
Overview

This is a rough outline of all the connections that are made to run a Condor-G job in the grid universe using the GT2/GT5 GAHP.

  1. The gridmanager launches the GT2/5 GAHP.
  2. The GAHP binds to a port in the ephemeral port range of the client (GAHP_PORT).
  3. The GAHP launches a GASS server for file transfers (stdin, stdout, stderr, others).
  4. The GASS server binds to a port in the ephemeral port range of the client (GASS_PORT).
  5. The GAHP contacts the Gatekeeper on well-known port 2119.
  6. The gatekeeper launches the jobmanager.
  7. The jobmanager binds to a port in the ephemeral port range of the server (JM_PORT).
  8. The gatekeeper sends the jobmanager address to the GAHP.
  9. The GAHP contacts the jobmanager on JM_PORT.
  10. The jobmanager sends status updates to the GAHP on GAHP_PORT.
  11. When the job is done, the jobmanager sends data to the GASS server on GASS_PORT.

Ephemeral Port Range

The client will need to specify a port range for services to listen on. We typically use 50000–51000.

Firewall Settings

Client

The client needs to:

  1. Accept incoming connections from the server for the designated ephemeral port range of the client.
  2. Allow outgoing connections to the server for port 2119 and anything in the server's ephemeral port range. Note: If you don't know what the server's ephemeral port range is, or if it is not set to a specific range, then you probably need to open up all ports.

Server

The server needs to:

  1. Accept incoming connections from the client to port 2119.
  2. Accept incoming connections from the client to the local ephemeral port range of the server.
  3. Allow outgoing connections to the client's ephemeral port range.

Configuration

Globus Tools

Globus command line tools such as globus-job-run look for an environment variable called GLOBUS_TCP_PORT_RANGE. It should be set like this:

    GLOBUS_TCP_PORT_RANGE=lowport,highport

For example, if lowport is 50000 and highport is 51000, it should be:

    GLOBUS_TCP_PORT_RANGE=50000,51000

You can also set GLOBUS_TCP_SOURCE_RANGE if you want to control the local port of outgoing connections.

Condor

Condor-G uses the Condor configuration variables LOWPORT and HIGHPORT to determine the local ephemeral port range. Set them in your condor_config like this:

    LOWPORT=50000
    HIGHPORT=51000

If you want to configure Condor to use a different range for outgoing ports than incoming ports, then you need to specify OUT_LOWPORT / OUT_HIGHPORT and IN_LOWPORT / IN_HIGHPORT. In this case, OUT means outgoing (client side) connections, and IN means incoming (server side) connections. If those aren't defined, then LOWPORT and HIGHPORT are used for both incoming and outgoing connections.

The gridmanager will use these to set GLOBUS_TCP_PORT_RANGE and GLOBUS_TCP_SOURCE_RANGE in the environment for the GAHP and GASS servers.
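As an added example (not code from the Condor or Globus projects), the script below parses a constructed condor_config fragment, applies the IN_*/OUT_* fallback to LOWPORT/HIGHPORT described above, and lists the client-side firewall rules from the Firewall Settings section. That IN_* feeds GLOBUS_TCP_PORT_RANGE and OUT_* feeds GLOBUS_TCP_SOURCE_RANGE is an assumption drawn from the text, not something the page states.

```python
GATEKEEPER_PORT = 2119  # well-known Globus gatekeeper port (step 5 above)

def parse_condor_config(text):
    """Collect NAME = VALUE pairs from a condor_config fragment; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().upper()] = value.strip()
    return cfg

def port_range(cfg, direction):
    """(low, high) for direction 'IN' or 'OUT': IN_*/OUT_* win, else LOWPORT/HIGHPORT."""
    low = cfg.get(f"{direction}_LOWPORT", cfg.get("LOWPORT"))
    high = cfg.get(f"{direction}_HIGHPORT", cfg.get("HIGHPORT"))
    if low is None or high is None:
        raise ValueError(f"no {direction} port range: set LOWPORT/HIGHPORT")
    low, high = int(low), int(high)
    if not 1024 <= low <= high <= 65535:
        raise ValueError(f"bad {direction} port range {low}-{high}")
    return low, high

def globus_environment(cfg):
    """Variables the gridmanager exports to the GAHP/GASS server (mapping is assumed)."""
    in_lo, in_hi = port_range(cfg, "IN")
    out_lo, out_hi = port_range(cfg, "OUT")
    return {"GLOBUS_TCP_PORT_RANGE": f"{in_lo},{in_hi}",
            "GLOBUS_TCP_SOURCE_RANGE": f"{out_lo},{out_hi}"}

def client_firewall_rules(cfg, server_range=None):
    """(direction, port spec, purpose) tuples the client host needs; server_range is
    the server's ephemeral (low, high), or None when it is unknown or unrestricted."""
    in_lo, in_hi = port_range(cfg, "IN")
    rules = [("inbound", f"{in_lo}:{in_hi}", "jobmanager callbacks to GAHP_PORT/GASS_PORT"),
             ("outbound", str(GATEKEEPER_PORT), "gatekeeper")]
    if server_range is None:
        rules.append(("outbound", "1:65535", "jobmanager JM_PORT, server range unknown"))
    else:
        rules.append(("outbound", f"{server_range[0]}:{server_range[1]}", "jobmanager JM_PORT"))
    return rules

# Constructed condor_config fragment, not taken from a real site
SAMPLE_CONFIG = """LOWPORT = 50000
HIGHPORT = 51000
OUT_LOWPORT = 40000   # outgoing connections get their own range
OUT_HIGHPORT = 40500
"""
```

Calling `client_firewall_rules(parse_condor_config(SAMPLE_CONFIG), server_range=(60000, 61000))` yields the three rules the Client subsection lists; passing `server_range=None` produces the open-everything outbound rule the note warns about.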

More Information

http://toolkit.globus.org/toolkit/security/firewalls/

Globus Firewall Requirements for SERVERS and CLIENTS

https://twiki.opensciencegrid.org/bin/view/Documentation/Release3/FirewallInformation

https://twiki.opensciencegrid.org/bin/view/Documentation/Release3/TroubleshootingFaq#Condor_G_What_are_the_firewall_r
