
GCB Tutorial OGF 2007


Presentation Transcript


  1. GCB Tutorial, OGF 2007

  2. What is GCB? • GCB is the Generic Connection Broker • Included in Condor 6.7.13 (Nov 2005) and later • Linux-only • It solves the “firewall traversal problem” • So what is the firewall traversal problem?

  3. Communication is initiated in two directions (diagram: A Simple Condor Pool, with Matchmaker, Executor and Submitter) Note: This is a subset of communication in Condor

  4. What If There Is A Firewall? • Firewalls usually block incoming traffic on most ports • “Incoming” depends on your perspective: • Organizations have firewalls to protect from computers outside the organization • Individual computers have firewalls to protect from other computers

  5. A Condor Pool With Firewall (diagram: Matchmaker, Executor and Submitter; the connections blocked by the firewall are marked X)

  6. How Can You Traverse Firewalls? • Punch a hole • Configure firewall to allow traffic on a certain range of ports to come through • Tell Condor to restrict itself to use only this range • Bummer: Condor can use many ports • Bummer: Punching holes makes people nervous

  7. How Can You Traverse Firewalls? • Use Condor-C • Put host on network edge • Open a couple of ports for it • Delegate jobs to this host (diagram: Matchmaker, Executor, Re-Submitter, Submitter)

  8. How Can You Traverse Firewalls? • Change Condor to always use outgoing traffic • What if there are two firewalls or private networks? • Which direction is “outgoing”? • GCB automates this solution • It knows which direction is outgoing • It can proxy if there are two firewalls

  9. GCB: Contacting Executor (One Possible Scenario) (diagram: GCB, Matchmaker, Executor, Submitter; steps numbered 1-5)
     1. Executor registers with GCB (permanent TCP connection)
     2. Executor advertises to matchmaker (GCB IP address)
     3. After match, submitter contacts executor, via GCB
     4. GCB tells executor to open connection
     5. Executor opens connection to submitter

  10. GCB (Acting as Proxy) (diagram: GCB, Matchmaker, Executor, Submitter; steps numbered 1-5)
     1. Assume 1 port open for matchmaker. (Can avoid…)
     2. Executor registers with GCB (permanent connection)
     3. Executor advertises to matchmaker (GCB IP address)
     4. After match, submitter contacts executor, via GCB
     5. Communication flows through GCB, using both connections
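The two scenarios on slides 9 and 10 as a small constructed model, added here and not GCB's own code: the Firewall, Broker and Host names and the "direct"/"proxy" results are my assumptions. It shows why a direct inbound connection into the private network fails, why the brokered connection (executor connects outbound after the broker's request) succeeds, and when the broker must fall back to relaying over both permanent connections.

```python
from collections import namedtuple

# Constructed model of the exchange on slides 9 and 10; not GCB's own code.
PUBLIC, PRIVATE_A, PRIVATE_B = "public", "private-A", "private-B"
Host = namedtuple("Host", "name net")

class Firewall:
    """Blocks inbound connections into a private network, allows outbound."""
    def allows(self, src_net, dst_net):
        # Into the public network: always. Into a private network: only
        # from a host already on that same private network.
        return dst_net == PUBLIC or src_net == dst_net

class Broker:
    """GCB broker on the public network (123.123.123.123 in the slides)."""
    def __init__(self, firewall):
        self.fw = firewall
        self.registered = {}  # name -> host holding a permanent outbound conn

    def register(self, host):
        # Slide 9 step 1: the executor itself opens the permanent connection,
        # outbound from its private network, so the firewall permits it.
        if not self.fw.allows(host.net, PUBLIC):
            raise PermissionError(f"{host.name} cannot reach the broker")
        self.registered[host.name] = host

    def connect(self, submitter, target_name):
        # Step 3: the submitter contacts the executor at the broker's address.
        target = self.registered[target_name]
        # Step 4: broker tells the executor, over the registered connection,
        # to open a connection to the submitter (step 5, outbound again).
        if self.fw.allows(target.net, submitter.net):
            return "direct"
        # Slide 10: the submitter is behind its own firewall, so neither side
        # can reach the other; relay traffic over both permanent connections.
        if submitter.name not in self.registered:
            raise PermissionError(f"{submitter.name} has no broker connection")
        return "proxy"

def run_scenarios():
    fw = Firewall()
    broker = Broker(fw)
    broker.register(Host("executor", PRIVATE_A))
    broker.register(Host("submitter-priv", PRIVATE_B))
    return {
        "direct_inbound_blocked": not fw.allows(PUBLIC, PRIVATE_A),
        "public_submitter": broker.connect(Host("submitter-pub", PUBLIC), "executor"),
        "private_submitter": broker.connect(Host("submitter-priv", PRIVATE_B), "executor"),
    }
```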

  11. GCB Advantages • Good connectivity • Works with multiple private networks • Works with network address translation • Don’t need to punch holes in firewall • GCB does not need to be run as root • No changes to firewall configuration

  12. GCB Disadvantages • GCB is a point of failure • All communications through GCB, so if GCB fails… • Computers behind a firewall share an IP address (of GCB) • Makes host-based security difficult • Doesn’t work with Kerberos security • Can slow down network performance • Scalability issues • A single GCB server is limited by number of ports available on computer • Complex to configure and debug

  13. Now for the Nitty Gritty…

  14. Setting Up GCB • Install GCB • Configure GCB • Configure Condor to use GCB

  15. Install GCB • GCB comes with Condor • GCB has two programs • gcb_broker: The “big brains” of GCB • gcb_relay_server: proxy for private net to private net communication • GCB was written independently of Condor • Can’t read condor_config directly • So create environment in condor_config • GCB reads from environment

  16. Install GCB • GCB should be on computer with no other services • GCB can use lots of ports, so avoid port competition with other programs • Using GCB can slow down communication, so keeping GCB on its own computer helps speed • GCB needs to be on edge of network • On public network and private network • At least one GCB per private network

  17. Configure GCB • To run from condor_master:
       # Specify that you only want the master
       # and the broker running
       DAEMON_LIST = MASTER, GCB_BROKER
       # Define the path to the broker binary
       # for the master to spawn
       GCB_BROKER = $(RELEASE_DIR)/libexec/gcb_broker

  18. Configure GCB • GCB expects configuration in environment. Sample:
       # Provide the full path to the gcb_relay_server
       GCB_BROKER_ENVIRONMENT = GCB_RELAY_SERVER=$(GCB_RELAY)
       # Tell GCB to write all log files into the Condor log
       # directory
       GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_LOG_DIR=$(LOG)
       # Tell GCB it can connect to private network
       GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_ACTIVE_TO_CLIENT=yes
       # Set public IP address for GCB broker
       GCB_BROKER_ARGS = -i 123.123.123.123
     Note: more configuration options are available. See manual for details

  19. Configure Condor to Use GCB • In condor_config:
       # Turn on GCB
       NET_REMAP_ENABLE = true
       NET_REMAP_SERVICE = GCB
       # Point to GCB
       NET_REMAP_INAGENT = 123.123.123.123
       # Routing Table
       NET_REMAP_ROUTE = /full/path/gcbroutes

  20. Set Up Routing Table (diagram: Public Network 123.123.123.*, Private Network 192.168.2.*, GCB Broker 123.123.123.123)
     Routing Table:
       123.123.123.123/32 GCB
       */0 direct

  21. Set Up Routing Table (diagram: Public Network 123.123.123.*, two Private Networks 192.168.2.*, GCB Broker 123.123.123.65 and GCB Broker 123.123.123.66)
     Routing Table:
       123.123.123.65/32 GCB
       123.123.123.66/32 GCB
       */0 direct
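A route lookup over a table in the format of slides 20 and 21, as an added example rather than Condor's own gcbroutes parser: the sample table is constructed from slide 21, and the comment syntax, the first-matching-line rule and the check that the table ends in a catch-all */0 route are my assumptions. It shows which destinations a Condor daemon would reach via GCB and which it would contact directly.

```python
import ipaddress

# Constructed sample in the format of slide 21 (two brokers, two private
# networks); the comment syntax and first-match rule are my assumptions.
SAMPLE_ROUTES = """\
# route these broker addresses through GCB, everything else direct
123.123.123.65/32 GCB
123.123.123.66/32 GCB
*/0 direct
"""

def parse_routes(text):
    """Parse 'prefix/bits action' lines into (network, action) pairs."""
    routes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        prefix, action = line.split()
        if action not in ("GCB", "direct"):
            raise ValueError(f"unknown route action: {action!r}")
        net_str, bits = prefix.split("/")
        if net_str == "*":                      # '*/0' is the default route
            net_str = "0.0.0.0"
        network = ipaddress.ip_network(f"{net_str}/{bits}", strict=False)
        routes.append((network, action))
    return routes

def lookup(routes, addr):
    """Return the action of the first route whose prefix contains addr."""
    ip = ipaddress.ip_address(addr)
    for network, action in routes:
        if ip in network:
            return action
    raise LookupError(f"no route for {addr}")

def check_table(text):
    """Parse and require a trailing catch-all, so no peer is left unroutable."""
    routes = parse_routes(text)
    if not routes or routes[-1][0].prefixlen != 0:
        raise ValueError("routing table has no */0 default route")
    return routes
```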

  22. Security Implications • Hosts in private network look like they share a single IP Address (the address of the GCB broker) • If you use host-based security, you can’t distinguish hosts in the private network • GCB does not authenticate who it is providing its proxy service for.

  23. More Information • Section 3.8 of the Condor manual “Networking” • http://www.cs.wisc.edu/~sschang/firewall/gcb Thank You!!!
