GCB Tutorial
European Condor Week, June 2006
INFN, Milan, Italy
Todd Tannenbaum, Condor Team
http://www.cs.wisc.edu/condor

What is GCB?
› GCB is the Generic Connection Broker
  Included in Condor 6.7.13 (Nov 2005) and later
  Linux-only
› It solves the “firewall traversal problem”
› So what is the firewall traversal problem?

A Simple Condor Pool
[Diagram: Matchmaker, Submitter and Executor, with connections between them]
› Communication is initiated in two directions
› Note: This is a subset of communication in Condor

What If There Is A Firewall?
› Firewalls usually block incoming traffic on most ports
› “Incoming” depends on your perspective
  Organizations have firewalls to protect from computers outside the organization
  Individual computers have firewalls to protect from other computers

A Condor Pool With Firewall
[Diagram: Matchmaker, Submitter and Executor; the two connections blocked by the firewall are marked X]

How Can You Traverse Firewalls?
› Punch a hole
  Configure firewall to allow traffic on a certain range of ports to come through
  Tell Condor to restrict itself to use only this range
  Bummer: Condor can use many ports
  Bummer: Punching holes makes people nervous

How Can You Traverse Firewalls?
› Use Condor-C
  [Diagram: Matchmaker, Submitter, Re-Submitter (on the network edge) and Executor]
  Put host on network edge
  Open a couple of ports for it
  Delegate jobs to this host

How Can You Traverse Firewalls?
› Change Condor to always use outgoing traffic
  What if there are two firewalls or private networks? Which direction is “outgoing”?
› GCB automates this solution
  It knows which direction is outgoing
  It can proxy if there are two firewalls

GCB: Contacting Executor (One Possible Scenario)
[Diagram: Matchmaker, Submitter, Executor and GCB, with arrows numbered 1 to 5]
1. Executor registers with GCB (permanent TCP connection)
2. Executor advertises to matchmaker (GCB IP address)
3. After match, submitter contacts executor, via GCB
4. GCB tells executor to open connection
5. Executor opens connection to submitter

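The five-step connect-back sequence above, as an added illustration that is not code from the tutorial or from GCB itself. Three roles run as threads on localhost: the broker and the submitter listen, the executor only ever makes outgoing connections, which is exactly what makes the pattern work for a host behind a firewall that drops inbound traffic. The text messages REGISTER, CONNECT and CONNECT_BACK are a constructed stand-in for GCB's real wire protocol, and the function and role names are mine.

```python
import socket
import threading

# Added illustration of the connect-back sequence (steps 1, 3, 4, 5 of the
# slide; step 2, advertising to the matchmaker, is out of scope here).
# REGISTER / CONNECT / CONNECT_BACK are constructed messages, not GCB's own
# protocol.  Every socket gets a timeout so a broken step fails instead of hanging.

HOST = "127.0.0.1"


def _recv_line(sock):
    """Read one newline-terminated text line from a blocking socket."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode().strip()


def run_broker(listener, result):
    """Broker side of steps 1, 3 and 4: hold the executor's registration socket
    open, and when a submitter asks for that executor, pass the submitter's
    address down that held socket so the executor can call back."""
    registered = {}                      # executor name -> its permanent socket
    for _ in range(2):                   # this demo serves one REGISTER, then one CONNECT
        conn, _addr = listener.accept()
        verb, _, rest = _recv_line(conn).partition(" ")
        if verb == "REGISTER":           # step 1: executor registers
            registered[rest] = conn      # keep it open: this is the callback channel
            conn.sendall(b"OK\n")
        elif verb == "CONNECT":          # step 3: submitter contacts executor via GCB
            name, host, port = rest.split()
            registered[name].sendall(f"CONNECT_BACK {host} {port}\n".encode())  # step 4
            conn.sendall(b"OK\n")
            conn.close()
    result["registered"] = sorted(registered)


def run_executor(broker_port, name, ready):
    """Executor side: register, then wait to be told whom to call back."""
    broker = socket.create_connection((HOST, broker_port))
    broker.sendall(f"REGISTER {name}\n".encode())
    if _recv_line(broker) != "OK":
        raise RuntimeError("broker refused registration")
    ready.set()                          # registration done; the submitter may proceed
    verb, host, port = _recv_line(broker).split()   # blocks until step 4 arrives
    if verb != "CONNECT_BACK":
        raise RuntimeError(f"unexpected broker message {verb!r}")
    out = socket.create_connection((host, int(port)))   # step 5: outgoing only
    out.sendall(f"HELLO from {name}\n".encode())
    out.close()
    broker.close()


def run_submitter(broker_port, name, result):
    """Submitter side: listen (it sits on the reachable side), ask the broker
    for the executor, then accept the executor's call-back."""
    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen(1)
    my_port = listener.getsockname()[1]
    broker = socket.create_connection((HOST, broker_port))
    broker.sendall(f"CONNECT {name} {HOST} {my_port}\n".encode())
    if _recv_line(broker) != "OK":
        raise RuntimeError("broker could not reach executor")
    broker.close()
    conn, _peer = listener.accept()      # the executor's connection lands here
    result["received"] = _recv_line(conn)
    conn.close()
    listener.close()


def demo(executor_name="exec-private-1"):
    """Run the whole exchange once and return what the broker and submitter saw."""
    socket.setdefaulttimeout(5.0)
    broker_listener = socket.socket()
    broker_listener.bind((HOST, 0))
    broker_listener.listen(2)
    broker_port = broker_listener.getsockname()[1]
    result, ready = {}, threading.Event()
    threads = [
        threading.Thread(target=run_broker, args=(broker_listener, result), daemon=True),
        threading.Thread(target=run_executor, args=(broker_port, executor_name, ready), daemon=True),
    ]
    for t in threads:
        t.start()
    ready.wait(5.0)                      # executor must be registered before step 3
    submitter = threading.Thread(target=run_submitter,
                                 args=(broker_port, executor_name, result), daemon=True)
    submitter.start()
    for t in threads + [submitter]:
        t.join(10.0)
    broker_listener.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Note what the broker never does: it does not check who is registering as "exec-private-1" or who is asking to reach it. That is the property the "Security Implications" slide later calls out, and it is why the broker's registration channel deserves the same scrutiny as any other unauthenticated service on the network edge.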
GCB (Acting as Proxy)
[Diagram: Matchmaker, Submitter, Executor and GCB, with arrows numbered 1 to 5]
1. Assume 1 port open for matchmaker. (Can avoid…)
2. Executor advertises with GCB (permanent connection)
3. Executor advertises to matchmaker (GCB IP address)
4. After match, submitter contacts executor, via GCB
5. Communication flows through GCB, using both connections

GCB Advantages
› Good connectivity
  Works with multiple private networks
  Works with network address translation
› Don’t need to punch holes in firewall
› GCB does not need to be run as root
› No changes to firewall configuration

GCB Disadvantages
› GCB is a point of failure
  All communications through GCB, so if GCB fails…
› Computers behind a firewall share an IP address (of GCB)
  Makes host-based security difficult
› Doesn’t work with Kerberos security
› Can slow down network performance
› Scalability issues
  A single GCB server is limited by number of ports available on computer
› Complex to configure and debug

Now for the Nitty Gritty…
Setting Up GCB
1. Install GCB
2. Configure GCB
3. Configure Condor to use GCB

Install GCB
› GCB comes with Condor
› GCB has two programs
  gcb_broker: The “big brains” of GCB
  gcb_relay_server: proxy for private net to private net communication
› GCB was written independently of Condor
  Can’t read condor_config directly
  So create environment in condor_config
  GCB reads from environment

Install GCB
› GCB should be on computer with no other services
  GCB can use lots of ports, so avoid port competition with other programs
  Using GCB can slow down communication, so keeping GCB on its own computer helps speed
› GCB needs to be on edge of network
  On public network and private network
  At least one GCB per private network

Configure GCB
› To run from condor_master:

  # Specify that you only want the master
  # and the broker running
  DAEMON_LIST = MASTER, GCB_BROKER

  # Define the path to the broker binary
  # for the master to spawn
  GCB_BROKER = $(RELEASE_DIR)/libexec/gcb_broker

Configure GCB
› GCB expects configuration in environment. Sample:

  # Provide the full path to the gcb_relay_server
  # (GCB_RELAY is assumed to be defined elsewhere in condor_config)
  GCB_BROKER_ENVIRONMENT = GCB_RELAY_SERVER=$(GCB_RELAY)

  # Tell GCB to write all log files into the Condor log
  # directory (each line appends one VAR=value to the ;-separated list)
  GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_LOG_DIR=$(LOG)

  # Tell GCB it can connect to private network
  GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_ACTIVE_TO_CLIENT=yes

  # Set public IP address for GCB broker
  GCB_BROKER_ARGS = -i 123.123.123.123

Note: more configuration options are available. See manual for details.

Configure Condor to Use GCB
› In condor_config:

  # Turn on GCB
  NET_REMAP_ENABLE = true
  NET_REMAP_SERVICE = GCB

  # Point to GCB
  NET_REMAP_INAGENT = 123.123.123.123

  # Routing Table
  NET_REMAP_ROUTE = /full/path/gcbroutes

Set Up Routing Table
[Diagram: Private Network 192.168.2.*, Public Network 123.123.123.*, GCB Broker at 123.123.123.123 on the edge between them]
Routing Table:
  123.123.123.123/32 GCB
  */0 direct

Set Up Routing Table
[Diagram: two Private Networks 192.168.2.*, each behind its own GCB Broker (123.123.123.65 and 123.123.123.66), both on the Public Network 123.123.123.*]
Routing Table:
  123.123.123.65/32 GCB
  123.123.123.66/32 GCB
  */0 direct

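A parser for routing tables in the form the two "Set Up Routing Table" slides show, as an added example that is not part of the tutorial or of Condor's own code. Two things the slides do not state are my assumptions: the first rule that matches in file order wins, and "#" starts a comment. The sample table is constructed to match the two-broker slide, and check_table is an added sanity check for the two mistakes that are easy to make in such a file: a rule shadowed by an earlier, broader one, and a missing */0 catch-all.

```python
import ipaddress

# Constructed sample in the slides' format: "<prefix>/<bits> GCB|direct",
# with "*/0" meaning any address.  Comments ("#") are my addition.
SAMPLE_ROUTES = """\
# hosts behind either private network are reached through their broker
123.123.123.65/32 GCB
123.123.123.66/32 GCB
*/0 direct
"""

ACTIONS = ("GCB", "direct")


def parse_routes(text):
    """Return a list of (network, action) rules in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[1] not in ACTIONS:
            raise ValueError(f"line {lineno}: expected '<prefix>/<bits> GCB|direct', got {raw!r}")
        prefix, action = parts
        if prefix.startswith("*/"):      # "*/0" on the slide: match every address
            prefix = "0.0.0.0/" + prefix[2:]
        rules.append((ipaddress.ip_network(prefix, strict=False), action))
    return rules


def route_for(rules, dest):
    """Decide how to reach dest: the first rule whose network contains it wins
    (assumption: first match in file order, as the slides list specific rules
    before the catch-all)."""
    addr = ipaddress.ip_address(dest)
    for net, action in rules:
        if addr in net:
            return action
    raise LookupError(f"no rule matches {dest}; the table needs a '*/0' catch-all")


def check_table(rules):
    """Report rules that can never match and a missing catch-all."""
    problems = []
    seen = []
    for net, action in rules:
        for earlier, _ in seen:
            if net.subnet_of(earlier):
                problems.append(f"{net} is never reached: {earlier} matches first")
                break
        seen.append((net, action))
    if not any(net.prefixlen == 0 for net, _ in rules):
        problems.append("no '*/0' catch-all rule")
    return problems


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for host in ("123.123.123.65", "123.123.123.66", "123.123.123.70", "192.168.2.9"):
        print(host, "->", route_for(table, host))
    print("problems:", check_table(table))
```

Running it against the sample sends the two broker addresses through GCB and everything else, including the public hosts on 123.123.123.*, direct. Putting the */0 line first would silently route the brokers direct as well, which check_table flags.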
Security Implications
› Hosts in private network look like they share a single IP Address (the address of the GCB broker)
› If you use host-based security, you can’t distinguish hosts in the private network
› GCB does not authenticate who it is providing its proxy service for.

More Information
› Section 3.8 of the Condor manual, “Networking”
› http://www.cs.wisc.edu/~sschang/firewall/gcb

Thank You!!!