
List:       npaci-rocks-discussion
Subject:    Re: [Rocks-Discuss] Access to license server across compute nodes
From:       "Bart Brashers" <bbrashers () Environcorp ! com>
Date:       2010-08-26 21:09:41
Message-ID: 1B8D1B9BF4DCDC4A90A42E312FF3085204A0374B () irvine01 ! irvine ! environ ! local

Assuming that "raid system" and "external NFS server" are synonyms, you can allow all
traffic from that IP address by using Larry's suggestion.  After reverting to the
original iptables file, just add the line

-A INPUT -s 172.16.255.236  -j ACCEPT

somewhere above the "# Standard rules" section.

For Rocks clusters, you never know what you're going to get when you use some GUI
program to change settings.  These programs often change other stuff, and don't
always read the original setting correctly.  It's far better to simply edit the
settings file and re-start the service.

Bart
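As an added example (not part of Bart's message, and not anything shipped with Rocks), here is a small read-only checker for an iptables-save style file such as /etc/sysconfig/iptables. It reads the saved rules, never the live firewall, and reports whether the pieces discussed in this thread are in place: the MASQUERADE rule on the public interface, a FORWARD ACCEPT for packets entering from the private side, the draconian drop-all line still commented out, and an INPUT ACCEPT by source address for a trusted host such as the NAS. It assumes the Rocks convention used in the thread (eth0 private, eth1 public); the function names table_rules and check_rules and the embedded sample file are my own constructions.

```shell
#!/bin/sh
# Added example, not from the thread or from Rocks: read-only sanity checks on
# an iptables-save style file (e.g. /etc/sysconfig/iptables on a Rocks
# frontend).  Assumes the convention used in the thread: eth0 is the private
# cluster interface, eth1 faces the public LAN.

# Constructed sample file, modelled on the one quoted in the thread, with the
# "-A INPUT -s <nas-ip> -j ACCEPT" line Bart suggests added near the top.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 172.16.255.236 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 172.16.255.236 -i eth0 -j ACCEPT
-A FORWARD -d 172.16.255.236 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# For a draconian "drop-all" firewall, uncomment the line below.
#-A INPUT -j DROP
COMMIT'

# table_rules TABLE < FILE : print the rule lines of one table (nat, filter),
# dropping comments and the ":CHAIN POLICY [n:m]" counter lines.
table_rules() {
    awk -v want="$1" '
        /^\*/     { cur = substr($0, 2); next }
        /^COMMIT/ { cur = ""; next }
        cur == want && $0 !~ /^[#:]/ { print }
    '
}

# check_rules FILE [TRUSTED_IP] : one PASS/FAIL line per check; returns 1 if
# any check fails.  TRUSTED_IP is a host (such as the NAS) that must be
# allowed through INPUT even though the chain policy is DROP.
check_rules() {
    rules_file=$1
    trusted_ip=$2
    rc=0
    nat=$(table_rules nat < "$rules_file")
    filter=$(table_rules filter < "$rules_file")

    # 1. Compute-node traffic leaving on the public interface must be masqueraded.
    if printf '%s\n' "$nat" | grep -q -- '^-A POSTROUTING -o eth1 -j MASQUERADE'; then
        echo "PASS nat: MASQUERADE on eth1 present"
    else
        echo "FAIL nat: missing '-A POSTROUTING -o eth1 -j MASQUERADE'"; rc=1
    fi

    # 2. FORWARD policy is DROP, so packets entering from the private side need
    #    an explicit ACCEPT or nothing from the compute nodes gets out.
    if printf '%s\n' "$filter" | grep -q -- '^-A FORWARD .*-i eth0 .*-j ACCEPT'; then
        echo "PASS filter: FORWARD ACCEPT for traffic entering on eth0"
    else
        echo "FAIL filter: no FORWARD ACCEPT rule for packets entering on eth0"; rc=1
    fi

    # 3. The drop-all line must stay commented out; once active it shadows every
    #    INPUT rule appended after it.
    if printf '%s\n' "$filter" | grep -q -- '^-A INPUT -j DROP'; then
        echo "FAIL filter: '-A INPUT -j DROP' is active"; rc=1
    else
        echo "PASS filter: drop-all line not active"
    fi

    # 4. Optional: the trusted host needs an INPUT ACCEPT keyed on its address.
    if [ -n "$trusted_ip" ]; then
        ip_re=$(printf '%s' "$trusted_ip" | sed 's/\./\\./g')
        if printf '%s\n' "$filter" | grep -q -- "^-A INPUT -s $ip_re  *-j ACCEPT"; then
            echo "PASS filter: INPUT ACCEPT for $trusted_ip"
        else
            echo "FAIL filter: no '-A INPUT -s $trusted_ip -j ACCEPT'"; rc=1
        fi
    fi
    return $rc
}

# Run the checks against the constructed sample.  On a frontend, point it at
# the real file instead: check_rules /etc/sysconfig/iptables 172.16.255.236
sample=$(mktemp /tmp/rules.XXXXXX)
printf '%s\n' "$SAMPLE_RULES" > "$sample"
check_rules "$sample" 172.16.255.236
rm -f "$sample"
```

Run it against the saved file before a "service iptables restart"; a FAIL line names the rule that a GUI tool or an iptables-save overwrite has dropped, without diffing the whole file. It inspects the file only, so it says nothing about what the kernel currently has loaded; compare with the live iptables-save output if the two might differ.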

> The extra ip address 172.16.255.236 is there to attach a raid system.
> We had to be able to have the raid system mounted on the head node and
> the compute nodes.  We also had to have this raid system available to
> mount on a room full of Macs.  The raid system is using an internal
> link to the cluster and another network link to the rest of the
> network.
> 
> I don't remember where the 128.148.124.210 or 128.148.19.206 entries
> were added.
> 
> From the Mac systems:
> map -static            0          0         0   100%    /Volumes/bigdisk1
> 
> On the cluster
> nas-0-0:/bigdisk1    7240091520 1795657408 5444434112  25% /bigdisk1
> 
> 172.16.255.236	nas-0-0.local nas-0-0 NULL0-0
> 
> I will try
> 
> # cd /etc/sysconfig
> # cp iptables iptables.not.natting
> # co iptables
> 
> editing the information about bigdisk back in and then restarting the
> iptables in the morning.
> 
> Thanks for all the information so far.  I am always learning from you all.
> 
> 
> 
> On Thu, Aug 26, 2010 at 4:08 PM, Bart Brashers
> <bbrashers@environcorp.com> wrote:
> > Looks like you used /sbin/iptables-save to over-write your original
> > file.  Not sure why you have a couple of hard-coded IP addresses in there
> > either.
> > 
> > See if your original copy is in the file
> > "/etc/sysconfig/RCS/iptables,v".  Except for some header lines, that should
> > contain the original.  You might consider doing this:
> > 
> > # cd /etc/sysconfig
> > # cp iptables iptables.not.natting
> > # co iptables
> > 
> > Then edit /etc/sysconfig/iptables by hand, to include the lines you need
> > for the hard-coded IPs.  There must be some reason why those are
> > there.  After the edit, a "service iptables restart" will re-read the file.
> > 
> > Bart
> > 
> > > On Thu, Aug 26, 2010 at 3:19 PM, Tim Carlson <tim.carlson@pnl.gov> wrote:
> > > > On Thu, 26 Aug 2010, Bart Brashers wrote:
> > > > 
> > > > All Rocks clusters (back to at least 3.0) do NAT forwarding. The lines
> > > > you need are (on the head node)
> > > > 
> > > > *nat
> > > > -A POSTROUTING -o eth1 -j MASQUERADE
> > > > COMMIT
> > > > 
> > > > Sounds like you turned this off at some point.
> > > 
> > > I have this line in the iptables
> > > 
> > > # Generated by iptables-save v1.2.11 on Fri Apr 10 14:16:36 2009
> > > *nat
> > > :PREROUTING ACCEPT [31:4042]
> > > :POSTROUTING ACCEPT [4:273]
> > > :OUTPUT ACCEPT [5:389]
> > > -A POSTROUTING -o eth1 -j MASQUERADE
> > > COMMIT
> > > # Completed on Fri Apr 10 14:16:36 2009
> > > # Generated by iptables-save v1.2.11 on Fri Apr 10 14:16:36 2009
> > > *filter
> > > :INPUT DROP [20:3401]
> > > :FORWARD DROP [0:0]
> > > :OUTPUT ACCEPT [622:199195]
> > > -A INPUT -i lo -j ACCEPT
> > > -A INPUT -i eth0 -j ACCEPT
> > > -A INPUT -i ib0 -j ACCEPT
> > > -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
> > > -A FORWARD -d 128.148.19.206 -i eth0 -p tcp -j ACCEPT
> > > -A FORWARD -d 128.148.124.210 -i eth0 -p tcp -j ACCEPT
> > > -A FORWARD -s 128.148.19.206 -i eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A FORWARD -s 128.148.124.210 -i eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A FORWARD -s 172.16.255.236 -i eth0 -j ACCEPT
> > > -A FORWARD -d 172.16.255.236 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > COMMIT
> > > # Completed on Fri Apr 10 14:16:36 2009
> > > 
> > > > 
> > > > Tim
> > > > 
> > > > > I don't know if in Rocks 4.2 the frontend acted as a router for the
> > > > > compute nodes.  Check the contents of /etc/sysconfig/iptables.  It should
> > > > > have lines like this:
> > > > > 
> > > > > # Preamble
> > > > > -A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > > > > ...snip...
> > > > > # For a draconian "drop-all" firewall, uncomment the line below.
> > > > > #-A INPUT -j DROP
> > > > > 
> > > > > That is, the first line in the Preamble section sets up NAT, and make
> > > > > sure the draconian firewall that shuts off everything coming in from your
> > > > > local public LAN is NOT turned on.
> > > > > 
> > > > > Bart
> > > > > 
> > > > > > I tried Tim's suggestion, but I have an older version of ROCKS running
> > > > > > on this particular cluster.  4.2 Rocks, I believe.
> > > > > > 
> > > > > > I added the server's name and ip address to the /etc/hosts tables on
> > > > > > the compute nodes and the head nodes.
> > > > > > 
> > > > > > added
> > > > > > /etc/hosts to /var/411/Files.mk
> > > > > > 
> > > > > > rocks report host > /tmp/hosts    did not exist
> > > > > > 
> > > > > > and ran
> > > > > > 
> > > > > > cd /var/411
> > > > > > make
> > > > > > 
> > > > > > The license did not work on the compute nodes.
> > > > > > 
> > > > > > The problem is one that is mentioned by Bart.  I can ping the license
> > > > > > server from the head node.   However, the compute nodes cannot.  The
> > > > > > compute nodes can only ping the head and each other.
> > > > > > 
> > > > > > ping statistics ---
> > > > > > 6 packets transmitted, 0 received, 100% packet loss, time 4999ms
> > > > > > 
> > > > > > 
> > > > > > Any ideas on how to create a tunnel from the compute nodes to the
> > > > > > server?
> > > > > > 
> > > > > > Thanks for all your help
> > > > > > 
> > > > > > 
> > > > > > On Thu, Aug 26, 2010 at 11:56 AM, Bart Brashers
> > > > > > <bbrashers@environcorp.com> wrote:
> > > > > > > Alternatively, you could add the license server to
> > > > > > > /var/named/rocks.domain.local and restart the named service.
> > > > > > > 
> > > > > > > Or, if some external DNS server is really responsible for that
> > > > > > > record, add that DNS server's IP as a forwarder in /etc/named.conf.  Like so:
> > > > > > > 
> > > > > > > options {
> > > > > > > directory "/var/named";
> > > > > > > dump-file "/var/named/data/cache_dump.db";
> > > > > > > statistics-file "/var/named/data/named_stats.txt";
> > > > > > > forwarders { 192.168.0.11; };
> > > > > > > };
> > > > > > > 
> > > > > > > where 192.168.0.11 is your external (non-Rocks) DNS server.
> > > > > > > 
> > > > > > > First, try to ping the license server from the frontend, then from a
> > > > > > > compute node.  That will prove first that the license server will
> > > > > > > answer pings, and second that you have a route from the compute nodes
> > > > > > > to the license server.
> > > > > > > 
> > > > > > > Bart
> > > > > > > 
> > > > > > > > No. This should just work from the compute nodes as long as they can
> > > > > > > > resolve the license server. If there is a DNS resolution problem, then
> > > > > > > > you can add the license server to the /etc/hosts.local file and add
> > > > > > > > /etc/hosts to /var/411/Files.mk
> > > > > > > > 
> > > > > > > > The exact procedure is
> > > > > > > > 
> > > > > > > > 1) Edit /etc/hosts.local and add the license server
> > > > > > > > 2) Remake the /etc/hosts file (I'll assume the latest version of rocks)
> > > > > > > > 
> > > > > > > > rocks report host > /tmp/hosts
> > > > > > > > (inspect /tmp/hosts to make sure it is correct)
> > > > > > > > mv /tmp/hosts /etc/hosts
> > > > > > > > 
> > > > > > > > 3) Verify the license server is now listed in /etc/hosts and then
> > > > > > > > push out this file via 411
> > > > > > > > 
> > > > > > > > cd /var/411
> > > > > > > > make
> > > > > > > > 
> > > > > > > > Tim
> > > > > > > > 
> > > > > > > > > Some license servers allow a proxy server.
> > > > > > > > > Maybe you need to see whether your frontend can be a license proxy server.
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > On 8/26/2010 9:27 AM, Doll, Margaret Ann wrote:
> > > > > > > > > > I have a software license on a Unix system outside the computer
> > > > > > > > > > cluster.
> > > > > > > > > > 
> > > > > > > > > > I can use the software on the head node of the cluster.  It can
> > > > > > > > > > see the license through ports 1718 and 1719.
> > > > > > > > > > 
> > > > > > > > > > The compute nodes, however, cannot connect through the head node
> > > > > > > > > > to the outside server.  Is there a way to open the ports on the head
> > > > > > > > > > node to allow the connection?
> > > > > > > 
> > > > > > > 
> > > > > > > This message contains information that may be confidential, privileged
> > > > > > > or otherwise protected by law from disclosure. It is intended for the
> > > > > > > exclusive use of the Addressee(s). Unless you are the addressee or
> > > > > > > authorized agent of the addressee, you may not review, copy, distribute
> > > > > > > or disclose to anyone the message or any information contained within.
> > > > > > > If you have received this message in error, please contact the sender
> > > > > > > by electronic reply to email@environcorp.com and immediately delete all
> > > > > > > copies of the message.
> > > > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > 
> > 
> > 

