On Jun 8, 2004, at 9:27 AM, Jeff Squyres wrote:
> On Mon, 7 Jun 2004, Marc Colosimo wrote:
>
>> I searched the archives and found that this came up before, but it
>> doesn't seem like much was done about it. My basic problem is that
>> I'm using other people's work machines after hours and they have the
>> firewall on and don't want to turn it off. This is a collection of OS
>> X machines (dual G5s). The nice thing about xGrid is that it works
>> with the firewall, but doesn't meet our needs.
>>
>> First, is there a way to assign TCP/UDP ports for lam-mpi and is
>> there a reason for random ports?
>
> There is not currently a way to do it. Someone started an effort to
> do it (you might want to troll the lam-devel archives -- there was a
> fair amount of discussion about this there), but it never got
> finished. I initially thought it would be a quick-n-easy thing, but
> as the developer found it, it got more and more involved, complex, and
> essentially ended up negating the purpose of the firewall.
>
> Specifically: LAM's current architecture assumes that every MPI process
> has full connectivity to every other process. This will be pretty
> difficult to change in the near future (stay tuned, though...). LAM's
> infrastructure (the LAM daemons) also assumes the same thing (although
> that might be a bit easier to fix). As such, for each node behind the
> firewall, you need a public/routable IP address that it can be reached
> at. So if you have 32 machines behind a firewall, you need 32 holes
> poked in the firewall to allow MPI traffic and probably 32 holes for
> LAM's infrastructure traffic.
>
> Alternatively, this could be solved by having some kind of LAM proxy
> that is able to route all this stuff, and therefore you would probably
> only need 2 holes poked in the firewall (one for MPI TCP traffic and
> one for LAM infrastructure traffic). But that's not going to happen
> for 7.0 or 7.1. :-(
>
I got lost looking at the code as to how everyone talks to each other.
There is a lot of talking going on. Apple is using LnxMPI in their
xGrid application
<http://exodus.physics.ucla.edu/appleseed/dev/LnxMPI_S.c>. xGrid works
through firewalls because it uses defined ports (411-4120,
49200-49500). I don't know if LnxMPI would, however.

> As for the random ports, we just take what the OS gives us. We don't
> ask for specific ports because it becomes a delicate dance of port
> allocation in the general case -- where you may have multiple MPI
> processes on the same machine, etc. The discussions on lam-devel
> talked about this, IIRC -- I think we had the idea of not specific
> ports, but port *ranges*, and that part may even have been working
> nicely...? It was a long time ago...
>
>> If there isn't a way, do I only need to allow the master node machine
>> all access via some ugly ipfw rule for a port range?
>
> Unfortunately, that won't work either because of the reasons cited
> above. We do anticipate having some kind of proxy / relay service
> available that would allow this kind of behavior someday, but not in
> the near future.

I'll be on the watch.
Thanks
Marc
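
The port-range idea mentioned in the thread, as an added example that is not from the original messages and is not LAM code: each process takes the first free port in a fixed range, so a firewall rule can name the range, while a range starting at 0 keeps the OS-assigned behaviour. The helper names are hypothetical and the range 49200-49500 is a constructed sample; this does not remove the full-connectivity requirement described above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Port of a bound socket in host byte order, or 0 on error. */
uint16_t bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* Hypothetical helper: listen on the first free TCP port in [lo, hi].
 * lo == hi == 0 keeps the behaviour from the thread (the OS picks the port).
 * Returns the listening fd, or -1 if every port in the range is taken. */
int listen_in_range(uint32_t addr, uint16_t lo, uint16_t hi)
{
    for (uint32_t p = lo; p <= hi; p++) {
        int fd = socket(AF_INET, SOCK_STREAM, 0);
        if (fd < 0) return -1;
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(addr);
        sa.sin_port = htons((uint16_t)p);
        /* No SO_REUSEADDR: a port held by another process must fail here
         * so the next process on the same host moves on to the next port. */
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(fd, 16) == 0)
            return fd;
        close(fd);
    }
    return -1;
}

int main(void)
{
    /* Two ranged listeners stand in for two MPI processes on one node. */
    int a = listen_in_range(INADDR_LOOPBACK, 49200, 49500);
    int b = listen_in_range(INADDR_LOOPBACK, 49200, 49500);
    int c = listen_in_range(INADDR_LOOPBACK, 0, 0);
    printf("ranged: %u %u  OS-assigned: %u\n", (unsigned)bound_port(a),
           (unsigned)bound_port(b), (unsigned)bound_port(c));
    return 0;
}
```

The range has to be at least as wide as the number of listening processes per node, since a process that finds every port taken gets -1 and cannot start.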