[gridengine users] Port range when using ssh for qrsh

Christopher Heiny cheiny at synaptics.com
Tue Oct 31 14:58:35 UTC 2017


On Thu, 2017-10-26 at 18:51 -0400, Dj Merrill wrote:
> On 10/26/2017 6:40 PM, Christopher Heiny wrote:
> > The IT department didn't want the workers on a private network, so all
> > the nodes are on the same subnet.  According to InfoSec, that means we
> > need firewalls.
> 
> The firewalls can be set up to allow all traffic between the worker
> nodes, and the shadow masters, on all ports, and block the traffic
> coming in from everywhere else, except for the specific ports you want
> open.  From an HPC perspective, this is fairly normal if you aren't on a
> private network, which is obviously the preferred option.  For a wide
> variety of reasons exceeding qrsh, you'll need all ports open between
> worker nodes.
> 
> Trying to do firewall rules between worker nodes is an exercise in
> futility.
> 
> In other words, all unused ports coming in from outside of the cluster
> should be blocked, but all ports between nodes in the cluster need to be
> open.  It simply isn't practical otherwise.


Another case of "the solution is so obvious you don't see it".  At
least that was the case for me.  Since that particular subnet is
dedicated to the cluster, it looks like setting up a cluster-specific
zone for that subnet with relaxed firewall rules will keep infosec
happy (well, as happy as infosec folks ever are) and let us get our
work done, too.  Thanks to all who replied! 

						Chris
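The layout the thread settles on (one zone that trusts the cluster subnet on every port, everything else dropped except a few listed ports), written out as a firewalld script. This is an added example, not something posted in the thread or shipped with Grid Engine; the subnet 10.20.0.0/24, the zone name "cluster" and the externally exposed ports (SSH plus the Grid Engine default qmaster port 6444) are assumptions to be replaced with the site's own values.

```bash
#!/bin/sh
# Cluster firewalld layout (added example; values below are placeholders).
# Assumes firewalld is installed on each worker node and shadow master.
set -eu

CLUSTER_NET="${CLUSTER_NET:-10.20.0.0/24}"        # dedicated cluster subnet
EXTERNAL_PORTS="${EXTERNAL_PORTS:-22/tcp 6444/tcp}" # SSH and sge_qmaster

# Wrapper so FIREWALL_CMD=echo gives a dry run that only prints the commands.
fw() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

configure_cluster_zone() {
    # Zone "cluster": any packet whose source is in CLUSTER_NET is accepted
    # on every port, which is what qrsh's dynamic port range needs.
    fw --permanent --new-zone=cluster 2>/dev/null || true   # idempotent
    fw --permanent --zone=cluster --set-target=ACCEPT
    fw --permanent --zone=cluster --add-source="$CLUSTER_NET"
}

configure_default_zone() {
    # Traffic from outside the cluster lands in the "drop" zone, where only
    # the explicitly listed ports are opened.
    fw --permanent --set-default-zone=drop
    for p in $EXTERNAL_PORTS; do
        fw --permanent --zone=drop --add-port="$p"
    done
}

apply_rules() {
    configure_cluster_zone
    configure_default_zone
    fw --reload
}

# Only touch the running firewall when invoked as: ./cluster-fw.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it with `FIREWALL_CMD=echo ./cluster-fw.sh --apply` first to review the exact firewall-cmd invocations before applying them on a node.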
