Flocking to the OSG behind a restrictive Firewall
What you will need before beginning:
- A RHEL 5 or 6 machine with root access.
- The machine needs to have a public IP address, but it does not need many ports open; in fact, only one inbound port is required. Make a note of which port is open.
- An OSG certificate. I know that most people do not like using certificates; actually, no one likes using certificates. Here is the newer, easier place where you can apply for a new(ish) DigiCert certificate. Not sure if it's in production yet.
First, install the EPEL and OSG yum repositories along with yum-priorities:
$ rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
$ yum install yum-priorities -y
$ rpm -Uvh http://repo.grid.iu.edu/osg-el5-release-latest.rpm
Next, we install Condor and the OSG-Condor-Flock packages on the machine. Documentation on setting up a Condor flock is also on the OSG Twiki:
$ yum install condor osg-ca-certs -y
$ yum install --enablerepo=osg-development -y osg-condor-flock
After installing these tools, we need to configure Condor to use our certificate and to flock to our GlideinWMS provider of choice.
First, configure the host to use your certificate. To do this, we make your certificate the 'host' certificate: copy your cert and key to /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem.
Next, we select the GlideinWMS provider to use. This is covered in more depth on the OSG Twiki. You will also need to send your certificate to the OSG gateway provider you have chosen. Both have pages on the OSG OIM with contact information: OSG Gateway; HCC Gateway.
Next, we need to set Condor to use only a single port and specify which port that is. In /etc/condor/config.d/99_osg_flock.conf, add the following lines:
USE_SHARED_PORT = True
SHARED_PORT_ARGS = -p 4080
The port number (given by the argument after -p) can be any port you choose, but it must be the same port you open in the firewall. In iptables, add lines like:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4080 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4080 -j ACCEPT
And that is all you need. Start Condor with 'service condor start', and you're on your way to running on the OSG with only one port open to the world.
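As an added example that is not part of the original post, the shell helpers below render the two config fragments from the steps above (the 99_osg_flock.conf lines and the iptables rules) for a chosen port, and then perform the two checks worth making before starting Condor: that the port in SHARED_PORT_ARGS is the same one the firewall accepts on both tcp and udp, and that hostkey.pem is readable only by its owner. The demo runs on constructed files in a temporary directory, so it needs no root and touches neither /etc/condor nor /etc/grid-security. It assumes bash-compatible sh and GNU coreutils (stat -c), as on RHEL.

```shell
#!/bin/bash
# Added example (not the original post's code): render the config and firewall
# fragments for the shared port, then check that they agree and that the
# private key is not readable by group/other. Assumes GNU coreutils (stat -c).

# Render the /etc/condor/config.d/99_osg_flock.conf lines for a given port.
render_flock_config() {
    printf 'USE_SHARED_PORT = True\nSHARED_PORT_ARGS = -p %s\n' "$1"
}

# Render the two iptables rules (RH-Firewall-1-INPUT chain, as in the post).
render_iptables_rules() {
    printf -- '-A RH-Firewall-1-INPUT -p tcp -m tcp --dport %s -j ACCEPT\n' "$1"
    printf -- '-A RH-Firewall-1-INPUT -p udp -m udp --dport %s -j ACCEPT\n' "$1"
}

# Print the port named in SHARED_PORT_ARGS of a Condor config file;
# return 1 (and print nothing) if the setting is absent.
shared_port_from_config() {
    port=$(sed -n 's/^[[:space:]]*SHARED_PORT_ARGS[[:space:]]*=.*-p[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Return 0 only if the iptables file ACCEPTs the configured port on tcp and udp.
check_firewall_matches_config() {
    cfg="$1"; fw="$2"
    port=$(shared_port_from_config "$cfg") || return 1
    for proto in tcp udp; do
        grep -Eq -- "^-A [^ ]+ -p $proto -m $proto --dport $port -j ACCEPT" "$fw" || return 1
    done
    return 0
}

# Return 0 only if the key file mode is 0400 or 0600 (owner-only access).
check_key_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo on constructed files in a temp dir (no root needed).
demo() {
    tmp=$(mktemp -d)
    cfg="$tmp/99_osg_flock.conf"; fw="$tmp/iptables"; key="$tmp/hostkey.pem"
    render_flock_config 4080 > "$cfg"
    render_iptables_rules 4080 > "$fw"
    : > "$key"; chmod 0400 "$key"          # constructed empty key, correct mode
    check_firewall_matches_config "$cfg" "$fw" && echo "firewall matches config"
    check_key_perms "$key" && echo "hostkey.pem permissions ok"
    # Rules written for a different port must be reported as a mismatch.
    render_iptables_rules 9618 > "$fw"
    check_firewall_matches_config "$cfg" "$fw" || echo "mismatch detected: firewall port differs from SHARED_PORT_ARGS"
    rm -rf "$tmp"
}

demo
```

On a real host you would point check_firewall_matches_config at /etc/condor/config.d/99_osg_flock.conf and /etc/sysconfig/iptables, and check_key_perms at /etc/grid-security/hostkey.pem; the mismatch branch is the one that catches the common mistake of changing the -p argument after the firewall rule was written.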