[torqueusers] Running torque with iptables
Stephen Dowdy
sdowdy at ucar.edu
Thu Oct 20 14:36:54 MDT 2011
Gabe Turner wrote, On 10/20/2011 01:58 PM:
> On Thu, Oct 20, 2011 at 01:55:26PM -0600, Ken Nielson wrote:
>> The MOMs should only communicate with pbs_server and the other MOMs. I do
>> not believe they communicate with the submit hosts. Could you tell us
>> more about your setup?
>>
>
> I believe the moms do communicate with the submit host if you're running an
> interactive (qsub -I) job. At least that has been my experience. Thus we
> allow ports 1024 to 65536 between submit and compute. I'd also be
> interested in narrowing this range, if possible.
If it's indeed getting a port from the ephemeral pool
*something* like:
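# Kernel's ephemeral port range, converted to iptables "low:high" form
EPHEMERAL_PORTS=$(sed 's/[[:space:]]\+/:/' /proc/sys/net/ipv4/ip_local_port_range)
# Fall back to a default range if the file could not be read
EPHEMERAL_PORTS=${EPHEMERAL_PORTS:-"32768:61000"}
# SUBMIT_HOSTS: space-separated list of submit hosts, set elsewhere
for host in ${SUBMIT_HOSTS}; do
    iptables -A DEFAULT -p tcp -s "${host}" --sport "${EPHEMERAL_PORTS}" --dport "${EPHEMERAL_PORTS}" -j ACCEPT
done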
should do it.
Narrowing the range like this doesn't help a whole lot, but
it's probably worthwhile anyway.
--stephen
--
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdowdy at ucar.edu - http://www.ral.ucar.edu/~sdowdy/