  • Announcements

    • admin

      PBS Forum Has Closed   06/12/17

      The PBS Works Support Forum is no longer active.  For PBS community-oriented questions and support, please join the discussion at http://community.pbspro.org.  Any new security advisories related to commercially-licensed products will be posted in the PBS User Area (https://secure.altair.com/UserArea/). 
speleolinux

iptables and interactive jobs


Hi

I have been tightening down our cluster.  Our login node accepts ssh from anywhere. Execution nodes accept ssh only from the head node. That all seems to work fine for submitting normal non-interactive jobs.

Exec nodes: From the head node allow: proto (tcp udp) mod state state NEW dport 15001:15004 ACCEPT;
Login node:  From the head node allow: proto (tcp udp) mod state state NEW dport 15001:15004 ACCEPT;
This allows normal jobs to be submitted but interactive jobs fail with "Job cannot be executed" and an exit status of -1
If I set for the login node a rule to allow from a specific node NEW ACCEPT then the interactive job will work on that node.

I thought all PBS communications would be via the head node and not direct node-to-node like exec node to/from login node.
Are there ports that need to be allowed to let interactive jobs run? A netstat during an interactive job showed
"login node:33796     to   exec node:39424          ESTABLISHED"

Mike


Referencing the latest PBS Professional Installation and Upgrade Guide (14.2.1)

Quote

PBS needs to be able to use any port for outgoing connections, but only specific ports for incoming connections. If you have firewalls running on the server or execution hosts, be sure to allow incoming connections on the appropriate ports for each host. By default, the PBS server and MoM daemons use ports 15001 through 15004 for incoming connections, the PBS communication daemon listens on port 17001, and daemons use any port below 1024 for outgoing connections. See section 4.6, “Ports Used by PBS”, on page 61 for a list of ports.

A few more points.. what ports to open for interactive qsub jobs?

It's unknown, and it has to be, since you have different sessions -- a possibly unlimited number of them -- and they don't use privileged ports since they are not run as root but as the user (they simply communicate the port to the execution nodes by setting an attribute). Allow traffic _from_ the execution hosts.
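
The advice above applied to the login node, as an added example that is not part of the original thread: a shell function that prints an iptables-restore ruleset in the strict form from the first post and in a form that also admits connections from the execution hosts. The addresses are constructed placeholders, and the 1024:65535 range is an assumption standing in for "not privileged ports".

```shell
#!/bin/sh
# Added example (not from the thread): ruleset for the LOGIN node only.
# Addresses are constructed placeholders (RFC 5737 documentation range).
HEAD_NODE="192.0.2.10"               # assumption: head node / PBS server
EXEC_NODES="192.0.2.21 192.0.2.22"   # assumption: execution hosts

# login_node_rules MODE
#   strict      - NEW connections on 15001:15004 from the head node only
#                 (the setup in the first post; interactive jobs fail)
#   interactive - also lets each execution host open TCP connections to
#                 unprivileged ports, where the interactive session listens
login_node_rules() {
    mode=$1
    case $mode in
        strict|interactive) ;;
        *) echo "usage: login_node_rules strict|interactive" >&2; return 2 ;;
    esac
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    # PBS needs any port for outgoing connections, so OUTPUT stays open.
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The login node accepts ssh from anywhere, as in the first post.
    echo "-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT"
    for proto in tcp udp; do
        echo "-A INPUT -s $HEAD_NODE -p $proto -m state --state NEW --dport 15001:15004 -j ACCEPT"
    done
    if [ "$mode" = "interactive" ]; then
        # Source-restricted: only the listed execution hosts, TCP only,
        # and never the privileged range (so not port 22 via this rule).
        for node in $EXEC_NODES; do
            echo "-A INPUT -s $node -p tcp -m state --state NEW --dport 1024:65535 -j ACCEPT"
        done
    fi
    echo "COMMIT"
}

# Print a ruleset when a mode is given on the command line.
if [ $# -gt 0 ]; then
    login_node_rules "$1"
fi
```

The output can be checked with `iptables-restore --test` before loading. Nothing here changes the execution nodes, so ssh to them stays limited to the head node.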
 


Okies

What I am trying to do is to allow interactive jobs via PBS but not allow users the ability to use ssh to login to other execution nodes.  For the admin to login to execution nodes they login to the login node and then via the head node they can login to an exec node.

 
