \
        (FW_ALLOWS_$(MY_SUBNET) == TRUE) )
      APPEND_REQUIREMENTS = $(OK_FOR_THIS_MACHINE)
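
The matching logic of slides 8 and 9, modelled in plain Python as an added example (not code from the presentation or from Condor). It assumes the comparison operators missing from the slide text are =!=, == and ||, and that a job matches only when its requirements evaluate to TRUE; the pool contents and the helper names are constructed for illustration.

```python
UNDEFINED = None  # stands in for a ClassAd attribute the machine does not advertise

def startd_config(allowed):
    """Emit execute-node config lines that mirror a firewall allow-list."""
    attrs = ["FW_ALLOWS_%s" % a for a in allowed]
    lines = ["HAS_FIREWALL = TRUE"] + ["%s = TRUE" % a for a in attrs]
    lines.append("STARTD_EXPRS = " + ", ".join(["HAS_FIREWALL"] + attrs))
    return lines

def eq(value, const):
    """ClassAd '==': comparing an undefined attribute yields UNDEFINED."""
    return UNDEFINED if value is UNDEFINED else value == const

def meta_ne(value, const):
    """ClassAd '=!=': always TRUE or FALSE, even for undefined attributes."""
    return value is UNDEFINED or value != const

def or3(*terms):
    """Three-valued OR: TRUE wins, otherwise UNDEFINED taints the result."""
    if any(t is True for t in terms):
        return True
    return UNDEFINED if any(t is UNDEFINED for t in terms) else False

def ok_for_this_machine(machine_ad, my_host, my_subnet):
    """Evaluate OK_FOR_THIS_MACHINE from slide 9 against one machine ad."""
    result = or3(
        meta_ne(machine_ad.get("HAS_FIREWALL", UNDEFINED), True),
        eq(machine_ad.get("FW_ALLOWS_" + my_host, UNDEFINED), True),
        eq(machine_ad.get("FW_ALLOWS_" + my_subnet, UNDEFINED), True),
    )
    return result is True  # UNDEFINED requirements never match

# Constructed sample pool: one open node, one firewalled as on slide 8.
POOL = {
    "open-node": {},
    "fw-node": {"HAS_FIREWALL": True, "FW_ALLOWS_113": True,
                "FW_ALLOWS_rjavig6": True},
}

def reachable(my_host, my_subnet):
    """Names of pool machines a submit node's jobs are allowed to match."""
    return sorted(name for name, ad in POOL.items()
                  if ok_for_this_machine(ad, my_host, my_subnet))

if __name__ == "__main__":
    print("\n".join(startd_config(["113", "rjavig6"])))
    print(reachable("condor", "113"))  # submit node from slide 9
    print(reachable("newbox", "42"))   # constructed node absent from the FW table
```

A submit node that the firewall table does not list never matches the firewalled machine, so its jobs stay on nodes they can reach instead of jamming.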

10
And Private Networks?
  • Same solution can be used for private networks by
    pretending they have a firewall and declaring
    which other nodes have access to that network

11
Conclusion
  • While this solution does not solve the firewalled
    workstation problem, it does make it nicer to
    live in their presence!