On Mon, 7 Jun 2004, Marc Colosimo wrote:
> I searched the archives and found that this came up before, but it
> doesn't seem like much was done about it. My basic problem is that I'm
> using other peoples' work machines after hours and they have the
> firewall on and don't want to turn it off. This is a collection of OS X
> machines (dual G5s). The nice thing about xGrid is that it works with
> the firewall, but doesn't meet our needs.
>
> First, is there a way to assign TCP/UDP ports for lam-mpi and is there a
> reason for random ports?

There is not currently a way to do it. Someone started an effort to do
it (you might want to troll the lam-devel archives -- there was a fair
amount of discussion about this there), but it never got finished. I
initially thought it would be a quick-n-easy thing, but as the developer
found it, it got more and more involved, complex, and essentially ended up
negating the purpose of the firewall.

Specifically: LAM's current architecture assumes that every MPI process has
full connectivity to every other process. This will be pretty difficult
to change in the near future (stay tuned, though...). LAM's infrastructure
(the LAM daemons) also assumes the same thing (although that might be a
bit easier to fix). As such, for each node behind the firewall, you need
a public/routable IP address that it can be reached at. So if you have 32
machines behind a firewall, you need 32 holes poked in the firewall to
allow MPI traffic and probably 32 holes for LAM's infrastructure traffic.

Alternatively, this could be solved by having some kind of LAM proxy that
is able to route all this stuff, and therefore you would probably only
need 2 holes poked in the firewall (one for MPI TCP traffic and one for
LAM infrastructure traffic). But that's not going to happen for 7.0 or
7.1. :-(

As for the random ports, we just take what the OS gives us. We don't ask
for specific ports because it becomes a delicate dance of port allocation
in the general case -- where you may have multiple MPI processes on the
same machine, etc. The discussions on lam-devel talked about this, IIRC
-- I think we had the idea of not specific ports, but port *ranges*, and
that part may even have been working nicely...? It was a long time ago...

> If there isn't a way, do I only need to allow the master node machine
> all access via some ugly ipfw rule for a port range?

Unfortunately, that won't work either because of the reasons cited above.
We do anticipate having some kind of proxy / relay service available that
would allow this kind of behavior someday, but not in the near future.

--
{+} Jeff Squyres
{+} jsquyres_at_[hidden]
{+} http://www.lam-mpi.org/
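
The difference between OS-assigned ports and a port range discussed in the reply, as an added example that is not LAM code and not part of the original message: a Python sketch in which each process on a host takes the first free port in a fixed range, so a firewall rule can name that range instead of every ephemeral port. The function names, the loopback address and the range 47000-47019 are assumptions chosen for illustration.

```python
import errno
import socket


def bind_ephemeral(host="127.0.0.1"):
    """Bind to port 0: the OS hands back any free port, so the
    firewall cannot know in advance which port to allow."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


def bind_in_range(lo, hi, host="127.0.0.1"):
    """Bind to the first free port in [lo, hi].

    Several processes on one machine can call this with the same range;
    each skips ports that are already taken. The range must be at least
    as large as the number of listeners per host, otherwise the last
    process to start finds nothing free and gets EADDRINUSE.
    """
    for port in range(lo, hi + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
            s.listen(1)
            return s
        except OSError as exc:
            s.close()
            if exc.errno != errno.EADDRINUSE:
                raise  # e.g. permission denied: do not mask it
    raise OSError(errno.EADDRINUSE, f"no free port in {lo}-{hi}")


if __name__ == "__main__":
    # Constructed scenario: three listeners on one host share one range.
    listeners = [bind_in_range(47000, 47019) for _ in range(3)]
    print("range-bound ports:", [s.getsockname()[1] for s in listeners])
    print("OS-assigned port: ", bind_ephemeral().getsockname()[1])
```

A range only bounds which ports a host listens on; as the reply says, every node behind the firewall still has to be reachable on those ports from every other node.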