GCB Tutorial - PowerPoint PPT Presentation

PowerPoint Slideshow about ' GCB Tutorial' - vance-pace
Presentation Transcript

What is GCB?

  • GCB is the Generic Connection Broker

    • Included in Condor 6.7.13 (Nov 2005) and later

    • Linux-only

  • It solves the “firewall traversal problem”

  • So what is the firewall traversal problem?


A Simple Condor Pool

  (Diagram: Matchmaker, Executor and Submitter; communication is initiated in two directions.)

  Note: This is a subset of communication in Condor


What If There Is A Firewall?

  • Firewalls usually block incoming traffic on most ports

  • “Incoming” depends on your perspective:

    • Organizations have firewalls to protect from computers outside the organization

    • Individual computers have firewalls to protect from other computers


A Condor Pool With Firewall

  (Diagram: Matchmaker, Executor and Submitter; X marks a connection blocked by the firewall.)


How Can You Traverse Firewalls?

  • Punch a hole

    • Configure firewall to allow traffic on certain ports to come through

    • Condor can use many ports

    • Punching holes is a security risk and makes people nervous


How Can You Traverse Firewalls?

  • Use Condor-C

  • Put host on network edge

  • Open a couple of ports for it

  • Delegate jobs to this host

  (Diagram: Matchmaker, Executor, Re-Submitter and Submitter.)


How Can You Traverse Firewalls?

  • Change Condor to always use outgoing traffic

    • What if there are two firewalls or private networks?

    • Which direction is “outgoing”?

  • GCB automates this solution

    • It knows which direction is outgoing

    • It can proxy if there are two firewalls


GCB: Contacting Executor (One Possible Scenario)

  (Diagram: GCB, Matchmaker, Executor and Submitter, with the numbered steps below.)

  1. Executor registers with GCB (permanent TCP connection)

  2. Executor advertises to matchmaker (GCB IP address)

  3. After match, submitter contacts executor, via GCB

  4. GCB tells executor to open connection

  5. Executor opens connection to submitter


GCB (Acting as Proxy)

  (Diagram: GCB, Matchmaker, Executor and Submitter, with the numbered steps below.)

  1. Assume 1 port open for matchmaker. (Can avoid…)

  2. Executor advertises with GCB (permanent connection)

  3. Executor advertises to matchmaker (GCB IP address)

  4. After match, submitter contacts executor, via GCB

  5. Communication flows through GCB, using both connections

  Note: Can avoid firewall hole by setting up second GCB


GCB Advantages

  • Good connectivity

    • Works with multiple private networks

    • Works with network address translation

  • Don’t need to punch holes in firewall

  • GCB does not need to be run as root

  • No changes to firewall configuration


GCB Disadvantages

  • GCB is a point of failure

    • All communications through GCB, so if GCB fails…

  • Computers behind a firewall share an IP address (of GCB)

    • Makes host-based security difficult

  • Doesn’t work with Kerberos security

  • Can slow down network performance

  • Scalability issues

    • A single GCB server is limited by number of ports available on computer

  • Complex to configure and debug



Setting Up GCB

  • Install GCB

  • Configure GCB

  • Configure Condor to use GCB


Install GCB

  • GCB comes with Condor

  • GCB has two programs

    • gcb_broker: The “big brains” of GCB

    • gcb_relay_server: proxy for private net to private net communication

  • GCB was written independently of Condor

    • Can’t read condor_config directly

    • So create environment in condor_config

    • GCB reads from environment


Install GCB

  • GCB should be on computer with no other services

    • GCB can use lots of ports, so avoid port competition with other programs

    • Using GCB can slow down communication, so keeping GCB on its own computer helps speed

  • GCB needs to be on edge of network

    • On public network and private network

    • At least one GCB per private network


Configure GCB

  • To run from condor_master:

    # Specify that you only want the master
    # and the broker running
    DAEMON_LIST = MASTER, GCB_BROKER

    # Define the path to the broker binary
    # for the master to spawn
    GCB_BROKER = $(RELEASE_DIR)/libexec/gcb_broker


Configure GCB

  • GCB expects configuration in environment. Sample:

    # Start from an empty environment, then append settings
    GCB_BROKER_ENVIRONMENT =

    # Provide the full path to the gcb_relay_server
    GCB_BROKER_ENVIRONMENT = GCB_RELAY_SERVER=$(GCB_RELAY)

    # Tell GCB to write all log files into the Condor log
    # directory
    GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_LOG_DIR=$(LOG)

    # Tell GCB it can connect to private network
    GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_ACTIVE_TO_CLIENT=yes

    # Set public IP address for GCB broker
    GCB_BROKER_ARGS = -i 123.123.123.123

Note: more configuration options are available. See manual for details



Configure Condor to Use GCB

  • In condor_config:

    # Turn on GCB
    NET_REMAP_ENABLE = true
    NET_REMAP_SERVICE = GCB

    # Point to GCB
    NET_REMAP_INAGENT = 123.123.123.123

    # Routing Table
    NET_REMAP_ROUTE = /full/path/gcbroutes


Set Up Routing Table

  (Diagram: public network 123.123.123.* and private network 192.168.2.*, joined by one GCB broker at 123.123.123.123.)

  Routing Table:

    123.123.123.123/32 GCB
    */0 direct


Set Up Routing Table

  (Diagram: public network 123.123.123.* with two private networks, each 192.168.2.*, behind their own GCB broker at 123.123.123.65 and 123.123.123.66.)

  Routing Table:

    123.123.123.65/32 GCB
    123.123.123.66/32 GCB
    */0 direct
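To make the two routing-table slides concrete, here is an added example (not code from the slides or from Condor) that parses a routing table in the format shown, `<address>/<prefix-bits> GCB|direct`, and answers "does a given destination go through GCB or direct?". It assumes `*` means "any address" and that the first matching line wins, which is why the `/32` broker entries must come before the `*/0` default; the sample table is constructed from the two-broker slide.

```python
import ipaddress

# Constructed sample routing table, copied from the two-broker slide.
GCBROUTES = """\
123.123.123.65/32 GCB
123.123.123.66/32 GCB
*/0 direct
"""


def parse_routes(text):
    """Parse gcbroutes text into a list of (network, route) tuples.

    '*' is treated as a wildcard (0.0.0.0), so '*/0' matches everything.
    A malformed line raises ValueError instead of being silently skipped,
    because a silently dropped line changes which hosts are reachable.
    Comment stripping with '#' is this parser's choice, not a documented
    Condor feature.
    """
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[1] not in ("GCB", "direct"):
            raise ValueError(f"gcbroutes line {lineno}: cannot parse {raw!r}")
        addr, route = parts
        if addr.startswith("*/"):
            addr = "0.0.0.0/" + addr[2:]
        routes.append((ipaddress.ip_network(addr, strict=False), route))
    return routes


def route_for(routes, dest):
    """Return 'GCB' or 'direct' for a destination IP (first match wins)."""
    ip = ipaddress.ip_address(dest)
    for net, route in routes:
        if ip in net:
            return route
    # Without a */0 default, a destination can be unroutable; make that loud.
    raise LookupError(f"no route for {dest}; add a */0 default line")


ROUTES = parse_routes(GCBROUTES)

if __name__ == "__main__":
    for host in ("123.123.123.65", "123.123.123.200", "192.168.2.10"):
        print(host, "->", route_for(ROUTES, host))
```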


Security Implications

  • Hosts in private network look like they share a single IP Address (the address of the GCB broker)

  • If you use host-based security, you can’t distinguish hosts in the private network


More Information

  • Section 3.8 of the Condor manual “Networking”

  • http://www.cs.wisc.edu/~sschang/firewall/gcb

