GCB Tutorial, OGF 2007 (presentation transcript)



What is GCB?

  • GCB is the Generic Connection Broker

    • Included in Condor 6.7.13 (Nov 2005) and later

    • Linux-only

  • It solves the “firewall traversal problem”

  • So what is the firewall traversal problem?


A Simple Condor Pool

[Diagram: Matchmaker, Executor and Submitter, with arrows showing that communication is initiated in two directions. Note: this is a subset of the communication in Condor.]



What If There Is A Firewall?

  • Firewalls usually block incoming traffic on most ports

  • “Incoming” depends on your perspective:

    • Organizations have firewalls to protect from computers outside the organization

    • Individual computers have firewalls to protect from other computers


A Condor Pool With Firewall

[Diagram: Matchmaker, Executor and Submitter as before, now with a firewall; two of the connections are marked X (blocked by the firewall).]



How Can You Traverse Firewalls?

  • Punch a hole

    • Configure firewall to allow traffic on a certain range of ports to come through

    • Tell Condor to restrict itself to use only this range

    • Bummer: Condor can use many ports

    • Bummer: Punching holes makes people nervous


How Can You Traverse Firewalls?

  • Use Condor-C

    • Put host on network edge

    • Open a couple of ports for it

    • Delegate jobs to this host

[Diagram: Matchmaker, Executor, Re-Submitter and Submitter; the Submitter delegates jobs to the Re-Submitter host on the network edge.]



How Can You Traverse Firewalls?

  • Change Condor to always use outgoing traffic

    • What if there are two firewalls or private networks?

    • Which direction is “outgoing”?

  • GCB automates this solution

    • It knows which direction is outgoing

    • It can proxy if there are two firewalls


GCB: Contacting Executor (One Possible Scenario)

  1. Executor registers with GCB (permanent TCP connection)

  2. Executor advertises to matchmaker (GCB IP address)

  3. After match, submitter contacts executor, via GCB

  4. GCB tells executor to open connection

  5. Executor opens connection to submitter

[Diagram: GCB, Matchmaker, Executor and Submitter, with the five steps numbered on the arrows between them.]


GCB (Acting as Proxy)

  1. Assume 1 port open for matchmaker. (Can avoid…)

  2. Executor advertises with GCB (permanent connection)

  3. Executor advertises to matchmaker (GCB IP address)

  4. After match, submitter contacts executor, via GCB

  5. Communication flows through GCB, using both connections

[Diagram: GCB, Matchmaker, Executor and Submitter, with the five steps numbered on the arrows; submitter and executor each hold a connection to GCB and traffic is relayed over both.]
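The two scenarios above as a message-level model in Python. This is an added example, not code from the slides or from GCB itself: the Host, Broker and Connection classes, the addresses, and the rule that the broker relays only when the submitter is itself behind a firewall are assumptions made for illustration (no NAT is modelled). What it shows is the property that matters for the firewall: on both paths, the only connections a firewalled executor is ever party to are ones it opened itself.

```python
"""Message-level model of the two GCB scenarios on the slides (added example).

Hosts, addresses and the rule for choosing between the reverse-connection and
relay paths are constructed for illustration; this is not GCB's wire protocol.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ip: str
    behind_firewall: bool  # True: inbound connections to this host are blocked


@dataclass
class Connection:
    initiator: str   # side that actually called connect()
    acceptor: str    # side that accepted the TCP connection ("GCB" when relayed)
    via: str         # "reverse" (executor calls back) or "relay" (through GCB)
    peer_addr_seen_by_submitter: str


@dataclass
class Broker:
    ip: str
    registered: dict = field(default_factory=dict)  # executor name -> Host
    trace: list = field(default_factory=list)       # exchanged messages, in order

    def register(self, executor: Host) -> str:
        """Steps 1-2: the executor opens a permanent outbound TCP connection to
        the broker and gets back the address it should advertise to the matchmaker."""
        self.registered[executor.name] = executor
        self.trace.append(f"{executor.name} -> GCB: REGISTER (persistent connection)")
        return self.ip  # the executor advertises the broker's IP, not its own

    def contact(self, submitter: Host, executor_name: str) -> Connection:
        """Steps 3-5: the submitter contacts the executor via the broker's address."""
        executor = self.registered[executor_name]
        self.trace.append(f"{submitter.name} -> GCB {self.ip}: CONNECT {executor_name}")
        if not submitter.behind_firewall:
            # "Contacting Executor": the broker tells the executor to open the
            # connection itself, outbound through its own firewall (no NAT assumed,
            # so the submitter sees the executor's real address).
            self.trace.append(f"GCB -> {executor.name}: OPEN {submitter.ip}")
            self.trace.append(f"{executor.name} -> {submitter.name}: connect")
            return Connection(executor.name, submitter.name, "reverse", executor.ip)
        # "Acting as Proxy": both ends are private, so the broker relays over the
        # two connections it already holds (assumed rule; the slides only show
        # the outcome). The submitter only ever sees the broker's address.
        self.trace.append(f"GCB: relay {submitter.name} <-> {executor.name}")
        return Connection(submitter.name, "GCB", "relay", self.ip)


def violates_firewall(conn: Connection, hosts: dict) -> bool:
    """True if the connection required a firewalled host to accept inbound traffic."""
    acceptor = hosts.get(conn.acceptor)
    return acceptor is not None and acceptor.behind_firewall


def demo() -> tuple:
    """Run both scenarios against one broker; all addresses are constructed."""
    broker = Broker(ip="123.123.123.123")
    executor = Host("executor", "192.168.2.10", behind_firewall=True)
    public_sub = Host("submitter-public", "123.123.123.7", behind_firewall=False)
    private_sub = Host("submitter-private", "192.168.3.5", behind_firewall=True)
    hosts = {h.name: h for h in (executor, public_sub, private_sub)}

    advertised = broker.register(executor)          # steps 1-2
    c1 = broker.contact(public_sub, "executor")     # reverse connection
    c2 = broker.contact(private_sub, "executor")    # relayed through GCB
    ok = not violates_firewall(c1, hosts) and not violates_firewall(c2, hosts)
    return advertised, c1, c2, ok


if __name__ == "__main__":
    adv, c1, c2, ok = demo()
    print("executor advertises", adv)
    print(c1)
    print(c2)
    print("no firewalled host accepted an inbound connection:", ok)
```

The trace list on the Broker records the message order of each scenario, which is the sequence the numbered arrows on the two slides show.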



GCB Advantages

  • Good connectivity

    • Works with multiple private networks

    • Works with network address translation

  • Don’t need to punch holes in firewall

  • GCB does not need to be run as root

  • No changes to firewall configuration



GCB Disadvantages

  • GCB is a point of failure

    • All communications through GCB, so if GCB fails…

  • Computers behind a firewall share an IP address (of GCB)

    • Makes host-based security difficult

  • Doesn’t work with Kerberos security

  • Can slow down network performance

  • Scalability issues

    • A single GCB server is limited by number of ports available on computer

  • Complex to configure and debug



Now for the Nitty Gritty…



Setting Up GCB

  • Install GCB

  • Configure GCB

  • Configure Condor to use GCB



Install GCB

  • GCB comes with Condor

  • GCB has two programs

    • gcb_broker: The “big brains” of GCB

    • gcb_relay_server: proxy for private net to private net communication

  • GCB was written independently of Condor

    • Can’t read condor_config directly

    • So create environment in condor_config

    • GCB reads from environment



Install GCB

  • GCB should be on computer with no other services

    • GCB can use lots of ports, so avoid port competition with other programs

    • Using GCB can slow down communication, so keeping GCB on its own computer helps speed

  • GCB needs to be on edge of network

    • On public network and private network

    • At least one GCB per private network



Configure GCB

  • To run from condor_master:

    # Specify that you only want the master
    # and the broker running
    DAEMON_LIST = MASTER, GCB_BROKER

    # Define the path to the broker binary
    # for the master to spawn
    GCB_BROKER = $(RELEASE_DIR)/libexec/gcb_broker



Configure GCB

  • GCB expects configuration in environment. Sample:

    # Provide the full path to the gcb_relay_server
    # ($(GCB_RELAY) is assumed to be defined elsewhere in condor_config)
    GCB_BROKER_ENVIRONMENT = GCB_RELAY_SERVER=$(GCB_RELAY)

    # Tell GCB to write all log files into the Condor log
    # directory (appended to the environment set above)
    GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_LOG_DIR=$(LOG)

    # Tell GCB it can connect to private network
    GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_ACTIVE_TO_CLIENT=yes

    # Set public IP address for GCB broker
    GCB_BROKER_ARGS = -i 123.123.123.123

  Note: more configuration options are available. See manual for details.
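How the chained GCB_BROKER_ENVIRONMENT assignments end up as the broker's environment, and what goes wrong when a single `$` is dropped from a reference, can be checked with a small parser. This is an added example written for this page, not Condor's configuration parser: it expands $(NAME) eagerly in file order, which is enough for the self-referencing append pattern on the slide, and the paths in the sample configuration are constructed. The check_config function and the rules it applies are the example's own.

```python
"""Parser for the condor_config fragment on the slides, tracing how the
GCB_BROKER_ENVIRONMENT append idiom builds the broker's environment.

Added example, not Condor's own parser: macros are expanded eagerly, top to
bottom, which is sufficient for the self-referencing append pattern shown.
Paths and addresses in the sample configs are constructed.
"""
import re

MACRO_RE = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_.]*)\)")


def parse_config(text: str) -> dict:
    """Read 'NAME = value' lines, skipping blanks and '#' comments.
    $(NAME) on the right-hand side is replaced by the value seen so far
    (an undefined macro expands to the empty string)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        cfg[name] = MACRO_RE.sub(lambda m: cfg.get(m.group(1), ""), value)
    return cfg


def broker_environment(cfg: dict) -> dict:
    """Split the ';'-separated GCB_BROKER_ENVIRONMENT value into KEY -> VALUE."""
    env = {}
    for entry in cfg.get("GCB_BROKER_ENVIRONMENT", "").split(";"):
        key, sep, val = entry.strip().partition("=")
        if sep:
            env[key.strip()] = val.strip()
    return env


def check_config(cfg: dict) -> list:
    """Return human-readable problems; an empty list means the fragment is consistent.
    The rules are this example's, not Condor's."""
    problems = []
    daemons = cfg.get("DAEMON_LIST", "").replace(" ", "").split(",")
    if "GCB_BROKER" not in daemons:
        problems.append("DAEMON_LIST does not include GCB_BROKER")
    for entry in cfg.get("GCB_BROKER_ENVIRONMENT", "").split(";"):
        entry = entry.strip()
        if entry and "=" not in entry:
            problems.append(f"environment entry without '=': {entry!r}")
    if "GCB_RELAY_SERVER" not in broker_environment(cfg):
        problems.append("GCB_RELAY_SERVER missing: gcb_relay_server path was lost")
    if not cfg.get("GCB_BROKER_ARGS", "").startswith("-i "):
        problems.append("GCB_BROKER_ARGS does not set the public IP with -i")
    return problems


# Constructed config matching the slide, with the $ on every macro reference.
GOOD_CONFIG = """
RELEASE_DIR = /opt/condor
LOG = /var/log/condor
GCB_RELAY = $(RELEASE_DIR)/libexec/gcb_relay_server
DAEMON_LIST = MASTER, GCB_BROKER
GCB_BROKER = $(RELEASE_DIR)/libexec/gcb_broker
# Provide the full path to the gcb_relay_server
GCB_BROKER_ENVIRONMENT = GCB_RELAY_SERVER=$(GCB_RELAY)
# Append: log directory
GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_LOG_DIR=$(LOG)
# Append: allow connections into the private network
GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_ACTIVE_TO_CLIENT=yes
GCB_BROKER_ARGS = -i 123.123.123.123
"""

# Same fragment with one '$' dropped: '(GCB_BROKER_ENVIRONMENT)' is then a
# literal string, so the relay-server setting is silently overwritten.
BAD_CONFIG = GOOD_CONFIG.replace(
    "$(GCB_BROKER_ENVIRONMENT);GCB_LOG_DIR", "(GCB_BROKER_ENVIRONMENT);GCB_LOG_DIR")


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        cfg = parse_config(text)
        print(label, broker_environment(cfg), check_config(cfg))
```

Running it prints the three environment variables for the good fragment and, for the bad one, a malformed entry plus a missing GCB_RELAY_SERVER: the kind of silent misconfiguration that makes GCB "complex to configure and debug".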



Configure Condor to Use GCB

  • In condor_config:

    # Turn on GCB
    NET_REMAP_ENABLE = true
    NET_REMAP_SERVICE = GCB

    # Point to GCB
    NET_REMAP_INAGENT = 123.123.123.123

    # Routing Table
    NET_REMAP_ROUTE = /full/path/gcbroutes


Set Up Routing Table

[Diagram: a public network 123.123.123.* and a private network 192.168.2.*, joined by one GCB broker at 123.123.123.123.]

  Routing Table:

    123.123.123.123/32 GCB
    */0 direct


Set Up Routing Table

[Diagram: a public network 123.123.123.* and two private networks, each 192.168.2.*, each joined to the public network by its own GCB broker (123.123.123.65 and 123.123.123.66).]

  Routing Table:

    123.123.123.65/32 GCB
    123.123.123.66/32 GCB
    */0 direct



Security Implications

  • Hosts in private network look like they share a single IP Address (the address of the GCB broker)

  • If you use host-based security, you can’t distinguish hosts in the private network

  • GCB does not authenticate who it is providing its proxy service for.
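The routing table format from the two preceding slides and the security consequence this slide describes, as one added Python example (not Condor's or GCB's code): parse_routes and route_for implement longest-prefix lookup over a constructed copy of the two-broker gcbroutes table; observed_source, host_based_decision and distinguishable are the example's own model of what a host-based allow list sees when a private host's traffic arrives from its broker's address. The hosts and allow lists are constructed.

```python
"""Route lookup for the gcbroutes table on the slides, plus what a host-based
allow rule sees once a private host is reached through its broker.

Added example: the table format follows the slides; the host addresses, the
allow-list check and the tuple (real_ip, advertised_ip) used to describe a host
are constructed for illustration and are not Condor's security code.
"""
import ipaddress


def parse_routes(text: str) -> list:
    """Parse lines of '<prefix>/<len> <GCB|direct>'; '*/0' is the default route.
    Returns (network, action) pairs sorted longest prefix first."""
    routes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, action = line.split()
        if prefix == "*/0":
            prefix = "0.0.0.0/0"
        routes.append((ipaddress.ip_network(prefix, strict=False), action))
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes


def route_for(routes: list, dest: str) -> str:
    """Longest-prefix match: 'GCB' means go through the broker, 'direct' means connect normally."""
    addr = ipaddress.ip_address(dest)
    for net, action in routes:
        if addr in net:
            return action
    raise LookupError(f"no route for {dest}")


def observed_source(routes: list, broker_ip: str, host: tuple) -> str:
    """Address the receiving side sees for a connection from `host`.
    A host whose advertised address is routed via GCB is reached through the
    broker, so the receiver sees the broker's address instead of the real one."""
    real_ip, advertised_ip = host
    return broker_ip if route_for(routes, advertised_ip) == "GCB" else real_ip


def host_based_decision(allow: list, source_ip: str) -> bool:
    """A host-based allow check: permit if the observed source lies in an allowed network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allow)


def distinguishable(allow: list, routes: list, broker_ip: str, host_a: tuple, host_b: tuple) -> bool:
    """True if the host-based rule can treat the two hosts differently."""
    seen_a = observed_source(routes, broker_ip, host_a)
    seen_b = observed_source(routes, broker_ip, host_b)
    return host_based_decision(allow, seen_a) != host_based_decision(allow, seen_b)


# Constructed copy of the two-broker routing table on the slides.
ROUTES_TEXT = """
123.123.123.65/32 GCB
123.123.123.66/32 GCB
*/0 direct
"""


def demo() -> dict:
    routes = parse_routes(ROUTES_TEXT)
    broker = "123.123.123.65"
    priv_a = ("192.168.2.10", broker)   # private hosts advertise their broker's address
    priv_b = ("192.168.2.11", broker)
    pub_a = ("123.123.123.7", "123.123.123.7")
    pub_b = ("123.123.123.8", "123.123.123.8")
    return {
        # Allowing one private host by its real address: both are denied (same source).
        "private_by_real_ip": distinguishable(["192.168.2.10/32"], routes, broker, priv_a, priv_b),
        # Allowing the broker's address: both are allowed, again indistinguishable.
        "private_by_broker_ip": distinguishable(["123.123.123.65/32"], routes, broker, priv_a, priv_b),
        # Public hosts connect directly, so a host-based rule still separates them.
        "public": distinguishable(["123.123.123.7/32"], routes, broker, pub_a, pub_b),
    }


if __name__ == "__main__":
    print(demo())
```

The two private entries come out False and the public one True: once the table sends traffic for a broker address through GCB, a host-based policy can only decide about the broker as a whole, which is why the slide recommends not relying on host-based security for hosts behind it.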



More Information

  • Section 3.8 of the Condor manual “Networking”

  • http://www.cs.wisc.edu/~sschang/firewall/gcb

    Thank You!!!
