HTCondor Networking Concepts

Presentation transcript:

HTCondor Networking Concepts

Disclaimers
- Not about configuration macros
- Not about host or daemon lookups
- Not about HTCondor internals
Hopefully this is the last time I say those two words. ["configuration macros"]

Asking the Right Questions
There will be a quiz at the end.
- Start by reviewing fairy-tale networking
- ... then add IPv6
- ... then add schedd firewalls
- ... then add startd firewalls
End by passing the quiz (open-manual).

Fairy-tale Networking
- Single network protocol
- All addresses publicly routable
- No firewalls
- Fewer than ~25k simultaneous running jobs

Working in a Fairy Tale
[Diagram labels: negotiator, collector, schedd, startd, shadow*, starter*]
* One shadow and one starter per running job

IPv6
[Diagram labels: negotiator, collector, schedd, startd, shadow, starter; IPv4, IPv6]

IPv6 + IPv4
[Diagram labels: negotiator, collector, schedd, startd, shadow, starter, and a second startd]

Shared Port
Problem: Firewall
- Admin willing to open only one port
Problem: only ~60k TCP ports
- Need one per shadow
Shared Port Service
- Listens on a single port for incoming connections
- Hands each connection to the intended recipient

Shared Port
[Diagram labels: Internet, firewall, schedd, startd, shared_port, starter]
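As an added illustration of the shared-port idea on the slide above (this is example code written for this page, not HTCondor's shared_port daemon or its wire protocol), the Python demultiplexer below listens on one port and hands each accepted connection to the daemon named in a small assumed header. The header format (one length byte followed by the daemon name), the `SharedPort` class, `make_daemon` and `send_via_shared_port` are all inventions of this example; the real daemon passes the accepted socket to a separate daemon process, which this single-process model does not do.

```python
import socket
import threading

# Assumed, simplified wire format for this example (not HTCondor's real one):
# each connection begins with one length byte followed by the target daemon's
# name; everything after that belongs to the daemon the connection is handed to.

def recv_exact(conn, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during header")
        buf += chunk
    return buf

def make_daemon(name):
    """Stand-in for a schedd/startd/starter: reads one request, answers, hangs up."""
    def handle(conn):
        request = conn.recv(4096)
        conn.sendall(name.encode() + b" got: " + request)
        conn.close()
    return handle

class SharedPort:
    """One listening socket shared by every daemon in `registry` (name -> handler)."""
    def __init__(self, registry, host="127.0.0.1"):
        self.registry = registry
        self.rejected = 0               # connections that named an unknown daemon
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))       # port 0: the OS picks a free port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:             # listening socket was closed
                return
            threading.Thread(target=self._dispatch, args=(conn,), daemon=True).start()

    def _dispatch(self, conn):
        try:
            name_len = recv_exact(conn, 1)[0]
            target = recv_exact(conn, name_len).decode("ascii", "replace")
        except ConnectionError:
            conn.close()
            return
        handler = self.registry.get(target)
        if handler is None:
            # Unknown recipient: count it and drop it; nothing behind the port is reached.
            self.rejected += 1
            conn.settimeout(0.5)
            try:
                conn.recv(4096)         # drain what was sent so close() is a clean FIN
            except OSError:
                pass
            conn.close()
            return
        handler(conn)                   # hand the accepted socket to its daemon

    def close(self):
        self.sock.close()

def send_via_shared_port(port, target, payload, host="127.0.0.1"):
    """Client side: connect to the single open port, name the daemon, send payload."""
    name = target.encode("ascii")
    with socket.create_connection((host, port), timeout=5) as conn:
        conn.sendall(bytes([len(name)]) + name + payload)
        chunks = []
        while True:                     # read the reply until the daemon hangs up
            chunk = conn.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)

if __name__ == "__main__":
    sp = SharedPort({"schedd": make_daemon("schedd"), "startd": make_daemon("startd")})
    print(send_via_shared_port(sp.port, "startd", b"claim request"))
    print(send_via_shared_port(sp.port, "collector", b"ad"), "rejected:", sp.rejected)
    sp.close()
```

The only thing the single open port exposes is the dispatcher: a connection naming a daemon that is not registered is dropped and counted, which is the check an administrator who opened exactly one hole in the firewall would expect to be able to audit.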

Firewalled Submit Node
[Diagram labels: negotiator, collector, schedd, firewall, startd, shared port, starter, shadow]

TCP Forwarding Host
Problem: Private network with NAT
- Traverse firewall via port forwarding
- Allocate a public IP address
- Connections to the public address are forwarded by NAT to the machine on the private network
- Common in the Cloud

Condor Connection Broker
Problem: Private network with NAT
- Or firewall with no opening for HTCondor
Traverse firewall by reversing the connection
- Client sends connection request via broker
- Server initiates TCP connection to client
- Only bypasses one firewall
- Client and broker (CCB server) must have publicly routable addresses

CCB: Condor Connection Broker
[Diagram labels: Internet, outbound firewall, schedd, startd, schedd]
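The reversed-connection exchange from the Condor Connection Broker slide above, as an added example that is not part of the original slides or of HTCondor's CCB code: `Broker`, `PrivateServer`, `ccb_connect` and the one-JSON-object-per-line messages are assumed here for illustration only. It shows the three messages on the wire (server registers with the broker, client asks the broker for a connection, server dials the client) and why the two conditions on the slide hold: the broker relays only the request and never the data, and the client must be reachable because it is the side that ends up accepting.

```python
import json
import socket
import threading

# Assumed, simplified line protocol (one JSON object per line), written for this
# example; it is not HTCondor's real CCB wire format.

def send_msg(sock, obj):
    sock.sendall(json.dumps(obj).encode() + b"\n")

def recv_msg(sock):
    """Read one newline-terminated JSON object; None on EOF."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            return None
        buf += chunk
    return json.loads(buf.decode())

def listen_loopback():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    s.listen(16)
    return s

class Broker:
    """The CCB server: publicly reachable, relays requests, carries no job traffic."""
    def __init__(self):
        self.sock = listen_loopback()
        self.port = self.sock.getsockname()[1]
        self.servers = {}             # server id -> its persistent outbound socket
        self.lock = threading.Lock()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:           # listening socket was closed
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        msg = recv_msg(conn)
        if msg and msg.get("type") == "register":
            with self.lock:
                self.servers[msg["id"]] = conn   # kept open for later callbacks
            send_msg(conn, {"ok": True})
            return
        if msg and msg.get("type") == "request":
            with self.lock:
                server = self.servers.get(msg["id"])
            if server is None:
                send_msg(conn, {"ok": False, "error": "unknown server"})
            else:   # relay only the request; the data path never touches the broker
                send_msg(server, {"type": "connect", "host": msg["host"], "port": msg["port"]})
                send_msg(conn, {"ok": True})
        conn.close()

    def close(self):
        self.sock.close()

class PrivateServer:
    """A daemon (e.g. a startd) behind an outbound-only firewall: it never listens."""
    def __init__(self, server_id, broker_port):
        self.id = server_id
        self.broker = socket.create_connection(("127.0.0.1", broker_port))
        send_msg(self.broker, {"type": "register", "id": server_id})
        assert recv_msg(self.broker) == {"ok": True}, "registration failed"
        threading.Thread(target=self._callback_loop, daemon=True).start()

    def _callback_loop(self):
        while True:
            msg = recv_msg(self.broker)
            if msg is None:
                return
            if msg.get("type") == "connect":
                # The reversed connection: the server dials the client.
                with socket.create_connection((msg["host"], msg["port"]), timeout=5) as c:
                    c.sendall(b"hello from " + self.id.encode())

def ccb_connect(broker_port, server_id, timeout=5.0):
    """Client side: it must be reachable itself, so it listens for the callback."""
    callback = listen_loopback()
    callback.settimeout(timeout)
    host, port = callback.getsockname()
    try:
        with socket.create_connection(("127.0.0.1", broker_port), timeout=timeout) as b:
            send_msg(b, {"type": "request", "id": server_id, "host": host, "port": port})
            reply = recv_msg(b)
        if not reply or not reply.get("ok"):
            return None                # broker knows no such server
        conn, _ = callback.accept()
        conn.settimeout(timeout)
        with conn:
            return conn.makefile("rb").read()   # everything the server sent until it hung up
    finally:
        callback.close()
```

Because `PrivateServer` never calls `listen`, it works from behind an outbound-only firewall or NAT; the broker and the client both bind listening sockets, which is the "publicly routable" requirement on the slide. It also makes the "only bypasses one firewall" point concrete: if the client were unreachable as well, the callback that `ccb_connect` waits for would never arrive.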

NATd Execute Nodes
[Diagram labels: negotiator, collector/CCB, schedd, shared port, startd, NAT, firewall, shared port, startd, shadow, starter]

Port Usage (Digression)
One shadow for each running job
In the fairy-tale setup
- Each shadow uses two ports
- Limit of ~25k running jobs
With shared port and CCB
- Shadows use no ports
- No network limit on the number of running jobs

Quiz
1. Why do schedds and central managers need to be mixed-mode in a pool split between IPv4 and IPv6 nodes?
2. Why use CCB on execute nodes?
3. Why use both CCB and shared port?
4. If both the schedd and the execute nodes are NATd, what do you do?
Notes: 4 -- fewer schedds; CCB'd schedds may not be able to flock; for NAT use port forwarding and set TCP_FORWARDING_HOST on schedd. HTCondor solutions may scale better than VPN (CCB does not actually forward); if schedd & execute nodes NATd on same network, can use PrivNet and PrivName.

Question 1
Why do schedds and central managers need to be mixed-mode in a pool split between IPv4 and IPv6 nodes?
They need to be able to talk to all execute nodes.

Question 2
Why use CCB on execute nodes (and not submit nodes)?
Easier to make submit nodes publicly accessible (there are fewer of them).

Question 3
Why use both CCB and shared port?
- Can't use CCB for both schedd and startd
- No ports used for the shadow, so no limit on the number of running jobs

Question 4
If both the schedd and the execute nodes are NATd, what do you do?
- If same NAT, no problem
- TCP Forwarding Host for the schedd

Congratulations! HTCondor Administrator Networking