Thursday, September 27, 2012

Flocking to the OSG behind a restrictive Firewall

On many campuses, restrictive firewalls are the name of the game, rather then the exception.  Here at Nebraska, we have the ability to define our own network policies.  But some universities / labs restrict firewall policies.  In this post, I want to talk about how you can still flock to the OSG with only 1 port open to the external world.

What you will need before beginning:
  • A RHEL 5 or 6 machine with root access.
  • The machine needs to have a public IP address, but does not need a lot of ports open.  Actually only needs 1 port open.  Make a note of what port is open.
  • An OSG Certificate: I know that most people do not like using certificates.  Actually, no one likes using certificates.  Here is the newer, easier place you can apply for a new(ish) digi-cert certificate.  Not sure if it's production yet.

First, we will start on the machine as root, we will install the OSG Repos.  The instructions are on the OSG Twiki.  For RHEL 5, here's the short instructions:
$ rpm -Uvh
$ yum install yum-priorities -y
$ rpm -Uvh

Next we will send install Condor and the OSG-Condor-Flock packages on the machine.  Documentation on setting up a Condor Flock is also on the OSG Twiki:
$ yum install condor osg-ca-certs -y
$ yum install --enablerepo=osg-development -y osg-condor-flock

After installing these tools, we need to configure condor to use our certificate, and to flock to our glideinwms provider of choice.

Next, we need to configure the host to use your certificate.  In order to do this, we make your certificate the 'host' certificate.  Copy your cert and key to: /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem.

Next, we select the glideinwms provider of choice to use.  This is covered more in-depth on the OSG Twiki.  You will also need to send your certificate to the OSG gateway provider you have chosen.  Both have pages on the OSG OIM with contact information.  OSG Gateway.  HCC Gateway.

Next, we need to set condor to use only a single port, and specify that port. In /etc/condor/config.d/99_osg_flock.conf, add the following lines.

The port number (given by the argument after -p) can be any arbitrary port.  Additionally, you will need to open the firewall.  In iptables, add a line like:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4080 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4080 -j ACCEPT

And, that is all you need.  Startup condor with 'service condor start', and you're on your way to running on the OSG with only 1 port open to the world.